JUCS - Journal of Universal Computer Science 25(11): 1417-1436, doi: 10.3217/jucs-025-11-1417
Analysis of the Infection and the Injection Phases of the Telnet Botnets
Tomáš Bajtoš‡, Pavol Sokol‡, Andrej Gajdoš‡, Katarína Lučivjanská‡, Terézia Mézešovᇇ Pavol Jozef Šafárik University, Košice, Slovakia
Corresponding author: Tomáš Bajtoš ( tomas.bajtos@upjs.sk ) © Tomáš Bajtoš, Pavol Sokol, Andrej Gajdoš, Katarína Lučivjanská, Terézia Mézešová. This is an open access article distributed under the terms of the Creative Commons Attribution License (CC BY-ND 4.0). This license allows reusers to copy and distribute the material in any medium or format in unadapted form only, and only so long as attribution is given to the creator. The license allows for commercial use. Citation:
Bajtoš T, Sokol P, Gajdoš A, Lučivjanská K, Mézešová T (2019) Analysis of the Infection and the Injection Phases of the Telnet Botnets. JUCS - Journal of Universal Computer Science 25(11): 1417-1436. https://doi.org/10.3217/jucs-025-11-1417 |  |
Abstract
With the number of Internet of Things devices increasing, also the number of vulnerable devices connected to the Internet increases. These devices can become part of botnets and cause damage to the Internet infrastructure. In this paper we study telnet botnets and their behaviour in the first two stages of its lifecycle - initial infection, and secondary infection. The main objective of this paper is to determine specific attributes of their behavior during these stages and design a model for profiling threat agents into telnet botnets groups. We implemented a telnet honeynet and analyzed collected data. Also, we applied clustering methods for security incident profiling. We consider K-modes and PAM clustering algorithms. We found out that a number of sessions and credential guessing are easily collected and United States of Americable attributes for threat agents profiling.
Keywords
security, clustering, threat agent, telnet honeypot, profiling