*Evaluation of Botnet Threats Based on Evidence Chain DOI: http://dx.doi.org/10.5772/intechopen.89564*

possible results should be considered, each piece of evidence should be assigned a basic credibility, and the final credibility value of the target should then be obtained by fusing the evidence with the composition rule. In this section, a method of SA based on DS evidence theory is proposed.

Network security SA based on the DS evidence chain collects information about the protected network through active and passive network sensors and, after preprocessing, uses that information as the fusion data for DS evidence theory. Each piece of data collected by a sensor corresponds to one piece of evidence, and each piece of evidence is given an initial credibility. Finally, the composition formula is used to fuse these pieces of evidence into a credibility value for the proposition that the protected network is under threat. This value reflects how trustworthy the protected network is in light of the evidence, and a confidence threshold is set against it. If the credibility exceeds the threshold, the network component has a security threat and is vulnerable to attack; otherwise, the network component is secure.

In this chapter, the frame of discernment (identification framework) is $\Theta = \{T, F\}$, in which $T$ indicates that the camera is dangerous and vulnerable to attack, while $F$ indicates that the camera is secure and not vulnerable to attack. The power set is then $2^{\Theta} = \{\Phi, T, F, H\}$, in which $\Phi$ (the empty set) would mean the camera is both dangerous and safe, while $H = \{T, F\}$ means the camera may or may not be safe. The basic probability assignment satisfies $m(\Phi) + m(T) + m(F) + m(H) = 1$, with $m(\Phi) = 0$ and $m(H) = 0$, that is, no mass is left on ignorance. In the experiment of Section 5 the same two propositions are written $V$ (vulnerable) and $S$ (secure).

Second, each record obtained by scanning a camera device is used as a piece of evidence, and three types of evidence are used. The first type comes from scanning all IoT devices in the school with port 23 open; the camera devices among them are the objects of the SA and may be attacked. The ratio of camera devices to all devices with port 23 open is used as the initial basic probability of this evidence. The second type comes from scanning the camera devices themselves: cameras with weak password vulnerabilities are vulnerable to attack, so the ratio of cameras with weak password vulnerabilities to the total number of cameras in NJUPT is used as the initial basic probability of this evidence. The third type comes from uploading the virus to the cameras with weak password vulnerabilities; a successful upload is highly dangerous, so the ratio of cameras on which the virus was uploaded successfully to the number of cameras with weak password vulnerabilities is used as the initial basic probability. Using three different types of evidence in this way improves the credibility of the fused result, and at the same time compresses a large number of evidence records into three pieces of evidence, which improves the efficiency and reduces the time of synthesis. After that, the improved composition formula is used to fuse the three pieces of evidence against the cameras and obtain the final credibility of the dangerous situation of the cameras in NJUPT.

Finally, the fused credibility $m(T)$ is compared with a given threshold. If the credibility is greater than the threshold, the overall situation of the cameras in NJUPT is dangerous and vulnerable to attack; otherwise, the overall situation of the cameras in NJUPT is safe.

**5. Experiment**

In order to verify the feasibility and effectiveness of this method, the Telnet port scanning records of the network equipment in the campus network of NJUPT were used as the data source. The data were collected from the time of the large-scale Mirai botnet attack on the East Coast of the United States at the end of 2016, and the scope of collection was limited to the campus network of NJUPT. The study found that a large number of cameras in the campus network have weak password vulnerabilities. As shown in **Figure 2**, this vulnerability allows intrusion into the monitoring system. Moreover, based on the vulnerability, the Mirai botnet program can be uploaded to the camera and run; the camera then becomes a Mirai bot ("broiler"), which can be used to launch large-scale DDoS attacks. Because the scope of the research object is relatively small, after discovering the problems in the monitoring system of the campus network we informed the relevant departments of the school so that timely measures could be taken to protect the monitoring system. For large-scale protected networks, however, SA methods are needed to discover the threat situation in time. This chapter uses DS theory and the campus network data source to verify the feasibility and effectiveness of the proposed approach.

*Computer Security Threats*


The data source of this chapter contains three kinds of data: (1) all devices in the campus network with Telnet port 23 open, together with their type, IP address and other information; (2) the network cameras in the campus network with a weak Telnet (port 23) password vulnerability; (3) the cameras on which the Mirai virus could be uploaded and run successfully through the weak password vulnerability.

**Figure 2.** *Schematic diagram of campus monitoring system through weak password vulnerability.*


**Figure 3.** *Scanned device records opened on port 23.*

First, all IoT devices with port 23 open were scanned; the scan results are shown in **Figure 3**. A total of 464 records of devices with port 23 open were obtained, including 242 camera devices. So for evidence 1, the initial trust value $m_1(V)$ is $242/464 \approx 0.52$ and $m_1(S)$ is $1 - 0.52 = 0.48$.

Second, the camera devices in the school were scanned for the weak password vulnerability, as shown in **Figure 4**. Among them, 142 camera devices have weak password vulnerabilities. So for evidence 2, the initial trust value $m_2(V)$ is $142/242 \approx 0.59$ while $m_2(S)$ is $1 - 0.59 = 0.41$.

Finally, the virus was uploaded to the cameras with weak passwords, and 86 camera records show a successful upload, as shown in **Figure 5**. So for evidence 3, the initial trust value $m_3(V)$ is $86/142 \approx 0.61$ and $m_3(S)$ is $1 - 0.61 = 0.39$.

Then the three pieces of evidence are fused by Dempster's rule. Let $B$, $C$ and $D$ range over the focal elements of the three pieces of evidence provided by the sensor scans, let $V$ denote the proposition that the investigated cameras in the campus network have a network security threat, and let $S$ denote the proposition that the investigated cameras in the campus network are secure. The three pieces of evidence are combined to calculate the confidence of proposition $V$ as follows.

First, the normalization constant $K$ is calculated. Only combinations whose intersection is non-empty contribute; the conflicting products such as $m_1(V)\,m_2(S)\,m_3(V)$ are discarded. Note that $K$ here is the total non-conflicting mass, so the rule below divides by $K$, not by $1 - K$ as in the notation where $K$ denotes the conflict:

$$K = \sum_{B \cap C \cap D \neq \Phi} m_1(B)\, m_2(C)\, m_3(D) = 0.52 \cdot 0.59 \cdot 0.61 + 0.48 \cdot 0.41 \cdot 0.39 \approx 0.26.$$

**Figure 4.** *Scanned records of cameras for leak detection in school.*

**Figure 5.** *The virus uploading records on the cameras with a weak password.*

**Figure 6.** *Schematic diagram of network security SA prototype system based on DS evidence chain.*

Then $m(V)$ is calculated by the composition formula:

$$m_1 \oplus m_2 \oplus m_3\,(V) = \frac{1}{K} \sum_{B \cap C \cap D = V} m_1(B)\, m_2(C)\, m_3(D) = \frac{0.52 \cdot 0.59 \cdot 0.61}{K} \approx \frac{0.187}{0.264} \approx 0.71.$$

Likewise $m(S)$ is calculated by the composition formula:

$$m_1 \oplus m_2 \oplus m_3\,(S) = \frac{1}{K} \sum_{B \cap C \cap D = S} m_1(B)\, m_2(C)\, m_3(D) = \frac{0.48 \cdot 0.41 \cdot 0.39}{K} \approx \frac{0.077}{0.264} \approx 0.29.$$

In both divisions $K$ is kept at full precision ($0.2639$); dividing by the rounded value $0.26$ would give $0.72$ and $0.30$, which no longer sum to 1.

Based on the above calculations, the final trust in $m(V)$ is 0.71 and that in $m(S)$ is 0.29. Because the experimental data source of this chapter contains only the campus network cameras and no other devices, there is no need to estimate a threshold. In the experiment $m(V) > m(S)$, which shows by calculation that there are serious security threats in the monitoring system of the campus network, and that the method is effective.
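The evidence chain described in Section 4 (three ratios compressed from the scan records) and the fusion carried out above can be reproduced in a few lines. The following Python is an added example and not the chapter's prototype code: the `ScanRecord` fields, the helper names, the 10.0.x.y addresses and the `unknown` discount parameter are assumptions of this example, and the dataset is constructed so that its counts match the chapter's 464 / 242 / 142 / 86. It implements the general n-way Dempster rule over the power set (including the ignorance element $H$, which the chapter sets to zero), reports the chapter's $K$, and applies the threshold test.

```python
"""Evidence-chain assessment with Dempster's rule.

Added example, not the chapter's prototype code.  The ScanRecord fields, the
helper names, the 10.0.x.y addresses and the `unknown` discount option are
assumptions of this example; the constructed dataset reproduces the chapter's
counts (464 open-Telnet devices, 242 cameras, 142 weak passwords, 86 uploads).
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product
from math import prod

# Frame of discernment Theta = {vulnerable, secure}.  Focal elements are
# frozensets so that set intersection drives the combination rule.
VUL = frozenset({"vulnerable"})   # the chapter's T (Section 4) / V (Section 5)
SEC = frozenset({"secure"})       # the chapter's F / S
UNK = VUL | SEC                   # the chapter's H: "may or may not be safe"


@dataclass
class ScanRecord:
    """One device with Telnet (port 23) open, as the scanning module would report it."""
    ip: str
    device_type: str
    weak_password: bool = False   # result of the weak-password login check
    bot_uploaded: bool = False    # result of the upload-and-run check (lab only)


def constructed_records() -> list:
    """Constructed dataset with the chapter's counts (not real scan data)."""
    recs = []
    for i in range(464):
        is_cam = i < 242
        recs.append(ScanRecord(ip=f"10.0.{i // 256}.{i % 256}",   # assumed addresses
                               device_type="camera" if is_cam else "router",
                               weak_password=is_cam and i < 142,
                               bot_uploaded=is_cam and i < 86))
    return recs


def ratio(num: int, den: int) -> float:
    if den == 0:
        raise ValueError("no devices at this step: evidence cannot be formed")
    return num / den


def bpa_from_ratio(r: float, unknown: float = 0.0) -> dict:
    """m(V) = r, m(S) = 1 - r as in the chapter.  `unknown` > 0 (an extension;
    the chapter uses m(H) = 0) discounts the evidence and moves that mass to H."""
    return {VUL: r * (1 - unknown), SEC: (1 - r) * (1 - unknown), UNK: unknown}


def evidence_chain(records: list, ndigits=None, unknown: float = 0.0) -> list:
    """Compress the scan records into the chapter's three pieces of evidence."""
    cams = [x for x in records if x.device_type == "camera"]
    weak = [x for x in cams if x.weak_password]
    owned = [x for x in weak if x.bot_uploaded]
    ratios = [ratio(len(cams), len(records)),   # evidence 1: cameras / open port 23
              ratio(len(weak), len(cams)),      # evidence 2: weak password / cameras
              ratio(len(owned), len(weak))]     # evidence 3: upload ok / weak password
    if ndigits is not None:                     # the chapter rounds each ratio first
        ratios = [round(r, ndigits) for r in ratios]
    return [bpa_from_ratio(r, unknown) for r in ratios]


def dempster(bpas: list) -> tuple:
    """n-way Dempster combination.  Returns (fused BPA, K), where K is, as in the
    chapter, the total mass of the non-conflicting combinations (1 - conflict)."""
    fused, k = {}, 0.0
    for combo in product(*(m.items() for m in bpas)):
        focal = frozenset.intersection(*(a for a, _ in combo))
        mass = prod(p for _, p in combo)
        if focal:                               # B ∩ C ∩ D ≠ Φ
            fused[focal] = fused.get(focal, 0.0) + mass
            k += mass
    if k <= 0.0:
        raise ValueError("total conflict: Dempster's rule is undefined")
    return {f: m / k for f, m in fused.items()}, k


def assess(records: list, threshold: float = 0.5, ndigits=None,
           unknown: float = 0.0) -> dict:
    """Fuse the evidence chain and apply the chapter's threshold test on m(V)."""
    fused, k = dempster(evidence_chain(records, ndigits, unknown))
    return {"K": k, "m_V": fused.get(VUL, 0.0), "m_S": fused.get(SEC, 0.0),
            "m_H": fused.get(UNK, 0.0), "dangerous": fused.get(VUL, 0.0) > threshold}


if __name__ == "__main__":
    recs = constructed_records()
    for nd in (2, None):                        # chapter-style rounding vs. exact
        r = assess(recs, ndigits=nd)
        print(f"ndigits={nd}: K={r['K']:.4f}  m(V)={r['m_V']:.3f}  "
              f"m(S)={r['m_S']:.3f}  dangerous={r['dangerous']}")
```

Run as a script it prints both the chapter-style result (ratios rounded to two decimals before fusion, giving $m(V) \approx 0.71$) and the exact one ($m(V) \approx 0.70$); the difference is only input rounding, but it shows why the ratios and $K$ should be carried at full precision and rounded only when reported. The `ValueError` on total conflict is the one case Dempster's rule cannot handle: a piece of evidence with $m(V) = 1$ against one with $m(S) = 1$ leaves $K = 0$.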

The prototype system based on this method is shown in **Figure 6**. The system includes a scanning module, a data query module, a weak password management module and a visualization (chart analysis) module, as shown in **Figure 7**. The scanning module integrates the automatic scanning function: once the network segment to be scanned is entered and "Start Scanning" is clicked, the scan runs automatically. The buttons under the "Operation" column on the right allow a device to be accessed manually; for example, if a device has a weak password vulnerability, a shell can be started through the "Operation" button that logs in to the device automatically with the weak password for easy inspection. "Operation" also includes manual uploading of the Mirai zombie program, etc. Data Query is designed for viewing historical scanning records; Weak Password Management is for adding or removing the collected camera factory default passwords; and the Visual Analysis Module displays the network situation by means of geographic information, data statistics, charts, etc.

The security situation of the campus network, based on the security threat analysis of the campus network cameras, is shown in **Figure 8**. The situation map is based on geographical location information, and a red point indicates that there is a security threat at the corresponding location on the map, which serves to remind the administrator.


**6. Conclusion**

This chapter first introduced the related work on SA technology and the concept, definition and formulas of DS evidence theory, and then addressed the problem that network security SA responds slowly to burst vulnerabilities in the network. A method of network security SA based on DS evidence theory was proposed. Finally, through the experiment on the Mirai botnet and the surveillance cameras in NJUPT's campus network, it was shown that the SA method based on DS evidence theory is feasible and effective, and that it can detect major threats in a protected network in time.

**Acknowledgements**

Thanks to Shu Wang, Qing Ye, Na Wang, Haichang Yao, Kui Li, Ruchuan Wang and Lu Yao for their contributions. This work is supported by the National Key Research and Development Program of China (2017YFB1401301, 2017YFB1401302, 2017YFB0202204), the National Natural Science Foundation Program of China (61373017), the Key Research and Development Program of Jiangsu Province (BE2017166), the Natural Science Foundation Outstanding Youth Fund of Jiangsu Province (BK20170100), the Open Fund of Jiangsu High Technology Research Key Laboratory for Wireless Sensor Networks (WSNLBZY201514), and the 1311 Project of Nanjing University of Posts and Telecommunications.

**Conflict of interest**

The authors declare no conflict of interest.

