Presentation is loading. Please wait.

Presentation is loading. Please wait.

BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke.

Similar presentations


Presentation on theme: "BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke."— Presentation transcript:

1 BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke Lee PUBLICATION: USENIX Security Symposium, PRESENTATION BY: Bharat Soundararajan

2 INTRODUCTION activity  Network perimeter monitoring system called bothunter  Track two way communication between internal assets and external entities  Dialog correlator ties together these communications in the bothunter  Sequence of evidence is used for matching botnet infection

3 BOTNET INFECTION SEQUENCE  Propagates through remote exploit injection e.g. NetBIOS (139),My Doom(3127),Dame ware(6129).  After infection the victim host downloads the full Phatbot binary  Bot inserts itself into the boot process,security process off  Connection to C&C server.Infected host acts as a bot

4 MODEL OF THE DIALOG PROCESS

5 BOT INFECTION DECLARATION  Condition1: Evidence of local host infection (E2) and evidence of outward bot co-ordination or attack propagation (E3-E5)  Condition2: At least two distinct signs of outward bot coordination or attack propagation (E3-E5)

6 BOTHUNTER SYTEM ARCHITECTURE  Snort is used for detection  Extra plug-in such as SCADE and SLADE are used in snort  Network dialog correlation matrix is used for data structure  Report bot infection profiles to a remote repository  TLS over TOR (onion routing protocol)

7 BOTHUNTER SYTEM ARCHITECTURE

8 SCADE(Statistical Scan Anomaly Detection Systems) Inbound scan Detection  Specifically weighted towards the ports often used by malware Memory usage to the number of inside hosts Failed connection attempts on each ports  Ports are classified in bothunter as 1)Highly vulnerable ports: 80(HTTP),NETBIOS(445),26(TCP),4(UDP) 2)Low vulnerable ports

9 SCADE(Statistical Scan Anomaly Detection Systems) S = W 1 * F hs + W2* F ls (Inbound scan detection) Where W1 = weight of high severity ports W2= Weight of low severity ports F hs = No of connection failures in high severity ports F ls = No of connection failures in low severity ports

10 SCADE(Statistical Scan Anomaly Detection Systems) S = (W1 * Fhs + W2* Fls)/C (outbound scan detection) Where W1 = weight of high severity ports W2= Weight of low severity ports F hs = No of connection failures in high severity ports F ls = No of connection failures in low severity ports C = Total number of scans from the host within a window time

11 SLADE(Statistical Payload Anomaly Detection Engine)  1-gram payload system : occurrence frequency of one of the 256 possible bytes in the payload  Examines every request packet sent to the monitored services and outputs an alert if it deviates from the normal profile  n-gram will improve accuracy and hardness of evasion e.g. polymorphic worms

12 Time HostTimer E1E2 E3 E4E softAa…Ab hardAc…AdAe..Af hard AgAh..AiAj hard … hard & Soft AlAm.An A0 NETWORK DIALOG CORRELATION MATRIX

13  Dynamically-allocated row – summary of internal host to external entities  Cell – one or more sensor alerts that map into one of the five sensor devices  Correlation matrix – dynamically grows when a new activity involving the local host is detected and expires  Timers are set for expiry of observation window

14 TYPES OF TIMERS  HARD PRUNE TIMERS (filled clocks ) Fixed temporal interval over which the users are allowed to aggregate After evaluation,it leads to either bot declaration or to the complete removal of that dialog trace  SOFT PRUNE TIMERS(open faced clocks) smaller time window that allows users to configure tighter interval requirements Inbound scan warning are expired more quickly by the soft prune interval

15 BOT DECLARATION  Expectation table is used and compared with the values obtained from the Calculation  Dialog sequence crosses the threshold which leads to either bot declaration or non-bot declaration

16 Figure6: SCORING PLOTS : 2019 Real bot infections

17 EXPERIMENTS AND RESULTS E1 E2E3E4E5 agobotYes(2/2)Yes(9/8)Yes(6/6)Yes(38/8)Yes(4/1) Phat- alpha 5 Yes(14/4)Yes(5785/ 5721) Yes(3/3)Yes(28/26)Yes(4/2) Phatbot-rlsYes(11/3)Yes(2834/ 46) Yes(8/8)Yes(69/20)Yes(6/2) Rbot 0.6.6No(0)Yes(2/1)Yes(2/2)Yes(65/24)Yes(2/1) Rx-asn-2- re-worked version2 No(0)Yes(2/2) Yes(70/27)Yes(2/1) RxbotNo(0)Yes(4/3)Yes(2/2)Yes(59/18)Yes(2/1) SxbotNo(0)Yes(3/2)Yes(2/2)Yes(73/26)Yes(2/1) Yes/No – Indicate Dialog warning, (No of dialog warning in whole / No of warning victim involves)

18 RESULTS IN LIVE DEPLOYMENT Website Stats: Spotlight: Top 50 ISP Infection SourcesTop 50 ISP Infection Sources Active Period Reported: 245 Days Botnet Attacks Detected: Botnet C&C channels Witnessed: 175 Botnet DNS lookups Witnessed: 8496

19 ADVANTAGES  only one bot profile is generated for infection  presented analysis of bothunter against more than 2000 recent bot infection experiences.  remote repository for global collection and evaluation of bot activity.

20 DISADVANTAGES  Bots could use encrypted communication channels for C&C  This correlator is not adaptable for botnets with the capability of doing stealth scanning  This is not polymorphic malwares as it uses 1-gram payload

21 THANK YOU


Download ppt "BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke."

Similar presentations


Ads by Google