Presentation is loading. Please wait.

Presentation is loading. Please wait.

Botnet Yongdae Kim KAIST. Towards Systematic Evaluation of the evadability of bot/botnet detection methods Elizabeth Stinson, John C. Mitchell 1.

Published byJessie Dickeson Modified over 9 years ago

Similar presentations

Presentation on theme: "Botnet Yongdae Kim KAIST. Towards Systematic Evaluation of the evadability of bot/botnet detection methods Elizabeth Stinson, John C. Mitchell 1."— Presentation transcript:

1 Botnet Yongdae Kim KAIST

2 Towards Systematic Evaluation of the evadability of bot/botnet detection methods Elizabeth Stinson, John C. Mitchell 1

3 Purpose  Contribution ▹ Systematic framework for evaluating the evadability of botnet detection methods »Quantifying the evasion cost  Approaches ▹ Examine existing Automated Botnet Detection Methods ▹ Evasive Techniques & its Cost ▹ Problems on detection methods ▹ Future research approaches 2

4 Bot/Botnet  Definition of a bot ▹ Receive commands through C&C ▹ Carry out attacks by commands ▹ No limit on attack time & format ※ More general than usual  Attack type ▹ DDoS, Identity Theft, Malware Distribution, Phishing, Piracy, Proxying, Scanning, Server hosting(SMTP,HTTP), Spamming 3

5 Automated Detection Methods  Relying Characteristics 4

6 #1. Strayer : Detection 5 Eliminate flows unlikely to be botnet 5 Distinct Filters - Non-TCP Traffic - Port Scans - High bit-rate flows (* Bandwidth > 8kb/s) - Flows w/ packet > 300Kb/s - Short lived connection (* > 60’) 5 Distinct Filters - Non-TCP Traffic - Port Scans - High bit-rate flows (* Bandwidth > 8kb/s) - Flows w/ packet > 300Kb/s - Short lived connection (* > 60’) Keep only IRC flows by machine learin alg. Keep only IRC flows by machine learin alg. Cluster related flows by 5D space & topol. anal Flow characteristics - Duration - Role - Bytes per packet (bpp) - Bytes per second (bps) - Packets persecond (pps) Flow characteristics - Duration - Role - Bytes per packet (bpp) - Bytes per second (bps) - Packets persecond (pps) - Keep flows : time period - Use 5d space · Find a cluster of flows their distance is small - Topological analysis · Identify RP -Manual analysis · Identify bot master IP - Keep flows : time period - Use 5d space · Find a cluster of flows their distance is small - Topological analysis · Identify RP -Manual analysis · Identify bot master IP

7 #2. Rishi : Detection  Identifies bot-infected hosts by passively monitoring network traffic (IRC packets)  Analyzing IRC packets with nicknames that match pre-specified templates  Heavily Rely on IRC client nickname(Syntax) 6

8 #3. Karasaridis : Detection  Focusing on detecting IRC botnet C&C using 4 steps 7 1.Identify hosts w/ bad behaviors : scan, spam.. 2.Isolate flows to/from those hosts 3.Identify C&C u/ 3 criteria - stad. IRC ports - remote hub having multiple access from suspicious hosts - flows whose characteristics within a flow model for IRC

9 #3. Karasaridis : Detection  Focusing on detecting IRC botnet C&C using 4 steps 8 4.Analysis of C&C records : 3 stages # of unique suspected bots for a given hub Avrg. fpa, ppf, bpp from most popular hub Distance b/w traffic to hub and model traffic heuristic score (e.g., #of idle clients) 5.Assign confidence score to suspected control servers 6.Alarm when c.score > threshold

10 #4. Botswat : Detection  Focusing on system call invocation ▹ remotely-initiated vs locally initiated  Characterize each behaviors ▹ Identify data initiated from local user inputs ▹ Track tainted data initiated remotely  Compare ▹ Behavioral separation b/w two 9

11 BotHunter  Bot Infection Dialog Model ▹ E1 : External to Internal Inbound scan ▹ E2 : External to Internal Inbound exploit ▹ E3 : Internal-to-external binary download ▹ E4 : Internal-to-external C&C communications ▹ E5 : Outbound port scan  Three detection engine ▹ Port scan detection engine ▹ Payload-anomaly detection engine ▹ Snort signatures  Correlation Engine declares host infection (static C&C IP) when ▹ E2 with E3, E4 or E5 ▹ Any 2 of {E3, E4, E5} 10

12 BotMiner  Clustering similar communication traffic ▹ cluster hosts whose flows are similar bpp, bps, ppf, fph  Clustering similar attack traffic ▹ clustering hosts scanning same ports, spamming, or downloading similar files  Performing cross cluster correlation to identify the bots 11

13 Conclusion  Limitations on detection methods ▹ Two common assumptions are less true »Bots simultaneous attack participation => Only a few needs that : DDoS, phishing »Coordination through C&C network => This can be achieved outside of the C&C  Alternative approaches ▹ Focus on botnet utility ▹ Ways to negatively affect this utility 12

14 Sherlock Holmes and the Case of the Advanced Persistent Threat Ari Juels, Ting-Fang Yen 13

15 What is APT?  Advanced ▹ “Operate[s] in the full spectrum of computer intrusion.” [Bejtlich’10]  Persistent ▹ Maintains presence – Targeted  Threat ▹ Well-resourced, organized, motivated 14

16 Is This New? Traditional AttackersAPT Means of exploitatio n Software vulnerabilities, Social engineering Objective s Spam, DoS attack, Identity theft Espionage, IP theft MotiveFame, Financial gain Military, Political, Technical Target Machines with certain configurations Users ScopePromiscuousSpecific TimingFastSlow ControlAutomotive malwareManual Intervention 15

17 Commonalities between Reported APTs 16

18 Typical APT 17 Targeting Command and Control Lateral movement Data Exfiltration

19 Targeting : Spear Phishing  Socially Engineered Mail  Zeroday Vulnerability in Attachment 18

20 Targeting : Watering Hole 19 iOS Developer Site at Core of Facebook, Apple

21 Targeting : Watering Hole 20 http://securityledger.com/many-watering-holes-targets-in-hacks-that-netted-facebook-twitter-and-apple/

22 Targeting: Exploit Trusted Relationship 21 SecureID two-factor authentication product ALZip Update Server Attacker

23 Other Techniques: Tools  Infected digital photo frames  Infected mobile phones  Bluetooth vulnerabilities  Compromised device drivers 22

24 Command and Control 23 Illustration of links among SK communications, RSA, and Night Dragon

25 Command and Control : Insights  Uses Specific DNS servers  The TTL of domains  Communicate with C&C at frequent intervals  Inspection of TCP port 443 traffic 24

26 Data Exfiltration 25 HTTP, FTP High value asset Attacker’s

27 Case Study : SK Comm. Hack 26 Database Attacker ALZip Update Server Non-targeted Computers C&C Server Tool box Server WayPoint Targeted Computers 1010010110101000 011100010000.. Gain Acces s Legitimate Update Malicious Update Tool Downloadin g C&C Communication 10100 10110 1010..

28 Reconnaissance & Preparation (1/2)  C&C Server ▹ Registering the domain ‘alyac.org’ ▹ At attack time, a Korean IP was used ▹ Time-To-Live(TTL) = 30 minutes  Tool box server ▹ A large Taiwanese publishing company website ▹ Webserver was used to download malwares 27

29 Reconnaissance & Preparation (2/2) 28 Attacker from a Chinese IP ALZip Update Server Gained access Uploaded instructions Non-targeted Computers Targeted Computers SK Comm. Info. was gained to distinguish target

30 Targeting 29 ALZip Update Server Targeted Computers Malicious Update Request malicious update file Over 60 Computers were infected Tool box Server Tool Downloading x.exe: network monitor nateon.exe: access the user databases rar.exe: modified WinRAR

31 Data Exfiltration 30 Collecting Information Database Targeted Computers Personal details of 35 million SK Comm. users User identifier, password was encrypted but others not WayPoint 101001010010111000100000.. Attacker 10100101001011 1000101.. Korean IP A Company in Nonhyeon Chinese IP

32 The Red-Headed-League Attack  Encompass a victim in a general event that conceals a targeted attack.  Red-headed Botnet 31

33 Other Red-headed Attacks  Open source software  Social Network ▹ Friend finding  Free USB Sticks 32

34 The Blue-Carbuncle Attack  Conceal unauthorized communications within commonplace objects or activities. 33 HTTP, FTP High value asset Attacker’s

35 The Bohemian-Scandal Attack  Create disturbances to the victim to obtain intelligence about a target resource  Recommended responses to a breach can reveal... ▹ Location of valuables ▹ Critical services ▹ What you know about the attack 34

36 The Speckled-Band Attack  Breach a security perimeter through unconventional means  Examples ▹ Infected digital photo frames ▹ Infected mobile phones ▹ Bluetooth vulnerabilities ▹ Compromised device drivers 35

37 Conclusion  APT is a campaign ▹ No formula or playbook of tactics  How about detection? ▹ Behavior profiling ▹ Defensive deception ▹ Information sharing 36

Download ppt "Botnet Yongdae Kim KAIST. Towards Systematic Evaluation of the evadability of bot/botnet detection methods Elizabeth Stinson, John C. Mitchell 1."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
F3 Collecting Network Based Evidence (NBE)

F3 Collecting Network Based Evidence (NBE)
BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke.

BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.

Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)

BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Similar presentations

Ads by Google