Presentation is loading. Please wait.

Presentation is loading. Please wait.

Networking, Sensing and Control (ICNSC), 2013 10th IEEE International Conference on 102064535 黃川洁 1/25.

Published byIngrid Scragg Modified over 9 years ago

Similar presentations

Presentation on theme: "Networking, Sensing and Control (ICNSC), 2013 10th IEEE International Conference on 102064535 黃川洁 1/25."— Presentation transcript:

1 Networking, Sensing and Control (ICNSC), 2013 10th IEEE International Conference on 102064535 黃川洁 1/25

2 Outline INTRODUCTION BOTNET LIFE CYCLE BOTNET ARCHITECTURES DETECTION OF BOTNET ATTACK PREVENTION & MITIGATION OF BOTNET FUTURE PROSPECTS CONCLUSION 2/25

3 BOTNET is a large network of compromised computers used to attack other computer systems for malicious intent. NetBus and BackOrifice2000 several techniques for BOTNET attack detection data mining, fuzzy logic based on some statistical data, anomaly based, structure based INTRODUCTION-1 3/25

4 INTRODUCTION-2 Testbed environment should focus on following requirements: The ability to test with a variability of bot types (both known and unknown) deploy on variety of standard operating system. To be capable of conducting experiments in a secure mode such as one that poses no threat to the greater internet To be able to form a flexible and realistic botnet technologies and configuration. To perform and conduct experiments at scale and under realistic conditions. 4/25

5 BOTNET LIFE CYCLE-1 In start it primarily infects other computer. Then injects small code File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Peer to Peer (P2P), and combination of HTTP and P2P (HTTP2P) etc. When user connects to internet code is executed automatically to establish a connection in which it connects to Command & Control (C&C) server. 5/25

6 BOTNET LIFE CYCLE-2 Command and control the zombie computers through C & C server. To remain transparent and active by using Dynamic Domain Name Server (DNS) and keeping zombie updated and in existence to maintain and use them accordingly. 6/25

7 BOTNET ARCHITECTURES Centralized Botnet Architecture Peer to Peer (P2P) Botnet Architecture Hybrid Botnet Architecture Hypertext Transfer Protocol Peer to Peer (HTTP2P) Botnet Architecture 7/25

8 Centralized Botnet Architecture 8/25

9 Peer to Peer (P2P) Botnet Architecture 9/25

10 Hybrid Botnet Architecture 10/25

11 Hypertext Transfer Protocol Peer to Peer (HTTP2P) Botnet Architecture P2P has threat of Sybil attacks Sybil Attack: 是一種攻擊者透過大量匿名實體增加不成比例的巨大影響, 來破壞 P2P 網路的信譽系統。 (TWCERT/CC) Combined HTTP and P2P Become harder to be detected by to bypass firewall and client server architecture Cipher the message While the Soldier-Bot does not contact dynamically to Supervisor-Bot or other soldier-bots rather it waits for a call from its supervisor. 11/25

12 Centralized Botnet Architecture Peer to Peer (P2P) Botnet Architectur e Hybrid Botnet Architecture Hypertext Transfer Protocol Peer to Peer (HTTP2P) Botnet Architecture 隱密性低高高高 加密無有有有 管理容易困難 偵測容易較困難 困難 阻絕容易較困難 困難 monitoring and healing (for Supervisor- bot ) 容易困難較容易 12/25

13 DETECTION OF BOTNET ATTACK Structured Based Detection Signature Based Detection DNS Based Detection Behavior Based Detection Anomaly Based Detection Communication Pattern of Botnet 13/25

14 Signature Based Detection The first and most widely Only successful for already known Botnets Two way list of IRC nicknames and applied n-gram analysis IP addresses Other system Honeynet, Honeypots, and Snort good cost and without false positives 14/25

15 DNS Based Detection-1 DNS queries In 2004-05 ideas were given to detect domain names by unusually high or temporary intense DDNS queries. In following year, abnormally recurring NXDOMAIN reply rates approach was proposed. 15/25

16 DNS Based Detection-2 Passive analysis of DNS based Black-hole list (DNSBL) lookup traffic Two problems high false positive cannot detect distributed inspection Hyunsang Choi et al 16/25

17 Anomaly Based Detection-1 high network latency, high volumes of traffic, traffic on unusual ports, and unusual system behavior cannot detect a BOTNET in sleeping mode Binkley and Singh solved by combining TCP based anomaly with IRC tokenization and IRC message statistics to create a system 17/25

18 Anomaly Based Detection-2 Gu et al. have proposed Botsniffer Botnet C&C channels local area network low false positive Basheer Al-Duwairi and Lina Al-Ebbini proposed BotDigger fuzzy logic not work on a specific pattern the most reliable and flexible 18/25

19 Communication Pattern of Botnet -1 Cyber security defenders checks the communication characteristics between a Supervisor-Bot and a Soldier- Bot on transport layer such as for TCP or UDP. Defenders check its source and destination IP, Port and Protocol Identifier. Static characteristics header dynamic characteristics arrival, departure, throughput, and burst time of payload information 19/25

20 Communication Pattern of Botnet-2 selecting precise set of characteristic and defining unique flow as object comparing with other objects provide more information encrypted with the evolution of Botnet data mining techniques are applied on that limited data to overcome the problem 20/25

21 PREVENTION & MITIGATION OF BOTNET In 2007 Collins et al. work to detect future botnet address by the help of unclean network spatial (compromised hosts to cluster) temporal (tendency to contain compromised hosts for extended period) Alex Brodsky et al. proposed a distributed content independent spam classification system to defend from Botnet generated Spam’s. Trend Micro provided Botnet Identification services real- time Botnet C&C bot-master address list 21/25

22 FUTURE PROSPECTS-1 Some of the steps to be taken to study the mind of supervisor- bot are as follow: Make data warehouse of known bots for future use in data mining, and to make an algorithm to use that data as mitigation for attacks. Honeypots based defense is so popular and used mostly; it is predicted and possible that one day supervisor- bots will have a defense mechanism for detection of honeypots in their bots. 22/25

23 FUTURE PROSPECTS-2 To make anti-bot application software which can work against Botnet attack as antivirus does against viruses etc. New Testbeds are required to be developed which allow testing in large-scale network either open or closed environments. Getting of Botnet sample code is required for analyzing but criminals don’t want to examine their malware as well as cyber defender also feels hesitation with un-trusted ones. 23/25

24 CONCLUSION In this survey we analyzed the protocols being used by the Supervisor-bots and how they evolved with the passage of time. How cyber defenders proposed and work for the detection of a cyber-attack from known and unknown BOTNETs and given ideas and techniques for its prevention and mitigation. But unfortunately for prevention and mitigation till now no sufficient work has been done. 24/25

25 25/25

Download ppt "Networking, Sensing and Control (ICNSC), 2013 10th IEEE International Conference on 102064535 黃川洁 1/25."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.

Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,

A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,
Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.

Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.

Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Similar presentations

Ads by Google