RB-Seeker: Auto-detection of Redirection Botnet (Presenter: Yi-Ren Yeh; Authors: Xin Hu, Matthew Knysz, Kang G. Shin; NDSS 2009)


1 RB-Seeker: Auto-detection of Redirection Botnet
Presenter: Yi-Ren Yeh
Authors: Xin Hu, Matthew Knysz, Kang G. Shin
NDSS 2009
The slides are modified from the authors' slides: https://ftp.isoc.org/isoc/conferences/ndss/09/slides/10.pdf

2 Outline
- Motivation of RB-Seeker
- System Architecture
- Overview of subsystems
- Evaluation of results
- Conclusion

3 Redirection/Proxy Botnet
- Redirect users to malicious servers
  o Additional layer of misdirection
  o Protect mothership servers
  o Evade URL-based detection or IP-based blacklists

4 Motivation of RB-Seeker
- Botnets are an ideal source of redirection/proxy servers
- Botnets are used for multiple purposes/scams
- Previous research: detection of the C&C channel

5 Overview of RB-Seeker
- Automatic detection of redirection/proxy botnets
- Utilizes 3 cooperating subsystems
- Behavior-based detection
- Quick identification of aggressive botnets (FP < 0.01%)
  o Advertise many IPs per query
  o Change IPs very often (short TTL)
- Accurate identification of stealthy botnets
  o Advertise few IPs per query
  o Change IPs more slowly (very small TTL, closely monitored)

6 System Architecture

7

8 SSS: Spam Source Subsystem
- Redirection/proxy botnets are commonly used by spam/phishing campaigns
- SSS exploits this close relationship
  o Real-time collection of spam e-mails: > 50,000 monthly

9 SSS: Spam Source Subsystem
- Extract embedded URLs from message bodies
- Probe extracted URLs to identify redirection URL links
- Domains added to the redirection domain database

10 System Architecture

11 NAS: NetFlow Analysis Subsystem
- Use NetFlow because:
  o Inspecting packet contents incurs too much overhead
  o Privacy concerns
- Spammers send image- or PDF-based e-mails
  o Evade content-based filtering
- User redirected to the RBnet by clicking on a malicious webpage
- Inspecting each e-mail is not always possible
  o Privacy concerns/laws

12 NAS: NetFlow Analysis Subsystem
- NetFlow: collected at the core router on campus
- Looks for suspicious redirection attempts
  o Without analyzing packet contents

13 NAS: NetFlow Analysis Subsystem
- Sequential hypothesis testing on:
  o Flow size, inter-flow duration, and flow duration

14 NAS: NetFlow Analysis Subsystem
- Identifies IPs participating in redirection
  o A correlation engine uses DNS logs to add the domains participating in redirection to the redirection domain db

15 NAS: NetFlow Analysis Subsystem
- Redirection: servers identified as redirection, obtained from SSS
- Normal: normal web browsing over 2 days (redirection removed)

16 System Architecture

17 a-DADS: active DNS Anomaly Detection Subsystem
- Actively performs DNS queries on domains in the redirection domain db
- Uses a CDN Filter to remove Content Delivery Networks
  o CDNs behave similarly to redirection/proxy botnets
  o Recursively removes

18 a-DADS: active DNS Anomaly Detection Subsystem
- IP usage:
  o RBnets will accrue more unique IPs over time
  o RBnets will have more unique IPs per valid query
- Reverse DNS names with "bad words"
  o e.g., broadband, cable, comcast, charter, etc.
- AS count
  o Number of different ASes the IPs belong to
  o RBnets consist of home computers scattered geographically

19 a-DADS: active DNS Anomaly Detection Subsystem
- Applies a 2-tier linear SVM on the remaining domains
  o Trained on: 124 valid, 18 aggressive, 10 stealth
  o 10-fold cross validation on multiple classifiers: kNN, decision tree, naive Bayes, various SVMs and kernel functions

20 a-DADS: active DNS Anomaly Detection Subsystem
- SVM-1:
  o Detects Aggressive RBnets based on 2 valid queries
  o Features: unique IPs, number of ASes, DNS "bad words"

21 a-DADS: active DNS Anomaly Detection Subsystem (figure slide: SVM-1 results)

22 a-DADS: active DNS Anomaly Detection Subsystem
- SVM-2:
  o Detects Stealth RBnets using a week of DNS queries
  o Features: unique IPs, number of ASes
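To make the a-DADS features of slide 18 concrete, and to show the different query windows that SVM-1 (slide 20) and SVM-2 (slide 22) operate on, here is an added example that is not the authors' code. The DNS answers, reverse-DNS names and AS numbers are constructed, and the bad-word list is the four examples the slide gives.

```python
# Constructed sample (not from the paper): three lookups of one suspect
# domain, as (seconds since first query, A records returned). Every IP,
# reverse-DNS name and AS number below is made up.
QUERIES = [
    (0,    ["203.0.113.10", "203.0.113.11", "198.51.100.5"]),
    (1800, ["203.0.113.12", "192.0.2.7", "198.51.100.5"]),
    (3600, ["192.0.2.8", "192.0.2.9", "203.0.113.13"]),
]
RDNS = {  # hypothetical PTR results; a real a-DADS would query them live
    "203.0.113.10": "c-203-0-113-10.hsd1.comcast.example",
    "203.0.113.11": "pool-203-0-113-11.broadband.example",
    "198.51.100.5": "web5.hosting.example",
    "203.0.113.12": "cpe-203-0-113-12.cable.example",
    "192.0.2.7":    "dyn-192-0-2-7.charter.example",
    "192.0.2.8":    "host8.colo.example",
    "192.0.2.9":    "ip-192-0-2-9.cable.example",
    "203.0.113.13": "c-203-0-113-13.hsd1.comcast.example",
}
ASN = {  # hypothetical IP -> AS number map (BGP/whois data in practice)
    "203.0.113.10": 64496, "203.0.113.11": 64496, "203.0.113.12": 64496,
    "203.0.113.13": 64496, "198.51.100.5": 64500, "192.0.2.7": 64501,
    "192.0.2.8": 64502, "192.0.2.9": 64503,
}
# Residential-ISP indicators listed on slide 18; a deployment would extend this.
BAD_WORDS = ("broadband", "cable", "comcast", "charter")

def has_bad_word(name):
    """True if a reverse-DNS name suggests a home/consumer connection."""
    name = name.lower()
    return any(word in name for word in BAD_WORDS)

def extract_features(queries, rdns, asn):
    """Slide-18 features over a window of DNS lookups.
    SVM-1 sees a 2-query window; SVM-2 sees about a week of queries."""
    seen, cumulative = set(), []
    for _, ips in queries:
        seen.update(ips)
        cumulative.append(len(seen))          # unique IPs accrued over time
    n = len(seen)
    bad = sum(1 for ip in seen if has_bad_word(rdns.get(ip, "")))
    return {
        "unique_ips": n,
        "ips_per_query": sum(len(ips) for _, ips in queries) / max(len(queries), 1),
        "as_count": len({asn[ip] for ip in seen if ip in asn}),
        "bad_word_ratio": bad / n if n else 0.0,
        "cumulative_unique_ips": cumulative,
    }
if __name__ == "__main__":
    print(extract_features(QUERIES[:2], RDNS, ASN))   # the window SVM-1 would see
    print(extract_features(QUERIES, RDNS, ASN))       # a longer window, as for SVM-2
```

The feature dictionaries are what would be fed to the trained classifiers; the 2-tier split means a domain that SVM-1 does not flag keeps being queried so SVM-2 can decide on the longer window.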

23 a-DADS: active DNS Anomaly Detection Subsystem (figure slide: SVM-2 results)

24 Evaluation of Results
- SSS and NAS identified 91,600+ suspicious domains over a 2-month period
- a-DADS CDN Filter
  o Removed 5,005 CDN domains
  o Recursion: 16.8% increase in identified CDN domains (13.1% in IPs)
  o A similar technique for valid domains reduced this to 35,000+ domains to be monitored

25 Evaluation of Results (figure slide)

26 Aggressive RBnets: Redirection vs. Proxy Botnets (figure slide)

27 Stealth RBnets (figure slide)

28 Evaluation of Results
- FFSN detector:
  o Detected 124 of the 125 Aggressive RBnets
  o 1 FP: the same as ours (mozilla.org)
  o Missed all the Stealth RBnets

29 Conclusion
- Designed and implemented a system for detecting redirection/proxy botnets
- Uses network detection techniques
  o Multiple data sources readily available in enterprise network environments
- Behavior-based detection works regardless of the C&C protocol or structure used
- Capable of detecting Aggressive and Stealthy RBnets
- Automatic detection with low false positives (< 0.01%)

