Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University


1 Yan Chen
Northwestern Lab for Internet and Security Technology (LIST)
Dept. of Electrical Engineering and Computer Science, Northwestern University
http://list.cs.northwestern.edu
Network-based Botnet Detection: Filtering, Containment, and Destruction
Motorola Liaisons: Z. Judy Fu and Philip R. Roberts, Motorola Labs

2 New Internet Attack Paradigm
Botnets have become the major attack force
Symantec identified an average of about 10,000 bot-infected computers per day
# of botnets: increasing
Bots per botnet: decreasing
–Used to be 80k-140k, now 1000s
More firepower:
–Broadband (1 Mbps up) x 100s = OC3
More stealthy
–Polymorphic, metamorphic, etc.
Residential users, e.g., cable modem users, are particularly susceptible due to poor maintenance

3 Birth of a Bot
Bots are born from program binaries that infect your PC
Various vulnerabilities can be used
–E-mail viruses
–Shellcode (scripts)

4 Botnet Distribution

5 Project Goal
Understand the trend of vulnerabilities and exploits used by the botnets in the wild
Design a vulnerability-based botnet detection and filtering system
–Deployed at routers/base stations w/o patching the end users
–Complementary to the existing intrusion detection/prevention systems
–Can also contain the botnets from infecting inside machines
Find the command & control (C&C) of botnets and destroy it

6 Limitations of Exploit Based Signature
[Figure: flows from the Internet (1010101, 10111101, 11111100, 00010111) pass through traffic filtering into our network; the exploit-based signature 10.*01 blocks some flows (X) but lets others through]
Polymorphic worm might not have exact exploit based signature
Polymorphism!

7 Vulnerability Signature
Works for polymorphic worms
Works for all the worms which target the same vulnerability
[Figure: vulnerability signature traffic filtering between the Internet and our network; every flow that targets the vulnerability is blocked (X)]

8 Emerging Botnet Vulnerability and Exploit Analysis
Large operational honeynet dataset
Massive dataset on the botnet scan with payload
Preliminary analysis shows that the number of new exploits outpaces the # of new vulnerabilities.

            LBL          NU
Sensor      5 /24        10 /24
Traces      883GB        287GB
Duration    37 months    7 months

9 Vulnerability based Botnet Filtering/Containment
Vulnerability Signature IDS/IPS framework
–Detect and filter incoming botnet
–Contain inside bots and quarantine infected customer machines
[Figure: processing pipeline] Packet Sniffing; TCP Reassembly; Protocol Identification: port# or payload; Protocol Parsing; Vulnerability Signature Matching (single matcher matching, combine multiple matchers)
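To make slides 6, 7 and 9 concrete, here is an added Python example; it is not code from the presentation or from the LIST project. It runs a toy version of the slide-9 pipeline (TCP reassembly, protocol identification by port or payload, protocol parsing, and matching that combines several matchers) over constructed flows, and contrasts an exploit-based byte-pattern signature with a vulnerability signature expressed on the parsed protocol field. Everything protocol-specific is an assumption: a constructed one-line "CMD <argument>" protocol on a hypothetical port 7777, a hypothetical 64-byte server buffer as the vulnerable condition, and a constructed NOP-sled pattern standing in for an observed exploit.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# --- Constructed toy protocol and vulnerability (hypothetical, for illustration) ---
# Wire format: one line "CMD <argument>\n". The imagined server copies <argument>
# into a fixed 64-byte buffer without a length check.
TOY_PORT = 7777            # hypothetical port used for port-based identification
ARG_BUFFER_SIZE = 64       # hypothetical size of the vulnerable buffer


@dataclass
class Request:
    command: str
    argument: bytes


def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """TCP reassembly stage (simplified): segments are (relative_seq, data).
    Out-of-order segments are sorted, overlapping retransmits are trimmed,
    and reassembly stops at the first gap."""
    stream = bytearray()
    for seq, data in sorted(segments):
        if seq > len(stream):          # bytes before this segment are still missing
            break
        stream += data[len(stream) - seq:]
    return bytes(stream)


def identify_protocol(dst_port: int, stream: bytes) -> Optional[str]:
    """Protocol identification stage: by port number, falling back to payload."""
    if dst_port == TOY_PORT or stream.startswith(b"CMD "):
        return "toy"
    return None


def parse_request(stream: bytes) -> Optional[Request]:
    """Protocol parsing stage: recover the semantic fields from the byte stream."""
    line, sep, _rest = stream.partition(b"\n")
    if not sep:
        return None                    # request not complete yet
    command, _, argument = line.partition(b" ")
    return Request(command=command.decode("ascii", "replace"), argument=argument)


# Exploit-based signature: a byte pattern lifted from one observed exploit
# (constructed here: an 8-byte NOP sled followed by a two-byte jump).
EXPLOIT_PATTERN = re.compile(rb"\x90{8}\xeb\x1f")


def exploit_signature(stream: bytes, _req: Optional[Request]) -> bool:
    return EXPLOIT_PATTERN.search(stream) is not None


# Vulnerability signature: the protocol-semantic condition that triggers the bug,
# regardless of which bytes the sender puts into the oversized field.
def vulnerability_signature(_stream: bytes, req: Optional[Request]) -> bool:
    return req is not None and req.command == "CMD" and len(req.argument) > ARG_BUFFER_SIZE


MATCHERS: Dict[str, Callable[[bytes, Optional[Request]], bool]] = {
    "exploit": exploit_signature,
    "vulnerability": vulnerability_signature,
}


def inspect_flow(dst_port: int, segments: List[Tuple[int, bytes]]) -> Dict[str, object]:
    """Run the whole pipeline and combine the individual matcher verdicts."""
    stream = reassemble(segments)
    proto = identify_protocol(dst_port, stream)
    req = parse_request(stream) if proto == "toy" else None
    hits = {name: m(stream, req) for name, m in MATCHERS.items()}
    return {"protocol": proto, "matches": hits, "block": any(hits.values())}


# --- Constructed sample flows (not real traffic) ---
BENIGN = [(0, b"CMD hello world\n")]
# The "original" exploit: NOP sled + jump + padding that overruns the 64-byte buffer.
ORIGINAL_EXPLOIT = [(0, b"CMD " + b"\x90" * 8 + b"\xeb\x1f" + b"A" * 100 + b"\n")]
# A polymorphic rewrite: same overflow, no NOP sled, delivered out of order
# with one overlapping retransmitted segment. 190 printable bytes, no 0x90, no newline.
POLY_PAYLOAD = bytes(range(0x20, 0x7F)) * 2
POLYMORPHIC_EXPLOIT = [
    (4, POLY_PAYLOAD[:50]),
    (0, b"CMD "),
    (54, POLY_PAYLOAD[50:] + b"\n"),
    (50, POLY_PAYLOAD[46:60]),         # retransmit overlapping already-seen bytes
]

if __name__ == "__main__":
    for name, flow in [("benign", BENIGN), ("original", ORIGINAL_EXPLOIT),
                       ("polymorphic", POLYMORPHIC_EXPLOIT)]:
        print(name, inspect_flow(TOY_PORT, flow))
```

The byte-pattern matcher catches only the flow it was derived from; the vulnerability matcher catches both variants because it tests the condition the server cannot survive (an argument longer than its buffer), which is what slide 7 means by covering every worm that targets the same vulnerability. The cost, visible in the code, is that the vulnerability signature needs the parsing stage in front of it, which is why the slide-12 results report parsing speed separately from matching speed.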

10 Residential Access: Cable Modems (Introduction 1-10)
Diagram: http://www.cabledatacomnews.com/cmic/diagram.html

11 Snort Rule Data Mining
Exploit signature to vulnerability signature reduction ratio

                  NetBIOS   HTTP    Oracle   SUNRPC   Remaining   Total
Rule %            55.3%     25.8%   5.3%     2.3%     11.3%       100%
PSS %             99.9%     56.0%   96.6%    100%     84.7%       86.7%
Reduction Ratio   67.6      1.2     1.6      2.6      1.7         4.5

PSS means Protocol Semantic Signature
NetBIOS rules include the rules from WINRPC, SMB and NetBIOS protocols

12 Preliminary Results
Experiment Setting
–PC XEON 3.8GHz with 4GB memory
–Real traffic after TCP reassembly preloaded to memory
Experiment Results

                            HTTP        WINRPC
Trace size                  558MB       468MB
#flows                      580K        743K
#PSS Signatures             79          145
#Snort Rules Covered        974         2000+
Parsing Speed               2.893Gbps   15.186Gbps
Parsing + Matching speed    1.033Gbps   13.897Gbps

