We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byKaylee Parsons
Modified over 3 years ago
Symptoms-Based Detection of Bot Processes Jose Andre MoralesErhan Kartaltepe Shouhuai XuRavi Sandhu MMM-ACNS – St Petersburg, Russia 2010 ©2010 Institute for Cyber Security 1 World-Leading Research with Real-World Impact!
Introduction Botnets (centralized & P2P): spam distribution, DoS, DDos, unauthorized FTP, etc. Bot masters lease their botnets = $$$$$$$ Current research focuses on detecting infected bot machines but not the actual process on that machine This is good for botnet identification but for disinfection, process information is mandatory ©2010 Institute for Cyber Security 2 World-Leading Research with Real-World Impact!
Introduction - 2 We attempt to fill this gap by identifying the actual bot process running on compromised machines with behavior based detection of bot/malware symptoms We study the execution behavior of known bot samples and attempt to distinguish characteristics exclusive to a bot and/or malware process We partition the behaviors into symptoms as basis of detection algorithm: Bot network behavior, Unreliable provenance and Stealth mechanisms Use data mining algorithms along with logical evaluation of symptoms to detect bots ©2010 Institute for Cyber Security 3 World-Leading Research with Real-World Impact!
Contributions The process-based identification of: – Bot network behavior, Unreliable provenance, Stealth mechanisms: A formal detection model based on non-trivial use of established data mining algorithms (C4.5). – Generate and evaluate detection models. Results show our methodology has better detection accuracy for both centralized and Peer-to-Peer (P2P) bots than a straightforward use of established data mining algorithms. ©2010 Institute for Cyber Security 4 World-Leading Research with Real-World Impact!
Observed Behaviors B(P) Bot Network: tcp, udp, icmp, dns usage U(P) Unreliable provenance: process self replication and dynamic code injection, & verified digital signature S(P) Stealth mechanisms: lacking a GUI & no user input to execute Analyzed in real time ©2010 Institute for Cyber Security 5 World-Leading Research with Real-World Impact!
Bot Behavior Symptoms DNS/rDNS highly used by bots to: – Locate active remote hosts, harvest new IP addresses – Successful DNS/rDNS should connect, failed should not – Bots may depend on DNS for botnet activity B1: Failed connection attempt to the returned IP address of a successful DNS query. B2: IP address in a successful DNS activity and connection. This is considered normal behavior. B3: Connection attempt to the input IP address of a failed reverse DNS query. ©2010 Institute for Cyber Security 6 World-Leading Research with Real-World Impact!
Unreliable Provenance Symptoms Most malware lack digital signatures, self replicate and dynamically inject other running processes with malicious code U1: Standalone executables static file image does not have a digital signature. U2: Dynamic code injectors static file image does not have a digital signature. U3: Creator of processs static file image does not have a digital signature. ©2010 Institute for Cyber Security 7 World-Leading Research with Real-World Impact!
Stealth Mechanism Symptoms Malware execute in silent mode requiring no user interaction: no GUI & no user input S1: Graphical user interface. A process executing without a GUI S2: Human computer interface. A process executing without reading keyboard or mouse events is considered to have a stealth mechanism. ©2010 Institute for Cyber Security 8 World-Leading Research with Real-World Impact!
Evaluation Four symptom evaluations to predict a bot: Bot(P) -> T or F Bot( ) constructed by function f as follows: – f0: established data mining algorithm J48 – f1: B(P) or (U(P) and S(P)) – f2: B(P) and (U(P) or S(P)) – f3: B(P) and U(P) and S(P) F3 most restrictive requiring all three symptoms present to identify a bot Evaluations partially based on J48 classification trees ©2010 Institute for Cyber Security 9 World-Leading Research with Real-World Impact!
Data Collection – Training Set Vmware workstation: XP-SP2; Windows network monitor, sigcheck, various hooking techniques, 20 bot & 62 benign processes 4 active bots: virut, waledac, wopla & bobax 5 inactive bots: nugache, wootbot, gobot, spybot & storm 41 benign applications Bots executed for 12 hour period, results drawn from post analysis of log files Benign data collected on two laptops 12 hour period: FTP, surfing, P2P, instant messaging and software updates Bots and benign samples executed multiple times ©2010 Institute for Cyber Security 10 World-Leading Research with Real-World Impact!
Data Collection – Test Set Test data collected on 5 laptops – Minimal security – No recent malware scans – 8 to 12 hours Post scan malware analysis revealed two bot processes – Cutwail bot: servwin.exe – Virut bot: TMP94.tmp Cutwail bot not part of training set Test set consisted of 34 processes including 2 bot processes, the rest were assumed benign Several benign processes not part of training set ©2010 Institute for Cyber Security World-Leading Research with Real-World Impact! 11
Bot Predictions ©2010 Institute for Cyber Security 12 World-Leading Research with Real-World Impact!
Bot Predictions ©2010 Institute for Cyber Security 13 World-Leading Research with Real-World Impact!
Bot Predictions ©2010 Institute for Cyber Security 14 World-Leading Research with Real-World Impact!
Prediction Results f0: simplistic use of J48 classifier; 2 FP, 0 FN. f1: least restrictive; 6 FP, 0 FN. B(P) or (U(P) and S(P)) f2: more restrictive; 3 FP, 0 FN B(P) and (U(P) or S(P)) f3: most restrictive; 0 FP, 0 FN B(P) and U(P) and S(P) ©2010 Institute for Cyber Security World-Leading Research with Real-World Impact! 15
Discussion FP were a mix of browsers, FTP, video streamers, P2P & torrent clients Both bots in test set detected by all 4 functions. The different functions f only served to eliminate FP F3 gave the best results by eliminating all FP, suggesting a high restriction can improve results in bot detection F1 & F2 with weaker restrictions produced more false positives but may be applicable in detecting non-bot malware Symptoms B1, B2, U1, U2 & S1 used in final bot prediction; S1 most dominant with 13 processes – Several benign samples were system services running in background ©2010 Institute for Cyber Security World-Leading Research with Real-World Impact! 16
Conclusion Presented 3 sets of symptoms usable in detecting bot processes Enhances current research which focuses most on bot machines Results drawn from real time data collection Most restrictive evaluation most suitable for bot detection, but combining with less restrictive may detect broader range of bots and non-bot malware Future Work: identify more symptoms, test with kernel based bots and implement automated detection techniques ©2010 Institute for Cyber Security World-Leading Research with Real-World Impact! 17
THANK YOU ! QUESTIONS? вопрос ©2010 Institute for Cyber Security World-Leading Research with Real-World Impact! 18
Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.
Analyzing DNS Activities of Bot Processes Dr. Jose Andre Morales Areej Al-Bataineh Dr. Shouhuai Xu Dr.Ravi Sandhu 4th International Conference on Malicious.
Evaluating Detection & Treatment Effectiveness of Commercial Anti-Malware Programs Jose Andre Morales, Ravi Sandhu, Shouhuai Xu Institute for Cyber Security.
Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Modelling uncertainty in 3APL Johan Kwisthout Master Thesis
UNCLASSIFIED © 2011 Carnegie Mellon University Building Malware Infection Trees Jose Andre Morales 1, Michael Main 2, Weilang Luo 3, Shouhuai Xu 2,3, Ravi.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.
A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.
Addition 1’s to
BotNet Detection Techniques By Shreyas Sali Course: Network Security (CSCI – 5235) Instructor: Dr. T Andrew Yang.
1 Verification by Model Checking. 2 Part 1 : Motivation.
2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.
Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.
Executional Architecture Lecture Conceptual vs execution Conceptual Architecture Execution Architecture Component Connector Domain-level responsibilities.
Speaker: Hom-Jay Hom Date:2009/10/20 Botnet Research Survey Zhaosheng Zhu. et al July 28-August
Computer virus Speaker : 蔡尚倫. Introduction Infection target Infection techniques Outline.
Addition Facts = = =
ACT User Meeting June Your entitlements window Entitlements, roles and v1 security overview Problems with v1 security Tasks, jobs and v2 security.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
General Information Software Robot Benri. Characteristics 1. Connect up to 16 cameras. 2. Do six different type of detections. 3. Define sub-areas where.
BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections, L. Lu et al. BLADE: An Attack-Agnostic Approach for Preventing Drive-By.
Analyzing Malware Detection Efficiency with Multiple Anti-Malware Programs Dr. Jose A. Morales – Software Engineering Institute, Carnegie Mellon University.
Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
Walowdac:Analysis of a Peer-to-Peer Botnet 林佳宜 NTOU CSIE 11/19/
1 WATER AUTHORITY Dr. Or Goldfarb CENTRAL BUREAU of STATISTICS Zaur Ibragimov Water Accounts in Israel Vienna January 2009.
October 20-23rd, 2015 Sandboxing and Reasoning on Malware Infection Trees Kris Ghosh 1, Jose Morales 2, Will Casey 2 and Bud Mishra 3 1. Miami University.
DATABASE SYSTEM CONCEPTS AND ARCHITECTURE CHAPTER 2 1.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Cross-Analysis of Botnet Victims: New Insights and Implication Seungwon Shin, Raymond Lin, Guofei Gu Presented by Bert Huang.
INTRODUCTION TO SIMULATION WITH OMNET++ José Daniel García Sánchez ARCOS Group – University Carlos III of Madrid.
A New Method for Symmetric NAT Traversal in UDP and TCP Yuan Wei & Daisuke Yamada & Suguru Yoshida & Shigeki Goto Waseda University
Powerpoint presentation on Drive-by download attack -By Yogita Goyal.
1 A Test Automation Tool For Java Applets Testing of Web Applications TATJA Program Demonstration Conclusions By Matthew Xuereb.
KFSensor Honeypot and Intrusion Detection System Sunil Gurung [60-475] Security and Privacy on the Internet.
Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.
Lorenzo Martignoni, Elizabeth Stinson, Matt Fredrikson, Somesh Jha, John Mitchell RAID
Mastering Windows Network Forensics and Investigation Chapter 10: Introduction to Malware.
10 Systems Analysis and Design in a Changing World, Fifth Edition.
CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman.
Remote - DSP Lab for Distance Education Kalantzopoulos Athanasios, Karageorgopoulos Dimitrios Zigouris Evangelos Electronics Laboratory, Electronics &
Intrusion Detection Dr. Neminath Hubballi IIT Indore © Neminah Hubballi.
WEEK 1 You have 10 seconds to name…
10 Chapter 10: The Traditional Approach to Design Systems Analysis and Design in a Changing World, 3 rd Edition.
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
© 2017 SlidePlayer.com Inc. All rights reserved.