
Botnet Attribution and Removal: From Axioms to Theory to Practice Wenke Lee (PI) College of Computing Georgia Institute of Technology ONR MURI N000140911042.




1 Botnet Attribution and Removal: From Axioms to Theory to Practice
Wenke Lee (PI), College of Computing, Georgia Institute of Technology
ONR MURI N000140911042
Project Kick-off Meeting, November 20, 2009

2 Project Team
11/20/09 ONR MURI Project Kick-Off
Wenke, David, Nick, Jon, Kang, Giovanni, Farnam, Michael, John, Chris

3 Project Team (contd)
Georgia Tech
  – Wenke Lee (Ph.D. 1999, Columbia)
  – Nick Feamster (Ph.D. 2005, MIT)
  – Jon Giffin (Ph.D. 2006, Wisconsin)
  – David Dagon (Ph.D. 2009/10?, Georgia Tech)
Michigan
  – Kang Shin (Ph.D. 1978, Cornell)
  – Farnam Jahanian (Ph.D. 1989, Texas)
  – Michael Bailey (Ph.D. 2006, Michigan)
Stanford
  – John Mitchell (Ph.D. 1984, MIT)
UC Santa Barbara
  – Giovanni Vigna (Ph.D. 1998, Politecnico di Milano)
  – Christopher Kruegel (Ph.D. 2002, Technical University of Vienna)

4 Project Overview
A botnet is a network of compromised computers (bots) under the control of an attacker
  – Platform for most of the cyber attacks and fraudulent activities
IA problems addressed
  – What are the intrinsic properties of botnets?
  – What are fundamental approaches to detect and remove all current and future botnets? And how to develop them?

5 Project Overview
An overarching framework that covers all aspects of the botnet lifecycle and the entire network stack/scale, rather than a collection of point solutions.
A systematic and scientific approach to design robust botnet detection and analysis algorithms, rather than ad-hoc and brittle techniques.

6 Project Overview (contd)
Approaches
  – Analyze the intrinsic/invariant properties of botnets
  – Derive the axioms, or the necessary and possible host-, network- and Internet-level botnet behaviors that are due to these properties
  – From the axioms, develop the principles or theories for detecting and stopping these botnet behaviors
  – Put the theories into practice by developing practical algorithms and systems

7 Project Overview (contd)
Approach example
  – Analyze essential properties of the botnet lifecycle
    E.g., botnets are valuable, long-term resources
  – Derive axioms that directly follow from the properties
    E.g., botnets need to have agility to evade detection and removal
  – Derive theories from the axioms
    E.g., by detecting and neutralizing the sources of network agility, we can limit botnets' evasion capabilities and thus make botnets easier to detect and remove
  – Apply the theories to practice
    E.g., an on-line detection of naming (DNS) based agility

8 Project Overview (contd)
Capabilities to offer
  – Innovative and foundational solutions to enable
    End-hosts to identify bot activities on the host and block bot-related traffic
    Enterprise networks to identify hosts that participate in botnet activities on the Internet and accordingly block such traffic
    Internet core to detect anomalies in basic Internet protocols, identify the servers used to support botnet operations, and accordingly disrupt or even remove the botnets
  – Technology transfer and commercialization
    PIs connected to Damballa and Arbor Networks

9 Research Areas
Theory and taxonomy
  – Essential properties, axioms and theories: Lee, Mitchell, Dagon, Bailey
  – Taxonomy: Bailey, Dagon, Mitchell, Lee
  – Metrics, network and game theory models: Mitchell, Dagon, Feamster, Jahanian
Epidemiology models
  – Population estimates and threat assessment: Jahanian, Dagon, Feamster, Shin

10 Research Areas (contd)
Essential properties of botnets call for multifaceted detection and analysis approaches
  – Bots are compromised computers: malware
  – Bot traffic is not sent/authorized by users: host/user activities
  – C&C required to form/maintain botnet: bot programs, network/Internet traffic
  – Bots used for attacks and frauds: bot programs, network/Internet traffic
  – Bots are long-term resources: reuse models, and mechanisms/protocols to support agility
  – Man behind the bots reaping the profit: management servers or mothership

11 Research Areas (contd)
Detection and analysis
  – Malware and malicious web pages/scripts: Kruegel, Bailey, Giffin, Lee
  – Host activities and network/Internet traffic: Giffin, Feamster, Mitchell, Jahanian, Lee
  – Agile C&C and activity infrastructures: Shin, Feamster, Jahanian, Dagon
  – Long-lived and reused bots: Feamster, Bailey, Vigna, Dagon
  – Motherships: Vigna, Shin, Dagon, Feamster

12 Research Areas (contd)
Theoretical work validates intuitions and directs development and evaluation of detection and analysis algorithms for current and future botnets
For example
  – A botnet has long-term utility, which depends on its network model

13 Research Areas (contd)
  – Agility thus helps preserve botnet utility
  – Realization in the Internet: DDNS, fast-flux, new domain daily (hourly?)
    Scale and layers of agile control
  – Metrics, network and game theory models provide a theoretical understanding of the possibilities and trade-offs of botnet agility
    Basis to fight future botnets
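Slides 7 and 13 name two concrete forms of naming agility that the approach example proposes to detect on-line: fast-flux (one name resolving to many short-TTL addresses across unrelated networks) and daily domain churn (many fresh names under one zone). The block below is an added illustration of what such a detector looks like over resolver logs; it is not the project's code, and the log lines, thresholds (TTL at most 300 s, at least 5 addresses in at least 3 distinct /24 prefixes, at least 2 new names per zone per day) and the two-label "registered domain" shortcut are all constructed assumptions for the example.

```python
"""Score DNS resolver logs for naming agility (fast-flux and daily domain churn).

Added example, not the MURI project's code. Log format, hosts and thresholds are
constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

# Constructed resolver log: "<timestamp> <qname> <ttl> <A-record>" per line.
SAMPLE_LOG = """\
2009-11-20T10:00:01 www.example.org 3600 203.0.113.10
2009-11-20T10:05:02 www.example.org 3600 203.0.113.10
2009-11-20T10:10:03 www.example.org 3600 203.0.113.10
2009-11-20T10:00:05 cdn.example.net 60 198.51.100.7
2009-11-20T10:01:05 cdn.example.net 60 198.51.100.8
2009-11-20T10:02:05 cdn.example.net 60 198.51.100.9
2009-11-20T10:00:07 login.flux.example 120 192.0.2.15
2009-11-20T10:02:07 login.flux.example 120 198.51.100.44
2009-11-20T10:04:07 login.flux.example 120 203.0.113.77
2009-11-20T10:06:07 login.flux.example 120 192.0.2.201
2009-11-20T10:08:07 login.flux.example 120 198.51.100.130
2009-11-20T10:10:07 login.flux.example 120 203.0.113.9
2009-11-20T09:00:00 q7x1kd.churn.example 600 192.0.2.50
2009-11-20T15:00:00 m2p9zt.churn.example 600 192.0.2.50
2009-11-21T09:00:00 ab4ncv.churn.example 600 192.0.2.51
2009-11-21T15:00:00 zz8rtk.churn.example 600 192.0.2.51
"""


@dataclass
class NameStats:
    """Per-qname aggregate: every TTL seen, distinct addresses, distinct prefixes."""
    ttls: list = field(default_factory=list)
    ips: set = field(default_factory=set)
    prefixes: set = field(default_factory=set)


def parse_log(text):
    """Turn the constructed log text into (timestamp, qname, ttl, ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, qname, ttl, ip = line.split()
        records.append((ts, qname.lower().rstrip("."), int(ttl), ipaddress.ip_address(ip)))
    return records


def registered_domain(qname):
    """Assumption: the zone is the last two labels (a real deployment would use a public-suffix list)."""
    return ".".join(qname.split(".")[-2:])


def network_prefix(ip):
    """Coarse 'which network' key: /24 for IPv4, /48 for IPv6."""
    bits = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)


def fast_flux_candidates(records, ttl_max=300, min_ips=5, min_prefixes=3):
    """Flag names with short TTLs whose answers spread across many addresses in many networks.

    A CDN also uses short TTLs, but its addresses usually sit in few prefixes, so the
    prefix-count condition keeps it out of the result.
    """
    stats = defaultdict(NameStats)
    for _, qname, ttl, ip in records:
        s = stats[qname]
        s.ttls.append(ttl)
        s.ips.add(ip)
        s.prefixes.add(network_prefix(ip))
    flagged = {}
    for qname, s in stats.items():
        if max(s.ttls) <= ttl_max and len(s.ips) >= min_ips and len(s.prefixes) >= min_prefixes:
            flagged[qname] = {"ips": len(s.ips), "prefixes": len(s.prefixes), "max_ttl": max(s.ttls)}
    return flagged


def naming_churn(records, names_per_day=2.0):
    """Flag zones that produce many distinct child names per day ("new domain daily")."""
    per_zone = defaultdict(lambda: defaultdict(set))  # zone -> day -> {qnames}
    for ts, qname, _, _ in records:
        per_zone[registered_domain(qname)][ts[:10]].add(qname)
    churning = {}
    for zone, days in per_zone.items():
        avg = sum(len(names) for names in days.values()) / len(days)
        if avg >= names_per_day:
            churning[zone] = round(avg, 2)
    return churning


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("fast-flux candidates:", fast_flux_candidates(recs))
    print("churning zones:", naming_churn(recs))
```

On the constructed log, `login.flux.example` is the only fast-flux candidate (six addresses in three /24s with a 120 s TTL), `cdn.example.net` stays clear because its three short-TTL answers all sit in one /24, and `churn.example` is the only zone reported for churn (two fresh names on each of two days). The thresholds are the tunable part: in a real resolver feed they would be set from a baseline of benign short-TTL services, which is exactly the "metrics" work slide 13 describes.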

14 Plan and Milestones

15 Evaluation and Technology Insertion
PIs have a long history of dataset collection and network measurement and thus have access to a wide variety of production datasets, including:
  – DNS, spam, malware, and alert data via SIE
  – BGP and netflow data from ISPs
  – Malware collections and exchanges
Deployment and evaluation in operational environments in departments, universities, and upstream service providers
PIs have strong ties to industry (e.g., Arbor and Damballa), and have participated in DHS-led efforts to deploy technologies in government agencies

16 Project Management and Student Education
Project web site at Georgia Tech
  – Public pages showcasing the project: http://onrbotnet.gtisc.gatech.edu/
  – Private wiki for project team and PM to share data, software, and reports: http://onrbotnet.gtisc.gatech.edu/wiki
Bi-yearly project meeting
  – One co-located with a major security conference, and the other on a campus
Education
  – 15 Ph.D. students, 1-3 post docs
  – Exchange summer interns, post docs

17 Related Projects and Support
NSF CLEANSE, total $1.2M
  – Georgia Tech and Michigan (and UNC, SRI, ISC)
  – Large-scale monitoring of core Internet services such as DNS and BGP
DHS botnet projects
  – Michigan and Georgia Tech, separate
  – Tech transfer and deployment
NSF, AFRL, ARO, and ONR IA projects
  – All PIs; focused/specific areas such as malware on cell phones




