Presentation is loading. Please wait.

Presentation is loading. Please wait.

Speaker:Chiang Hong-Ren An Investigation and Implementation of Botnet Detection Schemes.

Published byCarmella Corey Ward Modified over 8 years ago

Similar presentations

Presentation on theme: "Speaker:Chiang Hong-Ren An Investigation and Implementation of Botnet Detection Schemes."— Presentation transcript:

1 Speaker:Chiang Hong-Ren An Investigation and Implementation of Botnet Detection Schemes

2 Outline 2 2016/2/6 Abstract Introduction Botnet Environment Data analysis Traffic analysis Threshold Random Walk Evaluation Conclusion

3 Abstract 3 2016/2/6 The nature of a Botnet is not specific malware, but instead the metheod, that possibly comprised of thousands or millions hosts controlled by hackers. The tool uses integrated system information to help users to identify unexpected network connections. Since a bot is a program running on a host, its behavior and response time is supra-human and we use the TRW algorithm for online detection.

4 Introduction 4 2016/2/6 To resolve the problem, we analyze about botnet characteristics and propose a botnet emulation toolkit and a detection scheme. How big is the problem?  Vint Cerf presume about one quarter of all computers part of a botnet. Botnet features  Host Control  Command and control  Exploits and attack Assumptions  Observations-Most bots parasited on personal computer that unlike other internet incidents.  Bot herders control bots whole the uptime

5 Botnet environment(1/2) 5 2016/2/6 Fig. 1. Environment topology Support Software  Cygwin- Cygwin is a Linux- like environment for Windows.  SSH- SSH is a network protocol that allows data to be exchanged using a secure channel between two computers.  IRC Server- Hybrid IRC daemon is a daemon for serving and controlling an IRC network.

6 Botnet environment(2/2) 6 2016/2/6 Experiment process  Parameter Setting  Environment Setup  Launch Bots

7 Data analysis(1/2) 7 2016/2/6 Response time - The response time means it start from a sender send a message to a receiver then the receiver get the message and end from the receiver answer the response. Data source  The botnet traffic is monitored in testbed used the emulation toolkit.  we acquired a number of SDbots traces in the herder and bots side.  The herder using a common unix irc client, irssi.  We also collected three kinds of client traffic in difference protocols, such as IRC, HTTP and ssh. Similarity examinations  Temporal similarity - Bots reply the messages at the close time.  All bots receive the same command, the should do the same activity such as connect to the same host.  Even the messages are encrypted, the sizes are still the same.

8 Data analysis(2/2) 8 2016/2/6 Supra-human behaviors Service-like response Quick request

9 Traffic analysis 9 2016/2/6

10 Threshold Random Walk 10 2016/2/6 Accept hypothesis H 1 Accept hypothesis H 0 Need more observations

11 Evaluation 11 2016/2/6

12 Conclusion 12 2016/2/6 The goal of this study is to find a host is a bot or not. We had three implementation that purpose to achieve the goal. Our emulation toolkit combined several script for Emulab that is useful for researchers who are interesting IRC botnet behavior. One basically is a tool integrated several system utilities the other one is a dectection module of IDS bro that based on network analysis.

Download ppt "Speaker:Chiang Hong-Ren An Investigation and Implementation of Botnet Detection Schemes."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
SOCELLBOT: A New Botnet Design to Infect Smartphones via Online Social Networking 2012 25 th IEEE Canadian Conference on Electrical and Computer Engineering(CCECE)

SOCELLBOT: A New Botnet Design to Infect Smartphones via Online Social Networking th IEEE Canadian Conference on Electrical and Computer Engineering(CCECE)
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,

A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
A Distributed Proxy Server for Wireless Mobile Web Service Kisup Kim, Hyukjoon Lee, and Kwangsue Chung Information Network 2001, 15 th Conference.

A Distributed Proxy Server for Wireless Mobile Web Service Kisup Kim, Hyukjoon Lee, and Kwangsue Chung Information Network 2001, 15 th Conference.
School of Computer Science and Information Systems

School of Computer Science and Information Systems
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

Similar presentations

Ads by Google