BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

Outline
o Introduction to botnets
o BotMiner Detection Framework
o Experiment Setup
o Results
o Limitations
o Other weaknesses
o Questions

Introduction to botnets
o Botnet background
o Structure of botnets
   Centralized botnet
   Decentralized botnet
o Botnet attack facilitator
   Internet Relay Chat (IRC)
   Fast-flux
     - Single-flux
     - Double-flux
   Domain-flux

Botnet background
o A botnet is a network of computers compromised by malware called bots
o A botmaster can command the bots under his control to perform many activities
   DDoS attacks
   Spamming
   Stealing sensitive information
   Click fraud
   Fast flux
   Recruiting other hosts

Structure of botnets (1)
o Centralized botnet
   Has a central point for exchanging commands and data, called the command and control server (C&C server)
   The C&C server usually runs a network service such as IRC or HTTP
   Bots connect to the C&C server and wait for commands

Structure of botnets (2)
o Centralized botnet (diagram)

Structure of botnets (3)
o Decentralized botnet
   Each bot can act as both client and server, using the idea of peer-to-peer (P2P) communication
   Each bot has to connect to other bots
   Still needs some gathering place

Structure of botnets (4)
o Decentralized botnet (diagram)

Structure of botnets (5)
o Pros
   Centralized botnet
     - Small latency
     - High synchronization
   Decentralized botnet
     - Hard to take down
     - Hard to detect

Structure of botnets (6)
o Cons
   Centralized botnet
     - Easy to take down
     - Easy to detect
   Decentralized botnet
     - High latency
     - Poor synchronization

Botnet attack facilitator (1)
o Internet Relay Chat (IRC)
   A protocol for live chat
   Mainly designed for group communication
   Allows sending text messages and file sharing
   Clients have to connect to an IRC server
   Clients can join or create a chat room on the server, called a channel

o Fast-flux  Single-flux Having multiple IP address register to a single domain name Each IP address is registered and de-registered rapidly with short TTL, possible to be as short as 3 minutes Botnet attack facilitator (2)

o Fast-flux  Double-flux It is a more advance version of single flux by adding one layer of domain name server flux Multiple DNS servers are registered and de-registered Each DNS server also have multiple IP addresses for the domain name Botnet attack facilitator (3)

Botnet attack facilitator (4)
o Domain-flux
   A technique for a botnet to hide its C&C server, or the gathering point of a P2P botnet
   Each bot generates a list of domain names using a certain algorithm and tries to locate its central point among those names in order to receive commands

BotMiner Detection Framework
o Traffic monitor
   A-plane monitor
   C-plane monitor
o A-plane clustering
o C-plane clustering
o Cross-plane correlation

Traffic monitor (1)
o A-plane monitor
   Monitors and logs internal host activities
   Uses SCADE (Statistical sCan Anomaly Detection Engine) from BotHunter to detect high rates of scan activity and high rates of failed connections
   Detects spam-related activities by checking Simple Mail Transfer Protocol (SMTP) connections to mail servers
   Detects suspicious binary download activities and IRC bots

Traffic monitor (2)
o C-plane monitor
   Monitors and logs flow records
     - time
     - duration
     - source IP
     - source port
     - destination IP
     - destination port
     - number of packets and bytes transferred in both directions

A-plane clustering (1)
o List the clients that performed suspicious activities
o Cluster them by type of activity: scan, spam, binary downloading, exploit
o Cluster further within each activity type

A-plane clustering (2)

C-plane clustering (1)
o Read and cluster the log from the C-plane monitor
o Clustering method
   Basic filtering: filter out flows initiated by external hosts and flows between internal hosts
   Whitelisting: filter out flows to legitimate servers
   Aggregation into C-flows: all flows that share protocol, source and destination IP, and port are grouped together

C-plane clustering (2)
o Translate each C-flow into vectors
   Compute 4 variables, each as a vector with 13 elements
     - the number of flows per hour (fph)
     - the number of packets per flow (ppf)
     - the average number of bytes per packet (bpp)
     - the average number of bytes per second (bps)
o Reduce the total of 52 features to 8 features by computing the mean and variance of each vector

C-plane clustering (3)
o Step 1: perform coarse-grained clustering using only the 8 reduced features
o Step 2: perform another clustering on each cluster from step 1 using the complete 52 features
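The C-plane pipeline on the last three slides (aggregate flows into C-flows, compute fph/ppf/bpp/bps, build four 13-element distribution vectors, reduce to 8 mean/variance features, then cluster in two steps) is shown end to end below as an added example. It is not the authors' code: the flow records are constructed, the C-flow key follows the BotMiner paper's definition (protocol, source IP, destination IP, destination port), the bin ranges and distance thresholds are assumptions, and a simple greedy threshold clustering stands in for the X-means clustering BotMiner actually uses.

```python
from collections import defaultdict
from statistics import mean, pvariance

# Constructed flow records, as a C-plane monitor would log them (not real traffic).
# Hosts 10.0.0.1-3 talk to the same server on the same port with the same rhythm;
# 10.0.0.9 is an ordinary web client with irregular flows.
FLOWS = []
for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
    for hour in range(3):
        FLOWS.append({"time": hour * 3600 + 5, "duration": 60, "src": host, "dst": "203.0.113.5",
                      "dport": 6667, "proto": "tcp", "packets": 10, "bytes": 600})
FLOWS += [
    {"time": 0, "duration": 2, "src": "10.0.0.9", "dst": "198.51.100.7", "dport": 80, "proto": "tcp", "packets": 40, "bytes": 30000},
    {"time": 100, "duration": 5, "src": "10.0.0.9", "dst": "198.51.100.7", "dport": 80, "proto": "tcp", "packets": 80, "bytes": 120000},
    {"time": 3700, "duration": 1, "src": "10.0.0.9", "dst": "198.51.100.7", "dport": 80, "proto": "tcp", "packets": 20, "bytes": 10000},
]

BINS = 13
# Fixed value ranges used to bin each variable (assumption; the slides do not give bin edges).
RANGES = {"fph": (0, 60), "ppf": (0, 100), "bpp": (0, 1500), "bps": (0, 100_000)}

def cflows(flows):
    """Aggregate flows into C-flows keyed by (protocol, source IP, destination IP, destination port)."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["proto"], f["src"], f["dst"], f["dport"])].append(f)
    return groups

def raw_variables(group):
    """The four per-C-flow variables from the slides, each as a list of samples."""
    per_hour = defaultdict(int)
    for f in group:
        per_hour[f["time"] // 3600] += 1
    return {
        "fph": list(per_hour.values()),
        "ppf": [f["packets"] for f in group],
        "bpp": [f["bytes"] / f["packets"] for f in group],
        "bps": [f["bytes"] / max(f["duration"], 1e-3) for f in group],
    }

def histogram(values, lo, hi, bins=BINS):
    """Normalised 13-bin distribution of one variable's samples."""
    counts = [0] * bins
    for v in values:
        idx = int((min(max(v, lo), hi) - lo) / (hi - lo) * bins)
        counts[min(idx, bins - 1)] += 1
    return [c / len(values) for c in counts]

def full_vector(group):
    """52 features: four 13-element distribution vectors."""
    variables = raw_variables(group)
    return [x for name in RANGES for x in histogram(variables[name], *RANGES[name])]

def reduced_vector(group):
    """8 features: mean and variance of each variable's sample distribution."""
    variables = raw_variables(group)
    return [x for name in RANGES for x in (mean(variables[name]), pvariance(variables[name]))]

def normalise(vectors):
    """Scale every feature column to [0, 1] so bytes/s cannot dominate packets/flow."""
    maxes = [max(col) or 1.0 for col in zip(*vectors)]
    return [[v / m for v, m in zip(vec, maxes)] for vec in vectors]

def threshold_cluster(keys, vectors, threshold):
    """Greedy clustering: join the first cluster whose centroid lies within `threshold`,
    otherwise start a new cluster. A simple stand-in for BotMiner's X-means."""
    clusters = []
    for key, vec in zip(keys, vectors):
        for cl in clusters:
            centroid = [mean(col) for col in zip(*cl["vecs"])]
            if sum((a - b) ** 2 for a, b in zip(vec, centroid)) ** 0.5 <= threshold:
                cl["keys"].append(key)
                cl["vecs"].append(vec)
                break
        else:
            clusters.append({"keys": [key], "vecs": [vec]})
    return [cl["keys"] for cl in clusters]

def two_step_clustering(flows, coarse_threshold=0.3, fine_threshold=0.3):
    """Step 1 on the 8 reduced features; step 2 inside each coarse cluster on all 52 features."""
    groups = cflows(flows)
    keys = list(groups)
    coarse = threshold_cluster(keys, normalise([reduced_vector(groups[k]) for k in keys]), coarse_threshold)
    final = []
    for members in coarse:
        final.extend(threshold_cluster(members, normalise([full_vector(groups[k]) for k in members]), fine_threshold))
    return final

if __name__ == "__main__":
    for i, members in enumerate(two_step_clustering(FLOWS), 1):
        print(f"cluster {i}: {[k[1] for k in members]}")
```

On the constructed input the three hosts with the same C&C rhythm end up in one cluster and the web client in another; the point of the two-step design is visible in `two_step_clustering`: the cheap 8-feature pass separates obviously different C-flows, and the full 52-feature pass is only run within each coarse cluster.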

C-plane clustering (4)

Cross-plane correlation
o Cross-check the A-plane and C-plane clusters to find their intersections
o Compute a botnet score for clients with suspicious activities
   High score for spam and exploit activities
   Low score for scan and binary download activities
   Higher score for performing more than one type of suspicious activity
   Filter out clients with a score below the threshold
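The A-plane clustering slide and the cross-plane correlation slide together describe one scoring procedure: group hosts by reported activity type, weight spam and exploit activity higher than scan and download activity, reward hosts with more than one activity type, and only keep hosts that also share a C-plane cluster with other suspicious hosts. The code below is an added illustration of that procedure, not the BotMiner authors' implementation or their exact score formula: the weights, the multi-activity bonus, the threshold, the A-plane log and the C-plane clusters are all constructed for the example.

```python
from collections import defaultdict

# Weights follow only the ordering stated on the slides (spam/exploit high, scan/download low); assumed values.
WEIGHTS = {"spam": 0.8, "exploit": 0.8, "scan": 0.3, "binary_download": 0.3}
MULTI_ACTIVITY_BONUS = 1.0   # added once when a host shows more than one activity type (assumption)
THRESHOLD = 0.5              # assumed cut-off below which a client is filtered out

# Constructed A-plane log: (host, activity type) as the A-plane monitor would report it.
A_PLANE_LOG = [
    ("10.0.0.1", "scan"), ("10.0.0.1", "binary_download"),
    ("10.0.0.2", "scan"), ("10.0.0.2", "spam"),
    ("10.0.0.3", "spam"),
    ("10.0.0.7", "binary_download"),
]

# Constructed C-plane clusters: sets of hosts whose C-flow patterns were grouped together.
C_PLANE_CLUSTERS = [
    {"10.0.0.1", "10.0.0.2", "10.0.0.3"},   # hosts talking to the same server with the same rhythm
    {"10.0.0.7", "10.0.0.8", "10.0.0.9"},   # ordinary web clients
]

def a_plane_clusters(log):
    """A-plane clustering: one cluster (set of hosts) per activity type."""
    clusters = defaultdict(set)
    for host, activity in log:
        clusters[activity].add(host)
    return dict(clusters)

def botnet_score(host, a_clusters, c_clusters):
    """Weighted activity score, scaled by how many of the host's C-plane cluster peers are also suspicious."""
    activities = {a for a, hosts in a_clusters.items() if host in hosts}
    if not activities:
        return 0.0                       # only hosts seen in the A-plane are scored
    base = sum(WEIGHTS[a] for a in activities)
    if len(activities) > 1:
        base += MULTI_ACTIVITY_BONUS
    suspicious = set().union(*a_clusters.values())
    correlation = 0.0                    # best fraction of suspicious peers over the host's C-plane clusters
    for cluster in c_clusters:
        if host not in cluster or len(cluster) < 2:
            continue
        peers = cluster - {host}
        correlation = max(correlation, len(peers & suspicious) / len(peers))
    return round(base * correlation, 3)

def detect(log, c_clusters, threshold=THRESHOLD):
    """Return {host: score} for every A-plane host whose score reaches the threshold."""
    a_clusters = a_plane_clusters(log)
    scores = {h: botnet_score(h, a_clusters, c_clusters) for h, _ in log}
    return {h: s for h, s in scores.items() if s >= threshold}

if __name__ == "__main__":
    for host, score in sorted(detect(A_PLANE_LOG, C_PLANE_CLUSTERS).items()):
        print(host, score)
```

Host 10.0.0.7 downloaded a binary but shares its C-plane cluster only with hosts that showed no suspicious activity, so its correlation factor is zero and it is filtered out; the three hosts in the first cluster reinforce each other and pass the threshold.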

Experiment Setup (1)
o Traffic was monitored at the College of Computing at Georgia Tech
o The traffic contains many protocols, such as HTTP, SMTP, Post Office Protocol (POP), FTP, Secure Shell (SSH), Simple Network Management Protocol (SNMP), Instant Messaging (IM), DNS, P2P and IRC

Experiment Setup (2)
o Collection of botnet traces
   IRC bots
     - Botnet-IRC-spybot
     - Botnet-IRC-sdbot
     - Botnet-IRC-rbot
     - Botnet-IRC-N
   HTTP bots
     - Botnet-HTTP-1
     - Botnet-HTTP-2
   P2P bots
     - Botnet-P2P-Storm
     - Botnet-P2P-Nugache

Experiment Setup (3)

Results

Limitations and solutions
o Evading C-plane Monitoring and Clustering
o Evading A-plane Monitoring and Clustering
o Evading Cross-plane Analysis

Evading C-plane Monitoring and Clustering
o A botnet may use a legitimate website for its C&C lookup
   Solution: do not perform whitelisting
o Using multiple C&C servers
   Solution: handle it the same way as P2P clustering
o Randomizing the communication pattern
   Randomization may still leave some similarities
   A randomized pattern may itself raise suspicion
o Mimicking a normal communication pattern
   The A-plane may still be able to detect the bots

Evading A-plane Monitoring and Clustering
o A botnet can evade detection at the cost of its own efficiency
   Keeping a low rate of suspicious activities
   Performing tasks randomly and individually

Evading Cross-plane Analysis
o Delaying command execution
   Solution: check the data going back several days

Other weaknesses
o A-plane monitoring is useless against a botnet with encrypted communication
o Able to detect a botnet only in its attack phase

Questions