Botnet Dection system
Introduction Botnet problem Challenges for botnet detection
What Is a Bot/Botnet? Bot A malware instance that runs autonomously and automatically on a compromised computer (zombie) without owner’s consent Profit-driven, professionally written, widely propagated Botnet (Bot Army): network of bots controlled by criminals Definition: “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel” Architecture: centralized (e.g., IRC,HTTP), distributed (e.g., P2P) “25% of Internet PCs are part of a botnet!” ( - Vint Cerf)
Botnets are used for … All DDoS attacks Spam Click fraud Information theft Phishing attacks Distributing other malware, e.g., spywarePCs are part of a botnet!” ( - Vint Cerf)
Challenges for Botnet Detection Bots are stealthy on the infected machines – We focus on a network-based solution Bot infection is usually a multi-faceted and multiphased process – Only looking at one specific aspect likely to fail Bots are dynamically evolving – Static and signature-based approaches may not be effective Botnets can have very flexible design of C&C channels – A solution very specific to a botnet instance is not desirable
Roadmap to three Detection Systems Bothunter: regardless of the C&C structure and network protocol, if they follow pre-defined infection live cycle Botsniffer:works for IRC and http, can be extended to detect centralized C&C botnets Botminer:independent of the protocol and structure
BotHunter system-detection on single infected client Detecting Malware Infection Through IDS-Driven Dialog Correlation Monitors two-way communication flows between internal networks and the Internet for signs of bot and other malware Correlates dialog trail of inbound intrusion alarms with outbound communication patterns
Bot infection case study: Phatbot
Dialog-based Correlation BotHunter employs an Infection Lifecycle Model to detect host infection behavior
Bothunter Architecture
Evaluation Example: ta.org/releases/malware- analysis/public/ public/
BotSniffer-detection on centralized C&C botnets(IRC,HTTP) WHY we will focus on C&C? C&C is essential to a botnet – Without C&C, bots are just discrete, unorganized infections C&C detection is important – Relatively stable and unlikely to change within botnets – Reveal C&C server and local victims – The weakest link
Botnet C&C Communication Example
Botnet C&C: Spatial-Temporal Correlation and Similarity
BotSniffer Architecture
Correlation Engine Based on two properties Response crowd – a set of clients that have (message/activity) response behavior -A Dense response crowd: the fraction of clients with message/activity behavior within the group is larger than a threshold (e.g., 0.5). A homogeneous response crowd – Many members have very similar responses
Evaluation
Why Botminer? Botnets can change their C&C content (encryption, etc.), protocols (IRC, HTTP, etc.),structures (P2P, etc.), C&C servers, dialog models So bothunter, botsniffer systems may be evaded. We need to consider more
Revisit Botnet Definition “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel” We need to monitor two planes – C-plane (C&C communication plane): “who is talking to whom” – A-plane (malicious activity plane): “who is doing what”
C-Plane clustering What characterizes a communication flow (Cflow) between a local host and a remote service? –
A-plane clustering
Cross-clustering Two hosts in the same A-clusters and in at least one common C-cluster are clustered together
Botminer Architecture
Evaluation Data
Evaluation Result(FP)
Evaluation Result(Detection Rate)
Botnet Detection Systems summary Bothunter: Vertical Correlation. Correlation on the behaviors of single host. Botsniffer: Horizontal Correlation. On centralized C&C botnets Botminer: Extension on Botsniffer, no limitations on the C&C types.
Thank you! Questions?