09 Dec 2010 DETECTION OF SIP BOTNET BASED ON C&C COMMUNICATIONS Mohammad AlKurbi.

Presentation transcript:

09 Dec 2010 DETECTION OF SIP BOTNET BASED ON C&C COMMUNICATIONS Mohammad AlKurbi

Overview
- Introduction to Botnets
- Why is SIP useful?
- Problem Statement
- Related Works
- Proposed Solution
- Preliminary Evaluation
- Conclusions & Future Work

Brief Introduction to Botnets

Botnet?
- A network of compromised computers controlled by a master to perform correlated tasks [GP+08].
- Diagram labels: Botnet Master; Controller; Command & Control Channel: IRC, HTTP, P2P; Bot: compromised host; Victim; Malicious Activity: Scan, Spam, DDoS.

Bot Life Cycle
- Infection: initial installation of the botnet malware, by , accessing infected web sites, or vulnerability exploitation.
- Bootstrap: join the botnet using a preliminary list of bots.
- Command and Control (C&C): get instructions and send information / feedback.
- Malicious activity: carry out the instructions (scan, spam, DDoS, maintenance, etc.).
- Maintenance: upgrade the bot software.

Botnet Models?
- Centralized model (IRC/HTTP).
- Distributed model (P2P).
- Diagram labels: Botnet Master; Controller; Victim.

Botnet History [GZL08]
- IRC botnet: centralized C&C structure; access to IRC is restricted or limited.
- HTTP botnet: centralized C&C structure; has a better access policy, therefore stealthier.
- P2P botnet: distributed C&C structure.

SIP as a C&C Protocol

Why is SIP a useful C&C protocol?
- SIP has outstanding features [A. Berger et al. (NPSec '09)]:
  - SIP access would have a less restrictive policy than P2P.
  - The SIP infrastructure minimizes management overhead: registration, tracking of clients' status.
  - Reliable message delivery.
  - The SIP message structure provides many options: SIP instant messaging, standard/user-defined message headers, message body.

Problem Statement
- Botnets are one of the most serious and growing security threats [SLWL07, GZL08, YD+10]:
  - 40% of all computers connected to the Internet are considered infected bots [ZLC08].
  - 20% of malware will still be able to get into up-to-date Internet computers [BK07].
- SIP is even more attractive as a C&C protocol after being adopted by 3GPP.
- SIP botnets have not been considered before.

Study & Detection Approaches
- Bot source code analysis.
- Honeynets.
- Signature-based detection.
- Anomaly-based detection:
  - Based on botnet malicious activities: high-volume traffic such as DDoS attacks, scans, spam, or otherwise abnormal traffic.
  - Based on C&C communications.

C&C Detection Approach
- C&C is the weakest link [GZL08]: interrupting the C&C channel disarms the botnet [SLWL07].
- Based on the following observation [GZL08, GP+08]: due to preprogrammed activities, bots tend to behave in a similar or correlated manner.
- Restricting access to the C&C controllers isolates the bots.
- No prior knowledge is needed.

Related Works

Related Works (1)
- G. Gu et al., "BotSniffer: Detecting botnet command and control channels in network traffic", NDSS 08, February:
  - Detects centralized C&C channels (IRC & HTTP).
  - Monitors crowd density / homogeneity among clients that connect to the same server; event sequences are considered.
  - Deep inspection: protocol matcher. The crowd homogeneity algorithm is vulnerable to encryption.

Related Works (2)
- G. Gu et al., "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection", USENIX Security '08, July:
  - Protocol- and structure-independent: captures all TCP/UDP.
  - Does not consider event sequences.
  - Two-step X-means clustering.
  - Identifies hosts that share both similar C&C communication patterns and similar malicious activity patterns.

Related Works (3)
- X. Yu et al., "Online botnet detection based on incremental discrete Fourier transform", Journal of Networks, 5(5), May 2010:
  - Protocol- and structure-independent.
  - Event sequences are considered.
  - distance(X, Y) = distance(DFT(X), DFT(Y)) [Discrete Fourier Transform].
  - Fewer DFT coefficients are required to capture the distance.
  - A suspected bot's malicious activities are monitored before confirming its identity.

The Proposed Solution

The Proposed Solution
- Developing a system to detect SIP botnets (i.e. SIP is the C&C protocol):
  - It is a network anomaly-based system.
  - Based on the similar behaviour of bots.
  - It does not rely on event sequences [SLWL07, GP+08]: resists the random-time evasion technique.
  - Detects bots at early stages: before they initiate malicious activities, or as early as possible.
  - By monitoring and analyzing C&C communications (i.e. SIP communications).
  - Without any prior knowledge.
  - A suspected bot's identity is confirmed as soon as it carries out one or more botnet malicious activities.

The Proposed Solution (Main idea)
- Two users are considered similar if they share similar flows beyond a defined threshold.
- Similar users are considered suspected bots.
- Figure: flows of User-1 and User-2 compared pairwise.

System Overview (diagram)

System Components (1)
- Monitoring Engine:
  - Logs SIP / malicious traffic to a central DB server.
  - Based on Snort (open-source intrusion detection system), with a customized set of rules to capture SIP traffic and a set of activated plug-ins to capture malicious activities.
  - Installed where the designated traffic passes by, such as network gateways.

System Components (2)
- Correlation Engine:
  - Developed in Java.
  - Input: SIP / malicious traffic that has been logged into the central DB.
  - Function: detect bots and C&C controllers.
  - It can be installed anywhere as long as it has access to the central DB server.

Correlation Engine (How it works)
- Feature Vector (FV):
  - A flow is transformed into a feature vector.
  - An FV consists of flow attributes such as duration (seconds), size (bytes), number of packets, bps (bytes per second) and bpp (bytes per packet).
- Feature Stream (FS):
  - A user's flows are represented by a feature stream.
  - Each column is one feature vector:

    User Feature Stream, over time window (w):
    Feature    FV1 (Flow 1)  FV2 (Flow 2)  ...  FVn (Flow n)
    Duration
    Size
    #Packets
    bps
    bpp

Correlation Engine (How it works)
- Two flows [a, b] are similar if their distance d(a, b) is within a threshold, where f is the number of features.
- Two users (A, B) are considered similar if their distance d(A, B) is within a threshold, where A and B here denote the feature streams of users A and B.
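The feature-vector, feature-stream and similarity steps described on this slide and on the "Main idea" slide, worked through as an added Python example; it is not the presentation's Java correlation engine. The slides give the distance d(a, b) only by name, so the per-feature relative difference used here, the rule that two users are similar when the fraction of matched flows reaches a threshold, the threshold values `delta` and `theta`, and the flow records are all assumptions constructed for the example.

```python
"""Added example: feature vectors, per-user feature streams inside a time
window, flow similarity and user similarity (all assumed definitions)."""
from itertools import combinations

# Constructed flow records: (user, start_s, duration_s, size_bytes, packets).
# The three "bot-*" users send near-identical short periodic flows; alice and
# bob place ordinary calls of varying length.
FLOWS = [
    ("bot-1", 10, 0.20, 620, 4), ("bot-1", 610, 0.21, 630, 4),
    ("bot-1", 1210, 0.19, 610, 4), ("bot-1", 1810, 0.22, 640, 4),
    ("bot-2", 12, 0.21, 630, 4), ("bot-2", 612, 0.20, 620, 4),
    ("bot-2", 1212, 0.22, 645, 4), ("bot-2", 1812, 0.19, 612, 4),
    ("bot-3", 15, 0.20, 625, 4), ("bot-3", 615, 0.21, 635, 4),
    ("bot-3", 1215, 0.19, 608, 4), ("bot-3", 1815, 0.22, 642, 4),
    ("alice", 30, 35.0, 12000, 180), ("alice", 900, 120.0, 60000, 900),
    ("alice", 2500, 8.0, 2400, 30),
    ("bob", 100, 200.0, 100000, 1500), ("bob", 1500, 15.0, 5000, 70),
    ("bob", 3000, 60.0, 30000, 450),
]

FEATURES = ("duration", "size", "packets", "bps", "bpp")


def feature_vector(duration, size, packets):
    """FV = (duration, size, #packets, bytes/second, bytes/packet), as on the slide."""
    return (duration, size, packets, size / duration, size / packets)


def feature_streams(flows, t0, w):
    """Group the FVs of each user's flows that start inside [t0, t0 + w)."""
    streams = {}
    for user, start, duration, size, packets in flows:
        if t0 <= start < t0 + w:
            streams.setdefault(user, []).append(feature_vector(duration, size, packets))
    return streams


def flow_distance(a, b):
    """Assumed d(a, b): mean relative difference over the f features (0 = identical)."""
    f = len(a)
    return sum(abs(x - y) / max(x, y, 1e-9) for x, y in zip(a, b)) / f


def user_similarity(fs_a, fs_b, delta):
    """Assumed d(A, B): share of flows in the shorter stream that have a
    similar flow (distance <= delta) somewhere in the other stream."""
    short, other = (fs_a, fs_b) if len(fs_a) <= len(fs_b) else (fs_b, fs_a)
    matched = sum(1 for a in short if any(flow_distance(a, b) <= delta for b in other))
    return matched / len(short)


def suspected_bots(streams, delta=0.15, theta=0.6):
    """Users whose streams are pairwise similar beyond theta are suspected bots."""
    suspects = set()
    for u, v in combinations(sorted(streams), 2):
        if user_similarity(streams[u], streams[v], delta) >= theta:
            suspects.update((u, v))
    return suspects


if __name__ == "__main__":
    streams = feature_streams(FLOWS, t0=0, w=3600)
    print("suspected bots:", sorted(suspected_bots(streams)))
```

Because only matched flows count, a bot that also carries normal traffic is still matched on its beacon-like flows, which is the case the "Challenges" slides worry about; a longer window `w` raises the number of flows per stream and therefore the confidence of the match.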

Experimental Evaluation
- Calculate false positives & false negatives.

Input Data Set (Users' traffic)
- Network traces have been generated using two tools developed by A. Berger et al. [BH09]:
  1. Autosip: emulates the realistic behaviour of regular users' calls:
     - The number of online users varies with time.
     - Call duration is modelled based on μ (mean value) and σ (standard deviation).
     - A user calls a friend with probability α and others with probability (1 − α).
     - A user makes on average C calls/hour.

Autosip Components
- Manager: sets the call parameters for the clients; controls the number of active users during the day.
- Client (SIP users): connect to the manager; call each other according to the parameter settings.

Input Data Set (Malicious traffic)
- Sipbot: generates SIP botnet traffic.
  - Based on the P2P Storm botnet: the Overnet protocol has been replaced by SIP.
  - Sends a "603 Decline" response to SIP INVITE messages.

Test-bed Network Design
- NSL cluster (diagram).

Preliminary Result (figure)

Conclusion / Future Work / Challenges

Conclusion
- Botnets are a serious and growing threat: more research is needed.
- Detecting bots based on the C&C channel is efficient: it allows us to detect bots at early stages.
- SIP is a promising C&C protocol.
- A system is provided to detect SIP botnets with a very low false negative rate (~0) and a reasonable false positive rate.

Future Work
- Improve the similarity algorithm to decrease false positives.
- Implement larger-scale evaluation experiments.
- Integrate a malicious activity handler component.
- Extract C&C controllers.
- Try to reduce time complexity.

Challenges
- Resilience to evasion:
  - A very long response delay (longer than the time window): botnet utility is reduced or limited, because the botmaster can no longer command his bots promptly and reliably [GZL08].
  - Random session size/duration.
  - Random noise packets.
  - A pool of random SIP options.

End

Appendix

Centralized C&C Model
- Diagram labels: Botnet Master; Communicator; Zombie; Victim; C&C Controller; Command & Control Channel: IRC, HTTP, P2P; Bot: compromised host; Malicious Activity: Scan, Spam, DDoS.
- Pros: prompt communications; easy management.
- Cons: single point of failure; easy to break down.

Distributed C&C Model
- Diagram labels: Botnet Master; Communicator; Zombie; Victim; C&C.
- Pros: reliability; harder to break down.
- Cons: not real-time control; management overhead (P2P).

Detection Approaches
- Most current botnet detection approaches [7,17,19,20,26,29,35,40] work only on specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized), and can become ineffective as botnets change their C&C techniques [GP+08].
- Some approaches [4, 6, 12, 18] have been proposed [YD+10].
- [BCJ+09, ZLC08]

C&C Detection Approach
- C&C is the weakest link [GZL08]: interrupting the C&C channel disarms the botnet [SLWL07].
- Based on the following observation [GZL08, GP+08]: due to preprogrammed activities, bots tend to behave in a similar or correlated manner.
- C&C controllers are usually far fewer than bots: restricting access to them is easier, safer, and more efficient.
- No prior knowledge is needed.

Related Works (1)
- G. Gu et al., "BotSniffer: Detecting botnet command and control channels in network traffic", NDSS 08, February:
  - Detecting centralized C&C channels (IRC & HTTP).
  - Analyzing bots' responses (message, activity) to the botmaster's commands.
  - Looking in every time window (t) for a response crowd among clients that connect to the same server: crowd density (> 50%) and crowd homogeneity.
  - A number of rounds are required before confirming that a crowd is a botnet.
  - Deep inspection: protocol matcher. The implemented crowd homogeneity algorithm is vulnerable to encryption.
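The response-crowd density check attributed to BotSniffer on this slide (every time window t, clients that connect to the same server, density above 50%, several rounds before confirming), as an added Python example; this is not BotSniffer's code. The event log, the `.invalid` host names, the window length and the round count are constructed assumptions, and the homogeneity test is left out.

```python
"""Added example: response-crowd density per server and time window, with a
confirmation streak over consecutive windows (constructed data, not BotSniffer)."""
from collections import defaultdict

# Constructed event log: (timestamp_s, client, server, responded).
# "responded" is True when the client produced a message/activity response
# in that window after contacting the server.  ".invalid" is a reserved
# placeholder TLD, used here so the sample never names a real host.
EVENTS = [
    (5, "10.0.0.1", "c2.invalid", True), (7, "10.0.0.2", "c2.invalid", True),
    (9, "10.0.0.3", "c2.invalid", True), (11, "10.0.0.4", "c2.invalid", False),
    (65, "10.0.0.1", "c2.invalid", True), (66, "10.0.0.2", "c2.invalid", False),
    (70, "10.0.0.3", "c2.invalid", True), (72, "10.0.0.4", "c2.invalid", True),
    (3, "10.0.1.1", "www.invalid", True), (4, "10.0.1.2", "www.invalid", False),
    (8, "10.0.1.3", "www.invalid", False), (12, "10.0.1.4", "www.invalid", False),
    (61, "10.0.1.1", "www.invalid", False), (63, "10.0.1.2", "www.invalid", True),
    (64, "10.0.1.3", "www.invalid", False), (68, "10.0.1.4", "www.invalid", False),
]


def crowd_densities(events, t):
    """For each window index and server: fraction of connected clients that
    responded in that window (a client counts once per window)."""
    per_window = defaultdict(lambda: defaultdict(dict))
    for ts, client, server, responded in events:
        bucket = per_window[int(ts // t)][server]
        bucket[client] = bucket.get(client, False) or responded
    return {w: {s: sum(c.values()) / len(c) for s, c in servers.items()}
            for w, servers in per_window.items()}


def response_crowds(events, t=60, min_density=0.5, rounds=2):
    """Servers whose clients formed a dense response crowd in `rounds`
    consecutive windows; a window without a crowd resets the streak."""
    densities = crowd_densities(events, t)
    servers = {s for per_server in densities.values() for s in per_server}
    streak = defaultdict(int)
    flagged = set()
    for w in sorted(densities):
        for server in servers:
            density = densities[w].get(server, 0.0)
            streak[server] = streak[server] + 1 if density > min_density else 0
            if streak[server] >= rounds:
                flagged.add(server)
    return flagged


if __name__ == "__main__":
    print("suspected C&C servers:", sorted(response_crowds(EVENTS)))
```

The density test only needs to know which clients talked to the same server and whether they produced a response afterwards, which is why it survives encryption of the channel; the homogeneity test, which compares response contents, is the part the slide notes as vulnerable to encryption.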

Related Works (2)
- G. Gu et al., "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection", USENIX Security '08, July:
  - Protocol- and structure-independent: captures all TCP/UDP.
  - Does not consider event sequences.
  - Identifies hosts that share both similar C&C communication patterns and similar malicious activity patterns.
  - Aggregates related flows during an epoch (E ~ one day) into the same C-flow.
  - Transforms C-flows into pattern vectors of equal length by a quantile binning technique.
  - Two-step X-means clustering.

Related Works (2)
- G. Gu et al., "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection", USENIX Security '08, July:
  - Protocol- and structure-independent.
  - Does not consider event sequences.
  - Aggregates the related flows of the past epoch (E ~ one day) into one flow.
  - To standardize the feature vector length, the discrete distribution is approximated by a binning technique (computing quantiles).
  - Two-step X-means clustering.
  - Identifies hosts that share both similar communication patterns and similar malicious activity patterns: a host receives a high score if it has performed multiple types of suspicious activities, and if the other hosts clustered with it also show the same multiple types of activities. If two hosts appear in the same activity clusters and in at least one common C-cluster, they should be clustered together.

Related Works (3)
- X. Yu et al., "Online botnet detection based on incremental discrete Fourier transform", Journal of Networks, 5(5), May 2010:
  - Protocol- and structure-independent.
  - Event sequences are considered.
  - Online detection.
  - User flows are represented by a feature stream.
  - Similarity is measured by an average Euclidean distance.
  - distance(X, Y) = distance(DFT(X), DFT(Y)) [Discrete Fourier Transform].
  - Fewer DFT coefficients are required to capture the stream.
  - Incremental DFT coefficients avoid recalculation when a new value arrives (minimizing processing time further).
  - A suspected bot's malicious activities are monitored before confirming its identity.

Related Works (3)
- X. Yu et al., "Online botnet detection based on incremental discrete Fourier transform", Journal of Networks, 5(5), May 2010:
  - Online detection.
  - Protocol- and structure-independent.
  - A flow is represented by a feature stream.
  - Similarity is measured by an average Euclidean distance.
  - distance(X, Y) = distance(DFT(X), DFT(Y)).
  - The DFT needs fewer feature streams.
  - Incremental DFT coefficients avoid recalculation when a new feature stream arrives (minimizing processing time further).
  - A suspected bot's malicious activities are monitored before confirming its identity.
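The DFT-based stream distance from Yu et al. summarised on the three "Related Works (3)" slides, as an added Python example; it is not code from the presentation or from Yu et al. It shows why distance(X, Y) = distance(DFT(X), DFT(Y)) holds when the transform is scaled orthonormally, why keeping only the first m coefficients gives a cheaper lower bound on the distance, and a sliding-window update of the coefficients that avoids recomputing the transform when a new value arrives. The update formula is the standard one for a window that drops its oldest sample and appends the newest; the sample streams are constructed.

```python
"""Added example: orthonormal DFT, distance preservation, coefficient
truncation and incremental (sliding-window) coefficient update."""
import cmath
import math

# Constructed per-flow bps streams for two users, nine samples each.
BOT_BPS = [3100.0, 3000.0, 3210.0, 2909.0, 3100.0, 3000.0, 3210.0, 2909.0, 3100.0]
USER_BPS = [342.9, 500.0, 300.0, 420.0, 333.3, 500.0, 310.0, 450.0, 380.0]


def dft(x):
    """Orthonormal DFT (scaled by 1/sqrt(n)), so it preserves Euclidean distance."""
    n = len(x)
    scale = 1.0 / math.sqrt(n)
    return [scale * sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def euclidean(a, b):
    """Euclidean distance between two equal-length real or complex sequences."""
    return math.sqrt(sum(abs(p - q) ** 2 for p, q in zip(a, b)))


def dft_distance(x, y, m=None):
    """distance(DFT(x), DFT(y)); with m set, only the first m (lowest-frequency)
    coefficients are compared, which is cheaper and never overestimates."""
    fx, fy = dft(x), dft(y)
    if m is not None:
        fx, fy = fx[:m], fy[:m]
    return euclidean(fx, fy)


def slide_dft(coeffs, x_old, x_new):
    """Update the coefficients of a length-n window when x_old leaves the
    front and x_new enters the back: X'_k = e^(2*pi*i*k/n) * (X_k + (x_new - x_old)/sqrt(n)).
    Costs O(n) instead of the O(n^2) of recomputing dft()."""
    n = len(coeffs)
    delta = (x_new - x_old) / math.sqrt(n)
    return [cmath.exp(2j * math.pi * k / n) * (c + delta) for k, c in enumerate(coeffs)]


if __name__ == "__main__":
    window = 8
    x, y = BOT_BPS[:window], USER_BPS[:window]
    print("time-domain distance :", round(euclidean(x, y), 3))
    print("DFT-domain distance  :", round(dft_distance(x, y), 3))
    print("first 3 coefficients :", round(dft_distance(x, y, m=3), 3))
    slid = slide_dft(dft(x), BOT_BPS[0], BOT_BPS[window])
    print("incremental == recomputed:",
          max(abs(a - b) for a, b in zip(slid, dft(BOT_BPS[1:window + 1]))) < 1e-6)
```

Comparing only the first m coefficients is safe as a pre-filter: because the truncated distance is a lower bound, a pair that exceeds the similarity threshold on m coefficients cannot become similar on the full transform, so only the pairs that pass need the full comparison.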

Related Works (4)
- H. Zeidanloo and A. Abdul Manaf, "Botnet detection by monitoring similar communication patterns", International Journal of Computer Science and Information Security, 7(3), March 2010:
  - General framework: focuses on P2P-based and IRC-based botnets.
  - Similar users have similar graphs: user -> feature streams -> graph [(X, Y) = (bpp, bps)]. The exact method has not been provided.
  - They did not provide an evaluation.

Related Works ()
- W. Strayer et al., "Botnet detection based on network behavior", Vol. 36 of Advances in Information Security, Springer, October 2007:
  - Detects IRC botnets (centralized): prompt C&C mechanism.
  - Does not consider event sequences.
  - The filtering phase assumes prior knowledge: passes only what could be C&C traffic and filters out any traffic that does not comply with some specific semantics. It examines neither content nor port.
  - Looking for C&C servers: topological analysis, i.e. the highest in/out-degree in a directed graph of similar flows.
  - Flow characteristics: bandwidth, packet timing, and burst duration.

The Proposed Solution
- Developing a system to detect SIP botnets (i.e. SIP is the C&C protocol):
  - It is a network anomaly-based system.
  - Based on the concept of bots' similar behaviour.
  - It does not rely on event sequences [SLWL07, GP+08]: resists the random-time evasion technique.
  - Detects bots at early stages: before they initiate malicious activities, or as early as possible.
  - By monitoring and analyzing C&C communications (i.e. SIP communications).
  - Without any prior knowledge.
  - A suspected bot's identity is confirmed as soon as it carries out one or more botnet malicious activities.
  - A further analysis can be applied to extract the C&C controllers.

The Proposed Solution (Main idea)
- Two users are considered similar if they share similar flows beyond a defined threshold.
- Similar users are considered suspected bots.
- A bot's identity is confirmed when it commits any malicious activity.
- Figure: flows of User-1 and User-2 compared pairwise.

Input Data Set
- Network traces have been generated using the following tools developed by A. Berger:
  - Autosip: emulates the realistic behaviour of regular users' calls:
    - The number of online users varies with time.
    - Call duration is modelled with a log-normal distribution [BC+05].
    - A user calls a friend with probability α and others with probability (1 − α).
    - A user makes on average C calls/hour: uniform call probability per minute.

Autosip Components
- Manager: sets the call parameters; controls the number of active users during the day.
- Client (SIP users): connect to the manager; call each other according to the parameter settings.

Autosip (How it works)
- Upon start, and after a random-time sleep, a client tries to initiate calls to a friend (on average, C calls/hour).
- Call duration is computed using the parameters μ and σ.
- Only a single ongoing call per client.
- During an ongoing call, the client does not make call attempts and answers incoming call attempts with a SIP BUSY.

Input Data Set
- Network traces have been generated using the following tools developed by A. Berger:
  - Autosip: emulates the realistic behaviour of regular users' phone calls:
    - The number of online users varies with time.
    - Call duration is modelled with a log-normal distribution [BC+05].
    - A user calls a friend with probability α and others with probability (1 − α).
    - A user makes on average C calls/hour: uniform call probability per minute.
    - Two components: the Manager sets the call parameters and controls the number of active users during the day; the Clients (SIP users) connect to the manager and call each other according to the parameter settings.
  - Autosip parameters:
    - C: average number of call attempts per hour.
    - μ: mean value of call duration.
    - σ: standard deviation of call duration.
    - Number of simulated SIP clients.
    - Number of friends of each client.
    - α: probability of calling a friend.

Preliminary Result (figure)

Future Work
- Improve the similarity algorithm to decrease false positives.
- Implement larger-scale evaluation experiments.
- Extract C&C controllers.
- Move from offline to online detection.
- Try to implement real-time detection and reduce time complexity.

Future Work
- Evaluation:
  - Improve the similarity algorithm to decrease false positives.
  - Implement larger-scale evaluation experiments.
- Extract C&C controllers: for example, by a directed graph technique.
- Real-time detection.
- Attempt to reduce time complexity.

Future Work
- Evaluation:
  - Implement larger-scale evaluation experiments.
  - Compare the results with another algorithm.
- Implement the malicious activity component.
- Extract C&C controllers: for example, by a directed graph technique.
- Real-time detection:
  - Incremental DFT [YD+10].
  - Exponentially weighted moving average (EWMA) [SLWL07].
  - Binning technique [GP+08].
  - Aggregate related flows within an epoch (E ~ one day) into one flow [GP+08].
- Reduce time complexity: reduce the dataset size (number of feature streams).

Challenges
- Resilience to evasion:
  - Response time (long and/or random): if the random response times fall within the maximum expected time window, detection is unaffected. Otherwise (i.e. a long response delay), the botnet's utility to the botmaster is reduced or limited, because the botmaster can no longer command his bots promptly and reliably.
  - Random session size/duration.
  - Adding random noise packets, or a host that is not only a bot and simply carries normal traffic as well.
  - Random picking from a pool of different SIP options.
  - Using a stack of different C&C protocols.


Questions and Discussion