11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.

Presentation transcript:

Slide 1: Network-Level Monitoring for Tracking Botnets
Nick Feamster, School of Computer Science, Georgia Institute of Technology
ONR MURI N Project Kick-off Meeting, November 20, 2009

Slide 2: Two Problems: From Axioms to Theories to Practice
Problem #1: Tracking Bots
–Bots are compromised computers
–Bot traffic is not sent/authorized by users
–Correlating host activities
Problem #2: Tracking Network Agility (BGP & DNS)
–Bots are long-term resources
–Reuse, and the mechanisms/protocols that support agility

Slide 3: Problem #1: Tracking Bot Propagation
Malware enters the enterprise over the network (e.g., remote exploit, Web application) or on a mobile device.
Administrators rely on virus scanners, AV, etc.
–Problem: payloads change, and AV signatures are hard to keep up-to-date
Axiom: Bot traffic is not sent by humans/users.

Slide 4: Annotate Traffic with Provenance
Idea: Annotate network traffic with taints
–The process that generated the traffic
–Inputs that the process has taken (i.e., what other resources it has read)
As malware spreads, its traffic accumulates a common set of taints.
–Identify taints corresponding to bad operation
–Block traffic if it carries a known bad taint
Theory: We can trace botnet traffic based on how it was sent, not what the botnet is sending.

Slide 5: Pedigree Design
Trusted tagging component on the host
Arbiter on the network switch
Practice: Tag traffic with provenance; block traffic at network switches.
NSF-TC : Taint-Based Information Tracking in Networked Systems
Student: Anirudh Ramachandran

Slide 6: Status and Challenges
Status
–Implementation and application to information-flow control in enterprises
Challenges
–Discover the taints that correspond to the malware (the intersection of bad flows' taints also contains benign taints that must be factored out)
–Defend against attacks on the taint set (e.g., an attacker overflowing it)
–Protecting the integrity of the tagger
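The following is an added toy model of the provenance-tagging idea in slides 4 to 6; it is not Pedigree's own code. A host-side tagger gives each process a taint set (its image, everything it reads, anything it receives over the network), stamps outgoing packets with that set, and a switch-side arbiter forwards or drops on the taint set alone. It also shows the first challenge from slide 6: the taints common to the known-bad flows include benign ones (the browser image, /etc/hosts), so known-good flows are subtracted before the block list is built. Host, process, file and destination names and the event sequence are constructed for the example.

```python
"""Toy model of provenance-tagged traffic in the spirit of the Pedigree slides.

Added illustration, not Pedigree's own code. Host, process, file and
destination names and the event sequence are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    host: str
    pid: str
    dst: str
    taints: frozenset  # provenance carried with the packet


@dataclass
class Tagger:
    """Trusted host-side component: tracks each process's taint set and
    stamps every outgoing packet with it."""
    host: str
    proc: dict = field(default_factory=dict)  # pid -> set of taints
    res: dict = field(default_factory=dict)   # resource -> taints written into it

    def spawn(self, pid, image, parent=None):
        # A process starts tainted by its image, by whatever tainted that image,
        # and by everything its parent had already accumulated.
        taints = {image} | self.res.get(image, set())
        if parent is not None:
            taints |= self.proc[parent]
        self.proc[pid] = taints

    def read(self, pid, resource):
        # Reading a resource adds the resource and its own provenance.
        self.proc[pid] |= {resource} | self.res.get(resource, set())

    def write(self, pid, resource):
        # Writing pushes the process's taints onto the resource for later readers.
        self.res.setdefault(resource, set()).update(self.proc[pid])

    def send(self, pid, dst):
        return Packet(self.host, pid, dst, frozenset(self.proc[pid]))

    def receive(self, pid, pkt):
        # Taints ride along with the data across hosts: the reader inherits them.
        self.proc[pid] |= pkt.taints


class Arbiter:
    """Switch-side component: forwards or drops on the packet's taint set alone."""

    def __init__(self, blocked=()):
        self.blocked = frozenset(blocked)

    def decide(self, pkt):
        return "drop" if pkt.taints & self.blocked else "forward"


def discriminating_taints(bad, good):
    """Taints shared by every known-bad flow that appear in no known-good flow.
    A plain intersection of the bad flows is not enough: benign taints such as
    the browser image or /etc/hosts are shared too, so good flows are subtracted."""
    common = frozenset.intersection(*[p.taints for p in bad]) if bad else frozenset()
    benign = frozenset().union(*[p.taints for p in good])
    return common - benign


def run_scenario():
    a, b = Tagger("hostA"), Tagger("hostB")
    # hostA: a browser fetches a dropper and saves it; the dropper runs, pushes
    # a payload to hostB, and both infected processes then send mail.
    a.spawn("browser", "file:/usr/bin/firefox")
    a.read("browser", "net:evil.example")
    a.write("browser", "file:/tmp/dropper")
    a.spawn("dropper", "file:/tmp/dropper")
    a.read("dropper", "file:/etc/hosts")
    lateral = a.send("dropper", "hostB:445")
    b.spawn("svc", "file:/usr/sbin/smbd")
    b.receive("svc", lateral)
    b.write("svc", "file:/tmp/payload")
    b.spawn("bot", "file:/tmp/payload", parent="svc")
    spam = [a.send("dropper", "mx.victim.example:25"),
            b.send("bot", "mx.victim.example:25")]
    # Known-good flows: ordinary browsing and a user's mail client.
    a.spawn("mua", "file:/usr/bin/thunderbird")
    a.read("mua", "file:/etc/hosts")
    a.read("mua", "file:/home/u/draft.txt")
    good = [a.send("browser", "web.example:443"),
            a.send("mua", "mx.victim.example:25")]

    bad_taints = discriminating_taints(spam, good)
    arbiter = Arbiter(blocked=bad_taints)
    return (bad_taints,
            [arbiter.decide(p) for p in good],
            [arbiter.decide(p) for p in spam])


if __name__ == "__main__":
    print(run_scenario())
```

Only the dropper's image survives as a discriminating taint; the browser image and /etc/hosts are also in every bad flow but are removed because benign flows carry them too. The model ignores the other two challenges on slide 6: a real tagger must bound the taint set (an attacker can inflate it) and must itself be trusted.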

Slide 7: Problem #2: Tracking Network Agility
DNS: Remap DNS names to new IP addresses
–Fast-flux / double-flux
BGP: Hijack IP address space
–Allows hosts to operate from new IP addresses
Axiom: Botnets have only finite resources. These resources must be reused or recycled.

Slide 8: Example: DNS Agility
[Figure: rate of change of scam hosting infrastructure; the plot is not in the transcript]
Theory: Rates of change are much faster than for legitimate load-balanced sites.
Maria Konte et al., Dynamics of Online Scam Hosting Infrastructure, PAM Best Paper.

Slide 9: Rates of Change
Domains that exhibit fast flux change more rapidly than legitimate domains
Rates of change are inconsistent with the TTL values the domains advertise
Theory: Rates of change are faster than for legitimate load-balanced sites.

Slide 10: Fingerprinting DNS Agility
Step 1 (simple idea)
–Changes to name server assignment
–Characteristics of new domains
Step 2: Graph comparison
–Lookups from recursive resolvers to fresh domains will look similar
–Build fingerprints based on graph and point-set comparison techniques
Practice: Develop fingerprints of DNS dynamics. Identify the underlying infrastructure, not individual attacks.
Student: Shuang Hao
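An added example of the rate-of-change measurement behind slides 9 and 10 (step 1); it is not the authors' code. It fingerprints each domain from a log of answers obtained from the authoritative servers: how often the A-record set turned over, whether the name-server set changed, how many distinct /16s the hosts span, and the mean interval between changes compared with the TTL the domain advertises. The lookup log is constructed, and both thresholds in is_agile are illustrative assumptions, not values from the paper.

```python
"""Rate-of-change fingerprint for a DNS name, in the spirit of slides 9 and 10.

Added example, not the authors' code. The lookup log is constructed: each row
is (t_seconds, domain, ttl, A records, NS records) as answered by the
authoritative servers. Thresholds are illustrative assumptions.
"""
from ipaddress import ip_network


def build_log():
    log = []
    # cdn.legit.example: short TTL, three stable front ends, one swap at t=300
    pools = [["192.0.2.10", "192.0.2.11", "192.0.2.12"]] * 5 + \
            [["192.0.2.10", "192.0.2.11", "192.0.2.13"]] * 5
    for i in range(10):
        log.append((i * 60, "cdn.legit.example", 60, pools[i], ["ns1.legit.example"]))
    # pharma.scam.example: long TTL, a fresh pair of addresses in new /16s on
    # every lookup, and a name-server change halfway through (constructed IPs)
    for i in range(10):
        a = [f"10.{i}.0.5", f"10.{i + 20}.1.9"]
        ns = ["ns1.bulk-reg.example"] if i < 5 else ["ns7.other.example"]
        log.append((i * 60, "pharma.scam.example", 1800, a, ns))
    return log


LOG = build_log()


def fingerprint(log, domain):
    rows = sorted(r for r in log if r[1] == domain)
    a_sets = [frozenset(r[3]) for r in rows]
    ns_sets = [frozenset(r[4]) for r in rows]
    a_changes = sum(1 for x, y in zip(a_sets, a_sets[1:]) if x != y)
    ns_changes = sum(1 for x, y in zip(ns_sets, ns_sets[1:]) if x != y)
    span = rows[-1][0] - rows[0][0]
    ips = frozenset().union(*a_sets)
    return {
        "domain": domain,
        "ttl": rows[0][2],
        "lookups": len(rows),
        "a_changes": a_changes,
        "ns_changes": ns_changes,
        "distinct_ips": len(ips),
        "prefixes16": len({ip_network(f"{ip}/16", strict=False) for ip in ips}),
        # mean seconds between observed A-set changes (inf if it never changed)
        "change_interval": span / a_changes if a_changes else float("inf"),
    }


def is_agile(fp, min_prefixes=3):
    """Flag when A records turn over faster than the TTL the domain itself
    advertises (a legitimate operator gains nothing from that), or when name
    servers move while hosts are spread over many /16s. Both thresholds are
    assumptions for this example."""
    faster_than_ttl = fp["change_interval"] < fp["ttl"]
    ns_churn = fp["ns_changes"] > 0 and fp["prefixes16"] >= min_prefixes
    return faster_than_ttl or ns_churn


def scan(log):
    return {d: is_agile(fingerprint(log, d)) for d in sorted({r[1] for r in log})}


if __name__ == "__main__":
    for d in sorted({r[1] for r in LOG}):
        fp = fingerprint(LOG, d)
        print(fp, "AGILE" if is_agile(fp) else "ok")
```

Note what the TTL comparison buys: a legitimate load-balanced site with a 60-second TTL that swaps a front end every few minutes is consistent with its own TTL, while a domain advertising a 30-minute TTL whose answers differ on every lookup is not. The step-2 graph comparison from slide 10 (similarity of resolver-to-domain lookup patterns) needs resolver logs and is not modelled here.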

Slide 11: Example: BGP Agility
[Figure: timeline of a short-lived announcement lasting roughly 10 minutes: hijack address space, send spam, withdraw the prefix; the specific prefixes shown are not in the transcript]
Theory: Different prefixes follow similar patterns.
Anirudh Ramachandran et al., Understanding the Network-Level Behavior of Spammers, SIGCOMM 2006 Best Student Paper.

Slide 12: Fingerprinting BGP Agility
[Figure: pipeline. Inputs: spam trap and BGP feed -> spam-sending prefix and its origin AS -> heuristics (bogus AS, recently registered address space, scam hosting) -> new prefixes]
Practice: Bootstrap suspicious prefix discovery from the spam trap and BGP feed, then look for similar prefixes.
Student: Maria Konte
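An added example of the bootstrap step on slides 11 and 12; it is not the authors' pipeline. It pairs announcements with withdrawals in a BGP feed to get each prefix's lifetime, joins spam-trap hits to the prefix that was announced when the spam arrived, seeds the suspicious set with short-lived announcements that sourced trap spam (the roughly-10-minute pattern on slide 11) or carry a bogus origin AS, and then expands by the "similar prefixes" idea: other short-lived prefixes from the same origin ASes, even when the trap saw nothing from them. The update log, spam-trap hits and AS numbers are constructed, and the one-hour lifetime bound is an assumption.

```python
"""Bootstrapping suspicious prefixes from BGP updates and spam-trap hits,
in the spirit of slides 11 and 12. Added example, not the authors' pipeline.
The update log, spam-trap hits and ASNs are constructed; the one-hour
lifetime bound and the bogus-ASN test are illustrative assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# (t_seconds, "A"nnounce or "W"ithdraw, prefix, origin AS) from a BGP feed
UPDATES = [
    (0, "A", "10.10.0.0/16", 64500), (600, "W", "10.10.0.0/16", 64500),      # ~10 min
    (3600, "A", "10.20.0.0/16", 64500), (4100, "W", "10.20.0.0/16", 64500),
    (0, "A", "192.0.2.0/24", 64496),                                       # long-lived
    (1000, "A", "10.30.0.0/16", 65001), (1300, "W", "10.30.0.0/16", 65001),
]
# (t_seconds, source IP) as seen by a spam trap
SPAM = [(120, "10.10.3.4"), (240, "10.10.9.1"), (500, "192.0.2.77"), (1100, "10.30.1.1")]
HORIZON = 7200  # end of the observation window


@dataclass(frozen=True)
class Episode:
    prefix: str
    origin_as: int
    start: int
    end: int  # HORIZON if the prefix was still announced when observation ended


def episodes(updates, horizon=HORIZON):
    """Pair each announcement with the next withdrawal of the same prefix."""
    open_, out = {}, []
    for t, kind, prefix, asn in sorted(updates):
        if kind == "A":
            open_[prefix] = (t, asn)
        elif kind == "W" and prefix in open_:
            t0, a0 = open_.pop(prefix)
            out.append(Episode(prefix, a0, t0, t))
    out += [Episode(p, a0, t0, horizon) for p, (t0, a0) in open_.items()]
    return out


def spam_hits(ep, spam):
    """Trap hits whose source lies in the prefix while it was announced."""
    net = ip_network(ep.prefix)
    return [s for s in spam if ep.start <= s[0] <= ep.end and ip_address(s[1]) in net]


def bogus_origin(asn):
    # Reserved and private-use ASNs (AS 0, AS_TRANS, RFC 6996 ranges) should
    # never originate routes on the public Internet.
    return asn == 0 or asn == 23456 or 64512 <= asn <= 65534 or asn >= 4200000000


def bootstrap(updates, spam, max_life=3600):
    """Seed: prefixes with short-lived announcements that sourced trap spam, or
    with a bogus origin. Expand: other short-lived prefixes from the same ASes."""
    eps = episodes(updates)
    seeds = {}
    for ep in eps:
        reasons = []
        if spam_hits(ep, spam) and ep.end - ep.start <= max_life:
            reasons.append("spam during a short-lived announcement")
        if bogus_origin(ep.origin_as):
            reasons.append(f"bogus origin AS{ep.origin_as}")
        if reasons:
            seeds[ep.prefix] = reasons
    seed_asns = {ep.origin_as for ep in eps if ep.prefix in seeds}
    similar = {ep.prefix: f"short-lived, same origin as a seed (AS{ep.origin_as})"
               for ep in eps
               if ep.prefix not in seeds and ep.origin_as in seed_asns
               and ep.end - ep.start <= max_life}
    return seeds, similar


if __name__ == "__main__":
    print(bootstrap(UPDATES, SPAM))
```

The long-lived 192.0.2.0/24 sends trap spam too but is not seeded: a single compromised host in a stably routed prefix is the ordinary case, and it is the combination of spam with a transient announcement (or an impossible origin) that points at agility. The expansion step is deliberately loose; in practice the new prefixes would go back through the registration-age and scam-hosting heuristics on slide 12 before being treated as confirmed.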