Botnet Attribution and Removal: From Axioms to Theory to Practice Wenke Lee (PI) College of Computing Georgia Institute of Technology ONR MURI N000140911042 Project Kick-off Meeting November 20, 2009

ONR MURI Project Kick-Off Project Team Wenke, David Nick Jon Kang Giovanni Farnam Michael John Chris 11/20/09 ONR MURI Project Kick-Off

ONR MURI Project Kick-Off Project Team (cont’d) Georgia Tech Wenke Lee (Ph.D. 1999, Columbia) Nick Feamster (Ph.D. 2005, MIT) Jon Giffin (Ph.D. 2006, Wisconsin) David Dagon (Ph.D. 2009/10?, Georgia Tech) Michigan Kang Shin (Ph.D. 1978, Cornell) Farnam Jahanian (Ph.D. 1989, Texas) Michael Bailey (Ph.D. 2006, Michigan) Stanford John Mitchell (Ph.D. 1984, MIT) UC Santa Barbara Giovanni Vigna (Ph.D. 1998, Politecnico di Milano) Christopher Kruegel (Ph.D. 2002, Technical University of Vienna) 11/20/09 ONR MURI Project Kick-Off

ONR MURI Project Kick-Off Project Overview A botnet is a network of compromised computers (bots) under the control of an attacker Platform for most of the cyber attacks and fraudulent activities IA problems addressed What are the intrinsic properties of botnets? What are fundamental approaches to detect and remove all current and future botnets? And how to develop them? 11/20/09 ONR MURI Project Kick-Off

ONR MURI Project Kick-Off Project Overview An overarching framework that covers all aspects of botnet lifecycle and the entire network stack/scale, rather than a collection of point solutions. A systematic and scientific approach to design robust botnet detection and analysis algorithms, rather than ad-hoc and brittle techniques. 11/20/09 ONR MURI Project Kick-Off

Project Overview (cont’d) Approaches Analyze the intrinsic/invariant properties of botnets Derive the axioms, or the necessary and possible host-, network- and Internet- level botnet behaviors that are due to these properties From the axioms develop the principles or theories for detecting and stopping these botnet behaviors Put the theories into practice by developing pactical algorithms and systems 11/20/09 ONR MURI Project Kick-Off

Project Overview (cont’d) Approach example Analyze essential properties of botnet lifecycle E.g., botnets are valuable, long-term resources Derive axioms that directly follow from the properties E.g., botnets need to have agility to evade detection and removal Derive theories from the axioms E.g., by detecting and neutralizing the sources of network agility, we can limit botnets’ evasion capabilities and thus make botnets easier to detect and remove Apply the theories to practice E.g., an on-line detection of naming (DNS) based agility. 11/20/09 ONR MURI Project Kick-Off

Project Overview (cont’d) Capabilities to offer Innovative and foundational solutions to enable End-hosts to identify bot activities on the host and block bot related traffic Enterprise networks to identify hosts that participate in botnet activities on the Internet and accordingly block such traffic Internet core to detect anomalies in Internet basic protocols to identify the servers used to support botnet operations and accordingly disrupt or even remove the botnets Technology transfer and commercialization PIs connected to Damballa and Arbor Networks 11/20/09 ONR MURI Project Kick-Off

ONR MURI Project Kick-Off Research Areas Theory and taxonomy Essential properties, axioms and theories Lee, Mitchell, Dagon, Bailey Taxonomy Bailey Dagon, Mitchell, Lee Metrics, network and game theory models Mitchell, Dagon, Feamster, Jahanian Epidemiology Models Population estimates and threat assessment Jahanian, Dagon, Feamster, Shin 11/20/09 ONR MURI Project Kick-Off

Research Areas (cont’d) Essential properties of botnets call for multifaceted detection and analysis approaches Bots are compromised computers Malware Bot traffic is not sent/authorized by users Host/user activities C&C required to form/maintain botnet Bot programs, network/Internet traffic Bots used for attacks and frauds Bots are long-term resources Reuse models, and mechanisms/protocols to support agility Man behind the bots reaping the profit “Management” servers or “mothership” 11/20/09 ONR MURI Project Kick-Off

Research Areas (cont’d) Detection and analysis Malware and malicious web pages/scripts Kruegel, Bailey, Giffin, Lee Host activities and network/Internet traffic Giffin, Feamster, Mitchell, Jahanian, Lee Agile C&C and activity infrastructures Shin, Feamster, Jahanian, Dagon Long-lived and reused bots Feamster, Bailey, Vigna, Dagon Motherships Vigna, Shin, Dagon, Feamster 11/20/09 ONR MURI Project Kick-Off

Research Areas (cont’d) Theoretical work validates intuitions and directs development and evaluation of detection and analysis algorithms for current and future botnets For example Botnet has long-term utility, which depends of its network model ✖ ✖ 11/20/09 ONR MURI Project Kick-Off

Research Areas (cont’d) Agility thus helps preserve botnet utility Realization in Internet: DDNS, fast-flux, new domain daily (hourly?) Scale and layers of agile control ✖ Metrics, network and game theory models provide a theoretical understanding of the possibilities and trade-offs of botnet agilities Basis to fight future botnets 11/20/09 ONR MURI Project Kick-Off

ONR MURI Project Kick-Off Plan and Milestones 11/20/09 ONR MURI Project Kick-Off

Evaluation and Technology Insertion PIs have a long history of dataset collection and network measurement and thus have access to a wide variety of production datasets including: DNS, spam, malware, and alert data via SIE BGP and netflow data from ISPs Malware collections and exchanges Deployment and evaluation in operational environments in departments, universities, and upstream services providers PIs have strong ties to industry (e.g., Arbor and Damballa), and have participated in DHS-led efforts to deploy technologies in government agencies 11/20/09 ONR MURI Project Kick-Off

Project Management and Student Education Project web site at Georgia Tech Public pages showcasing the project http://onrbotnet.gtisc.gatech.edu/ Private/wiki for project team and PM to share data, software, and reports http://onrbotnet.gtisc.gatech.edu/wiki Bi-yearly project meeting One co-located with a major security conference, and the other on a campus Education 15 Ph.D. students, 1-3 Post Docs Exchange summer interns, post docs 11/20/09 ONR MURI Project Kick-Off

Related Projects and Support NSF “CLEANSE”, total $1.2M Georgia Tech and Michigan (and UNC, SRI, ISC) Large-scale monitoring of core Internet services such as DNS and BGP DHS botnet projects Michigan and Georgia Tech, separate Tech transfer and deployment NSF, AFRL, ARO, and ONR IA projects All PIs; Focused/specific areas such as malware on cell phones 11/20/09 ONR MURI Project Kick-Off