Speaker: Chiang Hong-Ren. An Investigation and Implementation of Botnet Detection Schemes.
Outline /2/6 Abstract Introduction Botnet Environment Data analysis Traffic analysis Threshold Random Walk Evaluation Conclusion

Abstract: The nature of a botnet is not a specific piece of malware but a method of control: a botnet may comprise thousands or millions of hosts controlled by an attacker. The tool uses integrated system information to help users identify unexpected network connections. Since a bot is a program running on a host, its behavior and response time are supra-human, and we use the Threshold Random Walk (TRW) algorithm for online detection.

Introduction: To address the problem, we analyze botnet characteristics and propose a botnet emulation toolkit and a detection scheme. How big is the problem?  Vint Cerf estimated that about one quarter of all Internet-connected computers are part of a botnet. Botnet features  Host control  Command and control  Exploits and attacks. Assumptions  Observation: most bots reside on personal computers, unlike many other Internet incidents that target servers.  Bot herders control their bots for the whole of the bots' uptime.

Botnet environment (1/2): Fig. 1. Environment topology. Support software  Cygwin: a Linux-like environment for Windows.  SSH: a network protocol that exchanges data over an encrypted, authenticated channel between two computers; here it carries the control connections to the testbed.  IRC server: the Hybrid IRC daemon (ircd-hybrid) serves and controls the IRC network used as the command-and-control channel.

Botnet environment (2/2): Experiment process  Parameter setting  Environment setup  Launch bots

Data analysis (1/2): Response time is measured from the moment a sender transmits a message until the receiver has received it and sent its answer. Data source  The botnet traffic is monitored on a testbed built with the emulation toolkit.  We acquired a number of SDbot traces on both the herder side and the bot side.  The herder uses a common Unix IRC client, irssi.  We also collected three kinds of client traffic in different protocols: IRC, HTTP and SSH. Similarity examinations  Temporal similarity: bots reply to a message at nearly the same time.  All bots that receive the same command should perform the same activity, such as connecting to the same host.  Even when the messages are encrypted, their sizes are still the same.
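The three similarity checks above (replies clustered in time after a herder command, identical reply sizes, and identical follow-up connections) are easy to express over a channel log. The following is an added example written for this page, not the toolkit or detection module the presentation describes; the event records, host names, addresses and the window sizes are constructed for illustration.

```python
from collections import defaultdict

# Constructed IRC-channel observations (not real captures). Each tuple is
# (time_s, host, event, size_bytes, peer). "cmd" is a message from the herder
# to the channel, "reply" a channel member's message, "connect" a new outbound
# TCP flow opened by that host.
EVENTS = [
    (100.00, "herder", "cmd",     42, "#chan"),
    (100.04, "bot-a",  "reply",   31, "#chan"),
    (100.05, "bot-b",  "reply",   31, "#chan"),
    (100.07, "bot-c",  "reply",   31, "#chan"),
    (103.90, "alice",  "reply",   58, "#chan"),          # human, replies seconds later
    (100.30, "bot-a",  "connect",  0, "203.0.113.9:80"),  # same host reached by all bots
    (100.31, "bot-b",  "connect",  0, "203.0.113.9:80"),
    (100.33, "bot-c",  "connect",  0, "203.0.113.9:80"),
    (120.00, "alice",  "connect",  0, "198.51.100.7:443"),
]


def temporal_similarity(events, window=0.5):
    """Group hosts whose replies land within `window` seconds after a herder
    command, keyed by (command time, reply size). Encrypted replies to the same
    command still share a size, so size is used instead of content."""
    cmd_times = [t for t, _h, ev, _s, _p in events if ev == "cmd"]
    groups = defaultdict(set)
    for t, host, ev, size, _peer in events:
        if ev != "reply":
            continue
        for tc in cmd_times:
            if 0 <= t - tc <= window:
                groups[(tc, size)].add(host)
    # A single fast replier is not evidence of coordination; keep groups of 2+.
    return {k: v for k, v in groups.items() if len(v) >= 2}


def activity_similarity(events, window=1.0):
    """Group hosts that open a flow to the same peer within `window` seconds
    of the first such flow (the "connect to the same host" check)."""
    by_peer = defaultdict(list)
    for t, host, ev, _size, peer in events:
        if ev == "connect":
            by_peer[peer].append((t, host))
    clusters = {}
    for peer, flows in by_peer.items():
        flows.sort()
        first = flows[0][0]
        hosts = {h for t, h in flows if t - first <= window}
        if len(hosts) >= 2:
            clusters[peer] = hosts
    return clusters


def suspect_hosts(events):
    """Hosts flagged by both views: they replied in lock-step with the same
    size and then performed the same network activity."""
    temporal = set().union(*temporal_similarity(events).values())
    activity = set().union(*activity_similarity(events).values())
    return temporal & activity


if __name__ == "__main__":
    print("temporal groups:", dict(temporal_similarity(EVENTS)))
    print("activity clusters:", activity_similarity(EVENTS))
    print("suspects:", sorted(suspect_hosts(EVENTS)))
```

Requiring agreement between the two views keeps a single human who happens to answer quickly (or who visits the same site as a bot) from being flagged on its own; the windows would have to be tuned against the testbed's measured response times before use on real traffic.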

Data analysis (2/2): Supra-human behaviors  Service-like response  Quick requests

Traffic analysis

Threshold Random Walk: a sequential hypothesis test. Each observed reply updates the likelihood ratio of the two hypotheses; when the ratio crosses the upper threshold, accept hypothesis H1; when it falls below the lower threshold, accept hypothesis H0; in between, more observations are needed before the host is classified.
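The slide shows the three outcomes of the test without the arithmetic. The following is an added example, written for this page and not the presentation's Bro module, that runs a Threshold Random Walk over a host's reply delays using the standard sequential-probability-ratio formulation (thresholds (1-β)/α and β/(1-α)). It assumes the usual TRW convention that H1 is "the host is a bot" and H0 "the host is a human client", that a reply is "supra-human" when it arrives within 0.5 s of the command, and per-hypothesis probabilities θ0 and θ1 that are illustrative, not measured on the testbed; the delay sequences are constructed.

```python
import math

# Assumptions for illustration (not values from the presentation):
# a reply faster than FAST_REPLY_S after the command counts as supra-human;
# THETA0/THETA1 are P(supra-human reply) under H0 (human) and H1 (bot).
FAST_REPLY_S = 0.5
THETA0 = 0.1
THETA1 = 0.9

NEED_MORE = "need more observations"
ACCEPT_H1 = "accept H1 (bot)"
ACCEPT_H0 = "accept H0 (human)"


class ThresholdRandomWalk:
    """Per-host sequential test. alpha = tolerated false-positive rate,
    beta = tolerated false-negative rate. The log-likelihood ratio starts at 0
    and moves up on supra-human replies, down on human-speed ones."""

    def __init__(self, alpha=0.01, beta=0.01, theta0=THETA0, theta1=THETA1):
        self.eta1 = math.log((1 - beta) / alpha)    # upper bound: accept H1
        self.eta0 = math.log(beta / (1 - alpha))    # lower bound: accept H0
        self.step_fast = math.log(theta1 / theta0)
        self.step_slow = math.log((1 - theta1) / (1 - theta0))
        self.log_lambda = 0.0
        self.verdict = NEED_MORE

    def observe(self, reply_delay_s):
        """Feed one reply delay; returns the verdict so far. Once a hypothesis
        is accepted the walk is frozen, as an online detector would do."""
        if self.verdict != NEED_MORE:
            return self.verdict
        fast = reply_delay_s <= FAST_REPLY_S
        self.log_lambda += self.step_fast if fast else self.step_slow
        if self.log_lambda >= self.eta1:
            self.verdict = ACCEPT_H1
        elif self.log_lambda <= self.eta0:
            self.verdict = ACCEPT_H0
        return self.verdict


def classify(delays, **kwargs):
    """Run the walk over a delay sequence; return (verdict, observations used)."""
    trw = ThresholdRandomWalk(**kwargs)
    for n, delay in enumerate(delays, start=1):
        verdict = trw.observe(delay)
        if verdict != NEED_MORE:
            return verdict, n
    return trw.verdict, len(delays)


# Constructed delay sequences (seconds from command to reply).
BOT_DELAYS = [0.04, 0.05, 0.03, 0.06]
HUMAN_DELAYS = [2.1, 5.4, 0.3, 3.8, 1.2]   # one quick reply does not flip the verdict

if __name__ == "__main__":
    print("bot  :", classify(BOT_DELAYS))
    print("human:", classify(HUMAN_DELAYS))
```

With α = β = 0.01 the thresholds are ±ln 99 ≈ ±4.6 and each observation moves the walk by ln 9 ≈ 2.2, so three consecutive supra-human replies are enough to accept H1, while a human who answers quickly once is pulled back by the next slow reply; raising α or lowering θ1 makes the detector need more evidence before it decides.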

Evaluation

Conclusion: The goal of this study is to determine whether a host is a bot. We built three implementations toward that goal. Our emulation toolkit combines several scripts for Emulab and is useful for researchers interested in IRC botnet behavior. Of the other two, one is a tool that integrates several system utilities, and the other is a detection module for the Bro IDS based on network traffic analysis.