Speaker: Hom-Jay Hom Date: 2009/10/20 Botnet Research Survey Zhaosheng Zhu et al., July 28-August 01 2008.

Presentation transcript:

Outline
Introduction
Understanding Botnet
Detecting and Tracking Botnet
Defenses Against Botnet
Conclusion and Possible Future Work

Introduction (1/2) Botnet is a term for a collection of software robots, or bots, which run on groups of zombie computers controlled remotely by attackers. A typical bot is created and maintained in four phases.

Introduction (2/2)
1. Initial Infection: vulnerabilities, web pages, USB autorun.
2. Secondary Injection: infected hosts download and run the bot code; the download can be via FTP, HTTP or P2P.
3. Malicious Activities: the bot communicates with its controller (spam, DDoS) over IRC-, HTTP- or DNS-based channels or a P2P protocol.
4. Maintenance and Upgrade: the bot continuously upgrades itself.

Understanding Botnet Most current research focuses on understanding botnets. There are mainly three areas:
1. Bot Anatomy: analysis focuses mainly on a bot's network-level behaviour, with the use of binary analysis tools.
2. Wide-area Measurement Study: tracking botnets to reveal different aspects, such as botnet size and the traffic generated.
3. Botnet Modeling and Future Botnet Prediction.

Bot Anatomy: IRC Bot The surveyed work analyzed the source code of four IRC-based bots: Agobot, SDBot, SpyBot and GT Bot. Only Agobot is a fully-developed bot. Agobot provides the following five features.

Agobot: five features
1. Exploits: exploits OS vulnerabilities and back doors.
2. Delivery: a shell on the remote host downloads the encoded bot binary.
3. Deception: if it detects VMware, it stops running.
4. Function: steals system information and monitors local network traffic.
5. Recruiting: the botmaster recruits new hosts through horizontal and vertical scanning.

HTTP Bot The surveyed work analyzed an HTTP-based spam bot module. Its command and control (C&C) is HTTP-based and the communication channel is encrypted. The IDA Pro tool was used to analyze the binary and recover the encryption key.

P2P-based The author claims that centralized control of a botnet offers a single point of failure for the botnet, so more stable architectures, such as a P2P-based architecture, are to be expected.

Fast-flux Networks (1/2) Fast-flux networks are increasingly used by botnets, for example to host phishing websites. These websites are valuable assets, so their operators hide the real IP addresses: a user first connects to a compromised computer, which serves as a proxy, forwarding the user's requests to the real server and the server's responses back to the user.

Fast-flux Networks (2/2) A new type of technique, called fast-flux service networks, answers DNS queries with round-robin IP addresses and a very short Time-To-Live, so the set of proxy addresses a domain resolves to changes constantly.
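As an added example (not from the survey or these slides), the DNS-side check a defender can run on the two properties just described: repeated lookups of a domain are profiled by smallest TTL, number of distinct answer IPs and number of distinct origin ASNs, and the ASN spread is what separates a flux network of compromised proxies from a CDN that also rotates short-TTL records. All domain names, addresses, ASNs and thresholds below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: repeated A-record lookups as (domain, TTL seconds, answers).
# No real domains or hosts; the CDN rotates short-TTL records within one network,
# the flux domain rotates through addresses scattered over many networks.
LOOKUPS = [
    ("shop.legit.test", 3600, ["203.0.113.10", "203.0.113.11"]),
    ("shop.legit.test", 3600, ["203.0.113.11", "203.0.113.10"]),
    ("cdn.legit.test", 60, ["198.51.100.5", "198.51.100.6", "198.51.100.7"]),
    ("cdn.legit.test", 60, ["198.51.100.8", "198.51.100.9", "198.51.100.5"]),
    ("login.flux.test", 300, ["192.0.2.14", "192.0.2.77", "192.0.2.130"]),
    ("login.flux.test", 300, ["192.0.2.201", "192.0.2.9", "192.0.2.55"]),
    ("login.flux.test", 300, ["192.0.2.88", "192.0.2.14", "192.0.2.167"]),
]

# Constructed IP -> origin ASN map, standing in for a routing-table or whois source.
IP_TO_ASN = {
    "203.0.113.10": 64500, "203.0.113.11": 64500,
    "198.51.100.5": 64501, "198.51.100.6": 64501, "198.51.100.7": 64501,
    "198.51.100.8": 64501, "198.51.100.9": 64501,
    "192.0.2.14": 64510, "192.0.2.77": 64511, "192.0.2.130": 64512,
    "192.0.2.201": 64513, "192.0.2.9": 64514, "192.0.2.55": 64510,
    "192.0.2.88": 64515, "192.0.2.167": 64516,
}


def profile_domains(lookups, ip_to_asn):
    """Per domain: (smallest TTL seen, distinct IPs, distinct ASNs) accumulated
    over all repeated lookups."""
    ips, ttl = defaultdict(set), {}
    for domain, t, answers in lookups:
        ips[domain].update(answers)
        ttl[domain] = min(t, ttl.get(domain, t))
    return {d: (ttl[d], len(ips[d]), len({ip_to_asn[ip] for ip in ips[d]}))
            for d in ips}


def fast_flux_candidates(lookups, ip_to_asn, max_ttl=600, min_ips=5, min_asns=3):
    """Flag domains combining a short TTL with answers that churn across many IPs
    AND many ASNs. The ASN spread separates a flux network of compromised proxies
    from a CDN, which also rotates short-TTL records but from one or two networks.
    Thresholds are illustrative defaults, not tuned values."""
    return sorted(d for d, (t, n_ip, n_asn) in profile_domains(lookups, ip_to_asn).items()
                  if t <= max_ttl and n_ip >= min_ips and n_asn >= min_asns)
```

Relaxing min_asns to 1 makes the CDN light up as well, which is exactly the false positive the ASN feature exists to suppress.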

Wide-area Measurement Study A honeynet-based botnet detection system, together with some findings on botnets across the Internet. The system is composed of three modules:
1. Malware collection: nepenthes and unpatched Windows XP in a virtualized environment.
2. Graybox testing: learn the botnet's "dialect".
3. Botnet tracking: an IRC tracker lurks in the IRC channel and records commands.

Botnet Modeling and Future Botnet Prediction The work creates a diurnal propagation model based on the fact that computers that are offline are not infectious. We still have no idea how close these models are to botnets in the real world.

Detecting and Tracking Botnet: honeynet-based First, there are several tools available to collect malware, but no tool for tracking the botnet. Secondly, the tracking tool needs to understand the botnet's "jargon" in order to be accepted by the botmaster. Moreover, the increasing use of anti-analysis techniques by the blackhat circle makes the development of such a tool even more challenging.

Traffic monitoring: identify botmasters based on transport-layer data. The core idea is based on the attack and control chain of the botnet. The major steps are as follows:
1. Identify bots based on their attack activities.
2. Analyze the flows of these bots to find candidate controller connections.
3. Analyze the candidate controller connections to locate the botmaster.
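The three-step chain above, as an added example that is not the surveyed system's code: bots are picked out by a scan-style attack footprint, the bots' non-attack flows are intersected to find a shared controller endpoint, and the controller's other peers become leads for the botmaster. The flow records, addresses (documentation ranges only) and thresholds are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str    # host that initiated the connection
    dst: str    # host that answered
    dport: int  # destination port


# Constructed flow records for a small segment (documentation address ranges only).
# 10.0.0.5 and 10.0.0.9 sweep port 445 across neighbouring subnets (attack activity)
# and both hold a connection to 198.51.100.7:6667; 10.0.0.22 is a workstation that
# only browses; 203.0.113.99 talks to 198.51.100.7:6667 but attacks nothing.
FLOWS = (
    [Flow("10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 41)]
    + [Flow("10.0.0.9", f"10.0.2.{i}", 445) for i in range(1, 36)]
    + [Flow("10.0.0.5", "198.51.100.7", 6667), Flow("10.0.0.9", "198.51.100.7", 6667)]
    + [Flow("10.0.0.22", "198.51.100.20", 443), Flow("10.0.0.22", "198.51.100.21", 443)]
    + [Flow("203.0.113.99", "198.51.100.7", 6667)]
)


def find_bots(flows, min_targets=20):
    """Step 1: a host is a bot candidate when, on one destination port, it contacts
    at least min_targets distinct hosts (scan footprint). Returns {ip: {ports}}."""
    targets = defaultdict(lambda: defaultdict(set))
    for f in flows:
        targets[f.src][f.dport].add(f.dst)
    return {src: {p for p, dsts in ports.items() if len(dsts) >= min_targets}
            for src, ports in targets.items()
            if any(len(dsts) >= min_targets for dsts in ports.values())}


def candidate_controllers(flows, bots, min_bots=2):
    """Step 2: among the bots' *non-attack* flows, an endpoint (ip, port) shared by
    at least min_bots bots is a candidate controller."""
    bots_per_endpoint = defaultdict(set)
    for f in flows:
        if f.src in bots and f.dport not in bots[f.src]:
            bots_per_endpoint[(f.dst, f.dport)].add(f.src)
    return {ep for ep, b in bots_per_endpoint.items() if len(b) >= min_bots}


def botmaster_leads(flows, controller, bots):
    """Step 3: hosts that initiated connections to the controller endpoint but showed
    no attack activity themselves; leads for analysts to examine, not a verdict."""
    dst, dport = controller
    return {f.src for f in flows
            if (f.dst, f.dport) == (dst, dport) and f.src not in bots}
```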

Defenses Against Botnet: Enterprise Solutions Trend Micro provides a Botnet Identification Service, which gives customers a real-time list of botnet C&C and botmaster addresses.

Conclusion and Possible Future Work HTTP/P2P Botnet: the existing works are anatomies of a few samples. Fast-flux Network: whom do they serve? What is the structure of the network? Is it the same as a typical IRC botnet or not? Is their botmaster also fast-fluxed? Binary analysis of the code would be extremely helpful.
