Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Mining & Machine Learning Lab

Published byHannah McLaughlin Modified over 5 years ago

Similar presentations

Presentation on theme: "Data Mining & Machine Learning Lab"— Presentation transcript:

1 Data Mining & Machine Learning Lab
BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation Author: Guofei Gu, et al. Report: Chien-Yi Chiu Mail: 2019/4/7 Data Mining & Machine Learning Lab

2 Data Mining & Machine Learning Lab
Outlines Introduction Challenges Case Study: Phatbot BotHunter System Infection Lifecycle Model Correlation Framework Architecture Overview BotHunter Sensor Suite: SCADE SLADE Signature Engine Example BotHunter Infection Profile Experiment & Evaluation Detection Performance SRI Honeynet Georgia Tech Summary References 2019/4/7 Data Mining & Machine Learning Lab

3 Data Mining & Machine Learning Lab
Introduction Bots: malware that has A remote control facility (C&C) A spreading mechanism to propagate Botnets – networks of bots Bots/Botnets are used for DDoS, Spam, Click fraud, Data theft… 2019/4/7 Data Mining & Machine Learning Lab

4 Data Mining & Machine Learning Lab
Challenges Bots are actively evolving Infection vectors Binary updates C&C servers/communications Scanning strategies Traditional IDSs/IPSs are less helpful in identifying bots (too many false positives) Only looking at one specific aspect is probably not enough 2019/4/7 Data Mining & Machine Learning Lab

5 Data Mining & Machine Learning Lab
Case Study: Phatbot 2019/4/7 Data Mining & Machine Learning Lab

6 Data Mining & Machine Learning Lab
BotHunter System Infection Lifecycle Model Correlation Framework Architecture Overview BotHunter Sensor Suite: SCADE SLADE Signature Engine Example BotHunter Infection Profile 2019/4/7 Data Mining & Machine Learning Lab

7 Infection Lifecycle Model
Egress point (internal – external) Search for duplex communication sequences that map to I.L. model Stimulus does not require strict ordering, but does require temporal locality 2019/4/7 Data Mining & Machine Learning Lab

8 Correlation Framework
Characteristics of Bot Declarations External stimulus alone cannot trigger bot alert 2 x internal bot behavior triggers bot alert 2019/4/7 Data Mining & Machine Learning Lab

9 Architecture Overview
2019/4/7 Data Mining & Machine Learning Lab

10 Data Mining & Machine Learning Lab
SCADE Statistical sCan Anomaly Detection Engine Custom malware specific weighted scan detection system for inbound and outbound sources Bounded memory usage to the number of inside hosts, less vulnerable to DoS attacks Inbound (E1: Initial Scan Phase): Suspicious port scan detection using weighted score Failed connection to vulnerable port = high weight Failed connection to other port = low weight Outbound (E5: Victim Outbound Scan): S1 - Scan rate of V over time t S2 – Scan failed connection rate (weighted) of V over t S3 – Scan target entropy (low revisit rate implies bot search) over t Combine model assessments: OR, Majority Voting, AND scheme 2019/4/7 Data Mining & Machine Learning Lab

11 Data Mining & Machine Learning Lab
SLADE Statistical payLoad Anomaly Detection Engine Suspicious payload detect: new “lossy” n-gram byte distribution analyzer over a limited set of network services Implements a lossy data structure to capture 4-gram hash space: Default vector size = (Versus n-4, 2564 = 232 = 4Gb). Comparable accuracy as full n-gram scheme: low FP and FN General performance comparable to PAYL [Wang2004]: to detect all 18 attacks, the false positive of PAYL is 4.02%, SLADE is % Ke Wang, Salvatore J. Stolfo. “Anomalous Payload-based network Intrusion Detection”, RAID’04 2019/4/7 Data Mining & Machine Learning Lab

12 Data Mining & Machine Learning Lab
Signature Engine Signature Set Replaces all standard snort rules with five custom rulesets: e[1-5].rules Scope: Dialog content Known worm/bot exploit signatures, shell/code/script exploits, malware update/download, C&C command exchanges, outbound scans Rule sources Bleeding Edge malware rulesets Snort community rules Cyber-TA custom bot-specific rules Current Set 1383 rules, operating on SRI/CSL and Georgia Tech networks, low FP 2019/4/7 Data Mining & Machine Learning Lab

13 Example BotHunter Infection Profile
2019/4/7 Data Mining & Machine Learning Lab

14 Experiment & Evaluation
Detection Performance SRI Honeynet Georgia Tech 2019/4/7 Data Mining & Machine Learning Lab

15 Data Mining & Machine Learning Lab
SRI Honeynet False Positive Test: 1 false positive in a 10-day trace 2019/4/7 Data Mining & Machine Learning Lab

16 Data Mining & Machine Learning Lab
Georgia Tech Virtual network, detect all 10 bots, including AgoBot, Phatbot RBot, RxBot WisdomBot/SdBot/SpyBot GTBot Real capture in live network Feb. 2007, Georgia Tech, CoC network BotHunter declared a bot infection via dialog warnings E1, E4, E5 E4 (C&C Server) address seen in both Shadow Server and the botnet mailing list False Positive Test Less than 1 (false profiles) per day in a 4 month real-time operation 2019/4/7 Data Mining & Machine Learning Lab

17 Data Mining & Machine Learning Lab
Summary New network perimeter monitoring strategy: Dialog correlation New bot detection system: BotHunter Free Internet release: 2019/4/7 Data Mining & Machine Learning Lab

18 Data Mining & Machine Learning Lab
References BotHunter: Detectin Malware Infection Through IDS-Driven Dialog Correlation Authors: Guofei Gu, Philip Porras, Vinod Yegneswaran, Martin Fong, Wenke Lee BotHunter USENIX Security’07 slides Cyber-Threat Analytics Project Page 2019/4/7 Data Mining & Machine Learning Lab

Download ppt "Data Mining & Machine Learning Lab"

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke.

BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
28 September 2006 ARO Kickoff Meeting Phillip Porras Cyber-TA: Secure Collaborative Threat Reconnaissance slide 1 Cyber-TA: Massive and Distributed Data.

28 September 2006 ARO Kickoff Meeting Phillip Porras Cyber-TA: Secure Collaborative Threat Reconnaissance slide 1 Cyber-TA: Massive and Distributed Data.
Malware Repository Overview Wenke Lee David Dagon Georgia Institute of Technology.

Malware Repository Overview Wenke Lee David Dagon Georgia Institute of Technology.
1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.

1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University

Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.

Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.
School of Computer Science and Information Systems

School of Computer Science and Information Systems
Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)

Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)

BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)

Similar presentations

Ads by Google