Presentation is loading. Please wait.

Presentation is loading. Please wait.

Yuede Ji, Qiang Li, Yukun He and Dong Guo

Published byColleen Ann Thompson Modified over 5 years ago

Similar presentations

Presentation on theme: "Yuede Ji, Qiang Li, Yukun He and Dong Guo"— Presentation transcript:

1 Yuede Ji, Qiang Li, Yukun He and Dong Guo
A Multiprocess Mechanism of Evading Behavior-Based Bot Detection Approaches Yuede Ji, Qiang Li, Yukun He and Dong Guo Jilin University 5/6/2014

2 OUTLINE Introduction Specific Features of Multiprocess Bot
Evasion Mechanisms Critical Challenges Experiments Extended Architectures Discussion Conclusion

3 OUTLINE Introduction Specific Features of Multiprocess Bot
Evasion Mechanisms Critical Challenges Experimens Extended Architectures Discussion Conclusion

4 1.1 What is botnet and bot? Botnet is a network composed by a large scale of infected hosts under the control of botmaster through Command and Control (C&C) channel. Bot is the infected host. Botmaster C&C Infrastructure Bot Infected Hosts

5 1.1 What is botnet and bot? 3 basic elements: Various C&C channels
Bot, C&C channel, botmaster Various C&C channels Centralized: IRC, HTTP Decentralized: Peer-to-Peer (P2P), Online Social Network (OSN) A major threat to Internet security DDoS, spam, identity theft, phishing

6 1.2 Existing Detection Approaches
Network-based Analyze network traffic to filter out the bot host Host-based a) Signature-based extracts the feature information of the suspicious program to match with a knowledge database b) Behavior-based Monitors the abnormal behaviors on host to determine whether the host is infected

7 1.3 The Problem Most behavior-based approaches are based on single process or related family processes. If a bot is separated into two or more processes, these approaches will be less effective.

8 OUTLINE Introduction Specific Features of Multiprocess Bot
Evasion Mechanisms Critical Challenges Experiments Extended Architectures Discussion Conclusion

9 2.1 Specific Features of Multiprocess Bot
There are two specific differences between multiprocess and conventional bot: Separating C&C connection from malicious behaviors Assigning malicious behaviors to several processes

10 2.1 Separating C&C connection from malicious behaviors
1. The process communicating with C&C server has no other malicious behaviors, and the malicious processes do not communicate with C&C server directly. 2. This feature is able to evade the detection approaches correlating network behaviors with malicious behaviors. 3. However, it may not be able to evade approaches which only detect host malicious behaviors.

11 2.2 Assigning Malicious Behaviors to Several Processes
Each process only performs a small part of whole malicious behaviors. This feature can effectively evade malicious behavior detection approaches The number of malicious behaviors that each process performs becomes a critical challenge

12 2.2 Assigning Malicious Behaviors to Several Processes
Phase 1: Suppose we extract the system calls of known malicious behaviors to build the system call set fi of each behavior. We build the critical system call set C using the similar methods of building Common API in [15]. The system calls in the critical set are frequently called by these malicious behaviors. Phase 2: We match every system call aij of each set fi with critical set C to generate num1 i , and after matching all we can get set Num1. It denotes the number of critical system calls of each behavior. We match every system call a i of critical set C with each set f i to generate num2 i , and then Num2. It denotes the number of behaviors that call a specific critical system call. Phase 3: Based on set Num1 and Num2 we can get two assignment mechanisms: behavior level and system call level assignment mechanism. In behavior level assignment, we sort the behaviors in descending order in set Num1. The top behaviors represent the most frequent behaviors. We can separate the top behaviors with each other to average the critical behavior numbers of each process. In this way, we can decrease the malicious grain size of each process. We can assign the sorted set to the processes in S shape, and other assignment mechanisms like arithmetic, random walk, etc. can also be used. Set Num2 is about system call level assignment mechanism. We also sort the system calls in descending order. We assign top system calls to different processes or even a process only performing one critical system call. This assignment mechanism is more complicated than behavior level.

13 OUTLINE Introduction Specific Features of Multiprocess Bot
Evasion Mechanisms Critical Challenges Experiments Extended Architectures Discussion Conclusion

14 3. Evasion Mechanisms According to detection targets, we classify existing behavior-based detection approaches into 4 categories: 1. Detecting C&C connections 2. Detecting malicious behaviors 3. Detecting bot commands 4. Detecting bots (correlating C&C connection with malicious behaviors)

15 3.1 Evading C&C Detection

16 3.2 Evading Malicious Behaviors Detection

17 3.3 Evading Bot Commands Detection

18 3.4 Evading Bots Detection

19 OUTLINE Introduction Specific Features of Multiprocess Bot
Evasion Mechanisms Critical Challenges Experiments Extended Architectures Discussion Conclusion

20 4. Critical Challenges Although multiprocess bot is able to evade behavior-based bot detection approaches, it still has many critical challenges. We will present two of them: bootstrap mechanism, and process communication mechanism. Conventional bot which has one process only needs to start itself, while multiprocess bot needs to start all the processes. Multiprocess bot may run in the hosts stealthily, while the bootstrap of all the processes is not easy to accomplish stealthily. If the bootstrap mechanism is not well designed, multiprocess bot may be detected at the startup stage. IPC data may be easy to capture, while it may not be easy to identify the suspicious data from the variety benign IPC data. Covert channels are difficult to detect and changeable. Thus the process communication mechanisms make the detection more difficult.

21 OUTLINE Introduction Specific Features of Multiprocess Bot
Evasion Mechanisms Critical Challenges Experiments Extended Architectures Discussion Conclusion

22 5.1 Prototype Architecture

23 5.2 Signature Analysis File / URL Detection ratio Single_Mini_Zeus.exe
71e82907ae2a45fc b7db39a62675b190f26e444b796eb81dbdfad77f 28 / 47 SendInfo.exe 5d86d1fabefb094034e192039a5d75d5f982205b1149f5684bf3e74dc6e63224 6 / 33 NamedPipeServer.exe edb e40b237c7d99ed6f5177f39c0b99f693a7b619e168c667058f0d55 2 / 47 Mini_Zeus.exe 0647dcd190af0e7519f2a4f003a6502e be609c5494fe23cd6335fada5 13/47

24 5.3 Behavior Analysis

25 OUTLINE Introduction Specific Features of Multiprocess Bot
Evasion Mechanisms Critical Challenges Experiments Extended Architectures Discussion Conclusion

26 6 Extended Architectures of Multiprocess Bot
Six more architectures

27 6 Extended Architectures of Multiprocess Bot
Four extension rules

28 OUTLINE Introduction Specific Features of Multiprocess Bot
Evasion Mechanisms Critical Challenges Experiments Extended Architectures Discussion Conclusion

29 7 Discussion

30 OUTLINE Introduction Specific Features of Multiprocess Bot
Evasion Mechanisms Critical Challenges Experiments Extended Architectures Discussion Conclusion

31 8 Conclusion

32 Thanks! Questions?

Download ppt "Yuede Ji, Qiang Li, Yukun He and Dong Guo"

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.

Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.

Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.

Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
Department Of Computer Engineering

Department Of Computer Engineering
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)

BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)
2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Similar presentations

Ads by Google