BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.


Slide 2: Outline
- Introduction to botnets
- BotMiner Detection Framework
- Experiments
  - Setup
  - Results
- Limitations
- Other weaknesses
- Questions

Slide 3: Introduction to botnets
- Botnet background
- Structure of botnets
  - Centralized botnet
  - Decentralized botnet
- Botnet attack facilitators
  - Internet Relay Chat (IRC)
  - Fast-flux
    - Single-flux
    - Double-flux
  - Domain-flux

Slide 4: Botnet background
- A botnet is a network of computers compromised by malware called a bot.
- The botmaster can command the bots under his control to perform many activities:
  - DDoS attacks
  - Spamming
  - Stealing sensitive information
  - Click fraud
  - Fast flux
  - Recruiting other hosts

Slide 5: Structure of botnets (1)
- Centralized botnet
  - Has a central point for exchanging commands and data, called the command and control server (C&C server)
  - The C&C server usually runs a network service such as IRC or HTTP
  - Bots connect to the C&C server and wait for commands

Slide 6: Structure of botnets (2)
- Centralized botnet (figure)

Slide 7: Structure of botnets (3)
- Decentralized botnet
  - Each bot can act as both client and server, using the idea of peer-to-peer (P2P) communication
  - Each bot has to connect to other bots
  - Still needs some gathering place

Slide 8: Structure of botnets (4)
- Decentralized botnet (figure)

Slide 9: Structure of botnets (5)
- Pros
  - Centralized botnet
    - Small latency
    - High synchronization
  - Decentralized botnet
    - Hard to take down
    - Hard to detect

Slide 10: Structure of botnets (6)
- Cons
  - Centralized botnet
    - Easy to take down
    - Easy to detect
  - Decentralized botnet
    - High latency
    - Poor synchronization

Slide 11: Botnet attack facilitator (1)
- Internet Relay Chat (IRC)
  - A protocol for live chat
  - Mainly designed for group communication
  - Allows sending text messages and sharing files
  - Clients have to connect to the IRC server
  - Clients can join or create a chat room on the server, called a channel

Slide 12: Botnet attack facilitator (2)
- Fast-flux
  - Single-flux
    - Multiple IP addresses are registered to a single domain name
    - Each IP address is registered and de-registered rapidly with a short TTL, possibly as short as 3 minutes

Slide 13: Botnet attack facilitator (3)
- Fast-flux
  - Double-flux
    - A more advanced version of single-flux that adds one layer of DNS server flux
    - Multiple DNS servers are registered and de-registered
    - Each DNS server also has multiple IP addresses for the domain name

Slide 14: Botnet attack facilitator (4)
- Domain-flux
  - A technique for a botnet to hide its C&C server, or the gathering point of a P2P botnet
  - Each bot generates a list of domain names using a certain algorithm and tries to locate its central point in that list to receive commands

Slide 15: BotMiner Detection Framework
- Traffic monitor
  - A-plane monitor
  - C-plane monitor
- A-plane clustering
- C-plane clustering
- Cross-plane correlation

Slide 16: Traffic monitor (1)
- A-plane monitor
  - Monitors and logs internal host activities
  - Uses SCADE (Statistical sCan Anomaly Detection Engine) from BotHunter to detect high rates of scan activity and high rates of failed connections
  - Detects spam-related activity by checking Simple Mail Transfer Protocol (SMTP) connections to mail servers
  - Detects suspicious binary download activities and IRC bots

Slide 17: Traffic monitor (2)
- C-plane monitor
  - Monitors and logs flow records:
    - time
    - duration
    - source IP
    - source port
    - destination IP
    - destination port
    - number of packets and bytes transferred in both directions

Slide 18: A-plane clustering (1)
- List the clients that perform suspicious activities
- Cluster them by type of activity: scan, spam, binary downloading, exploit
- Cluster within each group of activity type

Slide 19: A-plane clustering (2) (figure)

Slide 20: C-plane clustering (1)
- Read and cluster the log from the C-plane monitor
- Clustering method
  - Basic filtering
    - Filter out flows initiated by external hosts and flows between internal hosts
  - Whitelisting
    - Filter out flows to legitimate servers
  - Aggregation into C-flows
    - All flows that share protocol, source IP, destination IP and destination port are grouped together

Slide 21: C-plane clustering (2)
- Translating C-flows into vectors
  - Compute 4 variables, each as a vector with 13 elements:
    - the number of flows per hour (fph)
    - the number of packets per flow (ppf)
    - the average number of bytes per packet (bpp)
    - the average number of bytes per second (bps)
- Reduce the total of 52 features to 8 features by computing the mean and variance of each vector

Slide 22: C-plane clustering (3)
- Step 1: perform coarse-grained clustering using only the 8 reduced features
- Step 2: perform another clustering on each cluster from step 1 using the complete 52 features

Slide 23: C-plane clustering (4) (figure)
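The C-flow aggregation and the 52-to-8 feature reduction from slides 20 to 22, as an added example that is not the BotMiner authors' code. The flow record layout, the reading of the 13 elements as 13 one-hour bins, and the sample flows are constructed assumptions.

```python
# Added example (not the BotMiner authors' code): C-plane aggregation and the
# 52 -> 8 feature reduction described on the slides. The flow field layout, the
# 13 one-hour bins and the sample records below are constructed assumptions.
from collections import defaultdict
from statistics import mean, pvariance

BINS = 13  # 13 elements per vector, taken here as 13 one-hour bins (assumption)

# Constructed flow records: (start_s, duration_s, src, sport, dst, dport, proto, pkts, bytes)
FLOWS = [
    (0,    2, "10.0.0.5", 40001, "198.51.100.9", 80, "tcp", 10, 1200),
    (900,  2, "10.0.0.5", 40002, "198.51.100.9", 80, "tcp", 12, 1300),
    (3600, 4, "10.0.0.5", 40003, "198.51.100.9", 80, "tcp", 11, 1250),
    (4500, 1, "10.0.0.5", 40004, "198.51.100.9", 80, "tcp",  9, 1100),
    (100,  5, "10.0.0.7", 50001, "203.0.113.4", 443, "tcp", 40, 9000),
]

def aggregate_cflows(flows):
    """C-flow: all flows sharing protocol, source IP, destination IP and destination port."""
    cflows = defaultdict(list)
    for start, dur, src, _sport, dst, dport, proto, pkts, nbytes in flows:
        cflows[(proto, src, dst, dport)].append((start, dur, pkts, nbytes))
    return cflows

def cflow_vectors(records):
    """Four 13-element vectors: flows/hour, packets/flow, bytes/packet, bytes/second."""
    per_bin = defaultdict(list)
    for start, dur, pkts, nbytes in records:
        per_bin[int(start // 3600) % BINS].append((dur, pkts, nbytes))
    fph, ppf, bpp, bps = [0.0] * BINS, [0.0] * BINS, [0.0] * BINS, [0.0] * BINS
    for b, recs in per_bin.items():
        fph[b] = float(len(recs))
        ppf[b] = mean(p for _d, p, _n in recs)
        bpp[b] = mean(n / p for _d, p, n in recs if p)
        bps[b] = mean(n / max(d, 1) for d, _p, n in recs)  # zero-duration flows count as 1 s
    return {"fph": fph, "ppf": ppf, "bpp": bpp, "bps": bps}

def reduce_features(vectors):
    """Step-1 coarse features: mean and variance of each vector (4 x 2 = 8 numbers)."""
    return {f"{name}_{stat.__name__}": stat(vec)
            for name, vec in vectors.items() for stat in (mean, pvariance)}

def cplane_features(flows):
    """Map every C-flow key to its 52 raw values (step 2) and its 8 reduced features (step 1)."""
    out = {}
    for key, records in aggregate_cflows(flows).items():
        vecs = cflow_vectors(records)
        out[key] = {"raw52": sum(vecs.values(), []), "reduced8": reduce_features(vecs)}
    return out
```

Step 1 of the slides would cluster the `reduced8` dictionaries, and step 2 would re-cluster each resulting group on `raw52`; the clustering algorithm itself is not shown here.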

Slide 24: Cross-plane correlation
- Cross-check the A-plane and C-plane clusters to find their intersections
- Compute a botnet score for clients with suspicious activities
  - High score for spam and exploit activities
  - Low score for scan and binary download activities
  - Higher score for performing more than one type of suspicious activity
  - Filter out clients whose score is below a threshold
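A simplified botnet score that follows the rules on this slide, as an added example that is not the BotMiner authors' code and not the paper's exact formula. The weights, the threshold and the sample cluster memberships are constructed assumptions.

```python
# Added example (not the BotMiner authors' code): a simplified cross-plane score
# following the slide's rules. Weights, threshold and the cluster memberships
# below are constructed assumptions, not the paper's formula.
from itertools import combinations

# Spam and exploit weigh high, scan and binary download weigh low (assumed values).
WEIGHTS = {"spam": 1.0, "exploit": 1.0, "scan": 0.3, "binary": 0.3}
THRESHOLD = 0.8  # assumed cut-off below which a client is filtered out

# Constructed clusters: A-plane grouped by activity type, C-plane by communication pattern.
A_CLUSTERS = {
    "scan":    [{"10.0.0.5", "10.0.0.6", "10.0.0.7"}],
    "spam":    [{"10.0.0.5", "10.0.0.6"}],
    "exploit": [{"10.0.0.9"}],
}
C_CLUSTERS = [{"10.0.0.5", "10.0.0.6", "10.0.0.8"}, {"10.0.0.7"}, {"10.0.0.9"}]

def suspicious_hosts():
    """Every host that appears in at least one A-plane cluster."""
    return {h for clusters in A_CLUSTERS.values() for c in clusters for h in c}

def activity_types(host):
    return {t for t, clusters in A_CLUSTERS.items() if any(host in c for c in clusters)}

def shares_cplane_cluster(host, other):
    return any(host in c and other in c for c in C_CLUSTERS)

def botnet_score(host):
    """Sum the weights of the host's activity types, add a pairwise bonus when it
    performs more than one type, and require that it shares a C-plane cluster with
    another suspicious host (the cross-plane intersection); otherwise score 0."""
    types = activity_types(host)
    if not types:
        return 0.0
    score = sum(WEIGHTS[t] for t in types)
    score += sum(WEIGHTS[a] * WEIGHTS[b] for a, b in combinations(sorted(types), 2))
    others = suspicious_hosts() - {host}
    if not any(shares_cplane_cluster(host, h) for h in others):
        return 0.0  # a lone host has no similar-communication group; no botnet evidence
    return score

def flag_hosts():
    """Clients that survive the threshold filter, i.e. the reported botnet members."""
    return sorted(h for h in suspicious_hosts() if botnet_score(h) >= THRESHOLD)
```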

Slide 25: Experiment Setup (1)
- Traffic was monitored at the College of Computing at Georgia Tech.
- The traffic contains many protocols, such as HTTP, SMTP, Post Office Protocol (POP), FTP, Secure Shell (SSH), Simple Network Management Protocol (SNMP), Instant Messaging (IM), DNS, P2P and IRC.

Slide 26: Experiment Setup (2)
- Collection of botnet traces
  - IRC bots
    - Botnet-IRC-spybot
    - Botnet-IRC-sdbot
    - Botnet-IRC-rbot
    - Botnet-IRC-N
  - HTTP bots
    - Botnet-HTTP-1
    - Botnet-HTTP-2
  - P2P bots
    - Botnet-P2P-Storm
    - Botnet-P2P-Nugache

Slide 27: Experiment Setup (3) (figure)

Slide 28: Results (figure)

Slide 29: Limitations and solutions
- Evading C-plane Monitoring and Clustering
- Evading A-plane Monitoring and Clustering
- Evading Cross-plane Analysis

Slide 30: Evading C-plane Monitoring and Clustering
- A botnet may use a legitimate website for its C&C lookup
  - Solution: do not perform whitelisting
- Using multiple C&C servers
  - Solution: treat it the same way as P2P clustering
- Randomizing the communication pattern
  - Randomization may still leave some similarities
  - A randomized pattern may itself raise suspicion
- Mimicking a normal communication pattern
  - The A-plane may still be able to detect the bot

Slide 31: Evading A-plane Monitoring and Clustering
- A botnet can evade detection at the cost of its own efficiency
  - Keeping a low rate of suspicious activities
  - Performing tasks randomly and individually

Slide 32: Evading Cross-plane Analysis
- Delaying command execution
  - Solution: check data going back several days

Slide 33: Other weaknesses
- A-plane monitoring is useless against a botnet with encrypted communication
- BotMiner is only able to detect a botnet in its attack phase

Slide 34: Questions
