
11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.


Slide 1
Network-Level Monitoring for Tracking Botnets
Nick Feamster, School of Computer Science, Georgia Institute of Technology
ONR MURI N000140911042 Project Kick-off Meeting, November 20, 2009

Slide 2: Two Problems: From Axioms to Theories to Practice
Problem #1: Tracking Bots
– Bots are compromised computers
– Bot traffic is not sent/authorized by users
– Correlating host activities
Problem #2: Tracking Network Agility (BGP & DNS)
– Bots are long-term resources
– Reuse, mechanisms/protocols to support agility

Slide 3: Problem #1: Tracking Bot Propagation
Malware enters the enterprise over the network (e.g., remote exploit, Web application) or via a mobile device.
Administrators rely on virus scanners, AV, etc.
– Problem: Payloads may change; hard to keep AV up to date
Axiom: Bot traffic is not sent by humans/users.

Slide 4: Annotate Traffic with Provenance
Idea: Annotate network traffic with taints
– The process that generated the traffic
– Inputs that the process has taken (i.e., what other resources it has read)
As malware spreads, traffic accumulates a common set of taints.
– Identify taints corresponding to bad operation
– Block traffic if it carries a known bad taint
Theory: We can trace botnet traffic based on how it was sent, not what the botnet is sending.

Slide 5: Pedigree Design
Trusted tagging component on the host; arbiter on the network switch.
Practice: Tag traffic with provenance; block traffic at network switches.
NSF-TC 0916732: Taint-Based Information Tracking in Networked Systems
Student: Anirudh Ramachandran

Slide 6: Status and Challenges
Status
– Implementation and application to information-flow control in enterprises
Challenges
– Discover taints corresponding to the malware
– Defend against attacks on the taint set (e.g., overflow)
– Protect the integrity of the tagger

Slide 7: Problem #2: Tracking Network Agility
DNS: Remap DNS names to new IP addresses
– Fast-flux / double-flux
BGP: Hijack IP address space
– Allows hosts to operate from new IP addresses
Axiom: Botnets have only finite resources. These resources must be reused or recycled.

Slide 8: Example: DNS Agility
Theory: Rates of change are much faster than for legitimate load-balanced sites.
Maria Konte et al., Dynamics of Online Scam Hosting Infrastructure, PAM 2009. Best Paper.

Slide 9: Rates of Change
Domains that exhibit fast flux change more rapidly than legitimate domains.
Rates of change are inconsistent with the actual TTL values.
Theory: Rates of change are faster than for legitimate load-balanced sites.

Slide 10: Fingerprinting DNS Agility
Step 1 (simple idea)
– Changes to name server assignment
– Characteristics of new domains
Step 2: Graph comparison
– Lookups from recursive resolvers to fresh domains will look similar
– Build fingerprints based on graph and point-set comparison techniques
Practice: Develop fingerprints of DNS dynamics. Identify the underlying infrastructure, not the attacks.
Student: Shuang Hao
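The rate-of-change versus TTL test from slides 9 and 10, as an added example that is not part of the presentation or of the Konte et al. paper: it profiles each domain from repeated lookups and flags those whose A records turn over faster than their own TTL while continually introducing new addresses. The domain names, addresses, lookup log and the min_distinct threshold are all constructed assumptions.

```python
"""Fingerprint DNS agility from repeated lookups (constructed sample data)."""
from collections import defaultdict

# Constructed lookups: (seconds since start, domain, TTL, A-record set).
# Addresses come from RFC 5737 documentation ranges; nothing here is real.
LOOKUPS = [
    (0,   "flux.example", 300, {"203.0.113.5", "198.51.100.7"}),
    (60,  "flux.example", 300, {"203.0.113.9", "198.51.100.7"}),
    (120, "flux.example", 300, {"192.0.2.44", "203.0.113.9"}),
    (180, "flux.example", 300, {"192.0.2.44", "198.51.100.21"}),
    (240, "flux.example", 300, {"203.0.113.77", "198.51.100.21"}),
    (0,   "cdn.example", 60, {"192.0.2.10", "192.0.2.11"}),
    (60,  "cdn.example", 60, {"192.0.2.10", "192.0.2.11"}),
    (120, "cdn.example", 60, {"192.0.2.11", "192.0.2.12"}),
    (180, "cdn.example", 60, {"192.0.2.11", "192.0.2.12"}),
    (240, "cdn.example", 60, {"192.0.2.11", "192.0.2.12"}),
]


def agility_profile(lookups):
    """Per domain: how often the A-record set changed, how that compares
    to the advertised TTL, and how many distinct addresses were seen."""
    by_domain = defaultdict(list)
    for ts, name, ttl, addrs in lookups:
        by_domain[name].append((ts, ttl, frozenset(addrs)))
    profiles = {}
    for name, rows in by_domain.items():
        rows.sort()
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a[2] != b[2])
        window = rows[-1][0] - rows[0][0]
        ttl = max(r[1] for r in rows)
        distinct = len(set().union(*(r[2] for r in rows)))
        # Mean seconds between observed record changes (None if never changed).
        interval = window / changes if changes else None
        profiles[name] = {
            "changes": changes, "window_s": window, "ttl": ttl,
            "distinct_ips": distinct, "mean_change_interval_s": interval,
            # Records turning over faster than their TTL is the inconsistency
            # the slides describe: caches would still hold the old answer.
            "changes_faster_than_ttl": interval is not None and interval < ttl,
        }
    return profiles


def flag_agile(profiles, min_distinct=4):
    """Domains inconsistent with TTL that keep adding new addresses rather
    than rotating inside a fixed pool (min_distinct is an assumed threshold)."""
    return sorted(n for n, p in profiles.items()
                  if p["changes_faster_than_ttl"] and p["distinct_ips"] >= min_distinct)
```

The lookup interval bounds what can be observed: records changing faster than the polling period show up as a single change per poll.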

Slide 11: Example: BGP Agility
Figure: timeline of a short-lived announcement (~10 minutes): hijack address space, send spam, withdraw prefix. Prefixes shown (prefix, origin AS): 61.0.0.0/8 (4678), 66.0.0.0/8 (21562), 82.0.0.0/8 (8717).
Theory: Different prefixes follow similar patterns.
Anirudh Ramachandran et al., Understanding the Network-Level Behavior of Spammers, SIGCOMM 2006. Best Student Paper.

Slide 12: Fingerprinting BGP Agility
Figure: spam trap and BGP feed yield spam prefix & origin AS; heuristics (bogus AS, IAR, recently registered, scam hosting) lead to new prefixes.
Practice: Bootstrap suspicious prefix discovery. Look for similar prefixes.
Student: Maria Konte

