BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection (Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee)


Slide 1: BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee, College of Computing, Georgia Institute of Technology
Presented by Joshua Cox

Slide 2: Botnet
- Group of compromised computers
- Controlled by remote commands
- Malicious activities: DDoS attacks, spam, phishing, identity theft
- Protocols: IRC, HTTP, P2P

Slide 3: Centralized Botnets
- Botmaster sends command to designated C&C server
- Bots request commands from server

Slide 4: P2P Botnets
- No C&C server
- Botmaster sends command to any bot
- Bots share commands with neighbors

Slide 5: Rishi
- Detects IRC-based botnets
- Monitors traffic for: suspicious nicknames, suspicious servers, uncommon server ports

Slide 6: BotSniffer
- Network-based anomaly detection
- All bots within a botnet will share similar traffic patterns
- Works with IRC and HTTP botnets
- Does not detect P2P botnets

Slide 7: BotHunter
- Works with IRC, HTTP, and P2P botnets
- Relies on "Infection Lifecycle Model"
- What if we change the lifecycle?

Slide 8: BotMiner Objective
- Detect groups of compromised machines that are part of a botnet
- Independent of C&C communication structure and content
- Minimal false positives
- Resource-efficient detection

Slide 9: BotMiner Architecture

Slide 10: BotMiner Architecture

Slide 11: C-plane Monitor
- Who is talking to whom?
- TCP and UDP traffic flows: time, duration; source, destination; packet count, bytes transferred
- Manageable log size: less than 1 GB per day for a 300 Mbps network

Slide 12: A-plane Monitor
- Who is doing what?
- Detects malicious activities: scanning, binary downloading, spamming, exploit attempts
- Snort with custom plugins (expandable)

Slide 13: C-plane Clustering
- Which machines have similar communication patterns?
- C-plane monitor logs → cluster reports

Slide 14: C-plane Clustering: Basic Filtering
- Remove internal flows
- Remove one-way flows

Slide 15: C-plane Clustering: White Listing
- Remove flows to popular destinations (Google, Yahoo, etc.)

Slide 16: C-plane Clustering: Aggregation
- C-flow: all traffic flows over a period of time that share the same source, destination, and protocol

Slide 17: C-plane Clustering: Feature Extraction
- flows per hour, packets per flow, bytes per packet, bytes per second

Slide 18: C-plane Clustering: Two-step Clustering
- Coarse-grain and refined clustering
- X-means clustering algorithm
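The C-plane pre-processing of slides 14 to 17 (basic filtering, white listing, aggregation into C-flows, feature extraction), as an added example that is not the paper's or the presenter's code. The flow log, the internal network range, the whitelisted addresses and the aggregation window are constructed; the four features are computed as scalar summaries per C-flow, an assumed simplification of the paper's feature set.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")            # assumed monitored (internal) network
WHITELIST = {"203.0.113.10", "203.0.113.20"}  # constructed stand-ins for popular destinations
WINDOW_HOURS = 24                              # assumed C-flow aggregation window

# Constructed C-plane monitor log. Fields:
# (src, dst, proto, duration_s, pkts_out, pkts_in, bytes_out, bytes_in)
LOG = [
    ("10.0.0.5", "10.0.0.9", "tcp", 2.0, 10, 10, 1000, 4000),    # internal-only: dropped
    ("10.0.0.5", "198.51.100.7", "tcp", 0.5, 3, 0, 180, 0),      # one-way, no reply: dropped
    ("10.0.0.5", "203.0.113.10", "tcp", 1.0, 8, 8, 900, 5000),   # whitelisted destination: dropped
    ("10.0.0.5", "198.51.100.7", "tcp", 1.0, 4, 4, 240, 300),    # kept -> C-flow A
    ("10.0.0.5", "198.51.100.7", "tcp", 1.0, 4, 4, 240, 300),    # kept -> C-flow A
    ("10.0.0.6", "198.51.100.7", "tcp", 2.0, 6, 6, 360, 450),    # kept -> C-flow B
]

def basic_filter(rec):
    """Slide 14: drop flows between two internal hosts and one-way flows (no reply seen)."""
    src, dst, _proto, _dur, pkts_out, pkts_in, _bo, _bi = rec
    if ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
        return False
    return pkts_out > 0 and pkts_in > 0

def whitelist_filter(rec):
    """Slide 15: drop flows to destinations known to be popular and benign."""
    return rec[1] not in WHITELIST

def aggregate(records):
    """Slide 16: group surviving flows into C-flows keyed on (src, dst, proto)."""
    cflows = defaultdict(list)
    for rec in records:
        if basic_filter(rec) and whitelist_filter(rec):
            cflows[rec[:3]].append(rec)
    return cflows

def features(flows):
    """Slide 17: (flows per hour, packets per flow, bytes per packet, bytes per second),
    each as one scalar over the aggregation window (assumed simplification)."""
    n = len(flows)
    pkts = sum(f[4] + f[5] for f in flows)
    byts = sum(f[6] + f[7] for f in flows)
    secs = sum(f[3] for f in flows)
    return (n / WINDOW_HOURS, pkts / n, byts / pkts, byts / secs)

def cplane_vectors(log=LOG):
    """One feature vector per C-flow: the input to the two-step X-means clustering."""
    return {key: features(fl) for key, fl in aggregate(log).items()}
```

Only the two C-flows with replies to a non-whitelisted external host survive; the two records to 198.51.100.7 from 10.0.0.5 collapse into one C-flow with two flows.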

Slide 19: A-plane Clustering
- Which machines have similar activity patterns?
- A-plane monitor logs → cluster reports

Slide 20: A-plane Clustering: Activity Type Clustering
- scan, spam, binary download, exploit

Slide 21: A-plane Clustering: Activity Feature Clustering
- target subnet, similar binary, spam content, exploit type

Slide 22: Cross-plane Correlation
- Which machines are in a botnet?
- Botnet score: number of clusters, score of other hosts in cluster, activity weighting
- Which bots are in the same botnet?
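A simplified cross-plane correlation following the three bullets above, as an added example that is not the paper's or the presenter's code. The A-plane and C-plane cluster reports are constructed; the activity weights, the threshold and the exact scoring formula are assumptions and do not reproduce the paper's own score function.

```python
from itertools import combinations

# Constructed A-plane cluster reports (slides 20-21): activity type -> list of host clusters.
A_CLUSTERS = {
    "scan": [{"10.0.0.5", "10.0.0.6", "10.0.0.7"}],
    "spam": [{"10.0.0.5", "10.0.0.6"}],
    "binary_download": [{"10.0.0.8", "10.0.0.9"}],
}
# Constructed C-plane cluster reports (slide 18): hosts with similar communication patterns.
C_CLUSTERS = [{"10.0.0.5", "10.0.0.6"}, {"10.0.0.8", "10.0.0.9", "10.0.0.11"}]
HOSTS = ["10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8", "10.0.0.9", "10.0.0.11"]

# Activity weighting (assumed values): scanning alone is weak evidence, downloads/exploits stronger.
WEIGHT = {"scan": 1.0, "spam": 1.5, "binary_download": 2.0, "exploit": 2.0}
THRESHOLD = 1.0   # assumed minimum score for a host to be flagged as a bot

def cluster_ids(host):
    """Labelled ids of every A-plane and C-plane cluster that contains host."""
    ids = {("A", t, i) for t, cl in A_CLUSTERS.items() for i, c in enumerate(cl) if host in c}
    ids |= {("C", i) for i, c in enumerate(C_CLUSTERS) if host in c}
    return ids

def score(host):
    """Weighted count of cluster pairs the host co-occurs in (assumed formula): pairs of
    A-clusters of different activity types, plus every (A-cluster, C-cluster) pair.
    A host seen in one plane only, or in a single activity type, scores 0."""
    a = sorted(x for x in cluster_ids(host) if x[0] == "A")
    n_c = sum(1 for x in cluster_ids(host) if x[0] == "C")
    s = sum(WEIGHT[x[1]] * WEIGHT[y[1]] for x, y in combinations(a, 2) if x[1] != y[1])
    return s + sum(WEIGHT[x[1]] for x in a) * n_c

def botnets(hosts=HOSTS):
    """Flag hosts scoring >= THRESHOLD, then group flagged bots that share any cluster."""
    bots = {h: cluster_ids(h) for h in hosts if score(h) >= THRESHOLD}
    groups = []                     # list of (host set, cluster-id set)
    for h, ids in bots.items():
        hit = [g for g in groups if g[1] & ids]
        for g in hit:
            groups.remove(g)
        groups.append(({h}.union(*(g[0] for g in hit)), ids.union(*(g[1] for g in hit))))
    return sorted(sorted(g[0]) for g in groups)
```

Host 10.0.0.7 (scan only) and 10.0.0.11 (C-plane only) score 0 and are not flagged; the remaining bots fall into two botnets because they share clusters only within their own group.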

Slide 23: Test Case
- Georgia Tech campus network: up to 300 Mbps, wide variety of protocols
- Ran monitors for 10 days
- Obtained traces for 8 botnets: IRC, HTTP, and P2P

Slide 24: Botnets Used
- Overlaid malicious traffic on normal traffic
- Mapped IPs from random hosts to bots

Slide 25: Filtering Results
- Internal/External filter reduces data by 90%
- 10 billion packets reduced to 50k C-flows

Slide 26: Detection Results
- All botnets detected
- 99.6% bot detection
- 0.3% false positive rate

Slide 27: Limitations
- Traffic randomization and mimicry (C-plane cluster evasion)
- Individual or group commands (A-plane cluster evasion)
- Delay bot tasks (cross-plane analysis evasion)

Slide 28: References
- Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee. BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection. In Proceedings of the 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008.
- D. Pelleg and A. W. Moore. X-means: Extending k-means with efficient estimation of the number of clusters. In Proceedings of the Seventeenth International Conference on Machine Learning (ICML'00), pages 727–734, San Francisco, CA, USA. Morgan Kaufmann Publishers Inc.
- J. Goebel and T. Holz. Rishi: Identify bot contaminated hosts by IRC nickname evaluation. In Proceedings of USENIX HotBots'07, 2007.
- G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee. BotHunter: Detecting malware infection through IDS-driven dialog correlation. In Proceedings of the 16th USENIX Security Symposium (Security'07), 2007.
- G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting botnet command and control channels in network traffic. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), 2008.

