Presentation is loading. Please wait.

Presentation is loading. Please wait.

11 Automatic Discovery of Botnet Communities on Large-Scale Communication Networks Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani - in ACM Symposium on InformAtion,

Published byMelissa Rodgers Modified over 8 years ago

Similar presentations

Presentation on theme: "11 Automatic Discovery of Botnet Communities on Large-Scale Communication Networks Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani - in ACM Symposium on InformAtion,"— Presentation transcript:

1 11 Automatic Discovery of Botnet Communities on Large-Scale Communication Networks Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani - in ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS’09). 2009 Reporter: 高嘉男 Advisor: Chin-Laung Lei 2009/09/28

2 2 Outline Introduction Methodology Traffic Classification ◦ Payload signature based classification ◦ Identifying unknown traffic applications Botnet Detection Experimental Evaluation Conclusions

3 3 Life-cycle of an IRC Botnet

4 4 Approaches of Botnet Detection Honeypots ◦ Capture malware & understand the behavior of botnets. Passive anomaly analysis ◦ Usually independent of the traffic content ◦ Example: Botsniffer & Botminer Traffic application classification ◦ Classifying traffic into IRC traffic & non-IRC traffic ◦ Can only detected IRC based botnets

5 5 Two Challenges of Botnet Detection Detect new (or recent) appeared botnets ◦ Centralized C&C structure -> decentralized (P2P) structure ◦ Network protocols: IRC or HTTP -> own developed protocol Identify applications for network traffic ◦ Port number: limited information ◦ Examine the payload of network flows and then create signatures for each application  Legal issues related to privacy  Encrypted traffic  40% network flows cannot be classified

6 6 Methodology

7 7 Payload Signature based Classification Characteristics of bit strings in the payload

8 8 Payload Signature based Classification (cont’d)

9 9 Identifying Unknown Traffic Applications Basic idea: ◦ Association relationship between known traffic & unknown traffic Step 1: ◦ Cluster flows in terms of the src IP & the dst IP ◦ Generate a set of rectangles -> community Step 2: ◦ Cluster flows in terms of the dst IP & the dst port ◦ Generate a set of rectangles -> application community Label each application community ◦ Assign unknown flows according to probability of known flows

10 10 Identifying Unknown Traffic Applications (cont’d)

11 11 Identifying Unknown Traffic Applications (cont’d)

12 12 Botnet Detection Object: ◦ Differentiate the botnet behavior from the normal traffic on a specific application community Concept: ◦ Temporal-frequent characteristics of the 256 ASCII binary bytes in the payload over a time period Botnet behavior: ◦ Response time of bots: immediate and accurate once they receive commands ◦ Bots might be synchronized with each other

13 13 Detection Algorithm

14 14 Detection Algorithm (cont’d) Metric: standard deviation for  m each cluster m ◦ The higher the value of average  m  over 256 ACSII characters for flows on a cluster m, the more normal the cluster m is. Given the frequency vectors for n flows: ◦ j = standard deviation of the j th ASCII over n flows ◦ average standard deviation  over 256 ACSII characters for flows

15 15 Detection Algorithm (cont’d)

16 16 Tested Network Topology

17 17 Evaluation on Traffic Classification Part of known traffic → label them as unknown

18 18 Evaluation on Botnet Detection

19 19 Evaluation on Botnet Detection (cont’d)

20 20 Conclusions They propose a novel application discovery approach for automatically classifying network applications on a large-scale WiFi ISP network. They develop a generic algorithm to discriminate general botnet behavior from the normal network traffic on a specific application community, which is based on n-gram (frequent characteristics) of flow payload over a time period (temporal characteristics). Evaluation results show that their approach obtains a very high detection rate (approaching 100% for IRC bot) with a low false alarm rate when detecting IRC botnet traffic.

21 21 Reference Lu, W., M. Tavallaee, and A.A. Ghorbani, “ Automatic Discovery of Botnet Communities on Large‐Scale Communication Networks ”, in ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS’09). 2009: Sydney, Australia.

Download ppt "11 Automatic Discovery of Botnet Communities on Large-Scale Communication Networks Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani - in ACM Symposium on InformAtion,"

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Networking, Sensing and Control (ICNSC), 2013 10th IEEE International Conference on 102064535 黃川洁 1/25.

Networking, Sensing and Control (ICNSC), th IEEE International Conference on 黃川洁 1/25.
A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,

A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.

Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)

BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)
Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.

Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.
11 Active Botnet Probing to Identify Obscure Command and Control Channels G Gu, V Yegneswaran, P Porras, J Stoll, and W Lee - on Annual Computer Security.

11 Active Botnet Probing to Identify Obscure Command and Control Channels G Gu, V Yegneswaran, P Porras, J Stoll, and W Lee - on Annual Computer Security.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.
Automated malware classification based on network behavior

Automated malware classification based on network behavior
1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.

1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.
1. Introduction Generally Intrusion Detection Systems (IDSs), as special-purpose devices to detect network anomalies and attacks, are using two approaches.

1. Introduction Generally Intrusion Detection Systems (IDSs), as special-purpose devices to detect network anomalies and attacks, are using two approaches.

Similar presentations

Ads by Google