Presentation is loading. Please wait.

Presentation is loading. Please wait.

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Presented by D Callahan.

Published byBertina Glenn Modified over 8 years ago

Similar presentations

Presentation on theme: "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Presented by D Callahan."— Presentation transcript:

1 BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Presented by D Callahan

2 Outline Introduction – Botnet problem – Challenges for botnet detection – Related work BotMiner – Motivation – Design – Evaluation Conclusion

3 What Is a Bot/Botnet? Bot – A malware instance that runs autonomously and automatically on a compromised computer (zombie) without owner’s consent – Profit-driven, professionally written, widely propagated Botnet (Bot Army): network of bots controlled by criminals- “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel” – Architecture: centralized (e.g., IRC,HTTP), distributed (e.g., P2P) – “25% of Internet PCs are part of a botnet!” ( - Vint Cerf)

4 Botnets are used for … All DDoS attacks Spam Click fraud Information theft Phishing attacks Distributing other malware, e.g., spyware

5 How big is the Bot Problem? Computers were used for fun, now they are platforms Current top computing platforms http://www.top500.org/list/2008/11/100 Storm worm-1-50 million computers infected -Massive computing power -Incredible bandwidth distributed world wide -Is the storm over?

6 Conflicker according to McAfee When executed, the worm copies itself using a random name to the %Sysdir% folder. obtains the public ip address of the affected computer. Attempts to download a malware file from the remote website Starts a HTTP server on a random port on the infected machine to host a copy of the worm. Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit.

7 Challenges for Botnet Detection Bots are stealthy on the infected machines – We focus on a network-based solution Bot infection is usually a multi-faceted and multi-phased process – Only looking at one specific aspect likely to fail Bots are dynamically evolving – Static and signature-based approaches may not be effective Botnets can have very flexible design of C&C channels – A solution very specific to a botnet instance is not desirable

8 Existing Techniques Traditional Anti Virus tools – Bots use packer, rootkit, frequent updating to easily defeat Anti Virus tools Traditional IDS/IPS – Look at only specific aspect – Do not have a big picture Honeypot – Not a good botnet detection tool

9 Related Work [Binkley,Singh 2006]: IRC-based bot detection combine IRC statistics and TCP work weight Rishi [Goebel, Holz 2007]: signature-based IRC botnickname detection [Livadas et al. 2006, Karasaridis et al. 2007]: (BBN, AT&T) network flow level detection of IRC botnets (IRCbotnet) BotHunter [Gu etal Security’07]: dialog correlation to detect bots based on an infection dialog model BotSniffer [Gu etal NDSS’08]: spatial-temporal correlation to detect centralized botnet C&C TAMD [Yen, Reiter 2008]: traffic aggregation to detect botnets that use a centralized C&C structure

10 Motivation Botnets can change their C&C content (encryption, etc.), protocols (IRC, HTTP, etc.), structures (P2P, etc.), C&C servers, infection models …

11 Botnet again “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel” We need to monitor two planes – C-plane (C&C communication plane): “who is talking to whom” – A-plane (malicious activity plane): “who is doing what”

12 Botminer Framework

13 C-Plane clustering What characterizes a communication flow (C-flow) between a local host and a remote service? –

14 Temporal related statistical distribution information in – BPS (bytes per second) – FPH (flow per hour) Spatial related statistical distribution information in – BPP (bytes per packet) – PPF (packet per flow)

15 Two-step Clustering of C-flows Why multi-step? – Coarse-grained clustering Using reduced feature space: mean and variance of the distribution of FPH, PPF, BPP, BPS for each C-flow (2*4=8) Efficient clustering algorithm: X-means – Fine-grained clustering Using full feature space (13*4=52) What’s left?

16 A-plane Clustering Capture “activities in what kind of patterns”

17 Cross-plane Correlation Botnet score s(h) for every host h Similarity score between host hi and hj Hierarchical clustering Two hosts in the same A-clusters and in at least one common C-cluster are clustered together

18 Results

19 False Positive Clusters

20 Botnet detection

21 Overview

22 Conclusion Botminer - New botnet detection system based on Horizontal correlation - Independent of botnet C&C protocol and structure -Real-world evaluation shows promising results -while it is possible to avoid detection of BotMiner the efficiency and convenience of the BotNet will also suffer

Download ppt "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Presented by D Callahan."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu1,2, Roberto Perdisci3, Junjie Zhang1,

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu1,2, Roberto Perdisci3, Junjie Zhang1,
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Presented by Nilesh Sharma Pulkit Mehndiratta Indraprashta Institute of Information Technology, Delhi (IIIT- DELHI)

Presented by Nilesh Sharma Pulkit Mehndiratta Indraprashta Institute of Information Technology, Delhi (IIIT- DELHI)
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Written by Guofei Gu, Roberto Perdisci, Junjie.

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Written by Guofei Gu, Roberto Perdisci, Junjie.
Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.

Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
09 Dec 2010 DETECTION OF SIP BOTNET BASED ON C&C COMMUNICATIONS Mohammad AlKurbi.

09 Dec 2010 DETECTION OF SIP BOTNET BASED ON C&C COMMUNICATIONS Mohammad AlKurbi.
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)

BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)
2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.
China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.
SECURING NETWORKS USING SDN AND MACHINE LEARNING DRAGOS COMANECI –

SECURING NETWORKS USING SDN AND MACHINE LEARNING DRAGOS COMANECI –

Similar presentations

Ads by Google