BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia...

Post on 19-Dec-2015


BotMiner

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee

College of Computing, Georgia Institute of Technology

Outline

• Introduction to botnets
• BotMiner Detection Framework
• Experiments Setup
• Results
• Limitations
• Other weaknesses
• Questions

Introduction to botnets

• Botnet background
• Structure of botnets
  o Centralized botnet
  o Decentralized botnet
• Botnet attack facilitators
  o Internet Relay Chat (IRC)
  o Fast-flux
    - Single-flux
    - Double-flux
  o Domain-flux

Botnet background

• A botnet is a network of computers compromised by malware called a bot
• The botmaster can command the bots under his control to perform many activities:
  o DDoS attacks
  o Spamming
  o Stealing sensitive information
  o Click fraud
  o Fast flux
  o Recruiting other hosts

Structure of botnets (1)

• Centralized botnet
  o Has a central point for exchanging commands and data, called the command and control server (C&C server)
  o The C&C server usually runs a network service such as IRC or HTTP
  o Bots connect to the C&C server and wait for commands

Structure of botnets (2)

Centralized botnet (diagram)

Structure of botnets (3)

• Decentralized botnet
  o Each bot can act as both client and server, using the idea of peer-to-peer (P2P) communication
  o Each bot has to connect to other bots
  o Still needs some gathering place

Structure of botnets (4)

Decentralized botnet (diagram)

Structure of botnets (5)

• Pros
  o Centralized botnet
    - Small latency
    - High synchronization
  o Decentralized botnet
    - Hard to take down
    - Hard to detect

Structure of botnets (6)

• Cons
  o Centralized botnet
    - Easy to take down
    - Easy to detect
  o Decentralized botnet
    - High latency
    - Poor synchronization

Botnet attack facilitator (1)

• Internet Relay Chat (IRC)
  o A protocol for live chat
  o Mainly designed for group communication
  o Allows sending text messages and file sharing
  o Clients have to connect to the IRC server
  o Clients can join or create a chat room on the server, called a channel

Botnet attack facilitator (2)

• Fast-flux
  o Single-flux
    - Multiple IP addresses are registered to a single domain name
    - Each IP address is registered and de-registered rapidly with a short TTL, possibly as short as 3 minutes

Botnet attack facilitator (3)

• Fast-flux
  o Double-flux
    - A more advanced version of single-flux that adds one layer of domain name server flux
    - Multiple DNS servers are registered and de-registered
    - Each DNS server also has multiple IP addresses for the domain name

Botnet attack facilitator (4)

• Domain-flux
  o A technique for botnets to hide their C&C server, or the gathering point of a P2P botnet
  o Each bot generates a list of domain names using a certain algorithm and tries to locate its central point, from which it receives commands, among the names in that list

BotMiner Detection Framework

• Traffic monitor
  o A-plane monitor
  o C-plane monitor
• A-plane clustering
• C-plane clustering
• Cross-plane correlation

Traffic monitor (1)

• A-plane monitor
  o Monitors and logs internal host activities
  o Uses SCADE (Statistical sCan Anomaly Detection Engine) from BotHunter to detect a high rate of scan activity and a high rate of failed connections
  o Detects spam-related activities by checking Simple Mail Transfer Protocol (SMTP) connections to mail servers
  o Detects suspicious binary download activities and IRC bots

Traffic monitor (2)

• C-plane monitor
  o Monitors and logs flow records: time, duration, source IP, source port, destination IP, destination port, and the number of packets and bytes transferred in both directions

A-plane clustering (1)

• Listing clients that perform suspicious activities
• Clustering them by type of activity: scan, spam, binary downloading, exploit
• Clustering further within each activity-type group

A-plane clustering (2)

C-plane clustering (1)

• Reading and clustering the log from the C-plane monitor
• Clustering method
  o Basic filtering
    - Filter out flows initiated by external hosts and flows between internal hosts
  o Whitelisting
    - Filter out flows to legitimate servers
  o Aggregation into C-flows
    - All flows that share protocol, source IP, destination IP and port are grouped together

C-plane clustering (2)

  o Translating C-flows into vectors
    - Computing 4 variables into vectors with 13 elements each:
      • the number of flows per hour (fph)
      • the number of packets per flow (ppf)
      • the average number of bytes per packet (bpp)
      • the average number of bytes per second (bps)
  o Reducing the total of 52 features to 8 features by computing the mean and variance of each vector

C-plane clustering (3)

  o Step 1: performing coarse-grained clustering with only the 8 reduced features
  o Step 2: performing another clustering on each cluster from step 1 with the complete 52 features
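The C-flow aggregation and the 52-feature / 8-feature vectors described on the last two slides, as an added example (not the BotMiner authors' code). The flow records are constructed, the 3-hour window and the equal-width 13-bin histograms are assumptions.

```python
from collections import defaultdict
from statistics import mean, pvariance

# Constructed flow records for one internal host (not data from the paper):
# (start_sec, proto, src_ip, dst_ip, dst_port, packets, bytes, duration_sec)
FLOWS = [
    (0,    "tcp", "10.0.0.5", "203.0.113.9", 6667, 8, 560, 2.0),
    (600,  "tcp", "10.0.0.5", "203.0.113.9", 6667, 8, 564, 2.1),
    (1200, "tcp", "10.0.0.5", "203.0.113.9", 6667, 8, 556, 1.9),
    (4000, "tcp", "10.0.0.5", "198.51.100.7", 443, 50, 48000, 5.0),
    (7300, "tcp", "10.0.0.5", "203.0.113.9", 6667, 8, 562, 2.0),
]
WINDOW_HOURS = 3   # assumed length of the observation window
BINS = 13          # one 13-element vector per variable, as on the slide
VARIABLES = ("fph", "ppf", "bpp", "bps")

def aggregate_cflows(flows):
    """C-flow: all flows sharing protocol, source IP, destination IP and port."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f[1], f[2], f[3], f[4])].append(f)
    return groups

def cflow_variables(flows):
    """The four per-C-flow variables as lists of observed values."""
    per_hour = [0] * WINDOW_HOURS
    for f in flows:
        per_hour[int(f[0] // 3600)] += 1
    return {
        "fph": per_hour,                      # flows per hour
        "ppf": [f[5] for f in flows],         # packets per flow
        "bpp": [f[6] / f[5] for f in flows],  # bytes per packet
        "bps": [f[6] / f[7] for f in flows],  # bytes per second
    }

def histogram(values, lo, hi):
    """Normalised 13-bin histogram of a variable (equal-width bins are an assumption)."""
    counts = [0] * BINS
    width = (hi - lo) / BINS or 1.0
    for v in values:
        counts[min(int((v - lo) / width), BINS - 1)] += 1
    return [c / len(values) for c in counts]

def features(flows):
    """Return the full 52-element vector and the reduced 8-element vector for one C-flow."""
    var = cflow_variables(flows)
    full = [x for n in VARIABLES for x in histogram(var[n], min(var[n]), max(var[n]))]
    reduced = [x for n in VARIABLES for x in (mean(var[n]), pvariance(var[n]))]
    return full, reduced
```

The 8-element vector feeds the coarse step 1 clustering; the 52-element vector is used to split each step 1 cluster in step 2.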

C-plane clustering (4)

Cross-plane correlation

• Cross-checking clusters to find their intersections
• Computing a botnet score for clients with suspicious activities
  o High score for spam and exploit activities
  o Low score for scan and binary download activities
  o High score for performing more than one type of suspicious activity
  o Filter out clients whose score is below the threshold
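An added example of the cross-plane scoring just described (not the authors' code): an activity type only counts for a client when another client in the same A-plane cluster also shares the client's C-plane cluster. The cluster output is constructed, and the weights, pairwise bonus and threshold are assumptions chosen to match the ranking the slide gives.

```python
from itertools import combinations

# Assumed weights: spam and exploit count more than scan and binary download.
WEIGHTS = {"spam": 1.0, "exploit": 1.0, "scan": 0.5, "binary": 0.5}
THRESHOLD = 1.0  # assumed cut-off

# Constructed cluster output (not data from the paper).
A_PLANE = {  # activity type -> internal clients flagged for it
    "scan": {"10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.20"},
    "spam": {"10.0.0.5", "10.0.0.6", "10.0.0.30"},
    "binary": {"10.0.0.7"},
}
C_PLANE = [  # clients with similar communication patterns
    {"10.0.0.5", "10.0.0.6", "10.0.0.7"},
    {"10.0.0.20", "10.0.0.21"},
    {"10.0.0.30", "10.0.0.31"},
]

def share_c_cluster(host, other, c_plane):
    """True if both clients fall in the same C-plane cluster."""
    return any(host in c and other in c for c in c_plane)

def botnet_score(host, a_plane, c_plane):
    """Score only activity types whose A-plane cluster intersects the host's C-plane cluster."""
    correlated = [
        t for t, members in a_plane.items()
        if host in members
        and any(g != host and share_c_cluster(host, g, c_plane) for g in members)
    ]
    score = sum(WEIGHTS[t] for t in correlated)
    # Extra credit for more than one type of correlated suspicious activity.
    score += sum(WEIGHTS[a] * WEIGHTS[b] for a, b in combinations(correlated, 2))
    return score

def suspected_bots(a_plane, c_plane, threshold=THRESHOLD):
    """Return {client: score} for every client at or above the threshold."""
    result = {}
    for host in set().union(*a_plane.values()):
        score = botnet_score(host, a_plane, c_plane)
        if score >= threshold:
            result[host] = score
    return result
```

With this input, 10.0.0.5 and 10.0.0.6 both scan and spam and share a C-plane cluster, so they pass; 10.0.0.7 only correlates on scanning and 10.0.0.20 and 10.0.0.30 have no correlated peers, so they are filtered out.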

Experiment Setup (1)

• Traffic is monitored at the College of Computing at Georgia Tech.
• The traffic contains many protocols, such as HTTP, SMTP, Post Office Protocol (POP), FTP, Secure Shell (SSH), Simple Network Management Protocol (SNMP), Instant Messaging (IM), DNS, P2P and IRC

Experiment Setup (2)

• Collection of botnet traces
  o IRC bots
    - Botnet-IRC-spybot
    - Botnet-IRC-sdbot
    - Botnet-IRC-rbot
    - Botnet-IRC-N
  o HTTP bots
    - Botnet-HTTP-1
    - Botnet-HTTP-2
  o P2P bots
    - Botnet-P2P-Storm
    - Botnet-P2P-Nugache

Experiment Setup (3)

Results

Limitations and solutions

• Evading C-plane Monitoring and Clustering
• Evading A-plane Monitoring and Clustering
• Evading Cross-plane Analysis

Evading C-plane Monitoring and Clustering

• The botnet may use a legitimate website for its C&C lookup
  o Don't perform whitelisting
• Using multiple C&C servers
  o Can be handled the same way as P2P clustering
• Randomizing the communication pattern
  o Randomization may still leave some similarities
  o A randomized pattern may itself raise suspicion
• Mimicking a normal communication pattern
  o The A-plane may still be able to detect it

Evading A-plane Monitoring and Clustering

• The botnet can evade detection at the cost of its own efficiency
  o Keeping a low rate of suspicious activities
  o Performing tasks randomly and individually

Evading Cross-plane Analysis

• Delaying command execution
  o Check data going back several days

Other weaknesses

• A-plane monitoring is useless against a botnet with encrypted communication
• A botnet can only be detected in its attack phase

Questions