BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology


Page 1: BotMiner

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee

College of Computing, Georgia Institute of Technology

Page 2: Outline

• Introduction to botnets
• BotMiner Detection Framework
• Experiment Setup
• Results
• Limitations and solutions
• Other weaknesses
• Questions

Page 3: Introduction to botnets

• Botnet background
• Structure of botnets
  o Centralized botnet
  o Decentralized botnet
• Botnet attack facilitators
  o Internet Relay Chat (IRC)
  o Fast-flux
    - Single-flux
    - Double-flux
  o Domain-flux

Page 4: Botnet background

• A botnet is a network of computers compromised by malware called bots
• The botmaster can command the bots under his control to perform many activities
  o DDoS attacks
  o Spamming
  o Stealing sensitive information
  o Click fraud
  o Fast-flux hosting
  o Recruiting other hosts

Page 5: Structure of botnets (1)

• Centralized botnet
  o Has a central point for exchanging commands and data, called the command and control server (C&C server)
  o The C&C server usually runs a network service such as IRC or HTTP
  o Bots connect to the C&C server and wait for commands

Page 6: Structure of botnets (2)

[Figure: Centralized botnet]

Page 7: Structure of botnets (3)

• Decentralized botnet
  o Each bot can act as both client and server, using peer-to-peer (P2P) communication
  o Each bot has to connect to other bots
  o Still needs some gathering place (a rendezvous point where a newly infected bot finds its first peers)

Page 8: Structure of botnets (4)

[Figure: Decentralized botnet]

Page 9: Structure of botnets (5)

• Pros
  o Centralized botnet
    - Small latency
    - High synchronization
  o Decentralized botnet
    - Hard to take down
    - Hard to detect

Page 10: Structure of botnets (6)

• Cons
  o Centralized botnet
    - Easy to take down
    - Easy to detect
  o Decentralized botnet
    - High latency
    - Poor synchronization

Page 11: Botnet attack facilitator (1)

• Internet Relay Chat (IRC)
  o A protocol for live chat
  o Mainly designed for group communication: one message sent to a channel reaches every client joined to it, which is exactly what a botmaster needs to command many bots at once
  o Allows sending text messages and file sharing
  o Clients have to connect to an IRC server
  o Clients can join or create a chat room on the server, called a channel

Page 12: Botnet attack facilitator (2)

• Fast-flux
  o Single-flux
    - Multiple IP addresses are registered to a single domain name
    - The IP addresses are registered and de-registered rapidly, with a short TTL (possibly as short as 3 minutes), so successive lookups of the same name return different hosts

Page 13: Botnet attack facilitator (3)

• Fast-flux
  o Double-flux
    - A more advanced version of single-flux that adds a second layer of flux at the domain name server level
    - Multiple DNS servers (the name servers authoritative for the domain) are registered and de-registered
    - Each DNS server in turn returns multiple IP addresses for the domain name

Page 14: Botnet attack facilitator (4)

• Domain-flux
  o A technique for botnets to hide their C&C server, or the gathering point of a P2P botnet
  o Each bot generates a list of domain names using a certain algorithm (a domain generation algorithm) and tries the names in that list to locate its central point and receive commands
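The domain-flux mechanism described above, shown from both sides as an added example (this is not code from the paper, the slides or any real botnet family). The seed, the TLD list, the hashing scheme and the number of names per day are all assumptions made for the example; `registered` stands in for a DNS lookup so the code runs offline.

```python
import hashlib
from datetime import date, timedelta

# Assumptions for this example: a real family would have its own seed and scheme.
SEED = b"example-family-seed"
TLDS = ("com", "net", "org")
PER_DAY = 20
SAMPLE_DAY = date(2008, 7, 31)   # constructed date used in the usage below


def generate_domains(day, n=PER_DAY, seed=SEED):
    """Deterministically derive n candidate rendezvous names for one day.
    Every bot holding the same seed computes the same list, so the botmaster
    only has to register one name from it, and so can anyone else who
    recovers the algorithm and seed from a bot sample."""
    names = []
    for i in range(n):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        names.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return names


def locate_rendezvous(day, registered, seed=SEED):
    """Bot side: walk the day's list and stop at the first name that resolves.
    `registered` replaces the DNS query here (assumption for offline use)."""
    for name in generate_domains(day, seed=seed):
        if name in registered:
            return name
    return None


def precompute_blocklist(start, days, seed=SEED):
    """Defender side: enumerate every name the bots will try over the coming
    days, to block, sinkhole or pre-register them before the botmaster does."""
    names = set()
    for k in range(days):
        names.update(generate_domains(start + timedelta(days=k), seed=seed))
    return names


if __name__ == "__main__":
    today = generate_domains(SAMPLE_DAY)
    print("bot would try:", today[:3], "...")
    print("rendezvous found:", locate_rendezvous(SAMPLE_DAY, {today[3]}))
    print("names to block over a week:", len(precompute_blocklist(SAMPLE_DAY, 7)))
```

The defender's advantage is the same determinism the bots rely on: once the algorithm is known, the whole rendezvous list is known, which is why the C-plane view of BotMiner (many hosts resolving the same odd names in the same rhythm) is a useful complement to such blocklists.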

Page 15: BotMiner Detection Framework

• Traffic monitor
  o A-plane (activity plane) monitor: what the internal hosts do
  o C-plane (communication plane) monitor: who the internal hosts talk to, and how
• A-plane clustering
• C-plane clustering
• Cross-plane correlation

Page 16: Traffic monitor (1)

• A-plane monitor
  o Monitors and logs the activities of internal hosts
  o Uses SCADE (Statistical sCan Anomaly Detection Engine) from BotHunter to detect a high rate of scan activity and a high rate of failed connections
  o Detects spam-related activity by checking Simple Mail Transfer Protocol (SMTP) connections to mail servers
  o Detects suspicious binary download activity and IRC bot activity

Page 17: Traffic monitor (2)

• C-plane monitor
  o Monitors and logs flow records, each containing:
    - time
    - duration
    - source IP
    - source port
    - destination IP
    - destination port
    - number of packets and bytes transferred in both directions

Page 18: A-plane clustering (1)

• List the clients that perform suspicious activities
• Cluster them by type of activity: scan, spam, binary downloading, exploit
• Within each activity type, cluster again by the features of that activity, so that hosts doing the same thing end up in the same cluster
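The A-plane monitor of page 16 and the two-level clustering of page 18, run over constructed connection events, as an added example (not code from BotMiner or BotHunter). The event format, the thresholds and the choice of "most-probed port" as the within-type clustering key are assumptions made for this example; the paper's SCADE parameters are not on the slides.

```python
from collections import defaultdict

# Constructed sample events, one per outbound connection attempt by an internal
# host: (src_ip, dst_ip, dst_port, outcome). "fail" means the TCP handshake never
# completed (RST or no SYN-ACK), "ok" means it did.
EVENTS = (
    [("10.0.0.5", f"10.0.1.{i}", 445, "fail") for i in range(1, 21)]     # 445 sweep
    + [("10.0.0.6", f"10.0.1.{i}", 445, "fail") for i in range(30, 50)]  # 445 sweep
    + [("10.0.0.5", f"192.0.2.{i}", 25, "ok") for i in range(1, 13)]     # SMTP to 12 servers
    + [("10.0.0.7", f"198.51.100.{i}", 25, "ok") for i in range(1, 15)]  # SMTP to 14 servers
    + [("10.0.0.8", "203.0.113.10", 80, "ok")] * 30                       # ordinary browsing
    + [("10.0.0.8", "203.0.113.11", 443, "fail")]                         # one failed attempt
)

# Assumed thresholds for one observation window.
MAX_FAILED = 15        # failed connections per host
MIN_SMTP_SERVERS = 10  # distinct mail servers contacted per host


def detect_scan(events):
    """SCADE-like failed-connection detector: a scanner's probes mostly fail.
    Returns {host: most-probed port} for hosts with abnormally many failures."""
    failed = defaultdict(lambda: defaultdict(int))   # host -> port -> failures
    for src, _dst, dport, outcome in events:
        if outcome == "fail":
            failed[src][dport] += 1
    flagged = {}
    for src, ports in failed.items():
        if sum(ports.values()) >= MAX_FAILED:
            flagged[src] = max(ports, key=ports.get)
    return flagged


def detect_spam(events):
    """Flag hosts that open SMTP connections to many distinct mail servers;
    an ordinary client talks to one or two."""
    servers = defaultdict(set)
    for src, dst, dport, _outcome in events:
        if dport == 25:
            servers[src].add(dst)
    return {src for src, s in servers.items() if len(s) >= MIN_SMTP_SERVERS}


def a_plane_clusters(events):
    """Level 1: group flagged hosts by activity type. Level 2: within a type,
    group by a feature of the activity (here, the port a scanner hammers).
    A host with two kinds of activity appears in two clusters."""
    clusters = defaultdict(set)
    for host, port in detect_scan(events).items():
        clusters[("scan", port)].add(host)
    for host in detect_spam(events):
        clusters[("spam", 25)].add(host)
    return dict(clusters)


if __name__ == "__main__":
    for key, hosts in sorted(a_plane_clusters(EVENTS).items(), key=str):
        print(key, sorted(hosts))
```

With this input 10.0.0.5 lands in both the scan cluster and the spam cluster, which is the kind of multi-activity host the cross-plane score on page 24 rewards, while 10.0.0.8, whose single failed connection is noise, is never listed.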

Page 19: A-plane clustering (2)

[Figure: A-plane clustering]

Page 20: C-plane clustering (1)

• Read and cluster the log from the C-plane monitor
• Clustering method
  o Basic filtering
    - Filter out flows initiated by external hosts and flows between internal hosts
  o Whitelisting
    - Filter out flows to known legitimate servers
  o Aggregation into C-flows
    - All flows that share the same protocol, source IP, destination IP and destination port are grouped together

Page 21: C-plane clustering (2)

  o Translating each C-flow into vectors
    - Four variables, each summarized as a 13-element vector (a discretized distribution of the values seen over the observation period):
      • the number of flows per hour (fph)
      • the number of packets per flow (ppf)
      • the average number of bytes per packet (bpp)
      • the average number of bytes per second (bps)
  o Reducing the total of 52 features to 8 by computing the mean and variance of each variable

Page 22: C-plane clustering (3)

  o Step 1: coarse-grained clustering using only the 8 reduced features
  o Step 2: another clustering within each cluster from step 1, using the complete 52 features
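The C-plane pipeline of pages 20 to 22 (filtering, whitelisting, C-flow aggregation, the 52- and 8-feature vectors, and the two clustering steps) carried through on constructed flow records, as an added example that is not the paper's code. The internal prefix, the whitelist, the fixed bin ranges and the threshold-based grouping used in place of the paper's clustering algorithm are assumptions made for this example.

```python
from collections import defaultdict
from statistics import mean, pvariance

# Assumptions for this example (not values from the paper or the slides):
INTERNAL_PREFIX = "10."                    # hosts in 10/8 are "internal"
WHITELIST = {"203.0.113.80"}               # a known legitimate server
NBINS = 13                                 # elements per per-variable vector
BIN_MAX = {"fph": 60.0, "ppf": 100.0,      # upper bound of each variable's bin range;
           "bpp": 1500.0, "bps": 10000.0}  # larger values fall into the last bin

# Constructed flow records for one three-hour epoch:
# (start_hour, duration_s, src, sport, dst, dport, proto, packets, bytes)
def _beacons(src, hours):
    # six identical small flows per hour to a chat-style port: a bot checking in
    return [(h, 2.0, src, 40000 + i, "203.0.113.50", 6667, "tcp", 6, 480)
            for h in hours for i in range(6)]

FLOWS = (
    _beacons("10.0.0.5", range(3))
    + _beacons("10.0.0.6", range(3))
    + [(h, 1.0, "10.0.0.8", 51000 + i, "198.51.100.7", 80, "tcp", 8 + i, 900 + 100 * i)
       for h in range(3) for i in range(3)]                              # browsing
    + [(h, 0.5 + 3.0 * i, "10.0.0.8", 50000 + i, "203.0.113.80", 443, "tcp",
        10 + 15 * i, 800 + 2000 * i) for h in range(3) for i in range(4)]  # whitelisted server
    + [(1, 1.0, "198.51.100.9", 1234, "10.0.0.5", 22, "tcp", 3, 200)]    # initiated externally
    + [(1, 1.0, "10.0.0.5", 1234, "10.0.0.9", 445, "tcp", 3, 200)]       # internal to internal
)


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def basic_filter(flows):
    """Keep only flows an internal host initiated toward an external host."""
    return [f for f in flows if is_internal(f[2]) and not is_internal(f[4])]

def whitelist_filter(flows):
    return [f for f in flows if f[4] not in WHITELIST]

def aggregate_cflows(flows):
    """A C-flow is every flow sharing (proto, src, dst, dport); sport varies."""
    cflows = defaultdict(list)
    for f in flows:
        cflows[(f[6], f[2], f[4], f[5])].append(f)
    return dict(cflows)

def variables(cflow):
    """The four per-C-flow variables, each as the list of values observed."""
    per_hour = defaultdict(int)
    for f in cflow:
        per_hour[f[0]] += 1
    return {"fph": [float(n) for n in per_hour.values()],
            "ppf": [float(f[7]) for f in cflow],
            "bpp": [f[8] / f[7] for f in cflow],
            "bps": [f[8] / max(f[1], 1e-3) for f in cflow]}   # guard zero duration

def histogram(values, vmax):
    """Discretize one variable into NBINS equal-width bins over [0, vmax]."""
    counts = [0] * NBINS
    for v in values:
        counts[min(int(v / vmax * NBINS), NBINS - 1)] += 1
    return [c / len(values) for c in counts]

def feature_vectors(cflow):
    """Return (52-element vector, 8-element mean/variance vector) for one C-flow."""
    v = variables(cflow)
    full, reduced = [], []
    for name in ("fph", "ppf", "bpp", "bps"):
        full.extend(histogram(v[name], BIN_MAX[name]))
        reduced.extend([mean(v[name]), pvariance(v[name])])
    return full, reduced

def _dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def group_by_distance(vectors, eps):
    """Single-linkage grouping under a distance threshold: a dependency-free
    stand-in for the paper's clustering algorithm, not that algorithm."""
    groups = []
    for key, vec in vectors.items():
        for g in groups:
            if any(_dist(vec, vectors[m]) <= eps for m in g):
                g.append(key)
                break
        else:
            groups.append([key])
    return groups

def two_step_clusters(flows, eps8=1.0, eps52=0.1):
    """Step 1 on the 8 reduced features; step 2 on all 52 inside each step-1 group."""
    cflows = aggregate_cflows(whitelist_filter(basic_filter(flows)))
    feats = {k: feature_vectors(cf) for k, cf in cflows.items()}
    final = []
    for coarse in group_by_distance({k: feats[k][1] for k in feats}, eps8):
        final.extend(group_by_distance({k: feats[k][0] for k in coarse}, eps52))
    return final
```

The two beaconing hosts produce identical vectors and end up in one cluster, the browsing host in another, and the flows to the whitelisted server, the externally initiated flow and the internal-to-internal flow never reach the clustering at all. The cheap 8-feature pass exists so that the expensive 52-feature comparison only runs within groups that are already roughly similar.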

Page 23: C-plane clustering (4)

[Figure: C-plane clustering]

Page 24: Cross-plane correlation

• Cross-check the A-plane and C-plane clusters to find their intersections
• Compute a botnet score for each client with suspicious activities
  o High score for spam and exploit activities
  o Low score for scan and binary download activities
  o Higher score for performing more than one type of suspicious activity
  o Filter out clients with a score below the threshold
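A botnet score that follows the four rules above, run over constructed A-plane and C-plane clusters, as an added example rather than the paper's own scoring function. The weights, the threshold, the "share at least two hosts" intersection rule and the decision to group flagged hosts by shared C-plane cluster are assumptions made for this example.

```python
from itertools import combinations

# Assumptions for this example; the slides only give the qualitative rules.
WEIGHT = {"spam": 0.8, "exploit": 0.8, "scan": 0.2, "binary": 0.2}
THRESHOLD = 0.1   # hosts scoring at or below this are dropped
MIN_SHARED = 2    # two clusters intersect only if they share at least two hosts

# Constructed clusters. A-plane keys are (activity type, within-type feature),
# values are the internal hosts in the cluster. C-plane clusters are host sets.
A_CLUSTERS = {
    ("scan", 445): {"h5", "h6"},
    ("exploit", 445): {"h5", "h6"},
    ("spam", 25): {"h5", "h7", "h9"},
    ("binary", "hash-a"): {"h8"},
}
C_CLUSTERS = [{"h5", "h6"}, {"h7", "h9"}, {"h8", "h10"}]


def intersects(a, b):
    return len(a & b) >= MIN_SHARED


def botnet_score(host, a_clusters, c_clusters):
    """Every pair of A-plane clusters containing the host adds w_i * w_j and
    every (A-plane, C-plane) pair adds w_i, but only when the two clusters
    actually intersect: one host coincidentally in both is not group
    behaviour. Spam and exploit weigh more than scan and binary download, and
    a host seen in several activity types accumulates more terms."""
    mine = [(key, hosts) for key, hosts in a_clusters.items() if host in hosts]
    score = 0.0
    for (ki, hi), (kj, hj) in combinations(mine, 2):
        if intersects(hi, hj):
            score += WEIGHT[ki[0]] * WEIGHT[kj[0]]
    for ki, hi in mine:
        for c in c_clusters:
            if host in c and intersects(hi, c):
                score += WEIGHT[ki[0]]
    return score


def detect_botnets(a_clusters, c_clusters, threshold=THRESHOLD):
    """Return (flagged hosts, botnets). Flagged hosts that share a C-plane
    cluster (the same communication pattern) form one botnet; sharing only an
    A-plane cluster is not enough, or two unrelated spam runs would merge."""
    hosts = set().union(*a_clusters.values(), *c_clusters)
    flagged = {h for h in hosts if botnet_score(h, a_clusters, c_clusters) > threshold}
    botnets = []
    for c in c_clusters:
        members = c & flagged
        if len(members) < 2:          # a botnet is a group, never a lone host
            continue
        for b in [b for b in botnets if b & members]:
            botnets.remove(b)
            members |= b
        botnets.append(members)
    return flagged, botnets


if __name__ == "__main__":
    flagged, nets = detect_botnets(A_CLUSTERS, C_CLUSTERS)
    for h in sorted(flagged):
        print(h, round(botnet_score(h, A_CLUSTERS, C_CLUSTERS), 2))
    print(nets)
```

Here h5 and h6 (scanning, exploiting and talking to the same C&C) score far above h7 and h9 (spam only, but as a group), while h8, whose binary download coincides with no one else's communication pattern, scores zero. The same function applied to clusters accumulated over several days is the "check data back several days" countermeasure of page 32.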

Page 25: Experiment Setup (1)

• Traffic was monitored at the College of Computing at Georgia Tech
• The traffic contains many protocols, such as HTTP, SMTP, Post Office Protocol (POP), FTP, Secure Shell (SSH), Simple Network Management Protocol (SNMP), Instant Messaging (IM), DNS, P2P and IRC

Page 26: Experiment Setup (2)

• Collection of botnet traces
  o IRC bots
    - Botnet-IRC-spybot
    - Botnet-IRC-sdbot
    - Botnet-IRC-rbot
    - Botnet-IRC-N
  o HTTP bots
    - Botnet-HTTP-1
    - Botnet-HTTP-2
  o P2P bots
    - Botnet-P2P-Storm
    - Botnet-P2P-Nugache

Page 27: Experiment Setup (3)

Page 28: Results

Page 29: Limitations and solutions

• Evading C-plane monitoring and clustering
• Evading A-plane monitoring and clustering
• Evading cross-plane analysis

Page 30: Evading C-plane Monitoring and Clustering

• The botnet may use a legitimate website for its C&C lookup
  o Solution: don't perform whitelisting
• Using multiple C&C servers
  o Can be handled the same way as P2P clustering
• Randomizing the communication pattern
  o Randomization may still leave some similarities between bots
  o A randomized pattern may itself raise suspicion
• Mimicking a normal communication pattern
  o The A-plane may still be able to detect the bots

Page 31: Evading A-plane Monitoring and Clustering

• The botnet can evade detection, at the cost of its own efficiency, by
  o Keeping a low rate of suspicious activities
  o Performing tasks randomly and individually rather than as a group

Page 32: Evading Cross-plane Analysis

• Delaying command execution
  o Solution: check data going back several days, so that communication and activity that are spread out in time are still correlated

Page 33: Other weaknesses

• A-plane detectors that inspect payloads (exploit signatures, binary download detection) are blind to a botnet with encrypted communication; only the scan and spam detectors, which look at connection behavior rather than content, keep working
• Botnets can only be detected once they are in the attack phase; bots that have not yet performed any malicious activity are not flagged

Page 34: Questions