Botnet Detection System
Introduction
- Botnet problem
- Challenges for botnet detection
What Is a Bot/Botnet?
Bot
- A malware instance that runs autonomously and automatically on a compromised computer (zombie) without the owner's consent
- Profit-driven, professionally written, widely propagated
Botnet (Bot Army): network of bots controlled by criminals
- Definition: "A coordinated group of malware instances that are controlled by a botmaster via some C&C channel"
- Architecture: centralized (e.g., IRC, HTTP), distributed (e.g., P2P)
"25% of Internet PCs are part of a botnet!" (Vint Cerf)
Botnets are used for …
- All DDoS attacks
- Spam
- Click fraud
- Information theft
- Phishing attacks
- Distributing other malware, e.g., spyware
Challenges for Botnet Detection
- Bots are stealthy on the infected machines – We focus on a network-based solution
- Bot infection is usually a multi-faceted and multi-phased process – Only looking at one specific aspect is likely to fail
- Bots are dynamically evolving – Static and signature-based approaches may not be effective
- Botnets can have very flexible designs of C&C channels – A solution very specific to a botnet instance is not desirable
Roadmap to Three Detection Systems
- BotHunter: regardless of the C&C structure and network protocol, as long as the bots follow a pre-defined infection lifecycle
- BotSniffer: works for IRC and HTTP, can be extended to detect centralized C&C botnets
- BotMiner: independent of the protocol and structure
BotHunter: detection on a single infected client
Detecting Malware Infection Through IDS-Driven Dialog Correlation
- Monitors two-way communication flows between internal networks and the Internet for signs of bot and other malware
- Correlates the dialog trail of inbound intrusion alarms with outbound communication patterns
Bot infection case study: Phatbot
Dialog-based Correlation
BotHunter employs an Infection Lifecycle Model to detect host infection behavior.
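The slide names the infection lifecycle model but does not show how a dialog trail is evaluated. The following is an added example written for this page, not BotHunter's own code: it groups IDS alerts per internal host, slides a time window over each host's trail, and declares infection when the observed stages satisfy a declaration rule. The stage labels E1 to E5 follow the published BotHunter model; the declaration rule, the one-hour window and every alert in the stream are constructed assumptions.

```python
"""Vertical (per-host) dialog correlation in the style of BotHunter's
infection lifecycle model. Added example; not BotHunter's own code.
Stage labels E1..E5 follow the published BotHunter model; the declaration
rule and the time window are simplifying assumptions, and all alerts
below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Dialog stages relative to the monitored internal host.
INBOUND = {"E1", "E2"}           # E1 inbound scan, E2 inbound exploit
OUTBOUND = {"E3", "E4", "E5"}    # E3 egg (binary) download, E4 C&C traffic, E5 outbound scan/attack


@dataclass(frozen=True)
class Alert:
    ts: float    # seconds since start of capture
    host: str    # internal host the alert concerns
    stage: str   # one of E1..E5


def declare_infected(stages):
    """Simplified declaration rule (assumption): an inbound exploit (E2)
    plus at least one outbound stage, or two distinct outbound stages on
    their own, is enough to declare the host infected."""
    outbound = stages & OUTBOUND
    return ("E2" in stages and bool(outbound)) or len(outbound) >= 2


def correlate(alerts, window=3600.0):
    """Group IDS alerts by host into dialog trails, slide a time window over
    each trail, and return {host: sorted stages seen} for every host whose
    trail satisfies the declaration rule inside one window."""
    trails = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        trails[a.host].append(a)
    infected = {}
    for host, trail in trails.items():
        for i, first in enumerate(trail):
            # Stages observed within `window` seconds of the i-th alert.
            stages = {a.stage for a in trail[i:] if a.ts - first.ts <= window}
            if declare_infected(stages):
                infected[host] = sorted(stages)
                break
    return infected


# Constructed alert stream (private-range addresses, not real hosts).
SAMPLE_ALERTS = [
    Alert(0.0,     "10.0.0.5",  "E2"),   # exploit hits 10.0.0.5 ...
    Alert(120.0,   "10.0.0.5",  "E3"),   # ... it fetches a binary ...
    Alert(600.0,   "10.0.0.5",  "E4"),   # ... and checks in with C&C
    Alert(30.0,    "10.0.0.7",  "E1"),   # 10.0.0.7 was only scanned
    Alert(0.0,     "10.0.0.9",  "E4"),   # two outbound signs, but too far apart
    Alert(10000.0, "10.0.0.9",  "E5"),
    Alert(0.0,     "10.0.0.11", "E3"),   # no exploit seen (missed by the IDS),
    Alert(300.0,   "10.0.0.11", "E5"),   # but two outbound stages in one window
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_ALERTS).items():
        print(f"{host}: infected, dialog stages {stages}")
```

The window matters: the two outbound signs on 10.0.0.9 are real but so far apart that the correlator keeps them as separate, unconfirmed dialogs, while 10.0.0.11 is declared even though the inbound exploit was never seen, which is the point of correlating outbound evidence rather than relying on a single alert.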
BotHunter Architecture
Evaluation Example:
http://www.cyber-ta.org/releases/malware-analysis/public/2009-01-13-public/
BotSniffer: detection on centralized C&C botnets (IRC, HTTP)
Why will we focus on C&C?
- C&C is essential to a botnet – Without C&C, bots are just discrete, unorganized infections
- C&C detection is important
  – Relatively stable and unlikely to change within botnets
  – Reveals the C&C server and local victims
  – The weakest link
Botnet C&C Communication Example
Botnet C&C: Spatial-Temporal Correlation and Similarity
BotSniffer Architecture
Correlation Engine
Based on two properties of a response crowd, a set of clients that show (message/activity) response behavior:
- A dense response crowd: the fraction of clients with message/activity behavior within the group is larger than a threshold (e.g., 0.5).
- A homogeneous response crowd: many members have very similar responses.
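The two crowd properties can be measured directly from captured client responses. The following is an added example for this page, not BotSniffer's own code: for each candidate server it computes the density of the response crowd (fraction of the group that responded, using the slide's 0.5 threshold) and its homogeneity (fraction of responder pairs whose messages are similar), and flags servers where both hold. The bigram Dice similarity, the similarity and homogeneity thresholds, the server addresses and all message texts are constructed assumptions.

```python
"""Horizontal correlation in the style of BotSniffer's response-crowd
analysis. Added example; not BotSniffer's own code. The density threshold
0.5 is the slide's example; the similarity measure, the other thresholds
and all messages are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

DENSITY_THRESHOLD = 0.5       # from the slide: fraction of the group that responds
SIMILARITY_THRESHOLD = 0.6    # assumption: when two responses count as "very similar"
HOMOGENEITY_THRESHOLD = 0.5   # assumption: fraction of similar pairs for a homogeneous crowd


@dataclass(frozen=True)
class Response:
    client: str   # internal host
    server: str   # remote endpoint it responded to (candidate C&C)
    text: str     # client's message after the server spoke (constructed)


def bigrams(s):
    return {s[i:i + 2] for i in range(len(s) - 1)}


def dice(a, b):
    """Dice coefficient over character bigrams, 0.0 (disjoint) to 1.0 (identical)."""
    ga, gb = bigrams(a), bigrams(b)
    if not ga and not gb:
        return 1.0
    return 2 * len(ga & gb) / (len(ga) + len(gb))


def analyze_crowds(responses, groups):
    """groups maps a server to the set of local clients that talk to it.
    For each server compute the response crowd's density (fraction of the
    group that responded) and homogeneity (fraction of responder pairs with
    similar messages), and flag the server when both exceed their thresholds."""
    first_text = defaultdict(dict)   # server -> client -> first response text
    for r in responses:
        first_text[r.server].setdefault(r.client, r.text)
    report = {}
    for server, members in groups.items():
        responders = first_text.get(server, {})
        density = len(set(responders) & members) / len(members) if members else 0.0
        texts = [responders[c] for c in sorted(responders)]
        pairs = list(combinations(texts, 2))
        homogeneity = (sum(dice(a, b) >= SIMILARITY_THRESHOLD for a, b in pairs) / len(pairs)
                       if pairs else 0.0)
        report[server] = {
            "density": density,
            "homogeneity": homogeneity,
            "suspicious": density > DENSITY_THRESHOLD and homogeneity >= HOMOGENEITY_THRESHOLD,
        }
    return report


# Constructed traffic: four local clients, one IRC server and one web server
# (private and documentation-range addresses, not real hosts).
CLIENTS = {"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"}
GROUPS = {"198.51.100.7:6667": CLIENTS, "203.0.113.10:80": CLIENTS}
SAMPLE_RESPONSES = [
    # Three of four clients answer the IRC channel with near-identical status lines.
    Response("10.0.0.1", "198.51.100.7:6667", "PRIVMSG #c :scan done 0 hosts"),
    Response("10.0.0.2", "198.51.100.7:6667", "PRIVMSG #c :scan done 3 hosts"),
    Response("10.0.0.3", "198.51.100.7:6667", "PRIVMSG #c :scan done 1 hosts"),
    # Two clients use the web server for unrelated, dissimilar requests.
    Response("10.0.0.1", "203.0.113.10:80", "GET /index.html HTTP/1.1"),
    Response("10.0.0.4", "203.0.113.10:80", "POST /api/login HTTP/1.1"),
]

if __name__ == "__main__":
    for server, r in analyze_crowds(SAMPLE_RESPONSES, GROUPS).items():
        print(server, r)
```

Density alone is a weak signal: a popular web server will have a dense crowd on any busy network, which is why the engine also requires the responses to be homogeneous before it reports a server.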
Evaluation
Why BotMiner?
Botnets can change their C&C content (encryption, etc.), protocols (IRC, HTTP, etc.), structures (P2P, etc.), C&C servers, and dialog models.
So the BotHunter and BotSniffer systems may be evaded. We need to consider more.
Revisit Botnet Definition
"A coordinated group of malware instances that are controlled by a botmaster via some C&C channel"
We need to monitor two planes:
- C-plane (C&C communication plane): "who is talking to whom"
- A-plane (malicious activity plane): "who is doing what"
C-Plane Clustering
What characterizes a communication flow (C-flow) between a local host and a remote service?
– <protocol, srcIP, dstIP, dstPort>
A-plane clustering
Cross-clustering
Two hosts in the same A-cluster and in at least one common C-cluster are clustered together.
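The C-plane, A-plane and cross-clustering slides above describe three steps of one pipeline. The following is an added example for this page, not BotMiner's own code, that runs them end to end on constructed flows and activity reports: C-flows keyed on the slide's <protocol, srcIP, dstIP, dstPort> tuple are clustered by traffic statistics, A-clusters are formed from reported malicious activity, and hosts that share an A-cluster and at least one C-cluster are joined into a group. The per-flow statistics (flows per hour, packets per flow, bytes per packet, bytes per second) are used from memory of the BotMiner paper and should be treated as an assumption, the greedy distance-threshold clustering stands in for the paper's clustering algorithm, the A-plane clustering is simplified to "same activity type", and all hosts and numbers are constructed.

```python
"""C-plane / A-plane cross-clustering in the style of BotMiner. Added
example; not BotMiner's own code. Feature names follow the BotMiner paper
from memory (assumption); clustering and all data are simplified and
constructed."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
import math


@dataclass(frozen=True)
class CFlow:
    proto: str   # "tcp"/"udp"
    src: str     # local host
    dst: str     # remote service address
    dport: int   # remote service port
    fph: float   # flows per hour
    ppf: float   # packets per flow
    bpp: float   # average bytes per packet
    bps: float   # average bytes per second


def features(f):
    # Log-scale so that a 10x difference in bytes/s weighs like a 10x difference in flows/h.
    return [math.log1p(x) for x in (f.fph, f.ppf, f.bpp, f.bps)]


def cluster_cplane(flows, eps=0.5):
    """Greedy single-linkage clustering of C-flows by traffic statistics
    (not by destination: bots reaching different C&C servers with the same
    communication pattern should still fall into one C-cluster).
    Returns a list of sets of local hosts, one per C-cluster."""
    clusters = []   # (representative feature vector, set of hosts)
    for f in flows:
        v = features(f)
        for rep, hosts in clusters:
            if math.dist(rep, v) <= eps:
                hosts.add(f.src)
                break
        else:
            clusters.append((v, {f.src}))
    return [hosts for _, hosts in clusters]


def cluster_aplane(activities):
    """A-plane clustering, simplified to 'same activity type' (assumption).
    activities: iterable of (host, activity) pairs from the activity monitor."""
    by_type = defaultdict(set)
    for host, kind in activities:
        by_type[kind].add(host)
    return list(by_type.values())


def cross_cluster(c_clusters, a_clusters):
    """Two hosts in the same A-cluster that also share at least one C-cluster
    are joined (union-find); connected groups of size >= 2 are reported."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a in a_clusters:
        for h1, h2 in combinations(sorted(a), 2):
            if any(h1 in c and h2 in c for c in c_clusters):
                parent[find(h1)] = find(h2)
    groups = defaultdict(set)
    for h in list(parent):
        groups[find(h)].add(h)
    return sorted((g for g in groups.values() if len(g) > 1), key=min)


def detect_botnets(flows, activities):
    return cross_cluster(cluster_cplane(flows), cluster_aplane(activities))


# Constructed flows: 10.0.0.1-3 and .5 share one C&C-like pattern; .1 and .4 browse a web server.
SAMPLE_FLOWS = [
    CFlow("tcp", "10.0.0.1", "198.51.100.7", 6667, fph=12, ppf=4, bpp=80, bps=20),
    CFlow("tcp", "10.0.0.2", "198.51.100.7", 6667, fph=11, ppf=4, bpp=85, bps=22),
    CFlow("tcp", "10.0.0.3", "198.51.100.7", 6667, fph=13, ppf=5, bpp=78, bps=19),
    CFlow("tcp", "10.0.0.5", "198.51.100.7", 6667, fph=12, ppf=4, bpp=82, bps=21),
    CFlow("tcp", "10.0.0.1", "203.0.113.10", 80, fph=3, ppf=25, bpp=850, bps=4000),
    CFlow("tcp", "10.0.0.4", "203.0.113.10", 80, fph=2, ppf=30, bpp=900, bps=5000),
]
SAMPLE_ACTIVITIES = [
    ("10.0.0.1", "scan"), ("10.0.0.2", "scan"), ("10.0.0.3", "scan"),
    ("10.0.0.4", "spam"),   # activity, but no C-cluster in common with the scanners
    # 10.0.0.5 talks to the C&C but shows no malicious activity: not reported
]

if __name__ == "__main__":
    print(detect_botnets(SAMPLE_FLOWS, SAMPLE_ACTIVITIES))
```

The two hosts that are not reported show why both planes are needed: 10.0.0.5 has the C&C communication pattern but no observed malicious activity, and 10.0.0.4 has malicious activity but no communication cluster in common with the others, so neither alone is enough to be grouped into a botnet.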
Botminer Architecture
Evaluation Data
Evaluation Result (False Positives)
Evaluation Result (Detection Rate)
Botnet Detection Systems Summary
- BotHunter: vertical correlation. Correlation on the behaviors of a single host.
- BotSniffer: horizontal correlation. On centralized C&C botnets.
- BotMiner: extension of BotSniffer, no limitations on the C&C types.
Thank you!
Questions?