Multi-phase IRC Botnet & Botnet Behavior Detection Model

Similar documents
Outline. Motivation. Our System. Conclusion

BotCatch: Botnet Detection Based on Coordinated Group Activities of Compromised Hosts

Botnets: A Survey. Rangadurai Karthick R [CS10S009] Guide: Dr. B Ravindran

A brief Incursion into Botnet Detection

Journal of Chemical and Pharmaceutical Research, 2014, 6(7): Research Article

HTTP BASED BOT-NET DETECTION TECHNIQUE USING APRIORI ALGORITHM WITH ACTUAL TIME DURATION

Towards a collaborative, flow-based, distributed inter-domain Intrusion Detection System

BotDigger: A Fuzzy Inference System for Botnet Detection

Intrusion Detection by Combining and Clustering Diverse Monitor Data

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Basic Concepts in Intrusion Detection

Introduction to Security. Computer Networks Term A15

Security activities in Japan towards the future standardization. Cybersecurity

International Journal of Computer Trends and Technology (IJCTT) Volume54 Issue 1- December 2017

Application of Revised Ant Colony Optimization for Anomaly Detection Systems

ECESSA / TRACKING DOWN MALICIOUS TRAFFIC

Botnets Behavioral Patterns in the Network

Botnet Detection Using Honeypots. Kalaitzidakis Vasileios

Global DDoS Measurements. Jose Nazario, Ph.D. NSF CyberTrust Workshop

Detecting P2P Botnets through Network Behavior Analysis and Machine Learning

Automating Security Response based on Internet Reputation

AN INTELLIGENT NETWORK TRAFFIC BASED BOTNET DETECTION SYSTEM

Different attack manifestations Network packets OS calls Audit records Application logs Different types of intrusion detection Host vs network IT

UTM 5000 WannaCry Technote

Detecting Malicious Hosts Using Traffic Flows

Intrusion prevention systems are an important part of protecting any organisation from constantly developing threats.

Traceback Attacks in Cloud Pebbletrace Botnet nd International Conference on Distributed Computing Systems Workshops Wenjie Lin, David Lee

Detection of Network Intrusion and Countermeasure Selection in Cloud Systems

FloCon Netflow Collection and Analysis at a Tier 1 Internet Peering Point. San Diego, CA. Fred Stringer

Multi-Stream Fused Model: A Novel Real-Time Botnet Detecting Model

How to Configure DNS Sinkholing in the Firewall

ABSTRACT. threats in a network. Because, it becomes a route to launch several attacks such as Denial

Peer-to-Peer Botnet Detection Using NetFlow. Connor Dillon

NfSen and NFDUMP 16th TF-CSIRT Meeting Sept 15th 2005, Lisbon Peter Haag

Graph-based Detection of Anomalous Network Traffic

Automatic Discovery of Botnet Communities on Large-Scale Communication Networks

The UCSD Network Telescope

WHITE PAPER HIGH-FIDELITY THREAT INTELLIGENCE: UNDERSTANDING FALSE POSITIVES IN A MULTI-LAYER SECURITY STRATEGY

Detecting Botnets Using Cisco NetFlow Protocol

P2P Botnet Detection Method Based on Data Flow. Wang Jiajia 1, a Chen Yu1,b

Improving Intrusion Detection on Snort Rules for Botnet Detection

IDS: Signature Detection

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

REMINDER course evaluations are online

CE Advanced Network Security Botnets

On Optimizing Load Balancing of Intrusion Detection and Prevention Systems. Anh Le, Ehab Al-Shaer, and Raouf Boutaba

Intrusion Detection System using AI and Machine Learning Algorithm

Early detection of Crossfire attacks using deep learning

Radware DefensePro DDoS Mitigation Release Notes Software Version Last Updated: December, 2017

Overview of nicter - R&D project against Cyber Attacks in Japan -

Network Security Fundamentals

Detecting Spam Zombies by Monitoring Outgoing Messages

Detecting P2P Botnets through Network Behavior Analysis and Machine Learning

UNIVERSITY OF NAIROBI

intelop Stealth IPS false Positive

ARAKIS An Early Warning and Attack Identification System

ZOMBIE ZOMBIE BOTNET PDF

Network Anomaly Detection Using Autonomous System Flow Aggregates

Intelligent and Secure Network

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Botnet Behaviour Analysis using IP Flows

DDOS Attack Prevention Technique in Cloud

Network Based Peer-To-Peer Botnet Detection

ISSN: (Online) Volume 2, Issue 7, July 2014 International Journal of Advance Research in Computer Science and Management Studies

Detecting Spam Zombies By Monitoring Outgoing Messages

A Review- Botnet Detection and Suppression in Clouds Miss Namrata A. Sable #1, Prof. Dinesh S. Datar #2

Fast Deployment of Botnet Detection with Traffic Monitoring

Heuristics for Detecting Botnet Coordinated Attacks

Benchmarking the Effect of Flow Exporters and Protocol Filters on Botnet Traffic Classification

Symantec vs. Trend Micro Comparative Aug. 2009

Attack Fingerprint Sharing: The Need for Automation of Inter-Domain Information Sharing

Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks

Avoiding Information Overload: Automated Data Processing with n6

CS395/495 Computer Security Project #2

How to Configure Virus Scanning in the Firewall for FTP Traffic

The Challenge of Spam An Internet Society Public Policy Briefing

A Multifaceted Approach to Understanding the Botnet Phenomenon

Deployment of Proposed Botnet Monitoring Platform using Online Malware Analysis for Distributed Environment

FPGA based Network Traffic Analysis using Traffic Dispersion Graphs

Network Security. Chapter 0. Attacks and Attack Detection

Figure 1: Attempts for /ws/v1/cluster/apps/new-application

CINBAD. CERN/HP ProCurve Joint Project on Networking. Post-C5 meeting, 12 June 2009 (hepix, 26 May 2009)

P2P Botnet Detection Based on Traffic Behavior Analysis and Classification

P2P Botnet Detection Using Min-Vertex Cover

9. Security. Safeguard Engine. Safeguard Engine Settings

A Review of Network Intrusion Detection and Countermeasure

A Review-Botnet Detection and Suppression in Clouds

Detect Cyber Threats with Securonix Proxy Traffic Analyzer

Check Point DDoS Protector Simple and Easy Mitigation

REPORT DOCUMENTATION PAGE

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect

Internet Security: Firewall

Application Security. Rafal Chrusciel Senior Security Operations Analyst, F5 Networks

Integrated Security Incident Management Concepts & Real world experiences

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

ddos-guard.net Protecting your business DDoS-GUARD: Distributed protection against distributed attacks

A SURVEY TO ANALYSE MITIGATION TECHNIQUES FOR DISTRIBUTED DENIAL OF SERVICE ATTACKS

Managing SonicWall Gateway Anti Virus Service

Transcription:

Software Verification and Validation Multi-phase IRC Botnet & Botnet Behavior Detection Model Aymen AlAwadi aymen@tmit.bme.hu Budapest university of technology and economics Department of Telecommunications and Media Informatics 1

Content 1. Introduction 2. Understanding botnet problem 3. Solution 4. Botnet specification 5. Module design 6. Process flows of the model 7. Module implementation 8. Validation testing 9. Summary 2

1. Introduction Botnet problem: Bot: is a malicious software like the common computer viruses and worms, can be distributed either by itself or by Trojan insertion. Bots can threaten the existing services and resources. Bots can easily evade AV tools. Bots implementing command-and-control (C&C) which is used by the botmaster to direct and update the bots through communication protocol like (IRC or HTTP). 3

1. Introduction Botnet Architecture: Botnet is a group of bots mainly have two kinds of architecture, centralized and P2P. Fig. 1 Botnet architecture 4

2. Understanding Botnet Botnet life cycle Phase 1 Phase 3 Phase 1 Phase 2 Fig. 3: Common life-cycle for IRC botnet (Lu and Ghorbani, 2008) 5

2. Understanding Botnet Global Botnet Threat Activity Map Fig. 3 Current botnet map distribution (trend micro, 2017) 6

3. Solution We proposed a model for IRC botnet and botnet behaviors detection based on botnet life-cycle phases. The proposed model includes 2 phases. The proposed method would be used to detect IRC bots based on botnet phase 2 and botnet behaviors based on botnet phase 3. The detection method is depending on spatial-temporal correlation and similarities strategy. We evaluated the model accuracy and efficiency. 7

4. Botnet specification For IRC Botnet detection: Phase 2 of botnet life-cycle (Bot initial communication) (NICK and C&C response message (PRIVMSG)). (Phase 1 (part 1 & 2) on the proposed model). For Botnet behavior detection: Phase 3 for Botnet attacks behaviors. (attacks or any malicious activities). Phase 2 on the proposed model. Fig. 4 Common architecture of IRC botnet 8

5. Module design Input IDS Raw Alert Filtering Sus. Bot Cluttering Correlation IRC (C&C ini. - clustering (Report responses) on The Proposed Work 1.1) non-std. IRC 2: ports alerts filtering IRC (C&C ini. responses) on Std. IRC ports alerts filtering IRC (C&C responses) alerts filtering IRC (C&C responses) on non-std. IRC ports alerts IRC (C&C responses) on Std. IRC ports alerts Similarity Sus. Bot - clustering (Report 1.2) IRC responses clustering (Report 2) Botnet IRC attacks hosts on non-std. IRC ports (Report 3.1) Botnet IRC attacks hosts on Std. IRC ports (Report 3.2) Phase 1 2 Phase 2-1 Phase 1 1 Spatial- Temporal Correlation & similarity Final result of Detection (Report 5) Output Malicious IRC messages Botnet attacks filtering Botnet attacks hosts (Report 4) Phase 2-2 IRC (C&C response) alerts filtering Fig. 5 The phases and the Process Flows Modes of the Model 9

5. Process Flows of the Model There are two process flows on the purposed model to track the IRC botnet activities. Coherent mode: representing the IRC responses messages that related to initial IRC bot activities. Phase 1 and continue with the result of phase 2. Non-coherent mode: representing the IRC responses messages which are not related to the initial IRC activity. Phase 1 part 2 and continue with the results of the phase 2. The filtering stage is depending on filtering the C&C responses that are directed to the same IRC server with same (destination IP, destination port and timestamp). 10

Module implementation

6. Module implementation (Module testing) The detection efficiency and accuracy of the proposed model have been evaluated with three case studies and multiple botnet scenarios. 1. Virtual machines by using Vmware with real botnets. 2. Dataset like DARPA 2000-Windows NT Attack Data Set. 3. CAIDA DDoS Attack 2007 Dataset. 12

6.1 Module implementation (Module testing) Case Study 1: The main objective of first case study is: To show different situations of existing botnet inside the monitored network with different intervals of monitoring time. To achieve this case study, we had three IRC botnet scenarios inside the Vmware environment. 13

6.1 Module implementation (Module testing) Case study 1: 1. Botnet scenario 1: Detecting multiple kinds of bots in initial IRC activity. 2. Botnet scenario 2: Detecting multiple kinds of bots in middle of IRC activity. 3. Botnet Scenario 3: Detecting single bot members at different situations. Fig. 6: VMware testbed environment 14

6.2 Module implementation (Module testing) Case study 2: Windows NT Attack DARPA 2000 Network Traffic Data Set. The chosen data set does not contain any kind of botnet, but it has normal IRC chatting traffic that comes with many Windows NT attacks. The main objective is to show that the proposed model can pass normal IRC chatting on IRC port 6667 without any botnet false positive result. This data set contains two flows from two networks; one for Inside and one for Outside network. 15

6.3 Module implementation (Module testing) Case study 3: CAIDA DDoS Attack 2007 DataSet This data set includes TCP-based DDoS attack to certain victim with responses from that victim to the attackers. The main objective is to evaluate the proposed model to detect botnet behavior (attack) which is happening regardless to the type of botnet communication protocol. 16

Validation testing

7. Validation testing The proposed model will be evaluated regarding detection accuracy and the model execution performance. The detection accuracy will be measured by evaluating the achieved objectives for each case study and scenario. The model performance will be measured by evaluating the average execution time of the proposed model to achieve the objectives. 18

7.1 Validation testing Case study1-botnet Scenario1: Botnet scenario 1: Detecting multiple kinds of bots in initial IRC activity results and discussion: Total Alerts IRC MSG IRC % of total alerts Normal IRC Malicious IRC % Normal IRC to total IRC Table 1: Results of IRC Botnet Scenario 1 % Malicious IRC to total IRC The achieved objectives: All of the infected IRC bots (the 5 bots) have been detected and their current state was accurate except one bot. The proposed model was able to detect IRC botnet members that work in different IRC ports with different destination IP addresses. IRC Bots Detected IRC Bots 10,259 324 3% 142 182 44% 56% 5 5 19

7.1 Validation testing Aelrts number 350 324 Number of IRC alerts 300 250 200 150 142 182 Number of alerts 100 50 0 Total IRC messages Normal IRC messages Malicious IRC messages Aerlts types Fig. 7: The filtered normal and malicious IRC alerts compared with the total number of IRC message As for performance evaluation, the proposed model took 2 seconds as an average execution time. 20

7.2 Validation testing Botnet scenario 2: Detecting multiple kinds of bots in middle of IRC activity results and discussion: Total Alerts IRC MSG IRC % of total alerts Normal IRC Malicious IRC % Normal IRC to total IRC Table 2: Results of IRC Botnet Scenario 2 % Malicious IRC to total IRC The achieved objectives: Detected IRC bots are in coherent mode or non-coherent mode. There were some functional conflicts after rules updating. Normal IRC messages for single IRC server have been filtered out. IRC Bots Detected IRC Bots 2,073 163 8% 96 67 59% 41% 4 4 21

7.2 Validation testing Aelrts number Number of alerts 180 163 160 140 120 100 96 80 67 60 40 20 0 Total IRC messages Normal IRC messages Malicious IRC messages Aerlts types Number of alerts Fig. 8: The filtered normal and malicious IRC alerts compared with the total number of IRC message of the botnet scenario 2 As for performance evaluation, the proposed model took 0.3 of a second as an average execution time, since there was no botnet attack in this scenario. 22

7.3 Validation testing Botnet scenario 3: Detecting single bot members at different situations results and discussion: Total Alerts IRC MSG IRC % of total alerts Normal IRC Malicious IRC % Normal IRC to total IRC Table 3: Results of IRC Botnet Scenario 3 % Malicious IRC to total IRC The achieved objective: Detecting singles IRC botnet member(s) inside the monitoring network even when they were in different situations with different activities (botnet attacks). IRC Bots Detected IRC Bots 60,989 149 0.2% 99 50 66% 34% 3 3 23

7.3 Validation testing Aelrts number Number of IRC alerts 160 149 140 120 99 100 80 60 50 40 20 0 Total IRC messages Normal IRC messages Malicious IRC messages Aerlts types Number of alerts Fig. 9: The filtered normal and malicious IRC alerts compared with the total number of IRC message of the botnet scenario 3 As for performance evaluation, the proposed model took 28.66 seconds as an average execution time, since there were 59,087 alerts belong to botnet attack. 24

7.4 Validation testing Case study 2: Windows NT Attack DARPA 2000 Network Traffic: No. Alerts No. of IRC % IRC msg to No. of Alerts The achieved objective: Normal IRC Malicious IRC % Normal IRC to total No. of IRC messages % Malicious IRC to total No. of IRC IRC Bots 930 35 4% 35 0 100% 0% 0 0 Table 4: Results of case study 2 for the inside Tcpdump file False positive botnet behaviors of case study 2 for the Inside Tcpdump file (2 hosts out of 40 hosts inside the network). The proposed method took from (0 to 0.3) of a second as average of execution time. Detected IRC Bots 25

7.5 Validation testing Case study 3: CAIDA DDoS Attack 2007 Dataset: No. Alerts No. of TCP traffic alerts %TCP traffic alerts to the total No. of Alerts No. of Port scanning alerts %Port scanning to the total No. of Alerts Detected DDoS Hosts %Detected DDoS hosts to TCP traffic alerts 1,033 871 84% 160 16% 113 13% Table 5: Results of IRC case study 3 for CAIDA DDoS Attack 2007 Dataset The achieved objective: The proposed model proved that it was able to detect and verify botnet behaviors even without prior knowledge to the type of the used protocol for botnet communication. As for performance evaluation, the proposed model took 0.3 of a second to analyze the alerts. 26

7.6 Validation testing (Comparison) Botnet model characteristics Approach Basis IRC Flow-Chars Time Net-Det Syntax BotHunter Net- Yes No Yes Yes Yes BotSniffer Net- Yes No Yes Yes Yes Rishi Net- Yes No No No Yes The proposed model Net- Yes pps No Yes Yes Table 6: Comparison of the proposed model with the other approaches based on botnet characteristics The flow characteristics are including number of packet per flow (ppf), number of bytes per packets (bpp), number of bytes per second (bps) and number of packets per second (pps) (Lu et al., 2011). 27

8. Summary 1- The main goal of the proposed model is to detect IRC botnet members and botnet behaviors based on that bots, malicious IRC messages will be filtered. 2- The proposed model considers the two botnet life-cycle phases for detection (IRC messages and attacks). 3- The proposed model assigns different status messages to describe the current status of the detected bot (IRC responses messaging and/or attacks). 4. The model evaluation shows that the proposed model was able to detect IRC botnet member(s) with minimum false positive results. 28

9. References 1. Al, Aymen Hasan Rashid, and Bahari Belaton. "Multi-phase IRC Botnet and Botnet Behavior Detection Model." International Journal of Computer Applications 66.15 (2013). 2. Lu, Wei, and Ali A. Ghorbani. "Botnets detection based on irc-community." Global Telecommunications Conference, 2008. IEEE GLOBECOM 2008. IEEE. IEEE, 2008. 3. Lu, Wei, Goaletsa Rammidi, and Ali A. Ghorbani. "Clustering botnet communication traffic based on n-gram feature selection." Computer Communications 34.3 (2011): 502-514. 29

Thank you!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback