Peer-to-Peer Botnet Detection Using NetFlow. Connor Dillon

Similar documents
Network Based Peer-To-Peer Botnet Detection

Stochastic Blockmodels as an unsupervised approach to detect botnet infected clusters in networked data

Covert channel detection using flow-data

Detecting Botnets Using Cisco NetFlow Protocol

Survey of the P2P botnet detection methods

Analysis the P2P botnet detection methods

BOTNET DETECTION IN VIRTUAL ENVIRONMENTS USING NETFLOW

OpenFlow DDoS Mitigation

Behavior Based Malware Analysis: A Perspective From Network Traces and Program Run-Time Structure

Benchmarking the Effect of Flow Exporters and Protocol Filters on Botnet Traffic Classification

Towards a collaborative, flow-based, distributed inter-domain Intrusion Detection System

A Novel Botnet Detection System for P2P Networks

Multi-phase IRC Botnet & Botnet Behavior Detection Model

A Comparative Analysis of the Resilience of Peer to Peer Botnets

Flow Measurement. For IT, Security and IoT/ICS. Pavel Minařík, Chief Technology Officer EMITEC, Swiss Test and Measurement Day 20 th April 2018

ECESSA / TRACKING DOWN MALICIOUS TRAFFIC

Visualizing Network Data for Intrusion Detection. Kulsoom Abdullah, Chris Lee, Gregory Conti, John A. Copeland June 16, 2005

(Im)possibility of Enumerating Zombies. Yongdae Kim (U of Minnesota - Twin Cities)

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

Hidden Figures: Securing what you cannot see

NAT logging basics. David Ford OxCERT (OUCS)

FloCon Netflow Collection and Analysis at a Tier 1 Internet Peering Point. San Diego, CA. Fred Stringer

Detecting Malicious Hosts Using Traffic Flows

NetFlow Multiple Export Destinations

DNS Security. Ch 1: The Importance of DNS Security. Updated

Data Confirmation for Botnet Traffic Analysis

Table of Contents. Cisco Blocking Peer to Peer File Sharing Programs with the PIX Firewall

How WebSafe Can Protect Customers from Web-Based Attacks. Mark DiMinico Sr. Mgr., Systems Engineering Security

Realtime C&C Zeus Packet Detection Based on RC4 Decryption of Packet Length Field

Botnets Behavioral Patterns in the Network

John Munro / Jason Trost / FlonCon 2013 January 7 10 Albuquerque, New Mexico

Network Intrusion Analysis (Hands on)

Network Security Monitoring with Flow Data

Detection of DNS Traffic Anomalies in Large Networks

Monitoring and Threat Detection

Automated Threat Management - in Real Time. Vectra Networks

NetFlow Optimizer. User Guide. Version (Build X) November 2017

Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect

NetFlow Optimizer. User Guide. Version (Build ) May 2017

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

APT Protection.

Synchronized Security

Master Course Computer Networks IN2097

Botnet Behaviour Analysis using IP Flows

Detecting Drive-by-Download Attacks based on HTTP Context-Types Ryo Kiire, Shigeki Goto Waseda University

Graph-based Detection of Anomalous Network Traffic

Advanced BGP using Route Reflectors

Outline. Motivation. Our System. Conclusion

Unique Phishing Attacks (2008 vs in thousands)

Lecture 2: Streaming Algorithms for Counting Distinct Elements

Detecting bots using multilevel traffic analysis

Chapter 10: Denial-of-Services

Multi-Stream Fused Model: A Novel Real-Time Botnet Detecting Model

Covert Channel in the BitTorrent Tracker Protocol

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version:

Configuring Data Export for Flexible NetFlow with Flow Exporters

Master Course Computer Networks IN2097

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version:

The situation of threats in cyberspace in the first half of 2018

Cisco Encrypted Traffic Analytics Security Performance Validation

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Virus Analysis. Introduction to Malware. Common Forms of Malware

Cisco Stealthwatch. Internal Alarm IDs 7.0

Stealthwatch ülevaade + demo ja kasutusvõimalused. Leo Lähteenmäki

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version:

!!!!!!!!!!!!!!!!!!!!!!!!!!!"!#$%%!&'!"(&)'*!!!!!!"#$%!&'(!)*+',+%!!

DDoS Protection in Backbone Networks

This chapter provides information to configure Cflowd.

Transport Layer. The transport layer is responsible for the delivery of a message from one process to another. RSManiaol

Advanced Threat Defense Certification Testing Report. Trend Micro Incorporated Trend Micro Deep Discovery Inspector

Announcements. CS 5565 Network Architecture and Protocols. Outline for today. The Internet: nuts and bolts view. The Internet: nuts and bolts view

1. Arista 7124s Switch Report

Data Plane Protection. The googles they do nothing.

The evolution of malevolence

Malicious Activity and Risky Behavior in Residential Networks

Identifying and Disrupting Mirai Botnets. Chuck McAuley

Vincent van Kooten, EMEA North Fraud & Risk Intelligence Specialist RSA, The Security Division of EMC

Statistical Assessment of Peer-to-Peer Botnet Features. Teghan Godkin B.Eng., University of Victoria, 2010

Encrypted Traffic Security (ETS) White Paper

User Guide Check Point Analytics App by QOS

RTP. Prof. C. Noronha RTP. Real-Time Transport Protocol RFC 1889

State of the art and challenges

Dynamics of Hot-Potato Routing in IP Networks

Stealthwatch System v6.9.0 Internal Alarm IDs

Application of Revised Ant Colony Optimization for Anomaly Detection Systems

BUILDING A SCALED SYSTEM FOR SECRET P2P- BOTNET DETECTION

ID: Sample Name: numbering.xml Cookbook: defaultandroidfilecookbook.jbs Time: 05:15:39 Date: 27/04/2018 Version:

ACN Peer-to-Peer Networks. Günther Langmann

Firewall Stateful Inspection of ICMP

Driving Network Visibility

RSA Web Threat Detection

Detecting Stealthy Malware Using Behavioral Features in Network Traffic

Monitoring and diagnostics of data infrastructure problems in power engineering. Jaroslav Stusak, Sales Director CEE, Flowmon Networks

State of the Internet Security Q Mihnea-Costin Grigore Security Technical Project Manager

Introduction to Security. Computer Networks Term A15

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

DDoS Testing with XM-2G. Step by Step Guide

Security: Internet of Things

Large-Scale Internet Crimes Global Reach, Vast Numbers, and Anonymity

Transcription:

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks

Botnets Large group of infected computers, controlled by a criminal organization Bots harvest information Perform DDoS attacks Command & Control (C&C) botnets Centralized architecture C&C servers are weak point Peer-to-peer (p2p) botnets P2p architecture More robust More stealthy

Zeus P2P Malware (aka Zeus Gameover) Trojan horse Financial fraud Botnet takedown on June 2 nd 2014 P2P layer remains active

NetFlow

IP Flow Information Export IP Flow Information Export (IPFIX) NetFlow v10 IETF RFCs 7011 through RFC 7015 Bidirectional flows RFC 5103

Research Question Can p2p bots be detected effectively by analyzing traffic flow data?

Related Research An Analysis of the Zeus Peer-to-Peer Protocol Dennis Andriesse and Herbert Bos Technical Report IR-CS-74, VU University Amsterdam, 2014 Are Your Hosts Trading or Plotting? Telling P2P File-Sharing and Bots Apart Ting-Fang Yen and Michael K. Reiter Distributed Computing Systems (ICDCS), 2010 IEEE 30th International Conference BotSuer: Suing Stealthy P2P Bots in Network Traffic through Netflow Analysis Nizar Kheir and Chirine Wolley Cryptology and Network Security vol. 8257, 2013

Approach 1. Acquire samples of active p2p malware 2. Install samples and capture NetFlow data of malicious traffic 3. Acquire NetFlow data of benign traffic 4. Analyze benign and malicious p2p traffic and find key differences 5. Design detection algorithm 6. Implement detection algorithm (Proof of Concept) 7. Test for false/true positives

Data Set: Benign Traffic Data generated specifically for this research Web browsing traffic Web streams p2p traffic: Multiple clients: utorrent FrostWire: BitTorrent Bearshare: gnutella imesh: IM2Net Ares Galaxy: own supernode/leaf protocol Emule: edonkey & Kademlia Shareaza: multiple protocols

Data Set: Malicious Traffic Obtained active samples of Zeus P2P malware from public sandbox Installed samples in lab environment and captured traffic Data set contains: Traffic from 3 different Zeus P2P binaries Packet Captures (pcaps) of 100 mins, 2 hours and 12 hours

Isolating P2P Traffic UDP p2p protocols initiate connections from a single source port Peers try to connect to peers that are unreachable Result: lots of failed connections, to multiple destinations, from a single source IP/port

Benign vs Malicious: Finding Differences Per application, split up data in to 2 hour chunks Analyze Amount of traffic generated Average bytes/packets per flow Protocol characteristics Traffic patterns Etc.

Benign vs Malicious: Traffic Volume

Benign vs Malicious: Packet Symmetry

Benign vs Malicious: Traffic Pattern

Benign vs Malicious: Traffic Pattern

Benign vs Malicious: Traffic Pattern

Detection Algorithm Group all flows by source IP/port Sources with more than 3 failed flows to different hosts are marked as p2p Zeus p2p traffic is identified by either: A packet ratio of less than 0.4 A traffic pattern of more than 3 approximately equal intervals of time of more than 5 mins

Detection Algorithm def p2p_detect(flows): unreachables = set( flow.dst_ip for flow in flows if flow.up_pkts > 0 and flow.down_pkts == 0 ) if len(unreachables) > 3: return True def zeus_ratio_detect(flows): up = sum(flow.up_packets for flow in flows) down = sum(flow.down_packets for flow in flows) if up / down > 0.4: return True

Detection Algorithm def zeus_pattern_detect(flows): timestamps = list(flow.timestamp for flow in flows) intervals = list() previous_timestamp = timestamps[0] for timestamp in timestamps: if timestamp - previous_timestamp > 300: intervals.append(timestamp previous_timestamp) previous_timestamp = timestamp if len(intervals) > 3: if stdev(intervals) < 150: return True

Proof of Concept NetFlow collector with detection algorithm implemented in Python code will be available on GitHub Tested without false positives on available data Detects the Zeus P2P malware

Conclusion It's possible to detect p2p malware using flow data Malware could change its behavior to avoid detection Detection algorithm: Packet symmetry is probably specific to Zeus protocol Traffic pattern might also be applicable to other malware Future research: Other p2p malware Testing more (real) benign p2p data for false positives

Thank you Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback