A Taxonomy of Botnet Structures

Martin Lyckander (martily), 08/04/2016

About the paper
- Authors: David Dagon, Guofei Gu, Christopher P. Lee, Wenke Lee (Georgia Institute of Technology)
- Published in 2007

What is a botnet?
- Hosts under the control of a third party
- Infection vectors vary
- Can be self-propagating
- Different means of communication in different botnets
- Various capabilities: spam, DDoS, keylogging / data exfiltration, scanning / brute force, click fraud
- Two categories of reasons for a bot leaving the botnet: random failures and targeted responses
- Botnet topology can be seen as a network graph

The botmaster (figure)

The need for a taxonomy
- Botnets are diverse
- Size may vary greatly
- The threat of a botnet is not only about the number of infected hosts: high-speed internet vs. ADSL, uptime of the nodes in the botnet
- Determine the potential of the botnet analysed

Purpose of a taxonomy
- (a) assist the defender in identifying possible types of botnets
- (b) describe key properties of botnet classes, so researchers may focus their efforts on beneficial response technologies
- A method that takes down one type of botnet is not necessarily as effective on other types

Metrics
- Effectiveness
- Robustness
- Efficiency

Effectiveness
- Measure of overall utility to the botmaster
- Size (the giant component, S) and bandwidth
- The giant component is the largest online/connected portion of bots reachable by the botmaster
- In a DDoS: the largest number of bots that can receive and execute commands
- Botnets are diurnal, which affects the available bandwidth
- Bandwidth is often related to link speed; this is probably a lesser factor today in some parts of the world than when the paper was written
- Home routers in botnets: http://www.securityweek.com/large-ddos-botnet-powered-routers-infected-spike-malware
- In the future: IoT, cellphones

Effectiveness cont.
- Available average bandwidth from a bot: B
- A complex problem for a single link; for botnets, even harder
- B is the average cumulative bandwidth available to the botmaster under ideal circumstances
- The paper classifies bots based on link speed: modem (type 1), DSL/cable (type 2), high-speed internet (type 3)
- The chance of a bot belonging to a group is P; M = max network bandwidth, A = network bandwidth, W = probability of a bot being online

Efficiency
- Communication in the botnet: C&C messages, updates or data exfiltration
- Network diameter: the geodesic length between nodes
- Degrees of separation; six degrees of separation corresponds to l = 6
- The inverse, l-inv, is used in the taxonomy: the average over node pairs of the inverse length of the shortest path connecting them
- If l-inv is small, the communication can be classified as slow
- l-inv = 0: no connections; l-inv = 1: fully connected
- d(v,w) = distance between nodes v and w

Efficiency cont.
- Distance is not the physical connection between the nodes
- One physical hop (e.g. on a LAN) between two hosts could be several hops in the botnet
- The topology is defined by the botmaster
- The ideal network diameter is l-inv = 1

Robustness
- The network diameter (l-inv) is also relevant for robustness
- High connectivity between bots means high fault tolerance
- Bots are added to and removed from the botnet constantly
- Instead of only using the network diameter, local transitivity can be used to measure redundancy
- Given three nodes u, w, v with the existing pairs {u, w} and {u, v}, local transitivity measures the likelihood of w and v also being connected
- Clustering coefficient (gamma): the average degree of local transitivity; Ev is the number of edges among the neighbours of node v, Kv is the number of neighbours of node v

Robustness cont.
- The three nodes u, v, w form a triad
- gamma measures the number of triads divided by the maximal number of triads
- gamma = 1 means that the botnet topology is a complete mesh
- Local transitivity is important for some types of botnets: warez, key/password cracking, brute forcing

Botnet network models

Erdős-Rényi Random Graph Models
- Botnet structured as a random graph
- Each node connects to any of the N-1 other nodes with equal probability
- This means that a bot must know the addresses of all other bots to potentially create an edge
- Botmasters limit the maximum number of connections for their hosts
- Random graphs require some central logging of the nodes in the network
- Easy for honeypot operators to discover infections
- A challenge for botnets distributed through scanning/spam: the first bot in the infection chain does not know of subsequent infections
- Scanning for active bots is a possibility

Erdős-Rényi Random Graph Models (figure)

Watts-Strogatz Small World Models
- The network is created as a ring
- Each node has a probability of being connected to nodes on the opposite side of the ring
- During spreading in a self-propagating botnet, a new infection can receive a list of previously infected victims
- When an infected host then passes the list of victims along to new infections, it appends its own address
- Typically the number of addresses in the list is limited, to hinder security researchers

Barabási-Albert Scale Free Model
- Highly connected central nodes (hubs); leaf nodes have fewer connections
- IRC-based botnets
- Very vulnerable to targeted responses by researchers, e.g. taking down the central hubs such as the IRC servers used

P2P models
- Structured and unstructured topologies
- Unstructured P2P botnets tend to have link distributions similar to scale free botnets
- Some nodes have a much larger peer list than others
- Distributed hash table (DHT)
- Structured botnets are more similar to random networks, as each bot in the botnet is connected to approximately the same number of other bots
- Kazaa/Gnutella

Response strategies
- The proposed response strategies are based on previous research and an empirical study of two different botnets in January 2006
- Previously known: targeting C&C infrastructure is efficient!

Random graph and P2P models
- Empirical studies have shown a median node degree k = 5.5
- The network diameter increases logarithmically with k, but only for larger values of k; realistic values show linear growth
- Giant component (S): the number of hosts reachable by the botmaster
- Local transitivity (gamma) is also logarithmically increasing, but not for realistic values of k

Random graph and P2P models - loss of nodes
- Targeted responses and random failures have the same effect: low impact!
- P2P networks often have a k equal to log N, where N is the size of the botnet, and are therefore slightly more resilient than random graphs
- Loss of nodes has a constant effect on the three metrics
- Random graph and P2P botnets are very resilient
- Remediation techniques: remove a large number of nodes at once
- Targeted responses: address list poisoning, P2P index poisoning

Watts-Strogatz model
- Research shows some botnets using this model
- Low utility to the botmaster
- The average degree in a small world model is equal to the number of edges each vertex has
- Constant decay of all metrics as nodes are removed
- Other advantages: stealthy propagation, anonymity
- In other domains, researchers state that the small world model is essentially a random graph

Scale free and structured P2P models
- Targeted responses are highly effective
- The core size, C, is the number of bots which function as hubs, distributing commands
- (Figure: 5k botnet) Adding a large number of cores does not affect the network diameter
- gamma measures the number of triads; the dip in the graph is caused by core nodes forming squares, while triads are measured locally
- Upon adding more cores, transitivity grows as core nodes also form triads

Transitivity loss in scale free
- The botmaster wishes to avoid transitivity
- A low number of core nodes makes the botnet vulnerable to takedowns
- By increasing the number of links for leaf nodes, the dip is smaller
- A high link count makes bots vulnerable to anomaly detection (e.g. netflow analysis)
- (Figure: changes in transitivity vs. core size)

Scale free targeted responses and random loss
- Centralizing information makes the network vulnerable
- Targeted responses are highly effective
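As an added example (not code from the paper or these slides), the three structural metrics from the metrics slides computed on two constructed toy topologies, followed by the targeted-vs-random node loss comparison from the response-strategy slides: a hub graph standing in for a scale free botnet and a uniform-degree ring lattice standing in for a random graph / structured P2P botnet. It uses the standard Watts-Strogatz local clustering formula for gamma; the graph shapes, sizes and the number of removed bots are assumptions.

```python
import random
from collections import deque
# Added example, not code from Dagon et al.; a graph is a dict node -> set of peers.

def hub_graph(hubs, leaves_per_hub):
    """Scale-free-like toy: a few meshed hubs, each serving many single-link leaves."""
    g = {h: set(range(hubs)) - {h} for h in range(hubs)}
    for h in range(hubs):
        for leaf in range(hubs + h * leaves_per_hub, hubs + (h + 1) * leaves_per_hub):
            g[leaf] = {h}
            g[h].add(leaf)
    return g
def ring_graph(n, offsets=(1, 2, 5)):
    """Uniform-degree lattice standing in for a structured P2P / random-like botnet."""
    return {v: {(v + s * d) % n for d in offsets for s in (1, -1)} for v in range(n)}

def bfs(g, src):
    """Hop distances in the overlay from src (d(v,w) in the slides)."""
    dist, q = {src: 0}, deque([src])
    while q:
        v = q.popleft()
        for w in g[v]:
            if w not in dist:
                dist[w] = dist[v] + 1
                q.append(w)
    return dist
def giant_component(g):
    """S: size of the largest connected piece, the bots the botmaster can reach."""
    return max(len(bfs(g, v)) for v in g)
def inverse_geodesic(g):
    """l-inv: mean of 1/d(v,w) over ordered pairs; 0 = no links, 1 = full mesh."""
    total = sum(1.0 / d for v in g for w, d in bfs(g, v).items() if w != v)
    return total / (len(g) * (len(g) - 1))
def clustering(g):
    """gamma: mean of 2*Ev/(Kv*(Kv-1)) over all nodes; degree-<2 nodes count as 0."""
    total = 0.0
    for v, nb in g.items():
        if len(nb) >= 2:
            ev = sum(1 for a in nb for b in nb if a < b and b in g[a])
            total += 2.0 * ev / (len(nb) * (len(nb) - 1))
    return total / len(g)

def survival(g, victims):
    """Fraction of S that survives once the victims are cleaned up or sinkholed."""
    rest = {v: nb - victims for v, nb in g.items() if v not in victims}
    return giant_component(rest) / giant_component(g)
def targeted(g, n):  # response that removes the n highest-degree bots (hubs first)
    return set(sorted(g, key=lambda v: -len(g[v]))[:n])
def random_loss(g, n, seed=7):  # n bots vanishing at random (reboots, reinstalls)
    return set(random.Random(seed).sample(sorted(g), n))
```

On the hub graph a degree-targeted takedown of the three hubs leaves only isolated leaves (S drops from 33 to 1), while on the ring lattice removing any three bots, whether chosen by degree or at random, leaves S at 30.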

Case study: Nugache botnet
- Uses the WASTE file sharing protocol
- Hard-coded IP addresses to retrieve a list of initial peers
- Continues to connect to and discover new peers
- Spread through P2P; the resulting mesh is a scale free network
- Low link count for each leaf node
- (Figure: link count in Nugache leaf nodes)

Takedown of the ZeroAccess botnet (not covered in the paper)
- Click fraud, search hijacking
- P2P based, unstructured; new peers were pushed to all bots using a broadcast mechanism
- Cost online advertisers $2.7 million each month
- More than 2 million infected hosts, 800k active each day
- Takedown in 2013 by Microsoft, Europol and the FBI: sinkholed 18 IP addresses and 49 domains
- Targeted the mechanism used to broadcast new configurations/updates to newly infected bots
- The P2P layer was still intact and the botnet masters were still making money
- Botnet still alive today, but at limited capacity
- http://www.darkreading.com/attacks-and-breaches/microsoft-fails-to-nuke-zeroaccess-botnet/d/d-id/1113008
- https://news.microsoft.com/2013/12/05/microsoft-the-fbi-europol-and-industry-partners-disrupt-the-notorious-zeroaccess-botnet/#sm.0000a9ziod396dqxqk714erddbw47

Empirical study: available bandwidth in botnets
- Botnet 1: 50,000 unique members, sample size of 7,326, measured in January 2005
- Botnet 2: 48,000 unique members, sample size of 3,391, measured in January 2006

Bandwidth in botnets cont.
- Taking diurnal activity into account, with [2, 4, 24] for each class of bots
- Botnet 1 has a DDoS capability of ~1 Gbps
- 2,000 fewer members in botnet 2, but only half the DDoS capability
- Could potentially be used to determine which botnet to target in takedowns
- Targeted responses against high-speed bots can be very impactful

                              Botnet 1   Botnet 2
Average available bandwidth   ~53 Kbps   ~39 Kbps
Accounted for diurnal         ~22 Kbps   ~14 Kbps

Summary
- Proposed metrics to measure a botnet's utility to the botmaster
- Structured P2P botnets and random graph botnets are resilient to both targeted and random responses
- Targeted responses are effective on scale free botnets

Questions?

Further reading
- Paper published in 2013 about the resilience of different P2P botnets: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets
- http://www.ieee-security.org/tc/sp2013/papers/4977a097.pdf