A brief Incursion into Botnet Detection

Similar documents
Multi-phase IRC Botnet & Botnet Behavior Detection Model

BotDigger: A Fuzzy Inference System for Botnet Detection

Revealing Botnet Membership Using DNSBL Counter-Intelligence

Detecting Spam Zombies by Monitoring Outgoing Messages

Botnet Detection Using Honeypots. Kalaitzidakis Vasileios

Dynamic Botnet Detection

HTTP BASED BOT-NET DETECTION TECHNIQUE USING APRIORI ALGORITHM WITH ACTUAL TIME DURATION

BotCatch: Botnet Detection Based on Coordinated Group Activities of Compromised Hosts

Outline. Motivation. Our System. Conclusion

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Very Fast Containment of Scanning Worms. Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL

Forensic Network Analysis in the Time of APTs

How to Configure DNS Sinkholing in the Firewall

Behavior Based Malware Analysis: A Perspective From Network Traces and Program Run-Time Structure

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Chapter 7. Denial of Service Attacks

Botnets: A Survey. Rangadurai Karthick R [CS10S009] Guide: Dr. B Ravindran

REPORT DOCUMENTATION PAGE

Attack Fingerprint Sharing: The Need for Automation of Inter-Domain Information Sharing

Configuring the Botnet Traffic Filter

Security Events and Alarm Categories (for Stealthwatch System v6.9.0)

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine

The evolution of malevolence

NETWORK SECURITY. Ch. 3: Network Attacks

Botnets Behavioral Patterns in the Network

Detecting Spam Zombies by Monitoring Outgoing Messages

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Analyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS

Seceon s Open Threat Management software

GFI product comparison: GFI MailEssentials vs. McAfee Security for Servers

exam. Number: Passing Score: 800 Time Limit: 120 min File Version: CHECKPOINT

Fool Me If You Can: Mimicking Attacks and Anti-Attacks in Cyberspace

Detecting Specific Threats

Multi-Stream Fused Model: A Novel Real-Time Botnet Detecting Model

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Intrusion Detection System

Application Firewalls

Mapping Internet Sensors with Probe Response Attacks

CIS Controls Measures and Metrics for Version 7

Malware, , Database Security

PineApp Mail Secure SOLUTION OVERVIEW. David Feldman, CEO

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

4 rd class Department of Network College of IT- University of Babylon

CIS Controls Measures and Metrics for Version 7

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Detecting Protected Layer-3 Rogue APs

Distributed Denial of Service (DDoS)

BOTNET-GENERATED SPAM

A5500 Configuration Guide

Automating Security Response based on Internet Reputation

Chapter 2 Malicious Networks for DDoS Attacks

Security activities in Japan towards the future standardization. Cybersecurity

Check Point DDoS Protector Simple and Easy Mitigation

Anonymous communications: Crowds and Tor

Understanding the Dynamic Update Mechanism Tech Note

Microsoft Installing, Configuring, and Administering Microsoft Exchange 2003 Server Implementing &Managing MS Exchange Server 2003

DNS Security. Ch 1: The Importance of DNS Security. Updated

GFI MailSecurity 2011 for Exchange/SMTP. Administration & Configuration Manual

Detect Cyber Threats with Securonix Proxy Traffic Analyzer

DDoS PREVENTION TECHNIQUE

GFI product comparison: GFI MailEssentials vs. Barracuda Spam Firewall

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

Radware DefensePro DDoS Mitigation Release Notes Software Version Last Updated: December, 2017

UTM 5000 WannaCry Technote

Accepted Manuscript. Original article. Fast Flux Watch: A Mechanism for Online Detection of Fast Flux Networks

Secure Internet Commerce -- Design and Implementation of the Security Architecture of Security First Network Bank, FSB. Abstract

Game Traffic Analysis: An MMORPG Perspective

Journal of Chemical and Pharmaceutical Research, 2014, 6(7): Research Article

10x Increase Your Team s Effectiveness by Automating the Boring Stuff

Monitoring GSS Global Server Load-Balancing Operation

Synchronized Security

Technical Brief: Domain Risk Score Proactively uncover threats using DNS and data science

CE Advanced Network Security Botnets

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Detecting Spam Zombies By Monitoring Outgoing Messages

Activating Intrusion Prevention Service

Traceback Attacks in Cloud Pebbletrace Botnet nd International Conference on Distributed Computing Systems Workshops Wenjie Lin, David Lee

Secure Telephony Enabled Middle-box (STEM)

Base64 The Security Killer

Mapping Internet Sensors with Probe Response Attacks

Anti-DDoS. User Guide (Paris) Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD.

AMP-Based Flow Collection. Greg Virgin - RedJack

Advanced Settings. Help Documentation

Denial of Service (DoS)

Detecting bots using multilevel traffic analysis

Using Diagnostic Tools

Sender Reputation Filtering

Computer Networks. Routing

Dixit Verma Characterization and Implications of Flash Crowds and DoS attacks on websites

Computer Networks - Midterm

Security: Worms. Presenter: AJ Fink Nov. 4, 2004

Networking Security SPRING 2018: GANG WANG

Cisco Service Control Service Security: Outgoing Spam Mitigation Solution Guide, Release 4.1.x

Configuring NAT Policies

A SUBSYSTEM FOR FAST (IP) FLUX BOTNET DETECTION

GFI product comparison: GFI MailEssentials vs Symantec Mail Security for Microsoft Exchange 7.5

Electronic Mail Paradigm

Multidimensional Investigation of Source Port 0 Probing

Transcription:

A brief Incursion into Anant Narayanan Advanced Topics in Computer and Network Security October 5, 2009

What We re Going To Cover 1 2 3 Counter-intelligence 4

What Are s? Networks of zombie computers The perpetrator compromises a series of systems using various tools on existing security holes Then, he simply controls these bots to do his bidding

Why Are They Bad?

How Do They Work? PULL HTTP(S) is the most commonly used protocol A simple GET request at regular interval to receive commands PUSH IRC(S) is the most commonly used protocol All bots join a chat room and wait for commands

How Can We Stop Them? Prevent computer from being infected in the first place? Impractical, given the thousands of vulnerable machines that will probably never be patched Actively prevent commands from reaching bots, or prevent bots from acting on those commands (use the network) Passively detect a botnet s presence and take offline action

Detecting C&C Traffic C&C Traffic is difficult to detect because: Uses normal protocols in ordinary ways Traffic volume is low Number of bots in a monitored network may be small Traffic may use encrypted channels

Spatial-Temporal Correlation! Pre-programmed response activities Command is sent to all bots around the same time (especially true for PUSH models) Bots process and usually perform some network operation in response Ordinary network traffic is unlikely to demonstrate such synchronized or correlated behavior Response Types Message response: Execution result, status or progress Activity response: Actual (malicious) network activity

Message Response (e.g., IRC PRIVMSG) (a) Message response crowd. : Activity Response (binary downloading) (b) Activity response crowd. Figure 2. Spatial-temporal correlation and similarity in bot responses (message response an response). Monitor Engine Activity Response Reports Network Traffic Preprocessing (WhiteList WatchList) Protocol Matcher HTTP IRC Scan Spam Binary Downloading Malicious Activity Events HTTP/IRC Connection Records Message Records Correlation Engine Activity Log Network Traffic of IRC PRIVMSG Message Response Incoming PRIVMSG Analyzer Outgoing PRIVMSG Analyzer Reports Figure 3..

Monitor Engine Preprocessing: Unlikely protocols White lists Protocol Matcher Currently focuses on IRC/HTTP Message Response IRC PRIVMSG responses Activity Response Abnormally high scan rates Weighted failed connection rates SMTP connections

Correlation Engine First, the groups clients according to their destination IPs and ports Then, it perform correlation analysis on these groups

Group Activity Response Response-Crowd-Density-Check H 0 Not, H 1, Y i i th group member n = ln P r (Y 1,..., Y n H 1 ) P r (Y 1,..., Y n H 0 ) = ln Y i H 1 P r H 0 i User chooses α (false positive rate) and β (false negative rate) Threshold Random Walk When Y i = 1, increment by ln θ 1 θ 0 When Y i = 0, decrement by ln 1 θ 1 1 θ 0 If the walk reaches ln 1 β α it is a botnet If it reaches ln β 1 α it is not Otherwise, we watch the next round

Group Message Response Instead of looking at density, let s look at homogeneity Response-Crowd-Homogeneity-Check Let Y i denote if the i th crowd is homogenous or not Homogeneity is decided by the Dice factor Dice(X, Y ) = 2 ngrams(x ) ngrams(y ) ngrams(x ) + ngrams(y ) Now, for q clients in the crowd, compare all unique pairs and calculate their Dice distances. If (for eg.) > 50% are within a threshold t, the crowd is marked as homogenous

i.e., Pr(X = i) = ( ) m i p i (1 p) m i.thentheprobability of having more than k similar pairs is Pr(X k) = m ( m ) i=k i p i (1 p) m i. If we pick k = mt where t is the threshold to decide whether a crowd is homogeneous, we obtain the probability θ(q) =Pr(X mt). Selecting q and t θ(q) 1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 q=2,t=0.5 q=4,t=0.5 q=6,t=0.5 q=4,t=0.6 q=6,t=0.6 is eve reaso thoug the T [17, 2 In botne round where negat is no messa 0 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Figure 4. θ(q), the probability of crowd homogeneity with q responding clients, and p These

Single client detection IRC We can make use of the fact that IRC is a broadcast protocol and apply the homogeneity check on incoming messages to a single client HTTP Bots have strong periodical visiting patterns (to connect and retrieve commands)

Did it Work? Trace trace size duration Pkt TCP flows (IRC/Web)servers FP IRC-1 54MB 171h 189,421 10,530 2,957 0 IRC-2 14MB 433h 33,320 4,061 335 0 IRC-3 516MB 1,626h 2,073,587 4,577 563 6 IRC-4 620MB 673h 4,071,707 24,837 228 3 IRC-5 3MB 30h 19,190 24 17 0 IRC-6 155MB 168h 1,033,318 6,981 85 1 IRC-7 60MB 429h 393,185 717 209 0 IRC-8 707MB 1,010h 2,818,315 28,366 2,454 1 All-1 4.2GB 10m 4,706,803 14,475 1,625 0 All-2 6.2GB 10m 6,769,915 28,359 1,576 0 All-3 7.6GB 1h 16,523,826 331,706 1,717 0 All-4 15GB 1.4h 21,312,841 110,852 2,140 0 All-5 24.5GB 5h 43,625,604 406,112 2,601 0 Table 1. Normal traces statistics (left part) and detection results (right columns).

Did it Work? BotTrace trace size duration Pkt TCP flow Detected B-IRC-G 950k 8h 4,447 189 Yes B-IRC-J-1 - - 143,431 - Yes B-IRC-J-2 - - 262,878 - Yes V-Rbot 26MB 1,267s 347,153 103,425 Yes V-Spybot 15MB 1,931s 180,822 147,921 Yes V-Sdbot 66KB 533s 474 14 Yes B-HTTP-I 6MB 3.6h 65,695 237 Yes B-HTTP-II 37MB 19h 395,990 790 Yes Table 2. traces statistics and detection results.

Passive DNS Blackhole Lists contain IP addresses that are sources of spam. Botmasters sell bots not on any at a premium price Thus, Botmasters themselves perform lookups on s to determine the status of their bots. Can we use this?

Heuristics Spatial A legitimate mail server will perform queries and be the object of queries. Bots will only perform queries, they will be not be queried for by other hosts

Heuristics Temporal Legitimate lookups are typically driven automatically when emails arrive at the mail server and will this arrive at a rate that mirrors arrival rates of emails

Types Self Lookup: Each bot looks up it s own record. Usually a dead giveaway, thus not used Third-party Lookup: All bots are looked up by a single dedicated machine. If that machine isn t a mail server, we can simply use Spatial heuristics and detect botnet membership Distributed Lookups: Each bot looks up a set of records for other bots in the network. Complicated to implement and spatial heuristics will fail. Temporal heuristics, however, may help in detection

Thanks for Listening Detecting botnets is hard work, but certainly possible! Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback