A First Step towards Live Botmaster Traceback. Daniel Ramsbrock, Xinyuan Wang, and Xuxian Jiang, the 11th International Symposium on Recent Advances in Intrusion Detection (RAID 08).

Presentation transcript:

1 A First Step towards Live Botmaster Traceback
Daniel Ramsbrock, Xinyuan Wang, and Xuxian Jiang, the 11th International Symposium on Recent Advances in Intrusion Detection (RAID 08)
Reporter: 高嘉男
Advisor: Chin-Laung Lei
2009/12/07

2 Outline
Introduction
◦ Four challenges of tracking the botmaster
Botmaster traceback model
Length-based watermarking scheme
◦ Basic length-based watermarking scheme
◦ Hybrid length-timing watermarking for encrypted traffic
Implementation and experiment
Conclusion

3 Four Challenges of Tracking the Botmaster
The botmaster does not connect directly to the C&C server
Low traffic volume between bot and botmaster
Encryption
Flow mixing

4 Tracking the Botmaster by Watermarking Botnet Traffic

5 Basic Length-based Watermarking Scheme - Watermark Bit Encoding
Notation:
◦ f: packet flow of n packets P_1, …, P_n
◦ l-bit watermark W: w_0, …, w_{l-1}
◦ packet pairs, each made of a reference packet and an encoding packet
◦ l_r, l_e: packet lengths of the reference packet and the encoding packet
◦ L: bucket size
Assign watermark bit w_k to the k-th packet pair with the encoding function

6 Watermark Bit Decoding
Decoding function
Decode the watermark bit from each packet pair

7 Watermark Collision Probability (False Positive Rate)
Error tolerance
◦ f contains watermark W if the decoded bits match W within the error tolerance
Watermark collision
◦ Watermark W is found in an unwatermarked flow
◦ Collision probability
Experiment: decode 1,000 unwatermarked flows
Choose h = 4
False positive rate = 9.64 × 10^-6
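The encoding/decoding functions of slides 5 to 7 and the collision probability, as an added worked example (my reconstruction of the scheme, not code from the paper or the slides): a bit is read from the parity of the bucketed length difference floor((l_e - l_r)/L) of a packet pair, the encoder pads the encoding packet by 0 or L bytes to set that parity, and for a 32-bit watermark with h = 4 the closed-form collision probability comes out near the slide's 9.64 × 10^-6. Bucket size L = 8, the pair indices and the packet lengths are constructed assumptions.

```python
# Added example (my reconstruction of the slides' scheme, not the paper's code).
# Bit w_k lives in the parity of the bucketed length difference of one
# (reference, encoding) packet pair; L = 8 and all lengths are constructed.
from math import comb

def decode_bit(l_r, l_e, L):
    """Decoding function: parity of floor((l_e - l_r) / L); // floors negatives too."""
    return ((l_e - l_r) // L) % 2

def encode_bit(l_r, l_e, w, L):
    """Encoding function: pad the encoding packet by 0 or L bytes so the pair decodes to w."""
    return l_e if decode_bit(l_r, l_e, L) == w else l_e + L

def embed(flow, pairs, W, L):
    """Copy of flow (packet lengths) carrying W; pairs[k] = (ref index, enc index) for w_k."""
    out = list(flow)
    for w, (r, e) in zip(W, pairs):
        out[e] = encode_bit(out[r], out[e], w, L)
    return out

def extract(flow, pairs, L):
    return [decode_bit(flow[r], flow[e], L) for r, e in pairs]

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def contains_watermark(flow, pairs, W, L, h):
    """Error tolerance h: the flow carries W if at most h decoded bits differ from W."""
    return hamming(extract(flow, pairs, L), W) <= h

def collision_probability(l, h):
    """P(an unwatermarked flow decodes within h bits of a fixed l-bit W) = sum_{i<=h} C(l,i) / 2^l."""
    return sum(comb(l, i) for i in range(h + 1)) / 2 ** l

if __name__ == "__main__":
    import random
    rng = random.Random(7)
    L, h = 8, 4
    flow = [rng.randint(40, 1400) for _ in range(64)]    # constructed 64-packet flow
    pairs = [(2 * k, 2 * k + 1) for k in range(32)]       # 32 disjoint (ref, enc) pairs
    W = [rng.randint(0, 1) for _ in range(32)]
    marked = embed(flow, pairs, W, L)
    print("decoded == W:", extract(marked, pairs, L) == W)                 # True
    print("bytes added:", sum(b - a for a, b in zip(flow, marked)))        # 0 or 8 per pair
    print("collision probability, l=32, h=4:", collision_probability(32, h))  # ~9.65e-06
```

Padding never shrinks a packet, so the scheme adds at most L bytes per encoded bit; an unwatermarked flow fails contains_watermark with probability 1 - collision_probability(l, h).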

8 Watermark Collision Probability and Distribution

9 Hybrid Length-Timing Watermarking for Encrypted Traffic
Chaff messages
◦ Unwatermarked messages from other bots
Unencrypted traffic
Encrypted traffic
◦ Send encoding packets at specific times
◦ Assume the network jitter δ is bounded
◦ Packets used for decoding

10 Implementation of Length-Only Algorithm (Unencrypted Traffic)

11 Implementation of Hybrid Length-Timing Algorithm (Encrypted Traffic)

12 Hybrid Length-Timing Algorithm - Encoder & Decoder
Encoder
◦ Packet flow of 64 packets and a 32-bit watermark
◦ Time between messages: 2 ~ 2.35 s
Decoder - offset self-synchronization
◦ Determine t_1, the time of the first watermarked packet
◦ Start with t_1 = offset and increment t_1 by step until t_1 = offset + max
◦ Decode the full watermark sequence for each t_1
◦ Record the number of bits matching the watermark W

13 Offset Self-Synchronization

14 Chaff Messages
Five different chaff levels (Chaff 1 to 5)
◦ Chaff 1: time between packets = 1 ~ 2 s
δ = 200 ms
Sliding offset = 0 ~ 10 s
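The offset self-synchronization of slides 12 to 14 run over a chaffed capture, as an added example (my reconstruction, not the paper's implementation): it assumes the decoder shares a secret schedule of send times for each reference/encoding packet pair relative to an unknown t_1, takes the packet arriving within δ = 200 ms of each expected time, and sweeps t_1 over the 0 ~ 10 s offset range keeping the t_1 with the most matching bits. The 8-bit watermark, the schedule, the jitter values and the chaff placement are constructed.

```python
# Added example (my reconstruction, not the paper's code): hybrid length-timing
# decoding with offset self-synchronization. Assumed model: decoder and watermarker
# share a secret schedule of send times for each (reference, encoding) pair; bits
# use the bucketed length difference; chaff is unscheduled; jitter is below DELTA.
DELTA = 0.2   # jitter bound in seconds (the slides use δ = 200 ms)
W = [1, 0, 1, 1, 0, 0, 1, 0]                                    # constructed 8-bit watermark
L = 8                                                           # assumed bucket size
SCHEDULE = [(4.2 * k, 4.2 * k + 2.1) for k in range(len(W))]    # (ref, enc) offsets after t1
JITTER = [0.08, -0.06, 0.03, -0.09, 0.0, 0.09, -0.04, 0.07,
          -0.02, 0.05, -0.08, 0.01, 0.06, -0.05, 0.09, -0.07]   # constructed, |j| < DELTA

def decode_bit(l_r, l_e, L):
    return ((l_e - l_r) // L) % 2

def packet_near(packets, t, delta=DELTA):
    """Length of the packet closest to time t within +/- delta, or None if no packet is."""
    near = [(abs(ts - t), ln) for ts, ln in packets if abs(ts - t) <= delta]
    return min(near)[1] if near else None

def decode_at(packets, t1, schedule, L):
    """Decode the full watermark assuming the first scheduled packet left at t1; empty slot -> None."""
    bits = []
    for r_off, e_off in schedule:
        l_r, l_e = packet_near(packets, t1 + r_off), packet_near(packets, t1 + e_off)
        bits.append(None if l_r is None or l_e is None else decode_bit(l_r, l_e, L))
    return bits

def self_synchronize(packets, schedule, W, L, offset=0.0, max_offset=10.0, step=0.05):
    """Sweep t1 over [offset, offset + max_offset] and return (best_t1, matching_bits)."""
    best_t1, best_matches = None, -1
    for i in range(int(round(max_offset / step)) + 1):
        t1 = offset + i * step
        matches = sum(b == w for b, w in zip(decode_at(packets, t1, schedule, L), W))
        if matches > best_matches:
            best_t1, best_matches = t1, matches
    return best_t1, best_matches

def build_sample_capture(t1=3.7):
    """Constructed capture of (time, length): 100-byte reference and 100+8*w+3-byte encoding
    packets on the schedule, plus 64-byte chaff halfway between scheduled packets."""
    pkts = []
    for k, (r_off, e_off) in enumerate(SCHEDULE):
        pkts.append((t1 + r_off + JITTER[2 * k], 100))
        pkts.append((t1 + e_off + JITTER[2 * k + 1], 100 + 8 * W[k] + 3))
    pkts += [(t1 + 2.1 * m + 1.05, 64) for m in range(-2, 2 * len(W))]
    return sorted(pkts)

if __name__ == "__main__":
    capture = build_sample_capture()
    t1, matches = self_synchronize(capture, SCHEDULE, W, L)
    print(f"best t1 = {t1:.2f} s, {matches}/{len(W)} bits match")   # 3.60 s, 8/8
```

A candidate t_1 that lines the schedule up with chaff (here 2.65 s) decodes only the chaff lengths and scores far below the true alignment, which is what the bit-count sweep relies on.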

15 Conclusion
It addresses the four major challenges:
◦ Stepping stones
◦ Encryption
◦ Flow mixing
◦ Low traffic volume between bot and botmaster
It can successfully trace a watermarked flow
False positive rate ≤ 10^-5

16 Reference
Daniel Ramsbrock, Xinyuan Wang, and Xuxian Jiang, “A first step towards live botmaster traceback,” in the 11th International Symposium on Recent Advances in Intrusion Detection (RAID 08), 2008.