Data Mining & Machine Learning Lab

Slides:



Advertisements
Similar presentations
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Advertisements

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
28 September 2006 ARO Kickoff Meeting Phillip Porras Cyber-TA: Secure Collaborative Threat Reconnaissance slide 1 Cyber-TA: Massive and Distributed Data.
Malware Repository Overview Wenke Lee David Dagon Georgia Institute of Technology.
1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University
EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.
School of Computer Science and Information Systems
Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)
IBM Security Network Protection (XGS)
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
Lecture 11 Intrusion Detection (cont)
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
1 Integrating a Network IDS into an Open Source Cloud Computing Environment 1st International Workshop on Security and Performance in Emerging Distributed.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
Intrusion Detection Systems Present by Ali Fanian In the Name of Allah.
Introduction to Honeypot, Botnet, and Security Measurement
Chirag N. Modi and Prof. Dhiren R. Patel NIT Surat, India Ph. D Colloquium, CSI-2011 Signature Apriori based Network.
Using Failure Information Analysis to Detect Enterprise Zombies Zhaosheng Zhu 1, Vinod Yegneswaran 2, Yan Chen 1 1 Department of Electrical and Computer.
1 Using Failure Information Analysis to Detect Enterprise Zombies Zhaosheng Zhu, Vinod Yegneswaran, Yan Chen Lab of Internet and Security Technology Northwestern.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Article presentation for: The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware Based on article by: Jaideep Chandrashekar,
BotNet Detection Techniques By Shreyas Sali
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu, Roberto Perdisci, Junjie Zhang, and.
Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.
Using Failure Information Analysis to Detect Enterprise Zombies Zhaosheng Zhu, Vinod Yegneswaran, Yan Chen Lab of Internet and Security Technology Northwestern.
Nullcon Goa 2010http://nullcon.net Botnet Mitigation, Monitoring and Management - Harshad Patil.
Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,
IEEE Communications Surveys & Tutorials 1st Quarter 2008.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Cross-Analysis of Botnet Victims: New Insights and Implication Seungwon Shin, Raymond Lin, Guofei Gu Presented by Bert Huang.
1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.
Published: Internet Measurement Conference (IMC) 2006 Presented by Wei-Cheng Xiao 2015/11/221.
Exploiting Temporal Persistence to Detect Covert Botnet Channels Authors: Frederic Giroire, Jaideep Chandrashekar, Nina Taft… RAID 2009 Reporter: Jing.
DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS AUTHORS: K. G. Anagnostakisy, S. Sidiroglouz, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytisz.
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.
Know your Enemy: Tracking Botnets The Honeynet Project & Research Alliance Presented by: Jonathan Dowdle.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Presented by D Callahan.
1 Modeling and Measuring Botnets David Dagon, Wenke Lee Georgia Institute of Technology Cliff C. Zou Univ. of Central Florida Funded by NSF CyberTrust.
HoneyStat: Local Worm Detection Using Honeypots David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, et al from Georgia Institute of Technology Authors: The.
Role Of Network IDS in Network Perimeter Defense.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Speaker: Hom-Jay Hom Date:2009/10/20 Botnet Research Survey Zhaosheng Zhu. et al July 28-August
2009/6/221 BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure- Independent Botnet Detection Reporter : Fong-Ruei, Li Machine.
Published: USENIX HotBots, 2007 Presented: Wei-Cheng Xiao 2016/10/11.
IDS Intrusion Detection Systems
A lustrum of malware network communication: Evolution & insights
Real-time protection for web sites and web apps against ATTACKS
BotCatch: A Behavior and Signature Correlated Bot Detection Approach
James Logan CS526 Dr. Chow April 29, 2009
11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
Intrusion Prevention Systems
Chapter 4: Protecting the Organization
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee
Intrusion Detection Systems
PCAV: Evaluation of Parallel Coordinates Attack Visualization
HoneyStat: Local Worm Detection Using Honeypots
AIR-T11 What We’ve Learned Building a Cyber Security Operation Center: du Case Study Tamer El Refaey Senior Director, Security Monitoring and Operations.
Presentation transcript:

Data Mining & Machine Learning Lab BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation Author: Guofei Gu, et al. Report: Chien-Yi Chiu Mail: jingkrad@gmail.com 2019/4/7 Data Mining & Machine Learning Lab

Data Mining & Machine Learning Lab Outlines Introduction Challenges Case Study: Phatbot BotHunter System Infection Lifecycle Model Correlation Framework Architecture Overview BotHunter Sensor Suite: SCADE SLADE Signature Engine Example BotHunter Infection Profile Experiment & Evaluation Detection Performance SRI Honeynet Georgia Tech Summary References 2019/4/7 Data Mining & Machine Learning Lab

Data Mining & Machine Learning Lab Introduction Bots: malware that has A remote control facility (C&C) A spreading mechanism to propagate Botnets – networks of bots Bots/Botnets are used for DDoS, Spam, Click fraud, Data theft… 2019/4/7 Data Mining & Machine Learning Lab

Data Mining & Machine Learning Lab Challenges Bots are actively evolving Infection vectors Binary updates C&C servers/communications Scanning strategies Traditional IDSs/IPSs are less helpful in identifying bots (too many false positives) Only looking at one specific aspect is probably not enough 2019/4/7 Data Mining & Machine Learning Lab

Data Mining & Machine Learning Lab Case Study: Phatbot 2019/4/7 Data Mining & Machine Learning Lab

Data Mining & Machine Learning Lab BotHunter System Infection Lifecycle Model Correlation Framework Architecture Overview BotHunter Sensor Suite: SCADE SLADE Signature Engine Example BotHunter Infection Profile 2019/4/7 Data Mining & Machine Learning Lab

Infection Lifecycle Model Egress point (internal – external) Search for duplex communication sequences that map to I.L. model Stimulus does not require strict ordering, but does require temporal locality 2019/4/7 Data Mining & Machine Learning Lab

Correlation Framework Characteristics of Bot Declarations External stimulus alone cannot trigger bot alert 2 x internal bot behavior triggers bot alert 2019/4/7 Data Mining & Machine Learning Lab

Architecture Overview 2019/4/7 Data Mining & Machine Learning Lab

Data Mining & Machine Learning Lab SCADE Statistical sCan Anomaly Detection Engine Custom malware specific weighted scan detection system for inbound and outbound sources Bounded memory usage to the number of inside hosts, less vulnerable to DoS attacks Inbound (E1: Initial Scan Phase): Suspicious port scan detection using weighted score Failed connection to vulnerable port = high weight Failed connection to other port = low weight Outbound (E5: Victim Outbound Scan): S1 - Scan rate of V over time t S2 – Scan failed connection rate (weighted) of V over t S3 – Scan target entropy (low revisit rate implies bot search) over t Combine model assessments: OR, Majority Voting, AND scheme 2019/4/7 Data Mining & Machine Learning Lab

Data Mining & Machine Learning Lab SLADE Statistical payLoad Anomaly Detection Engine Suspicious payload detect: new “lossy” n-gram byte distribution analyzer over a limited set of network services Implements a lossy data structure to capture 4-gram hash space: Default vector size = 2048. (Versus n-4, 2564 = 232 = 4Gb). Comparable accuracy as full n-gram scheme: low FP and FN General performance comparable to PAYL [Wang2004]: to detect all 18 attacks, the false positive of PAYL is 4.02%, SLADE is 0.3601% Ke Wang, Salvatore J. Stolfo. “Anomalous Payload-based network Intrusion Detection”, RAID’04 2019/4/7 Data Mining & Machine Learning Lab

Data Mining & Machine Learning Lab Signature Engine Signature Set Replaces all standard snort rules with five custom rulesets: e[1-5].rules Scope: Dialog content Known worm/bot exploit signatures, shell/code/script exploits, malware update/download, C&C command exchanges, outbound scans Rule sources Bleeding Edge malware rulesets Snort community rules Cyber-TA custom bot-specific rules Current Set 1383 rules, operating on SRI/CSL and Georgia Tech networks, low FP 2019/4/7 Data Mining & Machine Learning Lab

Example BotHunter Infection Profile 2019/4/7 Data Mining & Machine Learning Lab

Experiment & Evaluation Detection Performance SRI Honeynet Georgia Tech 2019/4/7 Data Mining & Machine Learning Lab

Data Mining & Machine Learning Lab SRI Honeynet False Positive Test: 1 false positive in a 10-day trace http://www.cyber-ta.org/releases/malware-analysis/public/ 2019/4/7 Data Mining & Machine Learning Lab

Data Mining & Machine Learning Lab Georgia Tech Virtual network, detect all 10 bots, including AgoBot, Phatbot RBot, RxBot WisdomBot/SdBot/SpyBot GTBot Real capture in live network Feb. 2007, Georgia Tech, CoC network BotHunter declared a bot infection via dialog warnings E1, E4, E5 E4 (C&C Server) address seen in both Shadow Server and the botnet mailing list False Positive Test Less than 1 (false profiles) per day in a 4 month real-time operation 2019/4/7 Data Mining & Machine Learning Lab

Data Mining & Machine Learning Lab Summary New network perimeter monitoring strategy: Dialog correlation New bot detection system: BotHunter Free Internet release: http://www.bothunter.net/ 2019/4/7 Data Mining & Machine Learning Lab

Data Mining & Machine Learning Lab References BotHunter: Detectin Malware Infection Through IDS-Driven Dialog Correlation Authors: Guofei Gu, Philip Porras, Vinod Yegneswaran, Martin Fong, Wenke Lee BotHunter USENIX Security’07 slides Cyber-Threat Analytics Project Page http://www.cyber-ta.org/ 2019/4/7 Data Mining & Machine Learning Lab

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.