Botnet Detection by Monitoring Group Activities in DNS Traffic

Presentation transcript:

Botnet Detection by Monitoring Group Activities in DNS Traffic Speaker: Jun-Yi Zheng 2009/11/23

Reference: H. Choi, H. Lee, H. Lee, and H. Kim. Botnet detection by monitoring group activities in DNS traffic. In Proceedings of the 7th IEEE International Conference on Computer and Information Technology (CIT'07), Washington, DC, October 2007.

Outline: Introduction; Features of Botnet DNS; DNS-based Botnet Detection Mechanism; Evaluation; Conclusion

Introduction: Most bots use DNS in the rallying process.

Rally problem: static IP address or DDNS?

C&C Server Migration: Botnets migrate their C&C servers frequently; most of them (65%) were observed to stay up for only 1 day.

Features of Botnet DNS: botnet DNS queries are observed at the rallying procedure, during the malicious behaviors of a botnet, at C&C server link failures, at C&C server migration, and at C&C server IP address changes.

Differences between botnet DNS and legitimate DNS:

| Difference | Botnet DNS | Legitimate DNS |
|---|---|---|
| Source IPs that accessed the domain name | Fixed-size group (botnet members) | Anonymous (legitimate users) |
| Activity and appearance patterns | Group activity; appears intermittently (in specific situations) | Non-group activity; appears randomly and continuously (usually) |
| DNS type | Usually DDNS | |

Botnet DNS Query Detection Algorithm: Insert-DNS-Query

Botnet DNS Query Detection Algorithm: Delete-DNS-Query. A query is deleted if the size of its IP list does not exceed the size threshold, or if the domain name is legitimate, i.e. already exists in a whitelist. Detect-BotDNS-Query: similarity of the IP lists (illustrated on the slide with sets A, B and C).

Migrating Botnet Detection Algorithm: Insert-DNS-Query, Delete-DNS-Query, Detect-BotDNS-Query; compare the IP lists of different domain names that have a similar IP list size.
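As an added illustration (not the paper's or the presenter's code), the following Python sketch runs the two algorithms over constructed query records. It assumes Jaccard similarity as the similarity measure (the slides only say "similarity"), the evaluation settings given on the slides (size threshold 5, similarity threshold 0.8, "similar size" within 10%), a constructed whitelist entry, and constructed hosts and domain names.

```python
from collections import defaultdict
from itertools import combinations

SIZE_THRESHOLD = 5      # an IP list must exceed this size to be kept (slides' setting)
SIM_THRESHOLD = 0.8     # similarity threshold from the slides' evaluation
SIZE_TOLERANCE = 0.10   # "similar size": within 10% of the larger IP list
WHITELIST = {"www.example-campus.edu"}  # constructed whitelist entry

def insert_dns_query(records):
    """Insert-DNS-Query: collect the source IPs per (time unit, queried domain)."""
    ip_lists = defaultdict(set)
    for hour, src_ip, qname in records:
        ip_lists[(hour, qname)].add(src_ip)
    return ip_lists

def delete_dns_query(ip_lists):
    """Delete-DNS-Query: drop lists at or below the size threshold and whitelisted names."""
    return {k: v for k, v in ip_lists.items()
            if len(v) > SIZE_THRESHOLD and k[1] not in WHITELIST}

def similarity(a, b):
    """Jaccard similarity of two IP lists (assumed measure)."""
    return len(a & b) / len(a | b) if a or b else 0.0

def detect_bot_dns_query(ip_lists):
    """Detect-BotDNS-Query: one domain queried by nearly the same group in different time units."""
    flagged = set()
    for (h1, d1), (h2, d2) in combinations(sorted(ip_lists), 2):
        if d1 == d2 and similarity(ip_lists[(h1, d1)], ip_lists[(h2, d2)]) >= SIM_THRESHOLD:
            flagged.add(d1)
    return flagged

def detect_migration(ip_lists):
    """Migrating botnet: different domains whose IP lists have similar size and high overlap."""
    pairs = set()
    for (h1, d1), (h2, d2) in combinations(sorted(ip_lists), 2):
        a, b = ip_lists[(h1, d1)], ip_lists[(h2, d2)]
        size_ok = abs(len(a) - len(b)) <= SIZE_TOLERANCE * max(len(a), len(b))
        if d1 != d2 and size_ok and similarity(a, b) >= SIM_THRESHOLD:
            pairs.add(tuple(sorted((d1, d2))))
    return pairs

def analyze(records):
    """Run both algorithms over (time unit, source IP, queried name) records."""
    ip_lists = delete_dns_query(insert_dns_query(records))
    return detect_bot_dns_query(ip_lists), detect_migration(ip_lists)

# Constructed sample: 10 bots rally to cc1 in hours 0-1, then 9 of them follow a migrated name in hour 2;
# unrelated users hit a news site with different IPs each hour; a campus site is whitelisted.
BOTS = [f"10.0.0.{i}" for i in range(1, 11)]
RECORDS = ([(h, ip, "cc1.ddns.example") for h in (0, 1) for ip in BOTS]
           + [(2, ip, "cc2.ddns.example") for ip in BOTS[:9]]
           + [(h, f"10.1.{h}.{i}", "news.example.org") for h in range(3) for i in range(1, 8)]
           + [(0, f"10.2.0.{i}", "www.example-campus.edu") for i in range(1, 21)])
```

`analyze(RECORDS)` flags cc1.ddns.example by group activity and the pair (cc1.ddns.example, cc2.ddns.example) as a migration, while the news site and the whitelisted campus site are not reported.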

Evaluation: The system was executed on a campus network containing a botnet; 50 machines were used in the botnet (Agobot), and traffic was captured for 10 hours. Parameters: the time unit is 1 hour; the size threshold for the detection algorithm is 5 (size of the IP list); the similarity threshold is 0.8.

Botnet DNS Query Detection (during 1 hour): over 80% was 1; 92.5% 5 (values from the slide's chart).

Botnet DNS Query Detection: (a), (c), (d) and (e) were identified as P2P sites or sites with very large file transfers.

Migrating Botnet Detection: "similar size" is defined as within 10% of the size of the IP list.

Conclusions: significant features of botnet DNS queries; a simple mechanism to detect a botnet using DNS queries; two different algorithms for botnet detection.