A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

Slides:

Advertisements

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Advertisements

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Network Security Highlights Nick Feamster Georgia Tech.

Performance Assessment

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

Phishing for Phish in the Phispond A lab on understanding Phishing attacks and defenses … Group 21-B Sagar Mehta.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

1 MA Rajab, J Zarfoss, F Monrose, A Terzis - Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets My Botnet is Bigger than Yours.

1 A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection 許富皓資訊工程學系中央大學 1.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

1 Authors: Anirudh Ramachandran, Nick Feamster, and Santosh Vempala Publication: ACM Conference on Computer and Communications Security 2007 Presenter:

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

Team Excel What is SPAM ?. Spam Offense Team Excel '‘a distinctive chopped pork shoulder and ham mixture'' Image Source:Appscout.com.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Introduction to Honeypot, Botnet, and Security Measurement

Chapter 33 Conducting Marketing Research. The Marketing Research Process 1. Define the Problem 2. Obtaining Data 3. Analyze Data 4. Rec. Solutions 5.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

An Evaluation model of botnet based on peer to peer Gao Jian KangFeng ZHENG,YiXian Yang,XinXin Niu 2012 Fourth International Conference on Computational.

Intrusion Detection for Grid and Cloud Computing Author Kleber Vieira, Alexandre Schulter, Carlos Becker Westphall, and Carla Merkle Westphall Federal.

 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.

BotNet Detection Techniques By Shreyas Sali

Chapter 9: Cooperation in Intrusion Detection Networks Authors: Carol Fung and Raouf Boutaba Editors: M. S. Obaidat and S. Misra Jon Wiley & Sons publishing.

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu, Roberto Perdisci, Junjie Zhang, and.

Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.

11 Automatic Discovery of Botnet Communities on Large-Scale Communication Networks Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani - in ACM Symposium on InformAtion,

Understanding the Network-Level Behavior of Spammers Best Student Paper, ACM Sigcomm 2006 Anirudh Ramachandran and Nick Feamster Ye Wang (sando)

1 Characterizing Botnet from Spam Records Presenter: Yi-Ren Yeh ( 葉倚任 ) Authors: L. Zhuang, J. Dunagan, D. R. Simon, H. J. Wang, I. Osipkov, G. Hulten,

A Multifaceted Approach to Understanding the Botnet Phenomenon Authors : Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science.

1 An Advanced Hybrid Peer-to-Peer Botnet Ping Wang, Sherri Sparks, Cliff C. Zou School of Electrical Engineering & Computer Science University of Central.

Appear in IEEE TDSC 2008 Presented by Wei-Cheng Xiao.

Botnet behavior and detection October RONOG Silviu Sofronie – a Head of Forensics.

Identification of Bot Commands By Run-time Execution Monitoring Younghee Park, Douglas S. Reeves North Carolina State University ACSAC

Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,

IEEE Communications Surveys & Tutorials 1st Quarter 2008.

Not So Fast Flux Networks for Concealing Scam Servers Theodore O. Cochran; James Cannady, Ph.D. Risks and Security of Internet and Systems (CRiSIS), 2010.

The UCSD Network Telescope A Real-time Monitoring System for Tracking Internet Attacks Stefan Savage David Moore, Geoff Voelker, and Colleen Shannon Department.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin In First Workshop on Hot Topics in Understanding Botnets,

Studying Spamming Botnets Using Botlab 台灣科技大學資工所楊馨豪 2009/10/201 Machine Learning And Bioinformatics Laboratory.

Cross-Analysis of Botnet Victims: New Insights and Implication Seungwon Shin, Raymond Lin, Guofei Gu Presented by Bert Huang.

Speaker: Hom-Jay Hom Date:2009/11/17 Botnet, and the CyberCriminal Underground IEEE 2008 Hsin chun Chen Clinton J. Mielke II.

Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten, and Ivan Osipkov. SIGCOMM, Presented.

Understanding the Network-Level Behavior of Spammers Author: Anirudh Ramachandran, Nick Feamster SIGCOMM ’ 06, September 11-16, 2006, Pisa, Italy Presenter:

Published: Internet Measurement Conference (IMC) 2006 Presented by Wei-Cheng Xiao 2015/11/221.

Understanding the network level behavior of spammers Published by :Anirudh Ramachandran, Nick Feamster Published in :ACMSIGCOMM 2006 Presented by: Bharat.

1 On the Performance of Internet Worm Scanning Strategies Authors: Cliff C. Zou, Don Towsley, Weibo Gong Publication: Journal of Performance Evaluation,

Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma

ACM Conference on Computer and Communications Security 2006 Puppetnet: Misusing web browsers as a distributed attack infrastructure Network Seminar Presenter:

Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.

Speaker:Chiang Hong-Ren An Investigation and Implementation of Botnet Detection Schemes.

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Presented by D Callahan.

1 Modeling and Measuring Botnets David Dagon, Wenke Lee Georgia Institute of Technology Cliff C. Zou Univ. of Central Florida Funded by NSF CyberTrust.

Speaker: Hom-Jay Hom Date:2009/10/20 Botnet Research Survey Zhaosheng Zhu. et al July 28-August

Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Microsoft Research, Silicon Valley Geoff Hulten,

2009/6/221 BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure- Independent Botnet Detection Reporter : Fong-Ruei, Li Machine.

© 2006, iPolicy Networks, Inc. All rights reserved. Security Technology Correlation Proneet Biswas Sr. Security Architect iPolicy Networks

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.

Published: USENIX HotBots, 2007 Presented: Wei-Cheng Xiao 2016/10/11.

A lustrum of malware network communication: Evolution & insights

Modeling and Measuring Botnets

Modeling Botnet Propagation Using Time Zones

Data Mining & Machine Learning Lab

Presented by Shashank Shekhar Sahoo

Presentation transcript:

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24

Basic Information Title: - A Survey of Botnet Size Measurement Author & Institution: - Shangdong Liu (Jiangsu Province Southeast University) - Jian Gong - Wang Yang - Ahmad Jakalan Publication: Second International Conference on Networking and Distributed Computing Year: 2011 Cited (Google): 2 2/24

Problems to Solve 1. Botnets have exerted serious threat against cyber-security. 2. Botnet size is one of the most important characteristics to evaluate the threat of botnet. 3. As far as the size of botnet is concerned, it is more difficult to calculate. 4. A great many of challenges to measure botnet size still exist, for example, how to eliminate the influence of DDNS, NAT, DHCP and botnet migration or clone? 3/24

Outline - INTRODUCTION - MEASUREMENT OF BOTNET LIVE POPULATION - MEASUREMENT OF BOTNET FOOTPRINT - DYNAMIC TRACKING OF BOTNET SIZE - AREA ISSUE OF BOTNET SIZE - SUMMARY 4/24

Outline - INTRODUCTION - MEASUREMENT OF BOTNET LIVE POPULATION - MEASUREMENT OF BOTNET FOOTPRINT - DYNAMIC TRACKING OF BOTNET SIZE - AREA ISSUE OF BOTNET SIZE - SUMMARY 5/24

Definition of Botnet Size The definition of botnet size has been clearly proposed by M. A. Rajab in the meeting of USENIX HotBots Footprint: Refers to the overall size of infected population of botnet at any time in its lifetime. Range of infection 2. Live population: The number of live bots simultaneously present in C2 channel. Attack volume 6/24

Issues for Measurement of Botnet Size 1. The measurement of botnet live population. 2. The measurement of botnet footprints. 3. Dynamic tracing of botnet size. 4. Area issue of botnet size. 7/24

Outline - INTRODUCTION - MEASUREMENT OF BOTNET LIVE POPULATION - MEASUREMENT OF BOTNET FOOTPRINT - DYNAMIC TRACKING OF BOTNET SIZE - AREA ISSUE OF BOTNET SIZE - SUMMARY 8/24

Three Classes of Methods 1. Detection methods based on active/passive DNS detection 2. Detection methods based on botnet C2 features 3. Detection methods based on correlation of multiple bases 9/24

Active DNS Detection Based on actively utilizing domain name of C2 controller. Take DNS redirection for example, 1. Map the domain name of botnet C2 server to prepared sinkhole 2. Records all the connections between bots and C2 server 3. Count the number of hosts who take connections 4. The live population of the botnet can be obtained 10/24

Methods based on botnet C2 features One of the examples exploring spam to detect is method by analyzing spam content. 1. Hunting hosts which send a large amount of in the short term on mail servers 2. These hosts will be judged to suspects 3. The mails embedded with same key URL will be classified as spam from the same botnet 4. Counting the spammers from one botnet will obtain the botnet’s live population 11/24

Methods based on correlation of multiple bases BotHunter The basic idea is: By capturing the data exchange, generated in the process of spread and attack of botnet, between inside and outside of network border, “chain of evidence” of botnet activity will be formed through correlating the captured data exchange according to the botnet working process. 95.1% of detection rate can be reached! 12/24

Outline - INTRODUCTION - MEASUREMENT OF BOTNET LIVE POPULATION - MEASUREMENT OF BOTNET FOOTPRINT - DYNAMIC TRACKING OF BOTNET SIZE - AREA ISSUE OF BOTNET SIZE - SUMMARY 13/24

How to calculate botnet footprint? Solution 1: Determine whether hosts are infected by botnet, and then take count of infected hosts. Solution 2: Statistical inference is usually the only choice to calculate botnet footprint. Not accurate! Till this survey is written, there are no literatures which focus on accurate estimation of offline hosts in observed network. 14/24

Outline - INTRODUCTION - MEASUREMENT OF BOTNET LIVE POPULATION - MEASUREMENT OF BOTNET FOOTPRINT - DYNAMIC TRACKING OF BOTNET SIZE - AREA ISSUE OF BOTNET SIZE - SUMMARY 15/24

Aspects of dynamically tracking botnet size 1. Means or patterns of botnet propagation 2. Obfuscation produced by some botnet activities, such as botnet clone and botnet migration 3. Dynamic model of botnet 16/24

Scanning manner of botnet - A propagation way: Vulnerability scanning 1. Worm class: A way using more primitive style through which botnet has large scanning volume and holds a large amount of infected hosts in short time. 2. Non-worm class: Integrated with a variety of scanning algorithm, including scanning on a network segment, hit- list and random scanning. The amount of infections caused by non-worm scanning is less than worm class scanning, but the detection is more difficult. 17/24

Detection of IRC botnets The multiple IRC bots collections detected by communication between C2 controller and bots, due to the existence of botnet clone, migration and hierarchical management, these collections might belong to a same botnet. The algorithm uses: 1. Distance of communication’s characteristics 2. Overlap rate of bots 3. IP aggregation (Calculate “Overlap rate of bots”) More accurate footprint can be obtained by this method for 89% of IRC botnets. 18/24

Detection of IRC botnets - Advantages: Resolve migration, clone and hierarchical management issues of IRC botnet. - Disadvantages: 1. Multiple collections of bots should be known before using the algorithm 2. It is only applicable for the botnets with centralized structure. 19/24

Outline - INTRODUCTION - MEASUREMENT OF BOTNET LIVE POPULATION - MEASUREMENT OF BOTNET FOOTPRINT - DYNAMIC TRACKING OF BOTNET SIZE - AREA ISSUE OF BOTNET SIZE - SUMMARY 20/24

Area Issues of Botnet Size - Live population, footprint of botnet also have regional issues (local or global). - Global footprints need to consider the impact of time zones. - Two approaches to calculate the global size of botnet: 1. Statistical inference 2. Empirical estimation 21/24

Problems still to be solved - Unresolved problems of tracking botnet size include… 1. Dynamic IP addresses and NAT addresses. 2. How to track entire life cycle while every stages in life cycle have different characteristics. 3. How to identify botnets detected at different time in the existence of botnet clone and migration. 22/24

Outline - INTRODUCTION - MEASUREMENT OF BOTNET LIVE POPULATION - MEASUREMENT OF BOTNET FOOTPRINT - DYNAMIC TRACKING OF BOTNET SIZE - AREA ISSUE OF BOTNET SIZE - SUMMARY 23/24

Summary - The measurement of botnet size is not an isolated problem. It is related closely with capturing of bot programs, botnet detection and behavior analysis of botnet etc. - Just as blind men touching an elephant, each way to measure botnet size reflects only a perspective of observation. 24/24