An Introduction of Botnet Detection – Part 2
Guofei Gu, Wenke Lee (Georgia Tech)


2009/5/26 Speaker: Li-Ming Chen

Slide 2: Reference
Guofei Gu, Wenke Lee, et al.:
- BotHunter: Detecting Malware Infection through IDS-driven Dialog Correlation, USENIX Security 2007
- BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic, ACM NDSS 2008
- BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-independent Botnet Detection, USENIX Security 2008
Moheeb Abu Rajab, et al.:
- A Multifaceted Approach to Understanding the Botnet Phenomenon, ACM IMC 2006

Slide 3: Lifecycle of a Typical Botnet Infection
Why is a botnet hard to detect?
- The infection involves multiple steps
- Flexible design of C&C channels
(Figure: infection lifecycle diagram. Surviving labels: "borrow infection strategies from traditional malicious attacks", "(optional) authentication", "6. Malicious activities (e.g., DDoS)")

Slide 4: C&C (Command and Control) Channels
- Centralized C&C channel
- P2P C&C channel
(Figure: message response crowd and activity response crowd)

Slide 5: Comparison of the 3 Approaches
Detection target:
- BotHunter: bot
- BotSniffer: botnet
- BotMiner: botnet
Description:
- BotHunter: detect the lifecycle of a bot, including infection and command execution
- BotSniffer: detect a group of hosts with spatial-temporal similarity in C&C communication
- BotMiner: BotSniffer extension; supports various C&C communication frameworks
Assumptions:
- BotHunter: predefined bot infection lifecycle
- BotSniffer: focus on centralized C&C communication
- BotMiner: bots will perform tasks and respond
Insight:
- BotHunter: vertical correlation of IDS alerts
- BotSniffer: horizontal correlation of similar behaviors
- BotMiner: cluster hosts with similar traffic patterns
Approach:
- BotHunter: detect individual events; identify parts of the lifecycle
- BotSniffer: group hosts that connect to the same C&C server; detect similar activity or message response behaviors
- BotMiner: cluster similar C&C communication; cluster similar malicious traffic; cross-cluster the two

Slide 6: BotHunter
- Utilize Snort to detect signs of local infection
- Signs are matched against predefined evidence (dialog transitions)
- A host is declared a bot when: E2 is seen together with any of E3-E5, or at least two distinct signs among E3-E5 are seen
(Figure: predefined lifecycle)

Slide 7: BotHunter (cont'd)
- Current bots are multi-vector
- Two modules (inbound/outbound) for scan detection: assign high weight to ports often used by malware (predefined); observe outbound scan rate, outbound connection failure rate, and address dispersion
- Anomaly-based payload exploit detection: learn a normal profile (using 2-gram PAYL); check the deviation distance of a test payload from the normal profile
- Use bot-specific heuristics to build signatures (rules)
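The vertical correlation of slides 6 and 7 in toy form, as an added example that is not BotHunter's own code: per-host IDS alerts are labelled with the dialog events of the BotHunter paper (E1 inbound scan, E2 inbound exploit, E3 egg download, E4 C&C communication, E5 outbound scan), and the slide's two-condition rule is applied within a correlation window. The alerts, hosts and the 4-hour window are constructed assumptions.

```python
from collections import defaultdict

# Event labels follow the BotHunter paper's dialog model (assumed here, not on
# the slide): E1 inbound scan, E2 inbound exploit, E3 egg download,
# E4 C&C communication, E5 outbound scan / propagation.
WINDOW_SECONDS = 4 * 3600   # assumed correlation window; a tunable, not a paper constant

# Constructed sample IDS alerts: (timestamp_seconds, local_host, event_type)
SAMPLE_ALERTS = [
    (0, "10.0.0.5", "E1"),       # inbound scan against .5
    (60, "10.0.0.5", "E2"),      # exploit delivered to .5
    (300, "10.0.0.5", "E3"),     # .5 downloads a binary (egg)
    (900, "10.0.0.5", "E4"),     # .5 talks to a C&C server
    (100, "10.0.0.9", "E4"),     # .9: C&C-like traffic ...
    (200, "10.0.0.9", "E5"),     # ... plus outbound scanning
    (50, "10.0.0.7", "E2"),      # .7: one exploit alert, no follow-up
    (20000, "10.0.0.7", "E3"),   # .7: egg download far outside the window
]

def is_bot_dialog(events):
    """Slide rule: E2 plus any of E3-E5, or two distinct signs among E3-E5."""
    late = {e for e in events if e in ("E3", "E4", "E5")}
    return ("E2" in events and len(late) >= 1) or len(late) >= 2

def correlate(alerts, window=WINDOW_SECONDS):
    """Vertical correlation: per host, slide a window over that host's own
    alerts and report the first event set that satisfies the bot rule."""
    by_host = defaultdict(list)
    for ts, host, ev in alerts:
        by_host[host].append((ts, ev))
    flagged = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {ev for ts, ev in evs[i:] if ts - start <= window}
            if is_bot_dialog(seen):
                flagged[host] = sorted(seen)   # evidence trail for this host
                break
    return flagged
```

Host 10.0.0.7 shows why the window matters: its E2 and E3 alerts are genuine signs, but far enough apart that they are not correlated into one dialog.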

Slide 8: BotHunter: Evaluation Results (1/2)
- Experiments in a virtual network, to test the FN rate (by examining 10 different bots)
(Table columns: number of generated dialog warnings; number involving the victim)

Slide 9: BotHunter: Evaluation Results (2/2)
Honeynet-based experiments:
- Use the SRI honeynet to capture real-world bot infections
- Use BotHunter to analyze these traces
- 95.1% TP rate (1920/2019 in 3 weeks)
- FNs are due to: infection failure, honeynet setup and policy failure, data corruption failure
Experiments in a campus network:
- 98 profiles were generated in 4 months (no FP)
Experiments in the SRI laboratory network:
- 1 bot profile was generated, and it was an FP (a 1.6 GB multi-file FTP transfer matched "E2 & E3")

Slide 10: BotHunter: Pros and Cons
Pros:
- Real-time detection of bot infections
- Evidence trail gathering for investigation of putative infections
Cons:
- Uses a heuristic (2 conditions) to decide on a bot infection
- Less flexible

Slide 11: BotSniffer
- Response crowd: density check; homogeneity check (data reduction)
- Port-independent, payload inspection

Slide 12: BotSniffer: Evaluation Methodology
Use normal traffic traces to test the FP rate, and botnet traces (mixed with normal traffic) to test detection performance.
Normal traces:
- 8 IRC traces (port 6667) and 5 complete traces captured from the campus network
Botnet traces:
- 3 real-world IRC-based botnet traces
- 3 botnet traces generated by modifying the source code of 3 common botnets
- 2 HTTP-based botnets implemented by the authors

Slide 13: BotSniffer: Evaluation Results (1/2)
All FPs were generated by single-client incoming message response analysis. (Both activity response and message response group analysis were applied.)

Slide 14: BotSniffer: Evaluation Results (2/2)
(Table: honeynet IRC logs, both message and activity responses. Surviving labels: "periodically connect to server", "random delay")
The randomization of connection periods did not cause a problem, because there were still several clients performing activity responses within the time window.

Slide 15: BotSniffer: Pros and Cons
Pros:
- Successfully detects all botnets (low FP rate)
- Efficient alert reduction
- More robust than other botnet detection systems
Cons:
- Focuses on centralized C&C communication
- Requires configuring a time window for group analysis
- Possible evasions (e.g., misusing the whitelist, encryption, protocol matcher, long response delay, obfuscation)

Slide 16: BotMiner (similar to BotSniffer)
- Focus on flow statistics, not message response!
(Figure: architecture diagram. Surviving labels: "log", "combine results and make final decision", "more straightforward", "more complex")

Slide 17: BotMiner: Evaluation Methodology
(Same as BotSniffer) Use normal traffic traces to test the FP rate, and botnet traces (mixed with normal traffic) to test detection performance.
Normal traces:
- 10 days of traffic captured at the campus network
Botnet traces:
- 4 IRC, 2 HTTP and 2 P2P botnets (2 IRC and 2 HTTP are also used for BotSniffer)
- P2P: 2 real-world traces (Nugache: TCP, encrypted; Storm: UDP)

Slide 18: BotMiner: Evaluation Results (1/3)
C-plane data reduction:
- Only record internal-to-external flows (most useful)
- Remove half-open TCP flows
- Whitelist

Slide 19: BotMiner: Evaluation Results (2/3)
- 4 features: temporal: fph (flows per hour), bps (bytes per second); spatial: ppf (packets per flow), bpp (bytes per packet)
- Cluster using the mean and variance of the features
- Further cluster by separating each feature into a vector of 13 elements according to its distribution
- Ignore clusters containing only 1 host
- Most FP clusters contain only 2 hosts
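The C-plane features of slide 19 and the cross-clustering of slide 16 in toy form, as an added example that is not BotMiner's code: fph, bps, ppf and bpp are computed per (source, destination) from flow records, hosts with similar feature vectors are grouped, single-host clusters are dropped as on the slide, and a host is flagged only when it shares both a multi-host C-plane cluster and a multi-host A-plane cluster with another host. The flow records, a threshold-based grouping standing in for the paper's X-means clustering, and the membership test standing in for the paper's weighted score are all constructed assumptions.

```python
from collections import defaultdict

OBSERVATION_HOURS = 1.0   # assumed capture length used for flows-per-hour
TOLERANCE = 0.25          # assumed relative distance for "similar" features

# Constructed C-plane flow records: (src_host, dst, bytes, packets, duration_seconds)
FLOWS = [
    ("10.0.0.5", "198.51.100.7:6667", 420, 6, 12.0),   # bot A beacons to C&C
    ("10.0.0.5", "198.51.100.7:6667", 430, 6, 12.5),
    ("10.0.0.9", "198.51.100.7:6667", 410, 6, 11.8),   # bot B, same pattern
    ("10.0.0.9", "198.51.100.7:6667", 425, 6, 12.2),
    ("10.0.0.20", "203.0.113.3:80", 1_500_000, 1200, 30.0),  # one bulk download
]
# Constructed A-plane observations: (host, activity type seen by the monitor)
ACTIVITIES = [("10.0.0.5", "scan"), ("10.0.0.9", "scan"), ("10.0.0.20", "scan")]

def cplane_features(flows):
    """Per (src, dst): [fph, bps, ppf, bpp] over the observation window."""
    agg = defaultdict(lambda: [0, 0, 0, 0.0])      # flows, bytes, packets, seconds
    for src, dst, nbytes, pkts, secs in flows:
        a = agg[(src, dst)]
        a[0] += 1; a[1] += nbytes; a[2] += pkts; a[3] += secs
    return {k: [n / OBSERVATION_HOURS, b / s, p / n, b / p]
            for k, (n, b, p, s) in agg.items()}

def similar(u, v, tol=TOLERANCE):
    """Every feature within a relative tolerance (stands in for X-means)."""
    return all(abs(a - b) <= tol * max(abs(a), abs(b)) for a, b in zip(u, v))

def cplane_clusters(features):
    """Greedy grouping of source hosts by feature similarity, dropping singletons."""
    clusters = []
    for (src, _), vec in features.items():
        for c in clusters:
            if similar(c["vec"], vec):
                c["hosts"].add(src)
                break
        else:
            clusters.append({"vec": vec, "hosts": {src}})
    return [c["hosts"] for c in clusters if len(c["hosts"]) > 1]

def cross_cluster(flows, activities):
    """Hosts sharing both a multi-host C-plane cluster and a multi-host A-plane
    cluster with some other host (a simplified stand-in for BotMiner's score)."""
    aplane = defaultdict(set)
    for host, act in activities:
        aplane[act].add(host)
    flagged = set()
    for c in cplane_clusters(cplane_features(flows)):
        for a in aplane.values():
            both = c & a
            if len(both) > 1:
                flagged |= both
    return sorted(flagged)
```

Host 10.0.0.20 scans like the two bots (same A-plane cluster) but its download does not resemble their beaconing, so it never shares a C-plane cluster and is not flagged; that is the point of requiring both planes.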

Slide 20: BotMiner: Evaluation Results (3/3)
(Table of FN results; only the label "FN" survives.)

Slide 21: BotMiner: Pros and Cons
Pros:
- Anomaly-based botnet detection system (independent of the protocol and structure used by botnets)
- Low FN and FP rates
Cons:
- Stealthy botnets: the botmaster can command the bots to perform extremely delayed tasks (evading cross clustering)

Slide 22: Summary
BotHunter:
- Vertical correlation
- Correlation on the behaviors of a single host
BotSniffer:
- Horizontal correlation
- Focus on centralized C&C botnets
BotMiner:
- Extension of BotSniffer
- No limitations on the C&C types