RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.

Slides:

Advertisements

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Advertisements

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

1 Network-Level Spam Detection Nick Feamster Georgia Tech.

Detecting suspicious behaviors. BBAC currently examines data streams of HTTP requests and TCP traffic within a distributed stream processing framework.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

Application of Bayesian Network in Computer Networks Raza H. Abedi.

----Presented by Di Xu  Introduction  Overview of Spam  Solutions to Spam  Conclusion.

Phishing (pronounced “fishing”) is the process of sending messages to lure Internet users into revealing personal information such as credit card.

Identifying Performance Bottlenecks in CDNs through TCP-Level Monitoring Peng Sun Minlan Yu, Michael J. Freedman, Jennifer Rexford Princeton University.

Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

PSMC Proxy Server-based Multipath Connection CS 526 Advanced Networking - Richard White.

1 BotGraph: Large Scale Spamming Botnet Detection Yao Zhao EECS Department Northwestern University.

Accurate Real-Time Identification of IP Prefix Hijacking Z. Morley Mao Xin Hu 2007 IEEE Symposium on and Privacy Oakland, California 2007 IEEE Symposium.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Evaluation of the Proximity between Web Clients and their Local DNS Servers Z. Morley Mao UC Berkeley C. Cranor, M. Rabinovich,

Threat infrastructure: proxies, botnets, fast-flux

Firewalls and VPNS Team 9 Keith Elliot David Snyder Matthew While.

Department Of Computer Engineering

Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.

An Effective Defense Against Spam Laundering Paper by: Mengjun Xie, Heng Yin, Haining Wang Presented at:CCS'06 Presentation by: Devendra Salvi.

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray,

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

SECURING NETWORKS USING SDN AND MACHINE LEARNING DRAGOS COMANECI –

Phishing and Intrusion Prevention Tod Beardsley, TippingPoint (a division of 3Com), 02/15/06 – IMP-201.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

Chapter 9: Cooperation in Intrusion Detection Networks Authors: Carol Fung and Raouf Boutaba Editors: M. S. Obaidat and S. Misra Jon Wiley & Sons publishing.

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu, Roberto Perdisci, Junjie Zhang, and.

Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.

Chapter 1: Introduction to Web Applications. This chapter gives an overview of the Internet, and where the World Wide Web fits in. It then outlines the.

1 Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Speaker: Jun-Yi Zheng 2010/03/29.

FluXOR: Detecting and Monitoring Fast-Flux Service Networks Emanuele Passerini, Roberto Paleari, Lorenzo Martignoni, and Danilo Bruschi 5th international.

Botnet behavior and detection October RONOG Silviu Sofronie – a Head of Forensics.

Jhih-sin Jheng 2009/09/01 Machine Learning and Bioinformatics Laboratory.

Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,

Not So Fast Flux Networks for Concealing Scam Servers Theodore O. Cochran; James Cannady, Ph.D. Risks and Security of Internet and Systems (CRiSIS), 2010.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin In First Workshop on Hot Topics in Understanding Botnets,

Spamscatter: Characterizing Internet Scam Hosting Infrastructure By D. Anderson, C. Fleizach, S. Savage, and G. Voelker Presented by Mishari Almishari.

Studying Spamming Botnets Using Botlab 台灣科技大學資工所楊馨豪 2009/10/201 Machine Learning And Bioinformatics Laboratory.

Cross-Analysis of Botnet Victims: New Insights and Implication Seungwon Shin, Raymond Lin, Guofei Gu Presented by Bert Huang.

By Gianluca Stringhini, Christopher Kruegel and Giovanni Vigna Presented By Awrad Mohammed Ali 1.

Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten, and Ivan Osipkov. SIGCOMM, Presented.

Understanding the Network-Level Behavior of Spammers Author: Anirudh Ramachandran, Nick Feamster SIGCOMM ’ 06, September 11-16, 2006, Pisa, Italy Presenter:

© 2009 WatchGuard Technologies WatchGuard ReputationAuthority Rejecting Unwanted & Web Traffic at the Perimeter.

Leveraging Delivery for Spam Mitigation.

Studying Spamming Botnets Using Botlab

Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma

The Koobface Botnet and the Rise of Social Malware Kurt Thomas David M. Nicol

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Security System for KOREN/APII-Testbed

Don’t Follow me : Spam Detection in Twitter January 12, 2011 In-seok An SNU Internet Database Lab. Alex Hai Wang The Pensylvania State University International.

Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Microsoft Research, Silicon Valley Geoff Hulten,

Introduction Web analysis includes the study of users’ behavior on the web Traffic analysis – Usage analysis Behavior at particular website or across.

Regan Little. Definition Methods of Screening Types of Firewall Network-Level Firewalls Circuit-Level Firewalls Application-Level Firewalls Stateful Multi-Level.

John S. Otto Mario A. Sánchez John P. Rula Fabián E. Bustamante Northwestern, EECS.

Whole Page Performance Leeann Bent and Geoffrey M. Voelker University of California, San Diego.

How dynamic are IP addresses? Yinglian Xie, Fang Yu, Kannan Achan, Eliot Gillum, Moises Goldszmidt, Ted Wobber SIGCOMM ‘07 Chulhyun Park

An Effective Defense Against Spam Laundering Author: Mengjun Xie, Heng Yin, Haining Wang Presented At: CCS’ 06 Prepared By: Amit Shrivastava.

Some Great Open Source Intrusion Detection Systems (IDSs)

Learning to Detect and Classify Malicious Executables in the Wild by J

Computer Data Security & Privacy

Server Concepts Dr. Charles W. Kann.

BotCatch: A Behavior and Signature Correlated Bot Detection Approach

Dieudo Mulamba November 2017

Preventing Internet Denial-of-Service with Capabilities

Spam Detection Algorithm Analysis

Presented by Aaron Ballew

Presentation transcript:

RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from the author's slides

Outline Motivation of RB ‐ Seeker System Architecture Overview of subsystems Evaluation of results Conclusion

Redirection/Proxy Botnet Redirect users to malicious servers o Additional layer of misdirection o Protect mothership servers o Evade URL based detection or IP based black list

Motivation of RB ‐ Seeker Botnet is an ideal source for redirection/proxy servers Botnets used for multiple purposes/scams Previous research: detection of C&C channel

Overview of RB ‐ Seeker Automatic detection of redirection/proxy botnets Utilizes 3 cooperating subsystems Behavior ‐ based detection Quick identification of aggressivebotnets (FP < 0.01%) o Advertise manyIPs per query o Change IPs very often (short TTL) Accurate identification of stealthybotnets o Advertise fewIPs per query o Change IPs more slowly (very small TTL, closely monitored

System Architecture

SSS: Spam Source Subsystem Redirection/proxy botnet are commonly used by spam/phishing campaigns SSS exploits this close relatrionship o Real time collection of spam s: > 50,000 monthly

SSS: Spam Source Subsystem Extract embedded URLs from message bodies Probe extracted URLs to identify redirection URL links Domains added to redirection domain database

System Architecture

NAS: NetFlow Analysis Subsystem Use NetFlow because: o Inspecting packet contents incurs too much overhead o Privacy concerns Spammers send image ‐ or PDF ‐ based s o Evade content ‐ based filtering User redirected to RBnet by clicking on malicious webpage Inspecting each not always possible o Privacy concerns/laws

NAS: NetFlow Analysis Subsystem NetFlow: core router on campus Looks for suspicious redirection attempts o Without analyzing packet contents

NAS: NetFlow Analysis Subsystem Sequential Hypothesis testing on: o Flow size, inter ‐ flow duration, and flow duration

NAS: NetFlow Analysis Subsystem Identifies IPs participating in redirection o Correlation engine uses DNS logs to add domains participating in redirection to redirection domain db

NAS: NetFlow Analysis Subsystem Redirection: obtained from SSS, servers identified as redirection Normal: normal web browsing over 2 days (removing redirection)

System Architecture

a ‐ DADS: active DNS Anomaly Detection Subsystem Actively performs DNS queries on domains in redirection domain db Uses CDN Filter to remove Content Delivery Networks o CDNs behave similarly to redirection/proxy botnets o Recursively removes

a ‐ DADS: active DNS Anomaly Detection Subsystem IP Usage: o RBnets will accrue more unique IPs over time o RBnets will have more unique IPs per valid query Reverse DNS names with “bad words” o e.g., broadband, cable, comcast, charter, etc… AS count o Number of different ASes the IPs belong to o RBnets consist of home computers scattered geographically

a ‐ DADS: active DNS Anomaly Detection Subsystem Applies 2 ‐ tier linear SVM on remaining domains o Trained: 124 valid, 18 aggressive, 10 stealth o 10 ‐ fold cross validation on multiple classifiers  knn, decision tree, naïve Bayesian, various SVMs and kernel functions

a ‐ DADS: active DNS Anomaly Detection Subsystem SVM-1: o detects Aggressive RBnets based on 2 valid queries o unique IPs, num ASes, DNS “bad words”

a ‐ DADS: active DNS Anomaly Detection Subsystem

SVM-2 o detects Stealth RBnets using a week of DNS queries o unique IPs, num ASes

a ‐ DADS: active DNS Anomaly Detection Subsystem

Evaluation of Results SSS and NAS identified 91,600+ suspicious domains over 2 month period a ‐ DADS CDN Filter o Removed 5,005 CDN domains o Recursion 16.8% increase in identified CDN domains (13.1% in IPs) o Similar technique for valid domains reduced this to 35,000+ domains to be monitored

Evaluation of Results

Aggressive RBnets: Redirection vs. Proxy Botnets

Stealth RBnets

Evaluation of Results FFSN detector: o Detected 124 of the 125 Aggressive RBnets o 1 FP: same as ours (mozilla.org) o Missed all the Stealth RBnets

Conclusion Designed and implemented system for detecting redirection/proxy botnets Uses network detection techniques o multiple data sources readily available to enterprise network environments Behavior ‐ based detection works despite use of C&C protocol or structure Capable of detecting Aggressive and Stealthy RBnets Automatic detection with low false positives (< 0.01%)