Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University

Slides:



Advertisements
Similar presentations
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Advertisements

12-1 Last time Security in Networks Threats in Networks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
1 Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Computer Science Northwestern University
High-Performance Network Anomaly/Intrusion Detection & Mitigation System (HPNAIDM) Yan Chen Department of Electrical Engineering and Computer Science Northwestern.
1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,
Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.
Measurement and Diagnosis of Address Misconfigured P2P traffic Zhichun Li, Anup Goyal, Yan Chen and Aleksandar Kuzmanovic Lab for Internet and Security.
What Learned Last Week Homework qn –What machine does the URL go to?
Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,
1 Towards Anomaly/Intrusion Detection and Mitigation on High-Speed Networks Yan Gao, Zhichun Li, Yan Chen Northwestern Lab for Internet and Security Technology.
Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.
Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,
Introduction to Honeypot, Botnet, and Security Measurement
Article presentation for: The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware Based on article by: Jaideep Chandrashekar,
Penetration Testing Security Analysis and Advanced Tools: Snort.
BotNet Detection Techniques By Shreyas Sali
By: Sharad Sharma, Somya Verma, and Taranjit Pabla.
Network-based Intrusion Detection and Prevention in Challenging and Emerging Environments: High-speed Data Center, Web 2.0, and Social Networks Yan Chen.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu, Roberto Perdisci, Junjie Zhang, and.
Yan Chen Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University
1 Intrusion Detection Methods “Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking.
The Internet Motion Sensor: A Distributed Blackhole Monitoring System Presented By: Arun Krishnamurthy Authors: Michael Bailey, Evan Cooke, Farnam Jahanian,
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
Yan Chen, Hai Zhou Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University.
Network-based Intrusion Detection, Prevention and Forensics System 1 Yan Chen Department of Electrical Engineering and Computer Science Northwestern University.
Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,
Yan Chen Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
MASCOTS 2003 An Active Traffic Splitter Architecture for Intrusion Detection Ioannis Charitakis Institute of Computer Science Foundation of Research And.
1 Honeypot, Botnet, Security Measurement, Spam Cliff C. Zou CDA /01/07.
CINBAD CERN/HP ProCurve Joint Project on Networking 26 May 2009 Ryszard Erazm Jurga - CERN Milosz Marian Hulboj - CERN.
Anomaly/Intrusion Detection and Prevention in Challenging Network Environments 1 Yan Chen Department of Electrical Engineering and Computer Science Northwestern.
1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.
Automating Analysis of Large-Scale Botnet Probing Events Zhichun Li, Anup Goyal, Yan Chen and Vern Paxson* Lab for Internet and Security Technology (LIST)
Exploiting Temporal Persistence to Detect Covert Botnet Channels Authors: Frederic Giroire, Jaideep Chandrashekar, Nina Taft… RAID 2009 Reporter: Jing.
Department of Computer Science and Engineering Applied Research Laboratory Architecture for a Hardware Based, TCP/IP Content Scanning System David V. Schuehler.
1 NetShield: Massive Semantics-Based Vulnerability Signature Matching for High-Speed Networks Zhichun Li, Gao Xia, Hongyu Gao, Yi Tang, Yan Chen, Bin Liu,
Anomaly/Intrusion Detection and Prevention in Challenging Network Environments 1 Yan Chen Department of Electrical Engineering and Computer Science Northwestern.
Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,
Yan Chen Department of Electrical Engineering and Computer Science
Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.
Yan Chen Dept. of Electrical Engineering and Computer Science Northwestern University Spring Review 2008 Award # : FA Intrusion Detection.
Types of Malware © 2014 Project Lead The Way, Inc.Computer Science and Software Engineering.
Towards High Speed Network Defense Zhichun Li EECS Deparment Northwestern University.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Monitoring, Diagnosing, and Securing the Internet 1 Yan Chen Department of Electrical Engineering and Computer Science Northwestern University Lab for.
Intro to Network Security. Vocabulary Vulnerability Weakness that can be compromised Threat A method to exploit a vulnerability Attack Use of one or more.
CS5261 Information Security CS 526 Topic 15 Malware Defense & Intrusion Detection Topic 15: Malware Defense.
Northwestern Lab for Internet & Security Technology (LIST)
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
1 Botnets Group 28: Sean Caulfield and Fredrick Young ECE 4112 Internetwork Security Prof. Henry Owen.
Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Computer Science Northwestern University
EN Lecture Notes Spring 2016
Network-based Intrusion Detection, Prevention and Forensics System
Intrusion Detection/Prevention Systems
CS4622 Team 4 Worms, DoS, and Smurf Attacks
Zhichun Li, Gao Xia, Yi Tang, Yan Chen, and Bin Liu
Internet Worm propagation
Yan Chen Department of Electrical Engineering and Computer Science
Offense Questions: Botnet detection
Data Mining & Machine Learning Lab
Presentation transcript:

Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University Network-based Botnet Detection Filtering, Containment, and Destruction Motorola Liaisons Z. Judy Fu and Philip R. Roberts Motorola Labs

New Internet Attack Paradigm Botnets have become the major attack force Symantec identified an average of about 10,000 bot infected computers per day # of Botnets - increasing Bots per Botnet - decreasing –Used to be 80k-140k, now 1000s More firepower: –Broadband (1Mbps Up) x 100s = OC3 More stealthy –Polymorphic, metamorphic, etc. Residential users, e.g., cable modem users, are particularly susceptible due to poor maintenance

Birth of a Bot Bots are born from program binaries that infect your PC Various vulnerabilities can be used – viruses –Shellcode (scripts)

Botnet Distribution

Project Goal Understand the trend of vulnerabilities and exploits used by the botnets in the wild Design vulnerability based botnet detection and filtering system –Deployed at routers/base stations w/o patching the end users –Complementary to the existing intrusion detection/prevention systems –Can also contain the botnets from infecting inside machines Find the command & control (C&C) of botnets and destroy it

Limitations of Exploit Based Signature Our network Traffic Filtering Internet Signature: 10.*01 X X Polymorphic worm might not have exact exploit based signature Polymorphism!

Vulnerability Signature Work for polymorphic worms Work for all the worms which target the same vulnerability Vulnerability signature traffic filtering Internet X X Our network Vulnerability X X

Emerging Botnet Vulnerability and Exploit Analysis Large operational honeynet dataset Massive dataset on the botnet scan with payload Preliminary analysis show that the number of new exploits outpace the # of new vulnerabilities. LBLNU Sensor5 /2410 /24 Traces883GB287GB Duration37 months7 months

Vulnerability based Botnet Filtering/Containment Vulnerability Signature IDS/IPS framework Detect and filter incoming botnet Contain inside bots and quarantine infected customer machines Packet Sniffing TCP Reassembly Protocol Identification: port# or payload Protocol Parsing Vulnerability Signature Matching Single Matcher Matching Combine multiple matchers

Introduction 1-10 Residential Access: Cable Modems Diagram:

Snort Rule Data Mining NetbiosHTTPOracleSUNRPCRemainingTotal Rule%55.3%25.8 % 5.3%2.3%11.3%100% PSS%99.9%56.0 % 96.6%100%84.7%86.7 % Reduction Ratio Exploit Signature to Vulnerability Signature reduction ratio PSS means: Protocol Semantic Signature NetBios rules include the rules from WINRPC, SMB and NetBIOS protocols

Preliminary Results HTTPWINRPC Trace size558MB468MB #flows580K743K #PSS Signatures79145 #Snort Rule Covered Parsing Speed2.893Gbps15.186Gbps Parsing + Matching speed1.033Gbps13.897Gbps Experiment Setting –PC XEON 3.8GHz with 4GB memory –Real traffic after TCP reassembly preload to memory Experiment Results

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.