2009/9/15 Rishi: Identify Bot Contaminated Hosts By IRC Nickname Evaluation
Reporter: Fong-Ruei Li, Machine Learning and Bioinformatics Lab
In Proceedings of USENIX Workshop on Hot Topics in Understanding Botnets (HotBots), 2007

Outline
- Introduction
- Background
- Communication Channel Detection
- Results and Evaluation
- Conclusion

Introduction
- Currently, the usual way to stop a given botnet is to disable the communication channel used by the bots.
- However, the hosts stay infected and are in most cases still backdoored, allowing an attacker to reclaim the machine at any time.

Background
Internet Relay Chat (IRC)
- Each server hosts a number of chat rooms called channels.
- Every user connected to an IRC server has its own unique username, called a nickname.

Background
Botmaster
- The common way for the botmaster to communicate with the botnet is IRC.
Bots
- join a specific channel on a public or private IRC server
- to receive further instructions

Communication Channel Detection
All bots have one characteristic in common:
- they need a communication channel.
Our approach focuses on
- detecting the communication channel between the bot and the botnet controller;
- this makes it possible to detect a bot even before it performs any malicious actions.

Project Rishi
From every captured packet, Rishi extracts:
- time of the suspicious connection
- IP address and port of the suspected source host
- IP address and port of the destination IRC server
- channels joined
- nickname used
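The extraction step above, as an added example (not Rishi's own code): a small parser that pulls the NICK and JOIN messages out of captured TCP payloads and builds the record the slide lists. Because it matches on the IRC protocol messages rather than on the destination port, a bot talking IRC on port 8080 is recorded just like one on 6667. The flows below are constructed for this example; the addresses, ports and nicknames are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample flows: (timestamp, src ip, src port, dst ip, dst port, TCP payload),
# standing in for what a passive capture on the monitored link would yield.
SAMPLE_FLOWS = [
    ("2009-09-15 10:00:01", "10.0.0.5", 49152, "198.51.100.7", 6667,
     "NICK RBOT|DEU|XP-1234\r\nUSER a b c :d\r\nJOIN #botnet\r\n"),
    # IRC on a non-standard port: still an IRC registration, so it must be recorded.
    ("2009-09-15 10:00:03", "10.0.0.9", 50001, "198.51.100.7", 8080,
     "NICK alice\r\nUSER alice 8 * :Alice\r\nJOIN #linux,#python\r\n"),
    # Plain HTTP: no NICK message, so the flow is ignored.
    ("2009-09-15 10:00:07", "10.0.0.5", 49153, "203.0.113.2", 80,
     "GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

# IRC client messages are one command per line; NICK may carry a leading ':'.
IRC_NICK = re.compile(r"^NICK\s+:?(\S+)", re.M)
IRC_JOIN = re.compile(r"^JOIN\s+(\S+)", re.M)   # "JOIN #a,#b [keys]" joins several channels


@dataclass
class IrcRecord:
    time: str
    src: Tuple[str, int]
    dst: Tuple[str, int]
    nickname: str
    channels: List[str]


def extract_irc(flow) -> Optional[IrcRecord]:
    """Return an IrcRecord for a flow that registers an IRC nickname, else None."""
    time, sip, sport, dip, dport, payload = flow
    nick = IRC_NICK.search(payload)
    if nick is None:
        return None                      # not an IRC registration, whatever the port
    channels: List[str] = []
    for m in IRC_JOIN.finditer(payload):
        channels.extend(c for c in m.group(1).split(",") if c)
    return IrcRecord(time, (sip, sport), (dip, dport), nick.group(1), channels)


def extract_all(flows) -> List[IrcRecord]:
    """Run the extractor over a capture and keep only the IRC registrations."""
    return [r for r in map(extract_irc, flows) if r is not None]


if __name__ == "__main__":
    for rec in extract_all(SAMPLE_FLOWS):
        print(rec)
```

Real traffic adds cases this sketch skips: a client may change its nickname later with a second NICK, JOIN can carry channel keys after a space, and a long registration can be split across several TCP segments, so a production extractor has to reassemble the stream before matching.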

Network setup of Rishi (figure)

Basic Concept - Rishi (figure)

Scoring Function
Checks for the occurrence of several criteria, each worth 1 point:
- suspicious substrings, such as the name of a bot (e.g., RBOT or l33t-)
- special characters like [, ], and |
- long numbers: if the nickname consists of many digits, 1 point for each two consecutive digits

Scoring Function
True signs of an infected host raise the final score by more than one point:
- a match with one of the regular expressions
- a connection to a blacklisted server
- the use of a blacklisted nickname

Regular Expression
Each nickname is tested against several regular expressions which match known bot names; a match is worth 10 points.
For example, the expression \[[0-9]\|[0-9]{4,} (a literal [, one digit, a literal |, then four or more digits) matches nicknames like [0|1234].

Whitelisting
The software uses:
- a hard-coded whitelist
- a dynamic whitelist
Each nickname which receives zero points is added to the dynamic whitelist.

Blacklisting
Two blacklists:
- the first blacklist is hard-coded in the configuration file
- the second one is a dynamic list, with nicknames added to it automatically according to their final score

Example
Imagine that the nickname RBOT|DEU|XP-1234 was added to the dynamic blacklist.
The next captured nickname, RBOT|CHN|XP-… (same pattern with a different trailing number), scores:
- 1 point each for the suspicious substrings RBOT, CHN, and XP
- 1 point each for the two occurrences of the special character |
- 1 point each for the two occurrences of consecutive digits
- 7 points so far
- 10 points for more than 50% congruence with a name stored on the dynamic blacklist
- 17 points in total
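The scoring function, the regular-expression check and the white-/blacklist handling from the preceding slides, written out as an added example (not Rishi's own code). The substring list holds only the strings the slides mention (RBOT, l33t-, CHN, DEU, XP); the 10-point weight for a blacklist hit, the position-wise "congruence" metric and the threshold at which a nickname joins the dynamic blacklist are assumptions, since the slides give only "more than one point" and "more than 50% congruence". The nickname RBOT|CHN|XP-5678 is constructed to follow the slide's pattern.

```python
import re
from typing import Dict, List

# Only RBOT, l33t-, CHN, DEU and XP come from the slides; extend from your own captures.
SUSPICIOUS_SUBSTRINGS: List[str] = ["RBOT", "l33t-", "CHN", "DEU", "XP"]
SPECIAL_CHARS = set("[]|")
BOT_NAME_PATTERNS = [re.compile(r"\[[0-9]\|[0-9]{4,}")]  # the one regex shown on the slide
DIGIT_PAIRS = re.compile(r"[0-9]{2}")                    # non-overlapping pairs of consecutive digits
STRONG_HIT = 10            # regex match (slide: 10 points); assumed the same for blacklist hits
CONGRUENCE_MIN = 0.5       # "more than 50% congruence" with a blacklisted name
BLACKLIST_THRESHOLD = 10   # assumed: nickname score at which a nick joins the dynamic blacklist


def congruence(a: str, b: str) -> float:
    """Assumed metric: fraction of positions at which both names carry the same character."""
    if not a or not b:
        return 0.0
    same = sum(1 for x, y in zip(a, b) if x == y)
    return same / max(len(a), len(b))


class RishiScorer:
    def __init__(self, blacklist_nicks=(), blacklist_servers=(), whitelist=()):
        self.static_blacklist = set(blacklist_nicks)     # hard-coded in the config file
        self.blacklist_servers = set(blacklist_servers)
        self.static_whitelist = set(whitelist)
        self.dynamic_whitelist: set = set()               # nicks that scored zero
        self.dynamic_blacklist: set = set()               # nicks that scored high

    def score(self, nickname: str, server: str = "") -> Dict[str, int]:
        """Per-criterion breakdown plus 'total' for one (nickname, server) observation."""
        b: Dict[str, int] = {"substrings": 0, "special_chars": 0, "digit_pairs": 0,
                             "regex": 0, "blacklist": 0, "server": 0}
        whitelisted = nickname in self.static_whitelist or nickname in self.dynamic_whitelist
        if not whitelisted:
            low = nickname.lower()
            b["substrings"] = sum(1 for s in SUSPICIOUS_SUBSTRINGS if s.lower() in low)
            b["special_chars"] = sum(1 for c in nickname if c in SPECIAL_CHARS)
            b["digit_pairs"] = len(DIGIT_PAIRS.findall(nickname))
            if any(p.search(nickname) for p in BOT_NAME_PATTERNS):
                b["regex"] = STRONG_HIT
            known = self.static_blacklist | self.dynamic_blacklist
            if any(congruence(nickname, k) > CONGRUENCE_MIN for k in known):
                b["blacklist"] = STRONG_HIT
        nick_score = sum(b.values())
        # The server check is kept outside the nickname whitelist on purpose: a benign-looking
        # nick on a known C&C server should still raise an alert.
        if server in self.blacklist_servers:
            b["server"] = STRONG_HIT
        b["total"] = nick_score + b["server"]
        # Feed the dynamic lists from the nickname-derived score only.
        if nick_score == 0 and not whitelisted:
            self.dynamic_whitelist.add(nickname)
        elif nick_score >= BLACKLIST_THRESHOLD:
            self.dynamic_blacklist.add(nickname)
        return b


if __name__ == "__main__":
    s = RishiScorer(blacklist_servers={"198.51.100.7"})
    s.dynamic_blacklist.add("RBOT|DEU|XP-1234")           # the slide's starting state
    print(s.score("RBOT|CHN|XP-5678"))                     # 3 + 2 + 2 + 10 = 17
    print(s.score("alice"))                                # 0, lands on the dynamic whitelist
    print(s.score("[0|12345"))                             # regex hit
```

Two things the walk-through makes visible: the dynamic blacklist is self-reinforcing (each 17-point nick becomes a new reference for the next one), and the dynamic whitelist is keyed on the nickname alone, so whoever controls the bot can pick an innocuous nick and only the server blacklist and the regular expressions still catch it. That is the trade-off the slides' white-/blacklisting scheme accepts for low false positives.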

Results and Evaluation
RWTH Aachen University
- 30,000 computer users to support
- Rishi runs on a quad-CPU Intel Xeon 3.2 GHz system with 3 GB of memory
- monitoring a 10 GBit network

Results and Evaluation (result figures)

Conclusion
Detection based on characteristics of the communication channel:
- observe protocol messages
- use n-gram analysis together with a scoring function
- black-/whitelists

Bot Nicknames (figure)

Thank you for listening. The end.