A Framework for Hybrid Structure P2P Botnet. Speakers: MA2G0207 bo rong, sue. Source: IEEE.

Presentation transcript:


Outline
1. INTRODUCTION
2. CURRENT BOTNETS
3. PROPOSED HYBRID STRUCTURE P2P BOTNET
4. BOTNET CONTROL
5. PERFORMANCE EVALUATION
6. CONCLUSIONS

1. INTRODUCTION One of the most significant threats to the Internet today is botnets. Botnets are networks of compromised computers controlled by remote attackers. Attackers use botnets to scatter attack tasks over thousands of computers distributed all over the Internet.

1. INTRODUCTION A computer executing a bot program is called a bot. A collection of these bots connected to a network is called a botnet. Botnets run autonomously and automatically. Computers in botnets may be compromised via a wide range of attack techniques.

1. INTRODUCTION After being compromised, bots log into a command-and-control (C&C) server. A botnet with this architecture is easy to construct and efficient at distributing the botmaster's commands.

2. CURRENT BOTNETS At the beginning, botmasters used IRC servers as C&C servers. But once the IRC servers were shut down, the botnets stopped working. As botmasters gradually realized the limitations of traditional botnets, they noticed the weakness inherent in the centralized architecture of C&C servers.

2. CURRENT BOTNETS Researchers proposed an advanced hybrid P2P botnet. Bots that had static IP addresses and were accessible from the Internet were called servent bots. The others were called client bots.

2. CURRENT BOTNETS If servent bots do not change their IP addresses and never go offline, the botnet keeps working. But in reality, 67 percent of the hosts with static IP addresses will be offline within 72 hours. Servent bots thus become invalid within 3 days, and the botnet may stop working until the botmasters renew the servent bot lists.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET The researchers propose a hybrid structure P2P botnet based on Chord (Hsbotnet). A. Botnet Architecture

3. PROPOSED HYBRID STRUCTURE P2P BOTNET ◦ The main part of the botnet is a Chord ring consisting of many virtual nodes. ◦ Bots in the same virtual node may also be from the same or adjacent physical networks. ◦ Bots in the Hsbotnet are classified into two groups. ◦ The first group contains bots that have static IP addresses and have already been online for more than 12 hours.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET ◦ Bots in the first group are called super bots. ◦ The second group contains the remaining bots, called peer bots. ◦ Hsbotnet implements a consistent hash operation that maps the IP address of the first super bot in a virtual node to an m-bit sequence. ◦ Hsbotnet uses Chord to assign each virtual node an identifier, using those m-bit sequences as the IDs. ◦ This identifier space can be viewed as a circle, in which the highest identifier is followed by zero.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET ◦ Each Hsbotnet contains at most 2^m virtual nodes, and there can be m-1 super bots in a virtual node. B. Update Architecture ◦ In order to maintain the integrity of this organization, each super bot in a virtual node maintains a successor list, called a finger table, which holds the identifiers of the m virtual nodes that follow the virtual node in the identifier circle (one entry per finger start, G8+1, G8+2, ..., G8+32 in the G8 example).

3. PROPOSED HYBRID STRUCTURE P2P BOTNET ◦ If a node's successor is not responsive, the node replaces it with the next entry in its successor list.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET Finger table of virtual node G8 (Null marks the end of the super bot list):

Start    Successor Node   IP1     IP2     IP3     IP4     IP5
G8+1     G15              S15_1   S15_2   Null
G8+2     G15              S15_1   S15_2   Null
G8+4     G15              S15_1   S15_2   Null
G8+8     G16              S16_1   S16_2   S16_3   Null
G8+16    G25              S25_1   Null
G8+32    G48              S48_1   S48_2   S48_3   S48_4   Null
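The Start and Successor Node columns of the G8 table follow from plain Chord rules, and the slide rule that an unresponsive successor is replaced by the next live entry can be checked the same way. The following Python is an added example (not the paper's or the presenters' code); it assumes m = 6, which the six entries G8+1 to G8+32 imply, and SHA-1 as the consistent hash, which the slides do not name.

```python
# Added example: Chord finger tables for the Hsbotnet identifier circle.
# Assumptions: m = 6 identifier bits and SHA-1 as the consistent hash.
from __future__ import annotations

import hashlib
import ipaddress

M = 6  # identifier bits: at most 2**M virtual nodes on the circle


def node_id(first_super_bot_ip: str, m: int = M) -> int:
    """Consistent hash of a virtual node's first super bot IP to an m-bit ID.

    SHA-1 truncated to m bits is the classic Chord choice (assumed here)."""
    packed = ipaddress.ip_address(first_super_bot_ip).packed
    digest = hashlib.sha1(packed).digest()
    return int.from_bytes(digest, "big") % (1 << m)


def successor(start: int, live_nodes: set[int], m: int = M) -> int:
    """First live virtual node at or after `start`, wrapping from 2**m - 1 to 0."""
    ring = 1 << m
    for offset in range(ring):
        candidate = (start + offset) % ring
        if candidate in live_nodes:
            return candidate
    raise ValueError("no live virtual node on the circle")


def finger_table(n: int, live_nodes: set[int], m: int = M) -> list[tuple[int, int]]:
    """Entry i (i = 0..m-1) has start = n + 2**i (mod 2**m) and points at the
    successor of that start: the Start / Successor Node columns of the G8 table."""
    ring = 1 << m
    table = []
    for i in range(m):
        start = (n + (1 << i)) % ring
        table.append((start, successor(start, live_nodes, m)))
    return table


def finger_table_after_failure(n: int, live_nodes: set[int],
                               unresponsive: set[int], m: int = M):
    """Slide rule: an unresponsive successor is skipped in favour of the next
    live node, so every finger that pointed at it moves forward."""
    return finger_table(n, live_nodes - set(unresponsive), m)


if __name__ == "__main__":
    # Constructed ring matching the slides' example: G8 and its successors.
    ring_nodes = {8, 15, 16, 25, 48}
    for start, succ in finger_table(8, ring_nodes):
        print(f"G8+{start - 8:<3} -> G{succ}")
    print("after G15 goes quiet:", finger_table_after_failure(8, ring_nodes, {15}))
    print("ID of a constructed IP:", node_id("203.0.113.5"))
```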

3. PROPOSED HYBRID STRUCTURE P2P BOTNET ◦ All the super bots in a virtual node keep the same finger table. ◦ When a virtual node joins or leaves the botnet, the finger tables are updated automatically by Chord. ◦ The botnet communicates via the super file contained in each bot. ◦ Every virtual node has its own super file; the IP addresses of the super bots in that node are the candidates listed in the super file.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET ◦ All the bots in a virtual node, both super bots and peer bots, keep the same super file. ◦ Peer bots actively access the super bots in their super files to retrieve commands. Figure: Super File.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET ◦ The botmaster generates a public/private key pair, K+ and K-, and embeds K+ in the bot program. ◦ Commands are digitally signed with the private key K- to ensure their authenticity and integrity.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET ◦ The update process of Hsbotnet is briefly explained as follows, taking virtual node G8 as the example. 1. Super bot S8_1 begins a countdown to update its local finger table via Chord. 2. Once the finger table has been updated, S8_1 actively contacts the IP addresses in it to retrieve the super files saved on the successor nodes.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET 3. If S8_1 finds a new command in the retrieved super files, it copies the command into its local super file. 4. S8_1 sends messages to the other super bots in G8, requiring them to retrieve the finger table and super file saved on S8_1.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET ◦ When another super bot in G8, such as S8_2, receives the message, it checks the sender's IP address. ◦ If the IP address is contained in its local super file, S8_2 retrieves the files and replaces its local finger table and super file. ◦ After doing so, S8_2 adds a random time to its local countdown.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET ◦ However, if the message comes from an unknown IP address, S8_2 discards it and requires the sender to join the botnet as a new host. ◦ Every 5 minutes, each peer bot randomly chooses a super bot contained in its local super file to access. ◦ The peer bot retrieves the super file stored at that super bot and replaces its local file.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET C. Botnet Propagation ◦ On being compromised, a new bot receives a super file from the spreader. ◦ The new bot then sends a join request to a super bot contained in that super file. ◦ The super bot tests the performance of the new bot and decides whether to make it a peer bot or a super bot.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET ◦ New bots that have static IP addresses, are accessible from the global Internet, and have already been online for more than 12 hours become super bots; the others become peer bots. ◦ If new bot N can be a super bot, the following process is executed by the super bot S that tested N, to decide which virtual node N joins.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET 1. S retrieves the super file stored at N; if it is the same as the local file, S fills it with "Null". 2. If there are already m-1 IP addresses in N's super file, S creates a new virtual node and makes N the first super bot in the new node. Go to (8). 3. If there are m-1 IP addresses in the local super file, go to (6).

3. PROPOSED HYBRID STRUCTURE P2P BOTNET 4. S tests the Internet delay Td between itself and N; if Td > 3000 ms, go to (6). 5. S adds the IP address of N to its local super file, then sends messages to the other super bots in the current node, requiring them to retrieve the super file stored at the local host. Go to (8). 6. S adds its local IP address to N's super file. 7. S randomly chooses an IP address in its local finger table; N is sent there and tested again. Go to (1). 8. The process is complete.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET ◦ This process ensures that the new super bot N is tested at most m-1 times. ◦ If no suitable virtual node is found, a new virtual node is created and N becomes the first super bot in it.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET D. Promotion and Movement of Peer Bots ◦ Once a peer bot has been powered on for 12 hours, it sends a promotion request to a super bot. ◦ The super bot then tests it just as it tests a new bot. ◦ If the peer bot cannot be promoted to super bot, it may send the request again 12 hours later.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET ◦ In the proposed botnet, peer bots can move from their current virtual node to another simply by changing their super files. ◦ The moving process of peer bot P is briefly explained as follows. 1. If P has already stayed in the current node for T minutes, it tests the average Internet delay Td between itself and all the super bots in its local super file.

3. PROPOSED HYBRID STRUCTURE P2P BOTNET 2. If Td > 3000 ms, P sends a message to a super bot requesting a random IP address contained in that super bot's finger table. Go to (4). 3. Double T. Go to (1). 4. P connects to the IP address provided by the super bot, retrieves the super file there and replaces its local file. Set T equal to 5. Go to (1). ◦ A peer bot moves from one virtual node to another until it finds a node with low delay.

4. BOTNET CONTROL The essential component of a botnet is its command and control. Compared to the original botnet, the proposed botnet has a more robust and complex self-control architecture. The major design challenge is to build a botnet that is difficult to shut down.

4. BOTNET CONTROL A. Offline Detection ◦ Every 5 minutes, a super bot tries to connect to the IP addresses contained in its super file. ◦ If an IP address cannot be connected to, it is replaced with "Null" in the file, meaning that the super bot is offline. ◦ When the super file is edited, the super bot sends messages to the other super bots in the current node, requiring them to retrieve the super file saved on the local host.

4. BOTNET CONTROL ◦ All the super bots in the node then delete the IP address of the offline super bot. ◦ When that super bot comes online again, it is a stranger and is required to join the botnet as a new bot. ◦ Peer bots going offline does not affect the operation of the proposed botnet. ◦ When they are powered on again, they connect to the IP addresses contained in their super files and rejoin the botnet.

4. BOTNET CONTROL B. Command Authentication ◦ When a new super bot emerges, it sends an e-mail to the botmaster's mailbox. ◦ Each e-mail contains the IP address of a super bot. ◦ When the botmaster wants to send commands, he finds a super bot via these e-mails. ◦ He then injects a command message, digitally signed with his private key K-, into the super file saved on that super bot.

4. BOTNET CONTROL ◦ Because the super file has been edited, the super bot sends messages to the other super bots in the current node; this is the same process as an update. ◦ The botmaster's command thus reaches every bot through the update process.

5. PERFORMANCE EVALUATION Simulation tests were run to evaluate the proposed botnet. Two performance criteria were used for comparison: command transmission speed and botnet robustness.

5. PERFORMANCE EVALUATION A. Simulation Parameters ◦ The researchers used Network Simulator 2.34 under Ubuntu 9.10 to simulate a network with 8000 nodes, of which 500 could be super bots. ◦ Time in the simulated network moved 60 times faster than real time. ◦ The open-source P2P bot program Phatbot was used for comparison with the proposed botnet.

5. PERFORMANCE EVALUATION B. Command Transmission Speed ◦ To test the command transmission speed of the proposed botnet and of the Phatbot botnet (Phatbotnet), the same command was injected into both botnets. ◦ The command was to send a UDP packet to a designated IP address.

5. PERFORMANCE EVALUATION ◦ Because the peer bots start attacking as soon as they receive the command, the command transmission speed can be obtained by analyzing the relationship between time and the number of UDP packets the target host received.

5. PERFORMANCE EVALUATION ◦ Nevertheless, command transmission in the proposed botnet is a little slower than in the Phatbotnet.

5. PERFORMANCE EVALUATION C. Botnet Robustness ◦ To test the robustness of the proposed botnet and of the Phatbotnet, we reduced the number of super bots and sent the command again. ◦ 50 super bots were removed each time, and the command to send a UDP packet was injected again.

5. PERFORMANCE EVALUATION ◦ Botnet robustness can thus be obtained by analyzing the relationship between the number of removed super bots and the number of UDP packets the target host received.

5. PERFORMANCE EVALUATION ◦ The result shows the strong resistance of the proposed botnet against defense. ◦ It is much stronger than the Phatbotnet.

5. PERFORMANCE EVALUATION D. Robustness Mathematical Analysis ◦ Assume that each virtual node contains m super bots. ◦ A virtual node is disconnected from the others when all the super bots in it have been removed. ◦ Because removal is random, each super bot has the same probability p of being removed.

5. PERFORMANCE EVALUATION ◦ Thus, the probability that a virtual node is disconnected is p^m. ◦ Therefore, every virtual node has the same probability 1 - p^m of staying connected. ◦ These virtual nodes provide a robust botnet.
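The p^m argument treats each removal as independent. As an added example (not from the paper or the presenters), the following Python works the same question for the setup the simulation actually describes, 500 super bots removed 50 at a time, and checks the p^m approximation against the exact without-replacement (hypergeometric) value and a Monte Carlo run; it assumes m = 5 super bots per virtual node.

```python
# Added example: the section D robustness argument worked through.  A virtual
# node is cut off only when all m of its super bots are removed.  The slides
# use independent removal with probability p, giving p**m; removing exactly
# k of S super bots at random is hypergeometric and converges to p**m as S
# grows.  Assumed: m = 5 super bots per virtual node, S = 500 as in the slides.
import math
import random


def disconnect_prob_independent(p: float, m: int) -> float:
    """Slide model: each super bot is removed independently with probability p."""
    return p ** m


def disconnect_prob_exact(total_super: int, removed: int, m: int) -> float:
    """Probability that all m super bots of one virtual node are among the
    `removed` super bots chosen uniformly without replacement from `total_super`."""
    if removed < m:
        return 0.0
    return math.comb(removed, m) / math.comb(total_super, m)


def expected_connected_nodes(total_super: int, removed: int, m: int) -> float:
    """Expected number of virtual nodes that keep at least one super bot."""
    nodes = total_super // m
    return nodes * (1.0 - disconnect_prob_exact(total_super, removed, m))


def simulate_disconnected_fraction(total_super: int, removed: int, m: int,
                                   trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo: super bot i lives in virtual node i // m; remove `removed`
    super bots at random and return the mean fraction of nodes cut off."""
    rng = random.Random(seed)
    nodes = total_super // m
    cut_off = 0
    for _ in range(trials):
        lost = [0] * nodes
        for bot in rng.sample(range(nodes * m), removed):
            lost[bot // m] += 1
        cut_off += sum(1 for c in lost if c == m)
    return cut_off / (trials * nodes)


if __name__ == "__main__":
    S, M = 500, 5  # 500 super bots as in the slides' simulation; m = 5 assumed
    print("removed  p^m model    exact  simulated")
    for k in range(50, S, 50):
        print(f"{k:7d} {disconnect_prob_independent(k / S, M):10.5f}"
              f" {disconnect_prob_exact(S, k, M):8.5f}"
              f" {simulate_disconnected_fraction(S, k, M, trials=300):10.5f}")
```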

6. CONCLUSION ◦ Researching the evolution of botnets, as well as possible botnet construction methods, deepens our understanding of the details of botnets and guides botnet defense research. ◦ In this paper, we present the design of a hybrid structure P2P botnet based on Chord. ◦ Simulation results show that, compared with current botnets, the proposed one is much harder to shut down.

6. CONCLUSION ◦ It provides robust network connectivity and individualized encryption. ◦ Therefore, more research should be invested in defending against such new botnets.

Q&A

Thank you for watching