BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu, Roberto Perdisci, Junjie Zhang, and.

Presentation transcript:

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology Presented by Joshua Cox

Botnet
- Group of compromised computers
- Controlled by remote commands
- Malicious activities: DDoS attacks, spam, phishing, identity theft
- Protocols: IRC, HTTP, P2P

Centralized Botnets
- Botmaster sends command to designated C&C server
- Bots request commands from server

P2P Botnets
- No C&C server
- Botmaster sends command to any bot
- Bots share commands with neighbors

Rishi
- Detects IRC-based botnets
- Monitors traffic for suspicious nicknames, suspicious servers, and uncommon server ports

BotSniffer
- Network-based anomaly detection
- All bots within a botnet will share similar traffic patterns
- Works with IRC and HTTP botnets
- Does not detect P2P botnets

BotHunter
- Works with IRC, HTTP, and P2P botnets
- Relies on the "Infection Lifecycle Model"
- What if the botnet changes its lifecycle?

BotMiner Objective
- Detect groups of compromised machines that are part of a botnet
- Independent of C&C communication structure and content
- Minimal false positives
- Resource-efficient detection

BotMiner Architecture (diagram)

C-plane Monitor: who is talking to whom?
- TCP and UDP traffic flows: time, duration, source, destination, packet count, bytes transferred
- Manageable log size: less than 1 GB per day for a 300 Mbps network

A-plane Monitor: who is doing what?
- Detects malicious activities: scanning, binary downloading, spamming, exploit attempts
- Snort with custom plugins (expandable)

C-plane Clustering: which machines have similar communication patterns?
- C-plane monitor logs → cluster reports

C-plane Clustering: Basic Filtering
- Remove internal flows
- Remove one-way flows

C-plane Clustering: White Listing
- Remove flows to popular destinations (Google, Yahoo, etc.)

C-plane Clustering: Aggregation
- C-flow: all traffic flows over a period of time that share the same source, destination, and protocol

C-plane Clustering: Feature Extraction
- Flows per hour
- Packets per flow
- Bytes per packet
- Bytes per second

C-plane Clustering: Two-step Clustering
- Coarse-grained and refined clustering
- X-means clustering algorithm
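The C-plane steps above (basic filtering, whitelisting, aggregation into C-flows, feature extraction) on a handful of constructed flow records, as an added example that is not code from the paper or the presentation. It assumes a 10.0.0.0/24 monitored network, a one-entry whitelist standing in for Google/Yahoo-style destinations, and a one-hour aggregation window; the X-means clustering step is not included.

```python
from collections import defaultdict

# Constructed C-plane flow records (not from the paper):
# (src, dst, proto, duration_s, pkts_fwd, pkts_back, bytes_total)
FLOWS = [
    ("10.0.0.5", "203.0.113.9", "tcp", 2.0, 12, 10, 960),
    ("10.0.0.5", "203.0.113.9", "tcp", 2.5, 12, 10, 980),
    ("10.0.0.7", "203.0.113.9", "tcp", 1.0, 12, 9, 950),
    ("10.0.0.5", "10.0.0.8", "tcp", 0.1, 3, 2, 200),         # internal: dropped
    ("10.0.0.6", "198.51.100.1", "udp", 0.2, 1, 0, 60),      # one-way: dropped
    ("10.0.0.6", "142.250.0.1", "tcp", 3.0, 40, 30, 50000),  # whitelisted: dropped
]
INTERNAL_PREFIX = "10.0.0."   # assumed monitored network
WHITELIST = {"142.250.0.1"}   # assumed stand-in for popular destinations
WINDOW_HOURS = 1.0            # assumed aggregation period

def basic_filter(flows):
    """Drop internal-to-internal flows and flows that never got a reply."""
    internal = lambda ip: ip.startswith(INTERNAL_PREFIX)
    return [f for f in flows if not (internal(f[0]) and internal(f[1])) and f[5] > 0]

def whitelist_filter(flows):
    """Drop flows to popular, whitelisted destinations."""
    return [f for f in flows if f[1] not in WHITELIST]

def aggregate_cflows(flows):
    """A C-flow is every flow in the window sharing (src, dst, proto)."""
    cflows = defaultdict(list)
    for f in flows:
        cflows[(f[0], f[1], f[2])].append(f)
    return dict(cflows)

def extract_features(cflow):
    """Per C-flow: flows per hour, packets per flow, bytes per packet, bytes per second."""
    n = len(cflow)
    pkts = sum(f[4] + f[5] for f in cflow)
    byts = sum(f[6] for f in cflow)
    dur = sum(f[3] for f in cflow)
    return (n / WINDOW_HOURS, pkts / n, byts / pkts, byts / dur)

def cplane_pipeline(flows):
    """Filtered, whitelisted, aggregated flows -> {cflow key: feature vector}."""
    kept = whitelist_filter(basic_filter(flows))
    return {k: extract_features(v) for k, v in aggregate_cflows(kept).items()}

if __name__ == "__main__":
    for key, feats in cplane_pipeline(FLOWS).items():
        print(key, ["%.1f" % x for x in feats])
```

The two surviving C-flows (10.0.0.5 and 10.0.0.7 talking to the same external host over TCP) end up with near-identical feature vectors, which is exactly what the clustering step would later group together.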

A-plane Clustering: which machines have similar activity patterns?
- A-plane monitor logs → cluster reports

A-plane Clustering: Activity Type Clustering
- scan, spam, binary download, exploit

A-plane Clustering: Activity Feature Clustering
- target subnet, similar binary, spam content, exploit type

Cross-plane Correlation: which machines are in a botnet?
- Botnet score: number of clusters a host appears in, score of other hosts in the same clusters, activity weighting
- Which bots are in the same botnet?
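A simplified cross-plane correlation over constructed A-plane and C-plane cluster reports, as an added example (not the paper's exact scoring function). Each host gets credit for every pair of activity clusters it belongs to and for every activity cluster that overlaps a communication cluster it belongs to, weighted by activity type; hosts over a threshold that share both an activity cluster and a communication cluster are grouped as one botnet. The cluster contents, weights and threshold are assumptions.

```python
# Constructed A-plane and C-plane cluster reports (not from the paper).
A_CLUSTERS = {                      # activity clusters: "type[:feature]" -> hosts
    "scan:203.0.113.0/24": {"h1", "h2", "h3"},
    "spam":                {"h1", "h2", "h9"},
}
C_CLUSTERS = {                      # communication clusters -> hosts
    "c1": {"h1", "h2", "h3", "h4"},
    "c2": {"h5", "h9"},
}
# Assumed activity weights: binary download / exploit count as stronger evidence.
WEIGHTS = {"scan": 0.5, "spam": 0.5, "download": 1.0, "exploit": 1.0}

def weight(cluster_name):
    return WEIGHTS[cluster_name.split(":")[0]]

def overlap(x, y):
    """Fraction of the smaller cluster whose hosts also appear in the other."""
    return len(x & y) / min(len(x), len(y))

def botnet_score(host):
    """Simplified score: credit for each pair of activity clusters the host is in,
    and for each activity cluster overlapping a C-plane cluster the host is in."""
    mine = [a for a, hosts in A_CLUSTERS.items() if host in hosts]
    score = 0.0
    for i, a in enumerate(mine):
        for b in mine[i + 1:]:
            score += weight(a) * weight(b) * overlap(A_CLUSTERS[a], A_CLUSTERS[b])
        for c in C_CLUSTERS.values():
            if host in c:
                score += weight(a) * overlap(A_CLUSTERS[a], c)
    return score

def linked(a, b):
    """Two hosts belong to the same botnet if they share an A- and a C-cluster."""
    return (any(a in s and b in s for s in A_CLUSTERS.values())
            and any(a in s and b in s for s in C_CLUSTERS.values()))

def group_botnets(threshold):
    """Hosts scoring at or above threshold, grouped transitively by linked()."""
    left = {h for hosts in A_CLUSTERS.values() for h in hosts if botnet_score(h) >= threshold}
    groups = []
    while left:
        seed = left.pop()
        group, todo = {seed}, [seed]
        while todo:
            h = todo.pop()
            for other in [o for o in left if linked(h, o)]:
                left.discard(other)
                group.add(other)
                todo.append(other)
        groups.append(frozenset(group))
    return groups
```

Host h4 only shares a communication cluster and h9 only an activity cluster, so neither reaches the threshold; h1, h2 and h3 both talk alike and act alike and form the one detected botnet.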

Test Case
- Georgia Tech campus network: up to 300 Mbps, wide variety of protocols
- Ran monitors for 10 days
- Obtained traces for 8 botnets: IRC, HTTP, and P2P

Botnets Used
- Overlaid malicious traffic on normal traffic
- Mapped IPs from random hosts to bots

Filtering Results
- Internal/external filter reduces data by 90%
- 10 billion packets reduced to 50k C-flows

Detection Results
- All botnets detected
- 99.6% bot detection
- 0.3% false positive rate

Limitations
- Traffic randomization and mimicry: C-plane cluster evasion
- Individual or group commands: A-plane cluster evasion
- Delayed bot tasks: cross-plane analysis evasion

References
- Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee. BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection. In Proceedings of the 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008.
- D. Pelleg and A. W. Moore. X-means: Extending k-means with efficient estimation of the number of clusters. In Proceedings of the Seventeenth International Conference on Machine Learning (ICML'00), pages 727–734, San Francisco, CA, USA, 2000. Morgan Kaufmann Publishers Inc.
- J. Goebel and T. Holz. Rishi: Identify bot contaminated hosts by IRC nickname evaluation. In Proceedings of USENIX HotBots'07, 2007.
- G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee. BotHunter: Detecting malware infection through IDS-driven dialog correlation. In Proceedings of the 16th USENIX Security Symposium (Security'07), 2007.
- G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting botnet command and control channels in network traffic. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), 2008.