11 Automatic Discovery of Botnet Communities on Large-Scale Communication Networks Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani - in ACM Symposium on InformAtion,


11 Automatic Discovery of Botnet Communities on Large-Scale Communication Networks Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani - in ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS’09) Reporter: 高嘉男 Advisor: Chin-Laung Lei 2009/09/28

2 Outline Introduction Methodology Traffic Classification ◦ Payload signature based classification ◦ Identifying unknown traffic applications Botnet Detection Experimental Evaluation Conclusions

3 Life-cycle of an IRC Botnet

4 Approaches of Botnet Detection Honeypots ◦ Capture malware & understand the behavior of botnets. Passive anomaly analysis ◦ Usually independent of the traffic content ◦ Example: BotSniffer & BotMiner Traffic application classification ◦ Classifying traffic into IRC traffic & non-IRC traffic ◦ Can only detect IRC-based botnets

5 Two Challenges of Botnet Detection Detect newly (or recently) appeared botnets ◦ Centralized C&C structure -> decentralized (P2P) structure ◦ Network protocols: IRC or HTTP -> custom-developed protocol Identify applications for network traffic ◦ Port number: limited information ◦ Examine the payload of network flows and then create signatures for each application  Legal issues related to privacy  Encrypted traffic  40% of network flows cannot be classified

6 Methodology

7 Payload Signature based Classification Characteristics of bit strings in the payload

8 Payload Signature based Classification (cont’d)

9 Identifying Unknown Traffic Applications Basic idea: ◦ Association relationship between known traffic & unknown traffic Step 1: ◦ Cluster flows in terms of the src IP & the dst IP ◦ Generate a set of rectangles -> community Step 2: ◦ Cluster flows in terms of the dst IP & the dst port ◦ Generate a set of rectangles -> application community Label each application community ◦ Assign unknown flows a label according to the probability of the known flows' labels in the same community
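The labelling step of slide 9 (application communities keyed by dst IP and dst port, unknown flows taking the most probable known label of their community), as an added example that is not code from the paper or the presentation; the flow records are constructed, and the step 1 src/dst IP communities are omitted:

```python
from collections import Counter, defaultdict

# Constructed sample flows (not the paper's data): each flow is
# (src_ip, dst_ip, dst_port, app_label); "unknown" means the payload
# signature classifier could not label it (e.g. encrypted payload).
FLOWS = [
    ("10.0.0.1", "192.0.2.10", 6667, "irc"),
    ("10.0.0.2", "192.0.2.10", 6667, "irc"),
    ("10.0.0.3", "192.0.2.10", 6667, "unknown"),
    ("10.0.0.4", "192.0.2.10", 6667, "http"),
    ("10.0.0.5", "192.0.2.10", 6667, "unknown"),
    ("10.0.0.1", "192.0.2.20", 443, "unknown"),
    ("10.0.0.2", "192.0.2.20", 443, "unknown"),
    ("10.0.0.6", "192.0.2.30", 80, "http"),
    ("10.0.0.7", "192.0.2.30", 80, "unknown"),
]

def application_communities(flows):
    """Step 2 of the slide: group flows by (dst IP, dst port)."""
    comms = defaultdict(list)
    for f in flows:
        comms[(f[1], f[2])].append(f)
    return comms

def label_distribution(community):
    """Probability of each known label among the community's known flows."""
    known = [f[3] for f in community if f[3] != "unknown"]
    if not known:
        return {}
    counts = Counter(known)
    return {lab: c / len(known) for lab, c in counts.items()}

def label_unknown_flows(flows):
    """Give each unknown flow the most probable known label of its
    application community; a community with no known flow stays unknown."""
    labelled = []
    for comm in application_communities(flows).values():
        dist = label_distribution(comm)
        best = max(dist, key=dist.get) if dist else "unknown"
        for src, dst, port, lab in comm:
            labelled.append((src, dst, port, lab if lab != "unknown" else best))
    return labelled
```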

10 Identifying Unknown Traffic Applications (cont’d)

11 Identifying Unknown Traffic Applications (cont’d)

12 Botnet Detection Objective: ◦ Differentiate botnet behavior from normal traffic on a specific application community Concept: ◦ Temporal-frequent characteristics of the 256 ASCII binary bytes in the payload over a time period Botnet behavior: ◦ Response time of bots: immediate and accurate once they receive commands ◦ Bots might be synchronized with each other

13 Detection Algorithm

14 Detection Algorithm (cont’d) Metric: average standard deviation for each cluster m ◦ The higher the value of the average standard deviation over the 256 ASCII characters for the flows in cluster m, the more normal cluster m is. Given the frequency vectors for n flows: ◦ standard deviation of the j-th ASCII character over the n flows ◦ average of these standard deviations over the 256 ASCII characters for the flows
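The metric of slides 12 and 14 carried through on constructed payloads, as an added example (not the paper's code): each flow becomes a 256-entry byte-frequency vector, the per-byte standard deviation across the n flows is averaged over all 256 entries, and a cluster of synchronized, near-identical bot responses scores much lower than a cluster of ordinary chat flows; the threshold value is an assumption.

```python
import math

# Constructed payloads (not the paper's data). Bot cluster: flows in one
# time window carry near-identical responses because bots answer commands
# immediately and in sync. Normal cluster: ordinary, varied IRC chatter.
BOT_FLOWS = [
    b"PRIVMSG #ch :!status\r\n",
    b"PRIVMSG #ch :!status\r\n",
    b"PRIVMSG #ch :!status\r\n",
    b"PRIVMSG #ch :!uptime\r\n",
]
NORMAL_FLOWS = [
    b"PRIVMSG #ch :hey, anyone seen the meeting notes?\r\n",
    b"PRIVMSG #ch :lol no, try the wiki\r\n",
    b"JOIN #random\r\n",
    b"PRIVMSG #ch :brb lunch :)\r\n",
]

def freq_vector(payload):
    """Relative frequency of each of the 256 byte values in one flow payload."""
    vec = [0.0] * 256
    if not payload:
        return vec
    for b in payload:
        vec[b] += 1
    return [v / len(payload) for v in vec]

def per_byte_stddev(vectors):
    """Population standard deviation of the j-th byte frequency over n flows."""
    n = len(vectors)
    out = []
    for j in range(256):
        col = [v[j] for v in vectors]
        mean = sum(col) / n
        out.append(math.sqrt(sum((x - mean) ** 2 for x in col) / n))
    return out

def average_stddev(payloads):
    """Average of the 256 per-byte standard deviations for one cluster."""
    if len(payloads) < 2:
        raise ValueError("need at least two flows to measure synchrony")
    return sum(per_byte_stddev([freq_vector(p) for p in payloads])) / 256

def classify_cluster(payloads, threshold):
    """Low average deviation = synchronized payloads -> flag as botnet."""
    return "botnet" if average_stddev(payloads) < threshold else "normal"
```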

15 Detection Algorithm (cont’d)

16 Tested Network Topology

17 Evaluation on Traffic Classification Part of known traffic → label them as unknown

18 Evaluation on Botnet Detection

19 Evaluation on Botnet Detection (cont’d)

20 Conclusions They propose a novel application discovery approach for automatically classifying network applications on a large-scale WiFi ISP network. They develop a generic algorithm to discriminate general botnet behavior from normal network traffic on a specific application community, based on n-grams (frequent characteristics) of flow payloads over a time period (temporal characteristics). Evaluation results show that their approach obtains a very high detection rate (approaching 100% for IRC bots) with a low false alarm rate when detecting IRC botnet traffic.

21 Reference Lu, W., M. Tavallaee, and A.A. Ghorbani, “Automatic Discovery of Botnet Communities on Large-Scale Communication Networks”, in ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS’09). 2009: Sydney, Australia.