FluXOR: Detecting and Monitoring Fast-Flux Service Networks Emanuele Passerini, Roberto Paleari, Lorenzo Martignoni, and Danilo Bruschi 5th international.

Presentation transcript:

FluXOR: Detecting and Monitoring Fast-Flux Service Networks
Emanuele Passerini, Roberto Paleari, Lorenzo Martignoni, and Danilo Bruschi
5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2008)
Date: 2011/02/14
Reporter: Shu-Ping Yu
Advisor: Chun-Ying Huang

Outline
  – Introduction
  – Characterizing Fast-Flux Service Networks
  – Combining the Features for Detection
  – Architecture and Implementation of the System
  – Experimental Results
  – Conclusion

Introduction
Malware
  – With malicious intents
  – "Installed" on the machines => bots
  – Spam mails, DDoS attacks, and phishing websites
Fast-Flux Service Networks
  – Resemble Round-Robin DNS (RRDNS), Content Distribution Networks (CDNs), and network load balancing
FluXOR system
  – Detects and monitors fast-flux service networks
  – 9 distinguishing features

Comparison of Normal Network and Fast-Flux Network

Characterizing Fast-Flux Service Networks

Features Characterizing the Domain Name
Domain age (F1)
  – Benign domain => long age
  – Malicious domain => registered for a short period of time (less than five weeks)
Domain registrar (F2)
  – Registered through a limited number of registrars
  – Registrars operating under lax legislation

Features Characterizing the Degree of Availability of the Network
Number of distinct DNS "A" records (F3)
  – A query returns multiple "A" records
  – The fast-flux mother-ship updates them
  – "A" records ↑, Fast-Flux ↑
Time-to-live of DNS resource records (F4)
  – Agents are updated very frequently
  – Short time-to-live (TTL)
  – TTL ↑, Fast-Flux ↓

Features Characterizing the Heterogeneity of the Agents
Number of distinct networks (F5)
  – Agents are spread around the world => different networks
  – Benign => same network
  – Distinct networks ↑, Fast-Flux ↑
Number of distinct autonomous systems (F6)
  – Distinct networks that are physically close => same AS
  – Benign => same AS
  – Fast-Flux => different ASes

Features Characterizing the Heterogeneity of the Agents (cont.)
Number of distinct resolved qualified domain names (F7)
  – Owned by the same company or organization
Number of distinct assigned network names (F8)
  – Multiple network addresses => same network name
Number of distinct organizations (F9)
  – The same organization can own multiple network names

Features Characterizing the Heterogeneity of the Agents (cont.)

Combining the Features for Detection
A short period of time => 3 hours
  – 75 benign and 215 malicious
Naive Bayesian classifier
  – Training data: malicious (spam mail), benign (spam and non-spam mail)

Architecture and Implementation of the System
Three components
  – Collectors (1~n), monitors (1~n), detector (1)

Components
Collectors
  – Current (e-mails), future (Web crawlers, honeypots)
Monitors
  – Suspicious and malicious hostnames
  – Query name servers and WHOIS servers
Detector
  – Naive Bayesian classifier

Experimental Results
Run of the FluXOR system
  – Beginning ~ middle of January
  – Monitors and detector on the same machine
  – Collectors on the mail server of the lab

Detection Accuracy
Extract the features
  – After one, two, three hours
  – Training dataset (50 benign + 75 malicious)
  – Cross-validation with 5 and 10 folds
Filter the benign
  – Only two or fewer IP addresses
Some fast-flux networks
  – After 1 hour (3~5 IPs), after 3 hours (7~8 IPs)
  – After several days (hundreds of hosts)
Zero false positives
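Features F3 to F9 from the "Characterizing" slides and the two-or-fewer-IPs pre-filter from the accuracy slide above, worked through as an added example; this is not code from the FluXOR paper or the presentation. The hostnames, addresses, AS numbers and WHOIS fields are constructed, and treating a /24 prefix as a "network" for F5 is an assumption.

```python
import ipaddress
from collections import namedtuple

# One resolution by a FluXOR monitor: answer TTL and the A records returned.
Snapshot = namedtuple("Snapshot", "ttl a_records")

# Constructed stand-in for the reverse-DNS and WHOIS lookups the monitors make:
# ip -> (reverse name, autonomous system, WHOIS network name, WHOIS organisation)
AGENT_INFO = {
    "198.51.100.7":  ("dsl-7.isp-a.example",     "AS64501", "ISP-A-DSL",   "ISP A"),
    "198.51.100.9":  ("dsl-9.isp-a.example",     "AS64501", "ISP-A-DSL",   "ISP A"),
    "203.0.113.20":  ("cable-20.isp-b.example",  "AS64502", "ISP-B-CABLE", "ISP B"),
    "203.0.113.200": ("cable-200.isp-b.example", "AS64502", "ISP-B-CABLE", "ISP B"),
    "192.0.2.33":    ("www1.site-c.example",     "AS64503", "SITE-C-NET",  "Site C"),
    "192.0.2.34":    ("www2.site-c.example",     "AS64503", "SITE-C-NET",  "Site C"),
}

# Constructed monitoring windows: lookups at t=0, +1h, +2h, +3h.
FAST_FLUX = [  # agents rotate on every lookup, short TTL
    Snapshot(300, ["198.51.100.7", "203.0.113.20"]),
    Snapshot(300, ["198.51.100.9", "192.0.2.33"]),
    Snapshot(300, ["203.0.113.200", "198.51.100.7"]),
    Snapshot(300, ["192.0.2.34", "203.0.113.20"]),
]
BENIGN = [  # a two-server site with a long TTL, stable across the window
    Snapshot(86400, ["192.0.2.33", "192.0.2.34"]),
    Snapshot(86400, ["192.0.2.34", "192.0.2.33"]),
]

def extract_features(snapshots):
    """Compute FluXOR features F3-F9 over every agent seen in the window."""
    ips = {ip for s in snapshots for ip in s.a_records}
    info = [AGENT_INFO[ip] for ip in ips]
    # F5 approximates "distinct networks" by /24 prefixes (assumption).
    nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip in ips}
    return {
        "F3": len(ips),                                          # distinct A records
        "F4": min(s.ttl for s in snapshots),                     # shortest TTL seen
        "F5": len(nets),
        "F6": len({asn for _, asn, _, _ in info}),               # distinct ASes
        "F7": len({n.split(".", 1)[1] for n, _, _, _ in info}),  # resolved domains
        "F8": len({nn for _, _, nn, _ in info}),                 # network names
        "F9": len({org for _, _, _, org in info}),               # organisations
    }

def prefilter(features):
    """Cheap filter from the accuracy slide: two or fewer IPs is benign."""
    return "benign" if features["F3"] <= 2 else "suspicious"
```

The rotating window yields six agents in three networks, three ASes and three organisations after four lookups, while the stable site is dropped by the pre-filter before any classification.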

Empirical Analysis of the Fast-Flux Service Networks Phenomenon

Conclusion - Advantages
Distinguishing features
  – DNS information such as domain age and registrar
Long TTL time improvement
  – 1~3 hours
Effectiveness result
  – Accuracy rate is 100%

Conclusion - Limitations
Delayed detection problem
  – Wait 1~3 hours for extracting the features
Long TTL time problem
  – If the TTL of the fast-flux network is longer
Efficiency problem
  – A large number of WHOIS queries
