An Advanced Hybrid Peer-to-Peer Botnet. Ping Wang, Sherri Sparks, Cliff C. Zou, School of Electrical Engineering & Computer Science, University of Central Florida.


Slide 1: An Advanced Hybrid Peer-to-Peer Botnet
Ping Wang, Sherri Sparks, Cliff C. Zou
School of Electrical Engineering & Computer Science, University of Central Florida, Florida

Slide 2: Motivation
- Most research targets current botnets only
  - Relies on the current botnets' architecture, infection methods, and control network
- Studying current botnets is important, but not enough
  - May not work if botmasters upgrade their future botnets
- We must study one step ahead
  - How will botnets evolve?
  - How do we defend against future botnets?

Slide 3: Current Botnet Control Architecture
[Figure: botmaster, C&C servers, bots]

Slide 4: Peer-to-Peer (P2P) based Control Architecture?
- P2P control is a natural evolution
  - A P2P-based botnet is much harder to shut down
- But the P2P upgrade is not so simple
  - Current P2P protocols are not suitable
    - Easy exposure of botnet members
    - Excess traffic susceptible to detection
    - Bootstrap process works against the design goal
  - Botmasters need easy control/monitoring of their botnets

Slide 5: Proposed Hybrid P2P Botnet
- Servent bots: static IPs, able to receive connections
  - The static-IP requirement ensures a stable, long-lifetime control topology
- Each bot connects to its "peer list"
  - Only servent bot IPs are in peer lists
[Figure: servent bots, client bots, botmaster; legend: bot, C&C]
- Dramatically increases the number of C&C servers

Slide 6: Botnet Command and Control
- Individualized encryption key
  - Servent bot i generates its own symmetric key K_i
  - Any bot connecting with bot i uses K_i
  - A bot must have (IP_i, K_i) in its peer list to connect to bot i
- Individualized service port
  - Servent bot i chooses its port P_i to accept connections
  - A bot must have (IP_i, K_i, P_i) in its peer list to connect to bot i
- Benefits to botmasters:
  - No global exposure if some bots are captured
  - Dispersed network traffic
  - Gets through some firewalls (e.g., HTTP, SMTP, SSH holes)

Slide 7: Botnet Monitoring by the Botmaster
- Botmasters need to know their weapons
  - Botnet size
  - Bot IPs, types (e.g., DHCP ones used for spam)
  - Distribution, bandwidth, diurnal pattern ...
- Monitor via a dynamic sensor
  - Sensor IP given in the monitor command
  - One sensor, one shot, then destroy it
  - Use a sensor's current service to blend in incoming bot traffic

Slide 8: P2P Botnet Construction
- Botnet networked by peer list
- Basic procedures
  - New infection: pass on the peer list
  - Reinfection: mix the two peer lists
  - Ensure balanced connectivity

Slide 9: P2P Botnet Construction
- OK? No!
  - A real botnet is small compared to the vulnerable population
    - Most current botnets: size ≤ 20,000
  - Reinfection happens rarely
  - Topology is not balanced via new infection only
- Simulation results:
  - 500,000 vulnerable population
  - Botnet stops infection after reaching 20,000
  - Peer list = 20, 21 initial servent bots, 5000 bots are servent bots
  - Results:
    - < 1000 reinfection events
    - Initial servent bots: > 14,000 in-degree
    - 80% of servent bots: < 30 in-degree

Slide 10: P2P Botnet Construction
- Peer-list updating procedure
  - Obtain the current servent bots' information
  - Ask every bot to connect to the sensor to obtain a new peer list
- Result: all bots have balanced connectivity to the servent bots used in this procedure
  - Running it once is enough for a robust botnet
  - Can be used to reconnect a broken botnet

Slide 11: Botnet Robustness Study
- 500,000 vulnerable population, botnet = 20,000
- Peer list = 20, 5000 bots are servent bots
- Run peer-list updating once when having 1000 servent bots

Slide 12: Botnet Robustness Analysis
C(p) = 1 - p^M, where M is the peer-list size

Slide 13: Defense Against the Botnet
- Shut down a botnet before the first peer-list updating procedure
  - Initial servent bots are the weak points at the beginning
- Honeypot-based defense:
  - Poison control by posing as servent bots
  - But the botnet can survive with 20% of servent bots left
  - Clone a large set of "servent" bots
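The robustness claim behind slides 11 to 13 (the closed form C(p) = 1 - p^M on slide 12, and "the botnet can survive with 20% of servent bots left" on slide 13) can be checked numerically. The following is an added example and not code from the Wang/Sparks/Zou paper. The slide does not define p; the example reads p as the fraction of servent bots that have been taken down (an assumption), so C(p) is the probability that a bot whose peer list holds M servent entries still has at least one reachable peer. A Monte Carlo run over a constructed population with the slide-11 parameters cross-checks the closed form, and removal_needed() (a hypothetical helper, not from the paper) answers the defender's question: how much of the servent population must be removed before a given share of bots loses its C&C channel. The uniform-sampling model of peer lists is also an assumption, suggested by the balanced connectivity described on slide 10.

```python
"""Robustness of a peer-list based C&C layer when servent bots are taken down.

Added example, not code from the paper.  Reads p as the fraction of servent
bots removed (assumption; the slide does not define p) and evaluates the
slide-12 closed form C(p) = 1 - p^M, with a Monte Carlo cross-check over a
constructed population that uses the slide-11 parameters.
"""
import random


def connected_probability(p: float, m: int) -> float:
    """Slide-12 closed form: P(at least one of the M listed peers survives)."""
    if not 0.0 <= p <= 1.0 or m < 1:
        raise ValueError("p must be in [0, 1] and m >= 1")
    return 1.0 - p ** m


def removal_needed(target_c: float, m: int) -> float:
    """Invert C(p): fraction p of servent bots to remove so that C(p) == target_c.

    Hypothetical helper (not in the paper); from 1 - p^M = C follows p = (1 - C)^(1/M).
    """
    if not 0.0 <= target_c <= 1.0 or m < 1:
        raise ValueError("target_c must be in [0, 1] and m >= 1")
    return (1.0 - target_c) ** (1.0 / m)


def simulate_connectivity(n_servent: int, n_bots: int, m: int, p: float,
                          seed: int = 1) -> float:
    """Monte Carlo check of C(p).

    Assumption (mine): after the peer-list updating procedure every peer list
    is an independent uniform sample of m servent ids, as the balanced
    connectivity on slide 10 suggests.  The population is constructed; integer
    ids stand in for the (IP_i, K_i, P_i) entries of slide 6.
    """
    rng = random.Random(seed)
    servents = range(n_servent)
    peer_lists = [rng.sample(servents, m) for _ in range(n_bots)]
    # The defender removes a fraction p of the servent population at random.
    removed = set(rng.sample(servents, round(p * n_servent)))
    still_connected = sum(1 for pl in peer_lists
                          if any(s not in removed for s in pl))
    return still_connected / n_bots


def robustness_table(m: int, fractions=(0.2, 0.5, 0.8, 0.9, 0.95, 0.99)) -> dict:
    """C(p) for several removal fractions, keyed by p."""
    return {p: connected_probability(p, m) for p in fractions}


if __name__ == "__main__":
    M = 20                                  # peer-list size from slide 11
    for p, c in robustness_table(M).items():
        print(f"remove {p:4.0%} of servent bots -> {c:6.2%} of bots keep a live peer")
    # Slide 11: 5000 servent bots, botnet of 20,000, peer list of 20.
    print(f"Monte Carlo, p=0.8: {simulate_connectivity(5000, 20000, M, 0.8):.4f}")
    for target in (0.5, 0.1, 0.01):
        print(f"to push C(p) down to {target:.0%}, remove "
              f"{removal_needed(target, M):.1%} of servent bots")
```

With M = 20, removing 80% of the servent bots still leaves about 98.8% of bots with a live peer, which is why slide 13 treats plain takedown as insufficient and turns to honeypot poisoning and to hitting the initial servent bots before the first peer-list update.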

Slide 14: Monitoring Against the Botnet
- Forensic analysis of the botmaster's sensor
  - Could obtain the IPs of all reported bots
  - Challenges:
    - Logging of an unknown port service and IP beforehand
    - Distinguishing normal clients from reporting bots
- Honeypot-based monitoring
  - Obtain peer lists from incoming infections
  - Obtain many copies of new peer lists during the peer-list updating procedure
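One way a defender can use the peer lists that honeypots collect (slide 14) is to size the hidden servent layer, which is the botnet-size question slide 7 says the botmaster cares about, turned around. The following is an added example and not code from the paper. Each captured entry is a (IP_i, K_i, P_i) triple (slide 6), so the union of captured lists is an inventory of servent bots, and the overlap between lists indicates how much of the servent population has been seen. Assumption (mine, not the slide's): every captured list is an independent uniform sample of M of the N servent bots, as the balanced connectivity on slide 10 suggests. Under that model the expected number of distinct entries across k lists is N * (1 - (1 - M/N)^k); estimate_servent_population() (a hypothetical helper) inverts it by bisection. The population and the captured lists are constructed, with integer ids standing in for the real triples.

```python
"""Sizing the hidden servent layer from peer lists that honeypots capture.

Added example for slide 14; not code from the paper.  Model assumption: each
captured peer list is an independent uniform M-subset of the N servent bots.
Then E[distinct entries over k lists] = N * (1 - (1 - M/N)^k), which is
increasing in N and can be inverted for N from the observed distinct count.
"""
import random
from typing import Iterable, Optional


def expected_distinct(n: float, m: int, k: int) -> float:
    """Expected number of distinct servent entries across k uniform M-subsets of n."""
    return n * (1.0 - (1.0 - m / n) ** k)


def estimate_servent_population(distinct: int, m: int, k: int,
                                upper: float = 1e8) -> Optional[float]:
    """Invert expected_distinct(): the n whose expectation equals the observed count.

    Returns None when the lists never overlap (distinct == m * k): the data
    then only says the population is large, and no finite estimate is justified.
    """
    if distinct >= m * k:
        return None
    if distinct < m:
        raise ValueError("cannot observe fewer entries than one list holds")
    lo, hi = float(distinct), upper         # expected_distinct is increasing in n
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if expected_distinct(mid, m, k) < distinct:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def capture_peer_lists(n_servent: int, m: int, k: int, seed: int = 0) -> list:
    """Constructed stand-in for what honeypots would collect: k peer lists."""
    rng = random.Random(seed)
    return [frozenset(rng.sample(range(n_servent), m)) for _ in range(k)]


def distinct_entries(lists: Iterable[frozenset]) -> int:
    """Size of the servent inventory: the union of all captured lists."""
    return len(set().union(*lists))


if __name__ == "__main__":
    N, M = 5000, 20          # servent count and peer-list size from slide 11
    K = 300                  # constructed number of captured peer lists
    lists = capture_peer_lists(N, M, K, seed=7)
    seen = distinct_entries(lists)
    est = estimate_servent_population(seen, M, K)
    print(f"{K} captured lists, {seen} distinct servent entries "
          f"-> estimated servent population {est:.0f} (true {N})")
```

The inventory itself (the union of captured entries) is what a takedown or a poisoning campaign would act on; the estimate tells the defender how much of the servent layer that inventory covers. If the honeypots' view is biased toward a subset of servent bots, the uniform-sampling assumption fails and the estimate is a lower bound on N rather than a point estimate.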

Slide 15: Summary
- P2P-based botnets are much harder to defend against
- Proposed a hybrid P2P botnet
  - Two classes of bots
  - Individualized encryption and service port
  - Limited exposure by each bot
  - Botmaster's monitoring capability
  - Peer-list updating procedure

Slide 16: Discussion
- Any other effective ways to monitor/defend against botnets besides honeypots?
- Is there a way to solve the dilemma of:
  - No exposure of a large part of the botnet?
  - Easy botmaster monitoring and botnet construction without a centralized sensor?
- How soon will botmasters really upgrade the current C&C-based architecture?
- How soon will botmasters care about the honeypot threat?

Slide 17: Points to Add
- Peer-list updating can be used to change the topology of the current botnet
- Study how honeypot monitoring changes as more and more honeypots act as servent bots
  - Could have an analytical model


Slide 19: Weaknesses of Current Botnets
- Control structure built on one layer of C&C servers
  - Bottleneck in control
  - Susceptible to monitoring/interception of the C&C servers
- Most rely on IRC-based C&C servers
  - Susceptible to IRC-traffic-based monitoring/detection
- Other issues:
  - Most have no or only simple encryption and authentication
  - Have no honeypot detection feature

Slide 20: Botnet Command and Control
- Command authentication
  - Botmaster: private key used to sign commands
  - Each bot: public key contained in the bot code
- Can be done in current botnets
- Not the focus of this paper