Appears in IEEE TDSC 2008. Presented by Wei-Cheng Xiao.

 Introduction
 Proposed hybrid P2P botnet
   Two classes of bots
   Command and control
   Botmaster's monitoring
   Botnet construction
 Botnet robustness study
 Defences against the proposed botnet
 Discussions
 Summary

 Most current research focuses on existing botnets.
 Studying current botnets is important, but not enough: botmasters may upgrade their future botnets.
 It is necessary to study possible advanced future botnets.
   How will botnets evolve?
   How can we defend against future botnets?

 Phatbot uses Gnutella cache servers for its bootstrap process.
   Easy to shut down or block.
 Sinit removes the bootstrap procedure and uses random probing to find other bots.
   Poor connectivity.
 Slapper implements neither command encryption nor command authentication.
   Easy to hijack.

 The paper proposes a hybrid P2P botnet with the following features:
   Two classes of bots: servent and client
   Command authentication and individualized encryption
   Limited-size peer lists
   Dynamically changeable sensors for monitoring the bots
   No bootstrap procedure
   Balanced and robust connectivity
 It then analyzes several possible defences against this botnet.

 Servent (server + client) bot
   Has a public, static IP address.
 Client bot
   Dynamic IP, private IP, behind a firewall, ...
 Only servents appear in peer lists.
 Servents act as C&C servers, so this botnet has many more C&C servers than other botnets do.

 Command authentication
   Every command carries the botmaster's digital signature.
   Prevents hijacking.
 Individualized command encryption key
   The command traffic itself uses symmetric encryption (only the signature is public-key).
   Each bot keeps a list of tuples (IP_i, K_i, P_i) as its peer list.
   Messages between a bot and servent i are encrypted with the key K_i.

 Individualized service port
   Each servent i picks a port P_i for its communication.
   The port can be chosen at random, or taken from a standard encrypted-service port such as SSH (22), HTTPS (443) or IMAPS (993).
 Benefits for botmasters
   Prevents hijacking.
   No global exposure if some bots are captured: only the keys and ports in the captured bot's own limited-size peer list are revealed.
   Dispersed network traffic, which is harder to detect.
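The command-and-control design on the two slides above, as an added Go example that is not the paper's or the presenter's code: the botmaster signs a command with an Ed25519 key, the message to servent i is encrypted with that servent's own symmetric key K_i (AES-GCM here; the slides do not name the cipher), and the receiving bot rejects anything that fails either check. The addresses, ports, the "report" and "update" payloads and the choice of Ed25519 with AES-GCM are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Peer is one peer-list entry (IP_i, K_i, P_i) from the slides: the servent's
// address, the symmetric key shared with that servent and its service port.
type Peer struct {
	IP   string
	Port int    // P_i, individualized service port
	Key  []byte // K_i, 32-byte AES-256 key unique to this servent
}

// NewPeer makes up a peer entry with a fresh random K_i (constructed sample data).
func NewPeer(ip string, port int) (Peer, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return Peer{}, err
	}
	return Peer{IP: ip, Port: port, Key: k}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Seal packages a signed command for servent i: sig || payload, encrypted
// with K_i under AES-GCM, with the random nonce prepended to the ciphertext.
func Seal(p Peer, payload, sig []byte) ([]byte, error) {
	gcm, err := gcmFor(p.Key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, sig...), payload...)
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Open is the receiving bot's check: decrypt with K_i, then verify the
// botmaster's signature. Either failure rejects the command.
func Open(p Peer, master ed25519.PublicKey, wire []byte) ([]byte, error) {
	gcm, err := gcmFor(p.Key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(wire) < ns {
		return nil, errors.New("message too short")
	}
	plain, err := gcm.Open(nil, wire[:ns], wire[ns:], nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong K_i or tampered ciphertext")
	}
	if len(plain) < ed25519.SignatureSize {
		return nil, errors.New("plaintext too short")
	}
	sig, payload := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(master, payload, sig) {
		return nil, errors.New("signature check failed: not from the botmaster")
	}
	return payload, nil
}

// Scenario runs three cases and reports which ones the receiving bot accepts:
// a genuine signed command; a hijack attempt by someone who holds K_1 but not
// the botmaster's private key; a genuine message decrypted under the wrong
// servent's key.
func Scenario() (genuineOK, hijackRejected, wrongKeyRejected bool, err error) {
	masterPub, masterPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	s1, err := NewPeer("198.51.100.10", 443) // constructed RFC 5737 test addresses
	if err != nil {
		return
	}
	s2, err := NewPeer("198.51.100.20", 993)
	if err != nil {
		return
	}
	cmd := []byte("report") // the "report" command named on the slides

	// 1. Botmaster signs; the message travels to servent 1 under K_1.
	wire, err := Seal(s1, cmd, ed25519.Sign(masterPriv, cmd))
	if err != nil {
		return
	}
	got, e := Open(s1, masterPub, wire)
	genuineOK = e == nil && string(got) == "report"

	// 2. Hijack: a captured bot knows K_1 and the wire format but cannot sign.
	bogusSig := make([]byte, ed25519.SignatureSize)
	if _, err = rand.Read(bogusSig); err != nil {
		return
	}
	if wire, err = Seal(s1, []byte("update"), bogusSig); err != nil {
		return
	}
	_, e = Open(s1, masterPub, wire)
	hijackRejected = e != nil

	// 3. Genuine command, but opened with K_2: servent 2's key says nothing
	// about traffic meant for servent 1.
	if wire, err = Seal(s1, cmd, ed25519.Sign(masterPriv, cmd)); err != nil {
		return
	}
	_, e = Open(s2, masterPub, wire)
	wrongKeyRejected = e != nil
	return
}

func main() {
	g, h, w, err := Scenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("genuine accepted=%v hijack rejected=%v wrong-key rejected=%v\n", g, h, w)
}
```

Case 2 is the Slapper-style hijack the slides warn about: knowing a peer's key is not enough without the botmaster's signing key. Case 3 is the "no global exposure" point: a captured bot yields only the K_i values in its own peer list, and none of them opens traffic to a servent outside that list.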

 Botmasters need to know
   Bot ID (used to recognize the same bot behind NAT or when its DHCP address changes)
   Bot population, connectivity, bandwidth, diurnal dynamics, ...
   IP address types (bots on DHCP addresses can be used for spam)
 Challenge: monitoring should be easy for botmasters but difficult for defenders.
 Monitor via dynamically changeable sensors
   Each bot sends its information to one or more sensors after receiving the report command.
   The botmaster can change which bots act as sensors each time she issues the report command.

 A botnet is networked by its peer lists.
 There are some initial servent bots.
 New infection (A infects B)
   Bot A passes its peer list to B.
   A and B may add each other to their lists.
 Reinfection (A infects an already infected B)
   B updates its list based on A's list.
   Reinfection improves connectivity.
   A does not receive B's list, so an infector cannot collect peer lists recursively.

 The peer-list updating procedure
   It is triggered by the update command.
   Every bot gets an updated peer list from a specified sensor.
 Benefits
   Balances the connectivity.
   Reconnects a broken botnet.
 Risk
   Exposes part of the botnet to defenders.

 Simulation setting: 20,000 bots, including 5,000 servents.
 Peer-list size M = 20.
 The peer-list updating procedure runs once, when 1,000 servents have been infected.
 Resulting connection degree
   300 to 500 for the first 1,000 servents
   20 to 30 for the rest

Robustness formula: if a fraction p of the servent bots is removed, a bot is cut off only when all M servents in its peer list are gone, which happens with probability p^M, so the fraction of bots that stay connected is

$$C(p) = 1 - p^{M}$$

where M is the peer-list size. With M = 20 and 80% of the servents removed (p = 0.8), C(p) is about 0.988, which is the "survives with 20% of servents left" figure used on the defence slides.
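A check of the robustness formula against the simulation setting from the slides (20,000 bots, 5,000 servents, M = 20), as an added Go example rather than the paper's own simulator: it models the botnet right after a peer-list update, when every bot holds M randomly chosen servents, removes a fraction p of the servents and counts how many bots still reach a live servent. The random-list model and the fixed seed are assumptions; the infection-time construction on the earlier slides is not modelled.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Connectivity is the analytic estimate C(p) = 1 - p^M from the slide: after a
// fraction p of the servents is removed, a bot is cut off only when all M
// servents in its peer list are gone.
func Connectivity(p float64, M int) float64 {
	return 1 - math.Pow(p, float64(M))
}

// Botnet holds, for every bot, its peer list as indices of servent bots.
type Botnet struct {
	Servents int
	Peers    [][]int
}

// sampleDistinct draws k distinct integers from [0, n).
func sampleDistinct(rng *rand.Rand, n, k int) []int {
	if k > n {
		panic("peer list larger than the servent population")
	}
	out := make([]int, 0, k)
	seen := make(map[int]struct{}, k)
	for len(out) < k {
		s := rng.Intn(n)
		if _, dup := seen[s]; dup {
			continue
		}
		seen[s] = struct{}{}
		out = append(out, s)
	}
	return out
}

// Build models the botnet right after the update command: every bot, client
// or servent, holds M distinct servents chosen at random by the sensor.
func Build(rng *rand.Rand, bots, servents, M int) *Botnet {
	bn := &Botnet{Servents: servents, Peers: make([][]int, bots)}
	for b := range bn.Peers {
		bn.Peers[b] = sampleDistinct(rng, servents, M)
	}
	return bn
}

// SurvivingFraction removes a random fraction p of the servents (defenders
// taking them down) and returns the fraction of bots that still have at least
// one live servent in their peer list.
func SurvivingFraction(rng *rand.Rand, bn *Botnet, p float64) float64 {
	removed := make([]bool, bn.Servents)
	nRemoved := int(math.Round(p * float64(bn.Servents)))
	for _, s := range rng.Perm(bn.Servents)[:nRemoved] {
		removed[s] = true
	}
	alive := 0
	for _, list := range bn.Peers {
		for _, s := range list {
			if !removed[s] {
				alive++
				break
			}
		}
	}
	return float64(alive) / float64(len(bn.Peers))
}

// Experiment runs the slide's setting (20,000 bots, 5,000 servents, M = 20)
// under a fixed seed and returns the simulated and the analytic connectivity.
func Experiment(seed int64, p float64) (simulated, analytic float64) {
	rng := rand.New(rand.NewSource(seed))
	bn := Build(rng, 20000, 5000, 20)
	return SurvivingFraction(rng, bn, p), Connectivity(p, 20)
}

func main() {
	for _, p := range []float64{0.5, 0.8, 0.9, 0.95, 0.99} {
		sim, an := Experiment(1, p)
		fmt.Printf("remove %2.0f%% of servents: simulated %.4f  C(p) = %.4f\n", 100*p, sim, an)
	}
}
```

The simulated value tracks C(p) closely because the post-update peer lists are independent random samples; the only deviation comes from drawing peers without replacement from a finite servent pool. The run also shows where the robustness ends: removing 95% of the servents still leaves roughly 64% of the bots connected, and only at 99% does the botnet fall apart.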

 Annihilation
   Attack the initial bots: this requires quick detection by defenders.
   Attack the servents: easier when the number of servents is small.
   Use honeypot techniques: defenders pretend to be servents and then shut the botnet down.
     A large number of honeypots is required, because the botnet survives with only 20% of its servents left.

 Opportunities for defenders
   Collect information as bots report themselves to the sensors.
   Learn the target from an attack command and try to prevent the attack.
   Obtain peer lists during peer-list updating.

 I = 20,000: number of bots
 K = 1,000: number of servents before peer-list updating
 M = 20: peer-list size
 n: number of honeypots

 K = 1,000: number of servents used in peer-list updating
 M = 20: peer-list size
 x: number of infection attempts

 Detecting honeypots is important for botmasters.
 Shutting down a botnet is harder than monitoring it.
 The centralized sensor hosts are not as weak a point as the C&C servers of other botnets, because the botmaster changes them with each report command.
 Connectivity maintenance and C&C communication are separated.

 It is important to be well prepared for such an attack in the future.
 A robust P2P botnet is proposed, with
   Two classes of bots
   Command authentication, individualized encryption keys and individualized service ports
   Botmaster monitoring capability
   A construction procedure
 The botnet's robustness is studied.
 Honeypot-based defences are analyzed.