Botnet behavior and detection October 2014 - RONOG Silviu Sofronie – a Head of Forensics.

Slides:



Advertisements
Similar presentations
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Advertisements

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.
Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely.
Basic Communication on the Internet:
A look into Bullet Proof Hosting November DefCamp 5 Silviu Sofronie – Head of Forensics
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Your Botnet is My Botnet: Analysis of a Botnet Takeover
Zombie or not to be: Trough the meshes of Botnets - Guillaume Lovet AVAR 2005 Tianjin, China.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
Kindred Domains: Detecting and Clustering Botnet Domains Using DNS Traffic Matt Thomas Data Architect, Verisign Labs.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
The problems associated with operating an effective anti-spam blocklist system in an increasingly hostile environment. Robert Gallagher September 2004.
Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.
1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
Chapter 29 Structure of Computer Names Domain Names Within an Organization The DNS Client-Server Model The DNS Server Hierarchy Resolving a Name Optimization.
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Threat infrastructure: proxies, botnets, fast-flux
IBM Security Network Protection (XGS)
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
Viruses, Phishing and Pharming Megan, Matt, Rishi.
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
1 Analysis of SMTP Connection Characteristics for Detecting Spam Relays Authors: P. J. Sandford, J. M. Sandford, and D. J. Parish Speaker: Shu-Fen Chiou(
Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray,
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.
1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.
China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.
1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.
Introduction to Honeypot, Botnet, and Security Measurement
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.
Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.
Bots Used to Facilitate Spam Matt Ziemniak. Discuss Snort lab improvements Spam as a vehicle behind cyber threats Bots and botnets What can be done.
Jeong, Hyun-Cheol. 2 Contents DDoS Attacks in Korea 1 1 Countermeasures against DDoS Attacks in Korea Countermeasures against DDoS Attacks in.
Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.
The Internet 8th Edition Tutorial 2 Basic Communication on the Internet: .
Understanding the Network-Level Behavior of Spammers Best Student Paper, ACM Sigcomm 2006 Anirudh Ramachandran and Nick Feamster Ye Wang (sando)
A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,
A VIRTUAL HONEYPOT FRAMEWORK Author : Niels Provos Publication: Usenix Security Symposium Presenter: Hiral Chhaya for CAP6103.
Not So Fast Flux Networks for Concealing Scam Servers Theodore O. Cochran; James Cannady, Ph.D. Risks and Security of Internet and Systems (CRiSIS), 2010.
1 Honeypot, Botnet, Security Measurement, Spam Cliff C. Zou CDA /01/07.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin In First Workshop on Hot Topics in Understanding Botnets,
Studying Spamming Botnets Using Botlab 台灣科技大學資工所 楊馨豪 2009/10/201 Machine Learning And Bioinformatics Laboratory.
Speaker: Hom-Jay Hom Date:2009/11/17 Botnet, and the CyberCriminal Underground IEEE 2008 Hsin chun Chen Clinton J. Mielke II.
Understanding the Network-Level Behavior of Spammers Author: Anirudh Ramachandran, Nick Feamster SIGCOMM ’ 06, September 11-16, 2006, Pisa, Italy Presenter:
Understanding the network level behavior of spammers Published by :Anirudh Ramachandran, Nick Feamster Published in :ACMSIGCOMM 2006 Presented by: Bharat.
Leveraging Delivery for Spam Mitigation.
Studying Spamming Botnets Using Botlab
Security fundamentals Topic 9 Securing internet messaging.
A Multifaceted Approach to Understanding the Botnet Phenomenon Aurthors: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Publication: Internet.
Types of Malware © 2014 Project Lead The Way, Inc.Computer Science and Software Engineering.
1 Modeling and Measuring Botnets David Dagon, Wenke Lee Georgia Institute of Technology Cliff C. Zou Univ. of Central Florida Funded by NSF CyberTrust.
Speaker: Hom-Jay Hom Date:2009/10/20 Botnet Research Survey Zhaosheng Zhu. et al July 28-August
The hidden part of TDSS Sergey (k1k) Golovanov, Malware Expert Global Research and Analysis Team Kaspersky Lab.
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.
1 Botnets Group 28: Sean Caulfield and Fredrick Young ECE 4112 Internetwork Security Prof. Henry Owen.
Denial of Service A comparison of DoS schemes Kevin LaMantia COSC 316.
Heat-seeking Honeypots: Design and Experience John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy and Martin Abadi WWW 2011 Presented by Elias P.
A lustrum of malware network communication: Evolution & insights
Speaker : YUN–KUAN,CHANG Date : 2009/11/17
Internet Worm propagation
Botnet Detection by Monitoring Group Activities in DNS Traffic
Presentation transcript:

Botnet behavior and detection October RONOG Silviu Sofronie – a Head of Forensics

1 Topic: Botnets What do they look like How they behave Why should we care

Botnet quick overview

There’s always a C&C server in control Domain Generating Algorithm – DGA Malware sample needed Honeypot to monitor

Botnet quick overview How about an emerging botnet ? A botnet no one heard of yet … what then ?

Botnets: How do they behave A few possible approaches: Internet user behavior – buckets of users Network traffic patterns Fortunately they behave in a predictable manner

Internet user behavior Straight forward approach: -Anonymize user’s personal data (IP address) -(machine) learn about its usual internet behavior -Create buckets of behaviors -Throw users in buckets -Observe anomalies occuring -Ex.: A user that never visited a.ru site, is now doing different DNS requests that end up in timeout. Next day there are 100 users with the same behavior.

Network traffic patterns Spam bots and why they are special Spam botnets are the most common way of sending spam because they can easily be automated: 1. An outbreak of viruses and worms is sent in the wild, infecting systems and deploying a malicious application – the bot. 2. The bot registers with a command and control (C&C) server controlled by the botnet operator and is ready to receive and serve several commands, such as sending s from via SMTP. 3. Spammers purchase -sending services from the operator, providing them with templates and target address lists. 4. The operator instructs the compromised machines to send out spam messages.

Network traffic patterns client.write( buff5k ); [ ] ( ) ( )...

Network traffic patterns Typical example with consistent segment size.

Network traffic patterns Another typical example – MSS improves to multiples of the base value. Relay servers can be configured in numerous ways, but this pattern stands out.

Network traffic patterns The headers are clearly sent in a distinct writing sequence. The SMTP sequence for ending the data transmission is sent in its own segment Distinct FROM header

Takeaway There are interesting approaches for detecting botnets, besides sinkholes. -Analyzing user behavior with machine learning and event correlation engines -Network traffic patterns

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.