Identification of Bot Commands By Run-time Execution Monitoring Younghee Park, Douglas S. Reeves North Carolina State University ACSAC 2009

OUTLINE 1. INTRODUCTION 2. THE PROPOSED METHOD 3. EXPERIMENTAL EVALUATION 4. DISCUSSION 5. CONCLUSION

1. INTRODUCTION

About Botnets Botnets are a major source of network threats: DDoS, spam, identity theft, click fraud. They use a variety of protocols: IRC, HTTP, peer-to-peer. The number of hosts in botnets is estimated to be in the millions.

BotTee Monitors and analyzes bot execution to identify the bot commands that are being executed. Key observations: bot commands with the same purpose produce highly correlated API call traces across all types of bots, and so bot commands can be accurately identified during execution.

2. THE PROPOSED METHOD

System architecture for BotTee (figure)

Bot behavior classification through bot commands (figure)

Hooking API calls Bots invoke Windows functions through the API provided to applications; BotTee intercepts these calls and records the time of each one. Only a limited set of Windows API calls is hooked: approximately 300 commonly used API functions, selected from 50 real bot instances. 153 of these APIs are in kernel32.dll; the rest are in user32.dll, advapi32.dll, ws2_32.dll (wsock32.dll), etc. Calls that bypass the hooked entry points (for example direct use of ntdll.dll or raw system calls) are not observed.

Bot Command Identifier Which sequence of API calls corresponds to a bot command? The execution of a command is bounded by the recv that delivers it and the send that reports its result; the calls in between form a semantic unit. Runs of consecutive occurrences of the same API call in a trace are reduced to at most γ occurrences. With γ = 2: AAABCCAAAADDDA → AABCCAADDA. Semantic unit for 'synflood': socket, TlsGetValue, InterlockedDecrement, ioctlsocket, connect, WaitForSingleObject, etc.
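As an added example, not code from the paper, the following Python performs the segmentation this slide describes: it cuts a hooked API call trace into recv..send semantic units and truncates runs of a repeated call to γ. The trace format (microsecond timestamp, API name), the choice of recv/send as unit boundaries, and the sample trace are assumptions; the sample trace is constructed, not a real capture.

```python
"""Bot Command Identifier step, as an added illustration (not BotTee's code):
cut a hooked API call trace into semantic units and truncate repeated calls.

Assumptions not stated on the slides: a trace is a list of (timestamp_us, api)
tuples as a hooking layer would record them; a unit opens at 'recv' (the
command arrives) and closes at the next 'send' (the result goes back); runs
of one API longer than gamma are truncated to gamma, which reproduces the
slide's example (gamma = 2, AAABCCAAAADDDA -> AABCCAADDA).
"""
from dataclasses import dataclass
from typing import List, Tuple

Trace = List[Tuple[int, str]]  # (timestamp in microseconds, API name)
GAMMA = 2                      # slide: gamma = 2


@dataclass
class SemanticUnit:
    apis: List[str]     # API names after truncating runs
    offsets: List[int]  # timestamp of each kept call, relative to the unit's recv

    @property
    def timing(self) -> List[int]:
        """Timing vector: inter-call gaps between the kept calls."""
        return [b - a for a, b in zip(self.offsets, self.offsets[1:])]


def collapse_runs(calls: Trace, gamma: int = GAMMA) -> Trace:
    """Keep at most `gamma` consecutive occurrences of the same API; the first
    `gamma` calls of each run survive together with their timestamps."""
    kept: Trace = []
    run = 0
    for ts, api in calls:
        run = run + 1 if kept and kept[-1][1] == api else 1
        if run <= gamma:
            kept.append((ts, api))
    return kept


def semantic_units(trace: Trace, start: str = "recv", end: str = "send",
                   gamma: int = GAMMA) -> List[SemanticUnit]:
    """Split a trace into start..end windows. Calls outside a window and an
    unterminated window at the end of the trace are dropped."""
    units: List[SemanticUnit] = []
    window: Trace = []
    for ts, api in trace:
        if not window:
            if api == start:            # wait for the next command to arrive
                window = [(ts, api)]
            continue
        window.append((ts, api))
        if api == end:                  # response sent: the unit is complete
            kept = collapse_runs(window, gamma)
            base = kept[0][0]
            units.append(SemanticUnit([a for _, a in kept],
                                      [t - base for t, _ in kept]))
            window = []
    return units


# Constructed trace (not a real capture): a synflood-like unit containing a
# run of three socket() calls, a stray call between commands, then a dns-like
# unit.
SAMPLE_TRACE: Trace = [
    (1000, "recv"), (3000, "TlsGetValue"),
    (4000, "socket"), (5000, "socket"), (6000, "socket"),
    (11000, "connect"), (13000, "WaitForSingleObject"), (31000, "send"),
    (100000, "GetTickCount"),
    (200000, "recv"), (201000, "gethostbyname"), (205000, "inet_ntoa"),
    (206000, "send"),
]

if __name__ == "__main__":
    for unit in semantic_units(SAMPLE_TRACE):
        print(unit.apis, unit.timing)
```

Keeping the timestamps of the surviving calls is what makes the timing vector usable later: the gaps are measured between calls that are actually in the unit, so a truncated run does not leave phantom entries.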

Correlation Engine Creates the command templates and matches captured API call traces to these templates, using the longest common subsequence (LCS) algorithm and statistical correlation. With ρi,j the correlation between captured trace i and template j, and δ the correlation threshold, θ1 is defined as P(ρi,j > δ | H1): the probability that the correlation exceeds the threshold when the trace really is an instance of the template's command (hypothesis H1).

Common API Call Trace (CACT) The CACT for each command contains the APIs that are important for identifying the execution of that bot command; these are termed the featured APIs. CACT of 'dns', length 30: recv, TlsGetValue, GetLocalTime, GetUserDefaultLCID, WideCharToMultiByte, GetTimeFormatA, GetConsoleMode, WriteConsoleA, WriteFile, inet_addr, ..., GetTickCount, InterlockedExchange, CloseHandle, gethostbyname, inet_ntoa, send

A Real-time Semantic Behavior Matcher Each semantic unit is compared with all of the bot command templates. A candidate template must first be identified; then the correlation of the semantic unit's timing vector with each timing vector in the template is computed. Additional information can be recorded about the arguments of the hooked API calls (such as the addresses a command targets).

3. EXPERIMENTAL EVALUATION

Implementation and Experiments Prototype of BotTee: the Deviare API was used to intercept Windows API calls on the fly. A botnet was deployed in a private network. Among 167 available bot source codes there were 103 variants, from the Agobot, Spybot, Sdbot and Jrbot families.

Performance Overhead of Hooking (figure)

Correlation Results (figure)

Identification of Specific Bot Commands (figure)

False Identification False identification occurs if the CACTs are not distinctive enough to differentiate bot commands from the behavior of non-bot programs.

Detection Rate with API Call Injection Attack (figure) A bot author may inject spurious API calls to obfuscate the call sequence; such injection may also be intended to defeat timing analysis and correlation.
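As an added example covering the Correlation Engine and Semantic Behavior Matcher slides above and the injection attack on this slide (not code from the paper), the following Python matches a semantic unit against command templates with LCS over the API names and then correlates the timing vectors of the aligned calls. The templates, units and thresholds are constructed and hypothetical, and Pearson's coefficient is my reading of "statistical correlation"; it is not a claim about the paper's exact statistic.

```python
"""Correlation Engine and Semantic Behavior Matcher, as an added illustration
(not BotTee's code): LCS over API names picks a candidate template, and
Pearson correlation of the timing vectors of the aligned calls confirms it.

Assumptions: templates and units are constructed and far shorter than the real
30-call 'dns' CACT; the thresholds (LCS ratio 0.7, delta = 0.8) are hypothetical.
"""
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Optional, Tuple


@dataclass
class ApiTrace:
    apis: List[str]
    offsets: List[int]  # microseconds since the unit's first call


def lcs_pairs(a: List[str], b: List[str]) -> List[Tuple[int, int]]:
    """Index pairs (i, j) of one longest common subsequence of a and b."""
    m, n = len(a), len(b)
    dp = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m):
        for j in range(n):
            dp[i + 1][j + 1] = (dp[i][j] + 1 if a[i] == b[j]
                                else max(dp[i][j + 1], dp[i + 1][j]))
    pairs: List[Tuple[int, int]] = []
    i, j = m, n
    while i > 0 and j > 0:
        if a[i - 1] == b[j - 1]:
            pairs.append((i - 1, j - 1))
            i, j = i - 1, j - 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return pairs[::-1]


def pearson(x: List[float], y: List[float]) -> float:
    """Pearson correlation; 0.0 when undefined (too short or constant)."""
    n = len(x)
    if n < 2 or n != len(y):
        return 0.0
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def score(unit: ApiTrace, template: ApiTrace) -> Tuple[float, float]:
    """(fraction of the template's APIs found in order in the unit,
    timing correlation over the aligned calls)."""
    pairs = lcs_pairs(template.apis, unit.apis)
    ratio = len(pairs) / len(template.apis)
    # Gaps between consecutive aligned calls on each side: injected calls the
    # LCS skipped contribute no entries, only their delay.
    t_gaps = [template.offsets[i2] - template.offsets[i1]
              for (i1, _), (i2, _) in zip(pairs, pairs[1:])]
    u_gaps = [unit.offsets[j2] - unit.offsets[j1]
              for (_, j1), (_, j2) in zip(pairs, pairs[1:])]
    return ratio, pearson(t_gaps, u_gaps)


def identify(unit: ApiTrace, templates: Dict[str, ApiTrace],
             min_ratio: float = 0.7, delta: float = 0.8) -> Optional[str]:
    """Best template passing both the LCS ratio and the correlation threshold,
    or None (no candidate, or a candidate whose timing does not correlate)."""
    best: Optional[Tuple[str, float, float]] = None
    for name, tpl in templates.items():
        ratio, rho = score(unit, tpl)
        if ratio >= min_ratio and rho > delta and (
                best is None or (ratio, rho) > best[1:]):
            best = (name, ratio, rho)
    return best[0] if best else None


# Constructed, shortened CACTs (hypothetical offsets).
TEMPLATES: Dict[str, ApiTrace] = {
    "dns": ApiTrace(["recv", "TlsGetValue", "GetLocalTime", "inet_addr",
                     "gethostbyname", "inet_ntoa", "send"],
                    [0, 100, 300, 400, 5400, 5500, 5600]),
    "synflood": ApiTrace(["recv", "TlsGetValue", "socket", "ioctlsocket",
                          "connect", "WaitForSingleObject", "send"],
                         [0, 100, 200, 300, 400, 500, 20500]),
}
# 'dns' run by a bot of another family: same sequence, twice as slow.
UNIT_A = ApiTrace(TEMPLATES["dns"].apis, [0, 200, 600, 800, 10800, 11000, 11200])
# 'synflood' with injected GetTickCount/Sleep calls, which the LCS skips.
UNIT_B = ApiTrace(["recv", "TlsGetValue", "GetTickCount", "socket", "Sleep",
                   "ioctlsocket", "GetTickCount", "connect",
                   "WaitForSingleObject", "Sleep", "send"],
                  [0, 100, 150, 200, 250, 300, 350, 400, 450, 20450, 20500])
# Benign program that also does recv ... send.
UNIT_C = ApiTrace(["recv", "GetTickCount", "WriteFile", "send"], [0, 50, 100, 150])
# 'synflood' order kept but its delay moved: the LCS matches fully, yet the
# timing vector no longer correlates, so the matcher rejects it.
UNIT_D = ApiTrace(TEMPLATES["synflood"].apis, [0, 100, 200, 300, 400, 20400, 20500])

if __name__ == "__main__":
    for label, unit in [("A", UNIT_A), ("B", UNIT_B), ("C", UNIT_C), ("D", UNIT_D)]:
        print(label, identify(unit, TEMPLATES),
              {n: tuple(round(v, 3) for v in score(unit, t)) for n, t in TEMPLATES.items()})
```

Units A and B show the two properties the slides rely on: the same command from a different family, and the same command with junk calls injected, both still match. Unit D shows the other side of the injection slide: when the injected delays change the inter-call timing, the sequence alone would still match but the correlation check fails, which is exactly the evasion the timing analysis is exposed to.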

4. DISCUSSION

DISCUSSION Identifying the command a bot is executing means botnet-driven network threats can be identified more accurately. BotTee can identify the victims targeted by active botnets and infer the overall behavior of those botnets. Because the calls are hooked, potentially malicious bot commands can be replaced by more benign actions, or thwarted altogether.

5. CONCLUSION

CONCLUSION A method for identifying, in real time, the high-level commands being executed by a bot: the hooked API call traces are compared with a previously captured set of bot command templates. Commands were accurately identified, and this held true even for commands executed by bots from families other than those the templates were built from.