Web Botnet Detection Based on Flow Information. Chia-Mei Chen, Ya-Hui Ou, and Yu-Chou Tsai, National Sun Yat-sen University, IEEE 2010.

Presentation transcript:


Outline: The Proposed Approach; Experiment Environment; Performance Analysis. (2011/3/8)

The Proposed Approach: This study observes web botnet behavior using the BlackEnergy bot. To distinguish abnormal web traffic from regular web requests, the study first runs experiments with normal web requests and records one of the normal flows as a reference.

The Proposed Approach: Then experiments with web bots connecting to the C&C web server are conducted to obtain a sample of bot flows. Such web flows differ from a normal user's web browsing flows and can be used to identify web bots.


The Proposed Approach: Attribute Analysis – The major features can be divided into timeslot, data calculation, mutual authentication, and bot clustering analysis.

The Proposed Approach: Attribute Analysis – Mutual authentication is judged from the flow data: concretely, if the flow data of B2S (bot to server) is very similar to that of S2B (server to bot), the flow is considered abnormal. – Clustering analysis, in brief, places flows with the same features into the same group.

The bots connect to the HTTP server at regular time intervals, and every flow record carries similar values.
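The three attributes just described (regular timeslots, similar flow values, and B2S/S2B similarity, followed by clustering) can be computed from plain flow records. The script below is an added illustration, not code from the paper; the flow records, the C&C address 198.51.100.5, and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

C2 = "198.51.100.5"  # hypothetical C&C web server address (constructed)

def _bot_flows(ip, jitter=(0, 0, 1, 0, 0)):
    """Constructed bot traffic: one poll every ~60 s with near-constant request/response sizes."""
    return [(i * 60 + jitter[i], ip, C2, 312, 320) for i in range(5)]

# Constructed sample flow records, not data from the paper:
# (time_s, src, dst, bytes_src_to_dst, bytes_dst_to_src)
FLOWS = (
    _bot_flows("10.0.0.11") + _bot_flows("10.0.0.12") + _bot_flows("10.0.0.13")
    + [  # a normal client browsing: irregular timing, asymmetric sizes
        (0, "10.0.0.20", "203.0.113.8", 400, 15000),
        (5, "10.0.0.20", "203.0.113.8", 380, 2300),
        (7, "10.0.0.20", "203.0.113.8", 1200, 48000),
        (90, "10.0.0.20", "203.0.113.8", 450, 9000),
        (400, "10.0.0.20", "203.0.113.8", 600, 120000),
    ]
)

def flow_features(flows):
    """Per (src, dst) pair: timeslot regularity, payload-size stability and B2S/S2B symmetry."""
    by_pair = defaultdict(list)
    for t, src, dst, up, down in flows:
        by_pair[(src, dst)].append((t, up, down))
    feats = {}
    for pair, recs in by_pair.items():
        recs.sort()
        if len(recs) < 3:
            continue  # too few flows to judge periodicity
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        ups, downs = [r[1] for r in recs], [r[2] for r in recs]
        if mean(gaps) == 0 or mean(ups) == 0 or mean(downs) == 0:
            continue  # degenerate pair (duplicate timestamps or empty flows)
        feats[pair] = {
            "interval_cv": pstdev(gaps) / mean(gaps),            # 0 = perfectly periodic
            "size_cv": pstdev(ups + downs) / mean(ups + downs),  # 0 = identical sizes
            "symmetry": min(mean(ups), mean(downs)) / max(mean(ups), mean(downs)),
        }
    return feats

def suspicious_pairs(feats, max_interval_cv=0.1, max_size_cv=0.1, min_symmetry=0.8):
    """Flag pairs whose flows look like periodic, symmetric C&C polling (thresholds assumed)."""
    return {p for p, f in feats.items()
            if f["interval_cv"] <= max_interval_cv and f["size_cv"] <= max_size_cv
            and f["symmetry"] >= min_symmetry}

def cluster_by_server(pairs, min_members=2):
    """Clustering step: hosts sharing the same suspicious server form one botnet candidate."""
    groups = defaultdict(set)
    for src, dst in pairs:
        groups[dst].add(src)
    return {dst: srcs for dst, srcs in groups.items() if len(srcs) >= min_members}
```

Run on the constructed records, the three polling hosts cluster under 198.51.100.5 while the browsing client is left alone.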

Experiment Environment – In the simulated environment, four bots are set up to connect regularly to the server and, after receiving the command, perform a DDoS attack against the victims. – The attack command is as follows:


Experiment Environment – When BlackEnergy performed DDoS attacks, the number of flows increased significantly within a short time.

Performance Analysis – Experiment Environment: There are four different network environments:
– (1) a simulated LAN initially with one infected bot and 13 normal clients,
– (2) a simulated LAN initially with 3 botnets and some normal clients,
– (3) a real LAN initially deployed with one infected bot machine and 19 normal clients, and
– (4) a university dormitory network.


Performance Analysis – Bots Infecting Some Hosts in the LAN: – In this experiment, the system is set up with three botnets and three HTTP servers to collect evidence of the characteristics. – The designed connection time intervals are 1 minute, 10 minutes, and 15 minutes, respectively.


Performance Analysis – 3) Real Network Environment:

Performance Analysis – 4) Demonstrating the usefulness in a real network: – The data were collected primarily from a school dormitory network over roughly five days.
