Exploiting Temporal Persistence to Detect Covert Botnet Channels Authors: Frederic Giroire, Jaideep Chandrashekar, Nina Taft… RAID 2009 Reporter: Jing.

Presentation transcript:

Exploiting Temporal Persistence to Detect Covert Botnet Channels
Authors: Frederic Giroire, Jaideep Chandrashekar, Nina Taft… RAID 2009
Reporter: Jing Chiu
2015/11/29 1 Data Mining & Machine Learning Lab

Outline
Introduction
Methodology
Dataset Description
Evaluation
Conclusions

Introduction
How do bots evade existing defenses?
▫Polymorphic engines
▫Packing engines
▫AV vendors report 3000 distinct samples daily
Anomaly detection methods for botnets
▫Use traffic feature distributions for analysis
▫Detect bots only once they are activated to generate attacks
▫Latency exists from infection to activation
Covert channel between bots and C&C server
▫Lasts for an extended period
▫Lightweight and spaced out over irregular time periods

Methodology
Assumptions
▫Communication between a zombie and its C&C server is not limited to a few connections
▫A zombie is not programmed to use a completely new C&C server at each attempt
Persistence and destination atoms
▫Destination atoms are the unit used for building white lists
▫Persistence measures lightweight repetition over time

Methodology (cont.)
Why use white lists?
▫The hosts a user communicates with regularly form a small, stable set
  Examples:
  Work-related, news and entertainment websites
  Mail servers, update servers, patch servers, RSS feeds
  Advantages:
  Fast search
  Easy to manage
▫These hosts require infrequent updating

Methodology (cont.)
Destination atoms
▫(dstService, dstPort, proto)
▫Different domains: distinguished by second-level domain name
  yahoo.com, cisco.com
▫The same domain: distinguished by third-level domain name
  mail.intel.com, print.intel.com
▫Multiple ports are allowed
  (ftp.service.com, 21:>1024, tcp)
▫When an address cannot be mapped to a name, the IP address is used as the service name
▫Examples

Methodology (cont.)
Persistence metric
▫d: destination atom
▫W = [s_1, s_2, …, s_n]
▫W: observation window; s_i: measurement window
▫Timescale: (W, s)
▫For each timescale (W_j, s_j), 1 ≤ j ≤ k

Methodology (cont.)
C&C Detection Implementation
▫Use a long bitmap per destination atom to track connections at each timescale
▫Procedure
  Update the bitmap and recompute persistence
  If the updated persistence crosses the threshold p*, raise an alarm
  After enough samples, if the persistence stays below the threshold, free the bitmap
Bitmap example
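The three methodology pieces above (destination atoms, the persistence metric over (W, s) timescales, and the bitmap-based detector with a training-time white list) worked end to end, as an added Python example that is not code from the paper or the presenter. Persistence p(d) is computed as the fraction of the n = W/s measurement windows in which atom d was contacted at least once, which is the paper's definition (the slide lists only the symbols). Everything else is my assumption for the example: intel.com as the enterprise's home domain whose hosts keep a third-level label; destination ports above 1024 collapsed into a single ">1024" bucket in place of the slide's "21:>1024" range notation; an atom is whitelisted when it is persistent at any of the k timescales during training; and the traces are constructed, with 203.0.113.7 (a documentation address) standing in for a destination that cannot be resolved to a name.

```python
"""Destination atoms, persistence p(d) and a bitmap-based C&C detector.

Added example for this transcript, not code from the paper or presenter.
All flows below are constructed; the persistence definition follows the
paper, the home domain, port bucketing and whitelist rule are assumptions.
"""
import re
from collections import defaultdict

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
HOME_DOMAIN = "intel.com"  # assumed enterprise domain (from the slide's examples)


def destination_atom(host, port, proto):
    """Map a flow destination to a (dstService, dstPort, proto) atom.

    Home-domain hosts keep a third-level label (mail.intel.com vs
    print.intel.com); other domains collapse to the second level
    (news.yahoo.com -> yahoo.com).  An IP literal that could not be
    resolved is used as the service name itself.  Ports above 1024 are
    lumped into one '>1024' bucket (simplification of '21:>1024').
    """
    host = host.lower().rstrip(".")
    if IPV4.match(host):
        service = host
    else:
        labels = host.split(".")
        keep = 3 if host.endswith("." + HOME_DOMAIN) else 2
        service = ".".join(labels[-keep:])
    port_spec = str(port) if port <= 1024 else ">1024"
    return (service, port_spec, proto.lower())


def persistence_by_window(flows, W, s, start=0, end=None):
    """Persistence p(d) for every observation window at timescale (W, s).

    Each observation window [t0, t0+W) is cut into n = W // s measurement
    windows.  Every atom gets an n-bit bitmap (a Python int) with bit i set
    if it was contacted during measurement window i; p(d) = popcount / n.
    Returns [(t0, {atom: p(d)}), ...]; a window's bitmaps are dropped once
    the window closes, mirroring the 'free the bitmap' step on the slide.
    """
    if end is None:
        end = max(t for t, *_ in flows) + 1
    n = W // s
    results = []
    for t0 in range(start, end, W):
        bitmaps = defaultdict(int)
        for t, host, port, proto in flows:
            if t0 <= t < t0 + W:
                bitmaps[destination_atom(host, port, proto)] |= 1 << ((t - t0) // s)
        results.append((t0, {a: bin(b).count("1") / n for a, b in bitmaps.items()}))
    return results


def build_whitelist(training_flows, timescales, p_star):
    """Atoms persistent (p >= p*) at any timescale during training (assumed rule)."""
    whitelist = set()
    for W, s in timescales:
        for _, p in persistence_by_window(training_flows, W, s):
            whitelist.update(a for a, v in p.items() if v >= p_star)
    return whitelist


def detect(flows, whitelist, timescales, p_star):
    """One alarm per (timescale, window, atom) whose persistence crosses p*
    and which is not on the white list."""
    alarms = []
    for W, s in timescales:
        for t0, p in persistence_by_window(flows, W, s):
            for atom, v in p.items():
                if v >= p_star and atom not in whitelist:
                    alarms.append({"W": W, "s": s, "t0": t0, "atom": atom, "p": round(v, 3)})
    return alarms


# Constructed traces: (seconds since trace start, dst host, dst port, proto).
BENIGN = (
    [(t, "mail.intel.com", 25, "tcp") for t in range(0, 7200, 600)]   # steady mail polling
    + [(t, "news.yahoo.com", 443, "tcp") for t in (100, 1900, 3500)]  # sporadic browsing
    + [(t, "update.microsoft.com", 443, "tcp") for t in (50, 1850, 3650, 5450)]  # slow but regular
)
# Constructed low-rate, irregularly spaced contacts to an unresolvable address.
BEACONS = [(t, "203.0.113.7", 6667, "tcp")
           for t in (300, 900, 1500, 2200, 3000, 3300, 4100, 5000, 5300, 6500, 7100)]

TIMESCALES = [(3600, 600), (7200, 1800)]  # k = 2 timescales (W, s), in seconds
P_STAR = 0.6                              # threshold used on the evaluation slides


def run_demo():
    """Train the white list on BENIGN, then detect over BENIGN + BEACONS."""
    whitelist = build_whitelist(BENIGN, TIMESCALES, P_STAR)
    return whitelist, detect(BENIGN + BEACONS, whitelist, TIMESCALES, P_STAR)


if __name__ == "__main__":
    wl, found = run_demo()
    print("whitelist:", sorted(wl))
    for alarm in found:
        print("ALARM", alarm)
```

With these traces, mail.intel.com is whitelisted at both timescales and update.microsoft.com only at the coarser one (W = 2 h, s = 30 min), which is the point of keeping several (W_j, s_j): a destination can look sporadic at one timescale and persistent at another. news.yahoo.com reaches p(d) = 0.5 and stays below p*, while the unresolved address crosses p* in every window at both timescales and is the only atom that raises alarms.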

Dataset Description
End host traffic traces
▫Collected on the hosts of 350 enterprise users
▫Over 5 weeks
▫157 of the 350 traces are used, over a common 4-week period
Botnet traffic traces
▫55 known botnet binaries were collected
▫Each was executed inside a Windows XP SP2 VM and run for as long as a week
▫Experience
  Many binaries simply crashed the VM
  C&C server already deactivated
  Only 27 binaries yielded traffic
  12 of the 27 binaries yielded traffic that lasted more than a day
  List of sampled botnet binaries

Evaluation
System Properties
CDF of p(d) across all the atoms seen in training data
Distribution of per-host whitelist sizes (p* = 0.6)

Evaluation
C&C Detection
Other results
ROC curve
False positives across users (p* = 0.6)

Evaluation
Improvement in detection rate after filtering

Conclusions
Introduces “persistence” as a temporal measure of regularity in connections to “destination atoms”
Persistence can help detect malware without
▫protocol semantics
▫payloads
Proposes a method for detecting C&C servers that had no false negatives in the experiments
Both centralized and P2P infrastructures can be uncovered by this method
Low overhead and low user-annoyance factor

Destination atoms

Bitmap Example

List of Botnet binaries

C&C detection result