Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Slides:



Advertisements
Similar presentations
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Advertisements

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu1,2, Roberto Perdisci3, Junjie Zhang1,
Guide to Network Defense and Countermeasures Third Edition
BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
Active Botnet Probing to Identify Obscure Command and Control Channels Guofei Gu, Vinod Yegneswaran, Phillip Porras, Jennifer Stoll, and Wenke Lee Georgia.
Guide to Network Defense and Countermeasures Second Edition
Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Intrusion Detection Systems and Practices
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Slides to add  Botnet slides  Security regulations  Do we have similar laws for transportation?  Terrorism (look for some examples if possible)  Company.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Written by Guofei Gu, Roberto Perdisci, Junjie.
Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
Lecture 15 Denial of Service Attacks
09 Dec 2010 DETECTION OF SIP BOTNET BASED ON C&C COMMUNICATIONS Mohammad AlKurbi.
Lecture 11 Intrusion Detection (cont)
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)
INTRUSION DETECTION SYSTEM
SMS Mobile Botnet Detection Using A Multi-Agent System Abdullah Alzahrani, Natalia Stakhanova, and Ali A. Ghorbani Faculty of Computer Science, University.
11 Active Botnet Probing to Identify Obscure Command and Control Channels G Gu, V Yegneswaran, P Porras, J Stoll, and W Lee - on Annual Computer Security.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
SECURING NETWORKS USING SDN AND MACHINE LEARNING DRAGOS COMANECI –
Using Failure Information Analysis to Detect Enterprise Zombies Zhaosheng Zhu 1, Vinod Yegneswaran 2, Yan Chen 1 1 Department of Electrical and Computer.
1 Using Failure Information Analysis to Detect Enterprise Zombies Zhaosheng Zhu, Vinod Yegneswaran, Yan Chen Lab of Internet and Security Technology Northwestern.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.
BotNet Detection Techniques By Shreyas Sali
Protecting Web 2.0 Services from Botnet Exploitations Cybercrime and Trustworthy Computing Workshop (CTC), 2010 Second Nguyen H Vo, Josef Pieprzyk Department.
Network Intrusion Detection Using Random Forests Jiong Zhang Mohammad Zulkernine School of Computing Queen's University Kingston, Ontario, Canada.
Amir Houmansadr CS660: Advanced Information Assurance Spring 2015
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu, Roberto Perdisci, Junjie Zhang, and.
Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.
11 Automatic Discovery of Botnet Communities on Large-Scale Communication Networks Wei Lu, Mahbod Tavallaee and Ali A. Ghorbani - in ACM Symposium on InformAtion,
Bots Used to Facilitate Spam Matt Ziemniak. Discuss Snort lab improvements Spam as a vehicle behind cyber threats Bots and botnets What can be done.
Using Failure Information Analysis to Detect Enterprise Zombies Zhaosheng Zhu, Vinod Yegneswaran, Yan Chen Lab of Internet and Security Technology Northwestern.
1 An Advanced Hybrid Peer-to-Peer Botnet Ping Wang, Sherri Sparks, Cliff C. Zou School of Electrical Engineering & Computer Science University of Central.
Nullcon Goa 2010http://nullcon.net Botnet Mitigation, Monitoring and Management - Harshad Patil.
Jhih-sin Jheng 2009/09/01 Machine Learning and Bioinformatics Laboratory.
Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,
IEEE Communications Surveys & Tutorials 1st Quarter 2008.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.
Studying Spamming Botnets Using Botlab
Chien-Chung Shen Bot and Botnet Chien-Chung Shen
Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
BotCop: An Online Botnet Traffic Classifier 鍾錫山 Jan. 4, 2010.
CS526: Information Security Chris Clifton November 25, 2003 Intrusion Detection.
A Multifaceted Approach to Understanding the Botnet Phenomenon Aurthors: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Publication: Internet.
Speaker:Chiang Hong-Ren An Investigation and Implementation of Botnet Detection Schemes.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Presented by D Callahan.
2009/6/221 BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure- Independent Botnet Detection Reporter : Fong-Ruei, Li Machine.
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.
Published: USENIX HotBots, 2007 Presented: Wei-Cheng Xiao 2016/10/11.
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Speaker : YUN–KUAN,CHANG Date : 2009/11/17
Future Internet Presenter : Eung Jun Cho
Offense Questions: Botnet detection
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee
CIPSEC Framework components: XL-SIEM
Data Mining & Machine Learning Lab
Presentation transcript:

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan

BotSniffer Slides made by Andrew Tjang Paper: BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic by Guofei Gu, Junjie Zhang, and Wenke Lee (NDSS 08)

Motivation ● Botnets serious security threats ● Realtime Command+Control from centralized source ● Use characteristics of this Command+Control to detect botnets in sstems

Contributions ● Identify characteristics of C&C in Botnets ● Capture spatial-temporal correlation of network traffic to detect botnets ● Implement anomaly based detection algorithms as Snort plugins ● Evaluation of BotSniffer on real world traces ● Show botnets can be detected with high accuracy and low false positive rate

Command & Control ● Centralized control of bots in botnets ● Can be push (i.e. IRC) or pull (i.e. HTTP) ● Difficult to detect because protocol usage similar to normal traffic, low traffic volume, few bots, encryption

Spatial-Temporal correlation ● Invariants to all botnets  1. need to connect to central server to get commands  2. respond to commands ● perform tasks and report back (keeping long connection, or making frequent connections) ● Responses: message/activity response ● Multiple bots in channel likely to respond in similar fashion  Leverage “response crowd”  Bots have stronger/consistent synchronization and correlation in responses than humans do.

BotSniffer Architecture ● Monitor Engine  Examines network traffic, detects activity response behavior, suspicious C&C protocols ● Correlation Engine  Group analysis of spatial-temporal correlation, similarity of activity or message responses connected to same IRC/HTTP server

BotSniffer Architecture Illustrated

Group Analysis ● Intuition:  P(botnet | 100 clients send similar messages) > P(botnet | 10 clients send similar messages)  IF botnet, THEN more clients more likely to form homogeneous cluster  IF not botnet, THEN unlikely to send similar messages

Evaluation ● Datasets  University wide network IRC traffic (189 days)  All network wide traffic (10min/1-5h)  Botnet traces (synthetic) ● Honeypot (8hr) ● IRC server logs ● Modified bot software in virtual environment ● Implemented 2 botnets using HTTP

Results – Normal Trace

Detection

Attacks on Botsniffer and Their Defenses ● Misuse of whitelist  Whitelists not necessary  Can use soft whitelists ● Encryption  Doesn’t affect activity response ● Long & random response delays  ? ● Random noise packets  Activity response unaffected

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.