BotCop: An Online Botnet Traffic Classifier 鍾錫山 Jan. 4, 2010.

Reference
Wei Lu, Mahbod Tavallaee, Goaletsa Rammidi, Ali A. Ghorbani, "BotCop: An Online Botnet Traffic Classifier," CNSR 2009 (Seventh Annual Communication Networks and Services Research Conference), pp. 70-77, 2009.

Outline
◦ Introduction
◦ Traffic classification
◦ Botnet detection
◦ Experimental evaluation
◦ Conclusions

Introduction
Honeypots: used to capture malware, understand the basic behavior of botnets, and obtain bot binaries or botnet signatures. They are based on existing botnets and provide no solution for new botnets.
Approaches to automatically detect botnets:
◦ (1) passive anomaly analysis.
◦ (2) traffic classification.

Hierarchical Framework
In the higher level, all unknown network traffic is labeled and classified into different network application communities:
◦ P2P, HTTP Web, Chat, DataTransfer, Online Games, Mail Communication, Multimedia (streaming and VoIP) and Remote Access.
In the lower level, focusing on each application community, we investigate and apply the temporal-frequent characteristics of network flows to differentiate malicious botnet behavior from normal application traffic.

Traffic Classification
First, we model and generate signatures for more than 470 applications according to the port numbers and protocol specifications of these applications.
Second, concentrating on unknown flows that cannot be identified by signatures, we investigate their temporal-frequent characteristics in order to classify them into the already labeled applications using a decision tree.
Fred-eZone: a free WiFi network for Fredericton, Canada.

Signatures Based Classifier
For most applications, the initial protocol handshake steps are different from one another and can therefore be used for classification.

Decision Tree Based Classifier
A general result is that about 40% of flows cannot be classified by the current payload-signature-based classification method.
Extend n-gram frequency into the temporal domain.
Generate a set of 256-dimensional vectors representing the temporal-frequent characteristics of the 256 possible byte values (ASCII and binary) on the payload over a predefined time interval.
The n-gram (n = 1 in particular) is computed over a one-second time interval for both the source flow payload and the destination flow.

Figure: Temporal-frequent metric for source flow payload of the LimeWire application. Figure: Temporal-frequent metric for source flow payload of the BitTorrent application.

Figure: Temporal-frequent metric for source flow payload of the HTTPWeb application. Figure: Temporal-frequent metric for source flow payload of the SecureWeb application.

Profiling Applications
We denote the 256-dimensional n-gram byte distribution as a vector; each element is the frequency of the corresponding ASCII character on the flow payload over a time window.
Given n historical known flows for each specific application, we define an n × 256 matrix for profiling applications.
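The one-second 1-gram byte-frequency vector of the two slides above, stacked into the n × 256 per-application profile matrix, as an added example that is not the paper's code. The packet sample is constructed, and taking each known flow's first one-second window as its profile row is an assumption.

```python
from collections import defaultdict

# Constructed sample flow: (timestamp in seconds, direction, payload bytes).
# "src" is the source-flow payload (client to server), "dst" the destination flow.
SAMPLE_FLOW = [
    (0.10, "src", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (0.35, "dst", b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    (1.20, "src", b"GET /a HTTP/1.1\r\n\r\n"),
    (1.40, "dst", b"\x00\x01\x02\x03\x00\x00"),
]

def byte_histogram(payload: bytes) -> list:
    """1-gram (n = 1) byte counts: a 256-slot vector, one slot per byte value."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    return counts

def temporal_frequent_vectors(flow, window=1.0) -> dict:
    """Map (window index, direction) -> 256-dim byte frequency vector.
    Payload bytes are pooled per one-second window and direction, then
    normalized so the vector sums to 1 (the temporal-frequent metric)."""
    totals = defaultdict(lambda: [0] * 256)
    for ts, direction, payload in flow:
        acc = totals[(int(ts // window), direction)]
        for i, c in enumerate(byte_histogram(payload)):
            acc[i] += c
    vectors = {}
    for key, counts in totals.items():
        n = sum(counts)
        vectors[key] = [c / n for c in counts] if n else [0.0] * 256
    return vectors

def profile_matrix(known_flows, direction="src", window=1.0) -> list:
    """Build the n x 256 profile matrix for one application from n known flows.
    Assumption: each flow contributes the vector of its first one-second window."""
    rows = []
    for flow in known_flows:
        vecs = temporal_frequent_vectors(flow, window)
        rows.append(vecs.get((0, direction), [0.0] * 256))
    return rows
```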

A Typical Decision Tree

Botnet Detection
Botnet behavior:
◦ Response time.
◦ Synchronized.

Botnet Detection Approach
A set of N data objects.
Initialization: each cluster contains only one data instance.
Repeat: find the closest pair of clusters and merge them into a single cluster.
Until: the number of clusters =
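The initialize / repeat-merge / until procedure of the slide above over per-flow feature vectors, as an added example that is not the paper's code. Centroid linkage with Euclidean distance is an assumption, since the slide names neither the distance nor the linkage; the feature vectors are constructed.

```python
import math

def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def centroid(points):
    dim = len(points[0])
    return [sum(p[i] for p in points) / len(points) for i in range(dim)]

def agglomerative_cluster(objects, target_clusters, dist=euclidean):
    """Initialization: one cluster per data object.
    Repeat: find the closest pair of clusters (centroid distance, an
    assumption) and merge them. Until: len(clusters) == target_clusters."""
    clusters = [[i] for i in range(len(objects))]   # clusters hold object indices
    while len(clusters) > target_clusters:
        best = None
        for a in range(len(clusters)):
            ca = centroid([objects[i] for i in clusters[a]])
            for b in range(a + 1, len(clusters)):
                cb = centroid([objects[i] for i in clusters[b]])
                d = dist(ca, cb)
                if best is None or d < best[0]:
                    best = (d, a, b)
        _, a, b = best
        clusters[a] = clusters[a] + clusters[b]
        del clusters[b]
    return [sorted(c) for c in clusters]

# Constructed sample: 3-dimensional stand-ins for the 256-dim byte-frequency
# vectors of five flows in one application community. Flows 0-2 share one
# distribution, flows 3-4 another; a tight group of near-identical vectors is
# the synchronized behavior the detector looks for.
SAMPLE_VECTORS = [
    [0.50, 0.30, 0.20],
    [0.52, 0.28, 0.20],
    [0.49, 0.31, 0.20],
    [0.10, 0.10, 0.80],
    [0.12, 0.08, 0.80],
]

def demo():
    return agglomerative_cluster(SAMPLE_VECTORS, 2)
```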

Experimental Evaluation
The botnet traffic is collected on a honeypot deployed on a real network and aggregated into 243 flows.
Traffic traces collected over 2 days are used for training, and the real-time traffic flows collected on the 3rd day are used for testing.
The size of the input data for training the decision tree is 11000 × typical applications belonging to 8 typical application groups.

Applications in training dataset

Distribution of "unknown" application flows
More than 90,000 flows are collected over the testing day and identified as unknown.

Source Flow Based Decision Tree Classifier
Total number of flows correctly identified: %

Destination Flow Based Decision Tree Classifier
Total number of flows correctly identified: %

IRC Application Communities

Conclusions
Unknown applications on the current network are first classified into different application communities.
Then, focusing on each application community, a temporal-frequent characteristic of the flows is used to separate botnet traffic from normal traffic.
Open question: how to evaluate the approach on the P2P community and measure its performance on P2P-based botnets?