1 Modeling and Measuring Botnets David Dagon, Wenke Lee Georgia Institute of Technology Cliff C. Zou Univ. of Central Florida Funded by NSF CyberTrust.
Presentation transcript:

1 Modeling and Measuring Botnets David Dagon, Wenke Lee Georgia Institute of Technology Cliff C. Zou Univ. of Central Florida Funded by NSF CyberTrust Program, 2006

2 Outline
Motivation
Diurnal modeling of botnet propagation
Botnet population estimation
Botnet threat assessment

3 Motivation
Botnets have become a serious threat
Not much research on botnets yet
 Empirical analysis of captured botnets
 Mainly based on honeypot spying
Need an understanding of the botnet as a network
 Botnet growth dynamics
 Botnet (on-line) population, threat level …
Be well prepared for next-generation botnets


5 Botnet Monitor: Gatech KarstNet
Many bots use a dynamic-DNS (Dyn-DNS) name (e.g. cc1.com) to locate the attacker's C&C server
KarstNet detects cc1.com by its abnormal DNS query pattern and informs the DNS provider of cc1.com
The DNS provider maps cc1.com to the Gatech sinkhole instead of the attacker's C&C (DNS hijack)
All/most bots then attempt to connect to the sinkhole rather than the real C&C

6 Diurnal Pattern in Monitored Botnets
The diurnal pattern (bots coming on-line and going off-line with the local time of day) affects the botnet propagation rate
The diurnal pattern affects botnet attack strength

7 Botnet Diurnal Propagation Model
Model botnet propagation via vulnerability exploit
 Same as worm propagation
 Extension of epidemic models
Model the diurnal pattern
 Computers in one time zone share the same diurnal pattern
 "Diurnal shaping function" α_i(t) of time zone i
 Percentage of online hosts in time zone i
 Derived from the continuous connection attempts by bots in time zone i to the Gatech KarstNet sinkhole

8 Modeling Propagation: Single Time Zone
Quantities: the number of infected hosts, the number of vulnerable hosts, the number of online infected hosts, and the number of online vulnerable hosts
Start from the classical epidemic model for infected and vulnerable hosts
The diurnal pattern means: the online infected and online vulnerable counts are the totals scaled by the diurnal shaping function, and only online hosts take part in infection
Diurnal model: the epidemic equation written in terms of the online counts, plus a removal term

9 Modeling Propagation: K Multiple Time Zones (the Internet)
Each zone has its own shaping function; infections into zone i come from the online infected hosts of every zone j
The infection rate from zone j to zone i is the scan rate from zone j to zone i divided by the IP space size of zone i
Limited ability to model non-uniform scanning
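The single-zone model of slide 8 and the K-zone model of slide 9, carried through as an added example (this is not the authors' code). Symbol names are this example's assumptions: S(t) vulnerable, I(t) infected, R(t) removed, alpha(t) the diurnal shaping function, so the online infected and online vulnerable counts are alpha*I and alpha*S. The raised-cosine alpha(t), the uniform-scanning construction of the pairwise rates, and applying removal to online infected hosts are also assumptions; the paper derives alpha(t) from bots' connection attempts to KarstNet.

```python
"""Diurnal botnet propagation model: one time zone and K time zones.

S(t) vulnerable, I(t) infected, R(t) removed hosts in a zone; alpha(t) is the
diurnal shaping function (fraction of the zone's hosts online), so the online
infected and online vulnerable counts are alpha*I and alpha*S.  The symbol
names and the toy alpha(t) below are this example's assumptions."""
import math


def diurnal_shape(t_hours, utc_offset_hours, night_fraction=0.25):
    """Constructed alpha_i(t): raised cosine peaking at local 15:00 and
    bottoming out at local 03:00, with night_fraction of hosts still online
    at the trough.  (The paper derives alpha from bots' connection attempts
    to the KarstNet sinkhole; this is a stand-in.)"""
    local = (t_hours + utc_offset_hours) % 24.0
    phase = math.cos(2.0 * math.pi * (local - 15.0) / 24.0)  # +1 at 15:00, -1 at 03:00
    return night_fraction + (1.0 - night_fraction) * (phase + 1.0) / 2.0


def simulate_single_zone(n_vuln, i0, beta, gamma, hours, dt=0.01, shape=None):
    """Euler integration of the single-zone model
        dI/dt = beta * (alpha*I) * (alpha*S) - gamma * (alpha*I)
        dS/dt = -beta * (alpha*I) * (alpha*S)
        dR/dt = gamma * (alpha*I)
    (removal acting on online infected hosts is our reading of the slide's
    "removal" term).  shape=None sets alpha == 1, i.e. the plain epidemic
    model.  Returns (S, I, R) after `hours` hours."""
    s, i, r = float(n_vuln - i0), float(i0), 0.0
    for k in range(int(round(hours / dt))):
        a = 1.0 if shape is None else shape(k * dt)
        new_inf = beta * (a * i) * (a * s) * dt
        new_rem = gamma * (a * i) * dt
        s, i, r = s - new_inf, i + new_inf - new_rem, r + new_rem
    return s, i, r


def simulate_multi_zone(zones, eta, gamma, hours, dt=0.01):
    """K time zones.  zones: list of dicts with offset (hours from UTC),
    omega (IP space size), n_vuln, i0.  For zone i
        dI_i/dt = sum_j beta_ji * alpha_j*I_j * alpha_i*S_i - gamma * alpha_i*I_i
        beta_ji = eta_ji / omega_i     (scan rate j -> i over zone i's IP space)
    Uniform scanning is assumed: every bot scans eta addresses per hour over
    the whole space, so eta_ji = eta * omega_i / omega_total; to model a
    non-uniform strategy, build eta_ji differently.  Returns [(S, I, R), ...]."""
    K = len(zones)
    omega_total = sum(z["omega"] for z in zones)
    eta_ji = [[eta * zones[i]["omega"] / omega_total for i in range(K)] for j in range(K)]
    beta = [[eta_ji[j][i] / zones[i]["omega"] for i in range(K)] for j in range(K)]
    S = [float(z["n_vuln"] - z["i0"]) for z in zones]
    I = [float(z["i0"]) for z in zones]
    R = [0.0] * K
    for k in range(int(round(hours / dt))):
        t = k * dt
        alpha = [diurnal_shape(t, z["offset"]) for z in zones]
        new_inf, new_rem = [0.0] * K, [0.0] * K
        for i in range(K):
            pressure = sum(beta[j][i] * alpha[j] * I[j] for j in range(K))
            new_inf[i] = pressure * alpha[i] * S[i] * dt
            new_rem[i] = gamma * alpha[i] * I[i] * dt
        for i in range(K):
            S[i] -= new_inf[i]
            I[i] += new_inf[i] - new_rem[i]
            R[i] += new_rem[i]
    return list(zip(S, I, R))


if __name__ == "__main__":
    classic = simulate_single_zone(1000, 1, 0.002, 0.0, 4)
    diurnal = simulate_single_zone(1000, 1, 0.002, 0.0, 4, shape=lambda t: diurnal_shape(t, 0))
    print("4 h after a midnight release: classic I=%.0f, diurnal I=%.1f" % (classic[1], diurnal[1]))
    zones = [dict(offset=0, omega=1000.0, n_vuln=1000, i0=1),
             dict(offset=15, omega=1000.0, n_vuln=1000, i0=0)]
    for (s, i, r), z in zip(simulate_multi_zone(zones, 2.0, 0.05, 24), zones):
        print("zone UTC%+d: S=%.1f I=%.1f R=%.1f" % (z["offset"], s, i, r))
```

With the shaping function set to 1 the single-zone routine is the classical epidemic model; releasing the same botnet at local midnight, when alpha is near its trough, slows the first hours of growth markedly, which is what slide 10's fit is measuring. The K-zone routine takes a zone whose local time is mid-afternoon at release and shows it being seeded by the scans of a zone that is asleep.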

10 Validation: Fitting the model to botnet data
The diurnal model fits the monitored botnet data more accurately than the traditional epidemic model

11 Applications of the diurnal model
Predict the growth of a future botnet from the monitored ones
 Uses the same vulnerability? Then it likely has a similar α(t)
Improve response priority
 Botnets released at different times of day grow at different rates


13 Population estimation I: Capture-recapture
Estimate the botnet population from the number of bots observed in each of two samples and the number observed in both samples
How to obtain two independent samples?
 KarstNet monitors two C&C servers of one botnet
 Need to verify independence with more data
 Study how to get a good estimate when the two samples are not independent
 KarstNet + honeypot spying
 Guaranteed independence?
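The capture-recapture estimate and the independence concern of the slide, as an added example rather than the authors' code. It assumes the Lincoln-Petersen form N = n1 * n2 / m (the slide only names the three quantities), adds Chapman's bias-corrected variant, and uses a constructed botnet whose bots reach two sinkholed C&C names with either independent or correlated probabilities.

```python
"""Capture-recapture (Lincoln-Petersen) estimate of botnet population from
two samples, e.g. the bots seen at two sinkholed C&C names of one botnet.
The constructed simulation shows why the slide worries about independence:
positively dependent samples bias the estimate low."""
import random


def lincoln_petersen(n1, n2, m):
    """n1, n2: bots observed in sample 1 and 2; m: bots observed in both.
    Population estimate N = n1 * n2 / m (the relation on the slide)."""
    if m == 0:
        raise ValueError("no bot seen in both samples; Lincoln-Petersen is undefined")
    return n1 * n2 / m


def chapman(n1, n2, m):
    """Chapman's bias-corrected variant, finite even when m == 0 (assumption:
    not on the slide, but the standard small-sample correction)."""
    return (n1 + 1) * (n2 + 1) / (m + 1) - 1


def simulate_two_samples(n_bots, p_first, p_second_if_seen, p_second_if_unseen, seed=1):
    """Constructed botnet of n_bots.  Sample 1: bots that reached C&C A
    (probability p_first each).  Sample 2: bots that reached C&C B, with a
    probability that may depend on membership in sample 1.  Equal
    probabilities give independent samples; p_second_if_seen > p_second_if_unseen
    models dependence (the same always-on bots reach both C&Cs).
    Returns (n1, n2, m)."""
    rng = random.Random(seed)
    n1 = n2 = m = 0
    for _ in range(n_bots):
        in_first = rng.random() < p_first
        in_second = rng.random() < (p_second_if_seen if in_first else p_second_if_unseen)
        n1 += in_first
        n2 += in_second
        m += in_first and in_second
    return n1, n2, m


def compare_estimates(n_bots=10000, seed=1):
    """Estimates from an independent pair of samples and from a positively
    dependent pair, against the constructed true size."""
    indep = simulate_two_samples(n_bots, 0.3, 0.3, 0.3, seed)
    dep = simulate_two_samples(n_bots, 0.3, 0.6, 0.2, seed)
    return {"true": n_bots,
            "independent": lincoln_petersen(*indep),
            "dependent": lincoln_petersen(*dep)}


if __name__ == "__main__":
    for name, value in compare_estimates().items():
        print("%-12s %8.0f" % (name, value))
```

With the dependent pair the overlap m is inflated relative to what independence would give, so n1 * n2 / m lands well under the true population; the estimator only says something about the whole botnet when being seen at one C&C tells you nothing about being seen at the other, which is exactly what the slide says still has to be verified for KarstNet's two C&C samples.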

14 Population estimation II: DNS cache snooping
Estimate the number of bots in each domain from the bots' DNS queries for the C&C name to their local DNS server
 A non-recursive query from the prober will not change the DNS cache, but it reveals whether the name is cached and the remaining cache TTL
The cached record expires after its TTL; T_i is the gap between the expiry of the record and the next bot query, which refreshes it
If the bots' query inter-arrival times are exponentially distributed, then T_i follows the same exponential distribution (memorylessness)
From the observed T_i and the query rate per bot, estimate the number of bots


16 Basic threat assessment
Botnet size (population estimation)
Active/online population at attack time (diurnal model)
IP addresses of the bots in the botnet
 Basis for effective filtering/defense
 KarstNet is a good monitor for this
 Honeypot spying is not good at this
Botnet control structure (easy to disrupt?)
 IPs and number of C&C servers of a botnet?
 P2P botnets?

17 Botnet attack bandwidth
Bot bandwidth: heavy-tailed distribution
 Filtering 32% of the bots cuts off 70% of the attack traffic
Is bot bandwidth also heavy-tailed in terms of ASes?
 If so, contacting the top x% of ASes is enough for a victim to defend against a botnet DDoS attack
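The "filter the top x% of sources" calculation behind the slide, written out as an added example (not the authors' measurement code), applied per bot and then per AS. The bandwidths are a constructed Pareto sample and the bot-to-AS assignment a constructed Zipf-like one, so the numbers it prints illustrate the heavy-tail effect and are not the measured 32%/70% figure.

```python
"""Which fraction of sources must be filtered to remove a given share of
DDoS traffic, per bot and per AS.  Bandwidths and the bot-to-AS mapping are
constructed here (a Pareto sample and a skewed AS assignment), not the
measured KarstNet data behind the slide's 32% / 70% figure."""
import random
from collections import defaultdict


def fraction_to_cut(weights, target_share):
    """Smallest fraction of sources, largest first, whose summed weight is at
    least target_share of the total (1.0 if it cannot be reached)."""
    ordered = sorted(weights, reverse=True)
    total = float(sum(ordered))
    running = 0.0
    for k, w in enumerate(ordered, 1):
        running += w
        if running / total >= target_share - 1e-12:
            return k / len(ordered)
    return 1.0


def share_of_top(weights, fraction):
    """Share of the total weight held by the top `fraction` of sources."""
    ordered = sorted(weights, reverse=True)
    k = max(1, int(round(fraction * len(ordered))))
    return sum(ordered[:k]) / float(sum(ordered))


def per_as_weights(bot_bw_by_as):
    """Collapse per-bot bandwidth into per-AS bandwidth."""
    return [sum(bws) for bws in bot_bw_by_as.values()]


def constructed_botnet(n_bots=10000, n_as=500, seed=3):
    """Heavy-tailed bot bandwidths (Pareto, shape 1.2) and a skewed assignment
    of bots to ASes (AS of rank r receives bots with probability ~ 1/r).
    Constructed data, not a measurement."""
    rng = random.Random(seed)
    ranks = list(range(1, n_as + 1))
    by_as = defaultdict(list)
    for asn in rng.choices(ranks, weights=[1.0 / r for r in ranks], k=n_bots):
        by_as["AS%d" % asn].append(rng.paretovariate(1.2))
    return by_as


def filtering_summary(bot_bw_by_as, target_share=0.7):
    """Fraction of bots to filter, fraction of ASes to contact, and the share
    of traffic removed by filtering the top 32% of bots."""
    bots = [bw for bws in bot_bw_by_as.values() for bw in bws]
    return {"bots_to_filter": fraction_to_cut(bots, target_share),
            "ases_to_contact": fraction_to_cut(per_as_weights(bot_bw_by_as), target_share),
            "share_cut_by_top_32pct_bots": share_of_top(bots, 0.32)}


if __name__ == "__main__":
    for name, value in filtering_summary(constructed_botnet()).items():
        print("%-28s %.3f" % (name, value))
```

Against a flat bandwidth distribution the same function says 70% of the bots must be filtered to remove 70% of the traffic; the heavy tail is what makes a short block list (or a short list of ASes to call) effective, and the per-AS version is the computation the slide's open question about ASes asks for.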