BotCatch: A Behavior and Signature Correlated Bot Detection Approach


1 BotCatch: A Behavior and Signature Correlated Bot Detection Approach
Yuede Ji, Qiang Li, Yukun He and Dong Guo, Jilin University, 11/13/2013

2 OUTLINE
  INTRODUCTION
  THE PROPOSED APPROACH
  EXPERIMENTAL EVALUATION
  DISCUSSION
  CONCLUSION


4 What is a botnet and a bot? A botnet is a network composed of a large number of infected hosts under the control of a botmaster through a Command and Control (C&C) channel. A bot is one of the infected hosts. [Figure: botmaster, C&C infrastructure, bots / infected hosts]

5 What is a botnet and a bot?
  3 basic elements: bot, C&C channel, botmaster
  Various C&C channels: centralized (IRC, HTTP); decentralized (peer-to-peer, P2P)
  A major threat to Internet security: DDoS, spam, identity theft, phishing

6 Existing Detection Approaches
  Network-based: analyzes network traffic to filter out the bot hosts
  Host-based:
    Signature-based approach extracts feature information from the suspicious program and matches it against a knowledge database
    Behavior-based approach monitors abnormal behaviors on the host to determine whether the host is infected

7 The Problem: Signature vs. Behavior
  Signature-based
    Advantages: low risk, low false positives, low overhead
    Disadvantages: unable to detect novel bots, unable to deal with obfuscation, requires a lot of prior knowledge
  Behavior-based
    Advantages: can detect novel bots, can deal with obfuscation, performs real-time detection
    Disadvantages: high risk, low detection accuracy, high overhead
  A question occurred: is it better if we combine these two approaches?
  BotCatch: combine behavior and signature detection to overcome their respective drawbacks.


9 System architecture of BotCatch

10 M1: Analysis Engine
  Submission interface: 3 ways, web, submission API, database interface
  Schedule: assigns the sample to the signature and behavior analysis engines.

11 M2: Signature Analysis Engine
  Submit the sample to VirusTotal, a free online service that analyzes files and URLs using popular antivirus engines and website scanners. It returns the results of about 47 different antivirus engines.
  Signature result: d/47, where d is the number of engines that flag the sample.

12 M3: Behavior Analysis Engine
  Run the suspicious sample in an isolated environment. Monitor the Registry, file system, and network behaviors to generate the behavior feature vector.
  Index  Feature Description
  1   Creation or Modification of AutoRun Key in Registry
  2   Creation or Modification of Process Injection Key in Registry
  3   Creation or Modification of Other Critical Registry Key
  4   DLL Creation into System Directory
  5   EXE Creation into System Directory
  6   Modification of Files in System Directory
  7   Creation of Other Files in System Directory
  8   Number of Ports Opened
  9   Number of Suspicious Ports
  10  Number of Unique IPs Contacted
  11  Number of Suspicious IPs

13 M3: Behavior Analysis Engine
  Use a Support Vector Machine (SVM).
  We need a more accurate value for how likely a feature vector belongs to a particular class, not only the label result (malicious or benign).
  Calibrate the distance score to a posterior classification probability. Three variants: A, B, f

14 M4: Correlation Engine
  Input: behavior suspicion value b, signature suspicion value s
  Output: w; compare w with a threshold to determine malicious or benign

15 Feedback mechanism
  Objective: dynamically guide the learning procedure of the behavior analysis engine.
  Procedure: runs between the behavior and correlation engines. Specifically, for samples where the signature engine returns a high ratio while the behavior engine returns a low value, we flag the samples as malicious and add them to the retraining set.
  This gradually makes our approach more accurate.
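The pipeline of slides 11 through 15 (signature ratio d/47, calibrated SVM score, correlation output w, feedback selection) as an added Python example; this is not the authors' code. It assumes a Platt-style sigmoid for the A, B calibration and an equal-weight linear combination for w, neither of which the slides specify, and the samples are constructed.

```python
import math
from dataclasses import dataclass

NUM_AV_ENGINES = 47  # VirusTotal returned results from about 47 engines (slide 11)

@dataclass
class Sample:
    name: str
    distance: float   # signed SVM distance from the decision boundary (constructed)
    detections: int   # engines that flagged the sample, the d in d/47 (constructed)

def calibrate(distance: float, a: float, b: float) -> float:
    # Map an SVM distance to P(malicious | x). A Platt-style sigmoid with
    # parameters A, B is an assumption; the slides only name A, B and f.
    return 1.0 / (1.0 + math.exp(a * distance + b))

def signature_suspicion(detections: int) -> float:
    return detections / NUM_AV_ENGINES   # s = d/47 (slide 11)

def correlate(b: float, s: float, alpha: float = 0.5) -> float:
    # Correlation engine output w. The equal-weight linear combination is an
    # assumption; the slides do not give the formula.
    return alpha * b + (1.0 - alpha) * s

def classify(w: float, threshold: float = 0.5) -> str:
    return "malicious" if w >= threshold else "benign"   # slide 14

def feedback(samples, a, b, sig_high=0.5, beh_low=0.3):
    # Feedback mechanism (slide 15): samples the signature engine rates high but
    # the behavior engine rates low are flagged malicious and queued for retraining.
    retrain = []
    for smp in samples:
        if (signature_suspicion(smp.detections) >= sig_high
                and calibrate(smp.distance, a, b) <= beh_low):
            retrain.append((smp.name, "malicious"))
    return retrain

A, B = -1.5, 0.0   # assumed calibration parameters (normally fitted on training data)
SAMPLES = [        # constructed inputs, not data from the paper
    Sample("known_bot", 2.0, 40),     # both engines agree: malicious
    Sample("evasive_bot", -2.0, 35),  # behavior misses it, signature does not
    Sample("benign_tool", -2.0, 0),   # both engines agree: benign
]

def run(samples=SAMPLES):
    out = {}   # name -> (w rounded to 3 places, verdict)
    for smp in samples:
        w = correlate(calibrate(smp.distance, A, B), signature_suspicion(smp.detections))
        out[smp.name] = (round(w, 3), classify(w))
    return out
```

The evasive sample is missed by the correlated verdict at this threshold but is picked up by the feedback rule, which is exactly the case slide 15 targets.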


17 Implementation
  Use Cuckoo as our analysis system, a leading open source automated malware analysis system.
  Binaries collected from Open Malware: 625 binaries, of which about 237 are ineffective, leaving 388 samples (338 bots and 50 benign).

18 Experiments
  We run three experiments: signature-based bot detection, behavior-based bot detection, and behavior and signature correlated bot detection.
  In the behavior-based bot detection experiment, we divide the samples into 10 groups; 9 of them are used for training, and the remaining 1 is used for evaluation.

19 Experiment Results
  False Positive Rate (FP) / False Negative Rate (FN)
  Signature Detection: FP 0%, FN 1.78%
  Behavior Detection: FP 16.7%
  Correlated Detection: FP 5.56%
  Signature has 0% FP; the correlated approach decreases FP to 5.56%.
  The correlated approach can achieve better detection accuracy.


21 Discussion
  Correlation engine: can get a good detection result, but is a little too straightforward; it is not good enough at balancing the weights of signature and behavior in different situations.
  Feedback mechanism: an interesting mechanism that can be expected to give a good result, but needs further theoretical proof and evaluation.


23 CONCLUSION The correlated detection approach can get a better detection result than pure signature or pure behavior detection. A lot of further work is needed.

24 Thanks! Questions?
