Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modeling and Measuring Botnets

Published byVirginie Couture Modified over 6 years ago

Similar presentations

Presentation on theme: "Modeling and Measuring Botnets"— Presentation transcript:

1 Modeling and Measuring Botnets
David Dagon, Wenke Lee Georgia Institute of Technology Cliff C. Zou Univ. of Central Florida

2 Outline Motivation Diurnal modeling of botnet propagation
Botnet population estimation Botnet threat assessment Advanced botnet

3 Motivation Botnet becomes a serious threat
Not much research on botnet yet Empirical analysis of captured botnets Mainly based on honeypot spying Need understanding of the network of botnet Botnet growth dynamics Botnet (on-line) population, threat level … Well prepared for next generation botnet

4 Outline Motivation Diurnal modeling of botnet propagation
Botnet population estimation Botnet threat assessment Advanced botnet

5 Botnet Monitor: Gatech KarstNet
attacker A lot bots use Dyn-DNS name to find C&C C&C C&C cc1.com KarstNet informs DNS provider of cc1.com Detect cc1.com by its abnormal DNS queries bot bot DNS provider maps cc1.com to Gatech sinkhole (DNS hijack) bot KarstNet sinkhole All/most bots attempt to connect the sinkhole

6 Diurnal Pattern in Monitored Botnets
Diurnal pattern affects botnet propagation rate Diurnal pattern affects botnet attack strength

7 Botnet Diurnal Propagation Model
Model botnet propagation via vulnerability exploit Same as worm propagation Extension of epidemic models Model diurnal pattern Computers in one time zone  same diurnal pattern “Diurnal shaping function” i(t) of time zone i Percentage of online hosts in time zone i Derived based on the continuously connection attempts by bots in time zone i to Gatech KarstNet

8 Modeling Propagation: Single Time Zone
: # of infected :# of online infected : # of vulnerable :# of online vulnerable Diurnal pattern means: removal Epidemic model Diurnal model

9 Modeling Propagation: K Multiple Time Zones (Internet)
Limited ability to model non-uniform scan scan rate from zone ji IP space size of zone i

10 Validation: Fitting model to botnet data
Diurnal model is more accurate than traditional epidemic model

11 Applications of diurnal model
Predict future botnet growth with monitored ones Use same vulnerability?  have similar (t) Improve response priority Released at different time

12 Outline Motivation Diurnal modeling of botnet propagation
Botnet population estimation Botnet threat assessment Advanced botnet

13 Population estimation I: Capture-recapture
# of observed (two samples) Botnet population # of observed in both samples How to obtain two independent samples? KarstNet monitors two C&C for one botnet Need to verify independence with more data Study how to get good estimation when two samples are not independent KarstNet + honeypot spying Guaranteed independence?

14 Population estimation II: DNS cache snooping
Estimate # of bots in each domain via DNS queries of C&C to its local DNS server Non-recursive query will not change DNS cache Cache TTL …. Time If queries inter-arrival time is exponentially distributed, then Ti follows the same exp. distr. (memoryless) Query rate/bot

15 Outline Motivation Diurnal modeling of botnet propagation
Botnet population estimation Botnet threat assessment Advanced botnet

16 Basic threat assessment
Botnet size (population estimation) Active/online population when attack (diurnal model) IP addresses of bots in botnets Basis for effective filtering/defense KarstNet is a good monitor for this Honeypot spying is not good at this Botnet control structure (easy to disrupt?) IPs and # of C&C for a botnet? P2P botnets?

17 Botnet attack bandwidth
Bot bandwidth: Heavy-tailed distribution Filtering 32% of bots cut off 70% of attack traffic How about bots bandwidth in term of ASes? If yes, then contacting top x% of ASes is enough for a victim to defend against botnet DDoS attack

18 Outline Motivation Diurnal modeling of botnet propagation
Botnet population estimation Botnet threat assessment Advanced botnet

19 Monitoring evasion by botmasters
Honeypot detection Honeypot defenders are liable for attacks sending out C&C bot sensor (secret) malicious traffic Inform bot’s IP Authorize C&C hijacking detection (e.g., KarstNet) Check if C&C names map to their real IPs Attacker knows which computers used for C&Cs Check if C&C passes trivial commands to bots

20 Advanced hybrid P2P botnet
Why use P2P by attackers? Remove control bottleneck (C&C) C&Cs are easy to be monitored One honeypot spy reveals all C&Cs One captured/hijacked C&C reveals all bots C&C are easy to be shut down (limited number) Current P2P protocols will not work for botnets Bootstrap process is vulnerable to be blocked Disable global view from each bot (prevent monitoring) Must consider DHCP, private IP, firewall, capture, removal

21 Advanced botnet designs
Servent bots Servent bots: static IP, no firewall blocking Peer-list based connection: Max number of servent bot IPs in each bot Limited view of botnet Built as a botnet spreads No bootstrap process No reveal of entire botnet Client bots Compare to C&C botnets: Large # of C&C bots interconnect to each other

22 Advanced botnet designs
Public key in bot code, private key in botmaster Ensure command authentication/integrity Individualized encryption, service port Defeat traffic-based detection Limited exposure when one bot is captured Peer list:

23 Advanced botnet designs
Easy monitoring by botmaster Command all bots report to a “sensor” host Each bot report: peer list, encryption key, service port, IP, diurnal property, IP property, link bandwidth…. Different sensor hosts in each round of report command Prevent sensors from being blocked, captured Robust botnet construction by peer-list updating With few re-infections, initial servent bots are highly connected (each connecting to >60% of bots in a botnet) “Peer-list Update” command: each bot goes to a “sensor” host to get its new peer list Peer list randomly selected from previous reported servent bots

24 Botnet robustness study
: remove top p fraction of servent bots used in “update” command : connected ratio – how many remaining bots are connected Simulation settings: 20,000-size botnet, are servent bots (hundreds of reinfections) 1000 servent bots used in update command

25 Future work Propagation modeling Population estimation:
Diurnal model of -based propagation Parameters: (t), , removal dynamics Population estimation: Validate the independence of monitor samples Validate the Poisson arrival in C&C DNS queries Threat assessment AS-level botnet bandwidth (heavy tailed?) Bot access link speed --- better representation? Monitor and model of advanced botnets

26 Reference NSF Cyber Trust grant: CNS-0627318
"Collaborative Research: CT-ISG: Modeling and Measuring Botnets" PI: Cliff Zou, PI: Wenke Lee David Dagon, Cliff C. Zou, and Wenke Lee. "Modeling Botnet Propagation Using Time Zones," in 13th Annual Network and Distributed System Security Symposium (NDSS), Feb., San Diego, 2006 (Acceptance ratio: 17/127=13.4%). Cliff C. Zou and Ryan Cunningham. "Honeypot-Aware Advanced Botnet Construction and Maintenance," in the International Conference on Dependable Systems and Networks (DSN), Jun., Philadelphia, 2006 (Acceptance ratio: 34/187=18.2%). Ping Wang, Sherri Sparks, Cliff C. Zou. “An Advanced Hybrid Peer-to-Peer Botnet,” in submission. Cliff Zou homepage:

Download ppt "Modeling and Measuring Botnets"

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,

A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
1 Email Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.

1 Worm Modeling and Defense Cliff C. Zou, Don Towsley, Weibo Gong Univ. Massachusetts, Amherst.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
1 Internet Security Threat Report X Internet Security Threat Report VI Figure 1.Distribution Of Attacks Targeting Web Browsers.

1 Internet Security Threat Report X Internet Security Threat Report VI Figure 1.Distribution Of Attacks Targeting Web Browsers.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu, Roberto Perdisci, Junjie Zhang, and.

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu, Roberto Perdisci, Junjie Zhang, and.
Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.

Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.
CAP6135: Malware and Software Vulnerability Analysis Botnets Cliff Zou Spring 2012.

CAP6135: Malware and Software Vulnerability Analysis Botnets Cliff Zou Spring 2012.
2010. 5. Jeong, Hyun-Cheol. 2 Contents DDoS Attacks in Korea 1 1 Countermeasures against DDoS Attacks in Korea Countermeasures against DDoS Attacks in.

Jeong, Hyun-Cheol. 2 Contents DDoS Attacks in Korea 1 1 Countermeasures against DDoS Attacks in Korea Countermeasures against DDoS Attacks in.

Similar presentations

Ads by Google