
1 BOTHUNTER: DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION
Authors: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke Lee
Publication: USENIX Security Symposium, 2007
Presentation by: Bharat Soundararajan

2 INTRODUCTION
- Network perimeter monitoring system called BotHunter
- Tracks two-way communication between internal assets and external entities
- A dialog correlator inside BotHunter ties these communications together
- The resulting sequence of evidence is matched against the botnet infection dialog

3 BOTNET INFECTION SEQUENCE
- Propagates through remote exploit injection, e.g. NetBIOS (139), MyDoom (3127), DameWare (6129)
- After infection the victim host downloads the full Phatbot binary
- The bot inserts itself into the boot process and turns security processes off
- Connects to the C&C server; the infected host now acts as a bot

4 MODEL OF THE DIALOG PROCESS

5 BOT INFECTION DECLARATION
- Condition 1: evidence of local host infection (E2) and evidence of outward bot coordination or attack propagation (E3 to E5)
- Condition 2: at least two distinct signs of outward bot coordination or attack propagation (E3 to E5)

6 BOTHUNTER SYSTEM ARCHITECTURE
- Snort is used for detection
- Extra plug-ins, SCADE and SLADE, are added to Snort
- A network dialog correlation matrix is the central data structure
- Bot infection profiles are reported to a remote repository
- Reporting uses TLS over Tor (onion routing)

7 BOTHUNTER SYSTEM ARCHITECTURE

8 SCADE (Statistical Scan Anomaly Detection Systems): INBOUND SCAN DETECTION
- Weighted specifically towards the ports often used by malware
- Memory usage scales with the number of inside hosts
- Tracks failed connection attempts on each port
- Ports are classified in BotHunter as:
  1) Highly vulnerable ports: 80 (HTTP), 445 (NetBIOS), 26 (TCP), 4 (UDP)
  2) Low vulnerable ports

9 SCADE (Statistical Scan Anomaly Detection Systems)
Inbound scan detection: S = W1 * F_hs + W2 * F_ls
where
  W1 = weight of high-severity ports
  W2 = weight of low-severity ports
  F_hs = number of connection failures on high-severity ports
  F_ls = number of connection failures on low-severity ports

10 SCADE (Statistical Scan Anomaly Detection Systems)
Outbound scan detection: S = (W1 * F_hs + W2 * F_ls) / C
where
  W1 = weight of high-severity ports
  W2 = weight of low-severity ports
  F_hs = number of connection failures on high-severity ports
  F_ls = number of connection failures on low-severity ports
  C = total number of scans from the host within a time window
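The two SCADE formulas on slides 9 and 10, worked through in Python. This is an added example written for this page, not BotHunter's code: the high-severity port set, the weights W1 and W2, the alert thresholds and the connection log are all constructed for illustration (the real BotHunter port list is not on the slides).

```python
"""SCADE-style weighted scan scoring (added example, not BotHunter's code).

Implements the two formulas from the slides:
  inbound:  S = W1 * F_hs + W2 * F_ls
  outbound: S = (W1 * F_hs + W2 * F_ls) / C
Port classes, weights and thresholds below are assumptions for illustration.
"""

# Assumed port classification: BotHunter's real high-severity list is not on the slides.
HIGH_SEVERITY_PORTS = {80, 135, 139, 445, 3127, 6129}
W1 = 2.0                  # weight of high-severity ports (assumed)
W2 = 1.0                  # weight of low-severity ports (assumed)
INBOUND_THRESHOLD = 4.0   # assumed alert threshold on the inbound score
OUTBOUND_THRESHOLD = 1.0  # assumed alert threshold on the outbound (per-attempt) score

# Constructed connection log: one record per connection attempt seen at the perimeter.
EVENTS = [
    {"src": "203.0.113.9",   "dport": 445,  "failed": True},
    {"src": "203.0.113.9",   "dport": 139,  "failed": True},
    {"src": "203.0.113.9",   "dport": 8080, "failed": True},
    {"src": "203.0.113.9",   "dport": 80,   "failed": False},
    {"src": "192.168.10.45", "dport": 445,  "failed": True},
    {"src": "192.168.10.45", "dport": 445,  "failed": True},
    {"src": "192.168.10.45", "dport": 6129, "failed": True},
    {"src": "192.168.10.45", "dport": 25,   "failed": True},
    {"src": "192.168.10.45", "dport": 80,   "failed": False},
    {"src": "192.168.12.1",  "dport": 80,   "failed": False},
    {"src": "192.168.12.1",  "dport": 443,  "failed": False},
]


def failure_counts(events, src):
    """Return (F_hs, F_ls): failed attempts by `src` on high- and low-severity ports."""
    f_hs = f_ls = 0
    for ev in events:
        if ev["src"] == src and ev["failed"]:
            if ev["dport"] in HIGH_SEVERITY_PORTS:
                f_hs += 1
            else:
                f_ls += 1
    return f_hs, f_ls


def inbound_scan_score(events, external_src):
    """S = W1*F_hs + W2*F_ls for an external host probing the inside network."""
    f_hs, f_ls = failure_counts(events, external_src)
    return W1 * f_hs + W2 * f_ls


def outbound_scan_score(events, internal_src):
    """S = (W1*F_hs + W2*F_ls) / C, with C = all attempts from the inside host in the window."""
    f_hs, f_ls = failure_counts(events, internal_src)
    c = sum(1 for ev in events if ev["src"] == internal_src)
    if c == 0:
        return 0.0
    return (W1 * f_hs + W2 * f_ls) / c


def flag_scanners(events, internal_prefix="192.168."):
    """Score every source once and return (inbound scanners, outbound scanners)."""
    inbound, outbound = set(), set()
    for src in {ev["src"] for ev in events}:
        if src.startswith(internal_prefix):
            if outbound_scan_score(events, src) >= OUTBOUND_THRESHOLD:
                outbound.add(src)
        elif inbound_scan_score(events, src) >= INBOUND_THRESHOLD:
            inbound.add(src)
    return inbound, outbound


if __name__ == "__main__":
    print(flag_scanners(EVENTS))
```

Dividing the outbound score by C is what separates a host that fails many connections because it is scanning from a busy host that fails a few out of many legitimate ones; in the constructed log, 192.168.10.45 scores 1.4 per attempt and is flagged, while 192.168.12.1 with no failures scores 0.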

11 SLADE (Statistical Payload Anomaly Detection Engine)
- 1-gram payload system: occurrence frequency of each of the 256 possible byte values in the payload
- Examines every request packet sent to the monitored services and raises an alert if it deviates from the normal profile
- n-grams would improve accuracy and resistance to evasion, e.g. against polymorphic worms
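A 1-gram payload profile of the kind slide 11 describes, as an added Python example (illustrative code for this page, not SLADE's implementation). The normal profile is the mean and spread of each byte value's relative frequency over benign requests; a request is scored by its total deviation from that profile. The training requests, the threshold and the smoothing constant are constructed assumptions.

```python
"""SLADE-style 1-gram payload anomaly detection (added example, not BotHunter's code).

A normal profile is the per-byte-value frequency distribution (256 bins) learned from
benign requests; a new request is scored by how far its own distribution deviates
from that profile. Training requests, threshold and smoothing are constructed/assumed.
"""

# Constructed benign traffic used to build the normal profile for one monitored service.
TRAINING_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\nuser=alice&password=secret1",
    b"GET /about HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
]
THRESHOLD = 500.0  # assumed alert threshold on the deviation score


def byte_frequencies(payload):
    """1-gram model: relative frequency of each of the 256 byte values."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = max(len(payload), 1)
    return [c / n for c in counts]


class OneGramProfile:
    """Mean and standard deviation of each byte value's frequency over benign payloads."""

    def __init__(self, smoothing=0.001):
        self.mean = [0.0] * 256
        self.std = [0.0] * 256
        self.smoothing = smoothing  # keeps never-seen bytes from dividing by zero

    def fit(self, payloads):
        freqs = [byte_frequencies(p) for p in payloads]
        n = len(freqs)
        for i in range(256):
            column = [f[i] for f in freqs]
            m = sum(column) / n
            var = sum((x - m) ** 2 for x in column) / n
            self.mean[i], self.std[i] = m, var ** 0.5
        return self

    def score(self, payload):
        """Sum of per-byte deviations in units of (std + smoothing); larger is more anomalous."""
        f = byte_frequencies(payload)
        return sum(abs(f[i] - self.mean[i]) / (self.std[i] + self.smoothing)
                   for i in range(256))


PROFILE = OneGramProfile().fit(TRAINING_REQUESTS)


def is_anomalous(payload, profile=PROFILE, threshold=THRESHOLD):
    """Alert when a request deviates from the normal profile by more than the threshold."""
    return profile.score(payload) > threshold


# Constructed test inputs: a plain request, and a request carrying a non-text binary blob,
# the kind of byte distribution a 1-gram profile of text traffic does not expect.
BENIGN_REQUEST = b"GET /contact HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n"
BINARY_REQUEST = b"GET /" + bytes(range(128, 256)) * 2 + b" HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("binary", BINARY_REQUEST)):
        print(name, round(PROFILE.score(req), 1), "ALERT" if is_anomalous(req) else "ok")
```

Because the model only looks at single-byte frequencies, any payload whose byte histogram resembles normal text scores low regardless of what the bytes mean, which is exactly the limitation slide 11 (and slide 20) points at when it says n-grams would harden the detector against polymorphic worms.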

12 NETWORK DIALOG CORRELATION MATRIX (figure): one row per internal host with its timer type, and one column per dialog class E1 to E5, each cell holding alert identifiers. Rows shown: 192.168.12.1 (soft timer), 192.168.10.45 (hard), 192.168.10.66 (hard), 192.168.12.46 (hard), 192.168.11.123 (hard & soft).

13
- Dynamically allocated row: summary of one internal host's dialog with external entities
- Cell: one or more sensor alerts that map into one of the five dialog columns (E1 to E5)
- Correlation matrix: grows dynamically when new activity involving a local host is detected, and rows expire
- Timers are set for expiry of the observation window

14 TYPES OF TIMERS
- HARD PRUNE TIMERS (filled clocks): fixed time interval over which dialog warnings are aggregated; after evaluation, leads either to a bot declaration or to complete removal of that dialog trace
- SOFT PRUNE TIMERS (open-faced clocks): smaller time window that lets users configure tighter interval requirements; inbound scan warnings are expired more quickly by the soft prune interval

15 BOT DECLARATION
- An expectation table is compared with the values obtained from the calculation
- When a dialog sequence crosses the threshold, a bot is declared; otherwise no bot is declared
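The declaration conditions from slide 5 together with the matrix, timer and declaration mechanics of slides 12 to 15, put together as an added Python example (illustrative code written for this page, not BotHunter's implementation). The meanings of E1 to E5 follow the paper's dialog model (E1 inbound scan, E2 inbound exploit, E3 egg download, E4 C&C communication, E5 outbound scan); the timer lengths, host addresses and alert strings are constructed.

```python
"""Simplified BotHunter-style dialog correlation (added example; not the project's own code).

Each internal host gets a row in the correlation matrix with one cell per dialog class
E1 to E5 (in the paper's model: E1 inbound scan, E2 inbound exploit, E3 egg download,
E4 C&C communication, E5 outbound scan). The two declaration conditions are the ones
on the slides; the timer lengths and the alert sequence are assumptions for illustration.
"""
from dataclasses import dataclass, field

E1, E2, E3, E4, E5 = "E1", "E2", "E3", "E4", "E5"
CLASSES = (E1, E2, E3, E4, E5)
HARD_PRUNE_SECONDS = 4 * 3600   # assumed: fixed window over which warnings aggregate
SOFT_PRUNE_SECONDS = 30 * 60    # assumed: tighter window for quickly-expiring warnings
SOFT_PRUNED_CLASSES = {E1}      # inbound scan warnings expire on the soft timer


@dataclass
class DialogRow:
    host: str
    opened_at: float
    cells: dict = field(default_factory=lambda: {c: [] for c in CLASSES})

    def add(self, cls, ts, alert):
        self.cells[cls].append((ts, alert))

    def soft_prune(self, now):
        """Drop soft-timed warnings older than the soft window."""
        for cls in SOFT_PRUNED_CLASSES:
            self.cells[cls] = [(ts, a) for ts, a in self.cells[cls]
                               if now - ts <= SOFT_PRUNE_SECONDS]

    def hard_expired(self, now):
        return now - self.opened_at > HARD_PRUNE_SECONDS

    def meets_declaration(self):
        """Condition 1: E2 plus any of E3-E5. Condition 2: two distinct classes among E3-E5."""
        outward = [c for c in (E3, E4, E5) if self.cells[c]]
        condition1 = bool(self.cells[E2]) and len(outward) >= 1
        condition2 = len(outward) >= 2
        return condition1 or condition2

    def profile(self):
        """Infection profile: the alerts that supported the declaration, grouped by class."""
        return {c: [a for _, a in alerts] for c, alerts in self.cells.items() if alerts}


class DialogCorrelator:
    def __init__(self):
        self.rows = {}        # host -> DialogRow; the matrix grows per active local host
        self.declared = []    # (host, profile) pairs, one profile per infection

    def expire(self, now):
        """Hard prune: evaluate rows whose window closed, then declare or drop them."""
        for host in [h for h, r in self.rows.items() if r.hard_expired(now)]:
            row = self.rows.pop(host)
            row.soft_prune(now)
            if row.meets_declaration():
                self.declared.append((host, row.profile()))

    def observe(self, now, host, cls, alert):
        """Record one sensor alert; return a profile if the host now meets a condition."""
        self.expire(now)
        row = self.rows.get(host)
        if row is None:
            row = self.rows[host] = DialogRow(host, now)
        row.soft_prune(now)
        row.add(cls, now, alert)
        if row.meets_declaration():
            profile = row.profile()
            self.declared.append((host, profile))
            del self.rows[host]
            return profile
        return None


def run_scenario():
    """Constructed alert stream (timestamps in seconds) exercising both conditions and expiry."""
    c = DialogCorrelator()
    c.observe(0,   "192.168.10.45", E1, "inbound scan on 445")
    c.observe(0,   "192.168.12.1",  E1, "inbound scan on 139")          # scan only, never infected
    c.observe(60,  "192.168.10.45", E2, "exploit signature on 445")
    first = c.observe(120, "192.168.10.45", E4, "IRC C&C join")          # condition 1
    c.observe(200, "192.168.10.66", E3, "binary egg download")
    second = c.observe(230, "192.168.10.66", E5, "outbound scan burst")  # condition 2
    # A later alert advances the clock past the hard window: 192.168.12.1's lone,
    # soft-expired scan warning is pruned without a declaration.
    c.observe(HARD_PRUNE_SECONDS + 1, "192.168.12.46", E2, "exploit signature on 135")
    return {
        "first": first,
        "second": second,
        "declared_hosts": [h for h, _ in c.declared],
        "open_hosts": sorted(c.rows),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Deleting the row at declaration time is what gives the "only one bot profile per infection" property claimed on slide 19: further alerts for the same host open a fresh row rather than re-declaring the same dialog.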

16 FIGURE 6: SCORING PLOTS, 2019 real bot infections

17 EXPERIMENTS AND RESULTS

Bot                          E1           E2                E3          E4           E5
agobot                       Yes (2/2)    Yes (9/8)         Yes (6/6)   Yes (38/8)   Yes (4/1)
Phatbot-alpha5               Yes (14/4)   Yes (5785/5721)   Yes (3/3)   Yes (28/26)  Yes (4/2)
Phatbot-rls                  Yes (11/3)   Yes (2834/46)     Yes (8/8)   Yes (69/20)  Yes (6/2)
Rbot 0.6.6                   No (0)       Yes (2/1)         Yes (2/2)   Yes (65/24)  Yes (2/1)
Rx-asn-2-re-worked version2  No (0)       Yes (2/2)         -           Yes (70/27)  Yes (2/1)
Rxbot                        No (0)       Yes (4/3)         Yes (2/2)   Yes (59/18)  Yes (2/1)
Sxbot                        No (0)       Yes (3/2)         Yes (2/2)   Yes (73/26)  Yes (2/1)

Yes/No indicates whether a dialog warning was raised; in parentheses: (number of dialog warnings overall / number of warnings involving the victim).

18 RESULTS IN LIVE DEPLOYMENT
http://www.cyber-ta.org/malware-analysis/public
Website stats (spotlight: Top 50 ISP Infection Sources):
- Active period reported: 245 days
- Botnet attacks detected: 23895
- Botnet C&C channels witnessed: 175
- Botnet DNS lookups witnessed: 8496

19 ADVANTAGES
- Only one bot profile is generated per infection
- Presents an analysis of BotHunter against more than 2000 recent bot infection experiences
- Remote repository for global collection and evaluation of bot activity

20 DISADVANTAGES
- Bots could use encrypted communication channels for C&C
- The correlator is not adaptable to botnets capable of stealth scanning
- It does not handle polymorphic malware, because SLADE uses 1-gram payload analysis

21 THANK YOU

