Presentation is loading. Please wait.

Presentation is loading. Please wait.

RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.

Published byYuliana Sharper Modified over 9 years ago

Similar presentations

Presentation on theme: "RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from."— Presentation transcript:

1 RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from the author's slides https://ftp.isoc.org/isoc/conferences/ndss/09/slides/10.pdf

2 Outline Motivation of RB ‐ Seeker System Architecture Overview of subsystems Evaluation of results Conclusion

3 Redirection/Proxy Botnet Redirect users to malicious servers o Additional layer of misdirection o Protect mothership servers o Evade URL based detection or IP based black list

4 Motivation of RB ‐ Seeker Botnet is an ideal source for redirection/proxy servers Botnets used for multiple purposes/scams Previous research: detection of C&C channel

5 Overview of RB ‐ Seeker Automatic detection of redirection/proxy botnets Utilizes 3 cooperating subsystems Behavior ‐ based detection Quick identification of aggressivebotnets (FP < 0.01%) o Advertise manyIPs per query o Change IPs very often (short TTL) Accurate identification of stealthybotnets o Advertise fewIPs per query o Change IPs more slowly (very small TTL, closely monitored

6 System Architecture

7

8 SSS: Spam Source Subsystem Redirection/proxy botnet are commonly used by spam/phishing campaigns SSS exploits this close relatrionship o Real time collection of spam emails: > 50,000 monthly

9 SSS: Spam Source Subsystem Extract embedded URLs from message bodies Probe extracted URLs to identify redirection URL links Domains added to redirection domain database

10 System Architecture

11 NAS: NetFlow Analysis Subsystem Use NetFlow because: o Inspecting packet contents incurs too much overhead o Privacy concerns Spammers send image ‐ or PDF ‐ based emails o Evade content ‐ based filtering User redirected to RBnet by clicking on malicious webpage Inspecting each email not always possible o Privacy concerns/laws

12 NAS: NetFlow Analysis Subsystem NetFlow: core router on campus Looks for suspicious redirection attempts o Without analyzing packet contents

13 NAS: NetFlow Analysis Subsystem Sequential Hypothesis testing on: o Flow size, inter ‐ flow duration, and flow duration

14 NAS: NetFlow Analysis Subsystem Identifies IPs participating in redirection o Correlation engine uses DNS logs to add domains participating in redirection to redirection domain db

15 NAS: NetFlow Analysis Subsystem Redirection: obtained from SSS, servers identified as redirection Normal: normal web browsing over 2 days (removing redirection)

16 System Architecture

17 a ‐ DADS: active DNS Anomaly Detection Subsystem Actively performs DNS queries on domains in redirection domain db Uses CDN Filter to remove Content Delivery Networks o CDNs behave similarly to redirection/proxy botnets o Recursively removes

18 a ‐ DADS: active DNS Anomaly Detection Subsystem IP Usage: o RBnets will accrue more unique IPs over time o RBnets will have more unique IPs per valid query Reverse DNS names with “bad words” o e.g., broadband, cable, comcast, charter, etc… AS count o Number of different ASes the IPs belong to o RBnets consist of home computers scattered geographically

19 a ‐ DADS: active DNS Anomaly Detection Subsystem Applies 2 ‐ tier linear SVM on remaining domains o Trained: 124 valid, 18 aggressive, 10 stealth o 10 ‐ fold cross validation on multiple classifiers  knn, decision tree, naïve Bayesian, various SVMs and kernel functions

20 a ‐ DADS: active DNS Anomaly Detection Subsystem SVM-1: o detects Aggressive RBnets based on 2 valid queries o unique IPs, num ASes, DNS “bad words”

21 a ‐ DADS: active DNS Anomaly Detection Subsystem

22 SVM-2 o detects Stealth RBnets using a week of DNS queries o unique IPs, num ASes

23 a ‐ DADS: active DNS Anomaly Detection Subsystem

24 Evaluation of Results SSS and NAS identified 91,600+ suspicious domains over 2 month period a ‐ DADS CDN Filter o Removed 5,005 CDN domains o Recursion 16.8% increase in identified CDN domains (13.1% in IPs) o Similar technique for valid domains reduced this to 35,000+ domains to be monitored

25 Evaluation of Results

26 Aggressive RBnets: Redirection vs. Proxy Botnets

27 Stealth RBnets

28 Evaluation of Results FFSN detector: o Detected 124 of the 125 Aggressive RBnets o 1 FP: same as ours (mozilla.org) o Missed all the Stealth RBnets

29 Conclusion Designed and implemented system for detecting redirection/proxy botnets Uses network detection techniques o multiple data sources readily available to enterprise network environments Behavior ‐ based detection works despite use of C&C protocol or structure Capable of detecting Aggressive and Stealthy RBnets Automatic detection with low false positives (< 0.01%)

Download ppt "RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
1 Network-Level Spam Detection Nick Feamster Georgia Tech.

1 Network-Level Spam Detection Nick Feamster Georgia Tech.
Detecting suspicious behaviors. BBAC currently examines data streams of HTTP requests and TCP traffic within a distributed stream processing framework.

Detecting suspicious behaviors. BBAC currently examines data streams of HTTP requests and TCP traffic within a distributed stream processing framework.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Application of Bayesian Network in Computer Networks Raza H. Abedi.

Application of Bayesian Network in Computer Networks Raza H. Abedi.
----Presented by Di Xu 17.12.2010.  Introduction  Overview of Spam  Solutions to Spam  Conclusion.

----Presented by Di Xu  Introduction  Overview of Spam  Solutions to Spam  Conclusion.
Phishing (pronounced “fishing”) is the process of sending e-mail messages to lure Internet users into revealing personal information such as credit card.

Phishing (pronounced “fishing”) is the process of sending messages to lure Internet users into revealing personal information such as credit card.
Identifying Performance Bottlenecks in CDNs through TCP-Level Monitoring Peng Sun Minlan Yu, Michael J. Freedman, Jennifer Rexford Princeton University.

Identifying Performance Bottlenecks in CDNs through TCP-Level Monitoring Peng Sun Minlan Yu, Michael J. Freedman, Jennifer Rexford Princeton University.
Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.

Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
PSMC Proxy Server-based Multipath Connection CS 526 Advanced Networking - Richard White.

PSMC Proxy Server-based Multipath Connection CS 526 Advanced Networking - Richard White.
1 BotGraph: Large Scale Spamming Botnet Detection Yao Zhao EECS Department Northwestern University.

1 BotGraph: Large Scale Spamming Botnet Detection Yao Zhao EECS Department Northwestern University.
Accurate Real-Time Identification of IP Prefix Hijacking Z. Morley Mao Xin Hu 2007 IEEE Symposium on and Privacy Oakland, California 2007 IEEE Symposium.

Accurate Real-Time Identification of IP Prefix Hijacking Z. Morley Mao Xin Hu 2007 IEEE Symposium on and Privacy Oakland, California 2007 IEEE Symposium.
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
Evaluation of the Proximity between Web Clients and their Local DNS Servers Z. Morley Mao UC Berkeley C. Cranor, M. Rabinovich,

Evaluation of the Proximity between Web Clients and their Local DNS Servers Z. Morley Mao UC Berkeley C. Cranor, M. Rabinovich,
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
Firewalls and VPNS Team 9 Keith Elliot David Snyder Matthew While.

Firewalls and VPNS Team 9 Keith Elliot David Snyder Matthew While.

Similar presentations

Ads by Google