Presentation transcript: "My Botnet is Bigger than Yours (Maybe, Better than Yours): why size estimates remain challenging"

Slide 1: Title
My Botnet is Bigger than Yours (Maybe, Better than Yours): why size estimates remain challenging
MA Rajab, J Zarfoss, F Monrose, A Terzis. Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets (HotBots '07), April 2007.
Reporter: 高嘉男
Advisor: Chin-Laung Lei
2009/06/09

Slide 2: Outline
• Introduction: how big is a botnet?
• Definitions and estimation techniques
• Experiment
• Hidden botnet connections
• Conclusion

Slide 3: Introduction
• How big are today's botnets?
◦ Botnet size is currently poorly defined
◦ Different metrics lead to widely different results
◦ Several issues make estimation harder:
▪ Cloning
▪ Temporary migration
▪ Hidden structures
• Expecting a definitive answer is unreasonable

Slide 4: Definitions
• Two different definitions of botnet size:
◦ Footprint: the overall size of the infected population, i.e. every host seen infected at any point in the botnet's lifetime
◦ Live population: the number of live bots simultaneously present in the command and control channel
• The live population at any instant is therefore at most the footprint, and usually far smaller

Slide 5: Estimation Techniques
• Two broad categories:
◦ Counting bots that connect directly to a particular server:
▪ Botnet infiltration
▪ DNS redirection
◦ Exploiting external information (e.g., DNS cache snooping)

Slide 6: Botnet Infiltration
• Infiltrate the botnet by joining its command and control channel
• An IRC tracker mimics the behaviour of actual bots and joins many botnets
• Record any information observed on the command and control channel (joins, parts, member lists, commands)
• Limitations:
◦ Botmasters may suppress bot identities (e.g., a modified IRC server that does not reveal the channel's member list), so the tracker never sees the other bots
◦ What is counted (bot identifiers vs. IP addresses, and over what time window) leads to different estimates
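The two size definitions from slide 4, computed from the kind of channel log an infiltration tracker collects. This is an added example, not code from the paper or the talk: the log format, bot names and bot-to-IP mapping are constructed for illustration, and the IP-based count shows why counting by identifier and counting by address on the same channel give different numbers.

```python
"""Footprint vs. live population from an infiltration tracker's channel log.

Added example, not code from the paper or the talk. The log format is a
constructed simplification: one (timestamp, event, bot_id) record per IRC
JOIN or QUIT seen on the C&C channel. A real tracker would parse raw IRC
lines and would have to choose what bot_id is (nickname vs. IP address).
"""
from collections import namedtuple

Event = namedtuple("Event", "ts kind bot")

# Constructed sample log: five distinct bots, never more than three online at once.
SAMPLE_LOG = [
    Event(0,  "JOIN", "bot-a"),
    Event(10, "JOIN", "bot-b"),
    Event(20, "JOIN", "bot-c"),
    Event(30, "QUIT", "bot-a"),
    Event(40, "JOIN", "bot-d"),
    Event(50, "QUIT", "bot-b"),
    Event(55, "QUIT", "bot-c"),
    Event(60, "JOIN", "bot-e"),
    Event(70, "JOIN", "bot-a"),  # bot-a reconnects; it is counted once in the footprint
    Event(80, "QUIT", "bot-d"),
]

# Constructed bot-to-IP mapping: bot-a and bot-b sit behind the same NAT address.
SAMPLE_IPS = {
    "bot-a": "203.0.113.10",
    "bot-b": "203.0.113.10",
    "bot-c": "198.51.100.7",
    "bot-d": "192.0.2.44",
    "bot-e": "192.0.2.45",
}


def footprint(log):
    """Footprint: every distinct bot observed at any point in the log's lifetime."""
    return len({e.bot for e in log})


def live_population(log):
    """Live population over time.

    Returns (peak, timeline) where timeline is a list of (ts, live_count)
    sampled after each event, so peak is the largest simultaneous population.
    """
    online = set()
    timeline = []
    for e in sorted(log, key=lambda e: e.ts):
        if e.kind == "JOIN":
            online.add(e.bot)
        elif e.kind == "QUIT":
            online.discard(e.bot)  # tolerate a QUIT for a bot that joined before we did
        timeline.append((e.ts, len(online)))
    peak = max((n for _, n in timeline), default=0)
    return peak, timeline


def ip_footprint(log, bot_to_ip):
    """Footprint counted by source IP instead of bot id.

    NAT (several bots, one address) and DHCP churn (one bot, several addresses)
    make this differ from footprint(); this is one reason counting on the same
    channel can yield different estimates.
    """
    return len({bot_to_ip[e.bot] for e in log})


if __name__ == "__main__":
    peak, timeline = live_population(SAMPLE_LOG)
    print("footprint (by bot id):", footprint(SAMPLE_LOG))               # 5
    print("footprint (by IP):    ", ip_footprint(SAMPLE_LOG, SAMPLE_IPS))  # 4
    print("peak live population: ", peak)                                 # 3
    print("live population timeline:", timeline)
```

On the constructed log the footprint is 5 by bot id but 4 by IP address, while the live population never exceeds 3; reporting any one of these numbers alone as "the size" of the botnet is exactly the ambiguity the talk is about.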

Slide 7: DNS Redirection
• Manipulate the DNS entry associated with a botnet's IRC server so that connections are redirected to a sinkhole
• The sinkhole completes the three-way TCP handshake with every bot attempting to connect to the (redirected) IRC server and records its IP address
• Limitations:
◦ It can only measure the botnet's footprint: each connecting address is recorded, but there is no channel to observe a live population in
◦ There is no way of knowing whether the bots are connecting to the same command and control channel (several channels, and so several botnets, may share one IRC server)
◦ Botmasters can redirect their bots to another IRC server once they notice the sinkhole

Slide 8: Exploiting External Information
• DNS cache snooping:
◦ Bots normally make a DNS query to resolve the IP address of their IRC server
◦ Probing a resolver's cache for that name with a non-recursive query: a cache hit implies that at least one bot behind that nameserver has queried it
◦ The total number of cache hits across the probed resolvers provides an indication of the botnet's DNS footprint
• The DNS footprint provides (at best) only a lower bound on the actual footprint: a hit says nothing about how many hosts behind that resolver are infected, and a miss may only mean the cached entry has already expired
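The cache-snooping probe described on this slide, as an added example that is not code from the paper or the talk. It builds a DNS A query with the recursion-desired bit cleared, so the resolver answers only from its cache, and interprets the reply; the C&C hostname, resolver address and the two sample replies are constructed so the decoding logic can be exercised offline.

```python
"""DNS cache snooping probe for a botnet's C&C hostname.

Added example, not code from the paper or the talk. It builds a DNS A query
with the RD (recursion desired) bit cleared, so a resolver answers only if
the name is already in its cache, and interprets the reply. The hostname,
resolver address and the two sample replies below are constructed.
"""
import socket
import struct

PROBE_TXID = 0x1234


def build_query(name, txid=PROBE_TXID, recursion_desired=False):
    """Wire-format DNS query for an A record. RD=0 is what makes it a cache probe."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Parse the header, skip the question, and collect the TTL of each answer RR."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # QTYPE, QCLASS
    ttls = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        _rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10 + rdlength
        ttls.append(ttl)
    return {"txid": txid, "rcode": flags & 0x000F, "ra": bool(flags & 0x0080),
            "ancount": ancount, "ttls": ttls}


def cache_hit(response, txid=PROBE_TXID):
    """A non-recursive probe that returns an answer means the name was cached,
    i.e. at least one client of that resolver looked it up recently."""
    return response["txid"] == txid and response["rcode"] == 0 and response["ancount"] > 0


def snoop(resolver_ip, name, timeout=2.0):
    """Send one probe over UDP and report whether the name is cached.
    Network call; not exercised by the offline samples below."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return cache_hit(parse_response(data))


def _constructed_response(name, answers, txid=PROBE_TXID):
    """Build a reply the way a resolver would: RD=0 echoed, RA=1, and the answer
    name compressed as a pointer (0xC00C) back to the question name."""
    flags = 0x8080  # QR=1, RD=0, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    body = build_query(name, txid)[12:]  # reuse the question section
    for ip, ttl in answers:
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + body


# Constructed replies for a hypothetical C&C name: one cached (300 s TTL left), one not.
CACHED_REPLY = _constructed_response("irc.example.net", [("192.0.2.1", 300)])
EMPTY_REPLY = _constructed_response("irc.example.net", [])

if __name__ == "__main__":
    for label, reply in (("cached", CACHED_REPLY), ("not cached", EMPTY_REPLY)):
        r = parse_response(reply)
        print(label, "-> hit:", cache_hit(r), "ttls:", r["ttls"])
```

Two caveats a practitioner will hit in the field: many resolvers refuse non-recursive queries from outside their own network (RCODE REFUSED, which `cache_hit` treats as a miss), and an empty reply only says the entry is not cached now, not that no bot ever asked. The remaining TTL in a hit, compared with the authoritative TTL, also tells roughly how long ago the last lookup happened.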

Slide 9: Experiment (figure only)

Slide 10: Result: Footprint and Live Population (figure only)

Slide 11: Result: DNS Footprint (figure only)

Slide 12: Temporary Bot Migration
• Botmasters command bots to temporarily migrate from one botnet (C&C server or channel) to another
• A tracker that counts both botnets independently then sees the same bots in each, so the two counts cannot simply be added

Slide 13: Bot Cloning
• Botmasters command bots to create copies of themselves (clones) and join a new channel on the same server:
◦ Clone flooding
◦ Normal cloning
• Clones inflate the apparent population of the new channel without any new infections

Slide 14: Hidden Botnet Connections
• Each botnet is represented by a d-dimensional structural feature vector
• Features that capture a botnet's unique identity:
◦ DNS name and/or IP address of the IRC server
◦ IRC server or IRC network name (e.g., ToXiC.BoTnEt.Net)
◦ Server version (e.g., Unreal3.2.3)
◦ IRC channel name
◦ Botmaster ID
• For a pair of botnets, the pair-wise score is a weighted dot product of their two feature vectors; a high score indicates that the two botnets are connected (e.g., operated by the same botmaster), even though they were counted separately
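The feature-vector comparison on this slide, carried through to the clustering of slides 15 and 16, as an added example that is not code from the paper or the talk. Each botnet is described by the five features listed above; the pair-wise score is the weighted dot product of the two botnets' 0/1 match vector. The weights, the threshold, the union-find clustering and all four sample botnets are assumptions made for illustration, since the paper's actual weights are not given on this page.

```python
"""Structural feature vectors and pair-wise scores for linking botnets.

Added example, not code from the paper or the talk. Each botnet is described
by the five features listed on the slide; the pair-wise score is a weighted
dot product of the two botnets' 0/1 match vector. The weights, the threshold,
the union-find clustering and all four sample botnets are assumptions made
for illustration (the paper's actual weights are not given on this page).
"""
from itertools import combinations

FEATURES = ("server_addr", "network_name", "server_version", "channel", "botmaster")

# Assumed weights: sharing a server address or botmaster is strong evidence of a
# connection; sharing a common IRCd version (Unreal3.2.3 is widespread) is weak.
WEIGHTS = {"server_addr": 3, "network_name": 2, "server_version": 1, "channel": 2, "botmaster": 2}


def match_vector(a, b):
    """d-dimensional vector: component i is 1 when both botnets share feature i."""
    return [1 if a.get(f) is not None and a.get(f) == b.get(f) else 0 for f in FEATURES]


def pair_score(a, b, weights=WEIGHTS):
    """Weighted dot product of the match vector with the weight vector."""
    return sum(weights[f] * m for f, m in zip(FEATURES, match_vector(a, b)))


def cluster(botnets, threshold=3, weights=WEIGHTS):
    """Single-linkage clustering with union-find: two botnets whose score reaches
    the threshold go into the same cluster, and clusters merge transitively.
    Returns a sorted list of sorted botnet-id lists."""
    ids = list(botnets)
    parent = {i: i for i in ids}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for x, y in combinations(ids, 2):
        if pair_score(botnets[x], botnets[y], weights) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for i in ids:
        groups.setdefault(find(i), []).append(i)
    return sorted(sorted(g) for g in groups.values())


def cluster_sizes(clusters):
    """Number of botnets affiliated with each cluster, largest first (cf. slide 16)."""
    return sorted((len(c) for c in clusters), reverse=True)


# Constructed sample botnets (addresses, channels and botmaster IDs are made up).
BOTNETS = {
    "bn1": {"server_addr": "198.51.100.5", "network_name": "ToXiC.BoTnEt.Net",
            "server_version": "Unreal3.2.3", "channel": "#x1", "botmaster": "m4st3r"},
    "bn2": {"server_addr": "203.0.113.9", "network_name": "ToXiC.BoTnEt.Net",
            "server_version": "Unreal3.2.3", "channel": "#x2", "botmaster": "m4st3r"},
    "bn3": {"server_addr": "192.0.2.77", "network_name": "other.irc.example",
            "server_version": "Unreal3.2.3", "channel": "#y1", "botmaster": "someone"},
    # bn4 was observed with the network name and botmaster suppressed (None).
    "bn4": {"server_addr": "192.0.2.77", "network_name": None,
            "server_version": "Unreal3.2.3", "channel": "#y2", "botmaster": None},
}

if __name__ == "__main__":
    for x, y in combinations(BOTNETS, 2):
        print(x, y, match_vector(BOTNETS[x], BOTNETS[y]), pair_score(BOTNETS[x], BOTNETS[y]))
    found = cluster(BOTNETS)
    print("clusters:", found)               # [['bn1', 'bn2'], ['bn3', 'bn4']]
    print("sizes:", cluster_sizes(found))   # [2, 2]
```

With these weights bn1 and bn2 link through a shared network name and botmaster, and bn3 and bn4 through a shared server address; every cross pair scores only 1 for the common Unreal version, which is why that feature gets the lowest weight. Missing features (a suppressed botmaster ID, as on slide 6) simply contribute 0 rather than being treated as a match.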

Slide 15: Botnet Cluster (figure only)

Slide 16: Number of Botnets Affiliated with Each Botnet Cluster (figure only)

Slide 17: Conclusion
• No single metric is sufficient for describing all aspects of a botnet's size
• A prudent step towards more reliable size estimates is to synthesize the results from multiple concurrent and independent views of a botnet's behaviour

Slide 18: References
Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis, "My Botnet is Bigger than Yours (Maybe, Better than Yours): why size estimates remain challenging," in Proceedings of the First USENIX Workshop on Hot Topics in Understanding Botnets (HotBots), April 2007.
Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis, "A Multifaceted Approach to Understanding the Botnet Phenomenon," in Proceedings of the ACM SIGCOMM/USENIX Internet Measurement Conference (IMC), pages 41–52, 2006.

