Presentation is loading. Please wait.

Presentation is loading. Please wait.

Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection."— Presentation transcript:

1 Botnet Dection system

2 Introduction  Botnet problem  Challenges for botnet detection

3 What Is a Bot/Botnet?  Bot A malware instance that runs autonomously and automatically on a compromised computer (zombie) without owner’s consent Profit-driven, professionally written, widely propagated  Botnet (Bot Army): network of bots controlled by criminals Definition: “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel” Architecture: centralized (e.g., IRC,HTTP), distributed (e.g., P2P) “25% of Internet PCs are part of a botnet!” ( - Vint Cerf)

4 Botnets are used for …  All DDoS attacks  Spam  Click fraud  Information theft  Phishing attacks  Distributing other malware, e.g., spywarePCs are part of a botnet!” ( - Vint Cerf)

5 Challenges for Botnet Detection  Bots are stealthy on the infected machines – We focus on a network-based solution  Bot infection is usually a multi-faceted and multiphased process – Only looking at one specific aspect likely to fail  Bots are dynamically evolving – Static and signature-based approaches may not be effective  Botnets can have very flexible design of C&C channels – A solution very specific to a botnet instance is not desirable

6 Roadmap to three Detection Systems  Bothunter: regardless of the C&C structure and network protocol, if they follow pre-defined infection live cycle  Botsniffer:works for IRC and http, can be extended to detect centralized C&C botnets  Botminer:independent of the protocol and structure

7 BotHunter system-detection on single infected client  Detecting Malware Infection Through IDS-Driven Dialog Correlation  Monitors two-way communication flows between internal networks and the Internet for signs of bot and other malware  Correlates dialog trail of inbound intrusion alarms with outbound communication patterns

8 Bot infection case study: Phatbot

9 Dialog-based Correlation  BotHunter employs an Infection Lifecycle Model to detect host infection behavior

10 Bothunter Architecture

11 Evaluation  Example: http://www.cyber- ta.org/releases/malware- analysis/public/2009-01-13-public/

12 BotSniffer-detection on centralized C&C botnets(IRC,HTTP)  WHY we will focus on C&C?  C&C is essential to a botnet – Without C&C, bots are just discrete, unorganized infections  C&C detection is important – Relatively stable and unlikely to change within botnets – Reveal C&C server and local victims – The weakest link

13 Botnet C&C Communication Example

14 Botnet C&C: Spatial-Temporal Correlation and Similarity

15 BotSniffer Architecture

16 Correlation Engine  Based on two properties  Response crowd – a set of clients that have (message/activity) response behavior -A Dense response crowd: the fraction of clients with message/activity behavior within the group is larger than a threshold (e.g., 0.5).  A homogeneous response crowd – Many members have very similar responses

17 Evaluation

18 Why Botminer?  Botnets can change their C&C content (encryption, etc.), protocols (IRC, HTTP, etc.),structures (P2P, etc.), C&C servers, dialog models  So bothunter, botsniffer systems may be evaded. We need to consider more

19 Revisit Botnet Definition  “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel”  We need to monitor two planes – C-plane (C&C communication plane): “who is talking to whom” – A-plane (malicious activity plane): “who is doing what”

20 C-Plane clustering  What characterizes a communication flow (Cflow) between a local host and a remote service? –

21 A-plane clustering

22 Cross-clustering  Two hosts in the same A-clusters and in at least one common C-cluster are clustered together

23 Botminer Architecture

24 Evaluation Data

25 Evaluation Result(FP)

26 Evaluation Result(Detection Rate)

27 Botnet Detection Systems summary  Bothunter: Vertical Correlation. Correlation on the behaviors of single host.  Botsniffer: Horizontal Correlation. On centralized C&C botnets  Botminer: Extension on Botsniffer, no limitations on the C&C types.

28 Thank you! Questions?

Download ppt "Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu1,2, Roberto Perdisci3, Junjie Zhang1,

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu1,2, Roberto Perdisci3, Junjie Zhang1,
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.

Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.
Zombie or not to be: Trough the meshes of Botnets - Guillaume Lovet AVAR 2005 Tianjin, China.

Zombie or not to be: Trough the meshes of Botnets - Guillaume Lovet AVAR 2005 Tianjin, China.
B OT GAD: D ETECTING B OTNETS BY C APTURING G ROUP A CTIVITIES IN N ETWORK T RAFFIC Hyunsang Choi, Heejo Lee, and Hyogon Kim COMSWARE '09, Proceedings.

B OT GAD: D ETECTING B OTNETS BY C APTURING G ROUP A CTIVITIES IN N ETWORK T RAFFIC Hyunsang Choi, Heejo Lee, and Hyogon Kim COMSWARE '09, Proceedings.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,

A Hierarchical Hybrid Structure for Botnet Control and Command A Hierarchical Hybrid Structure for Botnet Control and Command Zhiqi Zhang, Baochen Lu,
Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.

Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Bots and Botnets CS-431 Dick Steflik. DDoS ● One of the most common ways to mount a Distributed Denial of Service attacks is done via networks of zombie.

Bots and Botnets CS-431 Dick Steflik. DDoS ● One of the most common ways to mount a Distributed Denial of Service attacks is done via networks of zombie.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Written by Guofei Gu, Roberto Perdisci, Junjie.

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Written by Guofei Gu, Roberto Perdisci, Junjie.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
09 Dec 2010 DETECTION OF SIP BOTNET BASED ON C&C COMMUNICATIONS Mohammad AlKurbi.

09 Dec 2010 DETECTION OF SIP BOTNET BASED ON C&C COMMUNICATIONS Mohammad AlKurbi.

Similar presentations

Ads by Google