Presentation is loading. Please wait.

Presentation is loading. Please wait.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

Published byCharles Leonard Modified over 9 years ago

Similar presentations

Presentation on theme: "2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings."— Presentation transcript:

1 2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings of USENIX Workshop on Hot Topics in Understanding Botnets (HotBots), 2007

2 Outline Introduction Background Communication Channel Detection Results and Evaluation Conclusion 2009/9/152Machine Learning and Bioinformatics Lab

3 Introduction Currently  stop a given botnet is to disable the communication channel for the bots However  the hosts stay infected and are in most cases still backdoored, allowing an attacker to reclaim the machine at any time. 2009/9/15Machine Learning and Bioinformatics Lab3

4 Background Internet Relay Chat(IRC)  Each of the different servers hosts a number of different chat rooms called channels  Every user connected to an IRC server has its own unique username called nickname 2009/9/15Machine Learning and Bioinformatics Lab4

5 Background BotMaster  communicate with the botnet is to use IRC Bots  join a specific channel on a public or private IRC server  to receive further instructions 2009/9/15Machine Learning and Bioinformatics Lab5

6 Communication Channel Detection All bots have one characteristic in common:  they need a communication channel Our approach focuses on  detecting the communication channel between the bot and the botnet controller  it is possible to detect a bot even before it performs any malicious actions 2009/9/15Machine Learning and Bioinformatics Lab6

7 Project Rishi Every captured packet extracts :  Time of suspicious connection  IP address and port of suspected source host  IP address and port of destination IRC server  Channels joined  Utilized nickname 2009/9/15Machine Learning and Bioinformatics Lab7

8 Network setup of Rishi 2009/9/15Machine Learning and Bioinformatics Lab8

9 Basic Concept - Rishi 2009/9/15Machine Learning and Bioinformatics Lab9

10 Scoring Function Checks for the occurrence of several criteria :  suspicious substrings the name of a bot (e.g., RBOT or l33t-)  special characters like [, ], and |  long numbers. nickname consists of many digits:  for each two consecutive digits 2009/9/15Machine Learning and Bioinformatics Lab10 1 point

11 Scoring Function True signs for an infected host raise the final score by more than one point  a match with one of the regular expressions  a connection to a blacklisted server  the use of a blacklisted nickname 2009/9/15Machine Learning and Bioinformatics Lab11 > 1 points

12 Regular Expression Each nickname is tested against several regular expressions  which match known bot names For example the following expression: \[[0-9]\|[0-9]{4,}  like [0|1234]  like |1234 2009/9/15Machine Learning and Bioinformatics Lab12 10 points

13 Whitelisting The software utilizes :  hard coded whitelist  dynamic whitelist Each nickname, which receives zero points  is added to the dynamic whitelist 2009/9/15Machine Learning and Bioinformatics Lab13

14 Blacklisting Two blacklists:  the first blacklist is hard coded in the configuration file  the second one is a dynamic list with nicknames added to it automatically according to the final score 2009/9/15Machine Learning and Bioinformatics Lab14

15 Example Imagine that the nickname  RBOT|DEU|XP-1234 was added to the blacklist The next captured nickname  RBOT|CHN|XP-5678 2009/9/15Machine Learning and Bioinformatics Lab15 1 point each due to the suspicious substrings RBOT,CHN, and XP 1 points each due to the two occurrences of the special character | 1 point each due to two occurrences of consecutive digits 7 points 10 points for more than 50% congruence with a name stored on the dynamic blacklist 17 points

16 Example 1 point each due to the suspicious substrings RBOT,CHN, and XP 1 points each due to the two occurrences of the special character | 1 point each due to two occurrences of consecutive digits 2009/9/15Machine Learning and Bioinformatics Lab16 7 points 17 points 10 points for more than 50% congruence with a name stored on the dynamic blacklist

17 Results and Evaluation RWTH Aachen university  30,000 computer users to support  Rishi runs on a Quad-CPU Intel Xeon 3,2Ghz system with 3GB of memory installed  we are monitoring a 10 GBit network 2009/9/15Machine Learning and Bioinformatics Lab17

18 Results and Evaluation 2009/9/15Machine Learning and Bioinformatics Lab18

19 Results and Evaluation 2009/9/15Machine Learning and Bioinformatics Lab19

20 Results and Evaluation 2009/9/15Machine Learning and Bioinformatics Lab20

21 Conclusion Based on characteristics of the communication channel  observe protocol messages  use n-gram analysis together with a scoring function  black-/whitelists 2009/9/15Machine Learning and Bioinformatics Lab21

22 Bot Nicknames 2009/9/15Machine Learning and Bioinformatics Lab22

23 Thank you for listening 2009/9/1523 The end Machine Learning and Bioinformatics Lab

Download ppt "2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings."

Similar presentations

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Operating Systems Concepts 1/e Ruth Watson Chapter 11 Chapter 11 Network Maintenance Ruth Watson.

Operating Systems Concepts 1/e Ruth Watson Chapter 11 Chapter 11 Network Maintenance Ruth Watson.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
Bots and Botnets CS-431 Dick Steflik. DDoS ● One of the most common ways to mount a Distributed Denial of Service attacks is done via networks of zombie.

Bots and Botnets CS-431 Dick Steflik. DDoS ● One of the most common ways to mount a Distributed Denial of Service attacks is done via networks of zombie.
Chat applications and IRC Presented by Tyler Maciolek.

Chat applications and IRC Presented by Tyler Maciolek.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
On the Feasibility of Large-Scale Infections of iOS Devices

On the Feasibility of Large-Scale Infections of iOS Devices
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)

BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)
SMS Mobile Botnet Detection Using A Multi-Agent System Abdullah Alzahrani, Natalia Stakhanova, and Ali A. Ghorbani Faculty of Computer Science, University.

SMS Mobile Botnet Detection Using A Multi-Agent System Abdullah Alzahrani, Natalia Stakhanova, and Ali A. Ghorbani Faculty of Computer Science, University.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.

Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Printer Installation Ben Wu A&S IT 09/18/2007. Outline  Preparation  Local Printer Installation  Network Printer Installation  Printer Sharing  Other.

Printer Installation Ben Wu A&S IT 09/18/2007. Outline  Preparation  Local Printer Installation  Network Printer Installation  Printer Sharing  Other.

Similar presentations

Ads by Google