Presentation is loading. Please wait.

Presentation is loading. Please wait.

Report: 鄭志欣 Conference: Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni.

Published byPatience Gilbert Modified over 9 years ago

Similar presentations

Presentation on theme: "Report: 鄭志欣 Conference: Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni."— Presentation transcript:

1 Report: 鄭志欣 Conference: Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni Vigna, in Proceedings of the ACM CCS, Chicago, IL, November 2009. 2015/9/8 1 Machine Learning and Bioinformatics Lab

2  Date Collect : 2009/1/25 ~ 2009/2/5  180’000 infections  70GB data  USD$ 83,000 ~ 8,300,000 (bank account and credit card) 2015/9/8 2 Machine Learning and Bioinformatics Lab

3  Introduction  Botnet Analysis  Threats and data analysis  Conclusion 2015/9/8Machine Learning and Bioinformatics Lab 3

4  The main purpose of this paper is to analyze the Torpig botnet’s operations. Botnet size. The personal information is stolen by botnets. 2015/9/8Machine Learning and Bioinformatics Lab 4

5  Torpig solves fast-flux by using a different technique for locating its C&C servers, which we refer to as domain flux. 2015/9/8Machine Learning and Bioinformatics Lab 5

6  Data Collection and Format  Submission Header  Botnet Size vs. IP Count 2015/9/8Machine Learning and Bioinformatics Lab 6

7  Date : 70GB (10 day)  Protocol : HTTP POST requests  Submission Header VS. Request body 2015/9/8Machine Learning and Bioinformatics Lab 7

8 2015/9/8Machine Learning and Bioinformatics Lab 8  Ts = time stamp  IP  Sport = SOCKS proxies port  Hport = HTTP port  OS = operation system version  Cn = locale  Nid = bot identifier  Bld and ver = build and version number of Torpig gh5

9  2015/9/8Machine Learning and Bioinformatics Lab 9

10  Counting Bots by Submission Header Fields  (nid, os, cn, bld, ver) decide to unique bot  Delete Probers and Researcher  18200 hosts 2015/9/8Machine Learning and Bioinformatics Lab 10

11 2015/9/8Machine Learning and Bioinformatics Lab 11 4690 Bots / hour 705 Bots / hour

12 2015/9/8Machine Learning and Bioinformatics Lab 12

13  DHCP (ISPs recycles IPs) 2015/9/8Machine Learning and Bioinformatics Lab 13

14  Financial Data Stealing  Password Analysis 2015/9/8Machine Learning and Bioinformatics Lab 14

15  In ten days, Torpig obtained the credentials of 8,310 accounts at 410 different institutions. The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217). 2015/9/8Machine Learning and Bioinformatics Lab 15

16 2015/9/8Machine Learning and Bioinformatics Lab 16

17  we found that a naïve evaluation of botnet size based on the count of distinct IPs yields grossly overestimated results. 2015/9/8Machine Learning and Bioinformatics Lab 17

18 2015/9/8Machine Learning and Bioinformatics Lab 18

Download ppt "Report: 鄭志欣 Conference: Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni."

Similar presentations

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Botnet Behavior and Detection Strategies Brad Wilder.

Botnet Behavior and Detection Strategies Brad Wilder.
Your Botnet is My Botnet: Analysis of a Botnet Takeover

Your Botnet is My Botnet: Analysis of a Botnet Takeover
Welcome to SpyEye Front-end interface called “CN 1” or “Main Access Panel.”

Welcome to SpyEye Front-end interface called “CN 1” or “Main Access Panel.”
Report : 鄭志欣 Advisor: Hsing-Kuo Pao 1 Learning to Detect Phishing Emails I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing emails. In Proceedings.

Report : 鄭志欣 Advisor: Hsing-Kuo Pao 1 Learning to Detect Phishing s I. Fette, N. Sadeh, and A. Tomasic. Learning to detect phishing s. In Proceedings.
8.1 DISTRIBUTED COMPUTER SECURITY Dr. Yanqing Zhang, CSc 8320 Presented by Kireet Kokala © 2009 Georgia State University.

8.1 DISTRIBUTED COMPUTER SECURITY Dr. Yanqing Zhang, CSc 8320 Presented by Kireet Kokala © 2009 Georgia State University.
BRETT STONE-GROSS, MARCO COVA, LORENZO CAVALLARO, BOB GILBERT, MARTIN SZYDLOWSKI, RICHARD KEMMERER, CHRISTOPHER KRUEGEL, AND GIOVANNI VIGNA PRESENTATION.

BRETT STONE-GROSS, MARCO COVA, LORENZO CAVALLARO, BOB GILBERT, MARTIN SZYDLOWSKI, RICHARD KEMMERER, CHRISTOPHER KRUEGEL, AND GIOVANNI VIGNA PRESENTATION.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Phishing Definition: a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial.

Phishing Definition: a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial.
Chapter Two: Internet Fundamentals: Operations, Management, the Web, and Wireless By: Laura Marshall, Mary Mauro, and Doug Moore.

Chapter Two: Internet Fundamentals: Operations, Management, the Web, and Wireless By: Laura Marshall, Mary Mauro, and Doug Moore.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Written by Guofei Gu, Roberto Perdisci, Junjie.

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Written by Guofei Gu, Roberto Perdisci, Junjie.
IP Addressing: introduction

IP Addressing: introduction
On the Feasibility of Large-Scale Infections of iOS Devices

On the Feasibility of Large-Scale Infections of iOS Devices
COS 420 DAY 22. Agenda Assignment 4 Corrected 2 B’s Assignment 5 posted Chap 22-26 Due May 4 Final exam will be take home and handed out May 4 and Due.

COS 420 DAY 22. Agenda Assignment 4 Corrected 2 B’s Assignment 5 posted Chap Due May 4 Final exam will be take home and handed out May 4 and Due.
Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.

Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.

Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.

Similar presentations

Ads by Google