Presentation is loading. Please wait.

Presentation is loading. Please wait.

Amir Houmansadr CS660: Advanced Information Assurance Spring 2015

Published bySilvester Spencer Modified over 9 years ago

Similar presentations

Presentation on theme: "Amir Houmansadr CS660: Advanced Information Assurance Spring 2015"— Presentation transcript:

1 Amir Houmansadr CS660: Advanced Information Assurance Spring 2015
Content may be borrowed from other resources. See the last slide for acknowledgements! Botnet Detection Amir Houmansadr CS660: Advanced Information Assurance Spring 2015

2 What is a Bot? A malware instance that runs autonomously and automatically on a compromised computer (zombie) without owner’s consent Profit-driven, professionally written, widely propagated You might have seen them before in chat rooms, online games, etc.

3 CS660 - Advanced Information Assurance - UMassAmherst
What is a Botnet Botnet (Bot Army): network of bots controlled by criminals Definition: “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel” Coordinated: do coordinated actions Group: yes, it’s a group of bots! Botmaster: meet the cybercriminal C&C channel: command and control channel CS660 - Advanced Information Assurance - UMassAmherst

4 CS660 - Advanced Information Assurance - UMassAmherst

5 CS660 - Advanced Information Assurance - UMassAmherst
Structures Centralized IRC channels HTTP Distributed P2P CS660 - Advanced Information Assurance - UMassAmherst

6 CS660 - Advanced Information Assurance - UMassAmherst
Breadth Numerous variations of botnets According to a study in 2013 by Incapsula, more than 61 percent of all Web traffic is now generated by bots 25% of Internet PCs are part of a botnet!” ( - Vint Cerf) It’s a real threat! CS660 - Advanced Information Assurance - UMassAmherst

7 What is the Command and Control (C&C) Channel?
The Command and Control (C&C) channel is needed so bots can receive their commands and coordinate fraudulent activities The C&C channel is the means by which individual bots form a botnet

8 Amercia’s 10 Most Wanted Botnets
Zeus (3.6 million) Koobface (2.9 million) TidServ (1.5 million) Trojan.Fakeavalert (1.4 million) TR/DIdr.Agent.JKH (1.2 million) Monkif (520,000) Hamweq (480,000) Swizzor (370,000) Gammima (230,000) Conficker (210,000) Source

9 What are they used for? Distributed Denial-of-Service Attacks Spam
Phishing Information Theft Distributing other malware

10 Botnet Detection is Hard!
One out of four PC infected Bots are stealthy on infected machines Botnets are dynamically evolving and becoming more flexible Static and signature-based approached less effective Come in many variations Centralized/distributed, different channels, etc. There’s no one-size-fits-all solution

11 Existing Techniques not Effective
AntiVirus tools are evaded need to update frequently Bots use rootkit Intrusion detection systems Do not have a big picture Past research aims are too specific Some apply to specific type of botnet (e.g., IRC-based only, or centralized only) Some apply to specific instances of botnet CS660 - Advanced Information Assurance - UMassAmherst

12 CS660 - Advanced Information Assurance - UMassAmherst
BotMiner Observation: Bots part of a botnet have similar communications Bots part of a botnet take similar actions Bots stay there for long term Approach: Let’s find machines that have correlated (similar) communication and actions over time CS660 - Advanced Information Assurance - UMassAmherst

13 CS660 - Advanced Information Assurance - UMassAmherst
BotMiner Analysis is done over two planes: C-plane (Communication plane): “who is talking to whom, and how” A-plane (Activity plane): “who is doing what” CS660 - Advanced Information Assurance - UMassAmherst

14 BotMiner’s Main Architecture
CS660 - Advanced Information Assurance - UMassAmherst

15 MAIN COMPONENTS OF BOTMINER DETECTION SYSTEM
C-PLANE MONITOR A-PLANE MONITOR C-PLANE CLUSTERING A-PLANE CLUSTERING CROSS-PLANE CORRELATOR

16 Traffic Monitors C-PLANE MONITOR A-PLANE MONITOR
Captures network flows and records information on “who is talking to whom” The fcapture tool was used (very efficient on high-speed networks) Each flow record contained: time, duration, source IP, destination IP, destination port, and # packets/bytes transferred in both directions Logs information on “who is doing what” Based on Snort (open-source intrusion detection tool) Capable of detecting scanning activities, spamming, and binary downloading

17 C-plane Clustering Responsible for reading logs generated by the C-plane monitor and finding clusters of machines that share similar communication patterns Start Irrelevant traffic flows are filtered out (2 steps: basic filtering and white-listing) After basic filtering and white-listing, traffic is reduced further by aggregating related flows into communication flows (C-flows)

18 Architecture of C-plane Clustering

19 C-plane Clustering Given an epoch E (1 day)
A communication flow (C-flow) is determined by: protocol (TCP or UDP) source IP destination IP Port All matching TCP/UDP flows are aggregated into the same C-flow

20 Vector Representation of C-flows
To apply clustering algorithms to C-flows they must be translated into suitable vector representation A number of statistical features are extracted from each C-flow and then they are translated into a d-dimensional pattern of vectors. Given a C-flow, the discrete sample distribution is computed for 4 variables: The number of flows per hour (fph) The average # of bytes per second (bps) The number of packets per flow (ppf) The average # of bytes per packet (bpp)

21 CS660 - Advanced Information Assurance - UMassAmherst

22 2-Step Clustering Clustering C-flows is very expensive
Because the % of machines in a network that are infected by bots is generally small, the authors separate the botnet-related C-flows from a large number of benign C-flows To cope with the complexity of clustering the task is broken down into steps

23 2-Step Clustering of C-flows
At the first step, they perform coarse-grained clustering on a reduced feature space using a simple clustering algorithm. The results of the first-step clustering is a set of C-flows (relatively large clusters). Later a second step of clustering is done on each different dataset. They implemented the 1st and 2nd step using the X means clustering algorithm (which is a efficient algorithm based on K-means). X-means is fast and scales well with respect to the size of the dataset.

24 A-plane Clustering In this stage, 2 layer clustering is performed on activity logs A scan activity could include scanning ports (e.g, two machines scanning the same ports) Another feature could be target subnet/distribution (e.g. when machines are scanning the same subnet) For spam activity, two machines could be clustered together if their SMTP connection destinations are highly overlapped In the paper, the authors cluster scanning activities according to the destination scanning ports

25 Cross-Plane Clustering
The idea is to cross-check both clusters (A-PLANE & C-PLANE) to find out whether there is evidence of the host being a part of a botnet The first step is to compute the bot score s(h) for each host h on which at least one kind of suspicious activity has been performed Host that have a score below a certain threshold are filtered out The remaining most suspicious host are grouped together according to a similarity metric that takes into account A-PLANE and C-PLANE clusters Two hosts in the same A-luster and at least one common C-cluster are clustered together Hierarchical clustering

26 Evaluations Tested performance on several real-world network traces (campus network) C-PLANE and A-PLANE monitors were ran continuously for 10 days Collected 6 different botnets (IRC and HTTP) Two P2P botnets, namely Nugache (82 bots) and Storm(13 bots); the network trace lasted a whole day

27 10 Days

28 CS660 - Advanced Information Assurance - UMassAmherst
Detection Results CS660 - Advanced Information Assurance - UMassAmherst

29 Limitations of BotMiner
Can adversaries who know how BotMiner work evade it? Or decrease its accuracy? CS660 - Advanced Information Assurance - UMassAmherst

30 Evading C-PLANE Monitoring and Clustering
Evasion Method Examples Manipulate communication patterns Switch between multiple C&C servers Randomizing individual communication patterns (e.g. injecting random packets in a flow or by padding random bytes in a packet) Bots could use covert channels to hide their actual C&C communications

31 Evading A-plane Monitoring and Clustering
Evasion Method Example Performing very stealthy malicious activities Vary the way bots are commanded in the same monitored network Scan very slow (e.g. send one scan per hour) The “botmaster” sends out different commands to each bot

32 Evading Cross-Plane Analysis
The “botmaster” can send commands that are extremely delayed tasks Malicious activities are performed on different days Trade-off: The “botmaster” also suffers because as the C&C communications slow down, efficiency of controlling the bot army declines

33 CS660 - Advanced Information Assurance - UMassAmherst
Acknowledgement Some of the slides, content, or pictures are borrowed from the following resources, and some pictures are obtained through Google search without being referenced below: Latasha A. Gibbs’s slides for BotMiner Guofi Gu’s slides CS660 - Advanced Information Assurance - UMassAmherst

Download ppt "Amir Houmansadr CS660: Advanced Information Assurance Spring 2015"

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu1,2, Roberto Perdisci3, Junjie Zhang1,

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu1,2, Roberto Perdisci3, Junjie Zhang1,
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Written by Guofei Gu, Roberto Perdisci, Junjie.

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Written by Guofei Gu, Roberto Perdisci, Junjie.
Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.

Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
09 Dec 2010 DETECTION OF SIP BOTNET BASED ON C&C COMMUNICATIONS Mohammad AlKurbi.

09 Dec 2010 DETECTION OF SIP BOTNET BASED ON C&C COMMUNICATIONS Mohammad AlKurbi.
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)

BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)
Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.

Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.

Similar presentations

Ads by Google