MURI Kickoff (presentation transcript)


1 MURI Kickoff
Welcome!
First, introductions… all around
Some context and expectations
- We're going to give some informal presentations about our plans
  - Project just started, so few results yet
- Each will have a leader, but this is a collaborative effort, so expect everyone to chime in
- Please ask questions and give feedback anytime
- We'll try to keep to schedule, but we can go where you want

2 Rough schedule
10:00-10:30  UCB/UCSD project overview/programmatics
10:30-11:00  Botfarm and dynamic containment
11:00-11:30  Automated binary analysis
11:30-12:00  NLP of underground communications
12:00-1:30   Lunch
1:30-3:30    Wenke et al. (GATech/UMich/UCSB/Stanford)
3:30-4:00    Break
4:00-5:00    Feedback/brainstorming

3 Infiltration of Botnet Command & Control and Support Ecosystems
MURI Kickoff 2009
PIs: Stefan Savage, Geoff Voelker (UCSD); Vern Paxson, Dawn Song and Dan Klein (UC Berkeley)

4 Key threat transformations of the 21st century
Efficient large-scale compromises
- Internet communications model
- Software homogeneity
- User naïveté/fatigue
Control networks
- Cheap scalability for criminal applications (e.g. spam, info theft, DDoS, etc.)
- Platform economy
Profit-driven applications
- Commodity resources (IP, bandwidth, storage, CPU)
- Unique resources (PII/credentials, data exfiltration)

5 Philosophy
Need to understand and impact botnets from "the inside" instead of simply via their external actions
Address the real adversary: real bots and real botmasters
Botnet infiltration (SIGINT)
- Intelligence collection (what is the botnet doing?)
- Command injection (tell the botnet to do this)
- Botnet disruption (shut down and/or take over the botnet)
Ecosystem intelligence (HUMINT)
- Data mining/NLP on underground Web/chat to infer social relationships in the botnet ecosystem
- Who is supplying which resources, what are the stress points, points of attribution, etc.

6 Botnet infiltration
Key idea: distributed C&C is a vulnerability
- Botnet authors like decentralized communications for scalability and resilience, but…
- … to do so, they trust their bots to be good actors
- If you can modify the right bots, you can observe and influence the actions of the botnet via their communications
We have done this once
- Infiltrated the Storm P2P botnet
- Able to track everything the botnet did and influence its actions
- But… one-off, and hard to scale
Kanich, Kreibich, Levchenko, Enright, Paxson, Voelker and Savage, "Spamalytics: An Empirical Analysis of Spam Marketing Conversion", ACM CCS 2008

7 Botnet infiltration challenges
Obtaining and grooming bots (tricky in practice)
Safe execution environment
- Must run bots, but contain their negative side-effects
- Fine-grained containment control via network, VMs, etc. (informed by past work on Potemkin/GQ honeyfarms)
- Especially must control the scope of our "attacks"
C&C extraction from botnet binaries
- Extract the C&C protocol without extensive manual reverse-engineering
- Use it to feed containment, attacks and the C&C proxy
Attack development and testing
- Passive, cooperatively active, adversarially active
Legal/policy issues
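The "safe execution environment" bullets above describe a containment gateway that lets a captive bot stay a live botnet member while its side-effects never leave the lab. The following is an added example written for this transcript, not Potemkin/GQ code or any MURI project tooling: a per-flow policy in the spirit of those bullets. The action names, the lab resolver address, the "known C&C peer" list, the lab address ranges, the scan threshold and the sample flow records are all constructed assumptions.

```python
"""Toy network-containment policy for a botfarm (added example, constructed).

Each connection attempt from a contained VM gets one of five actions:
only the lab resolver is reachable directly, known C&C peers are reached
through an observing proxy, mail goes to a local sink, lab address space is
unreachable, and a VM that fans out to too many destinations is cut off.
"""
import ipaddress
from collections import defaultdict

# Gateway actions (constructed vocabulary)
ALLOW = "allow"            # pass through unchanged (lab resolver only)
PROXY = "proxy"            # hand to the C&C proxy, which logs/rewrites/forwards
SINK = "sink"              # redirect to a local sink so side-effects never leave
DROP = "drop"              # silently discard
QUARANTINE = "quarantine"  # VM tripped a limit: everything is cut off

# Address space the bots must never reach (assumed lab/internal ranges)
LAB_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


class ContainmentPolicy:
    def __init__(self, resolver_ip, cnc_peers, scan_threshold=5):
        self.resolver_ip = resolver_ip          # lab DNS resolver (assumed)
        self.cnc_peers = set(cnc_peers)         # peers the proxy may relay to (assumed known)
        self.scan_threshold = scan_threshold    # max distinct destinations per VM
        self.distinct_dsts = defaultdict(set)   # vm -> destinations it has tried
        self.quarantined = set()

    def decide(self, vm, dst_ip, dst_port, proto):
        """Return the action for one connection attempt from a contained VM."""
        if vm in self.quarantined:
            return QUARANTINE
        # Fan-out to many distinct destinations is the classic scanning
        # signature; cut the VM off rather than let a scan leak out.
        self.distinct_dsts[vm].add(dst_ip)
        if len(self.distinct_dsts[vm]) > self.scan_threshold:
            self.quarantined.add(vm)
            return QUARANTINE
        # DNS only to the lab resolver, which can itself log or spoof answers.
        if proto == "udp" and dst_port == 53 and dst_ip == self.resolver_ip:
            return ALLOW
        ip = ipaddress.ip_address(dst_ip)
        if any(ip in net for net in LAB_NETWORKS):
            return DROP
        # Known C&C peers go through the proxy: the bot stays a live member of
        # the botnet while every message is observed (and can be interpreted).
        if dst_ip in self.cnc_peers:
            return PROXY
        # Outbound mail is the most common side-effect: absorb it in a sink.
        if proto == "tcp" and dst_port in (25, 465, 587):
            return SINK
        return DROP


# Constructed flow records: (vm, dst_ip, dst_port, proto); addresses are
# documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    ("vm1", "10.0.0.2", 53, "udp"),          # DNS to lab resolver
    ("vm1", "198.51.100.7", 8080, "tcp"),    # known C&C peer
    ("vm1", "203.0.113.5", 25, "tcp"),       # spam attempt
    ("vm1", "203.0.113.6", 445, "tcp"),      # random probe
    ("vm1", "203.0.113.7", 445, "tcp"),      # 5th distinct destination
    ("vm1", "203.0.113.8", 445, "tcp"),      # 6th: over threshold -> quarantine
    ("vm1", "198.51.100.7", 8080, "tcp"),    # even C&C is cut once quarantined
    ("vm2", "192.168.1.9", 445, "tcp"),      # another VM probing the lab LAN
]


def run_sample():
    """Apply the policy to SAMPLE_FLOWS and return the list of decisions."""
    policy = ContainmentPolicy("10.0.0.2", ["198.51.100.7"], scan_threshold=5)
    return [policy.decide(*flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, action in zip(SAMPLE_FLOWS, run_sample()):
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}/{flow[3]}: {action}")
```

The ordering of the checks is the point: the quarantine counter runs before anything is permitted, so a bot that starts scanning loses even its C&C channel, and the C&C exception is evaluated only after the lab address space has been excluded. A real gateway would key the fan-out counter to a time window and make the peer list dynamic (fed by the C&C extractor the slide mentions), but the decision structure stays the same.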

8 Ecosystem intelligence
Key idea: the social graph of botmasters and the bot support ecosystem (clients, authors, cashiers, etc.) is implicit in underground communications
- Underground forums, chat, etc.
- Marketing, sales, requests, complaints, side-deals, etc.
- By extracting this graph we can relate actors to actions
We have done something similar once
- Analyzed 9 months of #ccpower underground IRC data
- Extracted buyer/seller and pricing relationships
- Manual, error-prone, no notion of a specific actor
Franklin, Perrig, Paxson and Savage, "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants", ACM CCS 2007

9 Ecosystem intelligence challenges
Pidgin/slang content (Eblish/ )
Extracting structure from short, free-form, agrammatical elements
Identity aliasing and multiple identities/pseudonyms
Matching across multiple sources
Limited ground-truth knowledge
Access to data
Sample messages shown on the slide:
  WU confirmer can confirm males and females have drops in usa
  AM VERIFIED MSG ME
  i am boa cashout have wells and boa logins and i need to good drop man.......ripper f#@! off
  Have dropper for bots, all ie sploits
  whos a good reg for fluxing?
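Slides 8 and 9 describe the pipeline (short agrammatical chat lines to actor/role/commodity tuples to buyer/seller relationships) and the challenges, aliasing above all. The block below is an added example written for this transcript, not the MURI project's or the #ccpower study's tooling: a deliberately small version of that pipeline over constructed IRC-style lines in the slide's register. The commodity lexicon, the buy/sell cue words, the clause-splitting rule, the alias heuristic and the sample lines are all constructed assumptions.

```python
"""Toy extractor for buyer/seller relationships in underground chat
(added example, constructed; not project code)."""
import re
from collections import defaultdict

# Constructed IRC-style lines, "<nick> message", in the slide's register.
SAMPLE_LINES = [
    "<cashking> i am boa cashout have wells and boa logins and i need good drop man",
    "<drop_usa> have drops in usa, males and females, wu confirmer too",
    "<bob22> whos a good reg for fluxing?",
    "<cashking_> need drop usa asap",                     # alias of cashking
    "<sploitz> have dropper for bots, all ie sploits",
    "<regman> reg for fluxing here, msg me",
]

# Commodity lexicon (regex -> label). A real one is far larger and evolves.
COMMODITIES = {
    r"\bdrops?\b": "drop",
    r"\blogins?\b": "bank_login",
    r"\bcashout\b": "cashout",
    r"\bconfirmer\b": "wu_confirmer",
    r"\breg\b": "registrar",
    r"\bdropper\b|\bsploits?\b": "exploit_kit",
}
SELL_CUES = re.compile(r"\b(have|here|selling|msg me)\b")
BUY_CUES = re.compile(r"\b(need|whos a good|looking for|want)\b")
LINE_RE = re.compile(r"^<([^>]+)>\s*(.*)$")
CLAUSE_SPLIT = re.compile(r",|\band\b")


def canonical_nick(nick):
    """Collapse trivial alias variants (trailing '_' or digits) onto one identity.
    A heuristic only: real identity resolution needs corroborating evidence."""
    base = re.sub(r"[_\d]+$", "", nick.lower())
    return base or nick.lower()


def parse_line(line):
    """Return (actor, [(role, commodity), ...]) for one line, or None if unparseable.
    Role cues carry forward across clauses, so 'have X and Y' sells both X and Y."""
    m = LINE_RE.match(line)
    if not m:
        return None
    actor = canonical_nick(m.group(1))
    role, found = None, []
    for clause in CLAUSE_SPLIT.split(m.group(2).lower()):
        if BUY_CUES.search(clause):
            role = "buy"
        elif SELL_CUES.search(clause):
            role = "sell"
        if role is None:
            continue
        for pattern, label in COMMODITIES.items():
            if re.search(pattern, clause):
                found.append((role, label))
    return actor, found


def extract(lines):
    """Return the deduplicated list of (actor, role, commodity) tuples, in order."""
    seen, out = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        actor, pairs = parsed
        for role, commodity in pairs:
            t = (actor, role, commodity)
            if t not in seen:
                seen.add(t)
                out.append(t)
    return out


def supply_edges(tuples):
    """Pair every seller of a commodity with every buyer of it.
    Returns sorted (seller, buyer, commodity) edges: candidate supply-chain links
    for an analyst to confirm, not established transactions."""
    sellers, buyers = defaultdict(set), defaultdict(set)
    for actor, role, commodity in tuples:
        (sellers if role == "sell" else buyers)[commodity].add(actor)
    return sorted((s, b, c) for c in sellers for s in sellers[c] for b in buyers[c])


def alias_groups(lines):
    """Map each canonical identity to the raw nicks collapsed into it."""
    groups = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            groups[canonical_nick(m.group(1))].add(m.group(1))
    return dict(groups)


if __name__ == "__main__":
    tuples = extract(SAMPLE_LINES)
    for t in tuples:
        print(t)
    print("edges:", supply_edges(tuples))
    print("aliases:", alias_groups(SAMPLE_LINES))
```

Two of the slide's challenges are visible even at this scale. Clause-level role carry-over is what lets one line yield both a "sell" and a "buy" tuple, which is exactly the structure that is lost when such lines are treated as bags of words; and the alias heuristic is what turns the two raw nicks into one actor, so that the buy-side of the "drop" edge is attributed to a single identity. Both are places where ground truth (the "limited ground-truth knowledge" bullet) is needed to measure error rather than assume it.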

10 Goal/evaluation
Botnet infiltration
- Can safely execute new botnet software while still becoming members of live botnets
- Can efficiently extract botnet C&C
- Can decode and interpret all commands, inject new commands (that are acted upon) and exploit bot vulnerabilities successfully
- Validate that attacks only impact bots inside containment
Ecosystem intelligence
- Identify actor identities/attributes, inter-actor relationships, supply-chain relationships, transactions and roles
- Validate automated mapping against human domain-expert assessment
- Correlate with external ground-truth data from other studies

11 Milestones for this year
- Design work and prototype infrastructure for botfarm containment/grooming; demonstrate safe hosting of many bot families
- Prototype binary C&C extractor on one or more bots, with output to feed the containment network proxy (interpret C&C)
- Design work on the ecosystem intelligence effort, dataset gathering, and gathering of some "ground-truth" data (via botnet output, domain registration, spam campaigns, etc.)

12 Other sponsors/supporters
Funding and in-kind (data, equipment, access)
Several more who decline to be identified (industry)

13 Education elements
Student training in research
- Already have ~10 students involved in different aspects of the project (including 3 undergrads)
Class integration
- Network security courses at Berkeley and UCSD
- Internet Crime course at UCSD
Workforce development
- Talks/tutorials to industry
- Input to defense contractors in this space

14 Project management
- Tightly integrated group (many have 3-5 years of experience working with each other)
- Communication via weekly teleconference, students on IM, physical student exchanges
- Lead on each campus (Stefan, Vern) responsible for local organizational issues, but we cross lines routinely
- We attempt to centralize sensitive 3rd-party data and protect it there (tricky issues w.r.t. dual NDA negotiation)
- Advance legal review on any issues of risk
- Educational issues delegated to each PI, excepting distributed courses

15 Questions?

