Speaker: Hom-Jay Hom Date: 2009/11/17 Botnet, and the CyberCriminal Underground IEEE 2008 Hsinchun Chen, Clinton J. Mielke II.

1 Speaker: Hom-Jay Hom Date: 2009/11/17 Botnet, and the CyberCriminal Underground IEEE 2008 Hsinchun Chen, Clinton J. Mielke II

2 Outline: Botnets; ShadowServer; Investigating the Botnet World; Further Work; Conclusion. 2015/11/10 2

3 Botnets (1/3): The earliest malware damaged systems or printed taunting messages. Traditional computer viruses copy themselves. Trojan horses. Worms scan for and infect other hosts.

4 Botnets (2/3): Infection; DDoS attacks; spamming; espionage; proxies; clickthrough fraud.

5 Botnets (3/3): The Underground Economy. A hidden social network of cybercriminals who sell their services: spammers, bot-herders, malware authors and other criminals gather. Many botnets are actually rented to other criminal organizations for phishing attacks and stock-market pump-and-dump schemes.

6 SHADOW SERVER (1/2): ShadowServer is a nonprofit group. Honeypots passively collect malware. Malware analysis is passive (antivirus engines) and active (a sandbox that executes untrusted malicious code).

7 SHADOW SERVER (2/2): Snooping. Newly discovered IRC networks are monitored and all IRC traffic is recorded. The IRC logs are analyzed with a pattern-matching signature system.

8 Investigating the Botnet World (1/9): Dataset processing. Each record carries an ID, the C&C ID, a nickname and an IP address.

9 Investigating the Botnet World (2/9): Classify known command strings: DDoS commands, infection events, password-theft events. The signature system analyzed and classified them and produced a compendium of events.

10 Investigating the Botnet World (3/9): 1. Nickname enumeration. Bot nicknames are separated from human ones using random numeric IDs, a dictionary, the signature system and bot command strings, producing a sanitized list.

11 Investigating the Botnet World (4/9): 2. Drone counting. A simple approach: state tracked in a lookup table with a population counter. A more refined approach: IRC events in the snooped channel.

12 Investigating the Botnet World (5/9): [Figure: bot population over time; y-axis "Bot population" (ticks 200, 400, 600), x-axis "Time", labelled daytime and night.]

13 Investigating the Botnet World (6/9): Key players. The botnet herders, ranked by counting the C&C channels they control. They detect other herders' botnet C&C channels and subvert their security mechanisms.

14 Investigating the Botnet World (7/9): Criminal social network analysis of community structure. Nodes are all pre-filtered "human" nicknames seen in C&C channels; any two nodes found collaborating are linked, and edge weights are assigned with the Jaccard similarity metric.

15 Investigating the Botnet World (8/9): Hierarchical agglomerative clustering algorithm with a minimum similarity of 50%: 957 nicknames yielded 104 clusters.
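The Jaccard-weighted nickname graph of slide 14 and the agglomerative clustering with a 50% minimum similarity of slide 15, as an added worked example that is not from the paper or the ShadowServer tooling. The (nickname, channel) observations are constructed sample data, and average linkage is an assumption, since the slides do not state the linkage rule.

```python
"""Cluster 'human' IRC nicknames by the C&C channels they co-occur in."""
from itertools import combinations

# Constructed sample observations: (nickname, C&C channel) pairs as they
# would be extracted from snooped IRC logs after bot nicknames are filtered out.
OBSERVATIONS = [
    ("herder_a", "#cc1"), ("herder_a", "#cc2"), ("herder_a", "#cc3"),
    ("herder_b", "#cc1"), ("herder_b", "#cc2"),
    ("herder_c", "#cc9"), ("herder_c", "#cc8"),
    ("herder_d", "#cc9"), ("herder_d", "#cc8"), ("herder_d", "#cc7"),
    ("loner", "#cc5"),
]

def channels_by_nick(observations):
    """Map each nickname to the set of C&C channels it was seen in."""
    sets = {}
    for nick, chan in observations:
        sets.setdefault(nick, set()).add(chan)
    return sets

def jaccard(a, b):
    """Edge weight between two nicknames: |shared channels| / |all channels|."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)

def cluster_nicks(observations, min_similarity=0.5):
    """Hierarchical agglomerative clustering (assumed average linkage):
    repeatedly merge the two most similar clusters while their average
    pairwise Jaccard similarity is at least min_similarity (50% by default).
    Returns the clusters as sorted lists of nicknames."""
    sets = channels_by_nick(observations)
    clusters = [[n] for n in sorted(sets)]

    def linkage(c1, c2):
        pairs = [jaccard(sets[x], sets[y]) for x in c1 for y in c2]
        return sum(pairs) / len(pairs)

    while len(clusters) > 1:
        i, j = max(combinations(range(len(clusters)), 2),
                   key=lambda ij: linkage(clusters[ij[0]], clusters[ij[1]]))
        if linkage(clusters[i], clusters[j]) < min_similarity:
            break  # no remaining pair meets the similarity threshold
        merged = clusters[i] + clusters[j]
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)] + [merged]
    return sorted(sorted(c) for c in clusters)
```

Raising `min_similarity` splits the groups apart, which is one way to see how sensitive the 104-cluster count on the slide is to the chosen threshold.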

16 Investigating the Botnet World (9/9): Of the 104 clusters, activity labels are C = C&C, D = DDoS, B = Bot, P = victim passwords.

17 Further Work: Many herders use close variations of similar nicknames, so profile the behavioral characteristics of herders. Replace hierarchical clustering with biclustering or a hypergraph over nicknames and channels. To better profile DDoS attack motivations, DDoS targets must be individually scrutinized; IP addresses could be correlated with latitude and longitude.

18 Conclusion: Botnets have grown in recent years to encompass world-influencing crimes. Tracking these miscreants and their botnets will become more and more challenging. Individuals must secure themselves. ShadowServer hopes to assist in whatever way we can to make the internet a safer place.

19 END
