Download presentation
Presentation is loading. Please wait.
Published byLetitia Harper Modified over 9 years ago
1
Automating Analysis of Large-Scale Botnet Probing Events Zhichun Li, Anup Goyal, Yan Chen and Vern Paxson* Lab for Internet and Security Technology (LIST) Northwestern University * UC Berkeley / ICSI
2
2 Motivation Administrators IPv4 Space Enterprise Botnets Does this attack specially target us? Can we answer this question with only limited information observed locally in the enterprise?
3
3 Motivation Can we infer the probe strategy used by botnets? Can we infer whether a botnet probing attack specially targets a certain network, or we are just part of a larger, indiscriminant attack? Can we extrapolate botnet global properties given limited local information?
4
4 Agenda Motivation Basic framework Discover the botnet probing strategies Extrapolate global properties Evaluation Conclusions
5
5 Botnet Probing Events Big spikes of larger numbers of probers mainly caused by botnets
6
6 System Framework See the paper for subtle system details.
7
7 Agenda Motivation Basic framework Discover the botnet probing strategies Extrapolate global properties Evaluation Conclusions
8
8 Discover the Botnet Probing Strategies Use statistical tests to understand probing strategies –Leverage on existing statistical tests Monotonic trend checking: detect whether bots probe the IP space monotonically Uniformity checking: detect whether bots scan the IP range uniformly. –Design our own Hitlist (liveness) checking: detect whether they avoid the dark IP space Dependency checking: do the bots scan independently or are they coordinated?
9
9 Design Space
10
10 Hitlist Checking Configure the sensor to be half darknet and half honeynet Use metric θ = # src in darknet/ # src in honeynet. Threshold 0.5
11
11 Agenda Motivation Basic framework Discover the botnet probing strategies Extrapolate global properties –Global scan scope, total # of bots, total # of scans, total scan rate for each bot Evaluation Conclusions
12
12 Extrapolate Global Properties: Basic Ideas and Validation Observe the packet fields that change with certain patterns in continuous probes. –IPID: a packet field in IP header used for IP defragmentation –Ephemeral port number: the source port used by bots –Increment for a fixed # per scan Validation –IPID continuity: All versions of Windows and MacOS –Ephemeral port number continuity: botnet source code study Agobot, Phatbot, Spybot, SDbot, rxBot, etc. –Control experiments with NAT
13
13 Estimate Global Scan Rate of Each Bot Count the IPID & ephemeral port # changes –Recover the overflow of IPID and ephemeral port number –Estimate the rate with linear regression when correlation coefficient > 0.99 –Counter overestimation: use less of the two T IPID
14
14 Extrapolate Global Scan Scope IPv4 Space Botnets Total scans from bot i : scan rate R i * scan time T i = 100*1000=100,000 bot i n i =100 Aggregating multiple bots Local/global ratio
15
15 Extrapolate Global # of Bots Idea: similar to Mark and Recapture Assumption: All bots have the same global scan range Bots Total M=4000 First half m1=1000 Observed by both m12= 250 Second half m2=1000 M=m1*m2/m12 M m1m2 m12
16
16 Agenda Motivation Basic framework Discover the botnet probing strategies Extrapolate global properties Evaluation Conclusions
17
17 Dataset Based on a 10 /24 honeynet in a National Lab (LBNL) 293GB packet traces in 24 months (2006-07) Totally observed 203 botnet probing events –Average observed #bots/event is 980. Mainly on SMB/WINRPC, VNC, Symantec, MSSQL, HTTP, Telnet Size of the system: 13,900 lines: Bro (6,000), Python (4,000), C++ (2,500), R (1,400)
18
18 More than 80% uniform scanning Validate the results through visualization and find the results are highly accurate. Property Checking Results
19
19 Extrapolation Results Most of extrapolated global scopes are at /8 size, which means the botnets do not target the enterprise (LBNL). Validation based with DShield data –DShield: the largest Internet alert repository –Find the /8 prefixes in DShield with sufficient source (bots) overlap with the honeynet events Due to incompleteness of Dshield data, 12 events validated –Calculate the scan scope in each /8 based on sensor coverage ratio.
20
20 Extrapolation Validation Define scope factor as max(DShield/Honeynet,Honeynet/DShield) CDF of the scope factor 75% within 1.35 All within 1.5
21
21 Conclusions Develop a set of statistical approaches to assess four properties of botnet probing strategies Designed approaches to extrapolate the global properties of a scan event based on limited local view Through real-world validation based on DShield, we show our scheme are promisingly accurate
22
22 Backup
23
23 Event size distribution
24
24 Extrapolate the scope Local/global ratio Probing time window Estimate global probing rate Probes observed locally
25
25 Monotonic trend checking Goal: detect whether the bots probe the IP space monotonically –E.g. simple sequential probing Technique: –Mann-Kendall trend test –Intuition: check whether the aggregated sign value (sign(A i+1 -A i )) out of the range of randomness can achieve. –When most (>80%) senders in an events follow trend we label the events follow trends
26
26 Uniformity Checking Goal: detect whether the botnet scan the IP range uniformly. Technique: –Chi-Square test –Intuition: put address into bins. The scan observed in each bin should be similar. –Significance level of 0.5%
27
27 Dependency Checking Goal: Is the bots try to get out each other’s way? Idea: account the number of address receive zero scan and comparing with confidence interval of the independent random case.
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.