Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploiting Temporal Persistence to Detect Covert Botnet Channels Authors: Frederic Giroire, Jaideep Chandrashekar, Nina Taft… RAID 2009 Reporter: Jing.

Published byFay Todd Modified over 9 years ago

Similar presentations

Presentation on theme: "Exploiting Temporal Persistence to Detect Covert Botnet Channels Authors: Frederic Giroire, Jaideep Chandrashekar, Nina Taft… RAID 2009 Reporter: Jing."— Presentation transcript:

1 Exploiting Temporal Persistence to Detect Covert Botnet Channels Authors: Frederic Giroire, Jaideep Chandrashekar, Nina Taft… RAID 2009 Reporter: Jing Chiu Email: D9815023@mail.ntust.edu.tw 2015/11/29 1 Data Mining & Machine Learning Lab

2 Outlines Introduction Methodology Dataset Description Evaluation Conclusions 2015/11/29 2 Data Mining & Machine Learning Lab

3 Introduction How do bots get rid of existing defenses? ▫Polymorphic engines ▫packing engines ▫AV vendor reports 3000 distinct samples daily Anomaly detection methods for botnet ▫Use traffic feature distributions for analysis ▫Detect bots activated for generating attacks ▫Latency exist from infection to activation Covert channel between bots and C&C server ▫Last for an extended period ▫Lightweight and spaced out over irregular time period 2015/11/29 3 Data Mining & Machine Learning Lab

4 Methodology Assumptions ▫Communication between Zombie and C&C server is not limited to a few connections ▫Zombie is not programmed to use a completely new C&C server at each new attempt Persistence and destination atoms ▫Destination atoms for building white lists ▫Persistence for lightweight repetition 2015/11/29 4 Data Mining & Machine Learning Lab

5 Methodology (cont.) Why use white lists? ▫Regularly communicate hosts is a stable, small set  Examples:  Work related, news and entertainment websites  Mail servers, update servers, patch servers, RSS feeds  Advantages:  Search fast  Easy to management ▫These hosts require infrequent updating 2015/11/29 5 Data Mining & Machine Learning Lab

6 Methodology (cont.) Destination atoms ▫(dstService, dstPort, proto) ▫Different domains: second level domain name  Yahoo.com, cisco.com ▫The same domains: third level domain name  Mail.intel.com, print.intel.com ▫Multiple ports is allowed  (ftp.service.com, 21:>1024, tcp) ▫ When address cannot be mapped to names, use IP address as service name ▫ExamplesExamples2015/11/29 6 Data Mining & Machine Learning Lab

7 Methodology (cont.) Persistence metric ▫d: destination atom W = [s 1, s 2,…, s n ] ▫W: observation window s i : measurement window ▫Timescale: (W,s) ▫For each timescale(W j,s j ): 1≤j≤k 2015/11/29 7 Data Mining & Machine Learning Lab

8 Methodology (cont.) C&C Detection Implementation ▫Use long bitmap to track connections at each timescale ▫Procedure  Update bitmap, count persistence  If updated persistence crosses the threshold p *, raise alarm  After enough samples, the persistence is below the threshold, free bitmap up Bitmap example 2015/11/29 8 Data Mining & Machine Learning Lab

9 Dataset Description End host traffic traces ▫Collected at 350 enterprise user’s hosts ▫Over 5 week ▫Use 157 of the 350 traces, common 4 week period Botnet traffic traces ▫Collected 55 known botnet binaries ▫Executed inside a Windows XP SP2 VM and run for as long as a week ▫Experience  A lot of binaries simply crashed the VM  C&C deactivated  Only 27 binaries yielded traffic  12 of the 27 binaries yielded traffic that lasted more than a day  List of sampled Botnet binaries List of sampled Botnet binaries2015/11/29 9 Data Mining & Machine Learning Lab

10 Evaluation System Properties CDF of p(d) across all the atoms seen in training data Distribution of per host whitelist sizes (p * = 0.6) 2015/11/29 10 Data Mining & Machine Learning Lab

11 Evaluation C&C Detection Other results RoC curveFalse positives across usres(p * = 0.6) 2015/11/29 11 Data Mining & Machine Learning Lab

12 Evaluation Improvement in detection rate after filtering 2015/11/29 12 Data Mining & Machine Learning Lab

13 Conclusions Introduce “persistence” as a temporal measure of regularity in connection to “destination atoms” Persistence could help detect malware without ▫protocol semantics ▫payloads Proposed a method for detecting C&C server and has no false negative in experiment Both centralized and p2p infrastructure could be uncovered by this method Low overhead and low user annoyance factor 2015/11/29 13 Data Mining & Machine Learning Lab

14 Destination atoms 2015/11/29 14 Data Mining & Machine Learning Lab

15 Bitmap Example 2015/11/29 15 Data Mining & Machine Learning Lab

16 List of Botnet binaries 2015/11/29 16 Data Mining & Machine Learning Lab

17 C&C detection result 2015/11/29 17 Data Mining & Machine Learning Lab

Download ppt "Exploiting Temporal Persistence to Detect Covert Botnet Channels Authors: Frederic Giroire, Jaideep Chandrashekar, Nina Taft… RAID 2009 Reporter: Jing."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke.

BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University

Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University
Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.

Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
Report on statistical Intrusion Detection systems By Ganesh Godavari.

Report on statistical Intrusion Detection systems By Ganesh Godavari.
Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS 395-0 Professor Yan Chen.

Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS Professor Yan Chen.
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)

BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)
Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.

Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.
2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray,

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray,
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Similar presentations

Ads by Google