Presentation is loading. Please wait.

Presentation is loading. Please wait.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Published byBrendan Chase Modified over 9 years ago

Similar presentations

Presentation on theme: "Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan."— Presentation transcript:

1 Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18 BotSniffer Slides made by Andrew Tjang Paper: BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic by Guofei Gu, Junjie Zhang, and Wenke Lee (NDSS 08)

19 Motivation ● Botnets serious security threats ● Realtime Command+Control from centralized source ● Use characteristics of this Command+Control to detect botnets in sstems

20 Contributions ● Identify characteristics of C&C in Botnets ● Capture spatial-temporal correlation of network traffic to detect botnets ● Implement anomaly based detection algorithms as Snort plugins ● Evaluation of BotSniffer on real world traces ● Show botnets can be detected with high accuracy and low false positive rate

21 Command & Control ● Centralized control of bots in botnets ● Can be push (i.e. IRC) or pull (i.e. HTTP) ● Difficult to detect because protocol usage similar to normal traffic, low traffic volume, few bots, encryption

22 Spatial-Temporal correlation ● Invariants to all botnets  1. need to connect to central server to get commands  2. respond to commands ● perform tasks and report back (keeping long connection, or making frequent connections) ● Responses: message/activity response ● Multiple bots in channel likely to respond in similar fashion  Leverage “response crowd”  Bots have stronger/consistent synchronization and correlation in responses than humans do.

23 BotSniffer Architecture ● Monitor Engine  Examines network traffic, detects activity response behavior, suspicious C&C protocols ● Correlation Engine  Group analysis of spatial-temporal correlation, similarity of activity or message responses connected to same IRC/HTTP server

24

25

26 BotSniffer Architecture Illustrated

27 Group Analysis ● Intuition:  P(botnet | 100 clients send similar messages) > P(botnet | 10 clients send similar messages)  IF botnet, THEN more clients more likely to form homogeneous cluster  IF not botnet, THEN unlikely to send similar messages

28 Evaluation ● Datasets  University wide network IRC traffic 2005-2007 (189 days)  All network wide traffic (10min/1-5h)  Botnet traces (synthetic) ● Honeypot (8hr) ● IRC server logs ● Modified bot software in virtual environment ● Implemented 2 botnets using HTTP

29 Results – Normal Trace

30 Detection

31 Attacks on Botsniffer and Their Defenses ● Misuse of whitelist  Whitelists not necessary  Can use soft whitelists ● Encryption  Doesn’t affect activity response ● Long & random response delays  ? ● Random noise packets  Activity response unaffected

Download ppt "Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu1,2, Roberto Perdisci3, Junjie Zhang1,

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu1,2, Roberto Perdisci3, Junjie Zhang1,
Guide to Network Defense and Countermeasures Third Edition

Guide to Network Defense and Countermeasures Third Edition
BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke.

BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.

RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
Active Botnet Probing to Identify Obscure Command and Control Channels Guofei Gu, Vinod Yegneswaran, Phillip Porras, Jennifer Stoll, and Wenke Lee Georgia.

Active Botnet Probing to Identify Obscure Command and Control Channels Guofei Gu, Vinod Yegneswaran, Phillip Porras, Jennifer Stoll, and Wenke Lee Georgia.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.

Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Slides to add  Botnet slides  Security regulations  Do we have similar laws for transportation?  Terrorism (look for some examples if possible)  Company.

Slides to add  Botnet slides  Security regulations  Do we have similar laws for transportation?  Terrorism (look for some examples if possible)  Company.
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Written by Guofei Gu, Roberto Perdisci, Junjie.

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Written by Guofei Gu, Roberto Perdisci, Junjie.
Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.

Botnet Dection system. Introduction  Botnet problem  Challenges for botnet detection.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Similar presentations

Ads by Google