Botnet Detection and Response: The Network is the Infection (PowerPoint PPT Presentation)

  1. Botnet Detection and Response: The Network is the Infection
     David Dagon, dagon@cc.gatech.edu
     Georgia Institute of Technology, College of Computing
     OARC Workshop, 2005

  2. Outline based on joint work with:
     UMass CS: Cliff Zou
     GaTech CS: Sanjeev Dwivedi, Robert Edmonds, Wenke Lee, Richard Lipton, and Merrick Furst
     GaTech ECE: Julian Grizzard
     [Figure: Georgia Tech Campus (Cross Sectional View)]

  3. Outline
     1. Motivation/Overview: Definitions; The Network is the Infection
     2. Taxonomy: Propagation; Command and Control
     3. Detection: The Rallying Problem; Detection Opportunities
     4. Response

  4. Definition: Bots
     Hard to define; easy to detect.
     Definition: autonomous programs automatically performing tasks, absent a real user.
     Benign bots: countless examples at http://www.botknowledge.com/
     Gray-area bots: blogbots, e.g., Wikipedia, Xanga (note: http://en.wikipedia.org/wiki/Wikipedia:Bots); other examples: xdcc and fserve bots for IRC; trainer bots (MMORPGs)
     Malicious bots. Key characteristics: process forking, with network and file access, and propagation potential.

  5. Definition: Botnets
     Botnets: also hard to define.
     Definition: networks of autonomous programs capable of acting on instructions.
     Again, gray areas: FServe bot farms, spider farms, etc.
     Today, just a narrow definition: an organized network of malicious bot clients.
     Key insight: the network is the infection. We must track botnets, not just bots.

  7. Botnets as a Root Cause
     Botnets are a root problem:
     Spam bots
     Click fraud
     Large-scale identity theft; "vicpic" sites
     Proxynets (for launching other attacks)
     Lightning attacks: "The short vulnerability-to-exploitation window makes bots particularly dangerous." (Emerging Cybersecurity Issues Threaten Federal Information Systems, GAO-05-231)

  9. Botnet vs. Bot Detection: What's the Difference?
     Why track both bots and botnets?
     Bot detection benefits:
     Reverse engineering -> signature IDS (content)
     Partial victim identification
     Response policy: RBL, quarantine
     Host vulnerability analysis

  10. Botnet vs. Bot Detection: What's the Difference?
     Botnet detection benefits:
     Critical infrastructure protection: prioritize on harm to the network, not just to victims
     Reverse engineering -> signature IDS (flows)
     More complete victim identification
     Remediation policies: Windows 2003 Network Access Protection (NAP), ISP quarantines

  11. Botnet Propagation I
     Email: requires user interaction, social engineering. Easiest method; common. Interesting: pidgin English affects propagation.
     Instant message: various: social engineering, file transfer, vulnerabilities.

  12. Botnet Propagation II
     Remote software vulnerability: often, no interaction needed. Predator, prey and superpredator: worms vs. worms (dabber).
     Web page: plain vanilla malware, or even Xanga "ghetto botnets".
     "Seed" botnets: botnets create botnets. Used for upgrades. Most significant for detection.

  13. Command and Control Taxonomy
     Goals: anticipate future botnet structures; a taxonomy of botnet controls.
     "An important and sensible goal for an attack taxonomy ... should be to help the defender" (R. Maxion)
     Thus, create a taxonomy based on detection opportunities, instead of random bot/botnet characteristics.

  14. Command and Control Taxonomy: Resources
     Public vs. private: the botmaster's administrative control over a resource.
     Rallying services:
     1. Medium used for rallying
     2. E.g., HTTP, IRCd, DNS tunnel, etc.
     3. Reminder: public and private versions of the above

  15. Command and Control Taxonomy: Resources (cont'd)
     Public vs. private: the botmaster's administrative control over a resource.
     Name services:
     1. hosts(5), e.g., corrupting WINDOWS/system32/drivers/etc/hosts
     2. DNS, public and private
     3. DDNS, public/private
     4. Hit lists
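The hosts(5) item is worth a concrete check. A bot that owns the victim's hosts file can pin its rally hostname to an address it controls (sidestepping public DNS entirely) and blackhole vendor update names. The audit below is an added example, not code from the slides: it parses a constructed hosts file (the rally name, the 203.0.113.7 address and the "av.example" update names are hypothetical placeholders) and flags both patterns.

```python
import ipaddress

# Constructed sample of a Windows hosts file after a bot has tampered with it.
# Not real victim data: the rally hostname, its address and the "AV" update
# names are hypothetical placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# entries below were appended by the (hypothetical) bot
203.0.113.7     irc.rally.example        # pins the rally point, bypassing DNS
127.0.0.1       update.av.example        # blackholes the AV update server
0.0.0.0         liveupdate.av.example
"""

# Names that legitimately map to loopback in a stock hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

# Hypothetical watch list of vendor/update hostnames a bot would want to blackhole.
PROTECTED_NAMES = {"update.av.example", "liveupdate.av.example"}


def parse_hosts(text):
    """Return [(ip, [names...])] for every address line of a hosts(5) file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing and full-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed line, not an address entry
        entries.append((ip, [n.lower() for n in fields[1:]]))
    return entries


def audit_hosts(text):
    """Classify suspicious hosts entries.

    'blackholed': a protected name mapped to anything at all (the bot is cutting
                  off updates, whatever address it chose).
    'pinned':     a non-loopback address for a name that is not a stock loopback
                  alias; this is how a bot makes its rally point resolve locally
                  regardless of what public DNS says.
    """
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            if name in PROTECTED_NAMES:
                findings.append((name, str(ip), "blackholed"))
            elif not (ip.is_loopback or ip.is_unspecified) and name not in LOOPBACK_NAMES:
                findings.append((name, str(ip), "pinned"))
    return findings


if __name__ == "__main__":
    for name, ip, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:10} {name} -> {ip}")
```

A "pinned" entry is the stronger rally indicator: a stock hosts file carries only loopback aliases, so any non-loopback mapping deserves a look. The blackhole check depends on the watch list being current for the vendors actually deployed, which is an operational assumption rather than something the parser can infer.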

  16. Command and Control Taxonomy I: RFC Compliance
     The degree of standards compliance. E.g., a non-responsive IRCd.
     Ad-hoc protocols: P2P, port-knocking.
     Tunneling (NSTx, sinit, bobax).
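Tunneling over DNS (the NSTx style mentioned above, and the "DNS tunnel" rallying medium from slide 14) is detectable precisely because it bends the protocol: data has to be packed into query names, so the leftmost labels become long, numerous and high-entropy. The heuristic below is an added example, not code from the slides. It runs over a constructed query log (the "tunnel.example" zone and every label in it are hypothetical) and profiles each registered domain by distinct names, label length and Shannon entropy.

```python
import math
import statistics
from collections import Counter, defaultdict

# Constructed DNS query log of (client, qname); not a real capture. The zone
# "tunnel.example", the encoded labels and the client addresses are hypothetical.
QUERIES = [
    ("10.0.0.9", "www.example.com"),
    ("10.0.0.9", "mail.example.com"),
    ("10.0.0.9", "www.example.com"),
    ("10.0.0.9", "cdn.static.example.net"),
    ("10.0.0.9", "api.example.net"),
    # bot encoding data into long, high-entropy leftmost labels
    ("10.0.0.5", "kq7x2m9vz4wr8tdh3c1ynb0l5ge6p.t.tunnel.example"),
    ("10.0.0.5", "a9fj2k1mnbv8c7x5zqw3e4r6t0yuiop.t.tunnel.example"),
    ("10.0.0.5", "h4s8d2f6g1j5k9l3z7x0c4v2b8n6m1q.t.tunnel.example"),
    ("10.0.0.5", "p0o9i8u7y6t5r4e3w2q1a2s3d4f5g6h.t.tunnel.example"),
    ("10.0.0.5", "z1x2c3v4b5n6m7a8s9d0f1g2h3j4k5l.t.tunnel.example"),
]


def shannon_entropy(s):
    """Bits per character of s; 0 for a constant string, ~4.5+ for encoded data."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Approximate the registered domain as the last two labels.
    A real deployment should use the public suffix list (co.uk etc.)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def profile_domains(queries):
    """Per registered domain: distinct qnames, mean leftmost-label length,
    mean leftmost-label entropy, and the clients that asked."""
    seen = defaultdict(lambda: {"names": set(), "clients": set()})
    for client, qname in queries:
        d = registered_domain(qname)
        seen[d]["names"].add(qname.lower())
        seen[d]["clients"].add(client)
    profile = {}
    for d, s in seen.items():
        leftmost = [n.split(".")[0] for n in s["names"]]
        profile[d] = {
            "distinct_names": len(s["names"]),
            "mean_label_len": statistics.mean(len(l) for l in leftmost),
            "mean_entropy": statistics.mean(shannon_entropy(l) for l in leftmost),
            "clients": sorted(s["clients"]),
        }
    return profile


def find_tunnel_candidates(queries, min_names=4, min_len=20, min_entropy=3.5):
    """Domains whose leftmost labels look like encoded payload rather than hostnames."""
    return sorted(
        d for d, p in profile_domains(queries).items()
        if p["distinct_names"] >= min_names
        and p["mean_label_len"] >= min_len
        and p["mean_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for d in find_tunnel_candidates(QUERIES):
        p = profile_domains(QUERIES)[d]
        print(f"{d}: {p['distinct_names']} names, mean len {p['mean_label_len']:.1f}, "
              f"mean entropy {p['mean_entropy']:.2f}, clients {p['clients']}")
```

The thresholds are starting points, not tuned values. CDN and anti-spam infrastructure also emit long hashed labels, so in practice the distinct-name count per client and the volume over time matter more than any single query, and the candidate list should be joined with the rallying-service view (which clients, how often) rather than alerted on directly.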

  17. Command and Control Taxonomy II: Activity Level
     The degree to which bots are in constant contact with the botmaster.
     Time division: periodic phone-in, flow-based, sessionless, stateless.
     Proximity: delegation of contact; clique connections.
     Insight: other lists are possible. Key: organize them into categories. Can we detect these categories?
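The "periodic phone-in" cell of the activity-level axis is the one that flow data can answer directly, which is the point of building the taxonomy around detection opportunities. The example below is added here and is not code from the slides: it groups constructed flow records (the bot at 10.0.0.5 and its rally host 203.0.113.7:6667 are hypothetical) by source, destination and port, and flags pairs whose inter-flow gaps are nearly constant.

```python
import statistics
from collections import defaultdict

# Constructed flow records (start_time_s, src, dst, dport); not a real capture.
# 10.0.0.5 is the hypothetical bot, 203.0.113.7:6667 its hypothetical rally host,
# 10.0.0.9 an ordinary client with irregular web traffic.
FLOWS = [
    (t, "10.0.0.5", "203.0.113.7", 6667)
    for t in (0, 301, 599, 902, 1200, 1498, 1801, 2100, 2402, 2699)
] + [
    (t, "10.0.0.9", "198.51.100.10", 80)
    for t in (5, 12, 400, 1900, 1903, 2500)
] + [
    (50, "10.0.0.9", "198.51.100.20", 443),
    (2200, "10.0.0.9", "198.51.100.30", 443),
]


def find_beacons(flows, min_flows=6, max_cv=0.1):
    """Return [((src, dst, dport), mean_gap_s, cv)] for (src, dst, dport) pairs
    seen at least min_flows times whose inter-flow gaps have a coefficient of
    variation (population stdev / mean) of at most max_cv, i.e. a regular
    phone-in. Pairs with too few flows or irregular timing are skipped."""
    by_pair = defaultdict(list)
    for t, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(t)

    beacons = []
    for key, times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue                      # duplicate timestamps, nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append((key, round(mean, 1), round(cv, 3)))
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), mean_gap, cv in find_beacons(FLOWS):
        print(f"{src} -> {dst}:{dport} every {mean_gap}s (cv={cv})")
```

This catches only the fixed-interval case. A bot that jitters or randomizes its phone-in, or one that delegates contact to a peer (the proximity axis on the slide), will not produce a low coefficient of variation, so the other cells of the taxonomy need their own detectors rather than a looser threshold here.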

  18. The Rallying Problem
     Let's focus on "rallying" to identify detection opportunities.
     C&C is used to rally victims. Detecting C&C => detecting the botnet. Goal: detect C&C during formation.
     Therefore, reason like an attacker. Attacker design goals: robustness, mobility, stealth.
     Assumption: the attackers are always motivated by these three goals.

  19. The Rallying Problem
     Suppose we create a virus: download VX code; fiddle; compile. Uses email propagation/social engineering. We mail it...
     [Diagram: VX mailing victims V1 through V5]
     Welcome to the 1980s. What if we want to use victim resources?

  20. Simple Rallying I
     Naively, we could have victims contact us...
     Problems:
     VX must include the author's address (no stealth)
     Single rallying point (not robust)
     VX has a hard-coded address (not mobile)
     [Diagram: victims V1 through V5 contacting VX directly]

  21. Simple Rallying II
     Or, the victims could contact a third party, e.g., post to Usenet.
     Some connections dropped; single point of failure (not robust)
     Rival VXers and AVers obtain the list (not stealthy)
     Public, lasting record of victims (not stealthy)
     [Diagram: victims V1 through V5 posting to rally point R, read by VX]

  22. Simple Rallying III
     Or, the victims could contact a robust service, e.g., an IRCd.
     No single point of failure (is robust)
     Rival VXers and AVers identify the list (not stealthy). Addressed by adjusting protocol adherence or the private nature of the service.
     Portability of IRCd (DNS) (is mobile)
     [Diagram: victims V1 through V5 rallying on an IRCd, reached by VX]
