botnet detection through analyzing network traffic using
play

Botnet Detection through Analyzing Network Traffic using - PowerPoint PPT Presentation

Jan 03, 2023 •211 likes •609 views

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods Basil AsSadhan Department of Electrical Engineering & Center of Excellence in Information Assurance King Saud University April 13-14, 2014

  1. Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods Basil AsSadhan Department of Electrical Engineering & Center of Excellence in Information Assurance King Saud University April 13-14, 2014 – Jumada Al-Akhirah 13-14, 1435 KFUPM, Dhahran, Saudi Arabia

  2. Approach Decomposer Control Data Internet Firewall Analyzer LAN Analyze network traffic through statistical signal processing methods 2

  3. Outline • Botnets • Network Traffic Behavior Analysis • Control and Data Planes • Periodic Behavior in Network Traffic • Results • Conclusions and Current Work 3

  4. Botnets • Large network of compromised computers (bots) controlled by bot masters Consist of an army of hundreds to ten of thousands of bots – Some predict that 16–25% of Internet hosts are part of botnet – • Pose a significant threat to network-based applications & communications – Magnify the level of destruction of attacks such as DDoS attacks and scanning – Make identity theft, phishing, and E-mail spam more effective • How big is the problem? Over 1 million victim computers in USA 1 – $20 M in economic losses in USA 1 – 3.04 million distinct botnet computers 2 – – Responsible for 69% of spam E-mail 1 FBI 2007 2 April 2013 Symantec global Internet security threat report 4

  5. The Life Cycle of a Bot 1. Be identified as future bot (Scanning) 2. Gaining access to it (Trojan horse) 3. Download bot software C2 Communication 4. Receive botnet commands 5. The actual execution of malicious activities 5

  6. Botnets C2 Communication Botnets rely on Command & Control (C2) communication channels • A bot master uses C2 communication channels to: • – Command bots to execute attack activities – Control bots to organize themselves to download malware code C2 communication ~ the intelligence communication prior to the attack • • Detecting C2 => detecting bots before any target is attacked • Problem: C2 has low volume and is well behaved • Bots are typically pre-programmed to check for updates every T sec • C2 traffic in many botnet variants exhibits periodic behavior per host-port pair 3 2.5 2 1.5 1 0.5 0 0 50 100 150 200 250 6

  7. Network Traffic Behavior Analysis • Understanding network traffic behavior helps to: – Detect abnormal behavior • In network security: attacks and malicious behavior • In network management: failures and malfunctions – Design and improve future networks • Difficulties include: – Large amount of traffic – Continuous emergence of new high bandwidth applications 7

  8. Network Traffic Behavior Analysis (Cont.) • Problem: High demands on methods that are: – Scalable – Efficient (Accurate & Fast) • Objective: – Reduce amount of traffic to consider during analysis – Develop accurate methods under this constrain • Proposed Solution: 1. Aggregate network traffic 2. Use control traffic as a surrogate for the whole traffic 3. Apply statistical signal processing methods (correlation, periodogram) 8

  9. Scalability: Aggregate Traffic • Preprocess packet traces to produce a discrete time sequence S 1 – Over a time unit, aggregate packets originating from S 2 or destined to a given: host, host-port pair, or subnet D – Extract a count-feature S 3 Examples: packet, byte, address, and port count – Coarse (multiple flows) instead of fine (single flow) granularity S 4 • Use discrete time series analysis to monitor aggregate traffic: – Pro: Reduce substantially the amount of traffic to process reduce computations and time => higher efficiency & scalability – Con: Track less details might mean having less knowledge => less accurate analysis 9

  10. Scalability: Control and Data Planes Use control traffic as a surrogate for whole traffic • – Control traffic’s volume is 4–8% of total traffic – Minimize amount of traffic to consider – Higher efficiency and scalability • Assumptions Data traffic generation is based on control traffic generation – They should have similar behaviors during benign uses – The relationship might differ during abnormal behavior 10

  11. Control and Data Planes (Cont.) • For an enterprise LAN traffic – Control traffic: Set, maintain, or tear down a connection – Data traffic: Actual transmission of data • TCP packets: Use flag and sequence number fields – Control packets: SYN, FIN, RST, and bare ACKs – Data packets: All other packets • UDP packets: Application dependent • ICMP packets: All control • UDP and ICMP packets are not considered 11

  12. Preprocessing: Network Traffic 1. Select a suitable time unit to aggregate packets – Objective: high count variability – Depends on the packet rate of the traffic No. packets time small large suitable 2. Extract count-features to produce discrete time sequences – Packet count – Distinct address count – Byte count – Distinct port count length src addr dest addr src port # dest port # 12

  13. “LBNL/ICSI Enterprise Tracing Project” Packet Trace • tcpdump traffic collected from two internal network locations at LBNL • LBNL is a research institute with a medium-sized enterprise network Only header information is released to the public for privacy reasons • The traffic to and from a given subnet is only collected: • – Intersubnet traffic – Wide area traffic between enterprise network and the rest of the Internet – NOT the intrasubnet traffic that remained within the subnet • The packet traces are divided into five datasets, each dataset: Has couple of hours of activity – – Has 17.8 million to 64.7 million packets Includes 1,500–2,500 monitored hosts – – Covers the traffic communication of 18–22 internal subnets • IP addresses are carefully anonymized Uses the same anonymized network ID for hosts belonging to the same internal subnet – – Except for scanners as this might risk revealing the original host • We extracted packet, byte, address, and port counts 13

  14. Control vs. Data: LBNL/ICSI Dataset Packet Count: Control Traffic 40% Efficiency Byte Count: Control Traffic 2.5% Scalability Aggregation Interval: 60 seconds 14

  15. Control vs. Data: LBNL/ICSI Dataset Address Count: Control Traffic 52% Port Count: Control Traffic 52% Aggregation Interval: 60 seconds 15

  16. Attack Detection An attack that manifests An attack that manifests itself itself in the control plane only in both control and data planes Packet Traces from 1999 DARPA Dataset 16

  17. Periodic Behavior in Network Traffic • Periodic behavior arises in network traffic: – Benign applications: E-mail, software updates – Malicious applications: Botnets • Power Spectral Density (PSD) provides the power at different frequencies Q: How significant should the peak be? ( ) max P [ k ] xx ≤ ≤ − 0 k m 1 − m 1 1 ∑ P [ k ] xx 2 m = k 0 17

  18. RESULTS 18

  19. SLINGbot: 1 st TinyP2P Botnet • 5 bots and 1 bot master in a mesh topology • TinyP2P protocol on port number 11375 TinyP2P is used by real botnets Each bot is pre-programmed to update its data every 3 seconds by contacting • other bots • Run time: ~ 20 seconds • C2 traffic in each bot is similar Only the traffic of one of them is discussed – • We use an aggregation interval of 100 ms We select the false alarm probability α = 0.1% • 19

  20. Periodic Behavior: 1 st TinyP2P C2 Traffic g * = 61.7 > z α = 23.5 g * = 70.7 > z α = 23.5 313 mHz, 3.2 second 313 mHz, 3.2 second 20

  21. SLINGbot: 2 nd TinyP2P Botnet • 5 bots and 1 bot master in a mesh topology • TinyP2P protocol on port number 11375 TinyP2P is used by real botnets Bots are pre-programmed to update their data by contacting other bots every • 3, 4, 5, 6, 7, 3 seconds • Run time: ~ 35 seconds The traffic of the 4 and 6 seconds bots is discussed • We use an aggregation interval of 100 ms • We select the false alarm probability α = 0.1% • 21

  22. Duty Cycle: 2 nd TinyP2P C2 Traffic g * is higher when the duty cycle is higher g * = 101.4 > z α = 24.9 g * = 77.0 > z α = 24.9 273 mHz, 3.7 second 176 mHz, 5.9 second 22

  23. Periodic Behavior: 2 nd TinyP2P C2 Traffic With Injected Random Poisson Noise (SNR= –6 dB) What about address count? g * = 31.8 > z α = 24.9 g * = 17.0 < z α = 24.9 No longer periodic 273 mHz, 3.7 second 23

  24. Bounding the Effect of Random Noise Traffic Averaging 2000 runs of added Poisson noise Upper Bound ( ) − + * 1 g SNR x − + 1 1 SNR Lower Bound * g x − + 1 1 SNR 24

  25. SLINGbot: IRC Botnet • 20 bots and 1 bot master in a star topology • IRC protocol on port number 6667 • Each bot is pre-programmed to update its data every 5 seconds by contacting bot master • Run time: ~ 40 seconds • C2 traffic in each bot is similar Only the traffic of one of them is discussed – We use an aggregation interval of 100 ms • We select the false alarm probability α = 0.1% • 25

  26. Periodic Behavior: IRC C2 Traffic g * = 40.8 > z α = 24.9 g * = 46.2 > z α = 24.9 195 mHz, 5.1 second 195 mHz, 5.1 second 26

  27. Periodic Behavior: IRC C2 Control Plane Traffic Control plane traffic: Packets: 47% Bytes: 2.5% g * = 35.7 > z α = 24.9 g * = 34.9 > z α = 24.9 195 mHz, 5.1 second 195 mHz, 5.1 second 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu 1,2 , Roberto Perdisci 3 , Junjie Zhang 1 , and Wenke Lee 1 1 Georgia Tech 3 Damballa, Inc. 2 Texas A&amp;M University 2008-7-31

549 views • 22 slides
Pentest Accountability By Analyzing Network Traffic &amp; Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic &amp; Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic &amp; Network Traffic Metadata RP1 Presentation By Henk van Doorn &amp; Marko Spithoff Relevance Security Audits Company Detects (Attempted) Breach Accountability Of Actions 2

337 views • 22 slides
Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Motivation/Overview Taxonomy Detection Response Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu Georgia Institute of Technology College of Computing OARC Workshop, 2005 David Dagon Botnet

675 views • 45 slides
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS08 BotSniffer: Detecting Botnet C&amp;C

379 views • 27 slides
Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large group of infected computers,

610 views • 23 slides
1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq Khan, Protick Bhowmick, Md. Shohrab Hossain, and Husnu S. Narman 2 Outlines Motivation Problem Contribution Results Conclusions 3

733 views • 34 slides
Conformal Clustering and its Application to Botnet Traffic Giovanni Cherubin, Ilia Nouretdinov,

Conformal Clustering and its Application to Botnet Traffic Giovanni Cherubin, Ilia Nouretdinov,

Conformal Clustering and its Application to Botnet Traffic Giovanni Cherubin, Ilia Nouretdinov, Alexander Gammerman Roberto Jordaney, Zhi Wang, Davide Papini, Lorenzo Cavallaro Netflow, network traces Internet Bot TCP/ netflow Date

576 views • 20 slides
Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
Detection &amp; Eradication About RedIRIS Spanish Academic &amp; Research Network

Detection &amp; Eradication About RedIRIS Spanish Academic &amp; Research Network

Detection &amp; Eradication About RedIRIS Spanish Academic &amp; Research Network Interconnect 250 Universities &amp; Research centers Part of goverment company, red.es IRIS-CERT, CSIRT inside RedIRIS Botnet Detection 1. By

716 views • 48 slides
Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State University Computer Science outline background experimental flow tuples botnet server mesh detection botnet client mesh detection

364 views • 23 slides
Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Introduction Statement problem Mathematical background Algorithm Experiments Conclusions Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and OC-SVM with Mahalanobis Kernel Jayro Santiago-Paz, Deni

583 views • 23 slides
Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen University of Pennsylvania August 8th, 2011 CSET-2011 1 Alice has developed a new botnet detector!!! What should the evaluation show? Alice's

767 views • 42 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
On Entropy in Network Traffic Anomaly Detection Jayro Santiago-Paz, Deni Torres-Roman.

On Entropy in Network Traffic Anomaly Detection Jayro Santiago-Paz, Deni Torres-Roman.

Introduction Feature Extraction Entropy Calculation Anomaly detection Classification Open Issues On Entropy in Network Traffic Anomaly Detection Jayro Santiago-Paz, Deni Torres-Roman. Cinvestav, Campus Guadalajara, Mexico November 2015

690 views • 24 slides
A Spectral Approach Towards Analyzing Air Traffic Network Disruptions (Li et al., ATM2019) Two

A Spectral Approach Towards Analyzing Air Traffic Network Disruptions (Li et al., ATM2019) Two

A Spectral Approach Towards Analyzing Air Traffic Network Disruptions (Li et al., ATM2019) Two knowledge gaps: high delay high delay correlation correlation How do we distinguish BOS delays: 90 min BOS delays: 10 min unexpected spatial

357 views • 3 slides
Wireshark network analyzing tool 19/03/2018 1 Wireshark network analyzing tool What?

Wireshark network analyzing tool 19/03/2018 1 Wireshark network analyzing tool What?

Wireshark network analyzing tool 19/03/2018 1 Wireshark network analyzing tool What? One of the best open source packet analyzers available today Captures network packets and tries to display content as detailed as possible

338 views • 5 slides
Families CoP State 6.24.19 Team Core Belief: All people and their families have the right to

Families CoP State 6.24.19 Team Core Belief: All people and their families have the right to

SD Supporting Families CoP State 6.24.19 Team Core Belief: All people and their families have the right to live, love, work, play and pursue their life aspirations in their community. 2 What is a Community of Practice? A community of

326 views • 15 slides
Monadnock Developmental Services Open Enrollment For Benefits Effective January 1, 2021 Welcome

Monadnock Developmental Services Open Enrollment For Benefits Effective January 1, 2021 Welcome

Monadnock Developmental Services Open Enrollment For Benefits Effective January 1, 2021 Welcome to our 2021 Open Enrollment! We are very pleased to be offering the same benefits as 2021 with a few benefit enhancement changes: We are

806 views • 65 slides
Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2

Wherefore Art Thou, OAuth? 1 What is OAuth? 2 What is OAuth? Your Valet Key for the Web 2 What is OAuth? Your Valet Key for the Web Delegated Authentication Protocol 2 What is OAuth? Your Valet Key for the Web Delegated Authentication

357 views • 33 slides
Studying the Impact of Multimodality in Sentiment Analysis Ahmad Elshenawy Steele Carter

Studying the Impact of Multimodality in Sentiment Analysis Ahmad Elshenawy Steele Carter

Studying the Impact of Multimodality in Sentiment Analysis Ahmad Elshenawy Steele Carter Goals/Motivation How are judgments influenced by different modalities? Compare sentiment contributions of different modalities Use

367 views • 17 slides
Bounce

Bounce

Bounce rate (sometimes confused with exit rate) [1] is an internet marketing term used in web traffic analysis. It represents the percentage of visitors who

214 views • 7 slides
Effectiveness Marketing Director Certification Program: Module 3 with Ken Hardison The

Effectiveness Marketing Director Certification Program: Module 3 with Ken Hardison The

Youre about to discover Measuring Marketing Effectiveness Marketing Director Certification Program: Module 3 with Ken Hardison The Authority on Legal Marketing Key Metrics Number of Leads Source of Leads Conversion Rates for

335 views • 17 slides
An introduction to A/B testing using a Google Optimize example Juan M. Fonseca-Sol s

An introduction to A/B testing using a Google Optimize example Juan M. Fonseca-Sol s

An introduction to A/B testing using a Google Optimize example Juan M. Fonseca-Sol s https://juanfonsecasolis.github.com March 1, 2020 Juan M. Fonseca-Sol s A/B testing with Google Optimize March 1, 2020 1 / 36 Introduction A/B

1.14k views • 95 slides
GOOGLE ANALYTICS 101 #WOWWEBINAR Private and Confidential. Property of Whereoware, LLC. ABOUT

GOOGLE ANALYTICS 101 #WOWWEBINAR Private and Confidential. Property of Whereoware, LLC. ABOUT

GOOGLE ANALYTICS 101 #WOWWEBINAR Private and Confidential. Property of Whereoware, LLC. ABOUT US 20 years of experience Marketing Automation Personalized Websites Cloud-based Solutions Mobile Applications Data

629 views • 35 slides

More recommend