Botnet Detection through Analyzing Network Traffic using - - PowerPoint PPT Presentation
Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods Basil AsSadhan Department of Electrical Engineering & Center of Excellence in Information Assurance King Saud University April 13-14, 2014
Department of Electrical Engineering & Center of Excellence in Information Assurance
King Saud University April 13-14, 2014 – Jumada Al-Akhirah 13-14, 1435 KFUPM, Dhahran, Saudi Arabia
2
Firewall
LAN
Internet
Analyzer
Control Data
Decomposer
Analyze network traffic through statistical signal processing methods
3
– Consist of an army of hundreds to ten of thousands of bots – Some predict that 16–25% of Internet hosts are part of botnet
– Magnify the level of destruction of attacks such as DDoS attacks and scanning – Make identity theft, phishing, and E-mail spam more effective
– Over 1 million victim computers in USA1 – $20 M in economic losses in USA1 – 3.04 million distinct botnet computers2 – Responsible for 69% of spam E-mail
1 FBI 2007 2 April 2013 Symantec global Internet security threat report
4
5
– Command bots to execute attack activities – Control bots to organize themselves to download malware code
6
50 100 150 200 250 0.5 1 1.5 2 2.5 3
7
High demands on methods that are:
– Scalable – Efficient (Accurate & Fast)
– Reduce amount of traffic to consider during analysis – Develop accurate methods under this constrain
1. Aggregate network traffic 2. Use control traffic as a surrogate for the whole traffic 3. Apply statistical signal processing methods (correlation, periodogram)
8
– Over a time unit, aggregate packets originating from
– Extract a count-feature Examples: packet, byte, address, and port count – Coarse (multiple flows) instead of fine (single flow) granularity
– Pro: Reduce substantially the amount of traffic to process reduce computations and time => higher efficiency & scalability – Con: Track less details might mean having less knowledge => less accurate analysis
9
D S1 S2 S3 S4
– Control traffic’s volume is 4–8% of total traffic – Minimize amount of traffic to consider – Higher efficiency and scalability
– Data traffic generation is based on control traffic generation They should have similar behaviors during benign uses – The relationship might differ during abnormal behavior
10
– Control traffic: Set, maintain, or tear down a connection – Data traffic: Actual transmission of data
– Control packets: SYN, FIN, RST, and bare ACKs – Data packets: All other packets
11
1. Select a suitable time unit to aggregate packets – Objective: high count variability – Depends on the packet rate of the traffic 2. Extract count-features to produce discrete time sequences – Packet count – Distinct address count – Byte count – Distinct port count
12
length src addr dest addr src port # dest port #
time
small large suitable
– Intersubnet traffic – Wide area traffic between enterprise network and the rest of the Internet – NOT the intrasubnet traffic that remained within the subnet
– Has couple of hours of activity – Has 17.8 million to 64.7 million packets – Includes 1,500–2,500 monitored hosts – Covers the traffic communication of 18–22 internal subnets
– Uses the same anonymized network ID for hosts belonging to the same internal subnet – Except for scanners as this might risk revealing the original host
13
14 Aggregation Interval: 60 seconds Packet Count: Control Traffic 40% Byte Count: Control Traffic 2.5%
Efficiency Scalability
15 Aggregation Interval: 60 seconds Address Count: Control Traffic 52% Port Count: Control Traffic 52%
An attack that manifests itself in the control plane only An attack that manifests itself in both control and data planes
Packet Traces from 1999 DARPA Dataset
16
– Benign applications: E-mail, software updates – Malicious applications: Botnets
17
Q: How significant should the peak be?
( )
− = − ≤ ≤ 1 1
] [ 2 1 ] [ max
m k xx xx m k
k P m k P
18
TinyP2P is used by real botnets
– Only the traffic of one of them is discussed
19
20
g*= 61.7 > zα= 23.5 313 mHz, 3.2 second g*= 70.7 > zα= 23.5 313 mHz, 3.2 second
TinyP2P is used by real botnets
3, 4, 5, 6, 7, 3 seconds
21
22
g*= 101.4 > zα= 24.9 273 mHz, 3.7 second g*= 77.0 > zα= 24.9 176 mHz, 5.9 second g* is higher when the duty cycle is higher
With Injected Random Poisson Noise (SNR= –6 dB)
23
g*= 31.8 > zα= 24.9 273 mHz, 3.7 second g*= 17.0 < zα= 24.9 No longer periodic What about address count?
1 1 *
SNR 1 SNR
− −
+ +
x
g
24
1 *
SNR 1
−
+
x
g
Upper Bound Lower Bound Averaging 2000 runs of added Poisson noise
bot master
– Only the traffic of one of them is discussed
25
26
g*= 40.8 > zα= 24.9 195 mHz, 5.1 second g*= 46.2 > zα= 24.9 195 mHz, 5.1 second
27
Bytes: 2.5% g*= 35.7 > zα= 24.9 195 mHz, 5.1 second g*= 34.9 > zα= 24.9 195 mHz, 5.1 second Control plane traffic: Packets: 47%
HTTP traffic obtained from LBNL/ICSI
28
29
g*= 61.7 > zα= 23.5 313 mHz, 3.2 second g*= 70.7 > zα= 23.5 313 mHz, 3.2 second
30
g*= 54.1 > zα= 23.5 313 mHz, 3.2 second g*= 57.7 > zα= 23.5 313 mHz, 3.2 second
31
g*= 21.4 < zα= 23.5 No longer periodic g*= 46.6 > zα= 23.5 313 mHz, 3.2 second
32
g*= 14.6 < zα= 23.5 No longer periodic g*= 49.5 > zα= 23.5 313 mHz, 3.2 second
33
g*= 22.4 < zα= 23.5 No longer periodic g*= 35.8 > zα= 23.5 313 mHz, 3.2 second
– This can be modeled by a random phase – Detectability will depend on:
– The signal is no longer periodic – This will succeed in evading the test – However will limit the efficiency of the exchange of C2 channel traffic
– Can be solved with white listing
34
– Scalability Aggregate traffic – Efficiency Control plane traffic
– Detect periodic behavior of C2 traffic – Independent of the structure and communication protocol used in the botnet – Does not require a priori knowledge (e.g., signature of botnet behavior)
– Botnet C2 traffic exhibits periodic behavior – E-mail traffic exhibits periodic behavior (not shown in presentation) – True whether we look at the control plane traffic only or the whole traffic – Develop bounds on the effect of injected noise traffic – Address count of C2 traffic resists background HTTP traffic – Performance increases with: increase of duty cycle, decrease of period, and/or observing traffic longer
35
36
Control Plane Traffic,” Journal of Advanced Research, 2013, available online at: http://dx.doi.org/10.1016/j.jare.2013.11.005.
Botnets' Command and Control Channels Traffic,” in Proceedings of International Conference on Information and Communication Systems (ICICS), Irbid, Jordan, April 1–3, 2014.
False Alarm Rate Anomaly-Based Approach for Network Intrusion Detection,” in Proceedings of International Conference on High-capacity Optical Networks and Emerging/Enabling Technologies (HONET), Magosa, Cyprus, December 11–13, 2013.
Traffic,” accepted at IEEE GLOBECOM, Honolulu, Hawaii, USA, Nov 30–Dec 4 2009.
Command and Control Traffic,” in Proceedings of IEEE International Symposium on Network Computing and Applications (NCA), Cambridge, MA, USA, July 9–11 2009.
into Control and Data Planes,” in Proceedings of the 4th International Workshop on Security in Systems and Networks (SSN) in conjunction with IEEE IPDPS 2008, Miami, FL, USA, April 18, 2008.
37
38
39