BotSniffer: Detecting Botnet Command and Control Channels in - - PowerPoint PPT Presentation

botsniffer detecting botnet command and control channels
SMART_READER_LITE
LIVE PREVIEW

BotSniffer: Detecting Botnet Command and Control Channels in - - PowerPoint PPT Presentation

Sep 16, 2022 92 likes •381 views

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS08 BotSniffer: Detecting Botnet C&C

slide-1
SLIDE 1

2008-2-25 Guofei Gu NDSS’08 1 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic

Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology

slide-2
SLIDE 2

2008-2-25 Guofei Gu NDSS’08 2 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Roadmap

  • Introduction
  • BotSniffer

– Motivation – Architecture – Algorithm – Experimental Evaluation

  • Summary
slide-3
SLIDE 3

2008-2-25 Guofei Gu NDSS’08 3 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Botnets: Big Problem

  • “Attack of zombie computers is growing threat”

(New York Times)

  • “Why we are losing the botnet battle”

(Network World)

  • “Botnet could eat the internet”

(Silicon.com)

  • “25% of Internet PCs are part of a botnet”

(Vint Cerf)

Introduction

BotSniffer Summary

Botnet Problem

Challenges in Botnet Detection Related Work Research Overview

slide-4
SLIDE 4

2008-2-25 Guofei Gu NDSS’08 4 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

What are Bots/Botnets?

  • Bot

(Zombie)

– Compromised computer controlled by botcodes (malware) without owner consent/knowledge – Professionally written; self-propagating

  • Botnets

(Bot Armies)

– Networks of bots controlled by criminals – Key platform for fraud and other for-profit exploits bot C&C Bot-master

Introduction

BotSniffer Summary

Botnet Problem

Challenges in Botnet Detection Related Work Research Overview

slide-5
SLIDE 5

2008-2-25 Guofei Gu NDSS’08 5 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Botnet Epidemic

  • More than 95% of all spam
  • All distributed denial of service (DDoS)

attacks

  • Click fraud
  • Phishing

& pharming attacks

  • Key logging & data/identity theft
  • Distributing other malware, e.g.,

spyware/adware

Botnet Problem

Challenges in Botnet Detection Related Work Research Overview

Introduction

BotSniffer Summary

slide-6
SLIDE 6

2008-2-25 Guofei Gu NDSS’08 6 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Botnet C&C Detection

  • C&C is essential to a botnet

– Without C&C, bots are just discrete, unorganized infections

  • C&C detection is important

– Relatively stable and unlikely to change within botnets – Reveal C&C server and local victims – The weakest link

  • C&C detection is hard

– Use existing common protocol instead of new one – Low traffic rate – Obscure/obfuscated communication

Introduction

BotSniffer Summary

Botnet Problem

Challenges in Botnet Detection

Related Work Research Overview

slide-7
SLIDE 7

2008-2-25 Guofei Gu NDSS’08 7 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Related Work

  • [Binkley,Singh

2006]: IRC-based bot detection combine IRC statistics and TCP work weight

  • Rishi

[Goebel, Holz 2007]: signature-based IRC bot nickname detection

  • [Livadas

et al. 2006]: (BBN) machine learning based approach using some general network-level traffic features (IRC botnet)

  • [Karasaridis

et al. 2007]: (AT&T) network flow level detection of IRC botnet controllers for backbone network (IRC botnet)

  • [Gu

et al. 2007]: BotHunter

Botnet Problem Challenges in Botnet Detection

Related Work

Research Overview

Introduction

BotSniffer Summary

slide-8
SLIDE 8

2008-2-25 Guofei Gu NDSS’08 8 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Our Approaches: General Picture

Botnet Problem Challenges in Botnet Detection Related Work

Research Overview

Internet

Enterprise-like Network Horizontal Correlation Vertical Correlation BotHunter (Security’07) BotSniffer (NDSS’08)

Introduction

BotSniffer Summary

slide-9
SLIDE 9

2008-2-25 Guofei Gu NDSS’08 9 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Botnet C&C Communication

Introduction

BotSniffer

Summary

Motivation

Architecture Algorithm Experiment

slide-10
SLIDE 10

2008-2-25 Guofei Gu NDSS’08 10 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Botnet C&C: Spatial-Temporal Correlation and Similarity

Motivation

Architecture Algorithm Experiment

Introduction

BotSniffer

Summary

slide-11
SLIDE 11

2008-2-25 Guofei Gu NDSS’08 11 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

BotSniffer Architecture

Motivation

Architecture

Algorithm Experiment

Introduction

BotSniffer

Summary

slide-12
SLIDE 12

2008-2-25 Guofei Gu NDSS’08 12 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Correlation Engine

  • Group clients according to their destination IP

and Port pair (HTTP/IRC connection record)

  • Perform a group analysis on spatial-temporal

correlation and similarity property

– Response-Crowd-Density-Check – Response-Crowd-Homogeneity-Check

Motivation

Architecture

Algorithm Experiment

Introduction

BotSniffer

Summary

slide-13
SLIDE 13

2008-2-25 Guofei Gu NDSS’08 13 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Response-Crowd-Density-Check Algorithm

  • Response crowd

– a set of clients that have (message/activity) response behavior

  • A

Dense response crowd

– the fraction of clients with message/activity behavior within the group is larger than a threshold (e.g., 0.5).

  • Example: 5 clients connected to the same IRC/HTTP server,

and all of them scanned at similar time (or send IRC messages at similar time)

  • Accumulate the degree of suspicion

– Sequential Probability Ratio Testing (SPRT)

Motivation Architecture

Algorithm

Experiment

Introduction

BotSniffer

Summary

slide-14
SLIDE 14

2008-2-25 Guofei Gu NDSS’08 14 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Sequential Probability Ratio Testing (SPRT)

  • Each round, observe whether current crowd is dense
  • r not (Y=1 or Y=0)

– Hypothesis

  • Pr(Y=1|H1) very high (for botnet)
  • Pr(Y=1|H0) very low (for benign)
  • Update accumulated likelihood ratio according to the
  • bservation Y
  • After several rounds, we may reach a decision (which

hypothesis is more likely, H1 or H0)

Motivation Architecture

Algorithm

Experiment

Introduction

BotSniffer

Summary

slide-15
SLIDE 15

2008-2-25 Guofei Gu NDSS’08 15 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Sequential Probability Ratio Testing (cont.)

  • Also called TRW (Threshold Random Walk)
  • Bounded false positive and false negative rate (as

desired), and usually needs only a few rounds

Threshold B, (Botnet ) Threshold A (benign)

  • Acc. Likelihood ratio

Stopping time Time

Motivation Architecture

Algorithm

Experiment

Introduction

BotSniffer

Summary

slide-16
SLIDE 16

2008-2-25 Guofei Gu NDSS’08 16 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Response-Crowd-Homogeneity-Check Algorithm

  • A homogeneous

response crowd

– Many members have very similar responses

  • Similarity is defined

– Message response

  • Similar payload (DICE distance)
  • E.g., “abcde” and “bcdef”, common 2-grams: “bc,cd,de”, DICE distance is

2*3/(4+4)=6/8=0.75

– Activity response (examples)

  • Scan same ports
  • Download same binary
  • Send similar spams

Motivation Architecture

Algorithm

Experiment

Introduction

BotSniffer

Summary

slide-17
SLIDE 17

2008-2-25 Guofei Gu NDSS’08 17 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Real-Time IRC Message Correlation Flow Diagram

IRC PRIVMSG Message Response Crowd n Compute DICE Distance, Is there a major cluster? (calculate Yn ) Update >= B <= A Wait for more observation

  • f response crowd

Output “botnet” Output “benign” and put into a soft whitelist for a random time Yes Yes No No

Motivation Architecture

Algorithm

Experiment

Introduction

BotSniffer

Summary

slide-18
SLIDE 18

2008-2-25 Guofei Gu NDSS’08 18 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Crowd Homogeneity: Relationship with Number of Clients

q: #clients t: threshold in clustering P=θ(2): basic probability of two clients sending similar messages

For a botnet, more clients, higher probability of crowd homogeneity For normal IRC channel, more clients, lower probability of crowd homogeneity

Motivation Architecture

Algorithm

Experiment

Introduction

BotSniffer

Summary

slide-19
SLIDE 19

2008-2-25 Guofei Gu NDSS’08 19 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Number of Rounds Needed

Motivation Architecture

Algorithm

Experiment

Introduction

BotSniffer

Summary

slide-20
SLIDE 20

2008-2-25 Guofei Gu NDSS’08 20 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Experiment

189 days’ of IRC traffic

Motivation Architecture Algorithm

Experiment

Introduction

BotSniffer

Summary

slide-21
SLIDE 21

2008-2-25 Guofei Gu NDSS’08 21 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Experiment (cont.)

Motivation Architecture Algorithm

Experiment

Introduction

BotSniffer

Summary

Thanks David Dagon, Fabian Monrose, and Chris Lee for providing some of the evaluation traces

slide-22
SLIDE 22

2008-2-25 Guofei Gu NDSS’08 22 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

BotSniffer Summary

  • Exploiting the underlying spatial-temporal correlation

and similarity property of botnet C&C (horizontal correlation)

  • New anomaly-based detection algorithm
  • New Botnet

C&C detection system: BotSniffer

  • Detected real-world botnets

with a very low false positive rate

Introduction BotSniffer

Summary

slide-23
SLIDE 23

2008-2-25 Guofei Gu NDSS’08 23 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Future Work

  • Improving accuracy and resilience to evasion
  • BotMiner: protocol-

and structure-independent botnet detection technique

Introduction BotSniffer

Summary

slide-24
SLIDE 24

2008-2-25 Guofei Gu NDSS’08 24 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Thanks! Q&A Http://www.cc.gatech.edu/~guofei

slide-25
SLIDE 25

2008-2-25 Guofei Gu NDSS’08 25 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Probability of Having Two Similar Length Messages Probability of having two similar content messages are even lower

Appendix

slide-26
SLIDE 26

2008-2-25 Guofei Gu NDSS’08 26 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

Single Client C&C Detection Under Certain Conditions

  • IRC: broadcast in the channel

– similar to the case we can monitor multiple message responses from multiple clients in the group

  • HTTP: AutoCorrelation

to find periodic patterns from background noise

Appendix

slide-27
SLIDE 27

2008-2-25 Guofei Gu NDSS’08 27 BotSniffer: Detecting Botnet C&C Channels in Network Traffic

BotSniffer Extension and Limitation

  • Improving BotSniffer

– Using activity response crowd homogeneity – Extension of suspicious C&C protocol matchers

  • Possible evasion

– Effect of encryption – Evasion by exploiting time window – Evasion by using random delay/period, injecting random noise, injecting random garbage in the packet

Appendix