botsniffer detecting botnet command and control channels
play

BotSniffer: Detecting Botnet Command and Control Channels in - PowerPoint PPT Presentation

Sep 16, 2022 •92 likes •379 views

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS08 BotSniffer: Detecting Botnet C&C

  1. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 1 Traffic

  2. Roadmap • Introduction • BotSniffer – Motivation – Architecture – Algorithm – Experimental Evaluation • Summary 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 2 Traffic

  3. Introduction Botnet Problem Challenges in Botnet Detection BotSniffer Related Work Summary Research Overview Botnets: Big Problem • “ Attack of zombie computers is growing threat ” (New York Times) • “ Why we are losing the botnet battle ” (Network World) • “ Botnet could eat the internet ” (Silicon.com) • “ 25% of Internet PCs are part of a botnet ” (Vint Cerf) 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 3 Traffic

  4. Introduction Botnet Problem Challenges in Botnet Detection BotSniffer Related Work Summary Research Overview What are Bots/Botnets? • Bot (Zombie) – Compromised computer controlled by botcodes (malware) without owner consent/knowledge – Professionally written; self-propagating • Botnets (Bot Armies) – Networks of bots controlled by criminals – Key platform for fraud and other for-profit exploits Bot-master bot C&C 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 4 Traffic

  5. Introduction Botnet Problem Challenges in Botnet Detection BotSniffer Related Work Summary Research Overview Botnet Epidemic • More than 95% of all spam • All distributed denial of service (DDoS) attacks • Click fraud • Phishing & pharming attacks • Key logging & data/identity theft • Distributing other malware, e.g., spyware/adware 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 5 Traffic

  6. Introduction Botnet Problem Challenges in Botnet Detection BotSniffer Related Work Summary Research Overview Botnet C&C Detection • C&C is essential to a botnet – Without C&C, bots are just discrete, unorganized infections • C&C detection is important – Relatively stable and unlikely to change within botnets – Reveal C&C server and local victims – The weakest link • C&C detection is hard – Use existing common protocol instead of new one – Low traffic rate – Obscure/obfuscated communication 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 6 Traffic

  7. Introduction Botnet Problem Challenges in Botnet Detection BotSniffer Related Work Summary Research Overview Related Work • [Binkley,Singh 2006]: IRC-based bot detection combine IRC statistics and TCP work weight • Rishi [Goebel, Holz 2007]: signature-based IRC bot nickname detection • [Livadas et al. 2006]: (BBN) machine learning based approach using some general network-level traffic features (IRC botnet) • [Karasaridis et al. 2007]: (AT&T) network flow level detection of IRC botnet controllers for backbone network (IRC botnet) • [Gu et al. 2007]: BotHunter 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 7 Traffic

  8. Introduction Botnet Problem Challenges in Botnet Detection BotSniffer Related Work Summary Research Overview Our Approaches: General Picture Vertical Correlation BotHunter Enterprise-like Network (Security’07) Horizontal Correlation BotSniffer (NDSS’08) Internet 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 8 Traffic

  9. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Botnet C&C Communication 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 9 Traffic

  10. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Botnet C&C: Spatial-Temporal Correlation and Similarity 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 10 Traffic

  11. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment BotSniffer Architecture 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 11 Traffic

  12. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Correlation Engine • Group clients according to their destination IP and Port pair (HTTP/IRC connection record) • Perform a group analysis on spatial-temporal correlation and similarity property – Response-Crowd-Density-Check – Response-Crowd-Homogeneity-Check 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 12 Traffic

  13. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Response-Crowd-Density-Check Algorithm • Response crowd – a set of clients that have (message/activity) response behavior • A Dense response crowd – the fraction of clients with message/activity behavior within the group is larger than a threshold (e.g., 0.5). • Example: 5 clients connected to the same IRC/HTTP server, and all of them scanned at similar time (or send IRC messages at similar time) • Accumulate the degree of suspicion – Sequential Probability Ratio Testing (SPRT) 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 13 Traffic

  14. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Sequential Probability Ratio Testing (SPRT) • Each round, observe whether current crowd is dense or not (Y=1 or Y=0) – Hypothesis • Pr(Y=1|H1) very high (for botnet) • Pr(Y=1|H0) very low (for benign) • Update accumulated likelihood ratio according to the observation Y • After several rounds, we may reach a decision (which hypothesis is more likely, H1 or H0) 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 14 Traffic

  15. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Sequential Probability Ratio Testing (cont.) Acc. Likelihood ratio Threshold B , (Botnet ) Stopping time Time Threshold A (benign) • Also called TRW (Threshold Random Walk) • Bounded false positive and false negative rate (as desired), and usually needs only a few rounds 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 15 Traffic

  16. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Response-Crowd-Homogeneity-Check Algorithm • A homogeneous response crowd – Many members have very similar responses • Similarity is defined – Message response • Similar payload (DICE distance) • E.g., “ abcde ” and “ bcdef ” , common 2-grams: “ bc,cd,de ” , DICE distance is 2*3/(4+4)=6/8=0.75 – Activity response (examples) • Scan same ports • Download same binary • Send similar spams 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 16 Traffic

  17. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Real-Time IRC Message Correlation Flow Diagram IRC PRIVMSG Message Response Crowd n Compute DICE Distance, Is there a major cluster? (calculate Y n ) Update Yes Output “botnet” >= B No Output “benign” and Yes <= A put into a soft whitelist No for a random time Wait for more observation of response crowd 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 17 Traffic

  18. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Crowd Homogeneity: Relationship with Number of Clients For a botnet, more clients, higher probability of crowd homogeneity For normal IRC channel, more clients, lower probability of crowd homogeneity q: #clients t: threshold in clustering P= θ (2): basic probability of two clients sending similar messages 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 18 Traffic

  19. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Number of Rounds Needed 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 19 Traffic

  20. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Experiment 189 days’ of IRC traffic 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 20 Traffic

  21. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Experiment (cont.) Thanks David Dagon, Fabian Monrose, and Chris Lee for providing some of the evaluation traces 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 21 Traffic

  22. Introduction BotSniffer Summary BotSniffer Summary • Exploiting the underlying spatial-temporal correlation and similarity property of botnet C&C (horizontal correlation) • New anomaly-based detection algorithm • New Botnet C&C detection system: BotSniffer • Detected real-world botnets with a very low false positive rate 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 22 Traffic

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What

Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What

Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What do we Track and Why? + Overview of Information Stealing Trojans How/What they steal Phoning Home Popular Kits + Detecting C&amp;C

378 views • 25 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis &amp; Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&amp;C). The perpetrator is usually called a botmaster.

409 views • 11 slides
Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser

Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser

Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser Interdisciplinary Project Advisor: Lothar Braun Chair for Network Architectures and Services Faculty of Computer Science Technische Universit at M

1.02k views • 56 slides
A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T exas at San Antonio Overview Botnet Lifecycle Botnet Architecture Command and Control Mechanisms (C&amp;C) Dynamic Graph Model Botnet

195 views • 18 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien

Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien

Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien Maisonneuve Thesis supervisors: Olivier Hermant Franois Irigoin Thesis defense Paris, February 6, 2015 Control-Command Systems A control-command

1.17k views • 83 slides
Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2

Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2

Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2 WS) 2005-2007 2005-2007 Magdalena Hammervik Jenny Lindoff Martin Castor Lars Tydn Purpose of this presentation Purpose of this presentation

530 views • 24 slides
Key Human System Integration Plan Elements for Command &amp; Control Acquisition Michael B.

Key Human System Integration Plan Elements for Command &amp; Control Acquisition Michael B.

2010 Command and Control Research and Technology Symposium Key Human System Integration Plan Elements for Command &amp; Control Acquisition Michael B. Cowen, Ph.D. SPAWAR Systems Center Pacific Code 53621 53560 Hull Street San Diego, CA 92152

492 views • 13 slides
The Environment in Network Centric Operations: A Framework for Command and Control Presented to

The Environment in Network Centric Operations: A Framework for Command and Control Presented to

The Environment in Network Centric Operations: A Framework for Command and Control Presented to the 12th International Command and Control Research and Technology Symposium Paper I-156 Dr. Michael R. Hieb Sean Mackay Michael Powers Martin

332 views • 19 slides
Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS

Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS

Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS Dept., NCTU Jung Hong Chuang The Big Picture Marks Basic graphical elements in an image Channels Visual channels to control the

667 views • 43 slides
Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic Giroire Nina Taft Eve Schooler Mascotte project I3S (CNRS, Univ. of Nice) Intel Labs INRIA Sophia Antipolis Botnets: Why care? Botnet

888 views • 46 slides
Response: WCC, SDC &amp; Partners Multi-Agency Command and Control - 4 Cs - Command, Control

Response: WCC, SDC &amp; Partners Multi-Agency Command and Control - 4 Cs - Command, Control

Emergency Planning in Stratford Scrutiny Committee Michael Enderby Head of Service, CSW Resilience 6 th September 2017 04/09/2017 Civil Contingencies Act 2004 THE 7 DUTIES A single framework for civil protection in the United Kingdom to

419 views • 4 slides
Swiftwater Review Swiftwater Review There are over 470 miles of flood control channels in

Swiftwater Review Swiftwater Review There are over 470 miles of flood control channels in

Swiftwater Review Swiftwater Review There are over 470 miles of flood control channels in Los Angeles County Flood channels vary in shape and composition vertical sides sloped banks natural river Swiftwater Review Water

738 views • 35 slides
Seminar on Internetworking: Routing - from baseline to state-of-the-art Topic proposals Zheng

Seminar on Internetworking: Routing - from baseline to state-of-the-art Topic proposals Zheng

Seminar on Internetworking: Routing - from baseline to state-of-the-art Topic proposals Zheng Yan Nokia Research Center zheng.z.yan@nokia.com 19.01.2004 Topics Routing Security Solution and challenges Trust evaluation based

493 views • 10 slides
BGP Introduction and Basic Procedures 2005/03/11 (C) Herbert Haas Border Gateway Protocol

BGP Introduction and Basic Procedures 2005/03/11 (C) Herbert Haas Border Gateway Protocol

BGP Introduction and Basic Procedures 2005/03/11 (C) Herbert Haas Border Gateway Protocol (BGP) BGP-3 Was classful Central AS needed (didn't scale well) Not further discussed here! RFC 1267 BGP-4 Classless Meshed

472 views • 15 slides
Transport Layer How TCP, UDP, and Ports fit into IP Layer 4: the Transport Layer Responsibilities

Transport Layer How TCP, UDP, and Ports fit into IP Layer 4: the Transport Layer Responsibilities

Transport Layer How TCP, UDP, and Ports fit into IP Layer 4: the Transport Layer Responsibilities and Services Overall: message delivery End-to-end&quot; communications between processes ( i.e. running programs) Communicating

467 views • 17 slides
Communication Systems OSPF, BGP University of Freiburg Computer Science Computer Networks and

Communication Systems OSPF, BGP University of Freiburg Computer Science Computer Networks and

Communication Systems OSPF, BGP University of Freiburg Computer Science Computer Networks and Telematics Prof. Christian Schindelhauer Open Shortest Path First (OSPF) Last lecture: OSPF as an example of Link State Routing algorithm

608 views • 25 slides
Agenda Overview of deep learning Building a FAQ model with DeepLearning4J Integrating

Agenda Overview of deep learning Building a FAQ model with DeepLearning4J Integrating

Agenda Overview of deep learning Building a FAQ model with DeepLearning4J Integrating with a chatbot application Overview of deep learning AI ML Deep Learning Neural network architecture Neural network architecture Neural

469 views • 46 slides
BotSuer BotSuer BotSuer BotSuer: : : : Suing Stealthy P2P Bots in Network Traffic through

BotSuer BotSuer BotSuer BotSuer: : : : Suing Stealthy P2P Bots in Network Traffic through

Orange Labs Products and Services BotSuer BotSuer BotSuer BotSuer: : : : Suing Stealthy P2P Bots in Network Traffic through Netflow Analysis 12th International 12th International 12th International 12th International Conference

433 views • 18 slides
Accelerating SE research adoption with Analysis Bots https://github.com/AnalysisBotsPlatform

Accelerating SE research adoption with Analysis Bots https://github.com/AnalysisBotsPlatform

Accelerating SE research adoption with Analysis Bots https://github.com/AnalysisBotsPlatform Ivan Beschastnikh, Mircea F. Lungu, Yanyan Zhuang U. of British U. of Groningen U. of Colorado Columbia Colorado Springs Canada Wanted: SE

467 views • 23 slides
https://woebot.io/ Soft awareness 2017 chats with Replika https://vimeo.com/250440998#t=40s

https://woebot.io/ Soft awareness 2017 chats with Replika https://vimeo.com/250440998#t=40s

https://woebot.io/ Soft awareness 2017 chats with Replika https://vimeo.com/250440998#t=40s https://www.pandorabots.com/mitsuku/ 80% of companies will use ChatBots by the end of 2020 Chatbots can cut operational costs by up to 30%.

493 views • 7 slides

More recommend