BotSuer: Suing Stealthy P2P Bots - PowerPoint PPT Presentation


SLIDE 1

Orange Labs Products and Services

BotSuer: Suing Stealthy P2P Bots in Network Traffic through Netflow Analysis

12th International Conference on Cryptology and Network Security (CANS 2013)

Nizar Kheir and Chirine Wolley

November 21st, 2013

SLIDE 2

France Telecom Group confidential Nizar Kheir

Outline

  • Introduction and Motivations
  • System Description
  • Experimentations
  • Conclusion

SLIDE 3

Botnet threat: Myth or reality

Do botnets constitute a real threat … or just a storm in a teacup?

SLIDE 4

Understanding the botnet phenomenon

Modern cybercrime increasingly relies on malicious software

  • Self-replication, code obfuscation, executable packing
  • Multiple attack vectors: spam, Denial of Service, data theft and sabotage

Multiple loopholes to break into an information system

– Phishing attacks, infected websites, social networks

Control multiple terminals during single infection campaigns

– Nodes connecting to a common Command & Control (C&C) infrastructure

Botnets are networks of infected nodes controlled by a single master and abiding by a common C&C infrastructure

SLIDE 5

Observing botnet trends

P2P topologies constitute a growing trend in botnet C&C communications

Rise of viruses and use of botnets to trigger distributed attacks (e.g. spam, DDoS, scan)

Botnets are becoming stealthier and seeking financial gain

IRC botnet (Diagram: C&C and bots)

  • Ease of administration
  • High responsiveness

But

  • Single point of failure

HTTP botnet (Diagram: C&C, master nodes and bots)

  • Ease of administration
  • High responsiveness
  • Obfuscation (e.g. DNS flux)
  • Better robustness

But

  • Weak failover strategies

P2P botnet (Diagram: bots and master nodes)

  • Robust botnet architecture
  • Strong failover mechanisms

But

  • Difficult administration
  • Low responsiveness
  • Management delays

HTTP2P botnet !!

  • Robust botnet architecture
  • Strong failover mechanisms
  • Ease of administration
  • High responsiveness
  • Persistence

SLIDE 6

Malware detection – AntiVirus limitations

  • Malware uses binary polymorphism to evade anti-virus detection
  • Inadequacy with new technologies such as Cloud infrastructures
  • Multiple OS environments (e.g. Android, Microsoft, iOS)

SLIDE 7

Botnet detection challenge – Network activity

Network communications are the cornerstone for botnet operation

– Extract updates and commands from the C&C infrastructure
– Exfiltrate private data to external drop zones
– Trigger attacks such as spam, Denial of Service, ad clicks, etc.
– Spread infections using zero-day exploits

(Diagram: malware source code passes through a polymorphism renderer, producing polymorphic malware binaries and weak AV signatures; running the binaries in a sandbox application shows the same network activity, i.e. strong network footprints: DNSQuery malicious.org, GET /images/log.gif?72cea=325, Nick bot25325)

The swarm effect provides stronger network footprints that efficiently characterize a family of malware, as opposed to pattern-based signatures.

SLIDE 8

P2P botnet detection strategy

P2P botnets evade web-based signatures

– Replace signatures with behavioral network models

Goals

– Extract P2P traffic
  • Based on empirical facts & behavioral patterns of P2P applications
  • Extract P2P network flows and cluster similar P2P applications
– Build detection system
  • Setup a labelled dataset of malicious and benign P2P flow clusters
  • Machine learning to build an appropriate malware detection system
– Detect P2P malware
  • Inline detection of botnet covert channels using Netflow records
  • Intelligent metrics that characterize time, space and flow features

Strategy

– Obtain a ground truth of P2P traffic including malicious and benign applications
– Test and validate the concept using real-world traffic
– Detect P2P botnets that avoid web applications for C&C

SLIDE 9

P2P botnet detection architecture

(Diagram: pipeline components, in the order shown: network traffic (containing P2P bot traffic), P2P coarse filter (dropped traffic), flow clustering (unsupervised), Netflow clusters, P2P fine filter, P2P flow clusters, intrusion detection system, alert; a P2P malware database feeds supervised learning of the intrusion detection system)

SLIDE 10

Behavioral P2P flow filter

Multiple heuristics to discard flows unlikely to show P2P activity

– Only behavioral P2P characteristics with no pattern signatures
– DNS filter: P2P applications operate outside the DNS system
– Failed connection filter: use chunk rates to identify P2P flows
– Two filtering steps, including coarse-grained and fine-grained filtering
– Clustering P2P flows by signaling activity
– Discarding non-P2P flows using geographical distribution and destination port statistics

(Diagram: network traffic, P2P flow filter, P2P traffic)
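The following is an added example, not code from the BotSuer authors, showing how the coarse-filter heuristics on this slide can be expressed over NetFlow-style records: a DNS filter (destinations never seen in a DNS answer to that host), a failed-connection filter (attempts with no reverse flow), and destination-port and /16 address-space diversity as a stand-in for geographical spread. The record layout, the thresholds, the sample addresses and the DNS answer table are all assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    """One unidirectional NetFlow-style record (layout assumed for this example)."""
    ts: float     # flow start, seconds
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    dport: int    # destination port
    proto: str    # "tcp" or "udp"
    pkts: int
    octets: int
    flags: str    # cumulative TCP flags seen from src ("" for UDP)


def slash16(ip):
    """Coarse /16 bucket, used here as a proxy for geographical distribution."""
    return int(ip_address(ip)) >> 16


def is_failed(flow, seen_pairs):
    """A connection attempt that never got an answer in the opposite direction.

    TCP: a SYN-only forward flow with no reverse flow. UDP: no reverse flow at all.
    Peer churn in P2P overlays produces many such attempts (the slide's heuristic).
    """
    no_reply = (flow.dst, flow.src) not in seen_pairs
    if flow.proto == "tcp":
        return no_reply and flow.flags == "S"
    return no_reply


def host_stats(flows, dns_answers):
    """Aggregate per-source-host counters for the filter heuristics.

    dns_answers maps a host to the set of IPs returned to it in DNS responses;
    a destination missing from that set was contacted without a DNS lookup.
    """
    seen_pairs = {(f.src, f.dst) for f in flows}
    stats = defaultdict(lambda: {"dsts": set(), "unresolved": set(), "ports": set(),
                                 "prefixes": set(), "flows": 0, "failed": 0})
    for f in flows:
        s = stats[f.src]
        s["flows"] += 1
        s["dsts"].add(f.dst)
        s["ports"].add(f.dport)
        s["prefixes"].add(slash16(f.dst))
        if f.dst not in dns_answers.get(f.src, set()):
            s["unresolved"].add(f.dst)
        if is_failed(f, seen_pairs):
            s["failed"] += 1
    return stats


def p2p_candidates(flows, dns_answers, min_dsts=5, min_unresolved=0.7,
                   min_failed=0.3, min_prefixes=4):
    """Return hosts whose flows pass the coarse P2P heuristics (thresholds assumed)."""
    out = {}
    for host, s in host_stats(flows, dns_answers).items():
        if len(s["dsts"]) < min_dsts:
            continue
        unresolved = len(s["unresolved"]) / len(s["dsts"])
        failed = s["failed"] / s["flows"]
        if (unresolved >= min_unresolved and failed >= min_failed
                and len(s["prefixes"]) >= min_prefixes):
            out[host] = {"flows": s["flows"], "peers": len(s["dsts"]),
                         "unresolved_ratio": unresolved, "failed_ratio": failed,
                         "ports": len(s["ports"]), "prefixes": len(s["prefixes"])}
    return out


# Constructed sample: 10.0.0.7 is a web client (every destination came from a DNS
# answer, all on 443, all answered); 10.0.0.5 contacts eight unresolved peers in six
# different /16s on assorted ports, and three of those attempts go unanswered.
SAMPLE_DNS = {"10.0.0.7": {"192.0.2.10", "198.51.100.20", "203.0.113.30"}}


def sample_flows():
    flows = []
    for i, srv in enumerate(sorted(SAMPLE_DNS["10.0.0.7"])):
        flows.append(Flow(100 + i, "10.0.0.7", srv, 443, "tcp", 12, 5400, "SPA"))
        flows.append(Flow(100 + i, srv, "10.0.0.7", 52000 + i, "tcp", 10, 48000, "SPA"))
    peers = [  # (peer, port, proto, answered) -- constructed values
        ("192.0.2.77", 4662, "tcp", True), ("198.51.100.23", 6881, "udp", True),
        ("203.0.113.9", 51413, "udp", False), ("198.18.4.4", 4672, "udp", True),
        ("100.64.7.7", 6881, "tcp", False), ("192.0.2.130", 6882, "tcp", True),
        ("203.0.113.200", 24000, "udp", False), ("198.19.2.2", 4662, "tcp", True),
    ]
    for i, (peer, port, proto, answered) in enumerate(peers):
        flags = ("SPA" if answered else "S") if proto == "tcp" else ""
        flows.append(Flow(200 + 30 * i, "10.0.0.5", peer, port, proto, 3, 180, flags))
        if answered:
            flows.append(Flow(200 + 30 * i, peer, "10.0.0.5", 40000, proto, 3, 180,
                              "SPA" if proto == "tcp" else ""))
    return flows


if __name__ == "__main__":
    for host, summary in p2p_candidates(sample_flows(), SAMPLE_DNS).items():
        print(host, summary)
```

On the constructed sample only 10.0.0.5 survives the filter: all eight peers were contacted without a DNS lookup, 3 of 8 attempts got no reply and the peers span six /16 prefixes, whereas the web client fails the minimum-destination check outright. In a deployment the thresholds would be calibrated on the labelled clusters the talk describes, and the surviving hosts' flows would go on to the clustering and fine-filter stages rather than being alerted on directly.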

SLIDE 11

P2P botnet detection model

Supervised machine learning to build the P2P botnet detection model

Three categories of features to characterize P2P flows:

– Time features describe long-term malware P2P signaling activity
– Space features describe chunk rate and distribution of P2P botnets
– Flow-size features describe control operations in P2P botnets

Testing multiple supervised learning algorithms (e.g. SVM, J48, C4.5)

– Tell apart benign P2P applications and P2P botnet operation

SLIDE 12

Experimentation – Malware dataset

  • Initial dataset of up to 20 thousand distinct malware samples
  • Using the VirusTotal API to identify P2P malware in our initial dataset
  • An overall number of 1,317 P2P malware samples to build our malware classifier, belonging to 8 different malware families

SLIDE 13

Experimentation – P2P learning set

  • Use P2P flow filter to discard non-P2P flows triggered by malware
  • Build clusters of P2P flows using our P2P flow clustering module
  • We obtained 2,975 P2P flow clusters that we used to build our supervised P2P botnet detection model

Benign P2P learning set includes 794 benign P2P flow clusters

– 415 P2P clusters using our P2P filter applied to corporate network traffic
– 379 P2P clusters obtained by manually executing P2P applications (e.g. eMule, Kademlia, BitTorrent, Gnutella)

SLIDE 14

Experimentation – Detection accuracy

Use cross-validation to evaluate our P2P botnet detection model

Contribution of features towards detection
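The following added example (not the BotSuer authors' code) ties together the detection model of slide 11 and the cross-validated evaluation of this slide: it computes three time, three space and three flow-size features for a cluster of NetFlow-style records, trains a nearest-centroid classifier on z-scored features as a small stand-in for the SVM / C4.5 models the talk evaluates, and scores it with k-fold cross-validation. The concrete feature definitions, the synthetic bot and benign clusters and all numeric ranges are assumptions made for this example; the real labelled set comes from the malware sandbox runs and benign P2P captures described on the previous slides.

```python
import math
import random
from ipaddress import ip_address
from statistics import mean, pstdev

# Nine assumed features, three per family named on slide 11
FEATURE_NAMES = ["duration", "mean_gap", "gap_cv",          # time
                 "n_peers", "n_prefixes", "prefix_ratio",    # space
                 "mean_bytes", "mean_pkts", "small_frac"]    # flow size


def cluster_features(flows):
    """flows: list of (start_ts, dst_ip, pkts, octets) records from one P2P flow cluster."""
    ts = sorted(f[0] for f in flows)
    gaps = [b - a for a, b in zip(ts, ts[1:])] or [0.0]
    mean_gap = mean(gaps)
    gap_cv = pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0  # regularity of signaling
    peers = {f[1] for f in flows}
    prefixes = {int(ip_address(p)) >> 16 for p in peers}        # /16 spread as geography proxy
    octets = [f[3] for f in flows]
    return [ts[-1] - ts[0], mean_gap, gap_cv,
            len(peers), len(prefixes), len(prefixes) / len(peers),
            mean(octets), mean(f[2] for f in flows),
            sum(o < 200 for o in octets) / len(octets)]            # share of tiny control flows


class NearestCentroid:
    """Minimal supervised model: z-score every feature, keep one centroid per label."""

    def fit(self, X, y):
        cols = list(zip(*X))
        self.mu = [mean(c) for c in cols]
        self.sd = [pstdev(c) or 1.0 for c in cols]   # constant column: leave unscaled
        self.centroids = {}
        for label in sorted(set(y)):
            rows = [self._z(x) for x, lab in zip(X, y) if lab == label]
            self.centroids[label] = [mean(c) for c in zip(*rows)]
        return self

    def _z(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def predict(self, x):
        z = self._z(x)
        return min(self.centroids, key=lambda lab: math.dist(z, self.centroids[lab]))


def cross_validate(X, y, k=5, seed=0):
    """k-fold cross-validation accuracy of NearestCentroid over the labelled clusters."""
    idx = list(range(len(X)))
    random.Random(seed).shuffle(idx)
    folds = [idx[i::k] for i in range(k)]
    correct = 0
    for fold in folds:
        held = set(fold)
        train = [i for i in idx if i not in held]
        clf = NearestCentroid().fit([X[i] for i in train], [y[i] for i in train])
        correct += sum(clf.predict(X[i]) == y[i] for i in fold)
    return correct / len(X)


def _rand_ip(rng):
    return f"{rng.randint(1, 223)}.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{rng.randint(1, 254)}"


def synthetic_clusters(n_per_class=20, seed=1):
    """Constructed labelled clusters (assumption, not real captures): bots send
    periodic tiny messages to many distinct peers; benign P2P clients exchange
    bursty, large transfers with a small pool of peers."""
    rng = random.Random(seed)
    X, y = [], []
    for label in ("bot", "benign"):
        for _ in range(n_per_class):
            flows, t = [], 0.0
            if label == "bot":
                for _ in range(rng.randint(30, 60)):
                    t += rng.uniform(55, 65)
                    flows.append((t, _rand_ip(rng), rng.randint(1, 3), rng.randint(60, 180)))
            else:
                pool = [_rand_ip(rng) for _ in range(rng.randint(5, 12))]
                for _ in range(rng.randint(10, 25)):
                    t += rng.expovariate(1 / 8)
                    flows.append((t, rng.choice(pool), rng.randint(10, 400),
                                  rng.randint(2000, 60000)))
            X.append(cluster_features(flows))
            y.append(label)
    return X, y


if __name__ == "__main__":
    X, y = synthetic_clusters()
    print("5-fold accuracy:", cross_validate(X, y))
```

The synthetic classes are deliberately easy to separate, so the cross-validated accuracy is close to 1.0; the point of the block is the plumbing (feature families, standardisation inside each training fold, held-out scoring), which stays the same when the nearest-centroid model is swapped for the SVM or decision-tree learners named on slide 11. Feature contribution, as on this slide, can be measured with the same harness by dropping one column of X at a time and re-running cross_validate.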

SLIDE 15

Experimentation – Impact of P2P filter

The P2P flow filter has little impact on false positives, but reduces the detection rate for high filtering thresholds

(Plot: detection accuracy vs P2P filtering threshold)

SLIDE 16

Experimentation – Live ISP flows

  • 3 hours of anonymized Netflow for 4,347 distinct IP addresses
  • 793 P2P flow clusters discovered by the P2P filter, associated with 146 distinct IP addresses

– No false positives and 3.4% false negatives using ground truth data provided by the ISP

  • 11 P2P flow clusters identified by our system as malicious botnet communications

– 4 P2P flow clusters associated with the same IP address
– 20% suspicious destination IPs according to the rbls framework ⇒ 1 true positive associated with a P2P botnet infection

  • 0.8% false positive rate during evaluation on live Internet traffic

SLIDE 17

Conclusion

  • Novel and fully behavioral P2P botnet detection system
  • Uses only network-level features, without deep packet inspection
  • Automated back-end for botnet detection systems
  • Higher accuracy than traditional AV systems

SLIDE 18

Thank you