detecting botnets with temporal persistence
play

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar - PowerPoint PPT Presentation

Jan 30, 2023 •422 likes •888 views

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic Giroire Nina Taft Eve Schooler Mascotte project I3S (CNRS, Univ. of Nice) Intel Labs INRIA Sophia Antipolis Botnets: Why care? Botnet

  1. Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic Giroire Nina Taft Eve Schooler Mascotte project I3S (CNRS, Univ. of Nice) Intel Labs INRIA Sophia Antipolis

  2. Botnets: Why care?

  3. Botnet Life-Cycle spam IRC DoS dirty webpage HTTP clickfraud drive by download proxies theft P2P trojans espionage hybrid call exploit actuation home

  4. Botnet Life-Cycle spam IRC DoS dirty webpage HTTP clickfraud drive by download proxies theft P2P trojans espionage hybrid call exploit exploit actuation actuation home signature matching software patching

  5. Botnet Life-Cycle spam IRC DoS dirty webpage HTTP clickfraud drive by download proxies theft P2P trojans espionage hybrid call exploit exploit actuation actuation home signature matching software patching see RAID’09 proceedings

  6. Botnet Life-Cycle spam IRC DoS dirty webpage HTTP clickfraud drive by download proxies theft P2P trojans espionage hybrid call exploit exploit actuation actuation home signature matching software patching traffic anomaly detectors NBAD see RAID’09 proceedings

  7. Botnet Life-Cycle spam IRC DoS dirty webpage HTTP clickfraud drive by download proxies theft P2P trojans espionage hybrid call exploit exploit actuation actuation home traffic correlation signature matching port inspection software patching traffic anomaly detectors payload analysis NBAD noisy see RAID’09 prone to false positives proceedings

  8. Botnet Life-Cycle spam IRC DoS dirty webpage HTTP clickfraud drive by download proxies theft P2P trojans espionage hybrid call exploit exploit actuation actuation home traffic correlation signature matching port inspection software patching traffic anomaly detectors payload analysis NBAD noisy see RAID’09 hard to adapt prone to false positives proceedings a-priori knowledge req.

  9. Botnets C&C invariants • Botmasters seldom try to connect to the drones: • drones initiate the (rondezvous) connections • Drones need to call home often: • (if not) drone falls off the radar

  10. Botnets C&C invariants • Botmasters seldom try to connect to the drones: • drones initiate the (rondezvous) connections watch outgoing traffic • Drones need to call home often: • (if not) drone falls off the radar use a frequency based metric

  11. Our Solution: Canary A general purpose, non- specific learning based behavioral detector to uncover botnet C&C destinations at the end-host without a-priori assumptions about traffic types, destinations or protocols

  12. Our Solution: Canary A general purpose, non- specific learning based behavioral detector to uncover botnet C&C destinations at the end-host without a-priori assumptions about traffic types, destinations or protocols

  13. High Level Method Training Day1 Day2 Day3 Day4 Day5 .. .. DayN ..

  14. High Level Method watch destinations whitelist frequent destinations Training Day1 Day2 Day3 Day4 Day5 .. .. DayN ..

  15. High Level Method watch destinations whitelist frequent destinations whitelist Detection params Training Day1 Day2 Day3 Day4 Day5 .. .. DayN ..

  16. High Level Method ignore whitelisted destinations track frequency for non-whitelisted destinations raise alarm for new high frequency destinations watch destinations whitelist frequent destinations whitelist Detection params Training Day1 Day2 Day3 Day4 Day5 .. .. DayN ..

  17. High Level Method Botnet C&C’s are likely to be frequently visited ignore whitelisted destinations track frequency for non-whitelisted destinations raise alarm for new high frequency destinations watch destinations whitelist frequent destinations whitelist Detection params Training Day1 Day2 Day3 Day4 Day5 .. .. DayN ..

  18. High Level Method adding to the whitelist is Botnet C&C’s are likely to a very rare event be frequently visited ignore whitelisted destinations track frequency for non-whitelisted destinations raise alarm for new high frequency destinations watch destinations whitelist frequent destinations whitelist Detection params Training Day1 Day2 Day3 Day4 Day5 .. .. DayN ..

  19. Remaining Detail Destination granularity: tracking IP address = large whitelists! ➡ destination atoms (Frequency) metric needs to capture: 10 loosely periodic behavior at unknown 9 8 7 timescales 6 5 4 3 2 1 ➡ persistence 0 0 1 2 3 4 5 6 7 8 9 10 We track persistence of destination atoms & build whitelists of destination atoms

  20. Destination Atoms mail1.sc.intel.com mail3.sc.intel.com mail3.jf.intel.com circuit.intel.com cps.circuit.intel.com xyz.google.com abs.google.com

  21. Destination Atoms mail1.sc.intel.com mail.intel.com mail3.sc.intel.com mail3.jf.intel.com circuit.intel.com circuit.intel.com cps.circuit.intel.com google.com xyz.google.com abs.google.com

  22. Persistence sliding window 1 1 0 0 0 1 0 1 1 0 1 1 1 1

  23. Persistence sliding window w 1 1 0 0 0 1 0 1 1 0 1 1 1 1 W

  24. Persistence sliding window w 3/7 1 1 0 0 0 1 0 1 1 0 1 1 1 1 W

  25. Persistence sliding window w 3/7 1 1 0 0 0 1 0 6/7 1 1 0 1 1 1 1 W

  26. Picking Timescale suppose: w= 1hr, W=24hr Botnet X Botnet Y Botnet Z connect to C&C once a connect to C&C connect to C&C day hourly every 5-6 hours p-value: 1/24 =0.042 p-value: 24/24 =1 p-value: 4/24 = 0.17

  27. Picking Timescale suppose: w= 1hr, W=24hr Botnet X Botnet Y Botnet Z connect to C&C once a connect to C&C connect to C&C day hourly every 5-6 hours p-value: 1/24 =0.042 p-value: 24/24 =1 p-value: 4/24 = 0.17 Cannot assume a single, fixed timescale!!!!

  28. Selecting Timescale(s) • Select n overlapping timescales TS 1 =(w 1 ,W 1 ), TS 2 =(w 2 ,W 2 ), TS 3 =(w 3 ,W 3 ),...., TS n =(w n ,W n ) • p i := persistence of atom for TS i =(w i ,W i ) • track p i concurrently for all the timescales • p(atom) := max i p i (atom)

  29. Selecting Timescale(s) • Select n overlapping timescales TS 1 =(w 1 ,W 1 ), TS 2 =(w 2 ,W 2 ), TS 3 =(w 3 ,W 3 ),...., TS n =(w n ,W n ) • p i := persistence of atom for TS i =(w i ,W i ) • track p i concurrently for all the timescales • p(atom) := max i p i (atom) Can become very expensive! Trick: select W i = k. w i Then, use a single bitmap of size k.w max

  30. Dataset: Training • Normal user traces collected from 157 end-hosts for 4 weeks • Data collected on end-hosts • winpcap + wrapper code • traces assumed clean (some suspicious traffic observed: ground truth not available) • Initial 2 weeks of data used for training • pick threshold for persistence • construct per user whitelists

  31. Picking threshold(s) 1 → seems reasonable 0.9 0.8 0.7 # of atoms 0.6 80 % of destinations 0.5 have a p-value <0.2 0.4 20% of destinations have a p-value > 0.2 0.3 0.2 0.1 0 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 persistence if p(atom) > 0.6 add to whitelist

  32. Whitelist Sizes 25 # users 12.5 0 40 70 90 110 125 145 whitelist size 14

  33. Validation • Started with 55 distinct malware binaries windows auto update • 27 had traffic; 12 had traffic for longer than 1 day • Ran each malware for 1 week; all traffic logged • Packet traces ➜ flow traces [Bro] • Flow traces manually analyzed to isolate C&C traffic malware

  34. ClamAV Signature C&C type # of C&C atoms C&C Volume min - max Trojan.Aimbot-25 port 22 1 0-5.7 Trojan.Wootbot-247 IRC port 12347 4 0-6.8 Trojan.Gobot.T IRC port 66659 1 0.2-2.1 Trojan.Codbot-14 IRC port 6667 2 0-9.2 Trojan.Aimbot-5 IRC via http proxy 3 0-10 Trojan.IRCBot-776* HTTP 16 0-1. Trojan.VB-666* IRC port 6667 1 0-1.3 Trojan.IRC-Script-50 IRC ports 6662-6669,9999,7000 8 0-2.1 8 Trojan.Spybot-248 port 9305 4 3.8-4.6 Trojan.MyBot-8926 IRC port 7007 1 0-0.1 Trojan.IRC.Zapchast-11 IRC ports 6666, 6667 9 0-1 Trojan.Peed-69 [Storm] P2P/Overnet 19672 0-30 Converted packet traces to flow traces and hand analyzed each trace individually to identify/isolate C&C traffic to identify/isolate attack traffic

  35. 3 Detailed Examples • SDBot • 2 atoms in covert channel- identified by IRC server names • attack traffic- scans on ports 135, 139, 445 & 2097* • Zapchast • 9 atoms in covert channel- popular IRC ports • attack traffic- netbios(?) • Storm/Peacomm • ~82,000 atoms (almost all atoms are singletons) • no well known port/address for C&C destinations • attack traffic is SMTP (overwhelmingly), and possibly some http & ssh

  36. Connection Rates (per min) C&C Attack 150.0 112.5 75.0 37.5 SDBot 0 ZapChast Storm

  37. C&C Detection 24 hr SDBot 18 hr 12 hr Storm 6 hr ZapChast 1 hr 0.0 0.2 0.4 0.6 0.8 1.0 persistence

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Effective features for detecting Effective features for detecting IRC botnets IRC botnets

Effective features for detecting Effective features for detecting IRC botnets IRC botnets

Effective features for detecting Effective features for detecting IRC botnets IRC botnets Claudio Mazzariello, Carlo Sansone Carlo Sansone Claudio Mazzariello, Dipartimento di Informatica e Sistemistica Dipartimento di Informatica e

614 views • 19 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr hrea eats ts of inte of intern rnet et Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets?

722 views • 35 slides
Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by

Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by

Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by an application in order to persist its state, that is to store and retrieve information using some sort of database management system. Presentation

633 views • 60 slides
BaySTDetect: Detecting unusual temporal patterns in small area disease rates using Bayesian

BaySTDetect: Detecting unusual temporal patterns in small area disease rates using Bayesian

BaySTDetect: Detecting unusual temporal patterns in small area disease rates using Bayesian posterior model probabilities Guangquan Li, Sylvia Richardson, Lea Fortunato, Isma l Ahmed, Anna Hansell, Mireille Toledano and Nicky Best

381 views • 36 slides
ADROIT: Detecting Spatio-Temporal Correlated Attack-Stages in IoT Networks NUS-Singtel Cyber

ADROIT: Detecting Spatio-Temporal Correlated Attack-Stages in IoT Networks NUS-Singtel Cyber

ADROIT: Detecting Spatio-Temporal Correlated Attack-Stages in IoT Networks NUS-Singtel Cyber Security R&amp;D Corp. Lab Dinil Mon Divakaran, Rhishi Pratap Singh, Kalupahana Liyanage Kushan Sudheera, Mohan Gurusamy, Vinay Sachidananda Context

745 views • 27 slides
Databases SWEN-250 Persistence First a detour Persistence is the key to solving most

Databases SWEN-250 Persistence First a detour Persistence is the key to solving most

Databases SWEN-250 Persistence First a detour Persistence is the key to solving most mysteries. Christopher Pike, Black Blood Persistence when you are stuck on a piece of new code is hardly ever a virtue. Try redesigning the

619 views • 25 slides
Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive analysis Study spam e-mail, DNS queries by bot-infected machines, DNS blacklists, analyze network traffic, etc. Infiltration Todays

686 views • 15 slides
Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray, Sven Krasser Motivation Spam: More than Just a Nuisance Spam: Ham: unsolicited bulk

523 views • 28 slides
Detecting Wikipedia Vandalism via Spatio- Temporal Analysis of Revision Metadata Andrew G. West

Detecting Wikipedia Vandalism via Spatio- Temporal Analysis of Revision Metadata Andrew G. West

Detecting Wikipedia Vandalism via Spatio- Temporal Analysis of Revision Metadata Andrew G. West June 10, 2010 ONR-MURI Presentation Where we left off. FROM THE LAST MURI REVIEW 2 6/10/2010 ONR-MURI Review Spatio-Temporal Reputation

964 views • 40 slides
NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

PHOENIX &amp; CERBERUS We haz botnets! #Honeynet2014 Stefano Schiavoni, Edoardo Colombo Federico Maggi Lorenzo Cavallaro Stefano Zanero Politecnico Di Milano &amp; Royal Hollway, University of London NECST laboratory BOTNETS FUNDING ETC.

1.28k views • 107 slides
BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines (bots) under unified control of an attacker (botmaster) Method of compromise decoupled from method of control Launch a worm/virus, etc.:

790 views • 16 slides
Mylobot, Detecting the Undetected Using Deep Learning Yael Daihes 02 WHO AM I Yael Daihes

Mylobot, Detecting the Undetected Using Deep Learning Yael Daihes 02 WHO AM I Yael Daihes

01 Mylobot, Detecting the Undetected Using Deep Learning Yael Daihes 02 WHO AM I Yael Daihes Security Data Science Team Lead @ Akamai Technologies My things - Botnets, Traffic, Data, Algorithms, Reading, Painting and a bit of Gaming (:

533 views • 42 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

Studying Spamming Botnets Using BotLab Arvind Krishnamurthy Joint work with: John John, Alex Moshchuk, Steve Gribble University of Washington Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

291 views • 15 slides
Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats threats of of interne internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets? Because Bot

379 views • 27 slides
Embracing Empathy in Addiction Response Trisha Cooke &amp; Elizabeth Morrison LCSW, MAC

Embracing Empathy in Addiction Response Trisha Cooke &amp; Elizabeth Morrison LCSW, MAC

Addressing Stigma &amp; Embracing Empathy in Addiction Response Trisha Cooke &amp; Elizabeth Morrison LCSW, MAC Disclosure: Elizabeth Morrison and Trisha Cooke With respect to the following presentation, I have no actual or potential conflict

677 views • 29 slides
Outline Random Networks Basics Basics Basics Definitions Definitions How to build

Outline Random Networks Basics Basics Basics Definitions Definitions How to build

Random Networks Random Networks Outline Random Networks Basics Basics Basics Definitions Definitions How to build Definitions How to build Complex Networks, Course 295A, Spring, 2008 Some visual examples Some visual examples How to

1.27k views • 16 slides
ProtoDUNE-DP (NP02) status Filippo Resnati (CERN) on behalf of the NP02 collaboration DUNE

ProtoDUNE-DP (NP02) status Filippo Resnati (CERN) on behalf of the NP02 collaboration DUNE

ProtoDUNE-DP (NP02) status Filippo Resnati (CERN) on behalf of the NP02 collaboration DUNE Collaboration Call - 28 th of June 2019 ProtoDUNE-DP Single 6x6x6 m 3 liquid argon active volume. Electrons drift upwards, they are extracted into the

1.71k views • 19 slides
The Engagement-Diversity Connection: Evidence from a Field Experiment on Spotify David Holtz

The Engagement-Diversity Connection: Evidence from a Field Experiment on Spotify David Holtz

The Engagement-Diversity Connection: Evidence from a Field Experiment on Spotify David Holtz MIT Sloan Joint work with Ben Carterette, Praveen Chandar, Zahra Nazari, Henriette Cramer, and Sinan Aral Recommender systems What effect do

454 views • 4 slides
RE for Data Cleaning with Machine Learning CS 846 Presenter: Ishank Jain OUTLINE

RE for Data Cleaning with Machine Learning CS 846 Presenter: Ishank Jain OUTLINE

RE for Data Cleaning with Machine Learning CS 846 Presenter: Ishank Jain OUTLINE Motivation Introduction Challenges Related Work Conclusion Questions ?? Architecting Time-Critical Big-Data Systems PAGE 2

2.86k views • 38 slides
Fall 2010 CS 3200 Class Project: Milestone 8 (Final) The goal for this milestone is to use

Fall 2010 CS 3200 Class Project: Milestone 8 (Final) The goal for this milestone is to use

Fall 2010 CS 3200 Class Project: Milestone 8 (Final) The goal for this milestone is to use transactions and understand better the tradeoff between consistency and performance. This milestone is to be completed individually (i.e., no teams). You

250 views • 4 slides
Dijkstra Monads for Free Guido Martnez , Gordon Plotkin, Jonathan Protzenko, Danel Ahman,

Dijkstra Monads for Free Guido Martnez , Gordon Plotkin, Jonathan Protzenko, Danel Ahman,

f a t i c r t A C o m p * * l t e t n e e * A t * s i W s n E e o L l l C C P D * o O * e c u s P u m e e E R * n o e t v t d y s a E * d a l e u t a 1 / 16 POPL 17

965 views • 50 slides
Lecture 5 Transactions Wednesday October 27 th , 2010 Dan Suciu -- CSEP544 Fall 2010 1

Lecture 5 Transactions Wednesday October 27 th , 2010 Dan Suciu -- CSEP544 Fall 2010 1

Lecture 5 Transactions Wednesday October 27 th , 2010 Dan Suciu -- CSEP544 Fall 2010 1 Announcement HW3: due next week Each customer has exactly one rental plan A many-one relationship: NO NEW TABLE ! Postgres

1.23k views • 94 slides

More recommend