effective features for detecting effective features for
play

Effective features for detecting Effective features for detecting - PowerPoint PPT Presentation

Sep 25, 2022 •404 likes •614 views

Effective features for detecting Effective features for detecting IRC botnets IRC botnets Claudio Mazzariello, Carlo Sansone Carlo Sansone Claudio Mazzariello, Dipartimento di Informatica e Sistemistica Dipartimento di Informatica e

  1. Effective features for detecting Effective features for detecting IRC botnets IRC botnets Claudio Mazzariello, Carlo Sansone Carlo Sansone Claudio Mazzariello, Dipartimento di Informatica e Sistemistica Dipartimento di Informatica e Sistemistica University of Napoli Federico II University of Napoli Federico II via Claudio 21, 80125 Napoli (Italy) via Claudio 21, 80125 Napoli (Italy) {claudio.mazzariello, carlo.sansone}@unina.it {claudio.mazzariello, carlo.sansone}@unina.it Terzo workshop italiano su PRIvacy e SEcurity – “PRISE" – Roma 20 0ttobre 2008

  2. Problem Statement Problem Statement  Botnet  A network of infected hosts, named bots , under the control of an operator named botmaster  Control performed by using a Command & Control channel • Centralized (e.g. IRC, HTTP, ...) • Distributed (e.g. P2P...)  Commands out of a quite large and flexible set can be issued by the botmaster to each bot Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 2

  3. Motivation of this work Motivation of this work  Botnets keep spreading  Botnets are able to perform many malicious actions  Spam  ID theft  Clickfraud (e.g. Google AdSense abuse)  Cracking  Malware spreading  DDoS  Traffic Sniffing  Keylogging  Polls/statistics manipulation  …  Botnets involve economic interests  More dangerous than older attack types Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 3

  4. Contribution Contribution  Definition of a model of normal and botnet-related IRC channel usage  Definition of an architecture exploiting such a model for botnet detection  IRC user behavior classification aimed at botnet detection by means of pattern recognition techniques Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 4

  5. Presentation outline Presentation outline  An introduction to botnets  Details on IRC botnets  The proposed detection approach  IRC user behavior model  Detection system reference architecture  Experimental evaluation Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 5

  6. Centralized botnet's lifecycle Centralized botnet's lifecycle  bot-herder configures initial bot parameters and C&C details  register IP at DNS for rendezvous  bot-herder launches or seeds new bot(s) - bots spreading, botnet growing  Vulnerability discovery and exploitation  Malicious code download  DNS lookup for rendezvous  Join the C&C  Receive commands from the Botmaster  losing bots (stasis), botnet not growing  abandon botnet and sever traces  unregister DDNS Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 6

  7. Botnet Statistics Botnet Statistics  60% are IRC bots  70% of all the bots connect to a single IRC server  57,000 Active Bots per day for the first 6 months of 2006 ( Symantec )  4.7 million distinct computers being actively used in Botnets  Most Botnets are managed by a single server ( up to 15,000 bots )  Mocbot seized control of more than 7,700 machines within 24 hours Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 7

  8. Why IRC? Why IRC?  Oldest and most popular IM  Bots were commonly user by channel operator for management and monitoring purposes  Not owned by anyone – public  Defined in RFC 1459  Text based  Designed for both point-to-point and point-to-multipoint communication  one-to-one, or one-to-group chat  flexible, open-source protocol  Potentially able to manage a high number of clients  Grants anonymity for the botmaster Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 8

  9. Centralized C&C Centralized C&C  Easier to manage and use  Easier to disrupt  How do the bots know where the C&C is?  Hardcoded IP based rendezvous • easily uncovered • C&C needs replacement after disruption • All Bots need replacement  Domain names used for rendezvous • DNS RR can be updated to current C&C IP • Bots can dynamically point to the correct C&C IP Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 9

  10. Reference framework Reference framework Port based application protocol detection  RFC based IRC decoder  Model = representative features  Each IRC channel is represented by a  feature vector , representing its status Feature vectors are updated at each  event occurring in the corresponding IRC channel Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 10

  11. Intuitions about IRC based botnets Intuitions about IRC based botnets  Bursty channel activity  After command is issued, bots may respond at once, then be quiet  Limited vocabulary  Sentence structure  May resemble a shell command  The same recurring structure may be found in many sentences  Disproportion between user and control activity in a channel  “strange” words used for communication  Disproportion of consonants and vowels in words used for chatting • Language dependent  Changes and structure of chat room topic  Unusual nicknames  Completely random OR  Unexpextedly regular Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 11

  12. IRC channel features IRC channel features  Users Number:  Join Number:  total number of users in the channel  JOIN rate in the channel  Average words number:  SetMode Number:  average number of unique words in a  SetMode rate in the channel sentence  Nickname Changes:  Average/Variance of Channel Dictionary  count of nickname changes in a channel Cardinality:  Ping Number:  Mean and variance of the vocabulary’s  PING rate in the channel cardinality  IRC Commands Number:  Unusual Nicknames*  overall IRC command rate  Equal Answers:  Active Users Number:  number of sentences with a common ordered subset of words  number of users active in the channel  Control Commands Number:  count of channel control commands issued *J. Goebel and T. Holz. Rishi: identify bot contaminated hosts by irc nickname evaluation. In HotBots’07: Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, pages 8–8, Berkeley, CA, USA, 2007. USENIX Association. Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 12

  13. Experimental Setup Experimental Setup  Data collection  Botnet related traffic from the Georgia Institute of Technology network  Normal IRC chats logged from the University of Napoli network  Three datasets  50,000 samples (25,000 normal + 25,000 botnet-related) • Small, evenly split  149,999 samples (75,010 normal + 74,989 botnet-related) • Large, evenly split  165,000 samples (150,000 normal + 15,000 botnet-related) • Large, more realistic distribution of t-uples  Selected algorithms  SVM (Support Vector Machine) – very “popular”  J48 (Decision Tree) – very “quick”  Performance evaluation  10-fold cross validation Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 13

  14. Classification algorithms Classification algorithms  SVM – Kernel based method  Search for hyperplanes effectively separating ρ x data points r x′  Support vectors for providing better prediction performance  Non-linearly separable data can be trasformed by means of a kernel function in a space more suitable for linear separability  Separation hyperplane search is performed in transformed space φ ( ) φ ( ) φ ( ) φ ( ) φ ( ) φ (.) φ ( ) φ ( ) φ ( ) φ ( ) φ ( ) φ ( ) φ ( ) φ ( ) φ ( ) φ ( ) φ ( ) φ ( ) φ ( ) Input space Feature space Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 14

  15. Classification algorithms Classification algorithms  J48 – Decision tree  Each attribute of the data can be used to make a decision which splits the data-set into smaller subsets  The normalized information gain is measured  The attribute generating the highest normalized information gain is chosen  The algorithm is recursively applied to the subsets Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 15

  16. Experimental results Experimental results Algorithm SVM J48 Samples 50000 149999 165000 50000 149999 165000 False alarm 0 0 0 < 0.001 0 0 Rate Missed 0 0 0 0 0 0 detection rate Most representative features  Limited vocabulary cardinality  Limited sentence variability  Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 16

  17. Conclusions Conclusions  Promising model for botnet activity detection  Tested on “real” data  Results hopefully valid in a general scenario  Model works with both a very reliable and a very quick classifier  Effective classification performed on a per-tuple basis  Botnet detection accuracy within strict performance boundaries Claudio Mazzariello, Carlo Sansone – Effective features for detecting IRC botnets 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Creating interesting effective presentations Presentation outline Composition Tips Features

Creating interesting effective presentations Presentation outline Composition Tips Features

Creating interesting effective presentations Presentation outline Composition Tips Features References KISS Keep it simple http:/ /www.fineartprintsondemand.com/artists/klimt/kiss-400.jpg Do not use different fonts on the same slide.

171 views • 14 slides
Benefits and Features Powerful to 23 C (-9 F) GroundWorks is powerful and effective

Benefits and Features Powerful to 23 C (-9 F) GroundWorks is powerful and effective

Natural Icemelter Benefits and Features Powerful to 23 C (-9 F) GroundWorks is powerful and effective GroundWorks works to a lower temperature than rock salt Calcium Chloride works to a lower temperature but its risks far

537 views • 11 slides
Status of the CBM experiment Claudia Hhne, GSI Darmstadt Features of the the phase phase

Status of the CBM experiment Claudia Hhne, GSI Darmstadt Features of the the phase phase

Status of the CBM experiment Claudia Hhne, GSI Darmstadt Features of the the phase phase diagramme diagramme Features of QCD inspired effective models predict rich structure of the phase diagramme at finite B . Substantial depletion

794 views • 50 slides
Exploiting New Sentiment-Based Meta-level Features for Effective Sentiment Analysis Srgio

Exploiting New Sentiment-Based Meta-level Features for Effective Sentiment Analysis Srgio

Exploiting New Sentiment-Based Meta-level Features for Effective Sentiment Analysis Srgio Canuto Marcos Andr Gonalves Fabrcio Benevenuto Federal University of Minas Federal University of Minas Federal University of Minas Gerais

748 views • 10 slides
WITCH A new algorithm for detecting Web spam using page features and hyperlinks Jacob Abernethy,

WITCH A new algorithm for detecting Web spam using page features and hyperlinks Jacob Abernethy,

WITCH A new algorithm for detecting Web spam using page features and hyperlinks Jacob Abernethy, UC Berkeley (Thanks to Yahoo! Research for two internships and a fellowship!) Joint work with Olivier Chapelle and Carlos Castillo (Chato) from

514 views • 28 slides
New Staff Training Effective Use of PAs Effective Use of PAs How to Use PAs Effectively

New Staff Training Effective Use of PAs Effective Use of PAs How to Use PAs Effectively

Changing lives. Making a difference. New Staff Training Effective Use of PAs Effective Use of PAs How to Use PAs Effectively Performance Measure 2 Effective Use of PAs Introduction Roles and Limitations of a PA Who Is a

519 views • 15 slides
The natural character of the Sounds. its outstanding features and landscapes and the

The natural character of the Sounds. its outstanding features and landscapes and the

The natural character of the Sounds. its outstanding features and landscapes and the community appreciation of these. The importance of the defence of the community plan by the Council and the effective disenfranchisement of the

331 views • 5 slides
Learning Spatiotemporal Features with 3D Convolutional Networks Du Tran, Lubomir Bourdev, Rob

Learning Spatiotemporal Features with 3D Convolutional Networks Du Tran, Lubomir Bourdev, Rob

Learning Spatiotemporal Features with 3D Convolutional Networks Du Tran, Lubomir Bourdev, Rob Fergus, Lorenzo Torresani, Manohar Paluri ada BAK 29.03.16 Effective Video Descriptor Generic Can represent different types Compact

355 views • 20 slides
DRUG CHECKING SERVICE AN EFFECTIVE STRATEGY FOR CONTACTING WITH DRUG USERS AND DETECTING NEW

DRUG CHECKING SERVICE AN EFFECTIVE STRATEGY FOR CONTACTING WITH DRUG USERS AND DETECTING NEW

DRUG CHECKING SERVICE AN EFFECTIVE STRATEGY FOR CONTACTING WITH DRUG USERS AND DETECTING NEW TRENDS MIREIA VENTURA VILAMALA, PhD Asociacin Bienestar y Desarrollo. Energy Control Club Health, Zurich 9 June 2010 DRUG CHECKING A RISK REDUCTION

599 views • 22 slides
Towards the Effective Descriptive Set Theory Victor Selivanov A.P. Ershov Institute of

Towards the Effective Descriptive Set Theory Victor Selivanov A.P. Ershov Institute of

Introduction Classes of effective spaces Effective hierarchies in wcb 0 -spaces Effective descriptive theory of functions Suslin-Kleene theorem Effective Hausdorff theorem Conclusion Towards the Effective Descriptive Set Theory Victor

882 views • 43 slides
Effective Java TM : Still Effective, After All These Years Joshua Bloch Effective Java: Still

Effective Java TM : Still Effective, After All These Years Joshua Bloch Effective Java: Still

Effective Java TM : Still Effective, After All These Years Joshua Bloch Effective Java: Still Effective After All These Years 1 Good Morning! This is not really a keynote There will be code lots of it But first, a bit of eye candy

654 views • 51 slides
Introduction Welcome to Effective Teaching Practices. Effective teaching depends on effective

Introduction Welcome to Effective Teaching Practices. Effective teaching depends on effective

ETT4 - Effective Teaching Practices: Instructional Presentation and Follow-Up Course of Study This course supports the assessments for ETT4. The course covers 10 competencies and represents 6 competency units Introduction Welcome to Effective

498 views • 19 slides
Detecting Categories in News Video Using Image Features Slav Petrov, Arlo Faria, Pascal

Detecting Categories in News Video Using Image Features Slav Petrov, Arlo Faria, Pascal

Detecting Categories in News Video Using Image Features Slav Petrov, Arlo Faria, Pascal Michaillat, Alex Berg, Andreas Stolcke, Dan Klein, Jitendra Malik System Overview Images GB SVM Category correlation Sequential context Source Video

701 views • 18 slides
Effective Scripting in Embedded Devices Steve Bennett 1 What is Embedded? ELC 2010 2

Effective Scripting in Embedded Devices Steve Bennett 1 What is Embedded? ELC 2010 2

ELC 2010 Effective Scripting in Embedded Devices Steve Bennett 1 What is Embedded? ELC 2010 2 Creating an Embedded Product Time to market Linux kernel Quality uClibc Features Busybox Cost Other open source

494 views • 35 slides
Supervised Learning Given: a set of inputs features X 1 , . . . , X n a set of target features Y 1

Supervised Learning Given: a set of inputs features X 1 , . . . , X n a set of target features Y 1

Supervised Learning Given: a set of inputs features X 1 , . . . , X n a set of target features Y 1 , . . . , Y k a set of training examples where the values for the input features and the target features are given for each example a new

323 views • 18 slides
Efficient visual search of local features Cordelia Schmid Bag-of-features

Efficient visual search of local features Cordelia Schmid Bag-of-features

Efficient visual search of local features Cordelia Schmid Bag-of-features [Sivic&amp;Zisserman03] Query Set of SIFT centroids image descriptors (visual words) sparse frequency vector Bag-of-features Harris-Hessian-Laplace processing

574 views • 33 slides
IRC C 471( 471(c) &amp; &amp; 280E 280E Presented by Greenspoon Marder &amp; Bridge West LLC

IRC C 471( 471(c) &amp; &amp; 280E 280E Presented by Greenspoon Marder &amp; Bridge West LLC

IRC C 471( 471(c) &amp; &amp; 280E 280E Presented by Greenspoon Marder &amp; Bridge West LLC Nick J. Richards, Esq and Calvin Shannon, CPA IRC Sect ction 280E 280E: EXPENDITURES IN CONNECTION WITH THE ILLEGAL SALE OF DRUGS No deduction

288 views • 9 slides
Humanitarian Program Experiences in Food Security Activities From Harm to Home | Rescue.org IRC

Humanitarian Program Experiences in Food Security Activities From Harm to Home | Rescue.org IRC

International Rescue Committee (IRC) Afghanistan Humanitarian Program Experiences in Food Security Activities From Harm to Home | Rescue.org IRC FSAC Presentation Overview IRC Humanitarian Program Timeline Projects/Interventions

281 views • 9 slides
Improving SIP authentication Lars Strand Wolfgang Leister The Tenth International Conference on

Improving SIP authentication Lars Strand Wolfgang Leister The Tenth International Conference on

Improving SIP authentication Lars Strand Wolfgang Leister The Tenth International Conference on Networks (ICN2011) January 23-28, 2011 St. Maarten, The Netherlands Antilles &quot;It's appalling how much worse VoIP is compared to the PSTN. If

355 views • 17 slides
CMB Power Spectrum Formula in the Background-Field Method . . . . . Shoichi Ichinose

CMB Power Spectrum Formula in the Background-Field Method . . . . . Shoichi Ichinose

. . CMB Power Spectrum Formula in the Background-Field Method . . . . . Shoichi Ichinose ichinose@u-shizuoka-ken.ac.jp Laboratory of Physics, SFNS, University of Shizuoka Aug. 7, 2012 The 3rd UTQuest workshop ExDiP 2012 Superstring

396 views • 25 slides
Does social capital make you healthier? Lorenzo Rocco University of Padova Marc Suhrcke

Does social capital make you healthier? Lorenzo Rocco University of Padova Marc Suhrcke

Does social capital make you healthier? Lorenzo Rocco University of Padova Marc Suhrcke University of East Anglia Social Capital and Health I Social capital: complex definition Putnam 1993: features of social organization, such as

410 views • 22 slides
Oshkosh Corporation Investor Presentation MAY 2019 (NYSE: OSK) Forward-Looking Statements This

Oshkosh Corporation Investor Presentation MAY 2019 (NYSE: OSK) Forward-Looking Statements This

Oshkosh Corporation Investor Presentation MAY 2019 (NYSE: OSK) Forward-Looking Statements This presentation contains statements that the Company believes to be forward-looking statements within the meaning of the Private Securities

830 views • 33 slides
403(b) Plan PETERSBURG CITY PUBLIC SCHOOLS OCTOBER 3, 2018 403(b) Background Information A

403(b) Plan PETERSBURG CITY PUBLIC SCHOOLS OCTOBER 3, 2018 403(b) Background Information A

403(b) Plan PETERSBURG CITY PUBLIC SCHOOLS OCTOBER 3, 2018 403(b) Background Information A 403(b) plan is a retirement plan for certain public school employees Although the VRS provides retirement benefits, this Plan is offered to

189 views • 7 slides
Co Commi mmitte ttee International Rescue Committee Founded in 1933 at the request of

Co Commi mmitte ttee International Rescue Committee Founded in 1933 at the request of

In Internati ternational onal Res escue cue Co Commi mmitte ttee International Rescue Committee Founded in 1933 at the request of Albert Einstein First rst to Land nd, , Last t to Leave Emergency response team sent to

787 views • 20 slides

More recommend