jackstraws picking command and control connections from
play

Jackstraws : Picking Command and Control Connections from Bot - PowerPoint PPT Presentation

Jun 28, 2023 •178 likes •396 views

Jackstraws : Picking Command and Control Connections from Bot Traffic egoire Jacob 1 , Ralf Hund 2 , Christopher Kruegel 1 , Thorsten Holz 2 Gr 1 University of California, Santa Barbara / 2 Ruhr-University Bochum Fri Aug 12 2011 G. Jacob

  1. Jackstraws : Picking Command and Control Connections from Bot Traffic egoire Jacob 1 , Ralf Hund 2 , Christopher Kruegel 1 , Thorsten Holz 2 Gr´ 1 University of California, Santa Barbara / 2 Ruhr-University Bochum Fri Aug 12 2011 G. Jacob (UCSB) Fri Aug 12 2011 1 / 20

  2. Introduction: the botnet threat What do botnets do? ❼ Support large-scale malicious activities and the underground economy ❼ Coordination of malicious attacks e.g. , denial of service, spam campaigns, click fraud ❼ Sensitive information theft e.g. , credentials, credit card numbers Why are botnets so convenient for attackers? ❼ Command & Control (C&C) infrastructure for remote control ❼ Incoming commands to trigger attacks and updates ❼ Outgoing responses for status monitoring and information leakage G. Jacob (UCSB) Fri Aug 12 2011 2 / 20

  3. Introduction: fighting against botnets Botnet detection and mitigation ❼ Host-based techniques - Traditional malware detection and mitigation - Signature matching and behavior monitoring ❼ Network-based techniques - Blacklisting IPs related to C&C servers - Signatures matching C&C protocol and commands ❼ Automatic generation of these signatures, IP lists or models - Clean C&C only logs needed for traffic and system calls Difficulty of identifying C&C traffic ❼ Potentially encrypted C&C traffic ❼ Non-C&C or “noise” traffic interleaved - Malicious connections to 3 rd party websites ( e.g. , part of the attacks) - Configuration connections ( e.g. , connectivity tests, time recovery) - Fake benign connections ( e.g. , mimicry of legitimate applications) G. Jacob (UCSB) Fri Aug 12 2011 3 / 20

  4. Introduction: identifying C&C traffic Our approach: Jackstraws ❼ Combination of network traces and host-based activity - Rationale: C&C traffic results in observable host activity e.g. system modifications, critical information accesses - Host-based model: system call graphs with data dependency - Network-related link: each graph associated to a network connection ❼ Machine learning to identify and generalize C&C-related host activity - Rationale: similar commands result in similar core activities even for different bots - Mining significant activities: graph mining over known connections - Identifying similar activity types: graph clustering - Abstracting activity types: graph merging into templates - Detecting C&C activity: template matching over unknown connections G. Jacob (UCSB) Fri Aug 12 2011 4 / 20

  5. System: Jackstraws overview System architecture G. Jacob (UCSB) Fri Aug 12 2011 5 / 20

  6. System: graph collection Analysis environment ❼ Logging: system calls and network API calls ❼ Tainting: data flows in memory and over the file system Graph generation ❼ Input : trace of system and network calls ❼ Output : a call graph for each successful connection ❼ Algorithm : - Graph root: successful connect and associated sends / recvs - Nodes extension: recursive backward dependency over system calls - Nodes labeling: call parameters, resource names being abstracted - Graph collapsing: collapse duplicate nodes G. Jacob (UCSB) Fri Aug 12 2011 6 / 20

  7. System: graph collection Graph generation systemcall: NtCreateFile systemcall: NtCreateFile network: recv FileName: isSystemDirectory/isExecutable network: recv FileName: isSystemDirectory/isExecutable DesiredAccess: FileReadAttributes DesiredAccess: FileReadAttributes Attributes: AttributeNormal Attributes: AttributeNormal CreateDisposition: FileSupersede CreateDisposition: FileSupersede arg: Buffer=buf arg: Buffer=buf arg: FileHandle=FileHandle arg: Buffer=buf arg: FileHandle=FileHandle arg: Buffer=buf arg: FileHandle=FileHandle systemcall: NtWriteFile systemcall: NtWriteFile systemcall: NtWriteFile systemcall: NtWriteFile Collapse: isMultiple G. Jacob (UCSB) Fri Aug 12 2011 7 / 20

  8. System: graph mining Frequent subgraph mining: ❼ Input : call graphs associated to malicious vs. benign connections ❼ Output : significant subgraphs covering only malicious (C&C) activity ❼ Algorithm : - Graph mining: frequent subgraphs from malicious connections - Maximization: stripping induced subgraphs from the mined set - Set difference: stripping subgraphs included in benign connections G. Jacob (UCSB) Fri Aug 12 2011 8 / 20

  9. System: graph mining Frequent subgraph mining G. Jacob (UCSB) Fri Aug 12 2011 9 / 20

  10. System: graph clustering and template generation Graph clustering: ❼ Input : significant malicious subgraphs ❼ Output : clusters group graphs that represent similar activity ❼ Algorithm : - Graph similarity: common edges in the maximal common subgraph - Graph clustering: clustering by repeated bisection Template generation: ❼ Input : clusters of similar malicious subgraphs ❼ Output : graph template covering the graphs of the cluster ❼ Algorithm : - Template construction: minimal common supergraph - Template generalization: supergraph weighted by node frequency + Frequent nodes constitute the core activity shared by bots + Infrequent nodes constitute optional activity specific to different bots G. Jacob (UCSB) Fri Aug 12 2011 10 / 20

  11. System: graph clustering and template generation Graph clustering and template generation G. Jacob (UCSB) Fri Aug 12 2011 11 / 20

  12. System: template matching Template matching: ❼ Input : template, unlabeled collected call graphs ❼ Output : match result ❼ Algorithm : - Core matching: subgraph isomorphism with core nodes + Mandatory nodes must be present - Extended match: maximal common supergraph for optional nodes + Isomorphism result used to initialize search G. Jacob (UCSB) Fri Aug 12 2011 12 / 20

  13. System: template matching Template matching systemcall: recv systemcall: NtAllocateVirtualMemory *: * arg: ObjectAttributes=buf arg: ip=buf arg: ObjectAttributes=buf arg: ObjectAttributes=RegionSize systemcall: NtCreateFile network: connect Filename: inProgramDirectory\isExecutable DesiredAccess: FileReadAttributes port: 443 Attributes: AttributeNormal #ip=193.23.126.55 CreateDisposition: FileSupersede #ip=94.75.255.138 #Filename=\??\C:\Program Files\temp\ldr.exe systemcall: NtCreateFile Filename: inProgramDirectory\isExecutable DesiredAccess: FileReadAttributes | FileWriteAttributes arg: Socket=Socket Attributes: AttributeNormal CreateDisposition: FileSupersede #Filename=\??\C:\Program Files\temp\ldr.exe network: recv arg: FileHandle=FileHandle arg: FileHandle=FileHandle Collapse: isMultiple arg: Buffer=buf arg: FileInformation=buf arg: InputBuffer=buf arg: buf=buf arg: Length=buf systemcall: NtSetInformationFile systemcall: NtDeviceIoControlFile process: start systemcall: NtWriteFile Collapse: isMultiple *: * Collapse: isMultiple G. Jacob (UCSB) Fri Aug 12 2011 13 / 20

  14. Evaluation: dataset presentation Collected botnet traffic ❼ 37,572 bot samples corresponding to 745 families ( e.g. EgroupDial, Palevo, Virut ) ❼ 130,635 network connections and associated behavior graphs ( successful connections only ) Labeling connections for ground truth ❼ Manually-crafted network signatures: 385 C&C, 162 benign ❼ 10,801 malicious connections ❼ 12,367 benign connections ❼ 66,538 unknown connections ❼ 40,929 incomplete or irrelevant graphs removed G. Jacob (UCSB) Fri Aug 12 2011 14 / 20

  15. Evaluation: dataset presentation Training and testing sets G. Jacob (UCSB) Fri Aug 12 2011 15 / 20

  16. Evaluation: training the system System configuration ❼ Mining frequency threshold: 10% - Trade-off between maximum coverage and mining runtime ❼ Bisection threshold: 60% average and 40% minimal similarity - Higher thresholds reduce the effect of generalization System runtime ❼ Mining: 16h, Clustering: 4.5h, Generalization: 30min ❼ Reasonable processing time wrt. the NP-hardness of algorithms Templates quality ❼ 417 templates generated - 397 templates semantically meaningful ❼ Different types of commands covered - Information leakage, download and execute, startup, stealth G. Jacob (UCSB) Fri Aug 12 2011 16 / 20

  17. Evaluation: testing the system Testing over labeled connections ❼ Detection rate: 81.6% ❼ Detection without the generalization: 66.0% ❼ Detection of new families that were missing in the training set ❼ False negatives: 18.4% mainly due to incomplete/infrequent activity ❼ False positives: 0.2% mainly due to weaker templates G. Jacob (UCSB) Fri Aug 12 2011 17 / 20

  18. Evaluation: testing the system Testing over unknown connections ❼ 66,538 unknow connections ❼ New matches: 9,464 connections ❼ New detected families: 193 not covered by network signatures ❼ New detected variants: missed by outdated network signatures ❼ False negatives: high proportion of benign traffic (manual verification) ❼ False positives: 27 G. Jacob (UCSB) Fri Aug 12 2011 18 / 20

  19. Evaluation: system limitations Testing over unknown connections Weakness Consequences Potential remediation Supported Dynamic analysis Incomplete Enhanced analysis environment: call logs e.g. multi-path execution ✕ Computational Non-termination Algorithm optimizations: time e.g. node labeling, ✓ graph collapsing ✓ Interleaved calls Noise against System calls selection: mining e.g. calls with data dependency ✓ Functional No core activity Normalizing graphs: polymorphism e.g. duplicate nodes collapsing, ✓ Rewriting rules: e.g. equivalent operations ✕ G. Jacob (UCSB) Fri Aug 12 2011 19 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien

Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien

Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien Maisonneuve Thesis supervisors: Olivier Hermant Franois Irigoin Thesis defense Paris, February 6, 2015 Control-Command Systems A control-command

1.17k views • 83 slides
Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2

Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2

Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2 WS) 2005-2007 2005-2007 Magdalena Hammervik Jenny Lindoff Martin Castor Lars Tydn Purpose of this presentation Purpose of this presentation

530 views • 24 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Key Human System Integration Plan Elements for Command & Control Acquisition Michael B.

Key Human System Integration Plan Elements for Command & Control Acquisition Michael B.

2010 Command and Control Research and Technology Symposium Key Human System Integration Plan Elements for Command & Control Acquisition Michael B. Cowen, Ph.D. SPAWAR Systems Center Pacific Code 53621 53560 Hull Street San Diego, CA 92152

492 views • 13 slides
The Environment in Network Centric Operations: A Framework for Command and Control Presented to

The Environment in Network Centric Operations: A Framework for Command and Control Presented to

The Environment in Network Centric Operations: A Framework for Command and Control Presented to the 12th International Command and Control Research and Technology Symposium Paper I-156 Dr. Michael R. Hieb Sean Mackay Michael Powers Martin

332 views • 19 slides
Response: WCC, SDC & Partners Multi-Agency Command and Control - 4 Cs - Command, Control

Response: WCC, SDC & Partners Multi-Agency Command and Control - 4 Cs - Command, Control

Emergency Planning in Stratford Scrutiny Committee Michael Enderby Head of Service, CSW Resilience 6 th September 2017 04/09/2017 Civil Contingencies Act 2004 THE 7 DUTIES A single framework for civil protection in the United Kingdom to

419 views • 4 slides
C3CEN Industry Day 2018 CAPT Michael F. Nasitka Commanding Officer Command, Control, and

C3CEN Industry Day 2018 CAPT Michael F. Nasitka Commanding Officer Command, Control, and

Command, Control, and Communications Engineering Center (C3CEN) C3CEN Industry Day 2018 CAPT Michael F. Nasitka Commanding Officer Command, Control, and Communications Engineering Center Sustaining the PresentDeveloping the Future Command,

1.18k views • 49 slides
FGAN Content 1. The Development of a Formal Grammar 2. Designing a Command and Control Grammar

FGAN Content 1. The Development of a Formal Grammar 2. Designing a Command and Control Grammar

Applying A Formal Language of Command and Control for Interoperability Between Systems Presented to the AFCEA - GMU C4I Center Symposium on Critical Issues in C4I Dr. Michael Hieb Dr. Ulrich Schade George Mason University FGAN-FKIE US

562 views • 14 slides
COMMAND AND CONTROL SYSTEMS zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA CRITICAL PATH

COMMAND AND CONTROL SYSTEMS zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA CRITICAL PATH

COMMAND AND CONTROL SYSTEMS zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA CRITICAL PATH APPROACH TO BY D. J. LAMB AND P. F. O'NEILL OPERATIONAL RESEARCH AND ANALYSIS NATIONAL DEFENCE HEADQUARTERS OTTAWA, CANADA OUTLINE OF PRESENTATION

680 views • 45 slides
Between Fluffy Bunnies and Command & Control Agile Adop8on

Between Fluffy Bunnies and Command & Control Agile Adop8on

Between Fluffy Bunnies and Command & Control Agile Adop8on in Prac8ce 5493 Benjamin Mitchell Independent Consultant @benjaminm Mixed Messages &

964 views • 48 slides
Beyond command and control: Learning from other policy areas Professor Christina Boswell

Beyond command and control: Learning from other policy areas Professor Christina Boswell

Beyond command and control: Learning from other policy areas Professor Christina Boswell & Dr Sarah Kyambi School of Social and Political Science University of Edinburgh This project has received funding from the European Unions

163 views • 14 slides
hip, transitioning from command and control to teaming and trust Dr. Scott Reed Head of

hip, transitioning from command and control to teaming and trust Dr. Scott Reed Head of

Joining Humans and Robots at the hip, transitioning from command and control to teaming and trust Dr. Scott Reed Head of Engineering The 5 Year Vision 1. Can you survey the 1 sq. km area immediately outside the harbour? 3. I see the ATR

279 views • 14 slides
Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser

Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser

Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser Interdisciplinary Project Advisor: Lothar Braun Chair for Network Architectures and Services Faculty of Computer Science Technische Universit at M

1.02k views • 56 slides
CoCoSim, a code generation framework for control/command applications An overview of CoCoSim for

CoCoSim, a code generation framework for control/command applications An overview of CoCoSim for

CoCoSim, a code generation framework for control/command applications An overview of CoCoSim for multi-periodic discrete Simulink models Hamza Bourbouh, Pierre-Loc Garoche, Thomas Loquen, Eric Noulard and Claire Pagetti January 31 st 2020

395 views • 23 slides
Philosophy driving Ontology: Ideas from the Past Influencing The Future of Command (and Control)

Philosophy driving Ontology: Ideas from the Past Influencing The Future of Command (and Control)

Philosophy driving Ontology: Ideas from the Past Influencing The Future of Command (and Control) Jonathan E. Czarnecki, Ph.D. Naval War College Monterey Submission 006 For 15 th ICCRTS, Santa Monica, CA June, 2010 The Problem:

422 views • 11 slides
Command and Control By Loreal Froat Assistant Director, Emergency Management Definition

Command and Control By Loreal Froat Assistant Director, Emergency Management Definition

Command and Control By Loreal Froat Assistant Director, Emergency Management Definition The exercise of authority and direction by a properly designated commander over assigned and attached forces in the accomplishment of the mission.

439 views • 7 slides
Learning as Loss Minimization Machine Learning 1 Learning as loss minimization The setup

Learning as Loss Minimization Machine Learning 1 Learning as loss minimization The setup

Learning as Loss Minimization Machine Learning 1 Learning as loss minimization The setup Examples x drawn from a fixed, unknown distribution D Hidden oracle classifier f labels examples We wish to find a hypothesis h that mimics f

294 views • 25 slides
Online Monitoring developments Dorota, Robert and Voica LArSoft modules for OnlineMonitoring

Online Monitoring developments Dorota, Robert and Voica LArSoft modules for OnlineMonitoring

Online Monitoring developments Dorota, Robert and Voica LArSoft modules for OnlineMonitoring working on LArSoft dunetpc/dune/Protodune: git branch: feature_vradescu/OnlineMonitor 1. Module: RawEeventDisplay saves in root the event displays per

346 views • 10 slides
Mock Objects Maurcio F. Aniche M.F.Aniche@tudelft.nl Thats how it is in OO systems A

Mock Objects Maurcio F. Aniche M.F.Aniche@tudelft.nl Thats how it is in OO systems A

Mock Objects Maurcio F. Aniche M.F.Aniche@tudelft.nl Thats how it is in OO systems A does too much! A Thats how it is in OO systems A does too much again! A C Thats how it is in OO systems etc B A DB C What

190 views • 18 slides
When a Tree Falls: Using Diversity in Ensemble Classifiers to Identify Evasion in Malware

When a Tree Falls: Using Diversity in Ensemble Classifiers to Identify Evasion in Malware

When a Tree Falls: Using Diversity in Ensemble Classifiers to Identify Evasion in Malware Detectors Charles Smutz Angelos Stavrou George Mason University Motivation Machine learning used ubiquitously to improve information security

814 views • 30 slides
Reading engines for Visual Narratives by Laurent Le Meur / EDRLab 18 September 2018 EDRLab

Reading engines for Visual Narratives by Laurent Le Meur / EDRLab 18 September 2018 EDRLab

Reading engines for Visual Narratives by Laurent Le Meur / EDRLab 18 September 2018 EDRLab / Readium European / Digital Reading / Development Lab Readium -> reading engines, open-source Mobile: iOS (Swift), Android (Kotlin)

643 views • 29 slides
W HAT IS P LAIN E NGLISH ? According to the Palin English Campaign in Britain, it is the

W HAT IS P LAIN E NGLISH ? According to the Palin English Campaign in Britain, it is the

U SING P LAIN E NGLISH TO C REATE E FFECTIVE W ORKPLACE /B USINESS D OCUMENTS ABC 82 th Annual International Conference 2017, Dublin, Ireland My Favorite Assignment Yingqin Liu, Ph.D. Cameron University, USA yliu@cameron.edu O BJECTIVES OF THE A

359 views • 10 slides
Lessons from Fukushima August 7, 2012 David Lochbaum Director, Nuclear Safety Project Union of

Lessons from Fukushima August 7, 2012 David Lochbaum Director, Nuclear Safety Project Union of

Lessons from Fukushima August 7, 2012 David Lochbaum Director, Nuclear Safety Project Union of Concerned Scientists www.ucsusa.org What Fukushima Was Not Unexpected. Reactors were designed with: Earthquakes in mind Tsunamis in mind

434 views • 20 slides
Mixed Strategies 4/24/17 Recall: Pursuit/Evasion Game Pursuit/Evasion Payoff Matrix L R L

Mixed Strategies 4/24/17 Recall: Pursuit/Evasion Game Pursuit/Evasion Payoff Matrix L R L

Mixed Strategies 4/24/17 Recall: Pursuit/Evasion Game Pursuit/Evasion Payoff Matrix L R L 0,1 5,-1 R 3,-1 0,1 None of the outcomes is a Nash equilibrium. Key idea: randomize your action so that it cant be guessed. Mixed

333 views • 15 slides

More recommend