peer to peer botnet detection using netflow connor dillon
play

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System - PowerPoint PPT Presentation

Sep 25, 2023 •376 likes •610 views

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large group of infected computers,

  1. Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks

  2. Botnets Large group of infected computers, controlled by a criminal ● organization Bots harvest information – Perform DDoS attacks – Command & Control (C&C) botnets ● Centralized architecture – C&C servers are weak point – Peer-to-peer (p2p) botnets ● P2p architecture – More robust – More stealthy –

  3. Zeus P2P Malware (aka Zeus Gameover) Trojan horse ● Financial fraud ● Botnet takedown on June 2 nd ● 2014 P2P layer remains active –

  4. NetFlow

  5. IP Flow Information Export IP Flow Information Export (IPFIX) ● NetFlow v10 – IETF RFCs 7011 through RFC 7015 – Bidirectional flows RFC 5103 –

  6. Research Question Can p2p bots be detected effectively by analyzing traffic flow data?

  7. Related Research An Analysis of the Zeus Peer-to-Peer Protocol ● Dennis Andriesse and Herbert Bos – Technical Report IR-CS-74, VU University Amsterdam, 2014 – Are Your Hosts Trading or Plotting? Telling P2P File-Sharing and Bots ● Apart Ting-Fang Yen and Michael K. Reiter – Distributed Computing Systems (ICDCS), 2010 IEEE 30th International – Conference BotSuer: Suing Stealthy P2P Bots in Network Traffic through Netflow ● Analysis Nizar Kheir and Chirine Wolley – Cryptology and Network Security vol. 8257, 2013 –

  8. Approach 1. Acquire samples of active p2p malware 2. Install samples and capture NetFlow data of malicious traffic 3. Acquire NetFlow data of benign traffic 4. Analyze benign and malicious p2p traffic and find key differences 5. Design detection algorithm 6. Implement detection algorithm (Proof of Concept) 7. Test for false/true positives

  9. Data Set: Benign Traffic Data generated specifically for this research ● Web browsing traffic – Web streams – p2p traffic: – Multiple clients: uTorrent ● FrostWire: BitTorrent ● Bearshare: gnutella ● iMesh: IM2Net ● Ares Galaxy: own supernode/leaf protocol ● Emule: eDonkey & Kademlia ● Shareaza: multiple protocols ●

  10. Data Set: Malicious Traffic Obtained active samples of Zeus P2P malware from public sandbox ● Installed samples in lab environment and captured traffic ● Data set contains: ● Traffic from 3 different Zeus P2P binaries – Packet Captures (pcaps) of 100 mins, 2 hours and 12 hours –

  11. Isolating P2P Traffic UDP p2p protocols initiate connections from a single source port ● Peers try to connect to peers that are unreachable ● Result: lots of failed connections, to multiple destinations, from a ● single source IP/port

  12. Benign vs Malicious: Finding Differences Per application, split up data in to 2 hour chunks ● Analyze ● Amount of traffic generated – Average bytes/packets per flow – Protocol characteristics – Traffic patterns – Etc. –

  13. Benign vs Malicious: Traffic Volume

  14. Benign vs Malicious: Packet Symmetry

  15. Benign vs Malicious: Traffic Pattern

  16. Benign vs Malicious: Traffic Pattern

  17. Benign vs Malicious: Traffic Pattern

  18. Detection Algorithm Group all flows by source IP/port ● Sources with more than 3 failed flows to different hosts are marked as ● p2p Zeus p2p traffic is identified by either: ● A packet ratio of less than 0.4 – A traffic pattern of more than 3 approximately equal intervals of time of – more than 5 mins

  19. Detection Algorithm def p2p_detect(flows): unreachables = set ( flow.dst_ip for flow in flows if flow.up_pkts > 0 and flow.down_pkts == 0 ) if len (unreachables) > 3: return True def zeus_ratio_detect(flows): up = sum (flow.up_packets for flow in flows) down = sum (flow.down_packets for flow in flows) if up / down > 0.4: return True

  20. Detection Algorithm def zeus_pattern_detect(flows): timestamps = list (flow.timestamp for flow in flows) intervals = list () previous_timestamp = timestamps [0] for timestamp in timestamps: if timestamp - previous_timestamp > 300: intervals.append(timestamp – previous_timestamp) previous_timestamp = timestamp if len (intervals) > 3: if stdev (intervals) < 150: return True

  21. Proof of Concept NetFlow collector with detection algorithm implemented in Python ● code will be available on GitHub – Tested without false positives on available data ● Detects the Zeus P2P malware ●

  22. Conclusion It's possible to detect p2p malware using flow data ● Malware could change its behavior to avoid detection – Detection algorithm: ● Packet symmetry is probably specific to Zeus protocol – Traffic pattern might also be applicable to other malware – Future research: ● Other p2p malware – Testing more (real) benign p2p data for false positives –

  23. Thank you Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet Stephen Herwig Katura Harvey

Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet Stephen Herwig Katura Harvey

Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet Stephen Herwig Katura Harvey George Hughey Richard Roberts Dave Levin University of Maryland The Max Planck Institute + for Software Systems Rise of IoT Botnets

569 views • 52 slides
Peer-to-Peer Networks 09 Random Graphs for Peer-to-Peer-Networks Christian Ortolf Technical

Peer-to-Peer Networks 09 Random Graphs for Peer-to-Peer-Networks Christian Ortolf Technical

Peer-to-Peer Networks 09 Random Graphs for Peer-to-Peer-Networks Christian Ortolf Technical Faculty Computer-Networks and Telematics University of Freiburg Peer-to-Peer Networking Facts Hostile environment - Legal situation - Egoistic

882 views • 57 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
Comparing Hybrid Peer-to-Peer Hybrid peer-to-peer systems Systems Beverly Yang and Hector

Comparing Hybrid Peer-to-Peer Hybrid peer-to-peer systems Systems Beverly Yang and Hector

Comparing Hybrid Peer-to-Peer Hybrid peer-to-peer systems Systems Beverly Yang and Hector Garcia-Molina Pure peer-to-peer systems are hard to scale Gnutella Look at hybrids between p2p and server-client Presented by Marco Barreno Servers

282 views • 6 slides
THE PEER-TO-PEER NETWORK JOHN NEWBERY @jfnewbery github.com/jnewbery THE PEER-TO-PEER NETWORK

THE PEER-TO-PEER NETWORK JOHN NEWBERY @jfnewbery github.com/jnewbery THE PEER-TO-PEER NETWORK

THE PEER-TO-PEER NETWORK JOHN NEWBERY @jfnewbery github.com/jnewbery THE PEER-TO-PEER NETWORK Introduction Types of nodes Message format Control messages Transaction propagation Block propagation THE PEER TO PEER

767 views • 38 slides
Serverless networking (peer-to-peer computing) Peer-to-peer models Client-server computing

Serverless networking (peer-to-peer computing) Peer-to-peer models Client-server computing

5/7/08 Serverless networking (peer-to-peer computing) Peer-to-peer models Client-server computing servers provide special services to clients clients request service from a server Pure peer-peer computing all systems have equivalent

586 views • 20 slides
Detection of peer-to-peer botnets Matthew Steggink, Igor Idziejczak February 6, 2008 1 / 17

Detection of peer-to-peer botnets Matthew Steggink, Igor Idziejczak February 6, 2008 1 / 17

Outline Introduction &amp; theory Research question Peacomm case study Detection Conclusion &amp; future work Detection of peer-to-peer botnets Matthew Steggink, Igor Idziejczak February 6, 2008 1 / 17 Outline Introduction &amp; theory

570 views • 17 slides
Peer-to-Peer Networking and Discovery Technologies Week 6 Whats Peer-to-Peer? A different

Peer-to-Peer Networking and Discovery Technologies Week 6 Whats Peer-to-Peer? A different

Peer-to-Peer Networking and Discovery Technologies Week 6 Whats Peer-to-Peer? A different network architecture than client/server Each peer is both a client and a server Appropriate for applications that dont require a

353 views • 11 slides
NSYNC Network Synchronization for Low-latency Peer-to-Peer Streaming Overlay Construction

NSYNC Network Synchronization for Low-latency Peer-to-Peer Streaming Overlay Construction

NSYNC Network Synchronization for Low-latency Peer-to-Peer Streaming Overlay Construction Shudong Jin Case Western Reserve University NEONet Workshop, March 1, 2006 Peer-to-Peer Streaming Peer-to-peer systems versus client/server systems

292 views • 15 slides
THE POLITICS OF BLOCKCHAIN From Primus Inter Pares to Peer-to-Peer HOW BLOCKCHAIN WORKS In

THE POLITICS OF BLOCKCHAIN From Primus Inter Pares to Peer-to-Peer HOW BLOCKCHAIN WORKS In

THE POLITICS OF BLOCKCHAIN From Primus Inter Pares to Peer-to-Peer HOW BLOCKCHAIN WORKS In peer-to-peer networks, all the operations Peer-to-peer networks Proof-of-work equally rely on each node in the system. Digital signature Registry

328 views • 18 slides
Economics of Peer-to-Peer Markets Jonathan Levin Stanford

Economics of Peer-to-Peer Markets Jonathan Levin Stanford

Economics of Peer-to-Peer Markets Jonathan Levin Stanford University Lear Conference July 25, 2015 1 Internet Marketplaces 2 On-Demand Services 3 Introduction Peer-to-peer

1.02k views • 25 slides
Peer-to-Peer Computing Peer-to-Peer (P2P) employ distributed resources to perform function in a

Peer-to-Peer Computing Peer-to-Peer (P2P) employ distributed resources to perform function in a

Introduction Peer-to-Peer Computing Peer-to-Peer (P2P) employ distributed resources to perform function in a decentralized manner Resource can be: computing, storage, bandwidth Function can be: computing, data sharing, D.

625 views • 6 slides
5th Grade Peer Ambassadors Parkway Elementary What is a Peer Ambassador? A Peer Ambassador is a

5th Grade Peer Ambassadors Parkway Elementary What is a Peer Ambassador? A Peer Ambassador is a

5th Grade Peer Ambassadors Parkway Elementary What is a Peer Ambassador? A Peer Ambassador is a good role model! She or he proudly represents the 6 pillars of character: Trustworthiness, Respect, Responsibility, Fairness, Caring, Citizenship A

258 views • 7 slides
P2P: Distributed Hash Tables Chord + Routing Geometries Nirvan Tyagi CS 6410 Fall16

P2P: Distributed Hash Tables Chord + Routing Geometries Nirvan Tyagi CS 6410 Fall16

P2P: Distributed Hash Tables Chord + Routing Geometries Nirvan Tyagi CS 6410 Fall16 Peer-to-peer (P2P) Peer-to-peer (P2P) Decentralized! Hard to coordinate with peers joining and leaving Peer-to-peer (P2P) Napster (1999) Peer-to-peer

869 views • 68 slides
Lets Put a Peer Worker on Campus! Keely Phillips, Self Help &amp; Peer Support OPDI

Lets Put a Peer Worker on Campus! Keely Phillips, Self Help &amp; Peer Support OPDI

Lets Put a Peer Worker on Campus! Keely Phillips, Self Help &amp; Peer Support OPDI Conference, October 2018 About Self Help &amp; Peer Support Peer Navigator Services at Conestoga College A full-time Peer Navigator will provide:

579 views • 16 slides
Peer-to-peer Architecture for Collaborative Intrusion and Malware Detection on a Large Scale

Peer-to-peer Architecture for Collaborative Intrusion and Malware Detection on a Large Scale

UNIVERSITY OF MODENA AND REGGIO EMILIA Peer-to-peer Architecture for Collaborative Intrusion and Malware Detection on a Large Scale Mirco Marchetti, Michele Messori and Michele Colajanni WebLab, University of Modena and Reggio Emilia, Italy

297 views • 19 slides
Path Query Routing in Unstructured Peer-to-Peer Networks Nicolas Bonnel, Gildas Mnier,

Path Query Routing in Unstructured Peer-to-Peer Networks Nicolas Bonnel, Gildas Mnier,

Introduction Related work Content based routing of path queries Conclusion Path Query Routing in Unstructured Peer-to-Peer Networks Nicolas Bonnel, Gildas Mnier, Pierre-francois Marteau Laboratoire Valoria - Universit de Bretagne Sud

416 views • 22 slides
COMMUNITY LIVING COALITION Presented by John Hardy and Lorraine Zeller, Consumer Affairs Hilary

COMMUNITY LIVING COALITION Presented by John Hardy and Lorraine Zeller, Consumer Affairs Hilary

COMMUNITY LIVING COALITION Presented by John Hardy and Lorraine Zeller, Consumer Affairs Hilary Armstrong and Kim Pederson, Mental Health Advocacy Project Jung Pham, Disability Rights California STEERING COMMITTEE MEMBERSHIP Consumers &amp;

492 views • 9 slides
Investor Presentation (NYSE: HRTG) September 2019 SAFE HARBOR Statements in this presentation

Investor Presentation (NYSE: HRTG) September 2019 SAFE HARBOR Statements in this presentation

Investor Presentation (NYSE: HRTG) September 2019 SAFE HARBOR Statements in this presentation that are not historical facts are forwardlooking statements that are subject to certain risks and uncertainties that could cause actual events and

732 views • 26 slides
learning of innovation agencies Horizon 2020 call Innosup-5- 2014/2015 Agnieszka Stasiakowska

learning of innovation agencies Horizon 2020 call Innosup-5- 2014/2015 Agnieszka Stasiakowska

Info Day: Peer learning of innovation agencies Horizon 2020 call Innosup-5- 2014/2015 Agnieszka Stasiakowska EASME A2 Horizon 2020 SME Program Introduction Agnieszka Stasiakowska, EASME Twinning Advanced Methodology

441 views • 16 slides
One Year of Peer to Peer Ron McLeod, BCSc, MCSc. Director - Corporate Development Telecom

One Year of Peer to Peer Ron McLeod, BCSc, MCSc. Director - Corporate Development Telecom

One Year of Peer to Peer Ron McLeod, BCSc, MCSc. Director - Corporate Development Telecom Applications Research Alliance Doctoral Student, Faculty of Computer Science, Dalhousie University Presentation Summary This presentation will profile

750 views • 35 slides
Optimal File Distribution in Peer-to-Peer Networks Kai-Simon Goetzmann Technische Universitt

Optimal File Distribution in Peer-to-Peer Networks Kai-Simon Goetzmann Technische Universitt

Optimal File Distribution in Peer-to-Peer Networks Kai-Simon Goetzmann Technische Universitt Berlin goetzmann@math.tu-berlin.de joint work with Tobias Harks, Max Klimm, and Konstantin Miller ISAAC 2011, Yokohama Motivation Motivation

637 views • 48 slides
Peer to Peer Learning &amp; Support Aims and Objectives of this Workshop Workshop 3: Peer to

Peer to Peer Learning &amp; Support Aims and Objectives of this Workshop Workshop 3: Peer to

Peer to Peer Learning &amp; Support Aims and Objectives of this Workshop Workshop 3: Peer to Peer Learning &amp; Support is designed to encourage peer to peer support, learning and development and sharing best practice amongst the

495 views • 11 slides
Building Youth Engagement and Involvement: Technical Assistance Azaria Georger Youth Peer

Building Youth Engagement and Involvement: Technical Assistance Azaria Georger Youth Peer

Building Youth Engagement and Involvement: Technical Assistance Azaria Georger Youth Peer Services Training And Credentialing Coordinator Bianca Logan Youth Peer Development And Training Manager Alex Frisina Long Island Regional Youth Partner

550 views • 20 slides

More recommend