phoenix dga based botnet tracking and intelligence
play

Phoenix: DGA-based Botnet Tracking and Intelligence DIMVA 2014 - PowerPoint PPT Presentation

Sep 18, 2023 •784 likes •1.39k views

Phoenix: DGA-based Botnet Tracking and Intelligence DIMVA 2014 July 11, 2014 Royal Holloway, University of London, UK Stefano Schiavoni Politecnico di Milano, Italy and Google, UK @sschiav, sschiavoni@google.com Federico Maggi ,

  1. Phoenix: DGA-based Botnet Tracking and Intelligence DIMVA 2014 July 11, 2014 – Royal Holloway, University of London, UK Stefano Schiavoni Politecnico di Milano, Italy and Google, UK @sschiav, sschiavoni@google.com Federico Maggi , Politecnico di Milano, Italy Lorenzo Cavallaro , Royal Holloway, University of London, UK Stefano Zanero , Politecnico di Milano, Italy

  2. Introduction State of the Art System Description System Evaluation Conclusions Introduction Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  3. Introduction State of the Art System Description System Evaluation Conclusions Botnets A largely widespread and highly lucrative criminal activity. Four examples: Flashback: year 2012, 600K compromised Macs, credentials stealing Grum: from 2008 to 2012, 840K compromised devices, 40bln/mo spam emails TDL-4: from 2011, 4,5M victims in the first 3 months, known as "indestructible" . Gameover ZeuS from 2011, 500K - 1M infections as of last month, huge effort and collaboration to take down. Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  4. Introduction State of the Art System Description System Evaluation Conclusions C&C Channel It’s the logical communication channel used by the botmaster to communicate with his bots. Security defenders strive to disable C&C channels as means to disable botnets without sanitizing the infected machines. Bot C&C Server Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  5. Introduction State of the Art System Description System Evaluation Conclusions C&C Channels Security Botnet architects need to buid sinkholing-proof C&C infrastructures. No perfect solution exists, but sinkholing can be made hard or antieconomic . Employing P2P architectures helps, but these are difficult to manage and provide little guarantees. Client-server C&C infrastructures can be effective if a strong rallying mechanism is employed. Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  6. Introduction State of the Art System Description System Evaluation Conclusions Rallying Mechanism The process with which a bot looks up for a rendezvous point with its master, before starting the actual communication. The rendezvous point can be: • an IP address, • a domain name. In the most basic scenario, the IP addresses or domain names are hardcoded in the binary . Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  7. Introduction State of the Art System Description System Evaluation Conclusions General Issues Hardcoding IP addresses or domain names is not great because: 1 the rendezvous coordinates can be leaked by the malware binary through reverse engineering; 2 a rendezvous point change needs an explicit agreement . The mechanism of domain generation algorithms (DGAs) targets and solves these issues. Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  8. Introduction State of the Art System Description System Evaluation Conclusions Domain Generation Algorithms Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  9. Introduction State of the Art System Description System Evaluation Conclusions Domain Generation Algorithms: Functioning Bot DNS Resolver Every day the bots generate a long list of pseudo-random domains , with an un- predictable seed (e.g., Twitter TT). DNS query: ahj.info DNS reply: NXDOMAIN The botmaster registers one of them . DNS query: bqy.info When the bots find it, they find the ren- DNS reply: NXDOMAIN dezvous point . DNS query: sjq.info DNS reply: 131.75.67.3 Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  10. Introduction State of the Art System Description System Evaluation Conclusions Domain Generation Algorithms: Properties Malware code is agnostic : reverse engineering it is useless. There is an asymmetry in the costs and efforts : botmaster: needs to register one domain to talk to his bots, defender: needs to register all the domain pool , to avoid it. Migrations of C&C servers do not need explicit agreement . Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  11. Introduction State of the Art System Description System Evaluation Conclusions Domain Generation Algorithms: Defense It is necessary to study defensive solutions that allow to identify and block DGA-related domains timely. The natural observation point is the DNS infrastructure . Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  12. Introduction State of the Art System Description System Evaluation Conclusions State of the Art and Motivation Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  13. Introduction State of the Art System Description System Evaluation Conclusions Domain Reputation Systems Domain reputation systems exist able to tell malicious and benign domains apart . Some exist that do so by mining DNS network traffic , e.g., Exposure [Bilge et al. 2011], Kopis [Antonakakis et al. 2011], Notos [Antonakakis et al. 2010] Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  14. Introduction State of the Art System Description System Evaluation Conclusions Domain Reputation Systems: Drawbacks They fail in correlating distinct yet related domains. 256 malicious domains 4 distinct threats Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  15. Introduction State of the Art System Description System Evaluation Conclusions DGA Detection Systems Bot DNS Resolver Detection systems exist that specifically identify active DGAs and related do- mains [Yadav et al. 2010, Yadav and Reddy 2012, Antonakakis et al. 2012]. DNS query: ahj.info DNS reply: NXDOMAIN They are driven by the hypothesis that DNS query: bqy.info malware-infected machines operating a DNS reply: NXDOMAIN DGA generate huge amounts of NX- DNS query: sjq.info DOMAIN DNS replies. DNS reply: 131.75.67.3 Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  16. Introduction State of the Art System Description System Evaluation Conclusions DGA Detection Systems: Drawbacks DNS Infrastructure Nevertheless, they require access ➋ ➌ to network data that: DNS Resolver • is not publicly available to Observation point: academics, because of 192.168.0.100 privacy concerns, requested badsite.org ➊ ➍ • leads to non-repeatable DNS query: badsite.org experiments. Requesting host IP: 192.168.0.100 Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  17. Introduction State of the Art System Description System Evaluation Conclusions Objectives Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  18. Introduction State of the Art System Description System Evaluation Conclusions Objectives Given the limitations of the state-of-the-art systems, we propose Phoenix , which: 1 identifies active DGAs and the related domains with realistic hypoteses, 2 correlates the activities of different domains related to the same DGAs. 3 produces novel knowledge and intelligence insights . Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  19. Introduction State of the Art System Description System Evaluation Conclusions System Description Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  20. Introduction State of the Art System Description System Evaluation Conclusions Overview Phoenix works in two phases: DGA-Domain DGA Discovery Detection Boostrap Online execution DGA Discovery: Discovers DGAs active in the wild and characterizes the generation processes. DGA-Domain Detection: Detects previously-unseen DGA-domains and assigns them to a specific DGA. During its execution, it produces novel intelligence knowledge . Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  21. Introduction State of the Art System Description System Evaluation Conclusions DGA Discovery Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  22. Introduction State of the Art System Description System Evaluation Conclusions DGA-Domain Filtering: Rationale DGA-domains are the result of randomized computations . They look like “high-entropy” strings : vljiic.org 79ec8...f57ef.co.cc vitgyyizzz.biz f0938...772fb.co.cc gkeqr.org nlgie.org jyzirvf.info xtknjczaafo.biz aawrqv.biz hughfgh142.tk yxzje.info yxipat.cn fyivbrl3b0dyf.cn ukujhjg11.tk rboed.info We automate the process of recognizing the randomness of domain names. We do so by computing linguistic-based features . Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

  23. Introduction State of the Art System Description System Evaluation Conclusions DGA-domain Filtering: Features I R : percentage of symbols of the domain name d composing meaningful words . For instance: d = facebook . com d = pub03str . info R ( d ) = | face | + | book | | pub | = 1 R ( d ) = | pub03str | = 0 . 375 . | facebook | likely humanly-generated domain likely DGA-domain Stefano Schiavoni Phoenix: DGA-based Botnet Tracking and Intelligence

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization Automatic Tracking and Activity Visualization marco riccardi Italian Chapter - The Honeynet Project marco cremonini

393 views • 36 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
Botnet Tracking: Tools, Techniques, and Lessons Learned Dr. Jose Nazario About Arbor Networks

Botnet Tracking: Tools, Techniques, and Lessons Learned Dr. Jose Nazario About Arbor Networks

Botnet Tracking: Tools, Techniques, and Lessons Learned Dr. Jose Nazario About Arbor Networks Founded in 2000 ~150 employees worldwide Peakflow product lines Peakflow SP for service providers Peakflow X for enterprises

879 views • 41 slides
Botnet Population and Intelligence Gathering Techniques David Dagon 1 & Chris Davis 2

Botnet Population and Intelligence Gathering Techniques David Dagon 1 & Chris Davis 2

BlackHat DC 2008 Botnet Population and Intelligence Gathering Techniques David Dagon 1 & Chris Davis 2 dagon@cc.gatech.edu Georgia Institute of Technology College of Computing cdavis@damballa.com Damballa, Inc. BlackHat DC Meeting 2008

431 views • 41 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq Khan, Protick Bhowmick, Md. Shohrab Hossain, and Husnu S. Narman 2 Outlines Motivation Problem Contribution Results Conclusions 3

733 views • 34 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Entropy-Based Measurement of IP Address Inflation in the Waledac Botnet Rhiannon Weaver 1 Chris

Entropy-Based Measurement of IP Address Inflation in the Waledac Botnet Rhiannon Weaver 1 Chris

Entropy-Based Measurement of IP Address Inflation in the Waledac Botnet Rhiannon Weaver 1 Chris Nunnery 2 Gautam Singaraju 2 Brent ByungHoon Kang 3 1 CERT/SEI 2 University of North Carolina 3 George Mason University January 11, 2011 Introduction

471 views • 22 slides
Transfer Learning Approach for Botnet Detection based on Recurrent Variational Autoencoder

Transfer Learning Approach for Botnet Detection based on Recurrent Variational Autoencoder

Transfer Learning Approach for Botnet Detection based on Recurrent Variational Autoencoder Jeeyung Kim Scientific Data Management Research Group Computational Research Division Lawrence Berkeley National Laboratory 2020 SNTA, 06/02/2020 J.

423 views • 21 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

1k views • 58 slides
Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State University Computer Science outline background experimental flow tuples botnet server mesh detection botnet client mesh detection

364 views • 23 slides
AST TRACKING SOLUTIONS V2.0_May2010 System Based on ASTs DataNet DataGate tracking

AST TRACKING SOLUTIONS V2.0_May2010 System Based on ASTs DataNet DataGate tracking

AST TRACKING SOLUTIONS V2.0_May2010 System Based on ASTs DataNet DataGate tracking server software Can be AST based or end user installed Available with full end to end encryption DataHost user interface software

637 views • 25 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis & Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster.

409 views • 11 slides
Apache Phoenix We put the SQL back in NoSQL http://phoenix.incubator.apache.org James Taylor

Apache Phoenix We put the SQL back in NoSQL http://phoenix.incubator.apache.org James Taylor

Apache Phoenix We put the SQL back in NoSQL http://phoenix.incubator.apache.org James Taylor @JamesPlusPlus http://phoenix-hbase.blogspot.com/ About me Engineer at Salesforce.com in BigData group o Started Phoenix as internal project ~2.5

1.16k views • 77 slides
Phoenix ix O One Guests: 50 Sle leeps: 8 Locatio ion: Whitsundays and Gold Coast A crown

Phoenix ix O One Guests: 50 Sle leeps: 8 Locatio ion: Whitsundays and Gold Coast A crown

Phoenix ix O One Guests: 50 Sle leeps: 8 Locatio ion: Whitsundays and Gold Coast A crown jewel of the South Pacific, PHOENIX ONE is a luxury motor yacht that can do package or individually customized charters. Based on the east coast of

200 views • 3 slides
A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T exas at San Antonio Overview Botnet Lifecycle Botnet Architecture Command and Control Mechanisms (C&C) Dynamic Graph Model Botnet

195 views • 18 slides
Non-commutative association schemes of rank 6 M. Muzychuk (joint work with A. Herman and B. Xu),

Non-commutative association schemes of rank 6 M. Muzychuk (joint work with A. Herman and B. Xu),

Non-commutative association schemes of rank 6 M. Muzychuk (joint work with A. Herman and B. Xu), Netanya Academic College, Israel , October, 2016, Pilsen, Czech Republick Non-commutative association schemes of rank 6 1. Y. Asaba and A.

950 views • 78 slides
rt tt ts t strs

rt tt ts t strs

rt tt ts t strs tr trt s t r r s

728 views • 44 slides
Challenges in the Development and Operation of the MW-class SNS Mercury Target Bernie Riemer

Challenges in the Development and Operation of the MW-class SNS Mercury Target Bernie Riemer

Challenges in the Development and Operation of the MW-class SNS Mercury Target Bernie Riemer SNS Upgrades Office J-PARC Symposium 2019 September 23-27, 2019 ORNL is managed by UT-Battelle, LLC for the US Department of Energy SNS mission is

228 views • 20 slides
A family of two-dimensional AKLT models with a spectral gap above the ground state Bruno

A family of two-dimensional AKLT models with a spectral gap above the ground state Bruno

1 Venice, 22 August 2019 A family of two-dimensional AKLT models with a spectral gap above the ground state Bruno Nachtergaele (UC Davis) Joint work with Houssam Abdul-Rahman (U Arizona), Marius Lemm (Harvard), Angelo Lucia (Caltech), Amanda

336 views • 18 slides
Virtual Data Language: A Typed Workflow Notation for Diversely Structured Scientific Data Yong

Virtual Data Language: A Typed Workflow Notation for Diversely Structured Scientific Data Yong

Virtual Data Language: A Typed Workflow Notation for Diversely Structured Scientific Data Yong Zhao 1 , Michael Wilde 23 , Ian Foster 123 1 Department of Computer Science, University of Chicago 2 Computational Institute, University of Chicago 3

317 views • 20 slides
NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

PHOENIX & CERBERUS We haz botnets! #Honeynet2014 Stefano Schiavoni, Edoardo Colombo Federico Maggi Lorenzo Cavallaro Stefano Zanero Politecnico Di Milano & Royal Hollway, University of London NECST laboratory BOTNETS FUNDING ETC.

1.28k views • 107 slides
Is the Helmholtz equation really sign-indefinite? Andrea Moiola D EPARTMENT OF M ATHEMATICS AND S

Is the Helmholtz equation really sign-indefinite? Andrea Moiola D EPARTMENT OF M ATHEMATICS AND S

B RITISH C OMPUTATIONAL PDE S C OLLOQUIUM : N EW T RENDS ICMS E DINBURGH , 2324 J ANUARY 2014 Is the Helmholtz equation really sign-indefinite? Andrea Moiola D EPARTMENT OF M ATHEMATICS AND S TATISTICS , U NIVERSITY OF R EADING Joint work

581 views • 37 slides
Margit Sutrop University of Tartu, Estonia y Hong Kong, 4-5 January 2010 Change in ethical

Margit Sutrop University of Tartu, Estonia y Hong Kong, 4-5 January 2010 Change in ethical

Margit Sutrop University of Tartu, Estonia y Hong Kong, 4-5 January 2010 Change in ethical frameworks Change in ethical frameworks Comparison of biometric and human genetic databases databases Lack of public debate as a problem

368 views • 17 slides

More recommend