BotNet Detection Techniques
By Shreyas Sali
Course: Network Security (CSCI – 5235)
Instructor: Dr. T Andrew Yang
Outline
• Introduction to Botnet
• Botnet Life-cycle
• Botnet in Network Security
• Botnet Uses
• Botnet Detection
• Preventing Botnet Infection
• Botnet Research
• Conclusion
• References
Introduction to Botnet
• A Botnet is a network of compromised computers under the control of a remote attacker.
• Botnet Terminology
  • Bot Herder (Bot Master)
  • Bot
  • Bot Client
  • IRC Server
  • Command and Control Channel (C&C)
Introduction to Botnet (Terminology)
[Diagram: Bot Master, IRC Server, IRC Channel, Code Server, Bots, Victim; labelled flows: C&C Traffic, Updates, Attack]
Botnet in Network Security
• Internet users are getting infected by bots
• Corporate and end users are often trapped in botnet attacks
• Today 16-25% of the computers connected to the internet are members of a botnet
• In such a network the bots are located in many different places
• This makes it difficult to track illegal activities
• This behaviour makes botnets an attractive tool for intruders and increases the threat to network security
Botnet is Used For
[Diagram: Bot Master at the centre of the botnet's uses]
How Botnet is Used?
• Distributed Denial of Service (DDoS) attacks
• Sending spam
• Phishing (fake websites)
• Adware (Trojan horse)
• Spyware (keylogging, information harvesting)
• Click fraud
So it is really important to detect this attack
Botnet Detection
Two approaches for botnet detection, based on:
• Setting up honeynets
• Passive traffic monitoring
  • Signature based
  • Anomaly based
  • DNS based
  • Mining based
Botnet Detection: Setting up Honeynets
Windows Honeypot
• Honeywall responsibilities:
  • DNS name/IP address of the IRC server and port number
  • (optional) password to connect to the IRC server
  • Nickname of the bot
  • Channel to join and (optional) channel password
Botnet Detection: Setting up Honeynets
[Diagram: Bot Master, Bot, Sensor; steps: 1. Malicious Traffic, 2. Inform bot's IP, 3. Authorize]
Botnet Detection: Traffic Monitoring
• Signature based: detection of known botnets
• Anomaly based: detect botnets using the following anomalies
  • High network latency
  • High volume of traffic
  • Traffic on unusual ports
  • Unusual system behaviour
• DNS based: analysis of DNS traffic generated by botnets
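The three traffic-monitoring checks above, worked through as an added example (this is illustrative code written for this page, not the presentation's own detector): a signature match against a known C&C name, anomaly checks for unusual ports and high volume, and two DNS-based checks (one name resolved by many internal hosts, and a host whose lookups are mostly NXDOMAIN). All hosts, names, ports and thresholds are constructed assumptions.

```python
"""Added example: signature-, anomaly- and DNS-based checks over constructed
network records. Not the presentation's or any product's own code; all
hosts, domains and thresholds are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str      # internal host
    dst: str      # remote address
    dport: int    # destination port
    nbytes: int   # bytes sent by src


@dataclass(frozen=True)
class DnsQuery:
    client: str   # internal host that asked
    qname: str    # queried name
    rcode: str    # "NOERROR" or "NXDOMAIN"


# --- Constructed sample data (documentation-range addresses, not real IoCs) ---
FLOWS = [
    Flow("10.0.0.7", "203.0.113.5", 6667, 1_200),        # IRC port, not on allow-list
    Flow("10.0.0.8", "203.0.113.5", 6667, 900),
    Flow("10.0.0.9", "198.51.100.20", 443, 8_000_000),   # very large upload
    Flow("10.0.0.10", "198.51.100.30", 443, 4_000),      # ordinary HTTPS
]
DNS_LOG = [
    DnsQuery("10.0.0.7", "irc.c2-example.test", "NOERROR"),
    DnsQuery("10.0.0.8", "irc.c2-example.test", "NOERROR"),
    DnsQuery("10.0.0.11", "irc.c2-example.test", "NOERROR"),
    DnsQuery("10.0.0.12", "a1b2c3.example.net", "NXDOMAIN"),
    DnsQuery("10.0.0.12", "d4e5f6.example.net", "NXDOMAIN"),
    DnsQuery("10.0.0.12", "g7h8i9.example.net", "NXDOMAIN"),
    DnsQuery("10.0.0.12", "www.example.org", "NOERROR"),
    DnsQuery("10.0.0.10", "www.example.org", "NOERROR"),
]

# Constructed signature list: a name already known (e.g. from a honeynet) to be C&C.
KNOWN_C2_NAMES = {"irc.c2-example.test"}
# Ports this hypothetical policy allows outbound from workstations.
ALLOWED_PORTS = {53, 80, 443}
HIGH_VOLUME_BYTES = 5_000_000


def signature_alerts(dns_log: List[DnsQuery]) -> List[Tuple[str, str]]:
    """Signature-based: a lookup of a known C&C name is a direct hit."""
    return [(q.client, q.qname) for q in dns_log if q.qname in KNOWN_C2_NAMES]


def anomaly_alerts(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Anomaly-based: traffic on an unusual port or an unusually large volume."""
    alerts = []
    for f in flows:
        if f.dport not in ALLOWED_PORTS:
            alerts.append((f.src, f"unusual port {f.dport} to {f.dst}"))
        if f.nbytes >= HIGH_VOLUME_BYTES:
            alerts.append((f.src, f"high volume {f.nbytes} bytes to {f.dst}"))
    return alerts


def dns_alerts(dns_log: List[DnsQuery], min_clients: int = 3,
               nx_ratio: float = 0.5) -> List[Tuple[str, str]]:
    """DNS-based: (a) one name resolved by many distinct internal hosts
    (bots rendezvous on the same C&C name); (b) a host whose queries are
    mostly NXDOMAIN (typical of bots probing generated names)."""
    clients_per_name = defaultdict(set)
    totals = defaultdict(int)
    nx = defaultdict(int)
    for q in dns_log:
        clients_per_name[q.qname].add(q.client)
        totals[q.client] += 1
        if q.rcode == "NXDOMAIN":
            nx[q.client] += 1
    alerts = []
    for name, clients in clients_per_name.items():
        if len(clients) >= min_clients:
            alerts.append((name, f"resolved by {len(clients)} hosts"))
    for client, n in totals.items():
        if n and nx[client] / n >= nx_ratio:
            alerts.append((client, f"{nx[client]}/{n} queries NXDOMAIN"))
    return alerts


if __name__ == "__main__":
    for a in signature_alerts(DNS_LOG) + anomaly_alerts(FLOWS) + dns_alerts(DNS_LOG):
        print(a)
```

Note how the DNS-based check fires on irc.c2-example.test even without the signature entry: three internal hosts resolving the same otherwise-unknown name is itself the anomaly, which is what lets this approach catch botnets the signature list has not seen.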
Botnet Detection: Traffic Monitoring
• Mining based:
  • Botnet C&C traffic is difficult to detect
  • Anomaly-based techniques are not useful
  • Data mining techniques – classification, clustering
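The clustering approach, as an added example that is not the presentation's own code: each internal host is summarised by two behavioural features (how regular its inter-flow gaps are, and how many distinct remotes it contacts per flow), and a small deterministic 2-means groups hosts with similar behaviour. Hosts that beacon to the same remote on a fixed interval collapse into one tight cluster, which is the candidate C&C group. The flow log, addresses and feature choice are constructed assumptions.

```python
"""Added example: mining-based detection by clustering hosts on behavioural
flow features. Illustrative code for this page, not the presentation's own.
Sample timestamps and addresses are constructed."""
import math
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed flow log: (timestamp_seconds, internal_host, remote_host).
# Hosts 10.0.0.7/8/9 talk to the same remote every 60 s (beacon-like);
# 10.0.0.20/21 browse irregularly to many different remotes.
FLOW_LOG = [
    (t, h, "203.0.113.5") for h in ("10.0.0.7", "10.0.0.8", "10.0.0.9")
    for t in (0, 60, 120, 180, 240)
] + [
    (0, "10.0.0.20", "198.51.100.1"), (5, "10.0.0.20", "198.51.100.2"),
    (47, "10.0.0.20", "198.51.100.3"), (50, "10.0.0.20", "198.51.100.4"),
    (200, "10.0.0.20", "198.51.100.5"),
    (0, "10.0.0.21", "198.51.100.6"), (30, "10.0.0.21", "198.51.100.7"),
    (31, "10.0.0.21", "198.51.100.8"), (90, "10.0.0.21", "198.51.100.9"),
    (300, "10.0.0.21", "198.51.100.6"),
]

Feature = Tuple[float, float]


def host_features(flow_log) -> Dict[str, Feature]:
    """Per host: (coefficient of variation of inter-flow gaps,
    distinct remotes / flows). Beaconing bots score near (0, small)."""
    times = defaultdict(list)
    remotes = defaultdict(set)
    for t, host, remote in flow_log:
        times[host].append(t)
        remotes[host].add(remote)
    feats = {}
    for host, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else 0.0
        feats[host] = (cv, len(remotes[host]) / len(ts))
    return feats


def _dist(a: Feature, b: Feature) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def kmeans2(points: Dict[str, Feature], rounds: int = 20) -> List[frozenset]:
    """Deterministic 2-means: seed with the first point and the point
    farthest from it, then iterate assignment/update until stable."""
    names = list(points)
    c0 = points[names[0]]
    c1 = max((points[n] for n in names), key=lambda p: _dist(p, c0))
    centroids = [c0, c1]
    assignment: Dict[str, int] = {}
    for _ in range(rounds):
        new = {n: min((0, 1), key=lambda k: _dist(points[n], centroids[k]))
               for n in names}
        if new == assignment:
            break
        assignment = new
        for k in (0, 1):
            members = [points[n] for n in names if assignment[n] == k]
            if members:
                centroids[k] = (mean(p[0] for p in members),
                                mean(p[1] for p in members))
    return [frozenset(n for n in names if assignment[n] == k) for k in (0, 1)]


def suspected_bot_cluster(flow_log) -> frozenset:
    """The cluster with the most regular timing (lowest mean gap-CV) is the
    candidate C&C group; the analyst then inspects the remotes it contacts."""
    feats = host_features(flow_log)
    clusters = kmeans2(feats)
    return min(clusters, key=lambda c: mean(feats[h][0] for h in c))


if __name__ == "__main__":
    print(sorted(suspected_bot_cluster(FLOW_LOG)))
```

The point of the mining approach is that no single host here crosses a volume or port threshold; it is the shared, machine-like regularity across several hosts that separates them from ordinary users, which is exactly what the slide means by C&C traffic being hard to catch with per-host anomaly rules alone.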
Botnet Detection
• Determining the source of a botnet-based attack is challenging:
  • Traditional approach: every zombie host is an attacker
  • Botnets can exist in a benign state for an arbitrary amount of time before they are used for a specific attack
• New trend: P2P networks
Preventing Botnet Infections
• Use a firewall
• Patch regularly and promptly
• Use antivirus (AV) software
• Deploy an Intrusion Prevention System (IPS)
• Implement application-level content filtering
• Define a security policy and share it with your users systematically
Botnet Research
• Logging onto the herder's IRC server to get information
• Passive monitoring: either listening between the infected machine and the herder, or spoofing an infected PC
• Active monitoring: poking around in the IRC server
• Sniffing traffic between the bot and the control channel
Botnet Research: Monitoring
[Diagram: Attacker (Herder), Infected host, IRC server, Researcher]
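What a honeywall (the honeynet slides) or a passive monitor sitting between the infected machine and the herder (the research slides) actually records from an IRC bot's handshake, as an added example that is not the presentation's own code: the IRC server address and port, the optional server password (PASS), the bot's nickname (NICK), and the channel plus optional key (JOIN), which are the fields the honeywall slide lists. The capture format, addresses, server name, nick and channel are all constructed; the IRC commands themselves are the standard RFC 2812 ones.

```python
"""Added example: extracting the C&C parameters a honeywall or a passive
monitor records from a captured IRC handshake. Written for this page; not
the presentation's own code. Capture lines and all values are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed capture: "src:port -> dst:port payload". Addresses come from the
# documentation ranges; 203.0.113.5 plays the IRC C&C server.
CAPTURE = [
    "10.0.0.7:49152 -> 203.0.113.5:6667 PASS s3cretjoin",
    "10.0.0.7:49152 -> 203.0.113.5:6667 NICK [XP]-48213",
    "10.0.0.7:49152 -> 203.0.113.5:6667 USER xp 0 * :xp",
    "203.0.113.5:6667 -> 10.0.0.7:49152 :irc.c2-example.test 001 [XP]-48213 :Welcome",
    "10.0.0.7:49152 -> 203.0.113.5:6667 JOIN #ctrl ch4nn3lkey",
]

LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (.*)$")


@dataclass
class IrcC2Profile:
    """The fields the honeywall slide lists: server DNS name/IP and port,
    optional server password, bot nickname, channel and optional key."""
    server_ip: Optional[str] = None
    server_name: Optional[str] = None
    port: Optional[int] = None
    password: Optional[str] = None
    nickname: Optional[str] = None
    channel: Optional[str] = None
    channel_key: Optional[str] = None


def parse_irc_session(lines: Iterable[str]) -> IrcC2Profile:
    """Walk the captured lines once; client-side commands fill the profile,
    the server's 001 welcome supplies the server's DNS name."""
    p = IrcC2Profile()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a capture line we understand; skip it
        src, sport, dst, dport, payload = m.groups()
        if p.server_ip is None:
            # The first line is the bot's outbound packet: its target is the server.
            p.server_ip, p.port = dst, int(dport)
        if src == p.server_ip:
            # Server-side line: numeric 001 carries the server's own name as prefix.
            if payload.startswith(":") and " 001 " in payload:
                p.server_name = payload[1:].split(" ", 1)[0]
            continue
        parts = payload.split()
        cmd = parts[0].upper()
        if cmd == "PASS" and len(parts) > 1:
            p.password = parts[1]
        elif cmd == "NICK" and len(parts) > 1:
            p.nickname = parts[1]
        elif cmd == "JOIN" and len(parts) > 1:
            p.channel = parts[1]
            p.channel_key = parts[2] if len(parts) > 2 else None
    return p


if __name__ == "__main__":
    print(parse_irc_session(CAPTURE))
```

The resulting profile is what turns a single honeypot infection into indicators for the whole network: the server name and port feed the signature and DNS-based checks, and the channel name lets the sensor recognise other internal hosts joining the same channel.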
Conclusion
• Botnets pose a significant and growing threat to cyber security
• They provide a key platform for many cyber crimes (DDoS)
• Network security has become an integral part of our lives, and botnets have become the most serious threat to it
• It is very important to detect botnet attacks and find solutions for them
References
• B. Saha and A. Gairola, "Botnet: An overview," CERT-In White Paper CIWP-2005-05, 2005
• M. M. Masud, J. Gao, L. Khan, J. Han, and B. Thuraisingham, "Peer to Peer Botnet detection for cyber-security: A data mining approach," ACM Portal
• M. Feily, A. Shahrestani, and S. Ramadass, "A Survey of Botnet and Botnet Detection," Third International Conference on Emerging Security Information, Systems and Technologies (SECURWARE '09), 2009, pp. 268–273, IEEE
• Z. Li, A. Goyal, and Y. Chen, "Honeynet-based Botnet Scan Traffic Analysis," Northwestern University, Evanston, IL 60208
• B. AsSadhan, J. M. F. Moura, D. Lapsley, C. Jones, and W. T. Strayer, "Detecting Botnets Using Command and Control Traffic," Eighth IEEE International Symposium on Network Computing and Applications (NCA 2009), 2009, pp. 156–162
• Y. Xie and F. Yu, "Spamming botnets: signatures and characteristics"