
Integrating BotMiner & SNARE into SMITE

Nick Feamster and Wenke Lee, Georgia Tech. Students: Shuang Hao, Junjie Zhang. Status report: summary of BotMiner and SNARE; integration on the GaTech campus network; preliminary evaluation results; next steps.


Presentation Transcript


  1. Integrating BotMiner & SNARE into SMITE • Nick Feamster and Wenke Lee, Georgia Tech • Students: Shuang Hao, Junjie Zhang

  2. Status Report • Summary of BotMiner and SNARE • Integration on GaTech campus network • Preliminary evaluation results • Next steps

  3. SMITE Integration

  4. BotMiner: Structure and Protocol Independent Botnets can change their C&C content (encryption, etc.), protocols (IRC, HTTP, etc.), structures (P2P, etc.), C&C servers, infection models …

  5. Definition of a Botnet • “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel” • Hosts that have similar C&C-like traffic and similar malicious activities • We need to monitor two planes: C-plane (C&C communication plane): “who is talking to whom”; A-plane (malicious activity plane): “who is doing what”

  6. BotMiner Architecture • Sensors • Algorithms • Correlation

  7. SNARE: Network-Level Spam Filter • Single-Packet • AS of sender’s IP • Distance to k nearest senders • Status of email service ports • Geodesic distance • Time of day • Single-Message • Number of recipients • Length of message • Aggregate (Multiple Message/Recipient)

  8. Test Environment • Port mirrored from College of Computing network switch • About 300 Mbps

  9. Current Status • Real-time test on college network • Summary of results: pipeline runs in real time (200 to 300 Mbps); BotMiner & SNARE run in batch mode, detecting bots/spammers based on one day of data • Results from 4 days of testing: September 21-24, 2009

  10. Volume • N1: raw flows seen by the pipeline • N2: raw flows recorded • N3-B: C-flows (BotMiner) • N4-S: SMTP flows (SNARE) Time • T1: Dumping raw flows • T2-B: Aggregating raw flows to c-flows • T3-B: Clustering and correlation • T4-S: Feature extraction (single-packet based) • T5-S: Building classifier (based on sampled flows) • T6-S: Detection Metrics

  11. Detection Metrics • BotMiner: TP: Detection rate (6 botnets, including HTTP-, IRC-, and P2P-based botnets); FP: False positive rate • SNARE: TP: Detection rate (ground truth from DNSBL); FP: False positive rate

  12. Reducing Flow Volume • N2 (# of flows recorded) < N1 (# of raw flows) • Policies for reducing volume: • Keep only the flows whose SrcIP is in the internal network and whose DstIP is in an external network • For TCP flows, to eliminate scanning flows, we record in the database only flows that have at least 2 packets in the outgoing or incoming direction. BotMiner detects scanning/spamming behaviors on the raw flows (rather than on the flows recorded in the database) • SNARE works on SMTP flows • Discard the flows whose IP appears on the whitelist (e.g., internal major HTTP/DNS servers)
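The three flow-reduction policies from this slide, written out as an added example (this is not the SMITE pipeline's own code); the internal prefix, the whitelist entries and the sample flows are constructed, since the campus values are not on the page:

```python
# Added example: flow-reduction policies from the "Reducing Flow Volume" slide.
import ipaddress
from dataclasses import dataclass

# Assumed internal prefix and whitelist (constructed; real campus values are not given).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WHITELIST = {ipaddress.ip_address("10.0.0.53")}  # e.g. a major internal DNS server


@dataclass
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    pkts_out: int   # packets from src to dst
    pkts_in: int    # packets from dst to src


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def keep_flow(flow):
    """Return True if the raw flow should be recorded in the database (counted in N2)."""
    # Policy 1: keep only internal source -> external destination.
    if not (is_internal(flow.src) and not is_internal(flow.dst)):
        return False
    # Policy 2: for TCP, drop scan-like flows; require >= 2 packets in some direction.
    # (Scanning/spamming detection itself still runs on the raw flows, not on this subset.)
    if flow.proto == "tcp" and flow.pkts_out < 2 and flow.pkts_in < 2:
        return False
    # Policy 3: drop flows that touch a whitelisted address.
    if ipaddress.ip_address(flow.src) in WHITELIST or ipaddress.ip_address(flow.dst) in WHITELIST:
        return False
    return True


def reduce_flows(flows):
    """N1 -> N2: apply all three policies and return the flows to record."""
    return [f for f in flows if keep_flow(f)]


SAMPLE_FLOWS = [  # constructed raw flows
    Flow("10.1.2.3", "203.0.113.10", "tcp", 5, 4),    # kept
    Flow("10.1.2.3", "203.0.113.11", "tcp", 1, 0),    # single-packet TCP (scan-like): dropped
    Flow("203.0.113.12", "10.1.2.3", "tcp", 3, 3),    # inbound: dropped
    Flow("10.1.2.3", "10.1.2.4", "tcp", 3, 3),        # internal to internal: dropped
    Flow("10.0.0.53", "198.51.100.5", "udp", 1, 1),   # whitelisted DNS server: dropped
    Flow("10.1.2.9", "198.51.100.7", "udp", 1, 0),    # UDP is not subject to policy 2: kept
]
```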

  13. Pipeline Configuration • Device info: Intel(R) Xeon(TM) CPU 3.00GHz, 2G memory, Debian Linux 2.6.16 • NIC information: Link encap:Ethernet HWaddr 00:15:c5:e6:72:96; inet6 addr: 2610:148:1f02:8f00:215:c5ff:fee6:7296/64 Scope:Global; inet6 addr: fe80::215:c5ff:fee6:7296/64 Scope:Link; UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 • Pipeline configuration: -pcaplive device=eth1 -addressanalysis -flow_analyzer dump_period=600 (10 minutes)

  14. Volume: Number of Flows

  15. BotMiner Evaluation: Time All times in minutes

  16. BotMiner Evaluation: Detection The number of the hosts we used to evaluate the false positives is the number of internal hosts in the recorded flows.

  17. SNARE Evaluation • Single packet/header features (for initial testing): • AS number • Geodesic distance between the sender and the recipient • Message size (bytes sent) • Local hour when the email was sent

  18. Evaluation of SNARE • SNARE trains on sampled SMTP flows (in T5-S) • All times in seconds • 1) The detection time (T6-S) is relatively small (note: over all SMTP flows) • 2) Time for training on 50,000 samples (in T5-S) is high, probably because it reaches the physical memory limit.

  19. Next Steps • Optimize the flow dumping process to improve efficiency. • In the case of SNARE, evaluate with more features.
