botnet dection system n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Botnet Dection system PowerPoint Presentation
Download Presentation
Botnet Dection system

Loading in 2 Seconds...

play fullscreen
1 / 28

Botnet Dection system - PowerPoint PPT Presentation


  • 107 Views
  • Uploaded on

Botnet Dection system. Introduction. Botnet problem Challenges for botnet detection. What Is a Bot/Botnet?. Bot A malware instance that runs autonomously and automatically on a compromised computer (zombie) without owner’s consent Profit-driven, professionally written, widely propagated

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Botnet Dection system' - isaiah


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
introduction
Introduction
  • Botnet problem
  • Challenges for botnet detection
what is a bot botnet
What Is a Bot/Botnet?
  • Bot
    • A malware instance that runs autonomously and automatically on a compromised computer (zombie) without owner’s consent
    • Profit-driven, professionally written, widely propagated
  • Botnet (Bot Army): network of bots controlled by criminals
    • Definition: “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel”
    • Architecture: centralized (e.g., IRC,HTTP), distributed (e.g., P2P)
    • “25% of Internet PCs are part of a botnet!” ( - Vint Cerf)
botnets are used for
Botnets are used for …
  • All DDoS attacks
  • Spam
  • Click fraud
  • Information theft
  • Phishing attacks
  • Distributing other malware, e.g., spywarePCs are part of a botnet!” ( - Vint Cerf)
challenges for botnet detection
Challenges for Botnet Detection
  • Bots are stealthy on the infected machines

– We focus on a network-based solution

  • Bot infection is usually a multi-faceted and multiphased process

– Only looking at one specific aspect likely to fail

  • Bots are dynamically evolving

– Static and signature-based approaches may not be effective

  • Botnets can have very flexible design of C&C

channels

– A solution very specific to a botnet instance is not

desirable

roadmap to three detection systems
Roadmap to three Detection Systems
  • Bothunter: regardless of the C&C structure and network protocol, if they follow pre-defined infection live cycle
  • Botsniffer:works for IRC and http, can be extended to detect centralized C&C botnets
  • Botminer:independent of the protocol and structure
bothunter system detection on single infected client
BotHunter system-detection on single infected client
  • Detecting Malware Infection ThroughIDS-Driven Dialog Correlation
  • Monitors two-way communication flows between internal networks and the Internet for signs of bot and other malware
  • Correlates dialog trail of inbound intrusion alarms with outbound communication patterns
dialog based correlation
Dialog-based Correlation
  • BotHunter employs an

Infection Lifecycle Model

to detect host infection behavior

evaluation
Evaluation
  • Example: http://www.cyber-ta.org/releases/malware-analysis/public/2009-01-13-public/
botsniffer detection on centralized c c botnets irc http
BotSniffer-detection on centralized C&C botnets(IRC,HTTP)
  • WHY we will focus on C&C?
  • C&C is essential to a botnet

– Without C&C, bots are just discrete, unorganized infections

  • C&C detection is important

– Relatively stable and unlikely to change within botnets

– Reveal C&C server and local victims

– The weakest link

correlation engine
Correlation Engine
  • Based on two properties
  • Response crowd

– a set of clients that have (message/activity) response behavior

-A Dense response crowd: the fraction of clients with message/activity behavior within the group is larger than a threshold (e.g., 0.5).

  • A homogeneous response crowd

– Many members have very similar responses

why botminer
Why Botminer?
  • Botnets can change their C&C content

(encryption, etc.), protocols (IRC, HTTP, etc.),structures (P2P, etc.), C&C servers, dialog models

  • So bothunter, botsniffer systems may be evaded. We need to consider more
revisit botnet definition
Revisit Botnet Definition
  • “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel”
  • We need to monitor two planes

– C-plane (C&C communication plane): “who is talking to whom”

– A-plane (malicious activity plane): “who is doing what”

c plane clustering
C-Plane clustering
  • What characterizes a communication flow (Cflow)

between a local host and a remote service?

– <protocol, srcIP, dstIP, dstPort>

cross clustering
Cross-clustering
  • Two hosts in the same A-clusters and

in at least one common C-cluster are

clustered together

botnet detection systems summary
Botnet Detection Systems summary
  • Bothunter: Vertical Correlation. Correlation on the behaviors of single host.
  • Botsniffer: Horizontal Correlation. On centralized C&C botnets
  • Botminer: Extension on Botsniffer, no limitations on the C&C types.
slide28

Thank you!

Questions?