Botnet Dection system - PowerPoint PPT Presentation

isaiah
botnet dection system n.
Skip this Video
Loading SlideShow in 5 Seconds..
Botnet Dection system PowerPoint Presentation
Download Presentation
Botnet Dection system

play fullscreen
1 / 28
Download Presentation
114 Views
Download Presentation

Botnet Dection system

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Botnet Dection system

  2. Introduction • Botnet problem • Challenges for botnet detection

  3. What Is a Bot/Botnet? • Bot • A malware instance that runs autonomously and automatically on a compromised computer (zombie) without owner’s consent • Profit-driven, professionally written, widely propagated • Botnet (Bot Army): network of bots controlled by criminals • Definition: “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel” • Architecture: centralized (e.g., IRC,HTTP), distributed (e.g., P2P) • “25% of Internet PCs are part of a botnet!” ( - Vint Cerf)

  4. Botnets are used for … • All DDoS attacks • Spam • Click fraud • Information theft • Phishing attacks • Distributing other malware, e.g., spywarePCs are part of a botnet!” ( - Vint Cerf)

  5. Challenges for Botnet Detection • Bots are stealthy on the infected machines – We focus on a network-based solution • Bot infection is usually a multi-faceted and multiphased process – Only looking at one specific aspect likely to fail • Bots are dynamically evolving – Static and signature-based approaches may not be effective • Botnets can have very flexible design of C&C channels – A solution very specific to a botnet instance is not desirable


  6. Roadmap to three Detection Systems • Bothunter: regardless of the C&C structure and network protocol, if they follow pre-defined infection live cycle • Botsniffer:works for IRC and http, can be extended to detect centralized C&C botnets • Botminer:independent of the protocol and structure

  7. BotHunter system-detection on single infected client • Detecting Malware Infection ThroughIDS-Driven Dialog Correlation • Monitors two-way communication flows between internal networks and the Internet for signs of bot and other malware • Correlates dialog trail of inbound intrusion alarms with outbound communication patterns

  8. Bot infection case study: Phatbot

  9. Dialog-based Correlation • BotHunter employs an Infection Lifecycle Model to detect host infection behavior

  10. Bothunter Architecture

  11. Evaluation • Example: http://www.cyber-ta.org/releases/malware-analysis/public/2009-01-13-public/

  12. BotSniffer-detection on centralized C&C botnets(IRC,HTTP) • WHY we will focus on C&C? • C&C is essential to a botnet – Without C&C, bots are just discrete, unorganized infections • C&C detection is important – Relatively stable and unlikely to change within botnets – Reveal C&C server and local victims – The weakest link

  13. Botnet C&C Communication Example

  14. Botnet C&C: Spatial-Temporal Correlation and Similarity

  15. BotSniffer Architecture

  16. Correlation Engine • Based on two properties • Response crowd – a set of clients that have (message/activity) response behavior -A Dense response crowd: the fraction of clients with message/activity behavior within the group is larger than a threshold (e.g., 0.5). • A homogeneous response crowd – Many members have very similar responses

  17. Evaluation

  18. Why Botminer? • Botnets can change their C&C content (encryption, etc.), protocols (IRC, HTTP, etc.),structures (P2P, etc.), C&C servers, dialog models • So bothunter, botsniffer systems may be evaded. We need to consider more

  19. Revisit Botnet Definition • “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel” • We need to monitor two planes – C-plane (C&C communication plane): “who is talking to whom” – A-plane (malicious activity plane): “who is doing what”

  20. C-Plane clustering • What characterizes a communication flow (Cflow) between a local host and a remote service? – <protocol, srcIP, dstIP, dstPort>

  21. A-plane clustering

  22. Cross-clustering • Two hosts in the same A-clusters and in at least one common C-cluster are clustered together

  23. Botminer Architecture

  24. Evaluation Data

  25. Evaluation Result(FP)

  26. Evaluation Result(Detection Rate)

  27. Botnet Detection Systems summary • Bothunter: Vertical Correlation. Correlation on the behaviors of single host. • Botsniffer: Horizontal Correlation. On centralized C&C botnets • Botminer: Extension on Botsniffer, no limitations on the C&C types.

  28. Thank you! Questions?