
MURI Kickoff Welcome!






Presentation Transcript


  1. MURI Kickoff Welcome!
     • First, introductions… all around
     • Some context and expectations
     • We’re going to give some informal presentations about our plans
     • Project just started, so few results yet
     • Each will have a leader, but this is a collaborative effort, so expect everyone to chime in
     • Please ask questions and give feedback anytime
     • We’ll try to keep to schedule, but we can go where you want

  2. Rough schedule
     • 10:00-10:30  UCB/UCSD project overview/programmatics
     • 10:30-11:00  Botfarm and dynamic containment
     • 11:00-11:30  Automated binary analysis
     • 11:30-12:00  NLP of underground communications
     • 12:00-1:30   Lunch
     • 1:30-3:30    Wenke et al. (GATech/UMich/UCSB/Stanford)
     • 3:30-4:00    Break
     • 4:00-5:00    Feedback/brainstorming

  3. Infiltration of Botnet Command & Control and Support Ecosystems
     MURI Kickoff 2009
     PIs: Stefan Savage, Geoff Voelker (UCSD); Vern Paxson, Dawn Song and Dan Klein (UC Berkeley)

  4. Key threat transformations of the 21st century
     • Efficient large-scale compromises
       • Internet communications model
       • Software homogeneity
       • User naïveté/fatigue
     • Control networks
       • Cheap scalability for criminal applications (e.g. spam, info theft, DDoS, etc.)
     • Platform economy
       • Profit-driven applications
       • Commodity resources (IP, bandwidth, storage, CPU)
       • Unique resources (PII/credentials, data exfiltration)

  5. Philosophy
     • Need to understand and impact botnets from “the inside” instead of simply via their external actions
     • Address the real adversary: real bots and real botmasters
     • Botnet infiltration (SIGINT)
       • Intelligence collection (what is the botnet doing?)
       • Command injection (tell the botnet to do this)
       • Botnet disruption (shut down and/or take over the botnet)
     • Ecosystem intelligence (HUMINT)
       • Data mining/NLP on underground Web/chat to infer social relationships in the botnet ecosystem
       • Who is supplying which resources, what are the stress points, points of attribution, etc.

  6. Botnet infiltration
     • Key idea: distributed C&C is a vulnerability
       • Botnet authors like de-centralized communications for scalability and resilience, but…
       • … to do so, they trust their bots to be good actors
       • If you can modify the right bots, you can observe and influence the actions of the botnet via their communications
     • We have done this once
       • Infiltrated the Storm P2P botnet
       • Able to track everything the botnet did and influence its actions
       • But… one-off, and hard to scale
     Kanich, Kreibich, Levchenko, Enright, Paxson, Voelker and Savage, Spamalytics: An Empirical Analysis of Spam Marketing Conversion, ACM CCS 2008

  7. Botnet infiltration challenges
     • Obtaining and grooming bots (tricky in practice)
     • Safe execution environment
       • Must run bots, but contain their negative side-effects
       • Fine-grained containment control via network, VMs, etc. (informed by past work on Potemkin/GQ honeyfarms)
       • Especially must control the scope of our “attacks”
     • C&C extraction from botnet binaries
       • Extract the C&C protocol without extensive manual reverse-engineering
       • Use it to feed containment, attacks and the C&C proxy
     • Attack development and testing
       • Passive, cooperatively active, adversarially active
     • Legal/policy issues

  8. Ecosystem intelligence
     • Key idea: the social graph of botmasters and the bot support ecosystem (clients, authors, cashiers, etc.) is implicit in underground communications
       • Underground forums, chat, etc.
       • Marketing, sales, requests, complaints, side-deals, etc.
       • By extracting this graph we can relate actors to actions
     • We have done something similar once
       • Analyzed 9 months of #ccpower underground IRC data
       • Extracted buyer/seller and pricing relationships
       • Manual, error-prone, no notion of a specific actor
     Franklin, Perrig, Paxson and Savage, An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, ACM CCS 2007

  9. Ecosystem intelligence challenges
     • Pidgin/slang content (Eblish/…)
     • Extracting structure from short, free-form, agrammatical elements
     • Identity aliasing and multiple identities/pseudonyms
     • Matching across multiple sources
     • Limited ground-truth knowledge
     • Access to data
     Sample underground chat lines:
       “WU confirmer can confirm males and females have drops in usa”
       “AM VERIFIED MSG ME”
       “i am boa cashout have wells and boa logins and i need to good drop man”
       “.......ripper f#@! off”
       “Have dropper for bots, all ie sploits”
       “whos a good reg for fluxing?”
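As an added example (not code from the slides or the project), the sketch below shows the kind of extraction step slides 8 and 9 describe: turning short, slang-heavy chat lines into actor/role/resource edges and then pairing offers against requests to get candidate supply-chain relationships. The input is constructed: the slide's excerpts with made-up IRC nicks prepended. The slang lexicon, the offer/request cue words, the "nearest cue" intent heuristic and the nick-normalisation rule for aliasing are all my assumptions, chosen to illustrate the challenges on slide 9 rather than to reflect how the project actually did it.

```python
import re
from collections import defaultdict

# Constructed sample: the slide's excerpts with hypothetical nicks prepended.
# "ledger" and "Ledger_" are deliberately the same person under two spellings.
CHAT = [
    "<ledger> WU confirmer can confirm males and females have drops in usa",
    "<Ledger_> AM VERIFIED MSG ME",
    "<k1ng> i am boa cashout have wells and boa logins and i need to good drop man",
    "<b0x> ripper f#@! off",
    "<marx> Have dropper for bots, all ie sploits",
    "<newbie> whos a good reg for fluxing?",
]

# Intent cues (assumed). A lexicon hit takes the intent of the nearest
# preceding cue; hits before the first cue take that cue's intent; a line
# with no cue at all yields "mentions" (e.g. an accusation, not a trade).
CUES = [
    (re.compile(r"\b(have|i am|can confirm|verified)\b"), "offers"),
    (re.compile(r"\b(need|whos a|who's a|looking for)\b"), "seeks"),
]

# Hand-built, incomplete slang lexicon (assumed): pattern, canonical item, kind.
LEXICON = [
    (re.compile(r"\bconfirmer\b"), "confirmer", "role"),
    (re.compile(r"\bcash(out|ier)\b"), "cashier", "role"),
    (re.compile(r"\bdropper\b"), "dropper", "role"),
    (re.compile(r"\bripper\b"), "ripper", "role"),
    (re.compile(r"\breg\b"), "registrar", "role"),
    (re.compile(r"\bdrops?\b"), "drop", "resource"),
    (re.compile(r"\blogins?\b"), "logins", "resource"),
    (re.compile(r"\bsploits?\b"), "exploits", "resource"),
    (re.compile(r"\bbots?\b"), "bots", "resource"),
    (re.compile(r"\bwu\b"), "western_union", "resource"),
    (re.compile(r"\bflux(ing)?\b"), "fast_flux", "resource"),
]


def canonical_nick(nick):
    """Crude alias merging: case-fold and strip trailing underscores/digits,
    so ledger, Ledger_ and ledger2 collapse to 'ledger'. Real identity
    resolution needs far more (timing, writing style, shared contacts)."""
    return re.sub(r"[_\d]+$", "", nick.lower())


def parse_line(line):
    """Split '<nick> text' into (canonical nick, lower-cased text) or None."""
    m = re.match(r"<([^>]+)>\s*(.*)", line)
    if not m:
        return None
    return canonical_nick(m.group(1)), m.group(2).lower()


def extract(text):
    """Return (intent, item, kind) triples for one message."""
    events = []
    for rx, intent in CUES:
        for m in rx.finditer(text):
            events.append((m.start(), "cue", intent, None))
    for rx, item, kind in LEXICON:
        for m in rx.finditer(text):
            events.append((m.start(), "term", item, kind))
    events.sort(key=lambda e: e[0])
    # Terms that precede every cue inherit the first cue's intent.
    intent = next((e[2] for e in events if e[1] == "cue"), "mentions")
    triples = []
    for _, typ, a, b in events:
        if typ == "cue":
            intent = a
        else:
            triples.append((intent, a, b))
    return triples


def build_graph(lines):
    """actor -> list of (intent, item, kind) edges, aliases already merged."""
    graph = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        nick, text = parsed
        graph[nick].extend(extract(text))
    return dict(graph)


def match_supply(graph, item):
    """Candidate supply-chain edge: who offers `item` vs who seeks it."""
    sellers = sorted(a for a, es in graph.items()
                     if any(i == "offers" and it == item for i, it, _ in es))
    buyers = sorted(a for a, es in graph.items()
                    if any(i == "seeks" and it == item for i, it, _ in es))
    return sellers, buyers


if __name__ == "__main__":
    g = build_graph(CHAT)
    for actor, edges in g.items():
        print(actor, edges)
    print("drop suppliers/seekers:", match_supply(g, "drop"))
```

Even on six lines the slide's difficulties show up: the "ripper" line is an accusation, not an offer, and only the absence of a cue word keeps it out of the trade graph; "AM VERIFIED MSG ME" carries no extractable structure at all; and the alias merge is purely lexical, so a seller who switches nicks entirely is lost.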

  10. Goal/evaluation
     • Botnet infiltration
       • Can safely execute new botnet software while still becoming members of live botnets
       • Can efficiently extract botnet C&C
       • Can decode and interpret all commands, inject new commands (that are acted upon) and exploit bot vulnerabilities successfully
       • Validate that attacks only impact bots inside containment
     • Ecosystem intelligence
       • Identify actor identities/attributes, inter-actor relationships, supply-chain relationships, transactions and roles
       • Validate automated mapping against human domain-expert assessment
       • Correlate with external ground-truth data from other studies

  11. Milestones for this year
     • Design work and prototype infrastructure for botfarm containment/grooming; demonstrate safe hosting of many bot families
     • Prototype binary C&C extractor on one or more bots, with output to feed the containment network proxy (interpret C&C)
     • Design work on the ecosystem intelligence effort, dataset gathering, and gathering of some “ground-truth” data (via botnet output, domain registration, spam campaigns, etc.)

  12. Other sponsors/supporters
     • Funding and in-kind (data, equipment, access)
     • Several more who decline to be identified (industry)

  13. Education elements
     • Student training in research
       • Already have ~10 students involved in different aspects of the project (including 3 undergrads)
     • Class integration
       • Network security courses at Berkeley and UCSD
       • Internet Crime course at UCSD
     • Workforce development
       • Talks/tutorials to industry
       • Input to defense contractors in this space

  14. Project management
     • Tightly integrated group (many have 3-5 years of experience working with each other)
     • Communication via weekly teleconference, students on IM, physical student exchanges
     • Lead on each campus (Stefan, Vern) responsible for local organization issues, but we cross lines routinely
     • We attempt to centralize sensitive 3rd-party data and protect it there (tricky issues with respect to dual NDA negotiation)
     • Advance legal review on any issues of risk
     • Educational issues delegated to each PI, excepting distributed courses

  15. Questions?
