modeling and measuring botnets n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Modeling and Measuring Botnets PowerPoint Presentation
Download Presentation
Modeling and Measuring Botnets

Loading in 2 Seconds...

play fullscreen
1 / 26

Modeling and Measuring Botnets - PowerPoint PPT Presentation


  • 146 Views
  • Uploaded on

Modeling and Measuring Botnets. David Dagon, Wenke Lee Georgia Institute of Technology Cliff C. Zou Univ. of Central Florida. Outline. Motivation Diurnal modeling of botnet propagation Botnet population estimation Botnet threat assessment Advanced botnet. Motivation.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Modeling and Measuring Botnets' - stamos


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
modeling and measuring botnets

Modeling and Measuring Botnets

David Dagon, Wenke Lee

Georgia Institute of Technology

Cliff C. Zou

Univ. of Central Florida

outline
Outline
  • Motivation
  • Diurnal modeling of botnet propagation
  • Botnet population estimation
  • Botnet threat assessment
  • Advanced botnet
motivation
Motivation
  • Botnet becomes a serious threat
  • Not much research on botnet yet
    • Empirical analysis of captured botnets
      • Mainly based on honeypot spying
  • Need understanding of the network of botnet
    • Botnet growth dynamics
    • Botnet (on-line) population, threat level …
  • Well prepared for next generation botnet
outline1
Outline
  • Motivation
  • Diurnal modeling of botnet propagation
  • Botnet population estimation
  • Botnet threat assessment
  • Advanced botnet
botnet monitor gatech karstnet

KarstNet sinkhole

Botnet Monitor: Gatech KarstNet

attacker

  • A lot bots use Dyn-DNS name to find C&C

C&C

C&C

cc1.com

  • KarstNet informs DNS provider of cc1.com
    • Detect cc1.com by its abnormal DNS queries

bot

bot

bot

  • DNS provider maps cc1.com to Gatech sinkhole (DNS hijack)
  • All/most bots attempt to connect the sinkhole
diurnal pattern in monitored botnets
Diurnal Pattern in Monitored Botnets

Diurnal pattern affects botnet propagation rate

Diurnal pattern affects botnet attack strength

botnet diurnal propagation model
Botnet Diurnal Propagation Model
  • Model botnet propagation via vulnerability exploit
    • Same as worm propagation
    • Extension of epidemic models
  • Model diurnal pattern
    • Computers in one time zone  same diurnal pattern
    • “Diurnal shaping function” i(t) of time zone i
      • Percentage of online hosts in time zone i
      • Derived based on the continuously connection attempts by bots in time zone i to Gatech KarstNet
modeling propagation single time zone
Modeling Propagation: Single Time Zone

:# of online infected

: # of infected

: # of vulnerable

:# of online vulnerable

Diurnal pattern means:

removal

Epidemic model

Diurnal model

modeling propagation k multiple time zones internet

scan rate from zone ji

IP space size of zone i

Modeling Propagation: KMultiple Time Zones (Internet)

Limited ability to model

non-uniform scan

validation fitting model to botnet data
Validation: Fitting model to botnet data
  • Diurnal model is more accurate than traditional epidemic model
applications of diurnal model
Applications of diurnal model
  • Predict future botnet growth with monitored ones
    • Use same vulnerability?  have similar (t)
  • Improve response priority

Released at

different time

outline2
Outline
  • Motivation
  • Diurnal modeling of botnet propagation
  • Botnet population estimation
  • Botnet threat assessment
  • Advanced botnet
population estimation i capture recapture
Population estimation I: Capture-recapture
  • How to obtain two independent samples?
    • KarstNet monitors two C&C for one botnet
      • Need to verify independence with more data
      • Study how to get good estimation when two samples are not independent
    • KarstNet + honeypot spying
      • Guaranteed independence?

# of observed (two samples)

Botnet

population

# of observed in both samples

population estimation ii dns cache snooping
Population estimation II: DNS cache snooping
  • Estimate # of bots in each domain via DNS queries of C&C to its local DNS server
    • Non-recursive query will not change DNS cache

Cache

TTL

….

Time

If queries inter-arrival time is exponentially distributed,

then Ti follows the same exp. distr. (memoryless)

Query rate/bot

outline3
Outline
  • Motivation
  • Diurnal modeling of botnet propagation
  • Botnet population estimation
  • Botnet threat assessment
  • Advanced botnet
basic threat assessment
Basic threat assessment
  • Botnet size (population estimation)
  • Active/online population when attack (diurnal model)
  • IP addresses of bots in botnets
    • Basis for effective filtering/defense
    • KarstNet is a good monitor for this
      • Honeypot spying is not good at this
  • Botnet control structure (easy to disrupt?)
    • IPs and # of C&C for a botnet?
    • P2P botnets?
botnet attack bandwidth
Botnet attack bandwidth
  • Bot bandwidth: Heavy-tailed distribution
    • Filtering 32% of bots cut off 70% of attack traffic
  • How about bots bandwidth in term of ASes?
    • If yes, then contacting top x% of ASes is enough for a victim to defend against botnet DDoS attack
outline4
Outline
  • Motivation
  • Diurnal modeling of botnet propagation
  • Botnet population estimation
  • Botnet threat assessment
  • Advanced botnet
monitoring evasion by botmasters

bot

sensor (secret)

malicious traffic

Authorize

Inform bot’s IP

C&C

Monitoring evasion by botmasters
  • Honeypot detection
    • Honeypot defenders are liable for attacks sending out
  • C&C hijacking detection (e.g., KarstNet)
    • Check if C&C names map to their real IPs
      • Attacker knows which computers used for C&Cs
    • Check if C&C passes trivial commands to bots
advanced hybrid p2p botnet
Advanced hybrid P2P botnet
  • Why use P2P by attackers?
    • Remove control bottleneck (C&C)
    • C&Cs are easy to be monitored
      • One honeypot spy reveals all C&Cs
      • One captured/hijacked C&C reveals all bots
    • C&C are easy to be shut down (limited number)
  • Current P2P protocols will not work for botnets
    • Bootstrap process is vulnerable to be blocked
    • Disable global view from each bot (prevent monitoring)
    • Must consider DHCP, private IP, firewall, capture, removal
advanced botnet designs
Advanced botnet designs

Servent bots

  • Servent bots:
    • static IP, no firewall blocking
  • Peer-list based connection:
    • Max number of servent bot IPs in each bot
      • Limited view of botnet
    • Built as a botnet spreads
      • No bootstrap process
      • No reveal of entire botnet

Client bots

  • Compare to C&C botnets:
    • Large # of C&C bots interconnect to each other
advanced botnet designs1

Peer list:

Advanced botnet designs
  • Public key in bot code, private key in botmaster
    • Ensure command authentication/integrity
  • Individualized encryption, service port
    • Defeat traffic-based detection
    • Limited exposure when one bot is captured
advanced botnet designs2
Advanced botnet designs
  • Easy monitoring by botmaster
    • Command all bots report to a “sensor” host
      • Each bot report: peer list, encryption key, service port, IP, diurnalproperty, IP property, link bandwidth….
    • Different sensor hosts in each round of report command
      • Prevent sensors from being blocked, captured
  • Robust botnet construction by peer-list updating
    • With few re-infections, initial servent bots are highly connected (each connecting to >60% of bots in a botnet)
    • “Peer-list Update” command: each bot goes to a “sensor” host to get its new peer list
      • Peer list randomly selected from previous reported servent bots
botnet robustness study
Botnet robustness study
  • : remove top p fraction of servent bots used in “update” command
  • : connected ratio – how many remaining bots are connected
  • Simulation settings:
    • 20,000-size botnet, 5000 are servent bots (hundreds of reinfections)
    • 1000 servent bots used in update command
future work
Future work
  • Propagation modeling
    • Diurnal model of email-based propagation
    • Parameters: (t), , removal dynamics
  • Population estimation:
    • Validate the independence of monitor samples
    • Validate the Poisson arrival in C&C DNS queries
  • Threat assessment
    • AS-level botnet bandwidth (heavy tailed?)
    • Bot access link speed --- better representation?
  • Monitor and model of advanced botnets
reference
Reference
  • NSF Cyber Trust grant: CNS-0627318
    • "Collaborative Research: CT-ISG: Modeling and Measuring Botnets"
    • PI: Cliff Zou, PI: Wenke Lee
  • David Dagon, Cliff C. Zou, and Wenke Lee. "Modeling Botnet Propagation Using Time Zones," in 13th Annual Network and Distributed System Security Symposium (NDSS), Feb., San Diego, 2006 (Acceptance ratio: 17/127=13.4%).
  • Cliff C. Zou and Ryan Cunningham. "Honeypot-Aware Advanced Botnet Construction and Maintenance," in the International Conference on Dependable Systems and Networks (DSN), Jun., Philadelphia, 2006 (Acceptance ratio: 34/187=18.2%).
  • Ping Wang, Sherri Sparks, Cliff C. Zou. “An Advanced Hybrid Peer-to-Peer Botnet,” in submission.
  • Cliff Zou homepage:http://www.cs.ucf.edu/~czou/