BotGAD: Detecting Botnets by Capturing Group Activities in Network Traffic

Hyunsang Choi, Heejo Lee, and Hyogon Kim

COMSWARE '09, Proceedings of the Fourth International ICST Conference on COMmunication System softWAre and middlewaRE

Presenter: Yi Ning Chen

Outline


  • Introduction
  • Related Work
  • Group Activity of Botnet and Detection Scheme
  • Case Study: BOTGAD Using DNS
  • Conclusion
Introduction
  • A botnet is a network of compromised machines controlled by an attacker to carry out online criminal activities, including identity theft, e-mail spam, click fraud and DDoS attacks.
  • A botnet's master can control the group remotely through a command-and-control server (C&C server).
Difficulties of botnet detection
  • Botnet traffic is hard to detect because it resembles normal traffic; worse, it may contain encrypted communication.
  • Botnets evolve quickly as more users fail to protect their computers, helping attackers evade existing protection mechanisms.
  • Even where a botnet detection method can capture botnets that use evasion techniques, most methods need a huge amount of data that cannot be analyzed in real time.
Related Works
  • BotSniffer (2008)
    • BotSniffer has a concept similar to BotGAD's in that it captures synchronized botnet communication.
    • Unlike BotGAD, BotSniffer performs string matching to detect similar responses from bots.
  • BotMiner (2008)
    • Presents a botnet detection method that clusters a botnet's communication traffic and activity traffic.
Observation of Botnet
  • We find a common property of botnets: group activity.
    • Bots receive/send control traffic, download new codes, migrate the communication channel, and perform malicious behaviors.
Botnet Life Cycle

(Figure: bots → DNS server, C&C server; bots → target host; bots → C&C server)

Group Activity of Botnet
  • Centralized botnets (HTTP and IRC)
  • P2P botnets
    • Group activities can be observed during upgrading/synchronizing.
Two Cases of Group Activities
  • Suppose that we monitor incoming and outgoing traffic at a network gateway.

(Figure: incoming group activity; outgoing group activity)

Internal and External Group
  • t_i: internal target
  • t_e: external target
  • An internal group G_i and an external group G_e perform activity a on an external/internal target within a time window w_n:
  • G_i = {a, t_e, w_n}
  • G_e = {a, t_i, w_n}
  • Assume that a group G is observed within w_n and G' within w_n+1.
  • To measure the group uniformity, we compute a similarity between G and G':
  • Kulczynski similarity
  • Cosine similarity
  • Jaccard similarity
Data Collection & Group Classifier

(Figure: group classifier table, e.g. whether IP addr 1 performs the group activity within w_1)

Estimate Group Properties – Average Similarity
  • Some botnet groups can be seen in w_i but not in w_n+1 due to the relatively small value chosen for w.
  • Therefore, we delete deficient column vectors which satisfy the deletion condition (m is the number of hosts in the group).
  • Average similarity value within a given monitoring time t (t = nw)
Estimate Group Properties – Periodicity & Intensity
  • Periodicity
  • If the periodicity P is equal to zero, the group entries occurred periodically at each time window.
  • Intensity
  • If the intensity is equal to one, the group entries appear intensively.
  • Many groups found in normal communication patterns do not appear intensively.
Identify Botnet
  • With the combination of average similarity, periodicity and intensity, BotGAD decides whether a group is a botnet or not.
  • If average similarity > λD, the group is considered suspicious.
  • Delete false positives which have intensity < λI.
  • Among the remaining groups, if periodicity < λP, we judge the groups to be periodic bots.
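The similarity metrics and the decision steps above, as an added Python example (not the paper's code) over constructed DNS query records: three metrics between consecutive windows G and G', average similarity after dropping deficient windows, and the λD/λI checks. Reading the deficient-column rule as "fewer than λS hosts in a window" and intensity as the fraction of windows in which the group appears are assumptions; periodicity is left out because the slides do not define it.

```python
from math import sqrt
from collections import defaultdict

# Constructed sample DNS records: (time window index, source host, queried domain).
# cnc.example: the same 3 hosts in every window (bot-like group activity).
# upd.example: 3 hosts in windows 0 and 2 only (window 1 is a deficient column).
# news.example: a different set of 3 hosts in each window (normal traffic).
QUERIES = (
    [(w, f"10.0.0.{h}", "cnc.example") for w in range(3) for h in (1, 2, 3)]
    + [(w, f"10.0.2.{h}", "upd.example") for w in (0, 2) for h in (1, 2, 3)]
    + [(w, f"10.0.1.{3 * w + h}", "news.example") for w in range(3) for h in (1, 2, 3)]
)

def jaccard(a, b):
    return len(a & b) / len(a | b)

def cosine(a, b):
    return len(a & b) / sqrt(len(a) * len(b))

def kulczynski(a, b):
    return 0.5 * (len(a & b) / len(a) + len(a & b) / len(b))

def build_groups(queries):
    """Map each domain to {window index: set of hosts that queried it}."""
    groups = defaultdict(lambda: defaultdict(set))
    for window, host, domain in queries:
        groups[domain][window].add(host)
    return groups

def average_similarity(windows, n, size_min, sim):
    """Mean similarity between consecutive kept windows G and G'; windows with fewer
    than size_min hosts are dropped (assumed reading of the deficient-column rule)."""
    kept = [windows[w] for w in range(n) if len(windows.get(w, ())) >= size_min]
    if len(kept) < 2:
        return 0.0
    return sum(sim(a, b) for a, b in zip(kept, kept[1:])) / (len(kept) - 1)

def classify(queries, n, size_min=3, lam_d=0.5, lam_i=0.5, sim=jaccard):
    """Apply the decision steps; intensity is assumed to be the fraction of the
    n windows in which the group appears with at least size_min hosts."""
    verdicts = {}
    for domain, windows in build_groups(queries).items():
        present = sum(len(windows.get(w, ())) >= size_min for w in range(n))
        if average_similarity(windows, n, size_min, sim) <= lam_d:
            verdicts[domain] = "normal"            # not uniform enough to be a group
        elif present / n < lam_i:
            verdicts[domain] = "false positive"    # too weak, dropped by lambda_I
        else:
            verdicts[domain] = "suspicious"        # uniform and intense: botnet-like
    return verdicts
```

Passing `sim=cosine` or `sim=kulczynski` to `classify` reproduces the three-metric comparison the experiments discuss.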
DNS Used in Botnets (1/2)
  • Rally
    • If a host infection succeeds, the host sends a DNS query to learn the name of a C&C server.
  • Update
    • Botnets usually update their code with the latest version by downloading it from their web repository. The bots find the repository using DNS.
  • Synchronization
    • Some botnets synchronize the system time of infected machines with the Network Time Protocol (NTP), resolving the time server via DNS (e.g., the Storm worm botnet [16]).
DNS Used in Botnets (2/2)
  • Cloning and Reconnection
    • Bots frequently clone and reconnect to remain undetectable. At that moment, bots find their new/old channel servers using DNS.
  • Migration
    • Botnets migrate C&C servers using DNS.
  • Attack
    • Spamming, DDoS attacks and click fraud attacks may use DNS to find victims.
  • Collect DNS traces tapped from the gateway router of a /16 campus network.
  • Experiment #1 on 2008/5/19
    • 6.28 GB of DNS traffic and 19.52 million DNS queries
    • Observed 640,000 domain groups on average, but only 8% of the groups (51,200) have more than 3 hosts.
    • Decide the group size threshold λS to be 3
  • Experiment #2 on 2008/12/24
    • 1.48 GB of DNS traffic and 4.6 million DNS queries
    • DNS queries decreased remarkably because of the NAC (Network Access Control) solution
Measured 3 Different Similarities
  • Experiment #1
  • w: 10 minutes, t: 1 hour
Comparison of Experiment Results
  • The comparison infers that the NAC solution affects BotGAD positively.
Dealing with False Positives
  • After applying λI, there were still some false positives. Most are update-related domains, which can be removed using a white list.
Evadability of BotGAD
  • If bots intentionally generate fake DNS queries using source address spoofing, the fake queries can poison BotGAD.
  • We can check the follow-up TCP connections of DNS queries to delete the fake queries.
Conclusion
  • We define an inherent property of botnets, called group activity.
  • We develop a metric model to measure the property and a detection mechanism which can detect botnets in large-scale networks in real time.
  • We implemented BotGAD using DNS traffic as a case study and showed the effectiveness of the implemented system through experiments on a real-life campus network trace.