Botnet Detection Systems
Introduction
o Botnet problem
o Challenges for botnet detection
What Is a Bot/Botnet?
o Bot
– A malware instance that runs autonomously and automatically on a compromised computer (zombie) without the owner's consent
– Profit-driven, professionally written, widely propagated
o Botnet (bot army): a network of bots controlled by criminals
– Definition: "A coordinated group of malware instances that are controlled by a botmaster via some C&C channel"
– Architecture: centralized (e.g., IRC, HTTP) or distributed (e.g., P2P)
– "25% of Internet PCs are part of a botnet!" (Vint Cerf)
Botnets are used for …
o DDoS attacks
o Spam
o Click fraud
o Information theft
o Phishing attacks
o Distributing other malware, e.g., spyware
Challenges for Botnet Detection
o Bots are stealthy on the infected machines
– We focus on a network-based solution
o Bot infection is usually a multi-faceted and multi-phased process
– Looking at only one specific aspect is likely to fail
o Bots are dynamically evolving
– Static and signature-based approaches may not be effective
o Botnets can have very flexible C&C channel designs
– A solution very specific to one botnet instance is not desirable
Roadmap to Three Detection Systems
o BotHunter: detects infections regardless of the C&C structure and network protocol, provided they follow a pre-defined infection life cycle
o BotSniffer: works for IRC and HTTP; can be extended to detect other centralized C&C botnets
o BotMiner: independent of the C&C protocol and structure
BotHunter: detection on a single infected client
o Detecting Malware Infection Through IDS-Driven Dialog Correlation
o Monitors two-way communication flows between internal networks and the Internet for signs of bot and other malware infection
o Correlates the dialog trail of inbound intrusion alarms with outbound communication patterns
Bot infection case study: Phatbot
Dialog-based Correlation
o BotHunter employs an Infection Lifecycle Model to detect host infection behavior
BotHunter Architecture
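The following Python sketch is added here as an illustration of what dialog-based correlation means in practice; it is not BotHunter's own code. Per-host IDS alerts tagged with a dialog stage are gathered over a time window, and an infection is declared only when the combination of stages matches the lifecycle model, so an isolated inbound scan never triggers by itself. The five stage labels (E1 inbound scan, E2 inbound exploit, E3 egg download, E4 C&C communication, E5 outbound scan/attack propagation) and the two triggering conditions follow the published BotHunter model; the alert tuple format, the 4-minute window and the sample alerts are constructed for this example.

```python
"""Dialog-based infection correlation in the style of BotHunter.
Added example: the alert format, the window and the data are assumptions."""
from collections import defaultdict

STAGES = {"E1", "E2", "E3", "E4", "E5"}   # dialog stages of the lifecycle model
WINDOW = 240                               # seconds; assumed dialog window

# Constructed alert stream: (timestamp, internal_host, stage, note)
ALERTS = [
    (0,    "10.0.0.5",  "E1", "inbound portscan from external host"),
    (15,   "10.0.0.5",  "E2", "inbound exploit signature fired"),
    (40,   "10.0.0.5",  "E3", "egg download: binary fetched over HTTP"),
    (90,   "10.0.0.5",  "E4", "IRC JOIN to a remote channel"),
    (120,  "10.0.0.9",  "E1", "inbound portscan from external host"),
    (1000, "10.0.0.9",  "E4", "IRC JOIN to a remote channel"),
    (1005, "10.0.0.12", "E1", "inbound portscan from external host"),
]


def declares_infection(stages):
    """BotHunter's two conditions over the set of stages seen in one window:
    (1) local exploit evidence (E2) plus at least one outward sign (E3-E5), or
    (2) at least two distinct outward signs (E3-E5)."""
    outward = stages & {"E3", "E4", "E5"}
    cond1 = "E2" in stages and len(outward) >= 1
    cond2 = len(outward) >= 2
    return cond1 or cond2


def infection_profiles(alerts, window=WINDOW):
    """Return {host: sorted stages} for every host whose dialog trail, inside
    some window of `window` seconds, satisfies the model. Hosts that only show
    a single stage (e.g. they were merely scanned) are not reported."""
    by_host = defaultdict(list)
    for ts, host, stage, _note in alerts:
        if stage in STAGES:
            by_host[host].append((ts, stage))

    verdicts = {}
    for host, events in by_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # slide the window start
            stages = {s for t, s in events[i:] if t - t0 <= window}
            if declares_infection(stages):
                verdicts[host] = sorted(stages)
                break
    return verdicts


if __name__ == "__main__":
    for host, stages in infection_profiles(ALERTS).items():
        print(f"{host}: infection dialog {' -> '.join(stages)}")
```

Only 10.0.0.5 is reported: 10.0.0.9 shows E1 and E4, but more than four minutes apart, and 10.0.0.12 was only scanned. This is the point of correlating a dialog rather than alerting on any single event.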
Evaluation
o Example: http://www.cyberta.org/releases/malwareanalysis/public/2009-01-13-public/
BotSniffer: detection on centralized C&C botnets (IRC, HTTP)
o Why focus on C&C?
o C&C is essential to a botnet
– Without C&C, bots are just discrete, unorganized infections
o C&C detection is important
– Relatively stable and unlikely to change within a botnet
– Reveals the C&C server and the local victims
– The weakest link
Botnet C&C Communication Example
Botnet C&C: Spatial-Temporal Correlation and Similarity
BotSniffer Architecture
Correlation Engine
o Based on two properties
o Response crowd: a set of clients that have (message/activity) response behavior
– Dense response crowd: the fraction of clients with message/activity response behavior within the group is larger than a threshold (e.g., 0.5)
o Homogeneous response crowd
– Many members have very similar responses
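To make the two properties concrete, here is an added Python example (not BotSniffer's code) that checks one observation window of clients grouped by the server they talk to. Density is the fraction of group members that responded, compared against the 0.5 threshold from the slide. Homogeneity is measured as in the original idea, by clustering the response payloads on a string-similarity score (the Dice coefficient over character bigrams) and asking whether the largest cluster holds more than half of the responders. The grouping key, the similarity threshold of 0.6, and the two sample groups (one IRC C&C crowd, one set of ordinary web clients) are constructed for this example.

```python
"""Response-crowd density and homogeneity checks in the style of BotSniffer.
Added example; the grouping, thresholds and sample traffic are assumptions."""

# Constructed observation window: {(server, port): {client: response or None}}.
# None means the client belongs to the group but sent no response in the window.
OBSERVED = {
    ("198.51.100.20", 6667): {                      # suspected IRC C&C channel
        "10.0.0.11": "PRIVMSG #ops :scan 10.0.0.0/8 started",
        "10.0.0.12": "PRIVMSG #ops :scan 10.0.0.0/8 started",
        "10.0.0.13": "PRIVMSG #ops :scan 10.1.0.0/8 started",
        "10.0.0.14": None,
    },
    ("192.0.2.80", 80): {                           # ordinary web server
        "10.0.0.21": "GET /news/today.html HTTP/1.1",
        "10.0.0.22": None,
        "10.0.0.23": None,
        "10.0.0.24": "GET /img/logo.png HTTP/1.1",
    },
}


def bigrams(text):
    return {text[i:i + 2] for i in range(len(text) - 1)}


def dice(a, b):
    """Dice coefficient over character bigrams, 0.0 (disjoint) .. 1.0 (identical)."""
    ga, gb = bigrams(a), bigrams(b)
    if not ga and not gb:
        return 1.0
    return 2 * len(ga & gb) / (len(ga) + len(gb))


def is_dense(group, theta=0.5):
    """Dense response crowd: more than `theta` of the group's clients responded."""
    responders = [c for c, payload in group.items() if payload is not None]
    return len(responders) / len(group) > theta


def largest_similar_cluster(payloads, sim_threshold=0.6):
    """Greedy single-link clustering of payloads; returns the biggest cluster size."""
    clusters = []
    for p in payloads:
        for cluster in clusters:
            if any(dice(p, q) >= sim_threshold for q in cluster):
                cluster.append(p)
                break
        else:
            clusters.append([p])
    return max((len(c) for c in clusters), default=0)


def is_homogeneous(group, sim_threshold=0.6, theta=0.5):
    """Homogeneous response crowd: the largest cluster of similar responses
    covers more than `theta` of the responders."""
    payloads = [p for p in group.values() if p is not None]
    if not payloads:
        return False
    return largest_similar_cluster(payloads, sim_threshold) / len(payloads) > theta


def suspicious_crowds(observed):
    """Server endpoints whose client group is both dense and homogeneous."""
    return sorted(key for key, group in observed.items()
                  if is_dense(group) and is_homogeneous(group))


if __name__ == "__main__":
    for server, port in suspicious_crowds(OBSERVED):
        print(f"possible C&C: {server}:{port}")
```

The IRC group passes both tests (three of four clients respond, and their messages differ in one octet only), while the web group fails the density test at exactly 0.5 and would fail homogeneity too, since its two requests share little text. In a real deployment the window would be repeated and evidence accumulated over several rounds before alerting.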
Evaluation
Why BotMiner?
o Botnets can change their C&C content (encryption, etc.), protocols (IRC, HTTP, etc.), structures (P2P, etc.), C&C servers and dialog models
o So the BotHunter and BotSniffer systems may be evaded; we need to consider more
Revisit the Botnet Definition
o "A coordinated group of malware instances that are controlled by a botmaster via some C&C channel"
o We need to monitor two planes
– C-plane (C&C communication plane): "who is talking to whom"
– A-plane (malicious activity plane): "who is doing what"
C-Plane Clustering
o What characterizes a communication flow (C-flow) between a local host and a remote service?
– <protocol, src IP, dst IP, dst port>
A-Plane Clustering
Cross-clustering
o Two hosts in the same A-cluster and in at least one common C-cluster are clustered together
BotMiner Architecture
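The three steps above (C-plane clustering, A-plane clustering, cross-clustering) are shown end to end in the following added Python example; it is not BotMiner's code and it simplifies heavily. Flow records are aggregated into C-flows keyed by <protocol, src IP, dst IP, dst port> and summarized by three statistics (flow count, packets per flow, bytes per packet); C-flows with similar statistics are clustered by a single-link rule over normalized features, standing in for the feature set and X-means clustering used by the real system. A-plane clusters are simply hosts that share an activity type and target. Cross-clustering then links two hosts only if they sit in the same A-cluster and some common C-cluster, and reports connected components as botnets. The flow records, the activity detections, the feature statistics and the distance threshold are all constructed for this example.

```python
"""C-plane / A-plane / cross-plane clustering in the style of BotMiner.
Added example; features, clustering rule and sample data are assumptions."""
from collections import defaultdict
from itertools import combinations
import math

# Constructed flow records: (protocol, src_ip, dst_ip, dst_port, packets, bytes).
FLOWS = []
for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"):
    for i in range(10):                       # periodic, similarly sized IRC sessions
        pkts = 20 + (i % 3)
        FLOWS.append(("tcp", host, "198.51.100.20", 6667, pkts, 60 * pkts))
for i in range(3):                            # ordinary HTTPS browsing from another host
    pkts = 40 + 5 * i
    FLOWS.append(("tcp", "10.0.0.50", "192.0.2.80", 443, pkts, 750 * pkts))

# Constructed A-plane detections: (host, activity_type, detail).
ACTIVITIES = [
    ("10.0.0.1", "scan", 445),
    ("10.0.0.2", "scan", 445),
    ("10.0.0.3", "scan", 445),
    ("10.0.0.50", "scan", 445),               # e.g. a legitimate vulnerability scanner
]


def cflow_features(flows):
    """Aggregate flows into C-flows keyed by <proto, src, dst, dport> and return
    {key: (n_flows, packets_per_flow, bytes_per_packet)}."""
    agg = defaultdict(lambda: [0, 0, 0])
    for proto, src, dst, dport, pkts, nbytes in flows:
        a = agg[(proto, src, dst, dport)]
        a[0] += 1
        a[1] += pkts
        a[2] += nbytes
    return {k: (n, p / n, b / p) for k, (n, p, b) in agg.items()}


def cplane_clusters(features, threshold=0.2):
    """Single-link clustering of C-flows on max-normalized feature vectors.
    Returns one set of local hosts per cluster."""
    keys = list(features)
    maxes = [max(f[i] for f in features.values()) or 1 for i in range(3)]
    norm = {k: tuple(v / m for v, m in zip(features[k], maxes)) for k in keys}
    clusters = []
    for k in keys:
        for cluster in clusters:
            if any(math.dist(norm[k], norm[q]) <= threshold for q in cluster):
                cluster.append(k)
                break
        else:
            clusters.append([k])
    return [{k[1] for k in cluster} for cluster in clusters]


def aplane_clusters(activities):
    """Hosts performing the same kind of activity against the same target."""
    groups = defaultdict(set)
    for host, kind, detail in activities:
        groups[(kind, detail)].add(host)
    return list(groups.values())


def cross_cluster(c_clusters, a_clusters):
    """Link two hosts if they share an A-cluster and at least one C-cluster;
    each connected component of the resulting graph is a reported botnet."""
    adj = defaultdict(set)
    for a in a_clusters:
        for h1, h2 in combinations(sorted(a), 2):
            if any(h1 in c and h2 in c for c in c_clusters):
                adj[h1].add(h2)
                adj[h2].add(h1)
    seen, botnets = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            h = stack.pop()
            if h not in comp:
                comp.add(h)
                stack.extend(adj[h] - comp)
        seen |= comp
        botnets.append(sorted(comp))
    return botnets


def detect_botnets(flows, activities):
    return cross_cluster(cplane_clusters(cflow_features(flows)),
                         aplane_clusters(activities))


if __name__ == "__main__":
    for members in detect_botnets(FLOWS, ACTIVITIES):
        print("botnet:", ", ".join(members))
```

The two negative cases show why both planes are needed: 10.0.0.4 shares the IRC C-cluster with the bots but shows no malicious activity (a legitimate IRC user), and 10.0.0.50 shares the scanning A-cluster but talks to a different service, so neither is grouped with 10.0.0.1 to 10.0.0.3.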
Evaluation Data
Evaluation Result (False Positives)
Evaluation Result (Detection Rate)
Botnet Detection Systems: Summary
o BotHunter: vertical correlation of the behaviors of a single host
o BotSniffer: horizontal correlation across hosts; works on centralized C&C botnets
o BotMiner: extension of BotSniffer with no limitation on the C&C type
Thank you! Questions?