Download How to train observe your bot! Affan Syed Associate Professor,

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
Document related concepts

Peering wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Net bias wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Computer network wikipedia , lookup

Deep packet inspection wikipedia , lookup

Storm botnet wikipedia , lookup

Distributed firewall wikipedia , lookup

Airborne Networking wikipedia , lookup

Network tap wikipedia , lookup

List of wireless community networks by region wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
How to train observe your bot!
Affan Syed
Associate Professor,
Systems and Networking (SysNet) Lab,
National University of Computer & Emerging Sciences,
Islamabad, Pakistan
1
What happens at the SysNet …. Should not stay at SysNet!
Broad spectrum of systems research
Funded by
&
Computer Science
Electrical Engineering
*e-Energy
SDN for ISP networks
Sigcomm CCR
Botnets
DSN, *S&P, *CCS
Underwater WUWNet
networks Energy harvesting
and transference
Smart-home &
Smart-Grid
IPSN
Distributed Systems
*= poster or demo
2
What is a Bot/Zombie without connectivity?
"Zombie / Botnet network" by
Sophos Presseinfo
http://www.youthedesigner.com/wpcontent/uploads/2011/10/Zombie-Photo-01.jpg
http://howto-get-rid-of.com/wp-content/uploads/2014/03/troian-virusworm.jpg
Credit: Dreamworks “Shrek 2”
Network activity is the defining feature of a botnet
3
Motivation: Boot-strapping Botnet Research
Credit: www.sparkfun.com
Credit: http://ok.gov/osbi/Forensic_Laboratory/Forensic_Services/Latent_Prints
How can hobbyist/researchers easily observe live bot behavior where it manifests
its true color?
4
Industrial solutions and disclosures
Proprietary and expensive
Limited release of bot behavior as
blogs or papers (IP reasons?)
Need a non-textual, technical, report for *our fav* bot!
Other academic tools?
Deployment and testbed details?
High deployment cost and management/operational overhead
Need a system with low deployment overhead and cost!
Online services?
Lets look at some online
systems
• Anubis
• Comodo
• Malwr
(cuckoosandbox)
Limited and sketchy network details;
Also can’t change the execution environment
Need to trigger all responses of a bot!
7
Goals of our work
 Faithfully capture all network behavior
 Do so at low-cost and operational overhead
 Extensibility for evolving botnet landscape
Key contributions
 Operational contexts
 Implementation of a system to
– effects these contexts
– low-cost, and low- operational overhead
• to bootstrap effective academic research
Generating a faithful fingerprint
OPERATIONAL CONTEXTS & BOTS
10
Operational contexts*: In-the-wild
 Network Configuration
– Public vs Private
 Machine Type
Public
VM’s
– VM vs Bare-metal
 User Activity
Bare-metal
Private
– No activity vs Specific visits
*Operational Context = Environmental conditions that can impact a bot’s network
fingerprint
Operational contexts: Under Observation
 Observation Duration (time consideration)
– Boot-strapping phase vs Quiescent
 Containment Policy (ethical consideration)
– Conservative vs liberal (or ethical vs useful!)
Faithful Network Fingerprint: Operational Contexts
Attack
C&C
Context difference
Metadata
Anti Analysis Stepping stone
Network
connections
Ports opened
Information
stealing
Banking Social
media
Sample Fingerprint
Generating faithful fingerprints, varying operational contexts
TITAN ARCHITECTURE
15
Titan: Design decisions
GOALS
DECISIONS
 Faithful fingerprints
Multiple execution for intra-context feature
extractions
 Ease of management
Semi-automated containment
 Low-cost design and deployment
Few and low-end machines for testbed
Serial fingerprint generation
 Provides flexibility to extend its
capabilities
Modularity built into its design
Open Sourced and community involvement
Web Frontend
 Binary submission
 Operational context selection
–execution machine
–network configuration
–user activity
 Configuration forwarding to system manager
System Manager and Execution Network





Chooses the machine to infect
Converts configurations into commands
Starts and Stops the experiment
Facilitates in automation of containment
Setup of host machines
Containment and Logging Modules
 Semi-automation of traffic filtering rules
 Implement containment policy
 Log containment decisions and user traffic
Fingerprint Generation Engine
 XML fingerprint schema
 Performs various operations on collected logs
 Provides to the user for display
Titan Architecture: Workflow
Multiple iterations for a single operational context;
Operational contexts to execute selected by user!
3
2
1
Selecting context
1010
0110
9
Forwarding
configuration
Representation of
Results
Web
Front
End
Configuration of system
& network
Containing and forwarding
traffic
4
System
Manager
Containment
Module
6
Generation of
8
fingerprints
Resetting the
7a
Network
Fingerprint Generation
Engine
10
Selecting rule set (optional)
Logging
traffic
Logging
5
Logging
decisions
Internet
7b
Updating rule
set
Data Traffic
Control &
Management Traffic
How we achieve low-cost, and reduce deployment complexity
IMPLEMENTATION
22
Titan Implementation
 Minimum of 2 desktop-class machines
– Three, now, with support for bare-metal execution
– Can increase machines (virtual and physical) to generate LAN connectivity and
scanning observation (TBD)
 Connected via a L2 switch
Now: Bare Metal Machine bootup and multiple 23OS
System Manager and Execution Platform
 Execution Platform: XEN hypervisor
– Clones VM from a base VM
 System manager: Python & shell scripts
– responsible for creating operational context
24
Recreating Operational contexts
 User emulation  AutoIt Scripts
 Network context  using two-stage NAT
– Fool bot into thinking it has a public IP
Public IP
Private IP
208.x.x.x
10.1.x.x
AutoIt scripts
Public IP
208.x.x.x
Containment Module
 Pox controller with Open vSwitch on the Gateway
 All traffic also passes through attack sensors
–
–
–
–
–
–
exe_detect
DoS_detect
netscan_detect
spam_detect
inject_detect
info_detect
Possible throughput hit; but who cares!
 All traffic is malicious
– More reliable attack sensors
Now: custom sensors can be added
organically to the containment module
26
Containment Methodology: First Iteration
 Allow only TCP handshakes
―Fools bot into thinking it has access but CnC not responding in the
“right” way
―Detect CnC contact mechanisms
Containment Module
C&C 1
Network Traffic
TCP sensor
Attack sensor
Bot infected machine
C&C 2
Drop attack traffic,
add to blacklist
Containment Methodology: Second Iteration
 C&C communication allowed
 Only TCP handshake for new traffic
C&C 1
Containment Module
TCP sensor
TCP handshake
Network Traffic
Other m/c
Attack sensor
Bot Infected machine
C&C 2
Drop attack traffic, add
to blacklist
Containment Methodology: Third Iteration
 Observer bot behavior for long interval
 Detect any network attacks launched
C&C 1
Containment Module
TCP sensor
Connection Establishment
Network Traffic
Other m/c
Attack sensor
Bot Infected machine
C&C 2
Drop attack traffic, add
to blacklist
Advanced users: go for 4th and beyond
If attack sensor are inaccurate, malicious traffic might leak!
Titan Implementation: Fingerprint Generation
 Process raw traffic to generate context-specific features
― attack features from logs
― C&C features from bro, nmap, google safe browsing api, MaxMind GeoIP db,
Python Requests library
 Looks at differences between fingerprints to extract the context-specific
behavior.
EVALUATION
32
Validating Effective Fingerprint Generation
 Deployed a zeus botnet infrastructure
-- our zeus bot reports network configuration
-- performed experiment in both Public & Private setting
Private Context
Public Context
Fingerprint
Cryptolocker : Then
 Fingerprint of CryptoLocker
--analyzed a binary of the CryptoLocker botnet
We detected a DGA feature
Cryptolocker: Now
Ans: DGA updated to avoid detection --exactly the information we wanted to
observe ourself!
So what happened?
Conclusion
 A tool the can recreate operational contexts that impact a bot’s
network behavior
 Is open sourced and extensible
– Some of the attack and CnC feature are raw and need update
 Lots of --- and continuous --- update need to keep the tool
relevant
– Invite people to consider hosting this and carrying the idea forward!
– The project funding (and any funneling) ends in Aug!
Acknowledgements




Osama Haq
Waqar Ahmed
Mujtaba Ahmed
Ashad
37
For more information and source code visit
http://sysnet.org.pk/w/Titan
Contact person: [email protected]
Live demo at: titan.bot.nu:8888
Questions
38
42
Fingerprint: A Taxonomy
C&C
Attack
Context difference
Metadata
Single Experiment features
Intra-context features
Command & Control Features
Attack
Context
difference
Type
HTTP
IRC
Metadata
C&C
IP
Location
Connection frequency
UR
L
Redirection
Safe browsing status
Service
Port
Evasion
Volume
IP flux
Domain flux
Attack Features
C&C
Context
difference
DoS
Metadata
Scan
Attack
Spam
Info steal
SQL Inject
Exe transfer
Experiment Metadata
Attack
C&C
Context
difference
Metadata
Binary MD5
Experiment
Info
Bot Family
Network Start time Duration
connections
Related documents
Product Deck
Product Deck
Four Ways Analytics Think Like You
Four Ways Analytics Think Like You
group medical expense benefits: the changing
group medical expense benefits: the changing
Ryan Whitehead Bot Talk In my project, “Bot Talk” we see the
Ryan Whitehead Bot Talk In my project, “Bot Talk” we see the
Introduction
Introduction
Chapter 3 – Physical Evidence I. Analysis of physical evidence
Chapter 3 – Physical Evidence I. Analysis of physical evidence
Cold War Origins: 1945-1962
Cold War Origins: 1945-1962
Chapter 27 Vocabulary List – The Cold War Era (1945
Chapter 27 Vocabulary List – The Cold War Era (1945
Arches and Loops and Whorls, Oh My! A Study of Fingerprint Patterns
Arches and Loops and Whorls, Oh My! A Study of Fingerprint Patterns
What is art therapy? - Addictions and Mental Health Ontario
What is art therapy? - Addictions and Mental Health Ontario
AGRICULTURE ADVANCEMENT USING ARTIFICIAL INTELLIGENCE
AGRICULTURE ADVANCEMENT USING ARTIFICIAL INTELLIGENCE