Download Document

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
Document related concepts

Hospital-acquired infection wikipedia , lookup

Neonatal infection wikipedia , lookup

Childhood immunizations in the United States wikipedia , lookup

Infection wikipedia , lookup

Sarcocystis wikipedia , lookup

Hepatitis B wikipedia , lookup

Surround optical-fiber immunoassay wikipedia , lookup

Transcript 
BotMiner: Clustering Analysis of
Network Traffic for
Protocol- and Structure-Independent
Botnet Detection
Presented by D Callahan
Outline
• Introduction
– Botnet problem
– Challenges for botnet detection
– Related work
• BotMiner
– Motivation
– Design
– Evaluation
• Conclusion
What Is a Bot/Botnet?
• Bot – A malware instance that runs autonomously and
automatically on a compromised computer (zombie)
without owner’s consent
– Profit-driven, professionally written, widely propagated
• Botnet (Bot Army): network of bots controlled by
criminals- “A coordinated group of malware instances that
are controlled by a botmaster via some C&C channel”
– Architecture: centralized (e.g., IRC,HTTP), distributed
(e.g., P2P)
– “25% of Internet PCs are part of a botnet!” ( - Vint Cerf)
Botnets are used for …
• All DDoS attacks
• Spam
• Click fraud
• Information theft
• Phishing attacks
• Distributing other malware, e.g., spyware
How big is the Bot Problem?
• Computers were used for fun, now they are
platforms
• Current top computing platforms
http://www.top500.org/list/2008/11/100
•Storm worm-1-50 million computers infected
-Massive computing power
-Incredible bandwidth distributed world wide
-Is the storm over?
Conflicker according to McAfee
•
•
•
•
•
When executed, the worm copies
itself using a random name to the
%Sysdir% folder.
obtains the public ip address of the
affected computer.
Attempts to download a malware
file from the remote website
Starts a HTTP server on a random
port on the infected machine to
host a copy of the worm.
Continuously scans the subnet of
the infected host for vulnerable
machines and executes the exploit.
Challenges for Botnet Detection
• Bots are stealthy on the infected machines
– We focus on a network-based solution
• Bot infection is usually a multi-faceted and multi-phased
process
– Only looking at one specific aspect likely to fail
• Bots are dynamically evolving
– Static and signature-based approaches may not be
effective
• Botnets can have very flexible design of C&C channels
– A solution very specific to a botnet instance is not
desirable
Existing Techniques
• Traditional Anti Virus tools
– Bots use packer, rootkit, frequent updating
to easily defeat Anti Virus tools
• Traditional IDS/IPS
– Look at only specific aspect
– Do not have a big picture
• Honeypot
– Not a good botnet detection tool
Related Work
• [Binkley,Singh 2006]: IRC-based bot detection combine
IRC statistics and TCP work weight
• Rishi [Goebel, Holz 2007]: signature-based IRC
botnickname detection
• [Livadas et al. 2006, Karasaridis et al. 2007]: (BBN, AT&T)
network flow level detection of IRC botnets (IRCbotnet)
• BotHunter [Gu etal Security’07]: dialog correlation to detect
bots based on an infection dialog model
• BotSniffer [Gu etal NDSS’08]: spatial-temporal correlation
to detect centralized botnet C&C
• TAMD [Yen, Reiter 2008]: traffic aggregation to detect
botnets that use a centralized C&C structure
Motivation
• Botnets can change their C&C content
(encryption, etc.), protocols (IRC, HTTP,
etc.), structures (P2P, etc.), C&C servers,
infection models …
Botnet again
• “A coordinated group of malware instances
that are controlled by a botmaster via some
C&C channel”
• We need to monitor two planes
– C-plane (C&C communication plane): “who
is talking to whom”
– A-plane (malicious activity plane): “who is
doing what”
Botminer Framework
C-Plane clustering
What characterizes a communication flow
(C-flow) between a local host and a remote
service?
– <protocol, srcIP, dstIP, dstPort>
• Temporal related
statistical distribution
information in
– BPS (bytes per second)
– FPH (flow per hour)
• Spatial related statistical
distribution information in
– BPP (bytes per packet)
– PPF (packet per flow)
Two-step Clustering of C-flows
Why multi-step?
– Coarse-grained clustering
• Using reduced feature
space: mean and
variance of the distribution of
FPH, PPF, BPP, BPS for
each C-flow (2*4=8)
• Efficient clustering
algorithm: X-means
– Fine-grained clustering
• Using full feature space
(13*4=52)
What’s left?
A-plane Clustering
• Capture “activities in what kind of
patterns”
Cross-plane Correlation
• Botnet score s(h) for every host h
• Similarity score between host hi and hj
• Hierarchical clustering
Two hosts in the same A-clusters and
in at least one common C-cluster are
clustered together
Results
False Positive Clusters
Botnet detection
Overview
Conclusion
Botminer
- New botnet detection system based on
Horizontal correlation
- Independent of botnet C&C protocol and
structure
-Real-world evaluation shows promising results
-while it is possible to avoid detection of
BotMiner the efficiency and convenience of the
BotNet will also suffer
Related documents
botnet_detection
botnet_detection
Introduction (cont.)
Introduction (cont.)
Motivation behind botnets
Motivation behind botnets
Slides - TAMU Computer Science Faculty Pages
Slides - TAMU Computer Science Faculty Pages
botnet
botnet
Defense
Defense
botnet
botnet
Offense
Offense
paper - acsac
paper - acsac
Botnets: Infrastructure and Attacks
Botnets: Infrastructure and Attacks
Botnets: Infrastructure and Attacks
Botnets: Infrastructure and Attacks
L19
L19
Lecture25
Lecture25
Multifaceted Approach to Understanding the Botnet Phenomenon
Multifaceted Approach to Understanding the Botnet Phenomenon
Lecture 17
Lecture 17
presentation source
presentation source
Ryan Whitehead Bot Talk In my project, “Bot Talk” we see the
Ryan Whitehead Bot Talk In my project, “Bot Talk” we see the
CNCERT/CC Annual Report 2008
CNCERT/CC Annual Report 2008
Games and the Impossibility of Realizable Ideal Functionality
Games and the Impossibility of Realizable Ideal Functionality
adam - Stanford Crypto group
adam - Stanford Crypto group
Artificial intelligence
Artificial intelligence
How dynamic are IP addresses?
How dynamic are IP addresses?