Slide 1: Botnet Detection by Monitoring Similar Communication Patterns
5/25/2017
林佳宜, NTOU CSIE, [email protected]

Slide 2: Reference
• Hossein Rouhani Zeidanloo, Azizah Bt Abdul Manaf
• "Botnet Detection by Monitoring Similar Communication Patterns"
• (IJCSIS) International Journal of Computer Science and Information Security, Vol. 7, No. 3, 2010

Slide 3: Outline
• Introduction
• Detection framework
• Component
• Conclusions

Slide 4: Introduction
• Botnets are the most widespread and most common element of today's cyber attacks
• In this paper
 ▫ a taxonomy of Botnet C&C channels is provided
 ▫ a detection framework is proposed which focuses on P2P based and IRC based Botnets
• A Botnet has been defined as a group of bots
 ▫ that perform similar communication and malicious activity

Slide 5: Botnet Communication topologies
• Two different models
 ▫ Centralized model and Decentralized model
• Centralized model
 ▫ Botnet based on IRC
 ▫ Botnet based on HTTP
• Decentralized model
 ▫ Botnet based on P2P

Slide 6: Detection framework
(framework diagram)

Slide 7: Filtering
• Filtering is used to reduce the traffic workload
• In C1, traffic to servers recognized as unlikely Botnet C&C servers is filtered out, using the top 500 websites on the web (Alexa)
• In C2, TCP flows whose three-way handshake was not completely established are filtered out

Slide 8: Application classifier [1/2]
• Responsible for separating IRC and HTTP traffic
• For detecting IRC traffic
 ▫ inspect the contents of each packet
 ▫ match the defined strings NICK, PASS, USER, JOIN, OPER, PRIVMSG
• For detecting HTTP traffic
 ▫ HTTP uses the client-server model
 ▫ Three common HTTP methods: an HTTP request contains "GET", "POST" or "HEAD"

Slide 9: Application classifier [2/2]
• After filtering out HTTP and IRC traffic
 ▫ the remaining traffic has the probability of containing P2P traffic
• The remaining traffic is classified as general P2P
 ▫ using BLINC, which needs no access to packet payload and no knowledge of port numbers

Slide 10: Traffic Monitoring [1/3]
• Analyzing flow characteristics
• Finding similarities among the botnet hosts
• Record some information on each flow using the Audit Record Generation and Utilization System (ARGUS); the monitoring period is specified as 6 hours

Slide 11: Traffic Monitoring [2/3]
• Flows with the same SIP, DIP, Dport and the same Pr (TCP or UDP) are marked
• For each network flow (row) we calculate
 ▫ Average number of bytes per second (nbps) = Number of bytes / Duration
 ▫ Average number of bytes per packet (nbpp) = Number of bytes / Number of packets
• Insert these two new values (nbps and nbpp), together with the SIP and DIP of the flows that have been marked, into another database

Slide 12: Traffic Monitoring [3/3]
• We might have a set of databases
• For each database we can draw a graph
 ▫ (X, Y) = (bpp, bps)
 ▫ The next step is comparing the different x-y graphs: graphs that are similar to each other are clustered in the same category, and the list of their SIP addresses is recorded and passed to the next step for analysis

Slide 13: Two similar graphs based on data
(figure)

Slide 14: Malicious Activity Detector
• Analyze the outbound traffic from the network
 ▫ try to detect the possible malicious activities of the internal machines
• Most common and efficient malicious activities
 ▫ Scanning and Spamming
• For detecting "scanning", the solution used in this part
 ▫ Statistical sCan Anomaly Detection Engine (SCADE)
   - Inbound Scan Detection (ISD)
   - Outbound Scan Detection (OSD)

Slide 15: Spam-related Activities [1/2]
• Known as Unsolicited Bulk Email
 ▫ an example of a Botnet used for sending spam is Storm Worm, which is a P2P Botnet
• More than 95% of email on the internet is spam
• A common approach for detecting spam
 ▫ use of a DNS Blacklist / Blackhole List (DNSBL)
 ▫ a list of spam senders' IP addresses and SMTP servers

Slide 16: Spam-related Activities [2/2]
• An indication of possible malicious activity
 ▫ the same client using different external mail servers many times
• Inspecting outgoing traffic from our network
 ▫ recording SIP and DIP of those flows
 ▫ whose dports are 25 (SMTP) or 587 (Submission)
• Conclude which internal host is behaving unusually
 ▫ sending many emails to different or the same mail servers

Slide 17: Monitoring and Clustering
• Objective is detection of IRC based Botnets
• Using ARGUS for monitoring flows; for each network flow we calculate nbps and nbpp

Slide 18: Flows Analyzer
• The Flows Analyzer is responsible for looking for a group of databases that are similar to each other
• After finding similar databases
 ▫ we take a record of the SIP addresses of those hosts
 ▫ and report them as a group of bots that belong to an IRC based Botnet

Slide 19: Conclusions
• We proposed a new general detection framework
 ▫ that focuses on P2P based and IRC based Botnets
• Botnets have been defined as a group of bots
 ▫ that perform similar communication
 ▫ and malicious activity patterns within the same Botnet
• Future work: add a unique detection method for HTTP
 ▫ to make it one general system for detection of Botnets

Slide 20: Thanks for Your Attention
Q&A
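The Application classifier of slides 8 and 9, as an added example that is not code from the paper or the presentation: it labels a packet payload as IRC by the command strings the slide lists, as HTTP by a GET/POST/HEAD request line, and hands everything else on as a P2P candidate. The sample payloads are constructed, and the regular expressions are my own choice of how to anchor the matches.

```python
import re

# IRC commands the Application classifier slide matches on. Anchored at the
# start of a line so a word such as "nickname" inside some other protocol's
# payload is not mistaken for the IRC NICK command.
IRC_CMDS = re.compile(rb"^(NICK|PASS|USER|JOIN|OPER|PRIVMSG)\b", re.M)
# The three common request methods named on the slide (GET, POST, HEAD).
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r?$", re.M)

def classify(payload: bytes) -> str:
    """Label one packet payload as 'http', 'irc' or 'p2p-candidate'.
    HTTP is tested first so that an IRC keyword appearing in an HTTP body
    does not reclassify a web request; whatever is neither is handed on to
    the payload-independent P2P step (BLINC), which is not implemented here.
    Payload matching only works on cleartext: TLS-wrapped IRC or HTTP falls
    through to 'p2p-candidate'."""
    if HTTP_REQ.search(payload):
        return "http"
    if IRC_CMDS.search(payload):
        return "irc"
    return "p2p-candidate"

def split_traffic(packets):
    """Group (flow_id, payload) pairs into the three buckets the classifier
    produces, so each bucket can go to the matching monitor."""
    buckets = {"http": [], "irc": [], "p2p-candidate": []}
    for flow_id, payload in packets:
        buckets[classify(payload)].append(flow_id)
    return buckets

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    ("f1", b"NICK bot1337\r\nUSER x 0 * :x\r\nJOIN #c\r\n"),
    ("f2", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("f3", b"POST /api HTTP/1.1\r\nHost: h\r\n\r\nNICK=foo"),
    ("f4", b"Hello, my nickname is JOINer\r\n"),
    ("f5", bytes(range(256))),
]
```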
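The Traffic Monitoring steps of slides 10 to 12 (and the same nbps/nbpp computation reused on slides 17 and 18), as an added example that is not the paper's or the presenter's code: it marks flows sharing SIP, DIP, Dport and protocol, computes nbps and nbpp per flow, and clusters the groups whose (bpp, bps) points lie close together. The ARGUS-style record layout, the sample flows and the centroid-distance comparison are assumptions standing in for whatever the paper uses.

```python
from collections import defaultdict
from itertools import combinations

# Constructed ARGUS-style flow summaries (field layout is an assumption):
# (sip, dip, dport, proto, duration_seconds, packets, bytes)
FLOWS = [
    ("10.0.0.5", "198.51.100.7", 6667, "tcp", 60.0, 120, 7200),
    ("10.0.0.5", "198.51.100.7", 6667, "tcp", 58.0, 116, 6960),
    ("10.0.0.6", "198.51.100.7", 6667, "tcp", 61.0, 122, 7320),
    ("10.0.0.6", "198.51.100.7", 6667, "tcp", 59.0, 118, 7080),
    ("10.0.0.9", "203.0.113.20", 443, "tcp", 2.0, 40, 60000),
]

def flow_features(flows):
    """Slide 11: mark flows sharing SIP, DIP, Dport and Pr, and store
    nbps = bytes / duration and nbpp = bytes / packets for each of them.
    Returns {(sip, dip, dport, proto): [(nbpp, nbps), ...]}."""
    db = defaultdict(list)
    for sip, dip, dport, proto, duration, packets, nbytes in flows:
        if duration <= 0 or packets <= 0:       # skip degenerate records
            continue
        db[(sip, dip, dport, proto)].append((nbytes / packets, nbytes / duration))
    return dict(db)

def centroid(points):
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)

def cluster_sources(db, rel_tol=0.1):
    """Slide 12: compare the (bpp, bps) graphs of the marked groups and
    cluster the ones that look alike. The comparison here is a centroid
    distance within rel_tol on both axes (an assumption standing in for
    the paper's graph comparison); the output is one sorted list of SIP
    addresses per cluster that contains more than one host."""
    parent = {k: k for k in db}
    def find(k):
        while parent[k] != k:
            k = parent[k]
        return k
    cents = {k: centroid(p) for k, p in db.items()}
    for a, b in combinations(cents, 2):
        if all(abs(u - v) <= rel_tol * max(u, v)
               for u, v in zip(cents[a], cents[b])):
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for k in db:
        groups[find(k)].add(k[0])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```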
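The spam-related check of slide 16, as an added example rather than code from the paper or the presentation: it records SIP and DIP of outgoing flows to dport 25 or 587 and flags internal hosts that contact many different external mail servers or send many mail flows. The internal address range, the sample flows and both thresholds are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the monitored network
MAIL_PORTS = {25, 587}                # SMTP and Submission, as on the slide

# Constructed outbound flows (sip, dip, dport); not captured traffic.
FLOWS = [
    ("10.0.0.9", "192.0.2.10", 25),      # ordinary client, one mail server
    ("10.0.0.9", "192.0.2.10", 587),
    ("10.0.0.9", "203.0.113.5", 443),    # not mail, ignored
    ("10.0.0.5", "10.0.1.25", 25),       # internal relay, not external
]
# one host delivering directly to twelve different external mail servers
FLOWS += [("10.0.0.5", f"198.51.100.{n}", 25) for n in range(1, 13)]

def mail_activity(flows, internal=INTERNAL):
    """Slide 16: record SIP and DIP of outgoing flows whose dport is 25 or
    587, keyed by internal source host."""
    servers = defaultdict(list)
    for sip, dip, dport in flows:
        if dport not in MAIL_PORTS:
            continue
        if ip_address(sip) in internal and ip_address(dip) not in internal:
            servers[sip].append(dip)
    return dict(servers)

def unusual_senders(flows, min_servers=3, min_flows=10):
    """Flag hosts talking to many distinct external mail servers or sending
    many mail flows. Both thresholds are assumptions for this example and
    would be tuned against a site's normal mail volume (hosts that should
    relay through a local MTA normally contact no external server at all).
    Returns sorted (sip, distinct_servers, mail_flows) tuples."""
    flagged = []
    for sip, dips in mail_activity(flows).items():
        distinct = len(set(dips))
        if distinct >= min_servers or len(dips) >= min_flows:
            flagged.append((sip, distinct, len(dips)))
    return sorted(flagged)
```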