Botnet Detection by Monitoring
Similar Communication Patterns
5/25/2017
林佳宜
NTOU CSIE
[email protected]
Reference
• Hossein Rouhani Zeidanloo, Azizah Bt Abdul Manaf,
  "Botnet Detection by Monitoring Similar Communication Patterns",
  (IJCSIS) International Journal of Computer Science and Information Security, Vol. 7, No. 3, 2010
Outline
• Introduction
• Detection framework
• Component
• Conclusions
Introduction
• Botnets are among the most widespread and common threats in today's cyber attacks
• In this paper
▫ a taxonomy of Botnet C&C channels is provided
▫ a detection framework is proposed which focuses on P2P based and IRC based Botnets
• A Botnet is defined as a group of bots
▫ that perform similar communication and malicious activity
Botnet Communication topologies
• Two different models
▫ Centralized model, Decentralized model
• Centralized model
▫ Botnet based on IRC
▫ Botnet based on HTTP
• Decentralized Model
▫ Botnet based on P2P
Detection framework
Filtering
• Filtering is used to reduce the traffic workload
• C1: filter out flows to destinations that are unlikely to be Botnet C&C servers
 the top 500 websites on the web (Alexa list) are treated as unlikely C&C servers
• C2: filter out TCP flows whose three-way handshake was not completely established
Application classifier[1/2]
• Responsible for separating IRC and HTTP traffic
• For detecting IRC traffic
▫ inspect the contents of each packet
▫ match the defined strings
 NICK, PASS, USER, JOIN, OPER, PRIVMSG
• For detecting HTTP traffic
▫ HTTP uses the client-server model
▫ Three common HTTP methods
 HTTP requests contain "GET", "POST" or "HEAD"
Application classifier[2/2]
• After filtering out HTTP and IRC traffic
▫ the remaining traffic may still contain P2P traffic
• The remaining traffic is classified as general P2P
▫ using BLINC
 no access to packet payload
 no knowledge of port numbers
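The filtering (C1/C2) and application-classifier stages described on the preceding slides, written out as one small Python pipeline. This is an added example, not code from the paper or the presenter: the flow records, payload snippets and the POPULAR_SITES set are constructed here, and that set only stands in for the Alexa top-500 list the slides name. Flows that match neither the HTTP request-line shape nor an IRC command token are handed on as P2P candidates, which is where the BLINC stage would take over.

```python
"""Filtering (C1/C2) and application-classifier stages, added illustration.

Flow records, payload snippets and the POPULAR_SITES allow-list below are
constructed for this example; the allow-list stands in for the Alexa top-500
list named on the slides.
"""
from dataclasses import dataclass

# Stand-in for the Alexa top-500 list (assumption: resolved destination names).
POPULAR_SITES = {"www.google.com", "www.wikipedia.org", "www.youtube.com"}

# IRC commands listed on the classifier slide; HTTP methods likewise.
IRC_KEYWORDS = {"NICK", "PASS", "USER", "JOIN", "OPER", "PRIVMSG"}
HTTP_METHODS = {"GET", "POST", "HEAD"}


@dataclass
class Flow:
    sip: str
    dip: str
    dport: int
    proto: str                       # "tcp" or "udp"
    dst_host: str = ""               # resolved name of dip, if known
    handshake_complete: bool = True  # C2: full TCP three-way handshake seen
    payload: bytes = b""             # leading bytes of the first data packet


def passes_filter(flow):
    """C1/C2 filtering: drop flows to well-known sites (unlikely C&C) and
    TCP flows whose three-way handshake never completed."""
    if flow.dst_host in POPULAR_SITES:
        return False                 # C1
    if flow.proto == "tcp" and not flow.handshake_complete:
        return False                 # C2
    return True


def classify(flow):
    """Application classifier: 'http', 'irc' or 'p2p-candidate'.

    HTTP is checked first because its request line has a strict shape;
    the IRC check then looks for a known command token on any line,
    skipping an optional ':prefix' so server-relayed PRIVMSGs also match.
    """
    lines = flow.payload.decode("ascii", errors="ignore").splitlines()
    if lines:
        parts = lines[0].split()
        if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith("HTTP/"):
            return "http"
    for line in lines:
        tokens = line.split()
        if tokens and tokens[0].startswith(":"):
            tokens = tokens[1:]
        if tokens and tokens[0].upper() in IRC_KEYWORDS:
            return "irc"
    return "p2p-candidate"           # left for the BLINC stage


def run_pipeline(flows):
    """Return the flows that survive filtering, grouped by class."""
    out = {"http": [], "irc": [], "p2p-candidate": []}
    for f in flows:
        if passes_filter(f):
            out[classify(f)].append(f)
    return out


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.1", 80, "tcp", dst_host="www.google.com",
         payload=b"GET / HTTP/1.1\r\nHost: www.google.com\r\n"),          # dropped by C1
    Flow("10.0.0.5", "203.0.113.7", 6667, "tcp",
         payload=b"NICK bot123\r\nUSER bot123 0 * :x\r\nJOIN #c\r\n"),    # irc
    Flow("10.0.0.6", "203.0.113.9", 443, "tcp", handshake_complete=False),  # dropped by C2
    Flow("10.0.0.7", "198.51.100.2", 8080, "tcp",
         payload=b"POST /gate.php HTTP/1.1\r\nHost: x\r\n"),             # http
    Flow("10.0.0.8", "198.51.100.3", 41234, "udp", payload=b"\x00\x01\x02\x03"),  # p2p candidate
]

if __name__ == "__main__":
    for cls, flows in run_pipeline(SAMPLE_FLOWS).items():
        print(cls, [(f.sip, f.dip, f.dport) for f in flows])
```

Checking HTTP before IRC is a deliberate choice: the request line `METHOD target HTTP/x.y` is far less likely to appear by accident than a bare `JOIN` or `USER` token, so the stricter test goes first.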
Traffic Monitoring[1/3]
• Analyze flow characteristics
• Find similarities among the botnet hosts
• Record some information on each flow
 using the Audit Record Generation and Utilization System (ARGUS)
 over a specified period of time, which is 6 hours
Traffic Monitoring[2/3]
• Flows with the same SIP, DIP, Dport and the same Pr (TCP or UDP) are marked
• For each network flow (row) we calculate
 Average number of bytes per second (nbps) = Number of bytes / Duration
 Average number of bytes per packet (nbpp) = Number of bytes / Number of packets
• Insert these two new values (nbps and nbpp), together with the SIP and DIP of the flows that have been marked, into another database
Traffic Monitoring[3/3]
• We may end up with a set of databases
• For each database we can draw a graph
▫ (X, Y) = (bpp, bps)
▫ The next step is comparing the different x-y graphs
 graphs that are similar to each other are clustered in the same category
 the list of SIP addresses is recorded and passed to the next step for analysis
Two similar graphs based on data
Malicious Activity Detector
• Analyze the outbound traffic from the network
▫ try to detect possible malicious activities of the internal machines
• Most common and efficient malicious activities
▫ Scanning, Spamming
• For detecting "scanning", the solution used in this part
▫ Statistical sCan Anomaly Detection Engine (SCADE)
 Inbound Scan Detection (ISD)
 Outbound Scan Detection (OSD)
Spam-related Activities[1/2]
• Spam is known as Unsolicited Bulk Email
▫ an example Botnet used for sending spam is Storm Worm, which is a P2P Botnet
• More than 95% of email on the internet is spam
• A common approach for detecting spam
▫ use of a DNS Blacklist / Black Hole List (DNSBL)
▫ a list of spam senders' IP addresses and SMTP servers
Spam-related Activities[2/2]
• An indication of possible malicious activity
▫ the same client using different external mail servers many times
• Inspect outgoing traffic from our network
▫ record the SIP and DIP of those flows
▫ whose dport is 25 (SMTP) or 587 (Submission)
• Conclude which internal host is behaving unusually
▫ sending many emails to different or the same mail servers
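The spam-related check from the two preceding slides, as an added Python example rather than code from the paper: it keeps only outgoing flows from the internal range to dport 25 or 587, then flags any internal host that contacts more than a threshold of distinct external mail servers inside a sliding time window. The log format, the internal prefix `10.0.0.`, the one-hour window and the threshold of 3 servers are assumptions; the paper does not give values.

```python
"""Spam-related activity detector from the slides: keep the SIP/DIP of
outgoing flows to dport 25 (SMTP) or 587 (Submission) and report internal
hosts that talk to many different external mail servers.

Added illustration. The log line format, the internal prefix, the window
length and the threshold are assumptions, not values from the paper.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAIL_PORTS = {25, 587}
INTERNAL_PREFIX = "10.0.0."        # assumption: our network is 10.0.0.0/24
MAX_DISTINCT_SERVERS = 3           # assumed per-host threshold within WINDOW
WINDOW = timedelta(hours=1)

# Constructed flow log: "<ISO timestamp> <sip> <dip> <dport>" per line.
# 10.0.0.5 bursts to five mail servers in 25 seconds; 10.0.0.7 re-uses one
# server; 10.0.0.8 uses four servers but spread six hours apart.
LOG = """\
2017-05-25T10:00:01 10.0.0.5 203.0.113.25 25
2017-05-25T10:00:07 10.0.0.5 203.0.113.26 25
2017-05-25T10:00:12 10.0.0.5 198.51.100.14 587
2017-05-25T10:00:19 10.0.0.5 198.51.100.15 25
2017-05-25T10:00:25 10.0.0.5 203.0.113.40 25
2017-05-25T10:05:00 10.0.0.7 203.0.113.25 587
2017-05-25T10:30:00 10.0.0.7 203.0.113.25 587
2017-05-25T10:31:00 10.0.0.7 203.0.113.25 80
2017-05-25T00:10:00 10.0.0.8 203.0.113.26 25
2017-05-25T06:10:00 10.0.0.8 203.0.113.27 25
2017-05-25T12:45:00 10.0.0.8 203.0.113.28 25
2017-05-25T18:45:00 10.0.0.8 203.0.113.29 25
"""


def parse_mail_flows(text):
    """Keep only outgoing internal->external flows on the mail ports."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sip, dip, dport = line.split()
        if (int(dport) in MAIL_PORTS and sip.startswith(INTERNAL_PREFIX)
                and not dip.startswith(INTERNAL_PREFIX)):
            flows.append((datetime.fromisoformat(ts), sip, dip, int(dport)))
    return flows


def servers_per_window(events, window):
    """Largest set of distinct DIPs found in any `window`-long span of
    `events`, a time-sorted list of (timestamp, dip)."""
    best, start = set(), 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        current = {dip for _, dip in events[start:end + 1]}
        if len(current) > len(best):
            best = current
    return best


def suspicious_senders(flows, window=WINDOW, max_servers=MAX_DISTINCT_SERVERS):
    """Return {sip: sorted external mail servers} for hosts over threshold."""
    by_sip = defaultdict(list)
    for ts, sip, dip, _ in sorted(flows):
        by_sip[sip].append((ts, dip))
    flagged = {}
    for sip, events in by_sip.items():
        servers = servers_per_window(events, window)
        if len(servers) > max_servers:
            flagged[sip] = sorted(servers)
    return flagged


if __name__ == "__main__":
    for sip, servers in suspicious_senders(parse_mail_flows(LOG)).items():
        print(sip, "contacted", len(servers), "mail servers:", servers)
```

The window is what separates a spam burst from ordinary mail use: with the one-hour window only `10.0.0.5` is reported, while widening it to a day also catches the slow sender `10.0.0.8`. A real deployment would pick the window and threshold from the site's own baseline.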
Monitoring and Clustering
• The objective is detection of IRC based Botnets
• ARGUS is used for monitoring flows
 for each network flow we calculate nbps and nbpp
Flows Analyzer
• The Flows Analyzer is responsible for looking for a group of databases that are similar to each other
• After finding similar databases
▫ we take a record of the SIP addresses of those hosts
▫ and report them as a group of bots that belong to an IRC based Botnet
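The Traffic Monitoring slides (nbps and nbpp per flow, one database per marked SIP/DIP/Dport/Pr group, graphs of (bpp, bps) compared for similarity) and the Flows Analyzer slide above describe one procedure; this added Python example carries it through end to end. It is not the paper's code: the ARGUS flow records are replaced by constructed tuples, and the similarity measure (means and spreads of each axis agreeing within a relative tolerance) is an assumption, since the paper does not specify how two graphs are judged similar.

```python
"""Traffic Monitoring and Flows Analyzer stages from the slides: nbps and
nbpp per flow, one database of (bpp, bps) points per marked
(SIP, DIP, Dport, Pr) group, and clustering of similar databases into
candidate bot groups.

Added illustration. ARGUS records are replaced by constructed tuples and
the graph-similarity measure (compare mean and spread of each axis) is an
assumption; the paper does not specify one.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows: (sip, dip, dport, proto, bytes, packets, duration_s).
# Three hosts show small, regular flows to the same server on 6667; one host
# streams large, irregular HTTP downloads from another server.
FLOWS = [
    ("10.0.0.5", "203.0.113.7", 6667, "tcp", 300, 5, 10.0),
    ("10.0.0.5", "203.0.113.7", 6667, "tcp", 320, 5, 11.0),
    ("10.0.0.5", "203.0.113.7", 6667, "tcp", 290, 5, 9.5),
    ("10.0.0.6", "203.0.113.7", 6667, "tcp", 310, 5, 10.5),
    ("10.0.0.6", "203.0.113.7", 6667, "tcp", 305, 5, 10.0),
    ("10.0.0.6", "203.0.113.7", 6667, "tcp", 295, 5, 9.8),
    ("10.0.0.7", "203.0.113.7", 6667, "tcp", 315, 5, 10.2),
    ("10.0.0.7", "203.0.113.7", 6667, "tcp", 300, 5, 10.0),
    ("10.0.0.7", "203.0.113.7", 6667, "tcp", 310, 5, 10.4),
    ("10.0.0.9", "203.0.113.20", 80, "tcp", 1_500_000, 1100, 30.0),
    ("10.0.0.9", "203.0.113.20", 80, "tcp", 40_000, 45, 2.0),
    ("10.0.0.9", "203.0.113.20", 80, "tcp", 900_000, 700, 12.0),
]


def flow_features(nbytes, npackets, duration):
    """nbps and nbpp as defined on the slides; zero divisors yield 0.0."""
    nbps = nbytes / duration if duration > 0 else 0.0
    nbpp = nbytes / npackets if npackets > 0 else 0.0
    return nbps, nbpp


def build_databases(flows):
    """Mark flows sharing (SIP, DIP, Dport, Pr); each key gets one database
    of (bpp, bps) points, i.e. the (X, Y) graph on the slides."""
    dbs = defaultdict(list)
    for sip, dip, dport, proto, nbytes, npkts, dur in flows:
        nbps, nbpp = flow_features(nbytes, npkts, dur)
        dbs[(sip, dip, dport, proto)].append((nbpp, nbps))
    return dict(dbs)


def summarize(points):
    """(mean_x, sd_x, mean_y, sd_y) describing a database's point cloud."""
    xs = [x for x, _ in points]
    ys = [y for _, y in points]
    return mean(xs), pstdev(xs), mean(ys), pstdev(ys)


def similar(a, b, tol=0.25):
    """Assumed similarity: means and spreads on each axis agree to within
    `tol` of the larger mean on that axis."""
    mx_a, sx_a, my_a, sy_a = a
    mx_b, sx_b, my_b, sy_b = b
    scale_x = max(mx_a, mx_b, 1e-9)
    scale_y = max(my_a, my_b, 1e-9)
    return (abs(mx_a - mx_b) <= tol * scale_x and abs(sx_a - sx_b) <= tol * scale_x
            and abs(my_a - my_b) <= tol * scale_y and abs(sy_a - sy_b) <= tol * scale_y)


def cluster_databases(dbs, tol=0.25):
    """Greedy clustering: a database joins the first cluster whose seed it
    resembles, otherwise it starts a new one. Returns a list of SIP sets."""
    clusters = []
    for key, points in dbs.items():
        s = summarize(points)
        for c in clusters:
            if similar(s, c["seed"], tol):
                c["sips"].add(key[0])
                break
        else:
            clusters.append({"seed": s, "sips": {key[0]}})
    return [c["sips"] for c in clusters]


def suspected_bot_groups(flows, min_hosts=2):
    """Flows Analyzer output: sorted SIP lists of clusters holding at least
    `min_hosts` distinct hosts; singletons are not a 'group of bots'."""
    groups = cluster_databases(build_databases(flows))
    return [sorted(g) for g in groups if len(g) >= min_hosts]


if __name__ == "__main__":
    for group in suspected_bot_groups(FLOWS):
        print("hosts with similar communication pattern:", group)
```

Two caveats a practitioner would add: a 6-hour window of flows gives each database many more than three points, so a real comparison should work on the full distribution (for example a histogram distance) rather than two moments; and hosts that legitimately share an application (the same chat client, the same update agent) will also cluster together, so the group list is input to the malicious-activity correlation, not a verdict by itself.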
Conclusions
• We proposed a new general detection framework
▫ which focuses on P2P based and IRC based Botnets
• Botnets have been defined as a group of bots
▫ that perform similar communication
▫ and malicious activity patterns within the same Botnet
• Future work: add a unique detection method for HTTP
▫ to make it one general system for detection of Botnets
Thanks for Your Attention
Q&A