Bot-network detection
NAIST
Mitsuaki Akiyama, Takanori Kawamoto, Teruaki Yokoyama

Slide 2: What is the bot-net (1)
* Platform of malicious activities: attempting logins, sending DDoS traffic, submitting SPAM messages
* A threat for the Internet and for the AI3 network
* Detection is necessary to avoid becoming a stepping-stone for attacks
* Detection is necessary to reduce wasted bandwidth

Slide 3: What is the bot-net (2)
Bot-net characteristics:
* Consists of many victim hosts and few (usually only one) master host(s) or user(s)
* A command system is constructed among them
* Victims are controlled by orders from the master
* Victims sometimes try to infect other hosts

Slide 4: Our project: traffic monitoring and analysis
* The AI3 network may work well as a sensor for bot-networks
* Constructing a traffic monitor mechanism: extensive address space; a backbone, but easy for traffic capturing
* Dump the whole traffic in the AI3 network
* Mine anomalies from the traffic
Today's report: current situation, tentative results

Slide 5: Model of a bot-network
* 1st target (current): find the command system (Command system)
* 2nd target (future): find infection behavior (Infection)
* 2nd target (future): find attack behavior (Attacks)

Slide 6: Our strategy
Target: bot-nets on IRC
* Easy to differentiate (TCP port 6667)
* Well-known implementations of bot-nets; the signature is well known
* The bot-net on IRC is better suited to practical experiments: to confirm that its command system can be found, to obtain the bot-net as a host crowd, and to analyze the behavior of the crowd

Slide 7: Experiment: data
* Target: bot-net on IRC
* Measurement point: PC-router at SFC
* Date: 10 Aug 2004
* Amount: 24 hours, 30 Gbytes
* Analyzed as stored data (offline analysis)

Slide 8: Experiment: detection
Practical detection:
* Watch IRC traffic (TCP:6667)
* Obtain pairs of IRC nick and channel
* Find the channels which keep a lot of users, in order to find the command system
(Figure: IRC server with channel A (botnet) and channel B (client))

Slide 9: Results
Channel#: 394   User#: 1741   Command#: 83481
Channels which have many users (50-100 users): the command system of a botnet???
(Figure: conceptual graph of channels and users)

Slide 10: Confirmation: messages
Found bots: WORM_SDBOT.BR, WORM_RBOT.GE, WORM_RBOT.ZQ, WORM_SDBOT.VQ
Examples of suspicious channels:
* Channel: #!ftpscan  Message: :lsass: exploited (167.205.37.57)
* Channel: #!ftpscan  Message: :[lsass]: Exploiting IP: 167.205.106.17.
* Channel: #g3n1u5  Message: :CSendFile(0x007E29C0h): Transfer to 167.205.38.93 finished.
* Channel: ####splox####  Message: :[TFTP]: File transfer started to IP: 203.159.46.120 (C:\WINDOWS\System32\WinGamed.exe).
* Channel: ##rektp  Message: :[FTP]: File transfer complete to IP: 167.205.12.195 (C:\WINDOWS\System32\serm32.exe).
* Channel: #admin  Message: :[FTP]: File transfer complete to IP: 167.205.65.86 (C:\WINDOWS\System32\xpcd.exe).

Channel      Hosts#   Address space
#g3n1u5      108      167.205.0.0 - 167.205.255.255
##rektp      16       167.205.0.0 - 167.205.255.255
#!ftpscan    13       167.205.0.0 - 167.205.255.255

Slide 11: Knowledge
* Our assumption was confirmed: the command system can be found; the bot-net has a characteristic communication pattern; the host crowds are found
* Now planning the next step...

Slide 12: Plans for the future
* Obtain statistical data from the host crowd
* Estimate the computational requirements for stateful analysis: memory and calculation requirements per amount of bandwidth
* Apply the method to real-time traffic
* Make their activities and behaviors clear: find the universality of bot behavior, confirm that the universality holds, and watch the bot-net trend over time (fixed-point observation)
* Plan possible countermeasures against bot-networks, including against improvements of their command system (use of encryption, construction of P2P-like structures, ...)
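The detection steps of Slide 8 and the message confirmation of Slide 10, as an added illustration that is not the NAIST project's own tool. It assumes IRC lines already reassembled from TCP/6667 streams; the sample lines, nicks, channels and addresses (RFC 5737 ranges) are constructed, and the report patterns are derived from the message shapes quoted on Slide 10.

```python
import re
from collections import defaultdict

# Constructed sample of reassembled IRC (TCP/6667) lines. Message text is
# modelled on the shapes quoted in the slides; nicks, channels and addresses
# (RFC 5737 documentation ranges) are made up for this example.
SAMPLE_IRC_LINES = [
    ":b01!u@192.0.2.10 JOIN :#!ftpscan",
    ":b02!u@192.0.2.11 JOIN :#!ftpscan",
    ":b03!u@192.0.2.12 JOIN :#!ftpscan",
    ":alice!u@192.0.2.50 JOIN :#chat",
    ":bob!u@192.0.2.51 JOIN :#chat",
    ":b01!u@192.0.2.10 PRIVMSG #!ftpscan ::[lsass]: Exploiting IP: 198.51.100.7.",
    ":b02!u@192.0.2.11 PRIVMSG #!ftpscan ::[FTP]: File transfer complete to IP: 198.51.100.8 (C:\\WINDOWS\\System32\\x.exe).",
    ":alice!u@192.0.2.50 PRIVMSG #chat :hello everyone",
]

# ":nick!user@host COMMAND target :trailing" - only the fields the method needs
IRC_RE = re.compile(r"^:(?P<nick>[^!\s]+)\S*\s+(?P<cmd>JOIN|PRIVMSG)\s+:?(?P<chan>#\S+)(?:\s+:(?P<text>.*))?$")

# Status-report shapes seen on Slide 10: "[lsass]: Exploiting IP: ...",
# "[FTP]: File transfer complete to IP: ...", "lsass: exploited (...)"
BOT_REPORT_RE = re.compile(r"^:?\[?\w+\]?: (?:Exploiting IP:|File transfer (?:started|complete) to IP:|exploited \()")

def parse_irc(line):
    """Return (nick, command, channel, text) or None for lines we do not track."""
    m = IRC_RE.match(line.strip())
    if not m:
        return None
    return m["nick"], m["cmd"], m["chan"].lower(), m["text"] or ""

def channel_members(lines):
    """Slide 8, step 2: collect (nick, channel) pairs from JOIN and PRIVMSG."""
    members = defaultdict(set)
    for line in lines:
        parsed = parse_irc(line)
        if parsed:
            nick, _cmd, chan, _text = parsed
            members[chan].add(nick)
    return members

def crowded_channels(lines, min_users):
    """Slide 8, step 3: channels holding at least min_users distinct nicks (the slides used 50-100)."""
    return sorted(c for c, nicks in channel_members(lines).items() if len(nicks) >= min_users)

def bot_reports(lines):
    """Slide 10 confirmation: PRIVMSGs whose text looks like a bot status report."""
    hits = []
    for line in lines:
        parsed = parse_irc(line)
        if parsed and parsed[1] == "PRIVMSG" and BOT_REPORT_RE.match(parsed[3]):
            hits.append((parsed[2], parsed[0], parsed[3]))
    return hits
```

The user threshold is deliberately low here so the constructed sample triggers; on the 24-hour capture the slides used the 50-100 user range.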