Botnet Detection System - PowerPoint PPT Presentation (transcript)

Slides: 29. Provided by: ych71. Description: a roadmap to three botnet detection systems (BotHunter, BotSniffer, BotMiner).

Transcript and Presenter's Notes
1
Botnet Detection System
2
Introduction
  • Botnet problem
  • Challenges for botnet detection

3
What Is a Bot/Botnet?
  • Bot
  • A malware instance that runs autonomously and
    automatically on a compromised computer (zombie)
    without the owner's consent
  • Profit-driven, professionally written, widely
    propagated
  • Botnet (Bot Army): a network of bots controlled by
    criminals
  • Definition: a coordinated group of malware
    instances that are controlled by a botmaster via
    some C&C channel
  • Architecture: centralized (e.g., IRC, HTTP),
    distributed (e.g., P2P)
  • 25% of Internet PCs are part of a botnet!
    (Vint Cerf)

4
Botnets are used for
  • All DDoS attacks
  • Spam
  • Click fraud
  • Information theft
  • Phishing attacks
  • Distributing other malware, e.g., spyware

5
Challenges for Botnet Detection
  • Bots are stealthy on the infected machines
    - We therefore focus on a network-based solution
  • Bot infection is usually a multi-faceted and
    multi-phased process
    - Looking at only one specific aspect is likely
      to fail
  • Bots are dynamically evolving
    - Static and signature-based approaches may
      not be effective
  • Botnets can have a very flexible design of C&C
    channels
    - A solution very specific to one botnet
      instance is not desirable

6
Roadmap to three Detection Systems
  • BotHunter: works regardless of the C&C structure and
    network protocol, as long as the bots follow a
    pre-defined infection life cycle
  • BotSniffer: works for IRC and HTTP, and can be
    extended to detect other centralized C&C botnets
  • BotMiner: independent of the C&C protocol and structure

7
BotHunter system: detection on a single infected
client
  • Detecting Malware Infection Through IDS-Driven
    Dialog Correlation
  • Monitors two-way communication flows between
    internal networks and the Internet for signs of
    bots and other malware
  • Correlates the dialog trail of inbound intrusion
    alarms with outbound communication patterns

8
Bot infection case study: Phatbot
9
Dialog-based Correlation
  • BotHunter employs an Infection Lifecycle Model
    to detect host infection behavior
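The dialog correlation described in the BotHunter slides above, as an added example (this is illustrative code written for this transcript, not BotHunter's own implementation). The five dialog phases follow the published BotHunter infection lifecycle model (E1 inbound scan, E2 inbound exploit, E3 egg download, E4 C&C communication, E5 outbound scan); the alert tuple layout, the 600-second trail window and the two simplified declaration conditions are this example's own assumptions. The point it shows is why vertical correlation matters: a single inbound exploit alert or a lone scan never triggers a declaration, while two outbound infection signs with no inbound alert at all still do.

```python
"""BotHunter-style dialog correlation (added example, not BotHunter's code).

Assumptions: phases E1-E5 follow the published BotHunter model; the alert
format, the trail window and the two declaration conditions below are a
simplification chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed IDS alert stream: (timestamp, direction, phase, internal host).
ALERTS: List[Tuple[int, str, str, str]] = [
    (100, "inbound",  "E1", "10.0.0.5"),   # external host scans 10.0.0.5
    (102, "inbound",  "E2", "10.0.0.5"),   # exploit payload aimed at 10.0.0.5
    (110, "outbound", "E3", "10.0.0.5"),   # 10.0.0.5 fetches an executable (egg)
    (150, "outbound", "E4", "10.0.0.5"),   # 10.0.0.5 contacts a C&C server
    (300, "outbound", "E4", "10.0.0.12"),  # no inbound alert seen (e.g. USB infection)
    (420, "outbound", "E5", "10.0.0.12"),  # ...but the host later scans the outside
    (900, "inbound",  "E1", "10.0.0.9"),   # a lone scan: noise, not infection
    (950, "inbound",  "E2", "10.0.0.7"),   # exploit alert with no outbound follow-up
]

LOCAL_INFECTION_PHASES: Set[str] = {"E3", "E4", "E5"}
TRAIL_WINDOW = 600  # seconds; assumed window after which a host's trail restarts


@dataclass
class Trail:
    """Evidence trail for one internal host: phases seen since first_seen."""
    first_seen: int
    phases: Set[str] = field(default_factory=set)


def declares_infection(phases: Set[str]) -> bool:
    """Simplified declaration rule (assumption, see the module docstring)."""
    local = phases & LOCAL_INFECTION_PHASES
    # Condition 1: an inbound exploit plus at least one local-infection sign.
    if "E2" in phases and local:
        return True
    # Condition 2: two distinct local-infection signs, even with no inbound alert.
    return len(local) >= 2


def correlate(alerts: List[Tuple[int, str, str, str]],
              window: int = TRAIL_WINDOW) -> Dict[str, List[str]]:
    """Group alerts into per-host dialog trails and return the hosts whose
    trail satisfies the declaration rule, with the observed phases as evidence."""
    trails: Dict[str, List[Trail]] = defaultdict(list)
    for ts, _direction, phase, host in sorted(alerts):
        current = trails[host][-1] if trails[host] else None
        if current is None or ts - current.first_seen > window:
            current = Trail(first_seen=ts)
            trails[host].append(current)
        current.phases.add(phase)

    infected: Dict[str, List[str]] = {}
    for host, host_trails in trails.items():
        for trail in host_trails:
            if declares_infection(trail.phases):
                infected[host] = sorted(trail.phases)
                break
    return infected


if __name__ == "__main__":
    for host, evidence in sorted(correlate(ALERTS).items()):
        print(f"{host}: infected, evidence {evidence}")
```

Running it declares 10.0.0.5 (inbound exploit followed by egg download and C&C traffic) and 10.0.0.12 (C&C traffic plus outbound scanning, with no inbound alert) and stays silent on 10.0.0.9 and 10.0.0.7, whose single alerts would be the false positives of a purely signature-based approach.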

10
BotHunter Architecture
11
Evaluation
  • Example: http://www.cyber-ta.org/releases/malware-
    analysis/public/2009-01-13-public/

12
BotSniffer: detection on centralized C&C
botnets (IRC, HTTP)
  • Why focus on C&C?
  • C&C is essential to a botnet
    - Without C&C, bots are just discrete,
      unorganized infections
  • C&C detection is important
    - Relatively stable and unlikely to change
      within a botnet
    - Reveals the C&C server and the local victims
    - The weakest link

13
Botnet C&C Communication Example
14
Botnet C&C Spatial-Temporal Correlation and
Similarity
15
BotSniffer Architecture
16
Correlation Engine
  • Based on two properties of the response crowd,
    i.e., the set of clients that show
    (message/activity) response behavior
  • A dense response crowd: the fraction of
    clients with message/activity behavior within the
    group is larger than a threshold (e.g., 0.5)
  • A homogeneous response crowd: many members
    have very similar responses
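The two response-crowd properties above, as an added example (illustrative code for this transcript, not BotSniffer's implementation). Given the clients that all talk to one candidate C&C server, it checks density (fraction of clients that responded within the window, threshold 0.5 as on the slide) and homogeneity (how alike the responses are). The homogeneity metric, average pairwise Dice similarity over character bigrams with a 0.6 threshold, and the captured messages are this example's own assumptions.

```python
"""BotSniffer-style response-crowd check (added example, not BotSniffer's code).

Assumptions: homogeneity is measured as the mean pairwise Dice similarity of
character bigrams, thresholds are 0.5 (density) and 0.6 (homogeneity), and
the client messages below are constructed.
"""
from itertools import combinations
from typing import Dict, Optional, Set

# Constructed data: client -> message it sent to the shared server within the
# observation window (None = no response seen).
BOT_CROWD: Dict[str, Optional[str]] = {
    "10.0.0.5": "[SCAN]: Exploited 10.1.2.3 via NetBIOS",
    "10.0.0.6": "[SCAN]: Exploited 10.1.9.8 via NetBIOS",
    "10.0.0.7": "[SCAN]: Exploited 10.1.4.4 via NetBIOS",
    "10.0.0.8": None,                                   # bot that stayed quiet
}
HUMAN_CROWD: Dict[str, Optional[str]] = {              # a normal IRC channel
    "10.0.0.20": "anyone seen the patch notes?",
    "10.0.0.21": None,
    "10.0.0.22": None,
    "10.0.0.23": "brb lunch",
    "10.0.0.24": None,
}


def bigrams(text: str) -> Set[str]:
    """Set of overlapping two-character substrings of text."""
    return {text[i:i + 2] for i in range(len(text) - 1)}


def dice(a: Set[str], b: Set[str]) -> float:
    """Dice coefficient of two sets (1.0 = identical, 0.0 = disjoint)."""
    if not a and not b:
        return 1.0
    return 2 * len(a & b) / (len(a) + len(b))


def response_crowd(group: Dict[str, Optional[str]],
                   dense_threshold: float = 0.5,
                   homog_threshold: float = 0.6) -> Dict[str, object]:
    """Evaluate the dense and homogeneous properties for one client group."""
    responders = {client: msg for client, msg in group.items() if msg}
    density = len(responders) / len(group)

    # Homogeneity: average similarity over every pair of responses. With fewer
    # than two responders there is nothing to compare, so report 0.0.
    grams = [bigrams(msg) for msg in responders.values()]
    pairs = list(combinations(grams, 2))
    homogeneity = sum(dice(a, b) for a, b in pairs) / len(pairs) if pairs else 0.0

    dense = density >= dense_threshold
    homogeneous = homogeneity >= homog_threshold
    return {
        "density": density,
        "dense": dense,
        "homogeneity": round(homogeneity, 3),
        "homogeneous": homogeneous,
        "suspicious": dense and homogeneous,
    }


if __name__ == "__main__":
    print("bot crowd:  ", response_crowd(BOT_CROWD))
    print("human crowd:", response_crowd(HUMAN_CROWD))
```

The bot crowd is both dense (3 of 4 clients respond) and homogeneous (the scan reports differ only in the victim address), so it is flagged; the human channel is neither, since only 2 of 5 members spoke and their messages share almost no bigrams.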

17
Evaluation
18
Why BotMiner?
  • Botnets can change their C&C content
    (encryption, etc.), protocols (IRC, HTTP,
    etc.), structures (P2P, etc.), C&C servers and dialog
    models
  • So the BotHunter and BotSniffer systems may be evaded;
    we need to consider more

19
Revisit Botnet Definition
  • A coordinated group of malware instances that
    are controlled by a botmaster via some C&C
    channel
  • We need to monitor two planes
    - C-plane (C&C communication plane): who is
      talking to whom
    - A-plane (malicious activity plane): who is
      doing what

20
C-Plane clustering
  • What characterizes a communication flow (C-flow)
    between a local host and a remote service?
  • <protocol, srcIP, dstIP, dstPort>

21
A-plane clustering
22
Cross-clustering
  • Two hosts in the same A-cluster and
    in at least one common C-cluster are
    clustered together
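The two-plane clustering and the cross-clustering rule from the BotMiner slides above, as an added example (illustrative code for this transcript, not BotMiner's implementation). The published BotMiner clusters C-flows on traffic statistics and A-plane events on their own features; this example simplifies both, as an assumption: a C-cluster is the set of internal hosts that talked to the same remote <protocol, dstIP, dstPort> service, and an A-cluster is the set of hosts that performed the same activity type. The cross-clustering rule is the one on the slide: two hosts that share an A-cluster and at least one C-cluster are grouped. All flows and activities are constructed.

```python
"""BotMiner-style C-plane/A-plane cross-clustering (added example, not
BotMiner's code).

Assumptions: C-clusters are keyed by the remote service tuple and A-clusters
by activity type, a simplification of BotMiner's statistical clustering; the
flow and activity records below are constructed.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Set, Tuple

Service = Tuple[str, str, int]  # (protocol, dstIP, dstPort)

# C-plane: C-flows as <protocol, srcIP, dstIP, dstPort>.
FLOWS: List[Tuple[str, str, str, int]] = [
    ("tcp", "10.0.0.5",  "203.0.113.10", 6667),  # IRC C&C server
    ("tcp", "10.0.0.6",  "203.0.113.10", 6667),
    ("tcp", "10.0.0.7",  "203.0.113.10", 6667),
    ("tcp", "10.0.0.5",  "198.51.100.3", 80),    # web server shared with other hosts
    ("tcp", "10.0.0.20", "198.51.100.3", 80),
    ("tcp", "10.0.0.21", "198.51.100.3", 80),
    ("tcp", "10.0.0.30", "198.51.100.3", 80),    # plain web client, no A-plane events
]

# A-plane: (host, observed malicious activity).
ACTIVITIES: List[Tuple[str, str]] = [
    ("10.0.0.5", "scan"),
    ("10.0.0.6", "scan"),
    ("10.0.0.7", "scan"),
    ("10.0.0.20", "spam"),
    ("10.0.0.21", "spam"),
]


def c_clusters(flows: List[Tuple[str, str, str, int]]) -> Dict[Service, Set[str]]:
    """C-plane: group internal hosts by the remote service they talked to."""
    clusters: Dict[Service, Set[str]] = defaultdict(set)
    for proto, src, dst, dport in flows:
        clusters[(proto, dst, dport)].add(src)
    return clusters


def a_clusters(activities: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """A-plane: group hosts by the kind of malicious activity they performed."""
    clusters: Dict[str, Set[str]] = defaultdict(set)
    for host, activity in activities:
        clusters[activity].add(host)
    return clusters


def cross_cluster(flows: List[Tuple[str, str, str, int]],
                  activities: List[Tuple[str, str]]) -> List[List[str]]:
    """Return groups of hosts (size >= 2) that share an A-cluster and at
    least one C-cluster, i.e. the candidate botnets."""
    host_services: Dict[str, Set[Service]] = defaultdict(set)
    for service, hosts in c_clusters(flows).items():
        for host in hosts:
            host_services[host].add(service)

    # Union-find over hosts; a union is only made when both planes agree.
    parent: Dict[str, str] = {}

    def find(h: str) -> str:
        parent.setdefault(h, h)
        while parent[h] != h:
            parent[h] = parent[parent[h]]  # path halving
            h = parent[h]
        return h

    def union(a: str, b: str) -> None:
        parent[find(a)] = find(b)

    for hosts in a_clusters(activities).values():
        for a, b in combinations(sorted(hosts), 2):
            if host_services[a] & host_services[b]:  # at least one common C-cluster
                union(a, b)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for host in parent:
        groups[find(host)].add(host)
    return sorted(sorted(g) for g in groups.values() if len(g) >= 2)


if __name__ == "__main__":
    for group in cross_cluster(FLOWS, ACTIVITIES):
        print("candidate botnet:", group)
```

Two groups come out: the three scanners that share the IRC server, and the two spammers that share the web server. 10.0.0.5 also talks to that web server, but it is never merged with the spammers because the A-plane disagrees, and 10.0.0.30 is never considered because it has no A-plane activity; the rule needs evidence from both planes.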

23
BotMiner Architecture
24
Evaluation Data
25
Evaluation Result (False Positives)
26
Evaluation Result (Detection Rate)
27
Botnet Detection Systems summary
  • BotHunter: vertical correlation, i.e., correlation of
    the behaviors of a single host
  • BotSniffer: horizontal correlation across hosts, on
    centralized C&C botnets
  • BotMiner: extension of BotSniffer with no limitations
    on the C&C type

28
Thank you!
Questions?