a practical approach for taking down avalanche botnets
play

A Practical Approach for Taking Down Avalanche Botnets Under - PowerPoint PPT Presentation

May 20, 2023 •14 likes •244 views

A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints Victor Le Pochat , Tim Van hamme, Sourena Maroofi, Tom Van Goethem, Davy Preuveneers, Andrzej Duda, Wouter Joosen, Maciej Korczyski NDSS 2020, 25 February 2020

  1. A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints Victor Le Pochat , Tim Van hamme, Sourena Maroofi, Tom Van Goethem, Davy Preuveneers, Andrzej Duda, Wouter Joosen, Maciej Korczyński NDSS 2020, 25 February 2020

  2. A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints 2

  3. “the world’s largest and most sophisticated cybercriminal syndicate law enforcement has encountered” [Wai17] 3 dahu1 (https://commons.wikimedia.org/wiki/File:Avalanche_Zinal.jpg), „Avalanche Zinal“, https://creativecommons.org/licenses/by-sa/3.0/legalcode

  4. Avalanche operated an advanced infrastructure Infected Core C&C client server Infected hosts Layered network serving as entrypoints of proxy servers 4 Icons made by Icongeek26 from www.flaticon.com

  5. Dec 2008 2008-2016 30 Nov 2016 First activity Ongoing damage: C&C takedown 2M infected clients Avalanche Q3/Q4 2009 2012 Responsible for German law 2017-2019 2/3 of phishing enforcement Yearly cleanup attacks begins investigation iterations 5

  6. Avalanche operated an advanced infrastructure Infected Core C&C client server Domain Generation Algorithms 0a85rcbe2wb5n5f.com researchmadness.com arbres.com 6

  7. Law enforcement has to classify registered domains unregistered block 1.7 million sinkholed Avalanche 1 771 DGA domains benign no action 2 411 registered seize & malicious sinkhole 1 647 2017 + 2018 iterations 7

  8. Law enforcement has to classify registered domains unregistered block 1.7 million sinkholed Avalanche 1 771 DGA domains benign no action 2 411 registered seize & malicious sinkhole 1 647 2017 + 2018 iterations 8

  9. We evaluate on a real-world takedown: Avalanche › Design a more automated approach to reduce extensive manual classification effort › and assist in making accurate decisions Take down a benign domain: service interruption Not take down a malicious domain: botnet can respawn › leveraging (limited) real-world ground truth synthetic data sets may not be representative [Küh14, LeP19] › 9

  10. A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints 10

  11. Constraints affect available indicators Individual Proactive No active patterns analysis connections in contrast to in contrast to in contrast to bulk registration presence/detection active collection of malicious activity of web content [Hao16, Spo19] [Bil11, Ant12] [Khe14] bulk lexical patterns [Woo16, Sch18] 11

  12. A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints 12

  13. Our experimental protocol mimics real takedowns › Enrich with comprehensive feature sets ( within constraints) › Collect historical data as of iteration (if possible) Data set Missing › Some domains have missing data WHOIS 14.6% › Classify all domains Passive DNS 8.7% using ensemble model Active DNS 19.5% 13

  14. F 1 Effort accuracy train on test on score saved 14

  15. F 1 Effort accuracy train on test on score saved Base 2017 2018 84.3% 73.4% 100% ► Concept drift 15

  16. F 1 Effort accuracy train on test on score saved Base 2017 2018 84.3% 73.4% 100% Extended 2017 + Remaining 86.4% 78.6% 85.0% A priori 15% of 2018 85% of 2018 ► Hybrid model: Human oracle 16

  17. F 1 Effort accuracy train on test on score saved Base 2017 2018 84.3% 73.4% 100% Extended 2017 + Remaining 86.4% 78.6% 85.0% A priori 15% of 2018 85% of 2018 Base 2017 2018 97.3% 95.3% 70.3% A posteriori Extended 2017 + Remaining 97.6% 95.8% 66.2% A posteriori 15% of 2018 85% of 2018 *2019: 76.9% 17

  18. We analyze influences on our model Set Feature 1 WHOIS Time between creation... › Important 2 WHOIS Time between creation... time-based features 3 Passive DNS Time between first seen... are hard to evade 4 Passive DNS Time between first and... 5 WHOIS Time between creation... 6 WHOIS Renewal of domain ... 7 Active DNS Days DNS record seen ... 8 WHOIS Renewal of domain ... 9 Active DNS Time between first seen... 10 Joint Number of pages found... 18

  19. We analyze influences on our model Set Feature 1 WHOIS Time between creation... › Important 2 WHOIS Time between creation... time-based features 3 Passive DNS Time between first seen... are hard to evade 4 Passive DNS Time between first and... 5 WHOIS Time between creation... 6 WHOIS Renewal of domain ... › Data availability 7 Active DNS Days DNS record seen ... affects performance 8 WHOIS Renewal of domain ... Some redundancy exists 9 Active DNS Time between first seen... › 10 Joint Number of pages found... 19

  20. A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints 20

  21. We evaluate on a real-world takedown: Avalanche › Automating classification of registered DGA domains › Real-world setting yields unique opportunity but also imposes constraints › Hybrid model: synergy between model and analyst › Insights for real-world takedowns 21

  22. A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints victor.lepochat@kuleuven.be @VictorLePochat

  23. References [Wai17] R. Wainwright and F. J. Cilluffo, “Responding to cybercrime at scale: Operation Avalanche - a case study,” Europol; Center for Cyber and Homeland Security, The George Washington University, Issue Brief 2017-03, Mar. 2017. [Online]. Available: https://cchs.gwu.edu/sites/g/files/zaxdzs2371/f/Responding%20to%20Cybercrime%20at%20Scale%20FINAL.pdf [Küh14] M. Kührer, C. Rossow, and T. Holz, “Paint it black: Evaluating the effectiveness of malware blacklists,” in 17th International Symposium on Research in Attacks, Intrusions and Defenses, ser. RAID ’14, 2014, pp. 1–21. [LeP19] V. Le Pochat, T. Van Goethem, S. Tajalizadehkhoob, M. Korczyński, and W. Joosen, “Tranco: A research-oriented top sites ranking hardened against manipulation,” in 26th Annual Network and Distributed System Security Symposium, ser. NDSS ’19, 2019. [Hao16] S. Hao, A. Kantchelian, B. Miller, V. Paxson, and N. Feamster, “PREDATOR: Proactive recognition and elimination of domain abuse at time-of-registration,” in 2016 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’16, 2016, pp. 1568–1579. [Spo19] J. Spooren, T. Vissers, P. Janssen, W. Joosen, and L. Desmet, “Premadoma: An operational solution for DNS registries to prevent malicious domain registrations,” in 35th Annual Computer Security Applications Conference, ser. ACSAC ’19, 2019, pp. 557–567. [Woo16] J. Woodbridge, H. S. Anderson, A. Ahuja, and D. Grant, “Predicting Domain Generation Algorithms with Long Short-Term Memory Networks,” Nov. 2016, arXiv:1611.00791 [Sch18] S. Schüppen, D. Teubert, P. Herrmann, and U. Meyer, “FANCI : Feature-based automated NXDomain classification and intelligence,” in 27th USENIX Security Symposium, ser. USENIX Security ’18, 2018, pp. 1165–1181. [Bil11] L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi, “EXPOSURE: Finding malicious domains using passive DNS analysis,” in 18th Annual Network and Distributed System Security Symposium, ser. NDSS ’11, 2011. [Ant12] M. Antonakakis, R. Perdisci, Y. Nadji, N. Vasiloglou, S. Abu-Nimeh, W. Lee, and D. Dagon, “From throw-away traffic to bots: Detecting the rise of DGA-based malware,” in 21st USENIX Security Symposium, ser. USENIX Security ’12, 2012, pp. 491–506. [Khe14] N. Kheir, F. Tran, P. Caron, and N. Deschamps, “Mentor: Positive DNS reputation to skim-off benign domains in botnet C&C blacklists,” in 29th IFIP International Information Security and Privacy Conference, ser. SEC ’14, 2014, pp. 1–14. 23

Recommend

Objectives Avalanche Warning Center websites www.avalanches.org Geo-Communicating

Objectives Avalanche Warning Center websites www.avalanches.org Geo-Communicating

ICA CMC Workshop Banff 2014 Objectives Avalanche Warning Center websites www.avalanches.org Geo-Communicating Avalanche Relevant www.avalanche.org Information EAWS SnoProfiler www.avalanche.ca www.avalanche.net.nz

845 views • 5 slides
BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr hrea eats ts of inte of intern rnet et Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets?

722 views • 35 slides
Public key cryptography: a practical Public key cryptography: a practical approach approach

Public key cryptography: a practical Public key cryptography: a practical approach approach

Public key cryptography: a practical Public key cryptography: a practical approach approach Israel Herraiz <isra@herraiz.org> <israel.herraiz@upm.es> KeyID FE0A7AF3 Fingerprint D0DA E915 BFDD E5CD 8BA0 B159 7E97 2ACB FE0A 7AF3

996 views • 43 slides
Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive analysis Study spam e-mail, DNS queries by bot-infected machines, DNS blacklists, analyze network traffic, etc. Infiltration Todays

686 views • 15 slides
Mainstreaming transport co- benefits approach: a practical guide benefits approach: a practical

Mainstreaming transport co- benefits approach: a practical guide benefits approach: a practical

Mainstreaming transport co- benefits approach: a practical guide benefits approach: a practical guide to evaluating transport projects Jane Romero Cli Climate Change Group Ch G IGES Outline Out e o Overview o Why quantify co-benefits?

345 views • 15 slides
NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

PHOENIX & CERBERUS We haz botnets! #Honeynet2014 Stefano Schiavoni, Edoardo Colombo Federico Maggi Lorenzo Cavallaro Stefano Zanero Politecnico Di Milano & Royal Hollway, University of London NECST laboratory BOTNETS FUNDING ETC.

1.28k views • 107 slides
BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines (bots) under unified control of an attacker (botmaster) Method of compromise decoupled from method of control Launch a worm/virus, etc.:

790 views • 16 slides
Our Approach P rovides a practical, innovative approach for the restoration, preservation and

Our Approach P rovides a practical, innovative approach for the restoration, preservation and

Our Approach P rovides a practical, innovative approach for the restoration, preservation and maintenance of reinforced concrete structures, steel rust inhibitors and asphalt rejuvenator solutions.. Through the use of proprietary technology

720 views • 61 slides
Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic Giroire Nina Taft Eve Schooler Mascotte project I3S (CNRS, Univ. of Nice) Intel Labs INRIA Sophia Antipolis Botnets: Why care? Botnet

888 views • 46 slides
Surviving the Slide Avalanche Rescue and Resuscitation Updates and Review, 1/14 Conal Roche, MD

Surviving the Slide Avalanche Rescue and Resuscitation Updates and Review, 1/14 Conal Roche, MD

Surviving the Slide Avalanche Rescue and Resuscitation Updates and Review, 1/14 Conal Roche, MD I. Avalanche Basics (Not included in the Lecture) A. VShaped or Loose Snow Avalanches 1. More common in Steep Snow 2. May be dangerous in warm

200 views • 4 slides
A Mechanism for Session Initiation Protocol (SIP) Avalanche Restart Overload Control

A Mechanism for Session Initiation Protocol (SIP) Avalanche Restart Overload Control

A Mechanism for Session Initiation Protocol (SIP) Avalanche Restart Overload Control draft-shen-soc-avalanche-restart-overload-00 Charles Shen and Henning Schulzrinne, Columbia University Arata Koike, NTT IETF 80, Prague, Czech Republic

443 views • 10 slides
How has the new approach to How has the new approach to How has the new approach to How has the

How has the new approach to How has the new approach to How has the new approach to How has the

Institute for Global Environmental Strategies Towards sustainable development - policy oriented, practical and strategic research on global environmental issues How has the new approach to How has the new approach to How has the new approach to

313 views • 4 slides
Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

Studying Spamming Botnets Using BotLab Arvind Krishnamurthy Joint work with: John John, Alex Moshchuk, Steve Gribble University of Washington Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

291 views • 15 slides
Biomimetic optimisation new approach to aircraft structural design Practical Example

Biomimetic optimisation new approach to aircraft structural design Practical Example

Biomimetic optimisation new approach to aircraft structural design Practical Example Coupling the Optimization Procedure with Aeroelastic Numerical Environment K. Maute and M. Allen, Struct Multidisc Optim 27, 27-42 (2004) Practical

131 views • 12 slides
Digging into the Avalanche Phenomenon Presented at UNBC Feb 8 th 2017 By Laurent Janssen Scope

Digging into the Avalanche Phenomenon Presented at UNBC Feb 8 th 2017 By Laurent Janssen Scope

Digging into the Avalanche Phenomenon Presented at UNBC Feb 8 th 2017 By Laurent Janssen Scope of this presentation Basic knowledge of the Avalanche Phenomenon Basic knowledge of Avalanche Terrain Morphology Basic knowledge of the

741 views • 46 slides
Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats threats of of interne internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets? Because Bot

379 views • 27 slides
Taking talking beyond the clinic: practical patient and public involvement in your practice Beki

Taking talking beyond the clinic: practical patient and public involvement in your practice Beki

Taking talking beyond the clinic: practical patient and public involvement in your practice Beki Aldam Why? Face-to-face events with families Blogging Social media How? Digesting Science Barts-MS blog Twitter Over 70 events Over 400

725 views • 31 slides
Botnets Secret Puppetry With Computers Balaji Prasad T.K ( bpt@email.arizona.edu ) Nupur

Botnets Secret Puppetry With Computers Balaji Prasad T.K ( bpt@email.arizona.edu ) Nupur

Botnets Secret Puppetry With Computers Balaji Prasad T.K ( bpt@email.arizona.edu ) Nupur Maheshwari ( nupurm@email.arizona.edu ) Department of Computer Science University of Arizona April 22, 2012 What are Botnets? 1 Technical Overview 2

895 views • 37 slides
Access(ibility) is What We Do Practical Strategies for Taking Charge of Accessibility Jennie

Access(ibility) is What We Do Practical Strategies for Taking Charge of Accessibility Jennie

Access(ibility) is What We Do Practical Strategies for Taking Charge of Accessibility Jennie Archer & Ginny Connell Carl B. Ylvisaker Library Concordia College, Moorhead MN Slides Welcome Jennie Archer Ginny Connell First-Year

624 views • 40 slides
A Practical Approach to Quantum Annealing GOTO CHICAGO 2020 AGENDA Practical Quantum Annealing

A Practical Approach to Quantum Annealing GOTO CHICAGO 2020 AGENDA Practical Quantum Annealing

A Practical Approach to Quantum Annealing GOTO CHICAGO 2020 AGENDA Practical Quantum Annealing - Part 1 Quantum Annealing - Hardware and Basic Principles Introduction to Programming Model and API Constraint Satisfation Problems HARDWARE AND

584 views • 27 slides
Spamming Botnets: Signatures and Characteris5cs Xie et al.

Spamming Botnets: Signatures and Characteris5cs Xie et al.

Spamming Botnets: Signatures and Characteris5cs Xie et al. Presented by Kyle Mar5n <kyle.mar5n@knights.ucf.edu> The Problems Botnets The Problems

823 views • 36 slides
trusts: Why trustees (and trustee-spouses) need to be wary of taking the current approach to

trusts: Why trustees (and trustee-spouses) need to be wary of taking the current approach to

Breach of the separation requirement in family trusts: Why trustees (and trustee-spouses) need to be wary of taking the current approach to veil piercing at divorce at face value Prof Bradley Smith University of the Free State

511 views • 30 slides
Taking Taking Taking Taking Aspiration and Aspiration and Aspiration and Aspiration and

Taking Taking Taking Taking Aspiration and Aspiration and Aspiration and Aspiration and

Michael B Arthur Taking Taking Taking Taking Aspiration and Aspiration and Aspiration and Aspiration and Possibility into Possibility into Possibility into Possibility into Emeritus Professor, Suffolk University, Boston, USA Career

921 views • 30 slides
Confusion and Old Age: A Practical Approach to Diagnosis and Management DR. SHAH MD, MPH

Confusion and Old Age: A Practical Approach to Diagnosis and Management DR. SHAH MD, MPH

Confusion and Old Age: A Practical Approach to Diagnosis and Management DR. SHAH MD, MPH DIRECTOR OF PALLIATIVE CARE BROADLAWNS MEDICAL CENTER Relevant to the content of this educational activity, I do not have any relationships with

1.07k views • 83 slides

More recommend