botnet detection with dns monitoring
play

Botnet Detection with DNS Monitoring Seminar Future Internet 2014 - PowerPoint PPT Presentation

Jun 05, 2023 •568 likes •748 views

Lehrstuhl Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Botnet Detection with DNS Monitoring Seminar Future Internet 2014 Christopher Will Advisor: Oliver Gasser Introduction - Botnets Great

  1. Lehrstuhl Netzarchitekturen und Netzdienste Institut für Informatik Technische Universität München Botnet Detection with DNS Monitoring Seminar Future Internet 2014 Christopher Will Advisor: Oliver Gasser

  2. Introduction - Botnets  Great threat in the Internet today  Universally usable – DDoS, Content Hosting …  Very important to take them down 2 Botnet Detection with DNS Monitoring

  3. Background – Botnet structure C&C server Bot 1 Bot 2 Bot 3 Target Server User 3 Botnet Detection with DNS Monitoring

  4. Botnets - Detection approach  Many botnets use DNS for communication  Find botnet communication in DNS traffic  Difficulty: Filter out all benign traffic  Use specific features of botnet traffic to find bots as well as the C&C servers 4 Botnet Detection with DNS Monitoring

  5. Botnet - DNS usage  C&C communication with Domain Generation Algorithms zpdyaislnu.net? not found dlftozdnxn.net? Bot DNS Server 176.53.17.51 google.com? 173.194.70.105 5 Botnet Detection with DNS Monitoring

  6. Detecting DGA C&C communication  General framework structure: Collect DNS Data Filter traffic, detect bots Classify and group bots Detect C&Cs 6 Botnet Detection with DNS Monitoring

  7. Detection Frameworks 1. Using Anchor Domains 2. PREDENTIFIER: Using domain features 3. Pleiades: Using NXDomains 4. Using NXDomains and Bloom Filters + Privacy 7 Botnet Detection with DNS Monitoring

  8. Pleiades Framework by Antonakakis et al.  Very sophisticated  Highest detection rate of all frameworks  Well-tested in real scenario (ran at local DNS server for over 2 years) 8 Botnet Detection with DNS Monitoring

  9. Pleiades: 1. DNS Data Collection/Filtering  Assumption NXDomains mostly generated by botnets  Later, successful responses used for C&C identification 9 Botnet Detection with DNS Monitoring

  10. Pleiades: 2. Bot clustering  Method 1: Statistical domain features: 71f9d3d1.net 84c7e2a3.com lymylorozig.eu fotyriwavix.eu gxnbtlvvwmyg.com zzopaahxctfh.com 10 Botnet Detection with DNS Monitoring

  11. Pleiades: 2. Bot clustering  Method 2: Host ↔ Domains association: B1 B2 D1 B3 D2 B4 D3 B5 11 Botnet Detection with DNS Monitoring

  12. Pleiades: 3. C&C detection Single, successful DNS response Bot clusters C&C Detection Probability of belonging to the DGA 12 Botnet Detection with DNS Monitoring

  13. Pleiades: Evaluation Detection rate False positive rate DGA Classifier 99.7% 0.1% C&C > 91% (except 1 3% Detection botnet)  In the wild: Detection of 6 unknown DGAs  Privacy issues not specifically adressed 13 Botnet Detection with DNS Monitoring

  14. Summary  Botnets are dangerous  DGA-based Botnets can be detected with the DNS  Example: One Framework 14 Botnet Detection with DNS Monitoring

  15. Thank you! 15 Botnet Detection with DNS Monitoring

  16. Legitimate DNS usage  Main goal: Load balancing  Round-Robin DNS: Loop through list of possible IPs, high TTL  Content Distribution Networks: More sophisticated approach to calculate currently best IP, lower TTL 16 Botnet Detection with DNS Monitoring

  17. Background: Domain Name System root "Where's www.wikipedia.org?" nameserver 198.41.0.4 1 "Try 204.74.112.1" org. 2 nameserver 204.74.112.1 DNS Recurser "Try 207.142.131.234" 3 wikipedia.org. "It's at xxx.xx.xx.xxx" nameserver 207.142.131.234 17 Botnet Detection with DNS Monitoring

Recommend

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic New different approche for sending spam Basing on reputation of email providers Difficult to detect signup detection monitoring users' activity

157 views • 15 slides
Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Motivation/Overview Taxonomy Detection Response Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu Georgia Institute of Technology College of Computing OARC Workshop, 2005 David Dagon Botnet

675 views • 45 slides
Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State University Computer Science outline background experimental flow tuples botnet server mesh detection botnet client mesh detection

364 views • 23 slides
Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen University of Pennsylvania August 8th, 2011 CSET-2011 1 Alice has developed a new botnet detector!!! What should the evaluation show? Alice's

767 views • 42 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods Basil AsSadhan Department of Electrical Engineering & Center of Excellence in Information Assurance King Saud University April 13-14, 2014

609 views • 39 slides
Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large group of infected computers,

610 views • 23 slides
1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq Khan, Protick Bhowmick, Md. Shohrab Hossain, and Husnu S. Narman 2 Outlines Motivation Problem Contribution Results Conclusions 3

733 views • 34 slides
Transfer Learning Approach for Botnet Detection based on Recurrent Variational Autoencoder

Transfer Learning Approach for Botnet Detection based on Recurrent Variational Autoencoder

Transfer Learning Approach for Botnet Detection based on Recurrent Variational Autoencoder Jeeyung Kim Scientific Data Management Research Group Computational Research Division Lawrence Berkeley National Laboratory 2020 SNTA, 06/02/2020 J.

423 views • 21 slides
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu 1,2 , Roberto Perdisci 3 , Junjie Zhang 1 , and Wenke Lee 1 1 Georgia Tech 3 Damballa, Inc. 2 Texas A&M University 2008-7-31

549 views • 22 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in

Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in

Large-scale performance monitoring framework for cloud monitoring Run-Time Latency Detection in Production Julien Desfossez Michel Dagenais Dcembre 2014 cole Polytechnique de Montreal Latency-tracker Kernel module to track down

524 views • 17 slides
- masses M , stiffness K - modes Physical linear dynamic model. Natural excitation : - swell

- masses M , stiffness K - modes Physical linear dynamic model. Natural excitation : - swell

Statistical Approaches Introduction to Industrial Monitoring Problems - Signal processing and on-board monitoring Fault Detection and Isolation Early detection of slight deviations M. Basseville, Q. Zhang, A. Benveniste with respect to a

1.31k views • 13 slides
Detection & Eradication About RedIRIS Spanish Academic & Research Network

Detection & Eradication About RedIRIS Spanish Academic & Research Network

Detection & Eradication About RedIRIS Spanish Academic & Research Network Interconnect 250 Universities & Research centers Part of goverment company, red.es IRIS-CERT, CSIRT inside RedIRIS Botnet Detection 1. By

716 views • 48 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

1k views • 58 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis & Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster.

409 views • 11 slides
<Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection

<Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection

Data Council Singapre 2019 Autoencoder Forest for Anomaly Detection from IoT Time Series <Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection Autoencoder for anomaly detection Autoencoder

540 views • 27 slides
www.thomas-leak-detection.com Leak Detection Class I Presentation EN 2014-02-19 Part1.docx ABOUT

www.thomas-leak-detection.com Leak Detection Class I Presentation EN 2014-02-19 Part1.docx ABOUT

Class I Leak Detection Systems - Highest level of monitoring and prevention of double walled tanks and pipes, according EU Standard EN 13160-2 Advantages Working Principle Product Overview www.thomas-leak-detection.com Leak

206 views • 16 slides
A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T exas at San Antonio Overview Botnet Lifecycle Botnet Architecture Command and Control Mechanisms (C&C) Dynamic Graph Model Botnet

195 views • 18 slides
Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Introduction Advantages Skype Supernodes Botnet Our Model Features Communication protocol Experiments Limitations Countermeasures Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa - Universit`

483 views • 16 slides
An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization Automatic Tracking and Activity Visualization marco riccardi Italian Chapter - The Honeynet Project marco cremonini

393 views • 36 slides
MONITORING CARBON MONOXIDE AND METHANE FOR EARLY FIRE DETECTION IN COAL-HANDLING FACILITIES By

MONITORING CARBON MONOXIDE AND METHANE FOR EARLY FIRE DETECTION IN COAL-HANDLING FACILITIES By

MONITORING CARBON MONOXIDE AND METHANE FOR EARLY FIRE DETECTION IN COAL-HANDLING FACILITIES By Kurt Smoker, Conspec Controls, Inc. While most coal-handling facilities today have some type of plant-wide monitoring and control system in place for

465 views • 10 slides

More recommend