botsniffer detecting botnet command and control channels
play

BotSniffer: Detecting Botnet Command and Control Channels in - PowerPoint PPT Presentation

Sep 16, 2022 •92 likes •379 views

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS08 BotSniffer: Detecting Botnet C&C

  1. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 1 Traffic

  2. Roadmap • Introduction • BotSniffer – Motivation – Architecture – Algorithm – Experimental Evaluation • Summary 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 2 Traffic

  3. Introduction Botnet Problem Challenges in Botnet Detection BotSniffer Related Work Summary Research Overview Botnets: Big Problem • “ Attack of zombie computers is growing threat ” (New York Times) • “ Why we are losing the botnet battle ” (Network World) • “ Botnet could eat the internet ” (Silicon.com) • “ 25% of Internet PCs are part of a botnet ” (Vint Cerf) 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 3 Traffic

  4. Introduction Botnet Problem Challenges in Botnet Detection BotSniffer Related Work Summary Research Overview What are Bots/Botnets? • Bot (Zombie) – Compromised computer controlled by botcodes (malware) without owner consent/knowledge – Professionally written; self-propagating • Botnets (Bot Armies) – Networks of bots controlled by criminals – Key platform for fraud and other for-profit exploits Bot-master bot C&C 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 4 Traffic

  5. Introduction Botnet Problem Challenges in Botnet Detection BotSniffer Related Work Summary Research Overview Botnet Epidemic • More than 95% of all spam • All distributed denial of service (DDoS) attacks • Click fraud • Phishing & pharming attacks • Key logging & data/identity theft • Distributing other malware, e.g., spyware/adware 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 5 Traffic

  6. Introduction Botnet Problem Challenges in Botnet Detection BotSniffer Related Work Summary Research Overview Botnet C&C Detection • C&C is essential to a botnet – Without C&C, bots are just discrete, unorganized infections • C&C detection is important – Relatively stable and unlikely to change within botnets – Reveal C&C server and local victims – The weakest link • C&C detection is hard – Use existing common protocol instead of new one – Low traffic rate – Obscure/obfuscated communication 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 6 Traffic

  7. Introduction Botnet Problem Challenges in Botnet Detection BotSniffer Related Work Summary Research Overview Related Work • [Binkley,Singh 2006]: IRC-based bot detection combine IRC statistics and TCP work weight • Rishi [Goebel, Holz 2007]: signature-based IRC bot nickname detection • [Livadas et al. 2006]: (BBN) machine learning based approach using some general network-level traffic features (IRC botnet) • [Karasaridis et al. 2007]: (AT&T) network flow level detection of IRC botnet controllers for backbone network (IRC botnet) • [Gu et al. 2007]: BotHunter 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 7 Traffic

  8. Introduction Botnet Problem Challenges in Botnet Detection BotSniffer Related Work Summary Research Overview Our Approaches: General Picture Vertical Correlation BotHunter Enterprise-like Network (Security’07) Horizontal Correlation BotSniffer (NDSS’08) Internet 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 8 Traffic

  9. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Botnet C&C Communication 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 9 Traffic

  10. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Botnet C&C: Spatial-Temporal Correlation and Similarity 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 10 Traffic

  11. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment BotSniffer Architecture 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 11 Traffic

  12. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Correlation Engine • Group clients according to their destination IP and Port pair (HTTP/IRC connection record) • Perform a group analysis on spatial-temporal correlation and similarity property – Response-Crowd-Density-Check – Response-Crowd-Homogeneity-Check 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 12 Traffic

  13. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Response-Crowd-Density-Check Algorithm • Response crowd – a set of clients that have (message/activity) response behavior • A Dense response crowd – the fraction of clients with message/activity behavior within the group is larger than a threshold (e.g., 0.5). • Example: 5 clients connected to the same IRC/HTTP server, and all of them scanned at similar time (or send IRC messages at similar time) • Accumulate the degree of suspicion – Sequential Probability Ratio Testing (SPRT) 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 13 Traffic

  14. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Sequential Probability Ratio Testing (SPRT) • Each round, observe whether current crowd is dense or not (Y=1 or Y=0) – Hypothesis • Pr(Y=1|H1) very high (for botnet) • Pr(Y=1|H0) very low (for benign) • Update accumulated likelihood ratio according to the observation Y • After several rounds, we may reach a decision (which hypothesis is more likely, H1 or H0) 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 14 Traffic

  15. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Sequential Probability Ratio Testing (cont.) Acc. Likelihood ratio Threshold B , (Botnet ) Stopping time Time Threshold A (benign) • Also called TRW (Threshold Random Walk) • Bounded false positive and false negative rate (as desired), and usually needs only a few rounds 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 15 Traffic

  16. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Response-Crowd-Homogeneity-Check Algorithm • A homogeneous response crowd – Many members have very similar responses • Similarity is defined – Message response • Similar payload (DICE distance) • E.g., “ abcde ” and “ bcdef ” , common 2-grams: “ bc,cd,de ” , DICE distance is 2*3/(4+4)=6/8=0.75 – Activity response (examples) • Scan same ports • Download same binary • Send similar spams 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 16 Traffic

  17. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Real-Time IRC Message Correlation Flow Diagram IRC PRIVMSG Message Response Crowd n Compute DICE Distance, Is there a major cluster? (calculate Y n ) Update Yes Output “botnet” >= B No Output “benign” and Yes <= A put into a soft whitelist No for a random time Wait for more observation of response crowd 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 17 Traffic

  18. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Crowd Homogeneity: Relationship with Number of Clients For a botnet, more clients, higher probability of crowd homogeneity For normal IRC channel, more clients, lower probability of crowd homogeneity q: #clients t: threshold in clustering P= θ (2): basic probability of two clients sending similar messages 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 18 Traffic

  19. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Number of Rounds Needed 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 19 Traffic

  20. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Experiment 189 days’ of IRC traffic 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 20 Traffic

  21. Introduction Motivation Architecture BotSniffer Algorithm Summary Experiment Experiment (cont.) Thanks David Dagon, Fabian Monrose, and Chris Lee for providing some of the evaluation traces 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 21 Traffic

  22. Introduction BotSniffer Summary BotSniffer Summary • Exploiting the underlying spatial-temporal correlation and similarity property of botnet C&C (horizontal correlation) • New anomaly-based detection algorithm • New Botnet C&C detection system: BotSniffer • Detected real-world botnets with a very low false positive rate 2008-2-25 Guofei Gu NDSS’08 BotSniffer: Detecting Botnet C&C Channels in Network 22 Traffic

Recommend

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What

Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What

Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What do we Track and Why? + Overview of Information Stealing Trojans How/What they steal Phoning Home Popular Kits + Detecting C&amp;C

378 views • 25 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis &amp; Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&amp;C). The perpetrator is usually called a botmaster.

409 views • 11 slides
Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser

Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser

Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser Interdisciplinary Project Advisor: Lothar Braun Chair for Network Architectures and Services Faculty of Computer Science Technische Universit at M

1.02k views • 56 slides
A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T exas at San Antonio Overview Botnet Lifecycle Botnet Architecture Command and Control Mechanisms (C&amp;C) Dynamic Graph Model Botnet

195 views • 18 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien

Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien

Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien Maisonneuve Thesis supervisors: Olivier Hermant Franois Irigoin Thesis defense Paris, February 6, 2015 Control-Command Systems A control-command

1.17k views • 83 slides
Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2

Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2

Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2 WS) 2005-2007 2005-2007 Magdalena Hammervik Jenny Lindoff Martin Castor Lars Tydn Purpose of this presentation Purpose of this presentation

530 views • 24 slides
Key Human System Integration Plan Elements for Command &amp; Control Acquisition Michael B.

Key Human System Integration Plan Elements for Command &amp; Control Acquisition Michael B.

2010 Command and Control Research and Technology Symposium Key Human System Integration Plan Elements for Command &amp; Control Acquisition Michael B. Cowen, Ph.D. SPAWAR Systems Center Pacific Code 53621 53560 Hull Street San Diego, CA 92152

492 views • 13 slides
The Environment in Network Centric Operations: A Framework for Command and Control Presented to

The Environment in Network Centric Operations: A Framework for Command and Control Presented to

The Environment in Network Centric Operations: A Framework for Command and Control Presented to the 12th International Command and Control Research and Technology Symposium Paper I-156 Dr. Michael R. Hieb Sean Mackay Michael Powers Martin

332 views • 19 slides
Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS

Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS

Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS Dept., NCTU Jung Hong Chuang The Big Picture Marks Basic graphical elements in an image Channels Visual channels to control the

667 views • 43 slides
Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic Giroire Nina Taft Eve Schooler Mascotte project I3S (CNRS, Univ. of Nice) Intel Labs INRIA Sophia Antipolis Botnets: Why care? Botnet

888 views • 46 slides
Response: WCC, SDC &amp; Partners Multi-Agency Command and Control - 4 Cs - Command, Control

Response: WCC, SDC &amp; Partners Multi-Agency Command and Control - 4 Cs - Command, Control

Emergency Planning in Stratford Scrutiny Committee Michael Enderby Head of Service, CSW Resilience 6 th September 2017 04/09/2017 Civil Contingencies Act 2004 THE 7 DUTIES A single framework for civil protection in the United Kingdom to

419 views • 4 slides
Swiftwater Review Swiftwater Review There are over 470 miles of flood control channels in

Swiftwater Review Swiftwater Review There are over 470 miles of flood control channels in

Swiftwater Review Swiftwater Review There are over 470 miles of flood control channels in Los Angeles County Flood channels vary in shape and composition vertical sides sloped banks natural river Swiftwater Review Water

738 views • 35 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
C3CEN Industry Day 2018 CAPT Michael F. Nasitka Commanding Officer Command, Control, and

C3CEN Industry Day 2018 CAPT Michael F. Nasitka Commanding Officer Command, Control, and

Command, Control, and Communications Engineering Center (C3CEN) C3CEN Industry Day 2018 CAPT Michael F. Nasitka Commanding Officer Command, Control, and Communications Engineering Center Sustaining the PresentDeveloping the Future Command,

1.18k views • 49 slides
FGAN Content 1. The Development of a Formal Grammar 2. Designing a Command and Control Grammar

FGAN Content 1. The Development of a Formal Grammar 2. Designing a Command and Control Grammar

Applying A Formal Language of Command and Control for Interoperability Between Systems Presented to the AFCEA - GMU C4I Center Symposium on Critical Issues in C4I Dr. Michael Hieb Dr. Ulrich Schade George Mason University FGAN-FKIE US

562 views • 14 slides
New Control Schemes for Bilateral Teleoperation under Asymmetric Communication Channels:

New Control Schemes for Bilateral Teleoperation under Asymmetric Communication Channels:

New Control Schemes for Bilateral Teleoperation under Asymmetric Communication Channels New Control Schemes for Bilateral Teleoperation under Asymmetric Communication Channels: Stabilization and Performance under Variable Time Delays Bo Zhang

1.67k views • 117 slides
COMMAND AND CONTROL SYSTEMS zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA CRITICAL PATH

COMMAND AND CONTROL SYSTEMS zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA CRITICAL PATH

COMMAND AND CONTROL SYSTEMS zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA CRITICAL PATH APPROACH TO BY D. J. LAMB AND P. F. O'NEILL OPERATIONAL RESEARCH AND ANALYSIS NATIONAL DEFENCE HEADQUARTERS OTTAWA, CANADA OUTLINE OF PRESENTATION

680 views • 45 slides
Between Fluffy Bunnies and Command &amp; Control Agile Adop8on

Between Fluffy Bunnies and Command &amp; Control Agile Adop8on

Between Fluffy Bunnies and Command &amp; Control Agile Adop8on in Prac8ce 5493 Benjamin Mitchell Independent Consultant @benjaminm Mixed Messages &amp;

964 views • 48 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&amp;C server Bots query the

1k views • 58 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides

More recommend