detecting botnets with temporal persistence
play

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar - PowerPoint PPT Presentation

Jan 30, 2023 •422 likes •888 views

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic Giroire Nina Taft Eve Schooler Mascotte project I3S (CNRS, Univ. of Nice) Intel Labs INRIA Sophia Antipolis Botnets: Why care? Botnet

  1. Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic Giroire Nina Taft Eve Schooler Mascotte project I3S (CNRS, Univ. of Nice) Intel Labs INRIA Sophia Antipolis

  2. Botnets: Why care?

  3. Botnet Life-Cycle spam IRC DoS dirty webpage HTTP clickfraud drive by download proxies theft P2P trojans espionage hybrid call exploit actuation home

  4. Botnet Life-Cycle spam IRC DoS dirty webpage HTTP clickfraud drive by download proxies theft P2P trojans espionage hybrid call exploit exploit actuation actuation home signature matching software patching

  5. Botnet Life-Cycle spam IRC DoS dirty webpage HTTP clickfraud drive by download proxies theft P2P trojans espionage hybrid call exploit exploit actuation actuation home signature matching software patching see RAID’09 proceedings

  6. Botnet Life-Cycle spam IRC DoS dirty webpage HTTP clickfraud drive by download proxies theft P2P trojans espionage hybrid call exploit exploit actuation actuation home signature matching software patching traffic anomaly detectors NBAD see RAID’09 proceedings

  7. Botnet Life-Cycle spam IRC DoS dirty webpage HTTP clickfraud drive by download proxies theft P2P trojans espionage hybrid call exploit exploit actuation actuation home traffic correlation signature matching port inspection software patching traffic anomaly detectors payload analysis NBAD noisy see RAID’09 prone to false positives proceedings

  8. Botnet Life-Cycle spam IRC DoS dirty webpage HTTP clickfraud drive by download proxies theft P2P trojans espionage hybrid call exploit exploit actuation actuation home traffic correlation signature matching port inspection software patching traffic anomaly detectors payload analysis NBAD noisy see RAID’09 hard to adapt prone to false positives proceedings a-priori knowledge req.

  9. Botnets C&C invariants • Botmasters seldom try to connect to the drones: • drones initiate the (rondezvous) connections • Drones need to call home often: • (if not) drone falls off the radar

  10. Botnets C&C invariants • Botmasters seldom try to connect to the drones: • drones initiate the (rondezvous) connections watch outgoing traffic • Drones need to call home often: • (if not) drone falls off the radar use a frequency based metric

  11. Our Solution: Canary A general purpose, non- specific learning based behavioral detector to uncover botnet C&C destinations at the end-host without a-priori assumptions about traffic types, destinations or protocols

  12. Our Solution: Canary A general purpose, non- specific learning based behavioral detector to uncover botnet C&C destinations at the end-host without a-priori assumptions about traffic types, destinations or protocols

  13. High Level Method Training Day1 Day2 Day3 Day4 Day5 .. .. DayN ..

  14. High Level Method watch destinations whitelist frequent destinations Training Day1 Day2 Day3 Day4 Day5 .. .. DayN ..

  15. High Level Method watch destinations whitelist frequent destinations whitelist Detection params Training Day1 Day2 Day3 Day4 Day5 .. .. DayN ..

  16. High Level Method ignore whitelisted destinations track frequency for non-whitelisted destinations raise alarm for new high frequency destinations watch destinations whitelist frequent destinations whitelist Detection params Training Day1 Day2 Day3 Day4 Day5 .. .. DayN ..

  17. High Level Method Botnet C&C’s are likely to be frequently visited ignore whitelisted destinations track frequency for non-whitelisted destinations raise alarm for new high frequency destinations watch destinations whitelist frequent destinations whitelist Detection params Training Day1 Day2 Day3 Day4 Day5 .. .. DayN ..

  18. High Level Method adding to the whitelist is Botnet C&C’s are likely to a very rare event be frequently visited ignore whitelisted destinations track frequency for non-whitelisted destinations raise alarm for new high frequency destinations watch destinations whitelist frequent destinations whitelist Detection params Training Day1 Day2 Day3 Day4 Day5 .. .. DayN ..

  19. Remaining Detail Destination granularity: tracking IP address = large whitelists! ➡ destination atoms (Frequency) metric needs to capture: 10 loosely periodic behavior at unknown 9 8 7 timescales 6 5 4 3 2 1 ➡ persistence 0 0 1 2 3 4 5 6 7 8 9 10 We track persistence of destination atoms & build whitelists of destination atoms

  20. Destination Atoms mail1.sc.intel.com mail3.sc.intel.com mail3.jf.intel.com circuit.intel.com cps.circuit.intel.com xyz.google.com abs.google.com

  21. Destination Atoms mail1.sc.intel.com mail.intel.com mail3.sc.intel.com mail3.jf.intel.com circuit.intel.com circuit.intel.com cps.circuit.intel.com google.com xyz.google.com abs.google.com

  22. Persistence sliding window 1 1 0 0 0 1 0 1 1 0 1 1 1 1

  23. Persistence sliding window w 1 1 0 0 0 1 0 1 1 0 1 1 1 1 W

  24. Persistence sliding window w 3/7 1 1 0 0 0 1 0 1 1 0 1 1 1 1 W

  25. Persistence sliding window w 3/7 1 1 0 0 0 1 0 6/7 1 1 0 1 1 1 1 W

  26. Picking Timescale suppose: w= 1hr, W=24hr Botnet X Botnet Y Botnet Z connect to C&C once a connect to C&C connect to C&C day hourly every 5-6 hours p-value: 1/24 =0.042 p-value: 24/24 =1 p-value: 4/24 = 0.17

  27. Picking Timescale suppose: w= 1hr, W=24hr Botnet X Botnet Y Botnet Z connect to C&C once a connect to C&C connect to C&C day hourly every 5-6 hours p-value: 1/24 =0.042 p-value: 24/24 =1 p-value: 4/24 = 0.17 Cannot assume a single, fixed timescale!!!!

  28. Selecting Timescale(s) • Select n overlapping timescales TS 1 =(w 1 ,W 1 ), TS 2 =(w 2 ,W 2 ), TS 3 =(w 3 ,W 3 ),...., TS n =(w n ,W n ) • p i := persistence of atom for TS i =(w i ,W i ) • track p i concurrently for all the timescales • p(atom) := max i p i (atom)

  29. Selecting Timescale(s) • Select n overlapping timescales TS 1 =(w 1 ,W 1 ), TS 2 =(w 2 ,W 2 ), TS 3 =(w 3 ,W 3 ),...., TS n =(w n ,W n ) • p i := persistence of atom for TS i =(w i ,W i ) • track p i concurrently for all the timescales • p(atom) := max i p i (atom) Can become very expensive! Trick: select W i = k. w i Then, use a single bitmap of size k.w max

  30. Dataset: Training • Normal user traces collected from 157 end-hosts for 4 weeks • Data collected on end-hosts • winpcap + wrapper code • traces assumed clean (some suspicious traffic observed: ground truth not available) • Initial 2 weeks of data used for training • pick threshold for persistence • construct per user whitelists

  31. Picking threshold(s) 1 → seems reasonable 0.9 0.8 0.7 # of atoms 0.6 80 % of destinations 0.5 have a p-value <0.2 0.4 20% of destinations have a p-value > 0.2 0.3 0.2 0.1 0 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 persistence if p(atom) > 0.6 add to whitelist

  32. Whitelist Sizes 25 # users 12.5 0 40 70 90 110 125 145 whitelist size 14

  33. Validation • Started with 55 distinct malware binaries windows auto update • 27 had traffic; 12 had traffic for longer than 1 day • Ran each malware for 1 week; all traffic logged • Packet traces ➜ flow traces [Bro] • Flow traces manually analyzed to isolate C&C traffic malware

  34. ClamAV Signature C&C type # of C&C atoms C&C Volume min - max Trojan.Aimbot-25 port 22 1 0-5.7 Trojan.Wootbot-247 IRC port 12347 4 0-6.8 Trojan.Gobot.T IRC port 66659 1 0.2-2.1 Trojan.Codbot-14 IRC port 6667 2 0-9.2 Trojan.Aimbot-5 IRC via http proxy 3 0-10 Trojan.IRCBot-776* HTTP 16 0-1. Trojan.VB-666* IRC port 6667 1 0-1.3 Trojan.IRC-Script-50 IRC ports 6662-6669,9999,7000 8 0-2.1 8 Trojan.Spybot-248 port 9305 4 3.8-4.6 Trojan.MyBot-8926 IRC port 7007 1 0-0.1 Trojan.IRC.Zapchast-11 IRC ports 6666, 6667 9 0-1 Trojan.Peed-69 [Storm] P2P/Overnet 19672 0-30 Converted packet traces to flow traces and hand analyzed each trace individually to identify/isolate C&C traffic to identify/isolate attack traffic

  35. 3 Detailed Examples • SDBot • 2 atoms in covert channel- identified by IRC server names • attack traffic- scans on ports 135, 139, 445 & 2097* • Zapchast • 9 atoms in covert channel- popular IRC ports • attack traffic- netbios(?) • Storm/Peacomm • ~82,000 atoms (almost all atoms are singletons) • no well known port/address for C&C destinations • attack traffic is SMTP (overwhelmingly), and possibly some http & ssh

  36. Connection Rates (per min) C&C Attack 150.0 112.5 75.0 37.5 SDBot 0 ZapChast Storm

  37. C&C Detection 24 hr SDBot 18 hr 12 hr Storm 6 hr ZapChast 1 hr 0.0 0.2 0.4 0.6 0.8 1.0 persistence

Recommend

Effective features for detecting Effective features for detecting IRC botnets IRC botnets

Effective features for detecting Effective features for detecting IRC botnets IRC botnets

Effective features for detecting Effective features for detecting IRC botnets IRC botnets Claudio Mazzariello, Carlo Sansone Carlo Sansone Claudio Mazzariello, Dipartimento di Informatica e Sistemistica Dipartimento di Informatica e

614 views • 19 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr hrea eats ts of inte of intern rnet et Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets?

722 views • 35 slides
Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by

Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by

Java Technologies Java Persistence API (JPA) Persistence Layer The Persistence Layer is used by an application in order to persist its state, that is to store and retrieve information using some sort of database management system. Presentation

633 views • 60 slides
BaySTDetect: Detecting unusual temporal patterns in small area disease rates using Bayesian

BaySTDetect: Detecting unusual temporal patterns in small area disease rates using Bayesian

BaySTDetect: Detecting unusual temporal patterns in small area disease rates using Bayesian posterior model probabilities Guangquan Li, Sylvia Richardson, Lea Fortunato, Isma l Ahmed, Anna Hansell, Mireille Toledano and Nicky Best

381 views • 36 slides
ADROIT: Detecting Spatio-Temporal Correlated Attack-Stages in IoT Networks NUS-Singtel Cyber

ADROIT: Detecting Spatio-Temporal Correlated Attack-Stages in IoT Networks NUS-Singtel Cyber

ADROIT: Detecting Spatio-Temporal Correlated Attack-Stages in IoT Networks NUS-Singtel Cyber Security R&amp;D Corp. Lab Dinil Mon Divakaran, Rhishi Pratap Singh, Kalupahana Liyanage Kushan Sudheera, Mohan Gurusamy, Vinay Sachidananda Context

745 views • 27 slides
Databases SWEN-250 Persistence First a detour Persistence is the key to solving most

Databases SWEN-250 Persistence First a detour Persistence is the key to solving most

Databases SWEN-250 Persistence First a detour Persistence is the key to solving most mysteries. Christopher Pike, Black Blood Persistence when you are stuck on a piece of new code is hardly ever a virtue. Try redesigning the

619 views • 25 slides
Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive analysis Study spam e-mail, DNS queries by bot-infected machines, DNS blacklists, analyze network traffic, etc. Infiltration Todays

686 views • 15 slides
Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray, Sven Krasser Motivation Spam: More than Just a Nuisance Spam: Ham: unsolicited bulk

523 views • 28 slides
Detecting Wikipedia Vandalism via Spatio- Temporal Analysis of Revision Metadata Andrew G. West

Detecting Wikipedia Vandalism via Spatio- Temporal Analysis of Revision Metadata Andrew G. West

Detecting Wikipedia Vandalism via Spatio- Temporal Analysis of Revision Metadata Andrew G. West June 10, 2010 ONR-MURI Presentation Where we left off. FROM THE LAST MURI REVIEW 2 6/10/2010 ONR-MURI Review Spatio-Temporal Reputation

964 views • 40 slides
NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

PHOENIX &amp; CERBERUS We haz botnets! #Honeynet2014 Stefano Schiavoni, Edoardo Colombo Federico Maggi Lorenzo Cavallaro Stefano Zanero Politecnico Di Milano &amp; Royal Hollway, University of London NECST laboratory BOTNETS FUNDING ETC.

1.28k views • 107 slides
BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines (bots) under unified control of an attacker (botmaster) Method of compromise decoupled from method of control Launch a worm/virus, etc.:

790 views • 16 slides
Mylobot, Detecting the Undetected Using Deep Learning Yael Daihes 02 WHO AM I Yael Daihes

Mylobot, Detecting the Undetected Using Deep Learning Yael Daihes 02 WHO AM I Yael Daihes

01 Mylobot, Detecting the Undetected Using Deep Learning Yael Daihes 02 WHO AM I Yael Daihes Security Data Science Team Lead @ Akamai Technologies My things - Botnets, Traffic, Data, Algorithms, Reading, Painting and a bit of Gaming (:

533 views • 42 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

Studying Spamming Botnets Using BotLab Arvind Krishnamurthy Joint work with: John John, Alex Moshchuk, Steve Gribble University of Washington Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

291 views • 15 slides
Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats threats of of interne internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets? Because Bot

379 views • 27 slides
Keep Persistence Simple, Stupid A possible future for Java Persistence Robert Brutigam adidas

Keep Persistence Simple, Stupid A possible future for Java Persistence Robert Brutigam adidas

Keep Persistence Simple, Stupid A possible future for Java Persistence Robert Brutigam adidas AG The KISS principle. Herbstcampus 2010 Keep Persistence Simple, Stupid 2 Complexity Cost Functions (Lower) Cost (Higher) Complexity

211 views • 17 slides
Temporal Partioning Temporal

Temporal Partioning Temporal

Temporal Partioning Temporal Partioning with Partial Mikael Olausson Reconfiguration Embedded Reconfigurable Computer Engineering Architectures Department of Electrical

195 views • 8 slides
Spatio-Temporal Statistics with R Chapter Two: Exploring Spatio-Temporal Data Spatio-Temporal

Spatio-Temporal Statistics with R Chapter Two: Exploring Spatio-Temporal Data Spatio-Temporal

Spatio-Temporal Statistics with R Chapter Two: Exploring Spatio-Temporal Data Spatio-Temporal Data Spatio-Temporal Data Geostatistical : continuous spatial index Areal (lattice): defined on finite/countable subset in space Point

897 views • 25 slides
Botnets Secret Puppetry With Computers Balaji Prasad T.K ( bpt@email.arizona.edu ) Nupur

Botnets Secret Puppetry With Computers Balaji Prasad T.K ( bpt@email.arizona.edu ) Nupur

Botnets Secret Puppetry With Computers Balaji Prasad T.K ( bpt@email.arizona.edu ) Nupur Maheshwari ( nupurm@email.arizona.edu ) Department of Computer Science University of Arizona April 22, 2012 What are Botnets? 1 Technical Overview 2

895 views • 37 slides
Success in Exploration and Development; the value of persistence Development; the value of

Success in Exploration and Development; the value of persistence Development; the value of

EPC: TSX-V Success in Exploration and Development; the value of persistence Development; the value of persistence Empire Mining Corporation david@empireminingcorp.com 1090 Hamilton Street Vancouver, BC V6B 2R9 CANADA June 2012

532 views • 30 slides
Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L i L L Long ong I I Islan I l and S d S d S d Soun ound d with with NERACOOS Buoy y Observations James ODonnell, Todd Fake, Kay

815 views • 26 slides
Spamming Botnets: Signatures and Characteris5cs Xie et al.

Spamming Botnets: Signatures and Characteris5cs Xie et al.

Spamming Botnets: Signatures and Characteris5cs Xie et al. Presented by Kyle Mar5n &lt;kyle.mar5n@knights.ucf.edu&gt; The Problems Botnets The Problems

823 views • 36 slides
Graph Databases for Polyglot Persistence with NotaQL 2017-03-08 Johannes Schildgen

Graph Databases for Polyglot Persistence with NotaQL 2017-03-08 Johannes Schildgen

Transformations on Graph Databases for Polyglot Persistence with NotaQL 2017-03-08 Johannes Schildgen schildgen@cs.uni-kl.de Yannick Krck Stefan Deloch Polyglot Persistence 3 Polyglot Persistence db.product.insert ({})

626 views • 50 slides

More recommend