
Detection of SIP BoTnet based on C&C Communications


Presentation Transcript


  1. Detection of SIP Botnet based on C&C Communications. Mohammad AlKurbi

  2. Overview
  • Introduction to Botnet
  • Why SIP is useful?
  • Problem Statement
  • Related Works
  • Proposed Solution
  • Preliminary Evaluation
  • Conclusions & Future Work
  Detection of SIP Botnet Based on C&C Communications

  3. Brief Introduction to Botnet

  4. Botnet?
  • A network of compromised computers controlled by a master to do correlated tasks [GP+08].
  [Figure: Botnet Master → Controller → Command & Control Channel (IRC, HTTP, P2P) → Bots (compromised hosts) → Malicious Activity (Scan, Spam, DDoS) → Victim]

  5. Bot life cycle
  • Infection: initial installation of the botnet malware, by email, accessing infected web sites, or vulnerability exploitation.
  • Bootstrap: join the botnet, using a preliminary list of bots.
  • Command and Control (C&C): get instructions and send information / feedback.
  • Malicious activity: implement instructions (scan, spam, DDoS, maintenance, etc.); maintenance upgrades the bot software.

  6. Botnet models?
  • Centralized model (IRC/HTTP)
  • Distributed model (P2P)
  [Figure: Botnet Master, Controller, Victim]

  7. Botnet history [GZL08]
  • IRC Botnet: centralized C&C structure; access to IRC is restricted or limited.
  • HTTP Botnet: centralized C&C structure; has a better access policy, therefore stealthy.
  • P2P Botnet: distributed C&C structure.

  8. SIP as a C&C protocol

  9. Why is SIP a useful C&C protocol?
  • SIP has outstanding features [A. Berger et al. (NPSec '09)]:
    • SIP access would have a less restrictive policy than P2P.
    • SIP infrastructure minimizes management overhead: registration, tracking of clients' status, reliable message delivery.
    • The SIP message structure provides many options: SIP instant messaging, standard/user-defined message headers, message body.

  10. Problem Statement
  • Botnet is one of the most serious and growing security threats [SLWL07, GZL08, YD+10]:
    • 40% of all computers connected to the Internet are considered infected bots [ZLC08].
    • 20% of malware will still be able to get into up-to-date Internet computers [BK07].
  • SIP is even more attractive as a C&C protocol after being adopted by 3GPP.
  • SIP Botnet has not been considered before.

  11. Study & Detection Approaches
  • Bot's source code analysis.
  • Honeynets.
  • Signature based detection.
  • Anomaly based detection:
    • Based on botnet malicious activities: high volume traffic such as DDoS attacks, scans, spam, or abnormal traffic.
    • Based on C&C communications.

  12. C&C Detection Approach
  • C&C is the weakest link [GZL08]: interrupting the C&C channel disarms the botnet [SLWL07].
  • Based on the following observation [GZL08, GP+08]: due to preprogrammed activities, bots tend to behave in a similar or correlated manner.
  • Restricting access to C&C controllers isolates the bots.
  • No prior knowledge is needed.

  13. Related Works

  14. Related Works (1)
  • G. Gu et al., "BotSniffer: Detecting botnet command and control channels in network traffic", NDSS 08, February:
    • Detects centralized C&C channels (IRC & HTTP).
    • Monitors crowd density / homogeneity of clients that connect to the same server; event sequences are considered.
    • Deep inspection: protocol matcher.
    • The crowd homogeneity algorithm is vulnerable to encryption.

  15. Related Works (2)
  • G. Gu et al., "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection", Security '08, July:
    • Protocol & structure independent: captures all TCP/UDP.
    • Does not consider event sequences.
    • Two-step X-means clustering.
    • Identifies hosts that share both similar C&C communication patterns and similar malicious activity patterns.

  16. Related Works (3)
  • X. Yu et al., "Online botnet detection based on incremental discrete Fourier transform", Journal of Networks, 5(5), May 2010:
    • Protocol & structure independent.
    • Event sequences are considered.
    • distance(X, Y) = distance(DFT(X), DFT(Y)) [Discrete Fourier Transform].
    • Fewer DFT coefficients are required to capture the distance.
    • A suspected bot's malicious activities are monitored before confirming its identity.

  17. The Proposed Solution

  18. The Proposed Solution
  • Developing a system to detect SIP Botnet (i.e. SIP is the C&C protocol):
    • It is a network anomaly based system.
    • Based on bots' similar behavior.
    • It does not rely on the event sequence [SLWL07, GP+08], so it resists the random-time evasion technique.
    • Detects bots at early stages: before they initiate malicious activities, or as early as possible.
    • By monitoring & analyzing C&C communications (i.e. SIP communications).
    • Without any prior knowledge.
  • A suspected bot's identity is confirmed as soon as it carries out one or more botnet malicious activities.

  19. The Proposed Solution (Main idea)
  • Two users are considered similar if they share similar flows more than a defined threshold ( ).
  • Similar users are considered suspected bots.
  [Figure: feature streams of User-1 and User-2]

  20. System Overview

  21. System Components (1)
  • Monitoring Engine:
    • Logs SIP / malicious traffic to a central DB server.
    • Based on Snort (open source intrusion detection system), with a customized set of rules to capture SIP traffic and a set of activated plug-ins to capture malicious activities.
    • Installed where the designated traffic passes by, such as network gateways.

  22. System Components (2)
  • Correlation Engine:
    • Developed in Java.
    • Input: SIP / malicious traffic that has been logged into the central DB.
    • Function: detect bots and C&C controllers.
    • It can be installed anywhere as long as it has access to the central DB server.

  23. Correlation Engine (How it works)
  • Feature Vector (FV):
    • A flow is transformed into a feature vector.
    • An FV consists of flow attributes such as: duration (seconds), size (bytes), no. of packets, bps (bytes per sec.), bpp (bytes per packet).
  • Feature Stream (FS):
    • A user's flows are represented by a feature stream.
    • Each column is a feature vector.
  [Figure: a user's feature stream over a time window (w): columns FV1..FVn, one per Flow1..Flown, each holding Duration, Size, #Packets, bps, bpp]

  24. Correlation Engine (How it works)
  • Two flows [a, b] are similar if distance d(a,b) = , f: no. of features
  • Two users (A, B) are considered similar if distance d(A,B) =
  • A/B → Feature Stream of user A/B.
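The feature-vector and similarity idea of slides 23 and 24, worked through in Python as an added example (not the presentation's Java engine). The slides do not give the distance formula or the user-similarity rule, so this code assumes: min-max scaling of the five features, a per-feature averaged Euclidean distance for d(a,b), and two users counted as similar when the smaller of the two directional shares of matching flows reaches the threshold θ. The flows are constructed sample data, not captured traffic.

```python
from itertools import combinations
from math import sqrt

NFEAT = 5  # f: Duration, Size, #Packets, bps, bpp (the slide's feature vector)

def feature_vector(duration, size, packets):
    """Map one SIP flow to the slide's FV; bps and bpp are derived from the raw counters."""
    bps = size / duration if duration else 0.0
    return (duration, size, packets, bps, size / packets)

def normalise(streams):
    """Min-max scale each feature over all users' flows so that bytes do not swamp seconds.
    Assumption: the slides do not state how features are scaled before measuring distance."""
    fvs = [fv for fs in streams.values() for fv in fs]
    lo = [min(fv[i] for fv in fvs) for i in range(NFEAT)]
    hi = [max(fv[i] for fv in fvs) for i in range(NFEAT)]
    def scale(fv):
        return tuple((fv[i] - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0
                     for i in range(NFEAT))
    return {user: [scale(fv) for fv in fs] for user, fs in streams.items()}

def flow_distance(a, b):
    """d(a,b): Euclidean distance over the f features, averaged per feature (assumed form)."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)) / len(a))

def shared_fraction(fs_a, fs_b, eps):
    """Share of A's flows that have at least one similar flow (d <= eps) in B's stream."""
    hits = sum(1 for a in fs_a if any(flow_distance(a, b) <= eps for b in fs_b))
    return hits / len(fs_a)

def suspected_bots(flows, eps=0.05, theta=0.8):
    """Users whose feature streams share similar flows above threshold theta.
    Assumed rule: the smaller of the two directional shares must reach theta."""
    streams = normalise({u: [feature_vector(*f) for f in fl] for u, fl in flows.items()})
    flagged = set()
    for u, v in combinations(streams, 2):
        share = min(shared_fraction(streams[u], streams[v], eps),
                    shared_fraction(streams[v], streams[u], eps))
        if share >= theta:
            flagged.update((u, v))
    return sorted(flagged)

# Constructed flows for one time window w, as (duration s, size bytes, packets).
# The two bots exchange near-identical short "603 Decline" dialogs (slide 28);
# the two human users make calls of varied length and size.
SAMPLE_FLOWS = {
    "bot-1": [(1, 900, 3), (1, 920, 3), (1, 890, 3), (1, 910, 3)],
    "bot-2": [(1, 905, 3), (1, 915, 3), (1, 895, 3), (1, 900, 3)],
    "alice": [(120, 1_500_000, 6000), (35, 400_000, 1800), (600, 7_000_000, 30000)],
    "bob":   [(45, 500_000, 2200), (300, 3_600_000, 15000), (10, 90_000, 450)],
}

if __name__ == "__main__":
    print(suspected_bots(SAMPLE_FLOWS))  # ['bot-1', 'bot-2']
```

Only the two bots are flagged: every one of their flows has a near-identical counterpart in the other's stream, while alice and bob share at most one loosely similar call, far below θ.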

  25. Experimental Evaluation: calculate False Positive & Negative

  26. Input Data Set (Users' traffic)
  • Network traces have been generated using two tools developed by A. Berger et al. [BH09]:
  • Autosip: emulates the realistic behavior of regular users' calls:
    • The number of online users varies with time.
    • Call duration is modeled based on μ (mean value) and σ (standard deviation).
    • A user calls a friend with probability (α) and others with probability (1 − α).
    • A user makes on average C calls/hour.

  27. Autosip Components
  • Manager: sets call parameters for the clients; controls the number of active users during the day.
  • Client (SIP users): connects to the manager; clients call each other according to the parameter settings.

  28. Input Data Set (Malicious traffic)
  • Sipbot: generates SIP Botnet traffic.
    • Based on the P2P Storm botnet: the Overnet protocol has been replaced by SIP.
    • Sends a "603 Decline" response to the SIP INVITE message.

  29. Test bed: network design @ NSL cluster

  30. Preliminary Result

  31. Conclusion / Future Work / Challenges

  32. Conclusion
  • Botnet is a serious growing threat: it needs more research.
  • Detecting bots based on the C&C channel is efficient: it allows us to detect bots at early stages.
  • SIP is a promising C&C protocol.
  • A system is provided to detect SIP botnets with a very low False Negative (~0) & a reasonable False Positive.

  33. Future Work
  • Improve the similarity algorithm to decrease False Positives.
  • Implement larger scale evaluation experiments.
  • Integrate a malicious activity handler component.
  • Extract C&C controllers.
  • Try to reduce time complexity.

  34. Challenges
  • Resilience to evasion:
    • A very long response delay (larger than the time window): botnet utility is reduced or limited because the botmaster can no longer command his bots promptly and reliably [GZL08].
    • Random session size/duration.
    • Random noise packets.
    • A pool of random SIP options.

  35. End

  36. Appendix

  37. Centralized C&C Model
  [Figure: Botnet Master → C&C Controller / Communicator → Zombies (bots: compromised hosts) → Victims; Command & Control Channel: IRC, HTTP, P2P; Malicious Activity: Scan, Spam, DDoS]

  38. Distributed C&C Model
  [Figure: Botnet Master → C&C (P2P) Communicator → Zombies → Victim]

  39. Detection Approaches
  • Most of the current botnet detection approaches [7,17,19,20,26,29,35,40] work only on specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized), and can become ineffective as botnets change their C&C techniques [GP+08].
  • Some approaches [4, 6, 12, 18] have been proposed [YD+10].
  • [BCJ+09, ZLC08]

  40. C&C Detection Approach
  • C&C is the weakest link [GZL08]: interrupting the C&C channel disarms the botnet [SLWL07].
  • Based on the following observation [GZL08, GP+08]: due to preprogrammed activities, bots tend to behave in a similar or correlated manner.
  • C&C controllers are usually far fewer than bots: restricting access to them is easier, safer, and more efficient.
  • No prior knowledge is needed.

  41. Related Works (1)
  • G. Gu et al., "BotSniffer: Detecting botnet command and control channels in network traffic", NDSS 08, February:
    • Detecting centralized C&C channels (IRC & HTTP).
    • Analyzing bots' responses (message, activity) to the botmaster's commands.
    • Looking in every time window (t) for a response crowd from clients that connect to the same server: crowd density (>50%), crowd homogeneity.
    • A number of rounds are required before confirming that a crowd is a botnet.
    • Deep inspection: protocol matcher.
    • The implemented crowd homogeneity algorithm is vulnerable to encryption.

  42. Related Works (2)
  • G. Gu et al., "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection", Security '08, July:
    • Protocol & structure independent: captures all TCP/UDP.
    • Does not consider event sequences.
    • Identifies hosts that share both similar C&C communication patterns and similar malicious activity patterns.
    • Aggregates related flows during an epoch (E ~ one day) into the same C-flow.
    • Transforms C-flows into pattern vectors of equal length by a quantile-binning technique.
    • Two-step X-means clustering.

  43. Related Works (2)
  • G. Gu et al., "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection", Security '08, July:
    • Protocol & structure independent.
    • Does not consider event sequences.
    • Aggregates the past epoch's (E ~ one day) related flows into one flow.
    • To standardize the feature vector length, the discrete distribution is approximated by a binning technique (computing quartiles).
    • Two-step X-means clustering.
    • Identifies hosts that share both similar communication patterns and similar malicious activity patterns:
      • A host receives a high score if it has performed multiple types of suspicious activities, and if other hosts that were clustered with it also show the same multiple types of activities.
      • If two hosts appear in the same activity clusters and in at least one common C-cluster, they should be clustered together.

  44. Related Works (3)
  • X. Yu et al., "Online botnet detection based on incremental discrete Fourier transform", Journal of Networks, 5(5), May 2010:
    • Protocol & structure independent.
    • Event sequences are considered.
    • Online detection.
    • User flows are represented by a feature stream.
    • Similarity is measured by an average Euclidean distance.
    • distance(X, Y) = distance(DFT(X), DFT(Y)) [Discrete Fourier Transform].
    • Fewer DFT coefficients are required to capture the stream.
    • Incremental DFT coefficients avoid recalculation when a new value arrives (minimizing processing time further).
    • A suspected bot's malicious activities are monitored before confirming its identity.

  45. Related Works (3)
  • X. Yu et al., "Online botnet detection based on incremental discrete Fourier transform", Journal of Networks, 5(5), May 2010:
    • Online detection.
    • Protocol & structure independent.
    • A flow is represented by a feature stream.
    • Similarity is measured by an average Euclidean distance.
    • distance(X, Y) = distance(DFT(X), DFT(Y)).
    • DFT needs fewer feature streams.
    • Incremental DFT coefficients avoid recalculation when a new feature stream arrives (minimizing processing time further).
    • A suspected bot's malicious activities are monitored before confirming its identity.

  46. Related Works (4)
  • H. Zeidanloo and A. Abdul Manaf, "Botnet detection by monitoring similar communication patterns", International Journal of Computer Science and Information Security, 7(3), March 2010:
    • General framework: focuses on P2P based and IRC based botnets.
    • Similar users have similar graphs: User → Feature Streams → Graph [(X, Y) = (bpp, bps)].
    • The exact method has not been provided.
    • They did not provide an evaluation.

  47. Related Works ()
  • W. Strayer et al., "Botnet detection based on network behavior", Vol. 36 of Advances in Information Security, Springer, October 2007:
    • Detects IRC botnets (centralized): prompt C&C mechanism.
    • Does not consider event sequences.
    • The filtering phase assumes prior knowledge: passes only what can be C&C traffic, and filters out any traffic that does not comply with some specific semantics.
    • It examines neither content nor port.
    • Looking for C&C servers:
      • Topological analysis: highest in/out-degree in a directed graph of similar flows.
      • Flow characteristics: bandwidth, packet timing, and burst duration.

  48. The Proposed Solution
  • Developing a system to detect SIP Botnet (i.e. SIP is the C&C protocol):
    • It is a network anomaly based system.
    • Based on the concept of bots' similar behavior.
    • It does not rely on the event sequence [SLWL07, GP+08], so it resists the random-time evasion technique.
    • Detects bots at early stages: before they initiate malicious activities, or as early as possible.
    • By monitoring & analyzing C&C communications (i.e. SIP communications).
    • Without any prior knowledge.
  • A suspected bot's identity is confirmed as soon as it carries out one or more botnet malicious activities.
  • A further analysis can be applied to extract C&C controllers.

  49. The Proposed Solution (Main idea)
  • Two users are considered similar if they share similar flows more than a defined threshold ( ).
  • Similar users are considered suspected bots.
  • A bot's identity is confirmed when it commits any malicious activity.
  [Figure: feature streams of User-1 and User-2]

  50. Input Data Set
  • Network traces have been generated using the following tools developed by A. Berger:
  • Autosip: emulates the realistic behavior of regular users' calls:
    • The number of online users varies with time.
    • Call duration is modeled with a log-normal distribution [BC+05].
    • A user calls a friend with probability (α) and others with probability (1 − α).
    • A user makes on average C calls/hour: uniform call probability per minute ( ).
