1 / 23

Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation

Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation. In Proceedings of USENIX Workshop on Hot Topics in Understanding Botnets ( HotBots ), 2007. Reporter : Fong- Ruei , Li. Outline. Introduction Background Communication Channel Detection Results and Evaluation

boaz
Download Presentation

Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation In Proceedings of USENIX Workshop on Hot Topics in Understanding Botnets (HotBots), 2007 Reporter : Fong-Ruei , Li Machine Learning and Bioinformatics Lab

  2. Outline • Introduction • Background • Communication Channel Detection • Results and Evaluation • Conclusion Machine Learning and Bioinformatics Lab

  3. Introduction • Currently • stop a given botnet is to disable the communication channel for the bots • However • the hosts stay infected and are in most cases still backdoored, allowing an attacker to reclaim the machine at any time. Machine Learning and Bioinformatics Lab

  4. Background • Internet Relay Chat(IRC) • Each of the different servers hosts a number of different chat rooms • called channels • Every user connected to an IRC server has its own unique username • called nickname Machine Learning and Bioinformatics Lab

  5. Background • BotMaster • communicate with the botnet is to use IRC • Bots • join a specific channel on a public or private IRC server • to receive further instructions Machine Learning and Bioinformatics Lab

  6. Communication Channel Detection • All bots have one characteristic in common: • they need a communication channel • Our approach focuses on • detecting the communication channel between the bot and the botnet controller • it is possible to detect a bot even before it performs any malicious actions Machine Learning and Bioinformatics Lab

  7. Project Rishi • Every captured packet extracts : • Time of suspicious connection • IP address and port of suspected source host • IP address and port of destination IRC server • Channels joined • Utilized nickname Machine Learning and Bioinformatics Lab

  8. Network setup of Rishi Machine Learning and Bioinformatics Lab

  9. Basic Concept - Rishi Machine Learning and Bioinformatics Lab

  10. Scoring Function • Checks for the occurrence of several criteria : • suspicious substrings • the name of a bot (e.g., RBOT or l33t-) • special characters • like [ , ] , and | • long numbers. • nickname consists of many digits: • for each two consecutive digits 1 point Machine Learning and Bioinformatics Lab

  11. Scoring Function • True signs for an infected host raise the final score by more than one point • a match with one of the regular expressions • a connection to a blacklisted server • the use of a blacklisted nickname > 1 points Machine Learning and Bioinformatics Lab

  12. Regular Expression • Each nickname is tested against several regular expressions • which match known bot names • For example the following expression: \[[0-9]\|[0-9]{4,} • like [0|1234] • like |1234 10 points Machine Learning and Bioinformatics Lab

  13. Whitelisting • The software utilizes : • hard coded whitelist • dynamic whitelist • Each nickname, which receives zero points • is added to the dynamic whitelist Machine Learning and Bioinformatics Lab

  14. Blacklisting • Two blacklists: • the first blacklist is hard coded • in the configuration file • the second one is a dynamic list • with nicknames added to it automatically according to the final score Machine Learning and Bioinformatics Lab

  15. Example • Imagine that the nickname • RBOT|DEU|XP-1234 was added to the blacklist • The next captured nickname • RBOT|CHN|XP-5678 17 points 7 points • 10 points for more than 50% congruence with a name stored on the dynamic blacklist • 1 point each due to the suspicious substrings RBOT,CHN, and XP • 1 points each due to the two occurrences of the special character | • 1 point each due to two occurrences of consecutive digits Machine Learning and Bioinformatics Lab

  16. Example 7 points • 1 point each due to the suspicious substrings RBOT,CHN, and XP • 1 points each due to the two occurrences of the special character | • 1 point each due to two occurrences of consecutive digits • 10 points for more than 50% congruence with a name stored on the dynamic blacklist 17 points Machine Learning and Bioinformatics Lab

  17. Results and Evaluation • RWTH Aachen university • 30,000 computer users to support • Rishi runs on a Quad-CPU Intel Xeon 3,2Ghz system with 3GB of memory installed • we are monitoring a 10 GBit network Machine Learning and Bioinformatics Lab

  18. Results and Evaluation Machine Learning and Bioinformatics Lab

  19. Results and Evaluation Machine Learning and Bioinformatics Lab

  20. Results and Evaluation Machine Learning and Bioinformatics Lab

  21. Conclusion • Based on characteristics of the communication channel • observe protocol messages • use n-gram analysis together with a scoring function • black-/whitelists Machine Learning and Bioinformatics Lab

  22. Bot Nicknames Machine Learning and Bioinformatics Lab

  23. The end Thank you for listening Machine Learning and Bioinformatics Lab

More Related