Network-based Botnet Detection: Filtering, Containment, and Destruction
Yan Chen
Northwestern Lab for Internet and Security Technology (LIST)
Dept. of Electrical Engineering and Computer Science, Northwestern University
http://list.cs.northwestern.edu
Motorola Liaisons: Z. Judy Fu and Philip R. Roberts, Motorola Labs
New Internet Attack Paradigm
• Botnets have become the major attack force
• Symantec identified an average of about 10,000 bot-infected computers per day
• # of botnets: increasing
• Bots per botnet: decreasing
  • Used to be 80k-140k, now 1000s
• More firepower:
  • Broadband (1 Mbps up) x 100s = OC3
• More stealthy
  • Polymorphic, metamorphic, etc.
• Residential users, e.g., cable modem users, are particularly susceptible due to poor maintenance
Birth of a Bot
• Bots are born from program binaries that infect your PC
• Various vulnerabilities can be used
  • E-mail viruses
  • Shellcode (scripts)
Project Goal
• Understand the trend of vulnerabilities and exploits used by the botnets in the wild
• Design a vulnerability-based botnet detection and filtering system
  • Deployed at routers/base stations without patching the end users
  • Complementary to the existing intrusion detection/prevention systems
  • Can also contain the botnets from infecting inside machines
• Find the command & control (C&C) of botnets and destroy it
Limitations of Exploit-Based Signatures
[Figure: traffic filtering at the border between the Internet and "our network" using the exploit-based signature 10.*01; a polymorphic variant of the same exploit, with different bytes, passes the filter]
• Polymorphism! A polymorphic worm might not match an exact exploit-based signature
Vulnerability Signature
[Figure: vulnerability-signature traffic filtering at the border between the Internet and our network; every variant that targets the vulnerability is blocked]
• Works for polymorphic worms
• Works for all the worms which target the same vulnerability
Emerging Botnet Vulnerability and Exploit Analysis
• Large operational honeynet dataset
• Massive dataset on botnet scans with payload
• Preliminary analysis shows that the number of new exploits outpaces the number of new vulnerabilities
Vulnerability-Based Botnet Filtering/Containment
• Vulnerability Signature IDS/IPS framework
• Detect and filter incoming botnets
• Contain inside bots and quarantine infected customer machines
[Figure: the vulnerability signature matching stack, from the wire upward]
  1. Packet Sniffing
  2. TCP Reassembly
  3. Protocol Identification: port # or payload
  4. Protocol Parsing
  5. Matching: single matcher
  6. Combine multiple matchers
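The following is an added example, not code from the slides or from the LIST project, illustrating the two preceding points: why the byte-pattern signature 10.*01 from the exploit-signature slide misses a polymorphic variant while a vulnerability signature over parsed protocol fields catches both, and how the identification, parsing and matching stages of the stack above fit together. The toy protocol (a 2-byte name length, a name, a body), its port 4444 and the 64-byte buffer limit are all constructed assumptions; the exploit signature is the slide's pattern read as a byte regex.

```python
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed toy protocol for illustration (not from the slides):
#   2-byte big-endian length of the "name" field, the name bytes, then a free-form body.
# Hypothetical vulnerability: the receiving server copies `name` into a fixed 64-byte
# buffer, so any message whose name is longer than 64 bytes triggers the overflow,
# whatever bytes the name happens to contain.
NAME_BUFFER_LIMIT = 64
TOY_PORT = 4444  # assumed port assignment used for protocol identification


@dataclass
class ToyMessage:
    name: bytes
    body: bytes


def build_message(name: bytes, body: bytes) -> bytes:
    """Encode a toy message (used here only to construct sample traffic)."""
    return struct.pack("!H", len(name)) + name + body


def identify_protocol(dst_port: int) -> Optional[str]:
    """Protocol identification stage: by destination port only in this example."""
    return {TOY_PORT: "toy"}.get(dst_port)


def parse_toy(payload: bytes) -> ToyMessage:
    """Protocol parsing stage: recover the fields from a reassembled payload."""
    if len(payload) < 2:
        raise ValueError("payload too short for length field")
    (name_len,) = struct.unpack("!H", payload[:2])
    name = payload[2:2 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated name field")
    return ToyMessage(name=name, body=payload[2 + name_len:])


# Exploit-based signature: the slide's pattern "10.*01", read as a byte regex over the
# raw payload. It describes one exploit instance, not the underlying vulnerability.
EXPLOIT_SIGNATURE = re.compile(rb"\x10.*\x01", re.DOTALL)


def exploit_signature_match(payload: bytes) -> bool:
    return EXPLOIT_SIGNATURE.search(payload) is not None


def vulnerability_signature_match(msg: ToyMessage) -> bool:
    """Vulnerability signature: a predicate on parsed protocol semantics."""
    return len(msg.name) > NAME_BUFFER_LIMIT


def inspect(dst_port: int, payload: bytes) -> dict:
    """Run one reassembled payload through identification, parsing and both matchers."""
    verdict = {
        "protocol": identify_protocol(dst_port),
        "exploit_sig": exploit_signature_match(payload),
        "vuln_sig": False,
        "parse_error": False,
    }
    if verdict["protocol"] == "toy":
        try:
            verdict["vuln_sig"] = vulnerability_signature_match(parse_toy(payload))
        except ValueError:
            verdict["parse_error"] = True
    return verdict


# Constructed sample traffic.
BENIGN = build_message(b"alice", b"hello")
OVERFLOW_A = build_message(b"\x10" + b"A" * 70 + b"\x01", b"")  # carries the 10.*01 pattern
OVERFLOW_B = build_message(b"B" * 72, b"")                       # same overflow, different bytes


if __name__ == "__main__":
    for label, pkt in [("benign", BENIGN), ("overflow_a", OVERFLOW_A), ("overflow_b", OVERFLOW_B)]:
        print(label, inspect(TOY_PORT, pkt))
```

Running the block shows the benign message passing both matchers, OVERFLOW_A caught by both, and OVERFLOW_B caught only by the vulnerability signature. The same payload sent to a port that does not identify as the toy protocol is never parsed, which is why the identification stage sits below parsing and matching in the stack.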
Residential Access: Cable Modems
Diagram: http://www.cabledatacomnews.com/cmic/diagram.html
Snort Rule Data Mining
• Exploit signature to vulnerability signature reduction ratio
  • PSS means Protocol Semantic Signature
  • NetBIOS rules include the rules from the WINRPC, SMB and NetBIOS protocols
Preliminary Results
• Experiment Setting
  • PC: Xeon 3.8 GHz with 4 GB memory
  • Real traffic after TCP reassembly, preloaded into memory
• Experiment Results