
BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION

This paper presents BotHunter, a network perimeter monitoring system that tracks communication between internal assets and external entities. It uses a dialog correlator to detect botnet infection activity by matching sequences of evidence. The system architecture includes Snort for detection, SCADE for inbound scan detection, SLADE for statistical payload anomaly detection, and a network dialog correlation matrix. BotHunter has been tested against over 2000 bot infection experiences and offers a remote repository for global collection and evaluation of bot activity.





Presentation Transcript


  1. BOTHUNTER: DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION
     AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke Lee
     PUBLICATION: USENIX Security Symposium, 2007
     PRESENTATION BY: Bharat Soundararajan

  2. INTRODUCTION
     • Network perimeter monitoring system called BotHunter
     • Tracks two-way communication between internal assets and external entities
     • A dialog correlator inside BotHunter ties these communications together
     • The sequence of evidence is matched against botnet infection activity

  3. BOTNET INFECTION SEQUENCE
     • Propagates through remote exploit injection, e.g. NetBIOS (139), MyDoom (3127), DameWare (6129)
     • After infection the victim host downloads the full Phatbot binary
     • The bot inserts itself into the boot process and turns security processes off
     • Connection to the C&C server; the infected host now acts as a bot

  4. MODEL OF THE DIALOG PROCESS

  5. BOT INFECTION DECLARATION
     • Condition 1: evidence of local host infection (E2) and evidence of outward bot coordination or attack propagation (E3-E5)
     • Condition 2: at least two distinct signs of outward bot coordination or attack propagation (E3-E5)

  6. BOTHUNTER SYSTEM ARCHITECTURE
     • Snort is used for detection
     • Extra plug-ins, SCADE and SLADE, are used in Snort
     • A network dialog correlation matrix is used as the data structure
     • Bot infection profiles are reported to a remote repository
     • Reporting uses TLS over Tor (onion routing protocol)

  7. BOTHUNTER SYSTEM ARCHITECTURE

  8. SCADE (Statistical Scan Anomaly Detection Engine)
     • Inbound scan detection
     • Specifically weighted towards the ports often used by malware
     • Memory usage scales with the number of inside hosts
     • Tracks failed connection attempts on each port
     • Ports are classified in BotHunter as:
       1) Highly vulnerable ports: 80 (HTTP), 445 (NetBIOS), 26 (TCP), 4 (UDP)
       2) Low vulnerable ports

  9. SCADE (Statistical Scan Anomaly Detection Engine)
     Inbound scan detection:   S = W1 * Fhs + W2 * Fls
     where
       W1  = weight of high-severity ports
       W2  = weight of low-severity ports
       Fhs = number of connection failures on high-severity ports
       Fls = number of connection failures on low-severity ports

  10. SCADE (Statistical Scan Anomaly Detection Engine)
     Outbound scan detection:  S = (W1 * Fhs + W2 * Fls) / C
     where
       W1  = weight of high-severity ports
       W2  = weight of low-severity ports
       Fhs = number of connection failures on high-severity ports
       Fls = number of connection failures on low-severity ports
       C   = total number of scans from the host within a time window
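The two SCADE formulas above, applied to a constructed connection log. This is an added example, not BotHunter's or SCADE's own code: the set of high-severity ports, the weights W1 and W2, the alert thresholds, the internal address range and the reading of C as "outbound connection attempts from the host in the window" are all assumptions, since the slides give the formulas but no numbers. Inbound scores are computed per internal target (external sources probing it), outbound scores per internal source, which is how an inside host sweeping port 445 ends up with a high normalised score while a host with only successful connections scores zero.

```python
"""Simplified SCADE-style scan scoring over a constructed connection log.

Added example, not BotHunter's own code. Port classes, weights, thresholds and
the address range are assumptions; the slides list only a few ports and no numbers.
"""
from collections import defaultdict

HIGH_SEVERITY_PORTS = {80, 139, 445, 3127, 6129}  # assumed: ports often used by malware
W1, W2 = 1.0, 0.25            # assumed weights for high- and low-severity ports
INBOUND_THRESHOLD = 3.0       # assumed alert thresholds on S
OUTBOUND_THRESHOLD = 0.5
INTERNAL_PREFIX = "192.168."  # assumed address range of the monitored network

# Constructed connection-attempt log: (src, dst, dst_port, failed)
EVENTS = [
    ("10.0.0.5", "192.168.1.10", 445, True),    # external host probing an inside host
    ("10.0.0.5", "192.168.1.10", 139, True),
    ("10.0.0.5", "192.168.1.10", 3127, True),
    ("10.0.0.5", "192.168.1.10", 8080, True),
    ("10.0.0.5", "192.168.1.10", 80, False),
    ("192.168.1.20", "10.0.0.9", 445, True),    # inside host sweeping port 445 outward
    ("192.168.1.20", "10.0.0.10", 445, True),
    ("192.168.1.20", "10.0.0.11", 445, True),
    ("192.168.1.20", "10.0.0.12", 22, True),
    ("192.168.1.20", "10.0.0.13", 445, False),
    ("192.168.1.30", "10.0.0.50", 443, False),  # ordinary successful traffic
    ("192.168.1.30", "10.0.0.51", 443, False),
]


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def weighted_failures(events):
    """W1*Fhs + W2*Fls: failed attempts, counted by port class."""
    fhs = sum(1 for _, _, port, failed in events if failed and port in HIGH_SEVERITY_PORTS)
    fls = sum(1 for _, _, port, failed in events if failed and port not in HIGH_SEVERITY_PORTS)
    return W1 * fhs + W2 * fls


def inbound_scores(events):
    """Per internal target: S = W1*Fhs + W2*Fls over external-to-internal attempts."""
    by_target = defaultdict(list)
    for ev in events:
        src, dst = ev[0], ev[1]
        if is_internal(dst) and not is_internal(src):
            by_target[dst].append(ev)
    return {dst: weighted_failures(evs) for dst, evs in by_target.items()}


def outbound_scores(events):
    """Per internal source: S = (W1*Fhs + W2*Fls) / C, where C is taken to be the
    number of outbound attempts from that host in the window (assumed reading of C)."""
    by_source = defaultdict(list)
    for ev in events:
        src, dst = ev[0], ev[1]
        if is_internal(src) and not is_internal(dst):
            by_source[src].append(ev)
    return {src: weighted_failures(evs) / len(evs) for src, evs in by_source.items()}


def scan_alerts(events):
    """Raise inbound/outbound scan warnings for hosts whose score reaches the threshold."""
    alerts = []
    for host, s in inbound_scores(events).items():
        if s >= INBOUND_THRESHOLD:
            alerts.append(("inbound_scan", host, s))
    for host, s in outbound_scores(events).items():
        if s >= OUTBOUND_THRESHOLD:
            alerts.append(("outbound_scan", host, s))
    return alerts


if __name__ == "__main__":
    for kind, host, score in scan_alerts(EVENTS):
        print(f"{kind:14s} {host:14s} S={score:.2f}")
```

Dividing by C is what keeps a busy but healthy host (many attempts, few failures) from looking like a scanner, while a host whose attempts mostly fail on high-severity ports scores close to W1 regardless of how many connections it makes.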

  11. SLADE (Statistical Payload Anomaly Detection Engine)
     • 1-gram payload model: occurrence frequency of each of the 256 possible byte values in the payload
     • Examines every request packet sent to the monitored services and outputs an alert if it deviates from the normal profile
     • An n-gram model would improve accuracy and resistance to evasion, e.g. by polymorphic worms
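A worked 1-gram payload anomaly detector of the kind this slide describes, added here as an example; it is not SLADE's code. The normal profile is the per-byte mean and standard deviation of byte frequencies over a set of constructed HTTP requests, and the distance is a simplified per-byte Mahalanobis distance with a smoothing term (an assumption about the scoring function; the slide only states that a request is flagged when it deviates from the profile). The threshold calibration as a multiple of the largest score seen on training traffic is likewise an assumption.

```python
"""1-gram payload anomaly detection in the style the SLADE slide describes.

Added example, not SLADE's own code. The scoring function (per-byte Mahalanobis-style
distance with smoothing) and threshold calibration are assumptions, and the
training and test requests are constructed.
"""
import math


def byte_frequencies(payload):
    """The 1-gram model: relative frequency of each of the 256 byte values."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = max(len(payload), 1)
    return [c / n for c in counts]


def build_profile(training_payloads):
    """Normal profile: per-byte mean and standard deviation over training traffic."""
    vectors = [byte_frequencies(p) for p in training_payloads]
    m = len(vectors)
    mean = [sum(v[i] for v in vectors) / m for i in range(256)]
    std = [math.sqrt(sum((v[i] - mean[i]) ** 2 for v in vectors) / m) for i in range(256)]
    return mean, std


def anomaly_score(payload, profile, smoothing=0.001):
    """Distance of one request from the profile. Byte values never seen in training
    have std = 0, so any occurrence is penalised by the small smoothing term."""
    mean, std = profile
    freq = byte_frequencies(payload)
    return sum(abs(freq[i] - mean[i]) / (std[i] + smoothing) for i in range(256))


def calibrate_threshold(profile, training_payloads, factor=2.0):
    """Assumed calibration: a multiple of the largest score seen on normal traffic."""
    return factor * max(anomaly_score(p, profile) for p in training_payloads)


def is_anomalous(payload, profile, threshold):
    return anomaly_score(payload, profile) > threshold


# Constructed normal requests to the monitored web service
TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"GET /about HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.68.0\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\nuser=alice&password=secret1",
    b"GET /search?q=bothunter HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    b"GET /docs/paper.pdf HTTP/1.1\r\nHost: www.example.com\r\nAccept: application/pdf\r\n\r\n",
]
PROFILE = build_profile(TRAINING)
THRESHOLD = calibrate_threshold(PROFILE, TRAINING)

# Constructed test inputs: a benign request, and one whose path carries a block of
# high byte values that never occur in the text-only training traffic
NORMAL_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.68.0\r\n\r\n"
SUSPICIOUS_REQUEST = b"GET /" + bytes(range(0x80, 0x100)) * 3 + b" HTTP/1.1\r\n"

if __name__ == "__main__":
    print(f"threshold={THRESHOLD:.1f}")
    for name, req in [("normal", NORMAL_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)]:
        print(f"{name:10s} score={anomaly_score(req, PROFILE):.1f} "
              f"alert={is_anomalous(req, PROFILE, THRESHOLD)}")
```

The weakness the slide names is visible in the model: the score depends only on which byte values appear and how often, not on their order, so a payload that reproduces the byte histogram of normal requests scores low no matter what it contains. That is the gap an n-gram model narrows.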

  12. NETWORK DIALOG CORRELATION MATRIX

  13. NETWORK DIALOG CORRELATION MATRIX
     • Dynamically allocated row: summary of one internal host's dialog with external entities
     • Cell: one or more sensor alerts that map into one of the five sensor devices
     • The correlation matrix grows dynamically when new activity involving a local host is detected, and rows expire
     • Timers set the expiry of the observation window

  14. TYPES OF TIMERS
     • HARD PRUNE TIMERS (filled clocks)
     • Fixed temporal interval over which dialog evidence is allowed to aggregate
     • After evaluation, leads either to bot declaration or to the complete removal of that dialog trace
     • SOFT PRUNE TIMERS (open-faced clocks)
     • Smaller time window that allows users to configure tighter interval requirements
     • Inbound scan warnings are expired more quickly by the soft prune interval

  15. BOT DECLARATION
     • An expectation table is compared with the values obtained from the calculation
     • When the dialog sequence crosses the threshold, the result is either a bot declaration or a non-bot declaration
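The correlation matrix of slide 13, the two prune timers of slide 14 and the two declaration conditions of slide 5 fit together in a small event-driven model, given here as an added example rather than BotHunter's own implementation. The evidence classes follow the paper's dialog model (E1 inbound scan, E2 inbound exploit, E3 egg download, E4 C&C communication, E5 outbound scan); the slides themselves name only E2 and E3-E5. The timer lengths, the rule that a host is not re-evaluated for a hard-prune interval after a declaration (the "one profile per infection" behaviour of slide 19) and the alert log are all constructed assumptions.

```python
"""Network dialog correlation matrix with prune timers and bot declaration.

Added example, not BotHunter's own code. Evidence classes follow the paper's dialog
model; timer lengths, the post-declaration suppression window and the log are constructed.
"""
from collections import defaultdict

INBOUND_SCAN = "E1"            # expires under the soft prune timer
INFECTION = "E2"               # evidence of local host infection
OUTWARD = {"E3", "E4", "E5"}   # outward bot coordination or attack propagation

HARD_PRUNE = 4 * 3600   # assumed: interval over which a dialog trace aggregates
SOFT_PRUNE = 10 * 60    # assumed: shorter interval after which inbound scan warnings expire


class DialogCorrelator:
    def __init__(self, hard_prune=HARD_PRUNE, soft_prune=SOFT_PRUNE):
        self.hard_prune = hard_prune
        self.soft_prune = soft_prune
        self.rows = {}        # internal host -> {evidence class -> [(t, external, detail)]}
        self.started = {}     # internal host -> time its row was allocated
        self.suppressed = {}  # internal host -> time until which no new row is opened
        self.profiles = []    # bot infection profiles declared so far

    def observe(self, t, host, evidence, external, detail=""):
        """Record one sensor alert in the row of `host` and re-evaluate that row."""
        self.expire(t)
        if t < self.suppressed.get(host, t):
            return None  # one profile per infection: ignore evidence after declaring
        if host not in self.rows:
            self.rows[host] = defaultdict(list)   # row is allocated on first activity
            self.started[host] = t
        self.rows[host][evidence].append((t, external, detail))
        return self.evaluate(t, host)

    def expire(self, t):
        """Apply the soft and hard prune timers to every row."""
        for host in list(self.rows):
            row = self.rows[host]
            # soft prune: inbound scan warnings are dropped after the shorter window
            row[INBOUND_SCAN] = [a for a in row[INBOUND_SCAN] if t - a[0] < self.soft_prune]
            # hard prune: final evaluation, then the whole dialog trace is removed
            if t - self.started[host] >= self.hard_prune:
                self.evaluate(self.started[host] + self.hard_prune, host)
                self.rows.pop(host, None)
                self.started.pop(host, None)

    def evaluate(self, t, host):
        """Condition 1: E2 plus any of E3-E5. Condition 2: two distinct of E3-E5."""
        row = self.rows.get(host)
        if row is None:
            return None
        present = {c for c, alerts in row.items() if alerts}
        outward = present & OUTWARD
        cond1 = INFECTION in present and len(outward) >= 1
        cond2 = len(outward) >= 2
        if not (cond1 or cond2):
            return None
        profile = {
            "host": host,
            "declared_at": t,
            "condition": 1 if cond1 else 2,
            "evidence": {c: sorted({ext for _, ext, _ in row[c]}) for c in sorted(present)},
        }
        self.profiles.append(profile)
        del self.rows[host]
        del self.started[host]
        self.suppressed[host] = t + self.hard_prune
        return profile


# Constructed sensor alerts: (time in seconds, internal host, evidence class, external, detail)
EVENTS = [
    (0, "192.168.1.10", "E1", "10.0.0.5", "SCADE inbound scan warning"),
    (120, "192.168.1.10", "E2", "10.0.0.5", "Snort exploit signature on port 445"),
    (300, "192.168.1.20", "E1", "10.0.0.5", "SCADE inbound scan warning"),
    (900, "192.168.1.10", "E3", "10.0.0.7", "binary download"),        # condition 1
    (1000, "192.168.1.30", "E4", "10.0.0.9", "IRC C&C channel"),
    (1300, "192.168.1.30", "E5", "10.0.0.40", "SCADE outbound scan"),  # condition 2
    (2000, "192.168.1.30", "E5", "10.0.0.41", "second sweep, already declared"),
    (20000, "192.168.1.20", "E1", "10.0.0.6", "scan after the row was hard-pruned"),
]


def run(events):
    correlator = DialogCorrelator()
    for t, host, evidence, external, detail in sorted(events):
        correlator.observe(t, host, evidence, external, detail)
    return correlator.profiles


if __name__ == "__main__":
    for p in run(EVENTS):
        print(p)
```

Host 192.168.1.20 is scanned but never infected: its E1 warning is soft-pruned after ten minutes and the row is hard-pruned later with nothing to declare, which is exactly why inbound scans on their own are not enough to satisfy either condition.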

  16. Figure 6: SCORING PLOTS: 2019 real bot infections

  17. EXPERIMENTS AND RESULTS
     Yes/No indicates whether a dialog warning was raised (number of dialog warnings overall / number of warnings involving the victim)

  18. RESULTS IN LIVE DEPLOYMENT
     http://www.cyber-ta.org/malware-analysis/public
     Website Stats: Spotlight: Top 50 ISP Infection Sources
       Active Period Reported:        245 Days
       Botnet Attacks Detected:       23895
       Botnet C&C Channels Witnessed: 175
       Botnet DNS Lookups Witnessed:  8496

  19. ADVANTAGES
     • Only one bot profile is generated per infection
     • Presented analysis of BotHunter against more than 2000 recent bot infection experiences
     • Remote repository for global collection and evaluation of bot activity

  20. DISADVANTAGES
     • Bots could use encrypted communication channels for C&C
     • The correlator does not adapt to botnets capable of stealth scanning
     • It does not handle polymorphic malware, since SLADE uses a 1-gram payload model

  21. THANK YOU
