Master Blaster: Identifying Influential Player in Botnet Transaction
Authors: Napoleon C. Paxton, College of Computing and Informatics, UNC Charlotte; Gail-Joon Ahn, School of Computing, Informatics and Decision System Engineering, Arizona State University; Mohamed Shehab, College of Computing and Informatics, UNC Charlotte
Reporter: 簡榮杉
https://www.youtube.com/watch?v=5KyoHjIoMkQ
OUTLINE
• Introduction
• Scope of research
• Master Blaster: System overview
• Implementation and results
• Discussion
• Conclusion
Introduction
• Bots carry out the commands of the botmaster through communication mediums.
• Communication mediums: Internet Relay Chat (IRC), P2P, social networks.
• Botnet monitoring
  • an effective method to garner in-depth information about the threat of botnets
  • capture and modify a bot
  • allow the bot to connect to its command and control center
  • monitor the actual communications that take place on the botnet
• Most botnets are controlled by multiple botmasters.
  • botmaster 1 initially creates the botnet
  • botmasters 1, 2, ..., N each have their own attack agenda
Introduction – In this paper
• to categorize the nodes
• to categorize the transactions based on a modified version of the reflective-impulsive model
• a botnet is just a tool
  • a tool is only as useful as the way it is used, with the intentions of the person who uses it
• to categorize the botmaster interactions (between the botmaster and the nodes in a botnet) as social characteristics
• There are five categories of node:
  • Botmaster node
  • Bot node
  • Compromised Machine node: the machine that was originally attacked and turned into a bot node
  • Storehouse node: the node that provides a download service to the botmaster node or the bot node
  • Victim node: the node that is attacked
Introduction – In this paper
• to identify the evolution of the physical characteristics (size) of a botnet
  • like human social networks: born, grow, shrink, disappear
• to correlate the discovered social characteristics and the evolutionary characteristics to shed light on the role each botmaster plays in a botnet
Scope of Research
• It is easy to covertly infiltrate a botnet and monitor its transactions; botnet monitoring has become a common way to analyze and identify botnets and the destruction they cause.
• This paper
  • introduces the novel idea of monitoring botnet traffic to identify the roles each botmaster has in the botnet
  • discovers motives and characteristics
    • which lead to discovering the root cause behind the botnet
Ⅲ MASTER BLASTER: SYSTEM OVERVIEW
• A. Bot Capture
• B. Closed analysis
• C. Open analysis
• D. Network Monitoring
• E. Correlation
A. Bot Capture
• pretend to be a legitimate vulnerable machine
• Three elements in the capture component:
  • Socket manager: the attacker attempts to connect to a port through the socket manager
  • General shellcode handler: created to receive the data and pass the code to the Perl regex shellcode handler
  • Perl regex shellcode handler:
    • Step 1: determine what type of code it is
    • Step 2: the code is downloaded without executing it
B. Closed Analysis
• adapt and modify the reflective-impulsive model to botnets
• the reflective-impulsive model
  • depicts social behavior as a joint function of two systems
  • Reflective system: SR
    • is built from responses of knowledge on facts and their decisions
    • is denoted by the expression SR ≡ F, where F is composed of k-subsets {fd1, fd2, ..., fdk-1, fdk} that include a finite number of facts f and their decisions d
  • Impulsive system: SI (discovered in the component "D. Network Monitoring")
• In the closed analysis:
  • discover the ASCII text in the bot codes, which are the reflective keywords
    • these keywords represent the facts
  • use RFC 1459 and RFC 1812 (IRC protocol) to help determine the protocol-based keywords
  • derive the semantics of the facts from the command and control protocol
• Keyword
  • reflective keyword: from the ASCII text in the bot codes; protocol-based or user/system-based
From the original paper "the reflective-impulsive system":
"In the reflective system, behavior is elicited as a consequence of a decision process. Specifically, knowledge about the value and the probability of potential consequences is weighed and integrated to reach a preference for one behavioral option. If a decision is made, the reflective system activates appropriate behavioral schemata through a self-terminating mechanism of intending. In contrast, the impulsive system activates behavioral schemata through spreading activation, which may originate from perceptual input or from reflective processes. As described in James' (1890) ideo-motor principle (see also Lotze, 1852), a behavior may be elicited without the person's intention or goal. In addition, the activation of behavioral schemata may be moderated by motivational orientations or deprivation."
C. Open Analysis
• all information about the initial bootstrapping has to be included in the bot binary and thus can be cloned
• extract the general packet information from the botnet data
• Three elements in the open analysis component:
  • bot agents: the bot is stripped of its ability to attack victim machines
  • botnet connection: the bot agent connects to the command and control locations
  • botnet payload collection: captures all the readable contents of the payload
D. Network Monitoring
• analyze the ASCII-readable data in the payload (found by the "C. Open analysis" component)
• extract characteristic elements from the content of the data
• discover conversations initiated by commands between the botmaster node and the other nodes
  • the structure of these conversations is discovered in commands based on the command and control protocol
• Within these conversations, discover
  • the Impulsive System
  • the Evolutionary Characteristics
D. Network Monitoring – Impulsive system: SI
• In this paper's model, each command given by the botmaster is one impulsive, human-initiated command.
• The impulsive system is built on associative links and motivational drives.
• Motivational drives:
  • SI ≡ S = m1 ∪ m2 ∪ m3, where S is the ground set of motivations based on 3 k-subsets of motivations M: Destructive (M1), Monetary (M2) and Other (M3), and mi belongs to Mi
  • Each subset (m1, m2, m3) is composed of a set of commands.
  • In the paper's framework, after the finite value of each k-subset is discovered, the upper-bound (largest) k-subset determines what the botmaster's motivation is.
    • Destructive: concerned with causing damage that physically affects a potential victim's system (including getting money from potential victims)
    • Monetary: concerned only with covertly stealing money
    • Other: all unknown motives
• Associative links:
  • the semantic connections of each command to another that meet a defined criterion for the subset; that means each command that resides in a k-subset is linked to every other command in it
• The operation of the paper's reflective-impulsive process is as follows: an impulsive command e in the set S is matched to a reflective keyword f in the set F; the two entities e and f are then determined to be one characteristic E, which conjoins the two systems SR and SI.
D. Network Monitoring – Evolutionary characteristics
• Each stage of evolution is defined as one of the following:
  • Birth
  • Growth
  • Contraction
E. Correlation
• the output of this component is the discovery of what role each botmaster plays
• three elements in this component:
  • Component correlation:
    • each result from the components has a timestamp
    • using this timestamp and the botmaster name, the results of the components are correlated
  • Botmaster characteristic statistics:
    • Evolutionary characteristic statistics: use the autocorrelation function C(t) to discover the number of bots across consecutive timesteps t
    • Reflective-impulsive characteristic statistics: the ratio of protocol-based commands to user/system-based commands
  • Correlation engine: correlates the results of
    • the closed analysis component
    • the open analysis component
    • the network monitoring component
    • the botnet characteristic component
    to discover the botmaster-based patterns
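The closed analysis (B), network monitoring (D) and correlation (E) steps as one worked Python example added here; it is not code from the paper or the presentation. The bot binary, the C&C log, the nicks and the keyword-to-motivation table are constructed assumptions; only the keywords PRIVMSG and dccflood, the RFC 1459 protocol set and the human-vs-protocol ratio come from the slides.

```python
import re
from collections import Counter
# Constructed stand-in for a captured IRC bot binary (not a real sample):
# ASCII command strings embedded among non-printable bytes.
BOT_BINARY = (b"\x7fELF\x02\x01\x00NICK\x00USER\x00JOIN\x00PRIVMSG\x00PONG\x00"
              b"\x90\x90dccflood\x00synflood\x00\xcc\xffdownload\x00keylog\x00")
# Protocol-based reflective keywords: IRC commands defined in RFC 1459.
IRC_PROTOCOL = {"NICK", "USER", "JOIN", "PRIVMSG", "PING", "PONG", "MODE", "QUIT"}
# Assumed mapping of user/system keywords to motivation subsets M1/M2/M3 (not from the paper).
MOTIVATION = {"dccflood": "destructive", "synflood": "destructive",
              "keylog": "monetary", "download": "other"}
def reflective_keywords(blob: bytes, min_len: int = 4) -> dict:
    """Closed analysis: printable ASCII runs in the bot code form the fact set F,
    each labelled protocol-based or user/system-based."""
    facts = {}
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        word = m.group().decode()
        if word in IRC_PROTOCOL or word in MOTIVATION:
            facts[word] = "protocol" if word in IRC_PROTOCOL else "user/system"
    return facts
# Constructed C&C channel log as the open-analysis bot agent would record it
# (RFC 5737 documentation addresses; the nicks are invented).
CC_LOG = """\
:master1!m@192.0.2.10 JOIN #c
:master1!m@192.0.2.10 PRIVMSG #c :.dccflood 198.51.100.7 6667 60
:master1!m@192.0.2.10 PRIVMSG #c :.synflood 198.51.100.7 80 120
:master1!m@192.0.2.10 PRIVMSG #c :.keylog on
PING :irc.example.invalid
:master2!x@192.0.2.11 JOIN #c
:master2!x@192.0.2.11 PRIVMSG #c :.download http://203.0.113.5/u.bin
"""
LINE_RE = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ (?P<verb>[A-Z]+)[^:]*(?::\.?(?P<arg>\S+))?")
def botmaster_profiles(log: str, facts: dict) -> dict:
    """Network monitoring + correlation: each botmaster line is one impulsive command e;
    matched to a reflective keyword f in F it becomes a characteristic E. Per nick: the
    upper-bound motivation subset and the human vs protocol-based element counts."""
    acc = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # server traffic (PING), not a botmaster transaction
        p = acc.setdefault(m["nick"], {"human": 0, "protocol": 0, "motives": Counter()})
        if facts.get(m["arg"]) == "user/system":   # human-initiated command
            p["human"] += 1
            p["motives"][MOTIVATION[m["arg"]]] += 1
        elif m["verb"] in facts:                    # protocol-based element
            p["protocol"] += 1
    return {n: {"motivation": (p["motives"].most_common(1) or [("other", 0)])[0][0],
                "human": p["human"], "protocol": p["protocol"]} for n, p in acc.items()}
```

Only keywords that actually occur in the bot code enter F, so a protocol verb absent from the binary (MODE here) is not counted even if RFC 1459 defines it.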
Ⅳ. Implementation and results
• The following scripts in one version of the bot codes were identified by closed analysis:
• Reflective keywords extracted from these results are
  • PRIVMSG (lines 123, 133, 135 and 138)
  • dccflood (line 133)
• Table 1 shows the number of impulsive commands generated by the top 10 botmasters.
• Active botmasters generated more human user/system commands: most of the impulsive commands generated by the active botmasters are human-based and therefore more apt to reflect the true intentions of the botmaster.
• More active botmasters had a higher ratio of human-initiated elements to protocol-based elements.
  • This is very important, since it means the botmaster is using his own intuition in this channel and most of the transactions are not produced by scripts.
  • Human error continues to be the best way to catch botmasters, or malware writers in general.
Discussion
• A. Current state of botnets:
  • This paper focuses on IRC-based botnets.
  • monitoring of more advanced C&C protocols is left for future work
• B. Limitations
  • can only identify the botmaster characteristics of transactions that have been decrypted
Conclusion
• Discovering the role each botmaster plays helps reduce analysis time.
• The approach enables us to identify the general motives for each botmaster.
• The paper indicated that most attacks occurred during times when the botnet was at its largest size.
• Future work would focus on other forms of botnets (e.g. HTTP-based, P2P-based, hybrid attacks).