1 / 24

A Survey of Botnet Size Measurement

A Survey of Botnet Size Measurement. Presented: Kai-Hsiang Yang ( 楊凱翔 ) Date: 2013/11/04. Basic Information. Title: - A Survey of Botnet Size Measurement Author & Institution: - Shangdong Liu ( Jiangsu Province Southeast University ) - Jian Gong - Wang Yang

jatin
Download Presentation

A Survey of Botnet Size Measurement

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Survey of Botnet Size Measurement Presented: Kai-Hsiang Yang(楊凱翔) Date: 2013/11/04

  2. Basic Information • Title: -A Survey of Botnet Size Measurement • Author & Institution: • - ShangdongLiu (Jiangsu Province Southeast University) -JianGong - Wang Yang - Ahmad Jakalan • Publication: Second International Conference on Networking and Distributed Computing • Year: 2011 • Cited (Google): 2

  3. Problems to Solve • 1. Botnets have exerted serious threat against cyber-security. • 2. Botnet size is one of the most important characteristics to evaluate the threat of botnet. • 3. As far as the size of botnet is concerned, it is more difficult to calculate. • 4. Agreat many of challenges to measure botnet size still exist, for example, how to eliminate the influence of DDNS, NAT, DHCP and botnet migration or clone?

  4. Outline • - INTRODUCTION • - MEASUREMENT OF BOTNET LIVE POPULATION • - MEASUREMENT OF BOTNET FOOTPRINT • - DYNAMIC TRACKING OF BOTNET SIZE • - AREA ISSUE OF BOTNET SIZE • - SUMMARY

  5. Outline • - INTRODUCTION • - MEASUREMENT OF BOTNET LIVE POPULATION • - MEASUREMENT OF BOTNET FOOTPRINT • - DYNAMIC TRACKING OF BOTNET SIZE • - AREA ISSUE OF BOTNET SIZE • - SUMMARY

  6. Definition of Botnet Size • The definition of botnet size has been clearly proposed by M. A. Rajab in the meeting of USENIX HotBots2007. • 1. Footprint: • Refers to the overall size of infected population of botnet at any time in its lifetime. • Range of infection • 2. Live population: • The number of live bots simultaneously present in C2 channel. • Attack volume

  7. Issues for Measurement of Botnet Size • 1. The measurement of botnet live population. • 2. The measurement of botnet footprints. • 3. Dynamic tracing of botnet size. • 4. Area issue of botnet size.

  8. Outline • - INTRODUCTION • - MEASUREMENT OF BOTNET LIVE POPULATION • - MEASUREMENT OF BOTNET FOOTPRINT • - DYNAMIC TRACKING OF BOTNET SIZE • - AREA ISSUE OF BOTNET SIZE • - SUMMARY

  9. Three Classes of Methods • 1. Detection methods based on active/passive DNS detection • 2. Detection methods based on botnet C2 features • 3. Detection methods based on correlation of multiple bases

  10. Active DNS Detection • Based on actively utilizing domain name of C2 controller. • Take DNS redirection for example, • 1. Map the domain name of botnet C2 server toprepared sinkhole • 2.Records all the connections betweenbots and C2 server • 3.Count the number of hosts whotake connections • 4. The live population of the botnet can beobtained

  11. Methods based on botnet C2 features • One of theexamples exploring spam to detect is method by analyzingspam content. • 1. Hunting hosts which send a large amount of e-mail in the short term on mail servers • 2. These hosts will be judged to suspects • 3. The mails embedded with same key URL will be classified as spam from the same botnet • 4. Counting the spammers from one botnet will obtain the botnet’s live population

  12. Methods based on correlation of multiple bases • BotHunter • The basic idea is: • By capturing the data exchange, generated in the process of spread and attack of botnet, between inside and outside of network border, “chain of evidence” of botnet activity will be formed through correlating the captured data exchange according to the botnet working process. • 95.1% of detection rate can be reached!

  13. Outline • - INTRODUCTION • - MEASUREMENT OF BOTNET LIVE POPULATION • - MEASUREMENT OF BOTNET FOOTPRINT • - DYNAMIC TRACKING OF BOTNET SIZE • - AREA ISSUE OF BOTNET SIZE • - SUMMARY

  14. How to calculate botnet footprint? • Solution 1: • Determine whether hosts are infected by botnet, and then take count of infected hosts. • Solution 2: • Statistical inference is usually the only choice to calculate botnet footprint. • Not accurate! • Till this survey is written, there are no literatures which focus on accurate estimation of offline hostsin observed network.

  15. Outline • - INTRODUCTION • - MEASUREMENT OF BOTNET LIVE POPULATION • - MEASUREMENT OF BOTNET FOOTPRINT • - DYNAMIC TRACKING OF BOTNET SIZE • - AREA ISSUE OF BOTNET SIZE • - SUMMARY

  16. Aspects of dynamically tracking botnet size • 1. Means or patterns of botnet propagation • 2. Obfuscation produced by some botnet activities, such as botnet clone and botnet migration • 3. Dynamic model of botnet

  17. Scanning manner of botnet • - A propagation way: Vulnerability scanning • 1. Worm class: • A way using more primitive style through which botnet has large scanning volume and holds a large amount of infected hosts in short time. • 2. Non-worm class: • Integrated with a variety of scanning algorithm, including scanning on a network segment, hit-list and random scanning. • The amount of infections caused by non-worm scanning is less than worm class scanning, but the detection is more difficult.

  18. Detection of IRC botnets • The multiple IRC bots collections detected by communication between C2 controller and bots, due to the existence of botnet clone, migrationand hierarchical management, these collections might belong to a same botnet. • The algorithm uses: • 1. Distance of communication’s characteristics • 2. Overlap rate of bots • 3. IP aggregation (Calculate “Overlap rate of bots”) • More accurate footprint can be obtained by this method for 89% of IRC botnets.

  19. Detection of IRC botnets • - Advantages: • Resolve migration, cloneand hierarchical management issues of IRC botnet. • - Disadvantages: • 1. Multiple collections of bots should be known before using the algorithm • 2. It is only applicable for the botnets with centralized structure.

  20. Outline • - INTRODUCTION • - MEASUREMENT OF BOTNET LIVE POPULATION • - MEASUREMENT OF BOTNET FOOTPRINT • - DYNAMIC TRACKING OF BOTNET SIZE • - AREA ISSUE OF BOTNET SIZE • - SUMMARY

  21. Area Issues of Botnet Size • - Live population, footprint of botnet also have regional issues (local or global). • - Global footprints need to consider the impact of time zones. • - Two approaches to calculate the global size of botnet: • 1. Statistical inference • 2. Empirical estimation

  22. Problems still to be solved • - Unresolved problems of tracking botnet size include… • 1. Dynamic IP addresses and NAT addresses. • 2. How to track entire life cycle while every stages in life cycle have different characteristics. • 3. How to identify botnets detected at different time in the existence of botnet clone and migration.

  23. Outline • - INTRODUCTION • - MEASUREMENT OF BOTNET LIVE POPULATION • - MEASUREMENT OF BOTNET FOOTPRINT • - DYNAMIC TRACKING OF BOTNET SIZE • - AREA ISSUE OF BOTNET SIZE • - SUMMARY

  24. Summary • - The measurement of botnet size is not an isolated problem. It is related closely with capturing of bot programs, botnet detection and behavior analysis of botnet etc. • - Just as blind men touching an elephant, each way to measure botnet size reflects only a perspective of observation. Thank You!

More Related