Botnet Detection by Monitoring Similar Communication Patterns


Presentation Transcript


  1. Botnet Detection by Monitoring Similar Communication Patterns 林佳宜 NTOU CSIE m98570015@ntou.edu.tw

  2. Reference • Hossein Rouhani Zeidanloo, Azizah Bt Abdul Manaf • "Botnet Detection by Monitoring Similar Communication Patterns" • (IJCSIS) International Journal of Computer Science and Information Security, Vol. 7, No. 3, 2010

  3. Outline • Introduction • Detection framework • Component • Conclusions

  4. Introduction • Botnets are among the most widespread threats and occur commonly in today's cyber attacks • In this paper • provide a taxonomy of Botnet C&C channels • propose a detection framework which focuses on • P2P based and IRC based Botnets • A Botnet is defined as a group of bots • that perform similar communication and malicious activities

  5. Botnet Communication topologies • Two different models • Centralized model, Decentralized model • Centralized model • Botnet based on IRC • Botnet based on HTTP • Decentralized model • Botnet based on P2P

  6. Detection framework

  7. Filtering • Filtering is used to reduce the traffic workload • In C1, traffic to destinations that are unlikely to be Botnet C&C servers is removed • using the top 500 websites on the web (Alexa) • In C2, TCP flows whose three-way handshake • was not completely established are removed

  8. Application classifier[1/2] • Responsible for separating IRC and HTTP traffic • For detecting IRC traffic • inspect the contents of each packet • match the defined strings • NICK, PASS, USER, JOIN, OPER, PRIVMSG • For detecting HTTP traffic • HTTP uses the client-server model • Three common HTTP methods • HTTP requests contain "GET", "POST" or "HEAD"

  9. Application classifier[2/2] • After filtering out HTTP and IRC traffic • the remaining traffic may contain P2P traffic • The remaining traffic is classified as general P2P • using BLINC • no access to packet payload • no knowledge of port numbers
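The string-matching classifier of slides 8 and 9, written out as an added example (this is not the paper's code and not part of the original slides). It labels a packet payload as IRC when a line starts with one of the listed IRC commands, as HTTP when the payload starts with a GET, POST or HEAD request line, and otherwise leaves the flow in the bucket that the paper would pass on to BLINC for P2P classification; BLINC itself is not implemented here, and the sample payloads are constructed.

```python
import re

# Strings from slide 8 (the transcript's "HEAP" is HTTP's HEAD method).
# Matching is case-sensitive, as the slide lists literal strings.
IRC_COMMANDS = (b"NICK", b"PASS", b"USER", b"JOIN", b"OPER", b"PRIVMSG")
HTTP_METHODS = (b"GET", b"POST", b"HEAD")

# An IRC line may carry an optional ":prefix " before the command.
_IRC_RE = re.compile(rb"(?m)^(?::\S+ )?(?:" + b"|".join(IRC_COMMANDS) + rb")\b")
# An HTTP request line: METHOD SP request-target SP HTTP/x.y CRLF
_HTTP_RE = re.compile(rb"^(?:" + b"|".join(HTTP_METHODS) + rb") \S+ HTTP/\d\.\d\r?\n")


def classify_payload(payload: bytes) -> str:
    """Label one packet payload as 'http', 'irc' or 'other'."""
    if _HTTP_RE.match(payload):
        return "http"
    if _IRC_RE.search(payload):
        return "irc"
    return "other"


def classify_flows(flows):
    """flows: iterable of (flow_id, [payload, ...]) in packet order.

    A flow takes the label of the first payload that matches.  Flows with no
    IRC or HTTP match are the 'remaining traffic' of slide 9, which the paper
    hands to BLINC for P2P classification (not implemented in this example).
    """
    buckets = {"http": [], "irc": [], "p2p_candidate": []}
    for flow_id, payloads in flows:
        label = "p2p_candidate"
        for payload in payloads:
            verdict = classify_payload(payload)
            if verdict != "other":
                label = verdict
                break
        buckets[label].append(flow_id)
    return buckets


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("f1", [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"]),
    ("f2", [b"NICK bot4921\r\nUSER bot 0 * :bot\r\n", b"JOIN #updates\r\n"]),
    ("f3", [b"\x13BitTorrent protocol" + b"\x00" * 8]),
    ("f4", [b":irc.example.net PRIVMSG #updates :hello\r\n"]),
    ("f5", [b"HEAD /status HTTP/1.0\r\n\r\n"]),
]

if __name__ == "__main__":
    for flow_id, payloads in SAMPLE_FLOWS:
        print(flow_id, classify_payload(payloads[0]))
    print(classify_flows(SAMPLE_FLOWS))
```

Only the first matching payload decides the label, so a flow is classified as soon as a recognisable request or command appears; anything that never matches stays a P2P candidate rather than being dropped.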

  10. Traffic Monitoring[1/3] • Analyzing flow characteristics • Finding similarities among the botnet hosts • Record some information on each flow • using the Audit Record Generation and Utilization System (ARGUS) • over a specified period of time, which is 6 hours

  11. Traffic Monitoring[2/3] • Flows with the same SIP, DIP, Dport and the same Pr (TCP or UDP) are marked • For each network flow (row) we calculate • Average number of bytes per second (nbps) = Number of bytes / Duration • Average number of bytes per packet (nbpp) = Number of bytes / Number of packets • Insert these two new values (nbps and nbpp), together with the SIP and DIP of the marked flows, into another database

  12. Traffic Monitoring[3/3] • We may end up with a set of databases • For each database we can draw a graph • (X, Y) = (bpp, bps) • The next step is comparing the different x-y graphs • graphs that are similar to each other are clustered into the same category • the list of SIP addresses is recorded and passed to the next step for analysis
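The traffic-monitoring steps of slides 10 to 12 (and the same nbps/nbpp computation and similar-database clustering that slides 17 and 18 reuse for IRC Botnets), as one added example that is not the paper's code. Flow records are modelled as a small dataclass with the ARGUS fields the slides name; the paper does not specify how two (bpp, bps) graphs are compared, so the summary used here (mean and coefficient of variation of each axis, compared within a tolerance) and the single-linkage clustering are assumptions of this example, and the flow records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One ARGUS-style flow record (field names assumed for this example)."""
    sip: str
    dip: str
    dport: int
    proto: str       # "tcp" or "udp"
    duration: float  # seconds
    nbytes: int
    npkts: int


def flow_features(f: Flow):
    """Slide 11: nbps = bytes / duration, nbpp = bytes / packets."""
    nbps = f.nbytes / f.duration if f.duration > 0 else 0.0
    nbpp = f.nbytes / f.npkts if f.npkts > 0 else 0.0
    return nbps, nbpp


def build_databases(flows):
    """Mark flows sharing (SIP, DIP, Dport, Pr) and store their (bps, bpp) points."""
    dbs = defaultdict(list)
    for f in flows:
        dbs[(f.sip, f.dip, f.dport, f.proto)].append(flow_features(f))
    return dict(dbs)


def graph_summary(points):
    """Summarise one (X, Y) = (bpp, bps) graph as the mean and coefficient of
    variation of each axis (assumed comparison method, not the paper's)."""
    bps = [p[0] for p in points]
    bpp = [p[1] for p in points]

    def cv(xs):
        m = mean(xs)
        return pstdev(xs) / m if m > 0 else 0.0

    return (mean(bps), mean(bpp), cv(bps), cv(bpp))


def similar(a, b, tol=0.25):
    """Similar when both means agree within tol (relative) and both spreads
    agree within tol (absolute)."""
    for x, y in zip(a[:2], b[:2]):
        if abs(x - y) / max(x, y, 1e-9) > tol:
            return False
    return all(abs(x - y) <= tol for x, y in zip(a[2:], b[2:]))


def cluster_databases(dbs, tol=0.25):
    """Single-linkage clustering of similar graphs; returns the SIP lists of
    every cluster with at least two hosts (slide 12 / slide 18)."""
    keys = list(dbs)
    summary = {k: graph_summary(dbs[k]) for k in keys}
    parent = {k: k for k in keys}

    def find(k):
        while parent[k] != k:
            parent[k] = parent[parent[k]]
            k = parent[k]
        return k

    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if similar(summary[a], summary[b], tol):
                parent[find(a)] = find(b)
    groups = defaultdict(set)
    for k in keys:
        groups[find(k)].add(k[0])  # k[0] is the SIP
    return sorted(sorted(g) for g in groups.values() if len(g) >= 2)


# Constructed 6-hour window (not real traffic): three hosts keep short, regular
# TCP sessions to 203.0.113.5:6667, two hosts browse 198.51.100.9:80.
SAMPLE_FLOWS = [
    Flow("10.0.0.11", "203.0.113.5", 6667, "tcp", 30.0, 600, 12),
    Flow("10.0.0.11", "203.0.113.5", 6667, "tcp", 28.0, 580, 12),
    Flow("10.0.0.11", "203.0.113.5", 6667, "tcp", 31.0, 620, 12),
    Flow("10.0.0.12", "203.0.113.5", 6667, "tcp", 29.0, 590, 12),
    Flow("10.0.0.12", "203.0.113.5", 6667, "tcp", 30.0, 610, 12),
    Flow("10.0.0.12", "203.0.113.5", 6667, "tcp", 30.0, 600, 12),
    Flow("10.0.0.13", "203.0.113.5", 6667, "tcp", 32.0, 640, 13),
    Flow("10.0.0.13", "203.0.113.5", 6667, "tcp", 30.0, 600, 12),
    Flow("10.0.0.13", "203.0.113.5", 6667, "tcp", 29.0, 590, 12),
    Flow("10.0.0.20", "198.51.100.9", 80, "tcp", 2.0, 150000, 120),
    Flow("10.0.0.20", "198.51.100.9", 80, "tcp", 5.0, 900000, 700),
    Flow("10.0.0.21", "198.51.100.9", 80, "tcp", 1.0, 20000, 25),
    Flow("10.0.0.21", "198.51.100.9", 80, "tcp", 10.0, 50000, 60),
]

if __name__ == "__main__":
    print(cluster_databases(build_databases(SAMPLE_FLOWS)))
```

On the constructed data the three hosts with near-identical low-rate, small-packet sessions to the same server end up in one cluster, while the two web clients, whose rates differ by an order of magnitude, are not grouped; the tolerance is the knob a practitioner would tune against their own baseline traffic.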

  13. Two similar graphs based on data

  14. Malicious Activity Detector • Analyze the outbound traffic from the network • try to detect possible malicious activities of the internal machines • Most common and efficient malicious activities • Scanning, Spamming • For detecting "scanning", the solution used in this part is • Statistical sCan Anomaly Detection Engine (SCADE) • Inbound Scan Detection (ISD) • Outbound Scan Detection (OSD)

  15. Spam-related Activities[1/2] • Known as Unsolicited Bulk Email • A well-known Botnet used for sending spam is Storm Worm, which is a P2P Botnet • More than 95% of email on the internet is spam • A common approach for detecting spam • use of DNS Black List / Black Hole List (DNSBL) • a list of spam senders' IP addresses and SMTP servers

  16. Spam-related Activities[2/2] • An indication of possible malicious activity • the same client using different external mail servers many times • Inspecting outgoing traffic from our network • recording the SIP and DIP of those flows • whose dports are 25 (SMTP) or 587 (Submission) • Conclude which internal host is behaving unusually • sending many emails to different or the same mail servers
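The outbound-SMTP check of slide 16 as an added example (not the paper's code). It keeps only flows from internal hosts to dport 25 or 587, ignores the site's own mail relay so that ordinary clients are not flagged, and then counts, per SIP, how many distinct mail servers were contacted and how many connections were made; the internal network range, the approved relay address, both thresholds and the flow records are constructed assumptions of this example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

MAIL_PORTS = {25, 587}                       # SMTP and Submission (slide 16)
INTERNAL_NET = ip_network("10.0.0.0/8")      # constructed: "our network"
APPROVED_RELAYS = {"10.0.0.2"}               # constructed: the site's own mail relay


def smtp_activity(flows):
    """flows: iterable of (sip, dip, dport) for outgoing flows.

    Returns {sip: (distinct_mail_servers, connections)} for internal hosts
    that talk to mail ports, excluding traffic to the approved relay.
    """
    servers = defaultdict(set)
    conns = Counter()
    for sip, dip, dport in flows:
        if dport not in MAIL_PORTS:
            continue
        if ip_address(sip) not in INTERNAL_NET or dip in APPROVED_RELAYS:
            continue
        servers[sip].add(dip)
        conns[sip] += 1
    return {sip: (len(servers[sip]), conns[sip]) for sip in servers}


def suspicious_senders(flows, max_servers=5, max_conns=20):
    """Hosts that used many different mail servers, or hit the same server
    many times, within the monitoring window (thresholds are assumptions)."""
    return sorted(
        sip
        for sip, (n_servers, n_conns) in smtp_activity(flows).items()
        if n_servers > max_servers or n_conns > max_conns
    )


# Constructed flow records for one monitoring window (not captured traffic).
SAMPLE_FLOWS = (
    [("10.0.0.50", f"203.0.113.{i}", 25) for i in range(1, 31)]  # 30 different servers
    + [("10.0.0.51", "10.0.0.2", 587)] * 5                        # via approved relay
    + [("10.0.0.52", "198.51.100.7", 25)] * 2                     # a couple of mails
    + [("10.0.0.53", "198.51.100.8", 25)] * 25                    # many mails, one server
    + [("10.0.0.54", "198.51.100.9", 443)] * 40                   # not a mail port
)

if __name__ == "__main__":
    print(smtp_activity(SAMPLE_FLOWS))
    print(suspicious_senders(SAMPLE_FLOWS))
```

Both counters matter: a host that fans out to many servers and a host that hammers a single server are each flagged, which is the "different or the same mail servers" condition of the slide, while the client that only submits through the approved relay is never counted.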

  17. Monitoring and Clustering • The objective is detection of IRC based Botnets • Using ARGUS for monitoring flows • for each network flow we calculate nbps and nbpp

  18. Flows Analyzer • The Flows Analyzer is responsible for looking for a group of databases that are similar to each other • After finding similar databases • we take a record of the SIP addresses of those hosts • and report them as a group of bots that belong to an IRC based Botnet

  19. Conclusions • We proposed a new general detection framework • focuses on P2P based and IRC based Botnets • Botnets have been defined as a group of bots • that perform similar communication • and malicious activity patterns within the same Botnet • Future work: add a unique detection method for HTTP • make it one general system for detection of Botnets

  20. Thanks for Your Attention Q & A
