Botnet Detection by Monitoring Similar Communication Patterns
林佳宜, NTOU CSIE, m98570015@ntou.edu.tw

Reference
• Hossein Rouhani Zeidanloo, Azizah Bt Abdul Manaf, "Botnet Detection by Monitoring Similar Communication Patterns", (IJCSIS) International Journal of Computer Science and Information Security, Vol. 7, No. 3, 2010
Outline
• Introduction
• Detection framework
• Components
• Conclusions
Introduction
• Botnets are among the most widespread threats and occur commonly in today's cyber attacks
• This paper
  • provides a taxonomy of botnet C&C channels
  • proposes a detection framework that focuses on P2P-based and IRC-based botnets
• A botnet is defined as a group of bots that perform similar communication and malicious activity
Botnet communication topologies
• Two different models: centralized and decentralized
• Centralized model
  • Botnet based on IRC
  • Botnet based on HTTP
• Decentralized model
  • Botnet based on P2P
Filtering
• Filtering is used to reduce the traffic workload
• C1: recognize and drop traffic to hosts that are unlikely to be botnet C&C servers
  • uses the top 500 websites on the web (Alexa)
• C2: drop TCP flows whose three-way handshake was not completely established
Application classifier [1/2]
• Responsible for separating IRC and HTTP traffic
• For detecting IRC traffic
  • inspect the contents of each packet
  • match the defined strings: NICK, PASS, USER, JOIN, OPER, PRIVMSG
• For detecting HTTP traffic
  • HTTP uses the client-server model
  • three common HTTP methods: the HTTP request contains "GET", "POST" or "HEAD"
Application classifier [2/2]
• After filtering out HTTP and IRC traffic, the remaining traffic may contain P2P traffic
• The remaining traffic is identified as general P2P using BLINC
  • no access to packet payload
  • no knowledge of port numbers
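The filtering stages (C1, C2) and the application classifier described on the slides above, as an added Python example; this is not code from the paper or the slides. The whitelist entries, the `Flow` record layout and the sample flows are constructed (the paper takes the whitelist from Alexa's top 500); the IRC command strings and the HTTP methods are the ones the slides list. BLINC itself is not implemented: flows that match neither protocol are only tagged as candidates for that payload-free P2P classifier.

```python
from dataclasses import dataclass

# Constructed stand-in for the "top 500 websites" whitelist used in stage C1.
# The paper takes this list from Alexa; these entries are hypothetical.
WELL_KNOWN_SITES = {"example.com", "example.net"}

# Strings the slides list for IRC detection, and the three common HTTP methods.
IRC_COMMANDS = {"NICK", "PASS", "USER", "JOIN", "OPER", "PRIVMSG"}
HTTP_METHODS = {"GET", "POST", "HEAD"}


@dataclass
class Flow:
    sip: str                  # source IP
    dip: str                  # destination IP
    dport: int                # destination port
    proto: str                # "TCP" or "UDP"
    handshake_complete: bool  # SYN, SYN/ACK and ACK all observed (used by C2)
    payload: bytes = b""      # reassembled client payload, if any
    dst_name: str = ""        # hostname resolved for dip, if known (used by C1)


def passes_filter(flow: Flow) -> bool:
    """Stage C1 drops traffic to well-known sites that are unlikely C&C servers;
    stage C2 drops TCP flows whose three-way handshake never completed."""
    if flow.dst_name and flow.dst_name.lower() in WELL_KNOWN_SITES:
        return False
    if flow.proto == "TCP" and not flow.handshake_complete:
        return False
    return True


def classify_application(flow: Flow) -> str:
    """Return "IRC", "HTTP" or "OTHER" by inspecting the payload line by line."""
    text = flow.payload.decode("latin-1", errors="replace")
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # Server-originated IRC lines carry a ":prefix" before the command.
        cmd = tokens[1] if tokens[0].startswith(":") and len(tokens) > 1 else tokens[0]
        if cmd.upper() in IRC_COMMANDS:
            return "IRC"
        # An HTTP request line is "<METHOD> <target> HTTP/<version>".
        if len(tokens) == 3 and tokens[0] in HTTP_METHODS and tokens[2].startswith("HTTP/"):
            return "HTTP"
    return "OTHER"  # left for the payload-free P2P classifier (BLINC)


def run_pipeline(flows):
    """Apply filtering, then split the surviving flows by application protocol."""
    buckets = {"IRC": [], "HTTP": [], "OTHER": []}
    for flow in flows:
        if passes_filter(flow):
            buckets[classify_application(flow)].append(flow)
    return buckets


# Constructed sample flows using documentation address ranges.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.80", 80, "TCP", True,
         b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", "example.com"),  # dropped by C1
    Flow("192.0.2.11", "203.0.113.81", 6667, "TCP", False),                # dropped by C2
    Flow("192.0.2.12", "203.0.113.82", 6667, "TCP", True,
         b"NICK bot12\r\nUSER bot 0 * :bot\r\nJOIN #chan\r\n"),             # IRC
    Flow("192.0.2.13", "203.0.113.83", 8080, "TCP", True,
         b"POST /gate.php HTTP/1.1\r\nHost: 203.0.113.83\r\n\r\n"),         # HTTP
    Flow("192.0.2.14", "203.0.113.84", 41952, "UDP", False, b"\xe3\x9a\x01\x02"),  # OTHER
]

if __name__ == "__main__":
    for proto, flows in run_pipeline(SAMPLE_FLOWS).items():
        print(proto, [f.sip for f in flows])
```

The C1 check keys on a resolved hostname rather than the raw destination IP, because a top-sites list is a list of domains; in a deployment the resolution would come from observed DNS answers for the same client.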
Traffic Monitoring [1/3]
• Analyze flow characteristics to find similarities among the botnet hosts
• Record information on each flow using the Audit Record Generation and Utilization System (ARGUS)
• The monitoring period is specified as 6 hours
Traffic Monitoring [2/3]
• Flows with the same SIP, DIP, Dport and the same protocol (TCP or UDP) are marked
• For each network flow (row) we calculate
  • average number of bytes per second (nbps) = number of bytes / duration
  • average number of bytes per packet (nbpp) = number of bytes / number of packets
• Insert these two new values (nbps and nbpp), together with the SIP and DIP of the marked flows, into another database
Traffic Monitoring [3/3]
• We may end up with a set of databases
• For each database we can draw a graph with (X, Y) = (bpp, bps)
• The next step is comparing the different x-y graphs
  • graphs that are similar to each other are clustered in the same category
• The list of SIP addresses is recorded and passed to the next step for analysis
Malicious Activity Detector
• Analyze the outbound traffic from the network
  • try to detect possible malicious activities performed by the internal machines
• The most common and efficient malicious activities: scanning and spamming
• For detecting scanning, the solution used in this part is the Statistical sCan Anomaly Detection Engine (SCADE)
  • Inbound Scan Detection (ISD)
  • Outbound Scan Detection (OSD)
Spam-related Activities [1/2]
• Spam is known as Unsolicited Bulk Email
• One botnet used for sending spam is Storm Worm, which is a P2P botnet
• More than 95% of email on the Internet is spam
• A common approach for detecting spam is the use of a DNS Blackhole List (DNSBL)
  • a list of spam senders' IP addresses and SMTP servers
Spam-related Activities [2/2]
• An indication of possible malicious activity: the same client using different external mail servers many times
• Inspect outgoing traffic from our network
  • record the SIP and DIP of flows whose dport is 25 (SMTP) or 587 (Submission)
• Conclude which internal host is behaving unusually
  • sending many emails to different or the same mail servers
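The spam-related check described on the two slides above, as an added Python example; it is not code from the paper. The monitored network range, the flow records and the thresholds (`max_servers`, `max_sessions`) are constructed assumptions, since the paper only says "many times"; the ports 25 and 587 are the ones the slides name.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.0.2.0/24")  # constructed: the monitored internal network
MAIL_PORTS = {25, 587}                      # SMTP and Submission, as on the slides

# Constructed outbound flow records from one monitoring window: (SIP, DIP, dport).
SAMPLE_FLOWS = [
    ("192.0.2.50", "198.51.100.25", 587),   # ordinary client using one external relay
    ("192.0.2.50", "198.51.100.25", 587),
    ("192.0.2.50", "203.0.113.80", 443),    # web traffic, not mail
    ("203.0.113.9", "192.0.2.77", 25),      # inbound flow, not an internal sender
] + [("192.0.2.77", f"203.0.113.{n}", 25) for n in range(1, 7)]  # one host, six mail servers


def mail_sessions(records):
    """Map each internal SIP to the external mail servers it contacted on port 25 or 587."""
    per_host = defaultdict(list)
    for sip, dip, dport in records:
        if dport not in MAIL_PORTS:
            continue
        if ip_address(sip) in INTERNAL_NET and ip_address(dip) not in INTERNAL_NET:
            per_host[sip].append(dip)
    return per_host


def unusual_senders(records, max_servers=2, max_sessions=20):
    """Flag internal hosts that used more than max_servers distinct external mail
    servers, or opened more than max_sessions mail sessions, within the window.
    Both thresholds are assumptions; the paper fixes no values."""
    flagged = {}
    for sip, servers in mail_sessions(records).items():
        distinct = len(set(servers))
        if distinct > max_servers or len(servers) > max_sessions:
            flagged[sip] = {"sessions": len(servers), "servers": distinct}
    return flagged


if __name__ == "__main__":
    for sip, info in unusual_senders(SAMPLE_FLOWS).items():
        print(f"{sip}: {info['sessions']} mail sessions to {info['servers']} servers")
```

A legitimate desktop normally submits mail to one or two relays, so the distinct-server count is the stronger signal; the session count catches a host that hammers a single server. Hosts flagged here are only candidates and are meant to be correlated with the similar-communication clusters from the traffic-monitoring stage.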
Monitoring and Clustering
• Objective: detection of IRC-based botnets
• Use ARGUS for monitoring flows
  • for each network flow we calculate nbps and nbpp
Flows Analyzer
• The Flows Analyzer is responsible for looking for a group of databases that are similar to each other
• After finding similar databases
  • record the SIP addresses of those hosts
  • report them as a group of bots that belong to an IRC-based botnet
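The flow-feature and clustering steps from Traffic Monitoring [2/3] and [3/3] and the Flows Analyzer above, as one added Python example; it is not code from the paper. The ARGUS-style records are constructed, and the way two "graphs" are compared is an assumption: each database's (bpp, bps) scatter is reduced to its mean point and two databases count as similar when both coordinates agree within a relative tolerance (`tol`). The paper describes the comparison only as clustering similar graphs.

```python
from collections import defaultdict
from typing import NamedTuple


class FlowRecord(NamedTuple):
    """Subset of an ARGUS flow record (constructed layout)."""
    sip: str
    dip: str
    dport: int
    proto: str      # "TCP" or "UDP"
    duration: float # seconds
    nbytes: int
    packets: int


# Constructed records from one 6-hour window: three internal hosts keep a
# low-rate, small-packet session to one server on 6667; a fourth does bulk HTTPS.
SAMPLE_FLOWS = [
    FlowRecord("192.0.2.10", "203.0.113.7", 6667, "TCP", 10, 600, 12),
    FlowRecord("192.0.2.10", "203.0.113.7", 6667, "TCP", 12, 660, 11),
    FlowRecord("192.0.2.11", "203.0.113.7", 6667, "TCP", 10, 620, 12),
    FlowRecord("192.0.2.11", "203.0.113.7", 6667, "TCP", 11, 600, 12),
    FlowRecord("192.0.2.12", "203.0.113.7", 6667, "TCP", 9, 540, 10),
    FlowRecord("192.0.2.12", "203.0.113.7", 6667, "TCP", 10, 600, 10),
    FlowRecord("192.0.2.20", "198.51.100.9", 443, "TCP", 2, 40000, 50),
    FlowRecord("192.0.2.20", "198.51.100.9", 443, "TCP", 3, 60000, 60),
]


def flow_features(r: FlowRecord):
    """nbps = bytes / duration and nbpp = bytes / packets, the two values the paper stores."""
    duration = r.duration if r.duration > 0 else 1e-3  # guard zero-duration single-packet flows
    return r.nbytes / duration, r.nbytes / r.packets


def build_databases(records):
    """Mark flows sharing (SIP, DIP, Dport, Pr); each marked group is one database of (nbps, nbpp) rows."""
    databases = defaultdict(list)
    for r in records:
        databases[(r.sip, r.dip, r.dport, r.proto)].append(flow_features(r))
    return databases


def graph_summary(rows):
    """Summarise a database's (bpp, bps) graph by its mean point (assumption, see lead-in)."""
    n = len(rows)
    return sum(bps for bps, _ in rows) / n, sum(bpp for _, bpp in rows) / n


def similar(a, b, tol=0.2):
    """Two summaries are similar when each coordinate differs by at most tol of the larger value."""
    return all(abs(x - y) <= tol * max(x, y) for x, y in zip(a, b))


def cluster_databases(databases, tol=0.2):
    """Greedy single-pass clustering; each cluster keeps its first member as representative."""
    clusters = []  # entries: (representative summary, [database keys])
    for key, rows in databases.items():
        summary = graph_summary(rows)
        for rep, keys in clusters:
            if similar(rep, summary, tol):
                keys.append(key)
                break
        else:
            clusters.append((summary, [key]))
    return [keys for _, keys in clusters]


def bot_groups(records, min_hosts=2, tol=0.2):
    """SIP lists for clusters in which several distinct internal hosts share one communication pattern."""
    groups = []
    for keys in cluster_databases(build_databases(records), tol):
        sips = sorted({key[0] for key in keys})
        if len(sips) >= min_hosts:
            groups.append(sips)
    return groups


if __name__ == "__main__":
    for group in bot_groups(SAMPLE_FLOWS):
        print("hosts with a shared communication pattern:", group)
```

The single-host cluster (192.0.2.20) is dropped by `min_hosts`, which is the point of the method: one machine with an unusual profile is not evidence of a botnet, several machines with the same profile are. In practice the 6-hour window gives each database many more rows, so a distribution-level comparison would replace the mean point used here.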
Conclusions
• We proposed a new general detection framework that focuses on P2P-based and IRC-based botnets
• Botnets have been defined as a group of bots that perform similar communication and malicious activity patterns within the same botnet
• Future work: add a dedicated detection method for HTTP-based botnets and make the framework one general system for botnet detection