Usman Jafarey. Includes slides from The Zombie Roundup by Cooke, Jahanian and McPherson of the University of Michigan. Botnets. BotSniffer. Slides made by Andrew Tjang.
BotSniffer
Slides made by Andrew Tjang
Paper: BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic, by Guofei Gu, Junjie Zhang and Wenke Lee (NDSS 08)
Motivation
• Botnets are serious security threats
• Real-time command and control (C&C) from a centralized source
• Use the characteristics of this C&C traffic to detect botnets in systems
Contributions
• Identify characteristics of C&C in botnets
• Capture the spatial-temporal correlation of network traffic to detect botnets
• Implement anomaly-based detection algorithms as Snort plugins
• Evaluate BotSniffer on real-world traces
• Show that botnets can be detected with high accuracy and a low false positive rate
Command & Control
• Centralized control of the bots in a botnet
• Can be push (e.g. IRC) or pull (e.g. HTTP)
• Difficult to detect because the protocol usage resembles normal traffic, the traffic volume is low, there may be few bots, and the channel may be encrypted
Spatial-temporal correlation
• Invariants common to all botnets:
  1. Need to connect to a central server to get commands
  2. Respond to commands: perform tasks and report back (keeping a long connection, or making frequent connections)
• Responses: message response or activity response
• Multiple bots in a channel are likely to respond in a similar fashion
• Leverage the “response crowd”
• Bots show stronger and more consistent synchronization and correlation in their responses than humans do
BotSniffer Architecture
• Monitor Engine: examines network traffic, detects activity response behavior and suspicious C&C protocols
• Correlation Engine: group analysis of spatial-temporal correlation, i.e. similarity of the activity or message responses of clients connected to the same IRC/HTTP server
Group Analysis
• Intuition: P(botnet | 100 clients send similar messages) > P(botnet | 10 clients send similar messages)
• IF botnet, THEN the more clients there are, the more likely they form a homogeneous cluster
• IF not botnet, THEN the clients are unlikely to send similar messages
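The response-crowd idea from the last three slides (message-response similarity among clients of one server, checked window by window and accumulated until the evidence is decisive) can be made concrete in a few dozen lines. The following is an added toy example, not code from the BotSniffer paper or the slides: it clusters per-window messages by DICE similarity over character bigrams, calls a window a homogeneous response crowd when at least half the clients land in one cluster, and feeds those yes/no observations into a sequential probability ratio test (the same TRW-style test the paper uses). The hostnames, addresses, messages, thresholds and error rates are all constructed.

```python
"""Toy BotSniffer-style group analysis of message responses (added example)."""
from collections import defaultdict
from itertools import combinations
from math import log

NGRAM = 2  # character n-gram length used for message similarity


def ngrams(text, n=NGRAM):
    text = text.lower()
    return {text[i:i + n] for i in range(len(text) - n + 1)}


def dice(a, b):
    """DICE coefficient of two strings' bigram sets, in [0, 1]."""
    ga, gb = ngrams(a), ngrams(b)
    if not ga and not gb:
        return 1.0
    return 2 * len(ga & gb) / (len(ga) + len(gb))


def message_clusters(messages, sim_threshold=0.8):
    """Single-link clustering: clients whose messages score >= sim_threshold
    end up in one cluster. `messages` maps client -> its message in the window."""
    parent = {c: c for c in messages}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(messages, 2):
        if dice(messages[a], messages[b]) >= sim_threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for c in messages:
        groups[find(c)].add(c)
    return list(groups.values())


def window_is_homogeneous(messages, sim_threshold=0.8, crowd_fraction=0.5, min_clients=3):
    """True/False for a window with enough clients to judge, None otherwise."""
    if len(messages) < min_clients:
        return None  # too few clients (the "few bots" weak spot): no evidence either way
    largest = max(len(g) for g in message_clusters(messages, sim_threshold))
    return largest / len(messages) >= crowd_fraction


class ResponseCrowdSPRT:
    """Sequential probability ratio test over per-window homogeneity observations.
    theta1/theta0 = P(homogeneous window | botnet) / P(homogeneous window | benign);
    alpha/beta = target false-positive / false-negative rates (constructed values)."""

    def __init__(self, theta1=0.8, theta0=0.2, alpha=0.005, beta=0.01):
        self.theta1, self.theta0 = theta1, theta0
        self.upper = log((1 - beta) / alpha)  # accept H1 (botnet) at or above this
        self.lower = log(beta / (1 - alpha))  # accept H0 (benign) at or below this
        self.llr = 0.0  # running log-likelihood ratio

    def observe(self, homogeneous):
        if homogeneous:
            self.llr += log(self.theta1 / self.theta0)
        else:
            self.llr += log((1 - self.theta1) / (1 - self.theta0))
        if self.llr >= self.upper:
            return "botnet"
        if self.llr <= self.lower:
            return "benign"
        return "undecided"


def analyze(events, window_s=60, **kw):
    """events: (seconds, server, client, message) tuples. Returns a verdict per server."""
    per_window = defaultdict(dict)  # (server, window index) -> {client: last message}
    for t, server, client, msg in events:
        per_window[(server, t // window_s)][client] = msg
    tests = defaultdict(ResponseCrowdSPRT)
    verdict = {}
    for key in sorted(per_window):
        server = key[0]
        if server in verdict:
            continue  # the test already reached a decision for this server
        hom = window_is_homogeneous(per_window[key], **kw)
        if hom is None:
            continue
        result = tests[server].observe(hom)
        if result != "undecided":
            verdict[server] = result
    for server in tests:
        verdict.setdefault(server, "undecided")
    return verdict


# Constructed sample traffic: hosts, addresses and messages are all made up.
HUMAN_CHAT = [
    ["anyone up for lunch?", "meeting moved to 3pm", "can't, deadline today"],
    ["did you see the game", "finally got the build green", "brb coffee"],
    ["ok see you at 3", "who broke the printer", "still waiting on review"],
    ["that was fun", "pushing the fix now", "heading home early"],
]
SAMPLE = []
for w in range(4):
    base = w * 60
    for i, client in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]):
        # four bots reporting near-identical status to a made-up C&C server
        SAMPLE.append((base + 3 + i, "c2.example", client, f"task {w} done: {i % 2} errors"))
    for i, msg in enumerate(HUMAN_CHAT[w]):
        # three people chatting on a made-up IRC server
        SAMPLE.append((base + 5 + i, "chat.example", f"10.0.0.2{i + 1}", msg))

if __name__ == "__main__":
    print(analyze(SAMPLE))  # {'c2.example': 'botnet', 'chat.example': 'benign'}
```

With the constructed thresholds, four homogeneous windows in a row push the log-likelihood ratio past the upper bound and four non-homogeneous ones past the lower bound, so each server gets a decision after four minutes of traffic. The `min_clients` guard is where the "few bots" weakness shows up: a channel with one or two bots yields no observations at all. Note also that this branch only works on plaintext payloads; an encrypted channel defeats message-response clustering, which is why the paper pairs it with activity-response analysis.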
Evaluation
• Datasets:
  • University-wide network IRC traffic, 2005-2007 (189 days)
  • All network-wide traffic (10 min to 1-5 h captures)
  • Botnet traces (synthetic)
  • Honeypot (8 h)
  • IRC server logs
  • Modified bot software in a virtual environment
  • Two botnets implemented using HTTP
Attacks on BotSniffer and Their Defenses
• Misuse of whitelist: whitelists are not necessary; soft whitelists can be used
• Encryption: does not affect activity response
• Long and random response delays: ?
• Random noise packets: activity response is unaffected