C&C Tracer: Botnet Command and Control Behavior Tracing
2013/10/28 Presented: 羅傑聘 102064529
Outline
• Basic Information
• Problems to solve
• C&C Tracer
• Experiment Results
• Discussion
Basic Information
• Title: C&C Tracer: Botnet Command and Control Behavior Tracing
• Authors:
• Meng-Han Tsai
• Chang-Cheng Lin
• Ching-Hao Mao (Institute for Information Industry, Project Resource Division)
• Huey-Ming Lee (Chinese Culture University)
• Publication: Systems, Man, and Cybernetics (SMC), IEEE International Conference
• Year: 2011
• Cited (Google): 1
Problems to Solve
Botnet command and control (C&C) behavior is becoming more dynamic and rapid, so it is difficult to capture Botnet behavior in real time. In practical analysis, scalability and real-time operation are two important issues. Reducing the latency of C&C behavior tracing could improve detection coverage when C&C behaviors change rapidly.
C&C Tracer
A Botnet C&C behavior tracing system (named C&C Tracer). The C&C Tracer consists of three components:
• C&C active behavior feature extracting (CAFE)
• C&C status tracing analyzer (CSTA)
• Domain name status querying (DNSQ)
The C&C Tracer can reduce the non-active C&C domain names by close to 80% with only a 0.69% false positive rate.
C&C Tracer – CAFE
C&C Active Behavior Feature Extracting. CAFE parses the different sources of blacklists into the same format and recognizes the Botnet types. CAFE includes:
• Botnet type identifying
• malicious URL rendering
• domain name extracting
• temporal and spatial feature extracting
C&C Tracer – CAFE (2)
CAFE proposes nine features that consider both spatial and temporal information.
C&C Tracer – CSTA
C&C Status Tracing Analyzer. CSTA determines which domain names are worth continuing to trace and which can be ignored. CSTA includes:
• domain name behavior extracting
• domain name activity measuring
• potential domain name selecting
C&C Tracer – CSTA (2)
CSTA uses different kinds of data mining classification algorithms to evaluate the active degree of a domain name, such as:
• logistic regression (LR)
• naive Bayes (NB)
• RIPPER
• K-nearest-neighbors (KNN)
C&C Tracer – DNSQ
Domain Name Status Querying. DNSQ queries the corresponding domain names from online data repositories, extracts the C&C behavior and exports it to the C&C behavior database.
Experiment Results
• domain extension belongs to a gTLD or ccTLD
• AutNS + IP + ASN + CC + ISP ≧ 5
• Average TTL (time-to-live) < 1 day
• AppearDuration > ActiveRecent
TP (true positive): the number of active domains that are correctly detected;
FN (false negative): the number of active domains that are not detected;
TN (true negative): the number of domain names without active-domain labeling that are correctly classified;
FP (false positive): the number of non-active domains that are incorrectly detected as active domains.
Experiment Results (3)
The C&C Tracer can reduce the non-active C&C domain names by close to 80% with only a 0.69% false positive rate.
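To make the CSTA activity scoring and the TP/FN/TN/FP accounting from the Experiment Results slide concrete, here is an added Python example that is not part of the presentation or the paper. It assumes the four slide criteria can be treated as a simple majority-vote rule (a stand-in for the paper's LR/NB/RIPPER/KNN classifiers), assumes day units for AppearDuration and ActiveRecent, and uses constructed domain records with invented field names.

```python
from dataclasses import dataclass

@dataclass  # one blacklisted domain; field names are this example's assumptions
class DomainRecord:
    name: str
    tld_type: str          # "gTLD", "ccTLD" or "other"
    infra: int             # AutNS + IP + ASN + CC + ISP (distinct values summed)
    avg_ttl_sec: float     # average DNS TTL in seconds
    appear_duration: int   # days since first seen on a blacklist (assumed unit)
    active_recent: int     # days since last observed activity (assumed unit)
    is_active: bool        # constructed ground-truth label

def criteria_met(d: DomainRecord) -> int:
    """Count how many of the slide's four activity criteria the record satisfies."""
    return sum([
        d.tld_type in ("gTLD", "ccTLD"),
        d.infra >= 5,
        d.avg_ttl_sec < 86400,              # average TTL < 1 day
        d.appear_duration > d.active_recent,
    ])

def predict_active(d: DomainRecord, threshold: int = 3) -> bool:
    """Rule-based stand-in for the CSTA classifier: active if most criteria hold."""
    return criteria_met(d) >= threshold

def confusion(records, threshold: int = 3) -> dict:
    """TP/FN/TN/FP exactly as defined on the Experiment Results slide."""
    cm = {"TP": 0, "FN": 0, "TN": 0, "FP": 0}
    for d in records:
        pred = predict_active(d, threshold)
        key = ("TP" if pred else "FN") if d.is_active else ("FP" if pred else "TN")
        cm[key] += 1
    return cm

def metrics(cm: dict) -> dict:
    """False-positive rate and the share of non-active domains dropped from tracing."""
    non_active, active = cm["TN"] + cm["FP"], cm["TP"] + cm["FN"]
    return {
        "fpr": cm["FP"] / non_active if non_active else 0.0,
        "recall": cm["TP"] / active if active else 0.0,
        "non_active_reduction": cm["TN"] / non_active if non_active else 0.0,
    }

# Constructed sample (not from the paper): two live C&C, three dead, one quiet C&C.
SAMPLE = [
    DomainRecord("c2-a.example", "gTLD", 10, 300, 30, 2, True),
    DomainRecord("c2-b.example", "ccTLD", 6, 3600, 10, 1, True),
    DomainRecord("sink.example", "gTLD", 5, 172800, 5, 20, False),
    DomainRecord("dead.example", "other", 1, 86400, 3, 40, False),
    DomainRecord("parked.example", "gTLD", 5, 600, 2, 30, False),
    DomainRecord("quiet-c2.example", "gTLD", 5, 172800, 3, 10, True),
]
```

Raising `threshold` trades the false-positive rate against recall; on this sample a threshold of 4 removes the parked-domain false positive but also keeps the dead domains' share unchanged, which is the scalability-versus-coverage trade-off the slides describe.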
Discussion
• What I Like
• The model of C&C Tracer is clearly presented.
• What I Dislike
• Some parts of the evaluation are not clear enough; readers might have to work much harder on studying the references.
• Application in real cases is rarely mentioned.