
C&C Tracer: Botnet Command and Control Behavior Tracing







  1. C&C Tracer: Botnet Command and Control Behavior Tracing 2013/10/28 Presented: 羅傑聘 102064529

  2. Outline
  • Basic Information
  • Problems to Solve
  • C&C Tracer
  • Experiment Results
  • Discussion

  3. Basic Information
  • Title: C&C Tracer: Botnet Command and Control Behavior Tracing
  • Authors: Meng-Han Tsai, Chang-Cheng Lin, Ching-Hao Mao (Institute for Information Industry, Project Resource Division), Huey-Ming Lee (Chinese Culture University)
  • Publication: Systems, Man, and Cybernetics (SMC), IEEE International Conference
  • Year: 2011
  • Cited (Google): 1

  4. Problems to Solve Botnet command and control (C&C) behavior is becoming more dynamic and changes more rapidly, so it is difficult to capture botnet behavior in real time. In practical analysis, scalability and real-time operation are the two important issues. Reducing the latency of C&C behavior tracing could improve detection coverage of rapidly changing C&C behaviors.

  5. C&C Tracer A botnet C&C behavior tracing system (named C&C Tracer). The C&C Tracer consists of three components:
  • C&C active behavior feature extracting (CAFE)
  • C&C status tracing analyzer (CSTA)
  • Domain name status querying (DNSQ)
  The C&C Tracer can reduce the non-active C&C domain names by close to 80% with only a 0.69% false positive rate.

  6. C&C Tracer – Architecture

  7. C&C Tracer – CAFE C&C Active Behavior Feature Extracting CAFE parses blacklists from different sources into a common format and identifies the botnet type. CAFE includes:
  • Botnet type identifying
  • malicious URL rendering
  • domain name extracting
  • temporal and spatial feature extracting

  8. C&C Tracer – CAFE (2) The authors propose nine features that consider both spatial and temporal information.

  9. C&C Tracer – CSTA C&C Status Tracing Analyzer Determines which domain names are worth continued tracing and which can be ignored. CSTA includes:
  • domain name behavior extracting
  • domain name activity measuring
  • potential domain name selecting

  10. C&C Tracer – CSTA (2) Uses different kinds of data mining classification algorithms to evaluate the activity degree of a domain name, such as:
  • logistic regression (LR)
  • Naive Bayes (NB)
  • RIPPER
  • K-nearest neighbors (KNN)

  11. C&C Tracer – DNSQ Domain Name Status Querying DNSQ queries the corresponding domain names against online data repositories, extracts the C&C behavior, and exports it to the C&C behavior database.

  12. Experiment Results
  • domain extension belongs to a gTLD or ccTLD
  • AutNS + IP + ASN + CC + ISP ≧ 5
  • Average TTL (time-to-live) < 1 day
  • AppearDuration > ActiveRecent
  TP (true positive): the number of active domains that are correctly detected;
  FN (false negative): the number of active domains that are not detected;
  TN (true negative): the number of domain names without an active-domain label that are correctly classified;
  FP (false positive): the number of non-active domains that are incorrectly detected as active.
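The slide lists four screening rules and the four confusion-matrix counts but does not show how they are applied. The following Python is an added example, not code from the C&C Tracer paper or the presentation: it encodes the four rules over a constructed set of domain records, scores predictions with the TP/FN/TN/FP definitions above, and derives the false positive rate and the share of non-active domains pruned (the two figures the slides report). The record fields (AutNS, IP, ASN, CC, ISP counts, average TTL, AppearDuration, ActiveRecent), the "all four rules must hold" decision, and the sample values are assumptions made for the example.

```python
"""Rule-based active-domain screening and confusion-matrix scoring.

Added example modelled on the slide's four rules and TP/FN/TN/FP definitions.
Every record below is constructed; nothing is taken from a real blacklist.
"""
from dataclasses import dataclass

# A small gTLD set; any two-letter alphabetic suffix is treated as a ccTLD (assumption).
GTLDS = {"com", "net", "org", "info", "biz"}
ONE_DAY_SECONDS = 86400


@dataclass
class DomainRecord:
    name: str
    aut_ns: int                 # distinct authoritative name servers seen
    ips: int                    # distinct resolved IP addresses
    asns: int                   # distinct autonomous systems
    ccs: int                    # distinct country codes
    isps: int                   # distinct ISPs
    avg_ttl_seconds: float      # average DNS TTL of the A records
    appear_duration_days: int   # days between first and last sighting (AppearDuration)
    active_recent_days: int     # days since the last observed activity (ActiveRecent, assumed meaning)
    is_active: bool             # ground-truth label used only for scoring


def tld_is_gtld_or_cctld(name: str) -> bool:
    tld = name.rsplit(".", 1)[-1].lower()
    return tld in GTLDS or (len(tld) == 2 and tld.isalpha())


def rule_hits(r: DomainRecord) -> list:
    """Return the names of the slide's four rules that the record satisfies."""
    hits = []
    if tld_is_gtld_or_cctld(r.name):
        hits.append("tld")
    if r.aut_ns + r.ips + r.asns + r.ccs + r.isps >= 5:
        hits.append("diversity")            # AutNS + IP + ASN + CC + ISP >= 5
    if r.avg_ttl_seconds < ONE_DAY_SECONDS:
        hits.append("ttl")                  # average TTL < 1 day
    if r.appear_duration_days > r.active_recent_days:
        hits.append("duration")             # AppearDuration > ActiveRecent
    return hits


def predict_active(r: DomainRecord, min_hits: int = 4) -> bool:
    # Assumption: a domain is kept for tracing only when all four rules hold.
    return len(rule_hits(r)) >= min_hits


def confusion(records, predictor) -> dict:
    """Count TP/FN/TN/FP exactly as the slide defines them."""
    counts = {"TP": 0, "FN": 0, "TN": 0, "FP": 0}
    for r in records:
        predicted = predictor(r)
        if r.is_active and predicted:
            counts["TP"] += 1       # active and correctly detected
        elif r.is_active:
            counts["FN"] += 1       # active but missed
        elif not predicted:
            counts["TN"] += 1       # non-active and correctly dropped
        else:
            counts["FP"] += 1       # non-active but flagged as active
    return counts


def metrics(cm: dict) -> dict:
    tp, fn, tn, fp = cm["TP"], cm["FN"], cm["TN"], cm["FP"]
    return {
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        # fraction of non-active domains pruned from the tracing workload
        "non_active_reduction": tn / (tn + fp) if tn + fp else 0.0,
    }


# Constructed sample: two clearly active C&C domains, two stale ones, one
# fast-flux-looking domain mislabelled inactive (yields an FP), one quiet but
# active domain that fails the duration rule (yields an FN).
SAMPLE = [
    DomainRecord("cnc-a.example.com", 2, 3, 2, 2, 2, 300.0, 30, 3, True),
    DomainRecord("cnc-b.example.ru", 1, 2, 1, 1, 1, 600.0, 10, 2, True),
    DomainRecord("stale.example.org", 1, 1, 1, 1, 1, 259200.0, 5, 40, False),
    DomainRecord("parked.example.net", 1, 1, 1, 1, 1, 3600.0, 2, 90, False),
    DomainRecord("fastflux.example.info", 4, 6, 3, 2, 3, 120.0, 60, 1, False),
    DomainRecord("quiet.example.com", 1, 1, 1, 1, 1, 120.0, 1, 5, True),
]

if __name__ == "__main__":
    cm = confusion(SAMPLE, predict_active)
    print(cm)
    print(metrics(cm))
```

The four rules are only a screen: in the paper the surviving domains go on to CSTA's classifiers, so a practitioner tuning `min_hits` should watch both the false positive rate (wasted tracing effort) and recall (active C&C domains silently dropped), which is what the `metrics` dictionary exposes.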

  13. Experiment Results (2)

  14. Experiment Results (3) The C&C Tracer can reduce the non-active C&C domain names by close to 80% with only a 0.69% false positive rate.

  15. Discussion
  • What I Like
  • The model of C&C Tracer is clearly presented.
  • What I Dislike
  • Some parts of the evaluation are not clear enough; readers might have to work much harder studying the references.
  • Applications in real cases are rarely mentioned.

  16. Thank you!
