
Proactively Removing the Botnet Threat


Presentation Transcript


  1. Proactively Removing the Botnet Threat
     ONR Award N00014-09-10757
     http://www.cs.utexas.edu/~aseehra/botnets/index.html
     PI: Joan Feigenbaum (Yale)
     http://www.cs.yale.edu/homes/jf/
     Project Review; February 9, 2010
     Columbia University; New York, NY

  2. Investigators
     Yale (Prime contractor)
     • Joan Feigenbaum, PI
     • Bryan Ford
     Columbia (Subcontractor)
     • Steven M. Bellovin, PI
     • Angelos Keromytis
     • Salvatore J. Stolfo
     UT Austin (Subcontractor)
     • Vitaly Shmatikov, PI
     • Michael Walfish
     AT&T Labs (Industrial partner)
     • William Cheswick

  3. Botnets are groups of machines that
     • are assembled by a botmaster,
     • act together under the botmaster’s control, and
     • engage in malicious activity.

  4. Question: Is there a “botnet threat” that is distinct from the general threat of network/computer insecurity?
     With respect to prevention: No
     With respect to detection: Yes

  5. Prevention
     • Consent-based network architecture
       • disallow unauthorized flows (Walfish and Keromytis)
     • Deterministic virtualization
       • disallow unauthorized actions (Ford)

  6. Detection
     • Characterize botnet traffic (Bellovin)
       • First step: CU NetFlow data
       • Next step: Larger NetFlow datasets, including AT&T’s
     • Identify botmasters (Keromytis)
       • Current: Track induced traffic fluctuations in response traffic.
       • Future: Use poisoned documents with embedded beacons.
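The slide says only that botnet traffic is to be characterized from NetFlow data; it does not say which features are used. The following is an added example, not code from the project or from any of the investigators, showing one common defender-side heuristic on flow records: a host that contacts the same destination and port at a steady interval with near-constant flow sizes looks like a bot polling its controller. The flow records, the thresholds (`MIN_FLOWS`, `MAX_CV`) and the CSV column layout are all constructed for this example.

```python
import csv
import io
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records for this example; not real CU or AT&T data.
# Columns: flow start time (s), source IP, destination IP, destination port, bytes.
# 10.0.0.5 polls one host every 60 s with ~310-byte flows (beacon-like);
# 10.0.0.9 talks to one host at irregular intervals with varying sizes (ordinary use).
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes
1000,10.0.0.5,198.51.100.7,6667,312
1060,10.0.0.5,198.51.100.7,6667,308
1120,10.0.0.5,198.51.100.7,6667,315
1180,10.0.0.5,198.51.100.7,6667,310
1240,10.0.0.5,198.51.100.7,6667,311
1300,10.0.0.5,198.51.100.7,6667,309
1003,10.0.0.9,203.0.113.20,443,52000
1140,10.0.0.9,203.0.113.20,443,1800
1900,10.0.0.9,203.0.113.20,443,230000
2200,10.0.0.9,203.0.113.20,443,900
2350,10.0.0.9,203.0.113.20,443,41000
"""

MIN_FLOWS = 5   # assumed threshold: need this many flows before judging regularity
MAX_CV = 0.2    # assumed threshold: coefficient of variation at or below this is "regular"


def parse_flows(text):
    """Parse CSV flow records into dicts with numeric ts, dport and bytes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": int(row["ts"]), "src": row["src"], "dst": row["dst"],
                     "dport": int(row["dport"]), "bytes": int(row["bytes"])})
    return rows


def coefficient_of_variation(values):
    """Population std-dev divided by mean; infinite when the mean is zero."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beaconing(text, min_flows=MIN_FLOWS, max_cv=MAX_CV):
    """Return (src, dst, dport) groups whose flows recur at a steady
    interval with near-constant size, i.e. candidate C2 polling."""
    groups = defaultdict(list)
    for f in parse_flows(text):
        groups[(f["src"], f["dst"], f["dport"])].append(f)

    findings = []
    for (src, dst, dport), flows in groups.items():
        if len(flows) < min_flows:
            continue
        flows.sort(key=lambda f: f["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(flows, flows[1:])]
        gap_cv = coefficient_of_variation(gaps)
        size_cv = coefficient_of_variation([f["bytes"] for f in flows])
        if gap_cv <= max_cv and size_cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "flows": len(flows), "period_s": round(mean(gaps)),
                             "gap_cv": round(gap_cv, 3), "size_cv": round(size_cv, 3)})
    return findings


if __name__ == "__main__":
    for hit in find_beaconing(SAMPLE_FLOWS):
        print(hit)
```

On the constructed data only the 10.0.0.5 group is reported (period 60 s, zero interval variance). Regularity alone is not proof of a bot: software updaters and monitoring agents beacon too, so in practice a hit like this is a lead to correlate with destination reputation and with what else the host does, not a verdict.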

  7. Detection and Prevention
     • Network scan revealed many vulnerable embedded devices.
     • Parasitic Embedded Machines can prevent this type of attack. (Stolfo)
     • Lots of low-hanging fruit for botmasters
     • Total scale of the problem still unknown

  8. Shape and Scope of Project
     • Originally proposed as a 5-year $7.5M MURI project.
     • Currently an 18-month, $884K project with (only modestly) reduced scope.
     • Whether, why, and how to continue after Sept. 2010. (TBC this afternoon)