Speaker: Hom-Jay Hom
Date: 2009/11/17
Botnet, and the CyberCriminal Underground
IEEE 2008
Hsinchun Chen
Clinton J. Mielke II
Outline
Botnets
SHADOW SERVER
Investigating The Botnet World
Further Work
Conclusion
112/04/20 2
Botnets (1/3)
The earliest malware: damaging the system, printing taunting messages.
Traditional computer viruses: copy themselves. Trojan horses.
Worms: scanning and infecting.
Botnets (2/3)
Infection
DDoS attacks
Spamming
Espionage
Proxies
Click-through fraud
Botnets (3/3) The Underground Economy
A hidden social network of cybercriminals.
Criminals gather and sell their services: spammers, bot-herders, malware authors.
Many botnets are actually rented to other criminal organizations: phishing attacks, stock-market pump-and-dump.
SHADOW SERVER (1/2) ShadowServer
A nonprofit group.
Honeypots: passively collect malware.
Malware analysis. Passive: antivirus engines. Active: sandbox; execute the untrustworthy malicious code.
SHADOW SERVER (2/2) Snooping
Newly discovered IRC networks: records all IRC traffic. The IRC logs are analyzed with a pattern-matching signature system.
Investigating The Botnet World (1/9) Dataset Processing
(Diagram: each snooped record carries an ID, a C&C ID, a nickname and an IP.)
Investigating The Botnet World (2/9) Classify known command strings
DDoS command. Infection event. Password-theft event.
Signature system: command strings are analyzed and classified, producing a compendium of what events occurred.
Investigating The Botnet World (3/9) 1. Nickname Enumeration
Random numeric ID vs. dictionary nicknames.
Signature system: nicknames that issue bot command strings are identified, producing a sanitized list.
Investigating The Botnet World (4/9) 2. Drone Counting
A simple approach: state tracked in a lookup table, with a population counter.
A more refined approach: follow the IRC events in the snooped channel.
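The three processing steps on the preceding slides (signature classification of command strings, nickname enumeration, and drone counting with a lookup table) as one added Python example; this is not the paper's or ShadowServer's code. The snoop log lines, the bot-nickname format, the command syntaxes and the signature patterns are all constructed for illustration and are assumptions, not the syntax of any real bot family.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed snoop log (assumption, not a real capture):
# "<seconds> <IRC event> <nick> [text]" for one C&C channel.
SNOOP_LOG = """\
0 JOIN herder
1 JOIN [USA|XP|48213]
2 JOIN [DEU|2K|90371]
3 JOIN [USA|XP|11590]
4 PRIVMSG herder .ddos.syn 203.0.113.9 80 600
5 PRIVMSG herder .scan.start lsass 100 5 0 -r -s
6 PRIVMSG [DEU|2K|90371] [lsass]: Exploiting IP: 198.51.100.27
7 PRIVMSG herder .getcdkeys
8 PRIVMSG [USA|XP|48213] CD key: XXXX-XXXX
9 QUIT [USA|XP|11590]
10 PART [DEU|2K|90371]
11 JOIN [USA|XP|77001]
12 NICK [USA|XP|48213] [USA|XP|48213|2]
"""

# Step 2/9: signature system for known command strings. The patterns are
# illustrative assumptions about SDBot/Agobot-style syntax, not a real ruleset.
COMMAND_SIGNATURES = [
    ("ddos", re.compile(r"^\.(ddos|syn|udp)\S* \d{1,3}(\.\d{1,3}){3}")),
    ("infection", re.compile(r"^\.(scan|advscan)\.start|Exploiting IP:")),
    ("password_theft", re.compile(r"^\.(getcdkeys|keylog)|CD key:")),
]

# Step 3/9: nickname enumeration. Bots announce themselves with a generated
# [COUNTRY|OS|random-number] nick (assumed format); anything else is treated
# as a dictionary ("human") nickname.
BOT_NICK = re.compile(r"^\[[A-Z]{2,3}\|[0-9A-Z]+\|\d{4,}(\|\d+)?\]$")


def classify_command(text):
    """Return the first matching event label, or None for ordinary chatter."""
    for label, signature in COMMAND_SIGNATURES:
        if signature.search(text):
            return label
    return None


def is_bot_nick(nick):
    return bool(BOT_NICK.match(nick))


@dataclass
class Snapshot:
    t: int
    population: int


def process_log(log):
    """Step 4/9: drone counting with a lookup table of who is present.

    Returns (event counts by label, set of human nicknames, population
    timeline). JOIN/PART/QUIT/NICK keep the table in sync, so a bot that
    renames itself is not counted twice.
    """
    events = Counter()
    humans = set()
    present = {}          # nick -> True while the nick is in the channel
    timeline = []
    for line in log.splitlines():
        t, event, nick, *rest = line.split(" ", 3)
        text = rest[0] if rest else ""
        if event == "JOIN":
            present[nick] = True
        elif event in ("PART", "QUIT"):
            present.pop(nick, None)
        elif event == "NICK":            # rename: old nick leaves, new one stays
            present.pop(nick, None)
            nick = text
            present[nick] = True
        elif event == "PRIVMSG":
            label = classify_command(text)
            if label:
                events[label] += 1
        if not is_bot_nick(nick):
            humans.add(nick)
        timeline.append(Snapshot(int(t), sum(map(is_bot_nick, present))))
    return events, humans, timeline


def peak_population(timeline):
    return max(s.population for s in timeline)


if __name__ == "__main__":
    events, humans, timeline = process_log(SNOOP_LOG)
    print(dict(events), sorted(humans), peak_population(timeline))
```

The population counter only counts nicknames that match the bot pattern, so the herder's own presence does not inflate the drone count; the human set is what the later social-network step would take as input.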
Investigating The Botnet World (5/9)
(Figure: bot population over time; y-axis 0 to 600; daytime vs. night.)
Investigating The Botnet World (6/9) Key Players
The botnet herders, ranked by counting the C&Cs they control. Herders also detect others' botnet C&C channels and subvert their security mechanisms.
Investigating The Botnet World (7/9) Criminal Social Network
Analysis of community structure over all pre-filtered "human" nicknames.
Nodes are nicknames; any two nodes found collaborating in a C&C channel are linked.
Weights were assigned to the edges using the Jaccard metric.
Investigating The Botnet World (8/9) Hierarchical agglomerative clustering algorithm
Minimum similarity of 50%. 957 nicknames, 104 clusters.
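The edge weighting from the social-network slide and the clustering from the slide above, as one added Python example that is not the paper's code. The nicknames and their channel memberships are constructed; Jaccard similarity is computed over the sets of C&C channels each nickname was seen in, and average linkage is assumed for the cluster-to-cluster similarity because the slides do not state which linkage rule was used.

```python
from itertools import combinations

# Constructed input (assumption): pre-filtered "human" nickname -> set of
# C&C channel IDs in which that nickname was observed.
NICK_CHANNELS = {
    "herder":    {"c1", "c2", "c3"},
    "herder_":   {"c1", "c2", "c3", "c4"},   # close variation of "herder"
    "h3rder":    {"c1", "c2"},
    "spamlord":  {"c9", "c10"},
    "spamlord2": {"c9", "c10", "c11"},
    "lurker":    {"c20"},
}


def jaccard(a, b):
    """|A intersect B| / |A union B|; 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def edge_weights(nick_channels):
    """Edges between any two nicknames found collaborating (sharing at
    least one C&C channel), weighted by the Jaccard metric."""
    weights = {}
    for u, v in combinations(sorted(nick_channels), 2):
        w = jaccard(nick_channels[u], nick_channels[v])
        if w > 0:
            weights[(u, v)] = w
    return weights


def cluster_similarity(c1, c2, nick_channels):
    """Average linkage (assumed): mean Jaccard over all cross-cluster pairs."""
    pairs = [(u, v) for u in c1 for v in c2]
    return sum(jaccard(nick_channels[u], nick_channels[v]) for u, v in pairs) / len(pairs)


def agglomerative_cluster(nick_channels, min_similarity=0.5):
    """Hierarchical agglomerative clustering: repeatedly merge the two most
    similar clusters, stopping once no pair reaches min_similarity."""
    clusters = [frozenset([n]) for n in sorted(nick_channels)]
    while True:
        best_score, best_pair = None, None
        for i, j in combinations(range(len(clusters)), 2):
            s = cluster_similarity(clusters[i], clusters[j], nick_channels)
            if s >= min_similarity and (best_score is None or s > best_score):
                best_score, best_pair = s, (i, j)
        if best_pair is None:
            return sorted(tuple(sorted(c)) for c in clusters)
        i, j = best_pair
        merged = clusters[i] | clusters[j]
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)] + [merged]


if __name__ == "__main__":
    for cluster in agglomerative_cluster(NICK_CHANNELS):
        print(cluster)
```

With the 50% threshold the three "herder" variants land in one cluster and the two "spamlord" nicks in another, while an isolated nick stays a singleton; raising the threshold splits off the weaker member first, which is the sensitivity the Further Work slide's point about nickname variants is getting at.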
Investigating The Botnet World (9/9) Of the 104 clusters
Cluster labels: C: C&C, D: DDoS, B: Bot, P: Victim passwords.
(Figure: clusters by activity type.)
Further Work
Many herders will use close variations of similar nicknames.
Profile behavioral characteristics of herders.
Beyond hierarchical clustering: biclustering, or a hypergraph of nicknames and channels.
To better profile DDoS attack motivations, DDoS targets must be individually scrutinized; IP addresses could be correlated with latitude and longitude.
Conclusion
Cybercrime has grown in recent years to encompass world-influencing crimes.
Tracking these miscreants and their botnets will become more and more challenging.
Individuals need to secure themselves.
ShadowServer hopes to assist in whatever way we can to make the internet a safer place.
END