DESCRIPTION
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection. Presented by D Callahan. Outline: Introduction (Botnet problem, Challenges for botnet detection, Related work); BotMiner (Motivation, Design, Evaluation); Conclusion.
TRANSCRIPT
BotMiner: Clustering Analysis of Network Traffic for
Protocol- and Structure-Independent Botnet Detection
Presented by D Callahan
Outline
• Introduction
– Botnet problem
– Challenges for botnet detection
– Related work
• BotMiner
– Motivation
– Design
– Evaluation
• Conclusion
What Is a Bot/Botnet?
• Bot
– A malware instance that runs autonomously and automatically on a compromised computer (zombie) without the owner's consent
– Profit-driven, professionally written, widely propagated
• Botnet (Bot Army): network of bots controlled by criminals
– "A coordinated group of malware instances that are controlled by a botmaster via some C&C channel"
– Architecture: centralized (e.g., IRC, HTTP), distributed (e.g., P2P)
– "25% of Internet PCs are part of a botnet!" (Vint Cerf)
Botnets are used for …
• All DDoS attacks
• Spam
• Click fraud
• Information theft
• Phishing attacks
• Distributing other malware, e.g., spyware
How big is the Bot Problem?
• Computers were used for fun, now they are platforms
• Current top computing platforms: http://www.top500.org/list/2008/11/100
• Storm worm
– 1-50 million computers infected
– Massive computing power
– Incredible bandwidth distributed world wide
– Is the storm over?
Conficker according to McAfee
• When executed, the worm copies itself using a random name to the %Sysdir% folder.
• Obtains the public IP address of the affected computer.
• Attempts to download a malware file from the remote website.
• Starts an HTTP server on a random port on the infected machine to host a copy of the worm.
• Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit.
Challenges for Botnet Detection
• Bots are stealthy on the infected machines
– We focus on a network-based solution
• Bot infection is usually a multi-faceted and multi-phased process
– Only looking at one specific aspect is likely to fail
• Bots are dynamically evolving
– Static and signature-based approaches may not be effective
• Botnets can have a very flexible design of C&C channels
– A solution very specific to a botnet instance is not desirable
Existing Techniques
• Traditional anti-virus tools
– Bots use packers, rootkits and frequent updating to easily defeat anti-virus tools
• Traditional IDS/IPS
– Look at only a specific aspect
– Do not have the big picture
• Honeypot
– Not a good botnet detection tool
Related Work
• [Binkley, Singh 2006]: IRC-based bot detection combining IRC statistics and TCP work weight
• Rishi [Goebel, Holz 2007]: signature-based IRC bot nickname detection
• [Livadas et al. 2006, Karasaridis et al. 2007]: (BBN, AT&T) network flow level detection of IRC botnets
• BotHunter [Gu et al., Security '07]: dialog correlation to detect bots based on an infection dialog model
• BotSniffer [Gu et al., NDSS '08]: spatial-temporal correlation to detect centralized botnet C&C
• TAMD [Yen, Reiter 2008]: traffic aggregation to detect botnets that use a centralized C&C structure
Motivation
• Botnets can change their C&C content (encryption, etc.), protocols (IRC, HTTP, etc.), structures (P2P, etc.), C&C servers, infection models …
Botnet again
• “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel”
• We need to monitor two planes
– C-plane (C&C communication plane): "who is talking to whom"
– A-plane (malicious activity plane): "who is doing what"
BotMiner Framework
C-Plane clustering
What characterizes a communication flow (C-flow) between a local host and a remote service?
– <protocol, srcIP, dstIP, dstPort>
• Temporally related statistical distribution information in
– BPS (bytes per second)
– FPH (flows per hour)
• Spatially related statistical distribution information in
– BPP (bytes per packet)
– PPF (packets per flow)
Two-step Clustering of C-flows
Why multi-step?
– Coarse-grained clustering
• Using reduced feature space: mean and variance of the distribution of FPH, PPF, BPP, BPS for each C-flow (2*4=8)
• Efficient clustering algorithm: X-means
– Fine-grained clustering
• Using full feature space (13*4=52)
What's left?
A-plane Clustering
• Capture “activities in what kind of patterns”
Cross-plane Correlation
• Botnet score s(h) for every host h
• Similarity score between hosts h_i and h_j
• Hierarchical clustering
Two hosts in the same A-cluster and in at least one common C-cluster are clustered together
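As an added example (not the paper's or this presentation's code), the following Python builds C-flows keyed by <protocol, srcIP, dstIP, dstPort> from constructed flow records, computes the reduced 8-feature vector (mean and variance of FPH, PPF, BPP, BPS) from the C-plane slides, and applies the cross-plane rule stated above. It assumes one C-flow per host, replaces X-means with a Euclidean distance threshold, and takes the A-clusters as constructed input because A-plane detection is not shown.

```python
# Added example, not the paper's code; a distance threshold stands in for X-means.
from collections import Counter, defaultdict
from itertools import combinations
from math import dist
from statistics import mean, pvariance

# Constructed flow records: (proto, src, dst, dport, hour, packets, bytes, seconds)
FLOWS = [
    ("tcp", "10.0.0.5", "203.0.113.9", 6667, 0, 12, 960, 8.0),
    ("tcp", "10.0.0.5", "203.0.113.9", 6667, 1, 11, 880, 8.0),
    ("tcp", "10.0.0.7", "203.0.113.9", 6667, 0, 12, 960, 8.0),
    ("tcp", "10.0.0.7", "203.0.113.9", 6667, 1, 13, 1040, 8.0),
    ("tcp", "10.0.0.9", "198.51.100.4", 443, 0, 40, 52000, 2.0),
    ("tcp", "10.0.0.9", "198.51.100.4", 443, 1, 3, 2100, 1.0),
]

def cflow_features(flows):
    """Per C-flow <proto, src, dst, dport>: mean and variance of FPH, PPF, BPP, BPS."""
    groups = defaultdict(list)
    for proto, src, dst, dport, hour, pkts, byts, secs in flows:
        groups[(proto, src, dst, dport)].append((hour, pkts, byts, secs))
    feats = {}
    for key, recs in groups.items():
        fph = list(Counter(h for h, _, _, _ in recs).values())  # flows per hour
        ppf = [p for _, p, _, _ in recs]                         # packets per flow
        bpp = [b / p for _, p, b, _ in recs]                     # bytes per packet
        bps = [b / s for _, _, b, s in recs]                     # bytes per second
        feats[key] = [x for s in (fph, ppf, bpp, bps) for x in (mean(s), pvariance(s))]
    return feats

def group(hosts, linked):
    """Connected components of hosts under the pairwise predicate linked."""
    comp = {h: {h} for h in hosts}
    for h1, h2 in combinations(sorted(hosts), 2):
        if linked(h1, h2):
            merged = comp[h1] | comp[h2]
            for h in merged:
                comp[h] = merged
    return {frozenset(c) for c in comp.values()}

def c_clusters(feats, threshold):
    """Stand-in for X-means: group hosts whose C-flow vectors lie within threshold."""
    vec = {k[1]: v for k, v in feats.items()}  # assumes one C-flow per host
    return group(set(vec), lambda a, b: dist(vec[a], vec[b]) < threshold)

def cross_plane_groups(a_clus, c_clus):
    """BotMiner rule: same A-cluster and at least one common C-cluster."""
    hosts = set().union(*a_clus, *c_clus)
    return group(hosts, lambda a, b: any(a in x and b in x for x in a_clus)
                 and any(a in y and b in y for y in c_clus))
```

With the constructed data, 10.0.0.5 and 10.0.0.7 share near-identical C-flow statistics toward the same service and end up in one C-cluster, so they are merged only when an A-cluster also contains both; 10.0.0.9 stays apart even when it shares the A-cluster.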
Results
False Positive Clusters
Botnet detection
Overview
Conclusion
BotMiner
- New botnet detection system based on horizontal correlation
- Independent of botnet C&C protocol and structure
- Real-world evaluation shows promising results
- While it is possible to avoid detection by BotMiner, the efficiency and convenience of the botnet will also suffer