Botnets - PowerPoint PPT Presentation

About This Presentation

Title: Botnets

Description: Show botnets can be detected with high accuracy and low false positive rate. Command & Control ... to respond in similar fashion. Leverage 'response crowd' ... – PowerPoint PPT presentation

Number of Views: 112
Avg rating: 3.0/5.0
Slides: 32
Provided by: csRut
Tags: botnets


Transcript and Presenter's Notes


1
Botnets
  • Usman Jafarey
  • Including slides from The Zombie Roundup by
    Cooke, Jahanian, McPherson

18
BotSniffer
  • Slides made by Andrew Tjang

Paper: "BotSniffer: Detecting Botnet Command and
Control Channels in Network Traffic" by Guofei Gu,
Junjie Zhang, and Wenke Lee (NDSS 08)
19
Motivation
  • Botnets are serious security threats
  • Real-time Command & Control from a centralized source
  • Use characteristics of this Command & Control to
    detect botnets in systems

20
Contributions
  • Identify characteristics of C&C in botnets
  • Capture spatial-temporal correlation of network
    traffic to detect botnets
  • Implement anomaly based detection algorithms as
    Snort plugins
  • Evaluation of BotSniffer on real world traces
  • Show botnets can be detected with high accuracy
    and low false positive rate

21
Command & Control
  • Centralized control of bots in botnets
  • Can be push (e.g. IRC) or pull (e.g. HTTP)
  • Difficult to detect because protocol usage is
    similar to normal traffic, low traffic volume,
    few bots, encryption

22
Spatial-Temporal correlation
  • Invariants common to all botnets:
  • 1. need to connect to a central server to get
    commands
  • 2. respond to commands
  • perform tasks and report back (keeping a long
    connection, or making frequent connections)
  • Responses: message response or activity response
  • Multiple bots in a channel are likely to respond in
    similar fashion
  • Leverage the "response crowd"
  • Bots have stronger/more consistent synchronization and
    correlation in responses than humans do.

23
BotSniffer Architecture
  • Monitor Engine
  • Examines network traffic, detects activity
    response behavior and suspicious C&C protocols
  • Correlation Engine
  • Group analysis of spatial-temporal correlation:
    similarity of activity or message responses of
    clients connected to the same IRC/HTTP server

26
BotSniffer Architecture Illustrated
27
Group Analysis
  • Intuition
  • P(botnet | 100 clients send similar messages) >
    P(botnet | 10 clients send similar messages)
  • IF botnet, THEN more clients are more likely to form a
    homogeneous cluster
  • IF not botnet, THEN clients are unlikely to send similar
    messages

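The "response crowd" of slide 22 and the group-analysis intuition of slide 27, as an added Python illustration (not the BotSniffer paper's code and not from the slides): clients talking to the same server inside one time window form a crowd, their messages are clustered by similarity, and a log-likelihood score that grows with the number of clients in the largest homogeneous cluster turns "more similar clients, more likely a botnet" into a number. The flow records, the similarity threshold and the rates theta1/theta0 are constructed assumptions.

```python
import math
from collections import defaultdict
from difflib import SequenceMatcher

SAMPLE_FLOWS = [  # constructed (timestamp, client, server, message) records
    (1.0, "10.0.0.11", "srv-a", "report: task done, 3 items sent"),
    (1.4, "10.0.0.12", "srv-a", "report: task done, 4 items sent"),
    (2.1, "10.0.0.13", "srv-a", "report: task done, 3 items sent"),
    (2.9, "10.0.0.14", "srv-a", "report: task done, 2 items sent"),
    (1.2, "10.0.1.21", "srv-b", "anyone up for the game tonight?"),
    (2.5, "10.0.1.22", "srv-b", "brb, coffee"),
    (3.3, "10.0.1.23", "srv-b", "did the build finish?"),
]

def response_crowds(flows, window=10.0):
    """Group messages by (server, time window), keeping each client's latest message."""
    crowds = defaultdict(dict)
    for ts, client, server, msg in sorted(flows):
        crowds[(server, int(ts // window))][client] = msg
    return crowds

def largest_cluster(messages, threshold=0.8):
    """Greedy one-pass clustering by string similarity; size of the biggest cluster."""
    clusters = []  # list of [representative message, member count]
    for msg in messages:
        for cluster in clusters:
            if SequenceMatcher(None, cluster[0], msg).ratio() >= threshold:
                cluster[1] += 1
                break
        else:
            clusters.append([msg, 1])
    return max((size for _, size in clusters), default=0)

def group_score(n_clients, n_similar, theta1=0.8, theta0=0.15):
    """Log-likelihood ratio (botnet vs. not botnet) for a crowd in which
    n_similar of n_clients fell into one homogeneous cluster. theta1/theta0
    are assumed per-client rates of a similar response for bots/humans."""
    return (n_similar * math.log(theta1 / theta0)
            + (n_clients - n_similar) * math.log((1 - theta1) / (1 - theta0)))

def analyze(flows, window=10.0, threshold=0.8, min_clients=3, alarm=2.0):
    """Return {server: best score} for servers whose crowd exceeds the alarm level."""
    alarms = {}
    for (server, _), by_client in response_crowds(flows, window).items():
        if len(by_client) < min_clients:  # too few clients to judge a crowd
            continue
        score = group_score(len(by_client), largest_cluster(list(by_client.values()), threshold))
        if score >= alarm:
            alarms[server] = max(score, alarms.get(server, score))
    return alarms
```

Raising `min_clients` or `alarm` trades detection of small botnets for fewer false alarms on chatty human channels, which is the whitelist/threshold tension the later slides discuss.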
28
Evaluation
  • Datasets
  • University wide network IRC traffic 2005-2007
    (189 days)
  • All network wide traffic (10min/1-5h)
  • Botnet traces (synthetic)
  • Honeypot (8hr)
  • IRC server logs
  • Modified bot software in virtual environment
  • Implemented 2 botnets using HTTP

29
Results: Normal Trace
30
Detection
31
Attacks on BotSniffer and Their Defenses
  • Misuse of whitelist
  • Whitelists are not necessary
  • Can use soft whitelists
  • Encryption
  • Doesn't affect activity response
  • Long random response delays
  • ?
  • Random noise packets
  • Activity response unaffected