Yan Chen - PowerPoint PPT Presentation

Slides: 13
Provided by: yanc8
Transcript and Presenter's Notes

1
Network-based Botnet Detection: Filtering, Containment, and Destruction
  • Yan Chen
  • Northwestern Lab for Internet and Security Technology (LIST)
  • Dept. of Electrical Engineering and Computer Science
  • Northwestern University
  • http://list.cs.northwestern.edu

Motorola Liaisons: Z. Judy Fu and Philip R. Roberts, Motorola Labs
2
New Internet Attack Paradigm
  • Botnets have become the major attack force
    • Symantec identified an average of about 10,000 bot-infected computers per day
  • # of Botnets - increasing
  • Bots per Botnet - decreasing
    • Used to be 80k-140k, now 1000s
  • More firepower
    • Broadband (1Mbps Up) x 100s OC3
  • More stealthy
    • Polymorphic, metamorphic, etc.
  • Residential users, e.g., cable modem users, are particularly susceptible due to poor maintenance

3
Birth of a Bot
  • Bots are born from program binaries that infect your PC
  • Various vulnerabilities can be used
    • E-mail viruses
    • Shellcode (scripts)

4
Botnet Distribution
5
Project Goal
  • Understand the trend of vulnerabilities and exploits used by the botnets in the wild
  • Design vulnerability-based botnet detection and filtering system
    • Deployed at routers/base stations w/o patching the end users
    • Complementary to the existing intrusion detection/prevention systems
    • Can also contain the botnets from infecting inside machines
  • Find the command & control (C&C) of botnets and destroy it

6
Limitations of Exploit Based Signature
[Figure: exploit-based signature ("10.01") used for traffic filtering between the Internet and our network; X marks blocked traffic; label "Polymorphism!"]
Polymorphic worm might not have exact exploit-based signature
7
Vulnerability Signature
[Figure: vulnerability signature traffic filtering between the Internet and our network; X marks blocked traffic]
Vulnerability signature
  • Works for polymorphic worms
  • Works for all the worms which target the same vulnerability

8
Emerging Botnet Vulnerability and Exploit Analysis
  • Large operational honeynet dataset
  • Massive dataset on the botnet scan with payload
  • Preliminary analysis shows that the number of new exploits outpaces the number of new vulnerabilities.

9
Vulnerability based Botnet Filtering/Containment
  • Vulnerability Signature IDS/IPS framework
    • Detect and filter incoming botnet
    • Contain inside bots and quarantine infected customer machines
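
Slides 6, 7 and 9 contrast an exploit-based signature (a byte pattern lifted from one captured sample) with a vulnerability signature (the protocol condition under which the flaw is triggered), and then place the latter at a router to filter incoming attacks and quarantine infected inside hosts. The Python below is an added illustration written for this transcript; it is not code from the presentation or from the LIST project. The wire format, the opcode OPCODE_BIND, the 64-byte buffer limit, the signature patterns and every sample message are constructed assumptions, not a real protocol and not real exploit bytes.

```python
"""Exploit-based vs vulnerability-based signatures on a hypothetical protocol.

Constructed example (not the presentation's code): a toy length-prefixed request
format and a hypothetical server bug that copies `length` payload bytes into a
64-byte buffer. Every opcode, limit, pattern and message below is made up.
"""
import struct

# Hypothetical wire format (constructed for this example):
#   opcode  : 2 bytes, big-endian
#   length  : 2 bytes, big-endian, number of payload bytes that follow
#   payload : `length` bytes
HEADER = struct.Struct(">HH")
OPCODE_BIND = 0x0001        # hypothetical opcode handled by the vulnerable code path
SAFE_PAYLOAD_MAX = 64       # hypothetical: the server's fixed-size payload buffer


def build_request(opcode, payload):
    """Serialise one request (used only to construct the sample traffic below)."""
    return HEADER.pack(opcode, len(payload)) + payload


def parse_request(data):
    """Parse header and payload; return (opcode, declared_len, payload) or None if too short."""
    if len(data) < HEADER.size:
        return None
    opcode, declared = HEADER.unpack_from(data)
    return opcode, declared, data[HEADER.size:]


# --- Exploit-based signature: a byte pattern taken from ONE captured sample ---
# (constructed: the filler the first observed variant happened to use)
EXPLOIT_PATTERN = b"\x90" * 8 + b"BOTv1"


def exploit_signature_match(data):
    """Exploit-based detection: does the captured byte pattern occur anywhere in the message?"""
    return EXPLOIT_PATTERN in data


# --- Vulnerability signature: the condition under which the bug is triggered ---
def vulnerability_signature_match(data):
    """Vulnerability-based detection: a BIND request whose declared length exceeds the buffer.

    Matches every exploit of this (hypothetical) bug regardless of filler bytes,
    and nothing else, because it tests the protocol field the bug depends on.
    """
    parsed = parse_request(data)
    if parsed is None:
        return False
    opcode, declared, _payload = parsed
    return opcode == OPCODE_BIND and declared > SAFE_PAYLOAD_MAX


# --- Deployment at the router / base station (slide 9): direction-aware action ---
def decide(direction, data):
    """Return 'allow', 'filter' (inbound attack dropped) or 'quarantine' (inside host is the sender)."""
    if not vulnerability_signature_match(data):
        return "allow"
    return "filter" if direction == "inbound" else "quarantine"


# Constructed sample traffic (no real exploit bytes):
SAMPLES = {
    # benign: short name, well within the 64-byte buffer
    "benign": build_request(OPCODE_BIND, b"printer-01"),
    # exploit variant 1: the sample the exploit signature was written from
    "variant1": build_request(OPCODE_BIND, b"\x90" * 8 + b"BOTv1" + b"A" * 80),
    # polymorphic variant 2: same overflow, different filler bytes
    "variant2": build_request(OPCODE_BIND, b"\x41\x42" * 4 + b"xyz" + b"B" * 90),
    # a long payload on a different opcode that never reaches the vulnerable copy
    "other_op": build_request(0x0002, b"C" * 100),
}


def run_comparison(samples=SAMPLES):
    """Evaluate both signature kinds over every sample; returns {name: (exploit_hit, vuln_hit)}."""
    return {name: (exploit_signature_match(d), vulnerability_signature_match(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (e, v) in run_comparison().items():
        print(f"{name:9s} exploit-sig={e!s:5s} vuln-sig={v!s:5s}")
    print("inbound variant1  ->", decide("inbound", SAMPLES["variant1"]))
    print("inside host sends variant2 ->", decide("outbound", SAMPLES["variant2"]))
```

The exploit-based pattern matches only the variant it was written from, while the vulnerability check (declared length over the buffer size on the vulnerable opcode) matches both variants and ignores the long payload sent to a different opcode, which is the polymorphism argument of slides 6 and 7 in miniature. decide() shows the slide 9 deployment policy: the same signature yields a filter action for inbound traffic and a quarantine action when an inside host is the sender.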

10
Residential Access Cable Modems
[Figure: cable modem access network diagram, from http://www.cabledatacomnews.com/cmic/diagram.html (Introduction, 1-10)]
11
Snort Rule Data Mining
  • Exploit Signature to Vulnerability Signature reduction ratio

PSS means Protocol Semantic Signature. NetBIOS rules include the rules from the WINRPC, SMB and NetBIOS protocols.
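
Slide 11 reports the ratio of exploit signatures (individual Snort rules) to the vulnerability signatures that replace them, with the WINRPC, SMB and NetBIOS rules pooled into one NetBIOS group. The Python below is an added example of how such a ratio can be computed from a Snort rule file; it is not the presentation's mining procedure. The rule lines are constructed, with placeholder sids and placeholder CVE ids of the form 0000-000N, and the method assumes that one vulnerability signature replaces all rules sharing a CVE reference (rules without a CVE reference are counted as a vulnerability of their own). The real PSS construction is not described on the slide.

```python
"""Exploit-signature to vulnerability-signature reduction ratio from Snort rules.

Added example, not the presentation's code. Rules, sids and CVE ids below are
constructed placeholders. Assumption: rules that reference the same CVE can be
replaced by one vulnerability signature for that CVE.
"""
import re
from collections import defaultdict

# Constructed Snort-style rules (placeholder sids 9000xx and placeholder CVE ids).
SNORT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB request pattern A"; content:"|FF|SMB"; reference:cve,0000-0001; sid:900001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB request pattern B"; content:"|FF|SMB"; reference:cve,0000-0001; sid:900002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS session pattern C"; reference:cve,0000-0001; sid:900003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"WINRPC bind variant 1"; reference:cve,0000-0002; sid:900004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"WINRPC bind variant 2"; reference:cve,0000-0002; sid:900005; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS request variant 1"; reference:cve,0000-0003; sid:900006; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS request variant 2"; sid:900007; rev:1;)
# comment line, ignored by the parser
"""

# Snort convention: the msg string starts with the rule category. The slide pools
# WINRPC, SMB and NetBIOS rules into one NetBIOS group, so map those names together.
GROUP_ALIASES = {"SMB": "NETBIOS", "WINRPC": "NETBIOS", "NETBIOS": "NETBIOS"}

MSG_RE = re.compile(r'msg:"([^"]*)"')
CVE_RE = re.compile(r'reference:cve,([0-9]{4}-[0-9]+)')
SID_RE = re.compile(r'sid:([0-9]+)')


def parse_rules(text):
    """Extract sid, msg, protocol group and vulnerability key from each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        msg, sid = MSG_RE.search(line), SID_RE.search(line)
        if not (msg and sid):
            continue  # not a complete rule; skip rather than guess
        cve = CVE_RE.search(line)
        category = msg.group(1).split()[0]
        rules.append({
            "sid": int(sid.group(1)),
            "msg": msg.group(1),
            "group": GROUP_ALIASES.get(category, category),
            # one vulnerability signature per CVE; a rule with no CVE stands alone
            "vuln": f"CVE-{cve.group(1)}" if cve else f"sid-{sid.group(1)}",
        })
    return rules


def reduction_by_group(rules):
    """Per protocol group: (exploit rules, distinct vulnerabilities, reduction ratio)."""
    per_group = defaultdict(lambda: {"exploit_rules": 0, "vulns": set()})
    for r in rules:
        g = per_group[r["group"]]
        g["exploit_rules"] += 1
        g["vulns"].add(r["vuln"])
    return {name: (g["exploit_rules"], len(g["vulns"]), g["exploit_rules"] / len(g["vulns"]))
            for name, g in per_group.items()}


def overall_ratio(rules):
    """Whole rule set: (exploit rules, distinct vulnerabilities, reduction ratio)."""
    n_vuln = len({r["vuln"] for r in rules})
    return len(rules), n_vuln, len(rules) / n_vuln


if __name__ == "__main__":
    parsed = parse_rules(SNORT_RULES)
    for group, (n_rules, n_vuln, ratio) in sorted(reduction_by_group(parsed).items()):
        print(f"{group:8s} exploit rules={n_rules} vuln sigs={n_vuln} ratio={ratio:.2f}")
    print("overall", overall_ratio(parsed))
```

On the constructed rule set the NetBIOS group collapses five exploit rules onto two vulnerability signatures (ratio 2.5), while the WEB-IIS group gains nothing (ratio 1.0) because one of its rules carries no vulnerability reference to merge on; a real rule file would be mined the same way, with the merge key chosen to reflect how the PSS for each vulnerability is actually written.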
12
Preliminary Results
  • Experiment Setting
    • PC XEON 3.8GHz with 4GB memory
    • Real traffic after TCP reassembly preloaded to memory
  • Experiment Results