A System for Live Investigation of Next Generation Botnets
Transcript

  • 1. A System for Live Investigation of Next Generation Botnets. Authors: Alden W. Jackson, David Lapsley, Christine Jones… (CATCH 2009). Reporter: Jing Chiu, Email: D9815023@mail.ntust.edu.tw. Data Mining & Machine Learning Lab, 04/26/10
  • 2. Outline
    • Introduction
    • Botnet Formation
    • C&C Feature Space
    • System Architecture
    • SLINGbot Bot Variants
    • Summary
  • 3. Introduction
    • How to characterize a botnet?
      • Testbeds: run real botnet software
      • Databases: maintain traffic traces from operational data
      • Reverse Engineering of captured botnet binaries
    • Problems:
      • Limited to characterizing existing botnets
      • Limited control over the experiments conducted
    • SLINGbot:
      • Enables the characterization of both present and future botnet threats
      • Enables full control over experimental scenarios
  • 4. Botnet Formation
    • Reconnaissance
      • Scan target
    • Exploits
      • Give the attacker access to the vulnerable computer
    • Reinforcement
      • Privilege escalation
    • Consolidation
      • Connect to the C&C server and wait for commands
    • Mission Execution
      • Receive and execute commands
  • 5. C&C Feature Space
    • Topology
      • Number of bots under control
      • Speed and simplicity of sending new instructions
      • Botnet’s resilience to disruption
      • Example: centralized, hierarchical and peer-to-peer
    • Rallying Mechanism
      • Related to the botnet propagation mechanism
      • Example: seeding, database, DNS, IP
  • 6. C&C Feature Space (cont.)
    • Communication Protocol
      • Two important features:
        • Ease of programming
        • Difficulty of detection
      • Examples: IRC, AIM, HTTP and P2P
    • Control Mechanism
      • Examples: callback, polling and ongoing
    • Command Authentication Mechanism
      • To prevent outside parties from disabling or taking over botnets
      • Examples: certificates, password and none
  • 7. C&C Feature Space (cont.)
  • 8. System Architecture
    • Botnet Scenario Driver
    • Composable Bot Framework
  • 9. Botnet Scenario Driver
    • Diagram
    • Scenario Manager
      • To direct activities of the entire botnet
    • Scenario Servers
      • To deploy a bot or a controller
    • XML scenario file
      • Used for configuring experiment scenarios
  • 10. Composable Bot Framework
    • Diagram
    • Management Plane
      • Maintains connectivity to the botnet C&C infrastructure
      • Topology Manager
        • Manages peer information
      • Session Manager
        • Rally Mechanism
        • Control Mechanism
  • 11. Composable Bot Framework (cont.)
    • Data Plane
      • Enables exchange of commands and responses
      • Communication Protocol
        • Provides protocol encapsulation/decapsulation capabilities
    • Communication Abstraction Layer
      • Hides the details of C&C communication from the core Bot Application
    • Bot Application Layer
      • The core “intelligence” of a bot
      • Contains a set of instruction handlers
      • May easily be updated and expanded
  • 12. SLINGbot Bot Variants
    • C&C Topology
      • Centralized
      • Distributed (or Peer-to-Peer)
      • Hierarchical (or Hybrid)
    • Bot Variants
      • IRC Bot
      • TinyP2P Bot
      • Kademlia Bot
      • Hierarchical Kademlia Bot
  • 13. Summary
    • SLINGbot
      • Facilitates the construction of benign botnets
        • With varying command and control structures
        • Generates simulated ground truth in a controlled, safe and repeatable manner
        • Extensible through shared libraries of botnet modules
      • Currently being adapted for deployment on the DETER Testbed
  • 14. Questions?
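Slide 5 lists C&C topology as the feature that decides a botnet's resilience to disruption, and slide 12 names the three topologies SLINGbot can emulate (centralized, hierarchical, distributed/peer-to-peer). The script below is an added example, not code from the paper or from the SLINGbot framework: it models each topology as a small undirected graph, simulates a takedown that removes the most-connected nodes (the infrastructure a defender would sinkhole or seize first), and measures what fraction of the surviving nodes still form one connected component, i.e. could still be reached by a command injected anywhere in that component. The node counts, the ring-lattice stand-in for a P2P overlay, and the takedown size of five nodes are constructed assumptions.

```python
"""Resilience-to-disruption comparison of C&C topologies.

Added example, not from the SLINGbot paper or slides. Each topology is an
undirected graph stored as {node: set(neighbours)}. A "takedown" removes the
n most-connected nodes; resilience is the fraction of surviving nodes that
remain in the largest connected component, i.e. can still be reached by a
command published anywhere inside that component.
"""
from collections import deque


def centralized(n_bots):
    """Star: one controller (node 0) linked directly to every bot."""
    adj = {0: set()}
    for b in range(1, n_bots + 1):
        adj[0].add(b)
        adj[b] = {0}
    return adj


def hierarchical(n_proxies, bots_per_proxy):
    """Tree: controller (node 0) -> proxy layer -> bots."""
    adj = {0: set()}
    next_id = 1
    for _ in range(n_proxies):
        proxy = next_id
        next_id += 1
        adj[0].add(proxy)
        adj[proxy] = {0}
        for _ in range(bots_per_proxy):
            bot = next_id
            next_id += 1
            adj[proxy].add(bot)
            adj[bot] = {proxy}
    return adj


def peer_to_peer(n_peers, k):
    """Ring lattice: each peer links to its k nearest neighbours on each side.
    Constructed stand-in for a P2P overlay such as Kademlia; every peer has
    the same degree, so there is no single high-value node to remove."""
    adj = {i: set() for i in range(n_peers)}
    for i in range(n_peers):
        for d in range(1, k + 1):
            j = (i + d) % n_peers
            adj[i].add(j)
            adj[j].add(i)
    return adj


def takedown(adj, n_removed):
    """Return a copy of adj without the n_removed highest-degree nodes
    (ties broken by lowest node id, so the result is deterministic)."""
    order = sorted(adj, key=lambda v: (-len(adj[v]), v))
    gone = set(order[:n_removed])
    return {v: {u for u in nbrs if u not in gone}
            for v, nbrs in adj.items() if v not in gone}


def largest_component_fraction(adj):
    """Size of the largest connected component divided by the node count."""
    if not adj:
        return 0.0
    seen = set()
    best = 0
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        queue = deque([start])
        size = 0
        while queue:  # breadth-first search over one component
            v = queue.popleft()
            size += 1
            for u in adj[v]:
                if u not in seen:
                    seen.add(u)
                    queue.append(u)
        best = max(best, size)
    return best / len(adj)


def resilience(adj, n_removed):
    """Fraction of survivors still mutually reachable after the takedown."""
    return largest_component_fraction(takedown(adj, n_removed))


def compare(n_removed=5):
    """Resilience of three ~100-bot topologies against the same takedown."""
    topologies = {
        "centralized": centralized(100),
        "hierarchical": hierarchical(10, 10),
        "peer-to-peer": peer_to_peer(100, 2),
    }
    return {name: resilience(adj, n_removed) for name, adj in topologies.items()}


if __name__ == "__main__":
    for name, frac in compare().items():
        print(f"{name:13s} survivors still connected after removing 5 nodes: {frac:.1%}")
```

Removing five nodes leaves the centralized botnet fully fragmented (only isolated bots remain), cuts the hierarchical one roughly in half, and leaves the ring-lattice P2P overlay intact. Note that a degree-driven takedown of the hierarchical topology hits the proxy layer before the controller, because each proxy has one more link than the controller in this construction; the metric you choose (degree, betweenness, known controller role) changes what "take down the most important nodes" means, which is exactly the kind of question a controlled testbed lets you answer repeatably.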