nullcon 2011 - Botnet Detection approach by DNS behavior and clustering analysis
Botnet Detection approach by DNS behavior and clustering analysis by Nilesh Sharma & Pulkit Mehndiratta


  1. Botnet Detection System using DNS behaviour and clustering analysis
     Presented by Nilesh Sharma and Pulkit Mehndiratta
     Indraprastha Institute of Information Technology, Delhi (IIIT-Delhi)

  2. Who we are?
     (pursuing) from IIIT-Delhi
     Research interests: botnets, cyber forensics, privacy-enhancing technologies, cryptographic techniques
     Part of the IIITD-ACM student chapter

  3. What is a bot/botnet?
     Bot: a malware instance that runs autonomously and automatically on a compromised computer (a zombie) without the owner's consent.
     Botnet (bot army): a network of bots controlled by criminals, i.e. "a coordinated group of malware instances that are controlled by a botmaster via some C&C channel".
     "25% of Internet PCs are part of a botnet!" (Vint Cerf)
  4. Botnets are used for...
     - DDoS attacks
     - Spam
     - Click fraud
     - Information theft
     - Phishing attacks
     - Distributing other malware, e.g. spyware
  10. How big is this problem?
     CipherTrust reports as many as 172,000 new bots recruited every day, which is about 5 million new bots every month.
     Symantec recently reported that the number of bots observed in a day is 30,000 on average.
     The total number of bot-infected systems has been measured at between 800,000 and 900,000.
     A single botnet of more than 140,000 hosts was found in the wild, and botnet-driven attacks have been responsible for single DDoS attacks of more than 10 Gbps.

  11. Conficker according to McAfee
     When executed, the worm copies itself under a random name to the %Sysdir% folder.
     Obtains the public IP address of the affected computer.
     Attempts to download a malware file from a remote website.
     Starts an HTTP server on a random port on the infected machine to host a copy of the worm.
     Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit against them.

  12. Difference between a virus, a worm and a botnet
     (embedded video: botnet explained.flv)

  13. Existing techniques
     Traditional anti-virus tools: bots use packers, rootkits and frequent updating to defeat them easily.
     Honeypots: useful for collecting bot samples, but not a good tool for detecting the infected hosts already on a network.

  14. Challenges for botnet detection
     Selection of a network monitoring tool
     Choice of clustering algorithm
     Heuristics for the clustering algorithm
     Fast flux
     False positives
     Graphical user interface
     A dynamic approach is needed, since static and signature-based approaches may not be effective.
  15. Related work
     Botnet Detection by Monitoring Group Activities in DNS Traffic: Hyunsang Choi, Hanwoo Lee, Heejo Lee and Hyogon Kim, Korea University.
     BotHunter [Gu et al., USENIX Security '07]: dialog correlation to detect bots based on an infection dialog model.
     BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection (Guofei Gu et al., Georgia Institute of Technology, USENIX Security '08).

  16. Motivation
     Botnets can change their C&C content (encryption, etc.), protocols (IRC, HTTP, etc.), structures (P2P, etc.) and C&C servers, so a detector should not depend on any of these.

  17. Again, botnet...
     "A coordinated group of malware instances that are controlled by a botmaster via some C&C channel"

  18. The framework
     (framework diagram)

  19. Methodology
     Capture DNS traffic with Wireshark and convert it to .csv format with the LogParser tool, driven through a GUI.
     Insert the infected data (records that look like a botnet, i.e. that show fast-flux characteristics).
     Retrieve each DNS name and its respective IP addresses from the packet information in the .csv file.
     Run K-means clustering on the data, keyed by DNS name, and check whether the fast-flux botnet names are detected or not.
  20. Demonstration of methodology

  21. Results (k = 50 clusters)

  22. Results (k = 100 clusters)

  23. Results (k = 150 clusters)

  24. Results (k = 200 clusters)

  25. False negative analysis

  26. Detection rate analysis

  27. Results
  28. Real world fast-flux examples
     DNS basics: A record
     A records (also known as host records) are the central records of DNS. They link a domain, or subdomain, to an IP address.
     A records and IP addresses do not necessarily match one-to-one. Many A records may point to a single IP address, so one machine can serve many web sites. Alternatively, a single name may carry many A records, i.e. many IP addresses; this provides fault tolerance and load distribution, and lets a site move its physical location. Fast-flux abuses exactly this second property.

  29. Real world fast-flux examples
     DNS basics: NS records
     Name server records determine which servers answer DNS queries for a domain. Registries generally require at least two NS records per domain, usually a primary and a secondary name server. NS records are set with your domain registrar, and changes are commonly quoted as taking 24-72 hours to take effect while cached records expire.
     If your domain registrar is separate from your domain host, the host will provide two name servers for you to set as the NS records with your registrar.
  30. Real world fast-flux examples
     Credit money botnet (Zeus botnet)
     Below are the single-flux DNS records typical of such an infrastructure. The tables show DNS snapshots of the domain name taken approximately every 30 minutes, with the five A records returned round-robin showing clear infiltration into home/business dial-up and broadband networks. Notice that the NS records do not change, but some of the A records do. This is the money mule bot example.
     1800 IN A []
     1800 IN A [SBIS-AS - AT&T Internet Services]
     1800 IN A []
     1800 IN A []
     1800 IN A []
     1800 IN NS
     1800 IN NS
     87169 IN A [HVC-AS - HIVELOCITY VENTURES CORP]
     87177 IN A []

  31. Real world fast-flux examples
     Fast-flux nets appear to apply some logic in deciding which of their available IP addresses to advertise in the next set of responses. This may be based on ongoing connection-quality monitoring (and perhaps a load-balancing algorithm). New flux-agent IP addresses are inserted into the fast-flux service network to replace nodes that perform poorly, are being mitigated, or are otherwise offline.
     1800 IN A []
     1800 IN A []
     1800 IN A []
     1800 IN A []
     1800 IN A []
     1800 IN NS
     1800 IN NS
     85248 IN A [HVC-AS - HIVELOCITY VENTURES CORP]
     82991 IN A []

  32. Real world fast-flux examples
     As we see, two of the advertised IP addresses have changed (highlighted in the slide). Again, these two IP addresses belong to dial-up or broadband networks. Another 30 minutes later, a lookup of the domain returns the following:
     1238 IN A []
     1238 IN A [SBIS-AS - AT&T Internet Services]  (this one came back!)
     1238 IN A []
     1238 IN A []
     1238 IN A [CNT Autonomous System]  (NEW)
     1238 IN NS
     1238 IN NS
     83446 IN A [HVC-AS - HIVELOCITY VENTURES CORP]
     81189 IN A []
     Now we observe four new IP addresses and one IP address that we saw in the first query. This demonstrates the round-robin address response mechanism used in fast-flux networks. As this example shows, the A records for the domain are constantly changing. Each of these systems is a compromised host acting as a redirector, which eventually points to the money mule botnet. (The TTL of 1238 rather than 1800 shows this answer was served from a resolver cache part-way through its lifetime; to observe flux reliably, query the authoritative servers directly.)

  33. Some more fast-flux examples
     177 IN A []
     177 IN A []
     177 IN A []
     177 IN A []
     177 IN A []
     108877 IN NS
     108877 IN NS
     108877 IN NS
     108877 IN NS
     108877 IN NS
     IN A []
     IN A []
     854 IN A []
     854 IN A []
     854 IN A []

  34. Results...
     161 IN A []
     161 IN A []
     161 IN A []
     161 IN A []
     161 IN A []  (NEW)
     108642 IN NS
     108642 IN NS
     108642 IN NS
     108642 IN NS
     108642 IN NS
     608 IN A []
     608 IN A []
     608 IN A []
     608 IN A []
     608 IN A []
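The Methodology slide and the Real world fast-flux examples slides can be tied together in code. The following is an added example, not the authors' tool: it reads DNS responses in a .csv layout assumed for a Wireshark-to-LogParser export (the column names are an assumption), builds per-name features that capture what the snapshots above show (distinct A-record IPs, mean A TTL, and how much of the advertised A set is replaced between consecutive snapshots, measured as Jaccard distance, plus whether the NS set changed), min-max scales them, and runs a plain k-means with deterministic farthest-point seeding. The sample snapshots, the flux/static/CDN names, and the churn and TTL thresholds are all constructed for illustration and are not values from the talk.

```python
import csv
import io
import math
from collections import defaultdict

# Constructed sample (not captured traffic): DNS snapshots ~30 min apart in
# the column layout assumed for a Wireshark -> LogParser .csv export.
# flux.example mimics the slides: A records rotate with a short TTL, NS is fixed.
SAMPLE_CSV = """\
time,qname,rtype,ttl,rdata
0,flux.example,A,1800,203.0.113.10
0,flux.example,A,1800,198.51.100.7
0,flux.example,A,1800,192.0.2.33
0,flux.example,NS,87169,ns1.example
1800,flux.example,A,1800,203.0.113.10
1800,flux.example,A,1800,198.51.100.99
1800,flux.example,A,1800,192.0.2.201
1800,flux.example,NS,87177,ns1.example
3600,flux.example,A,1238,203.0.113.77
3600,flux.example,A,1238,198.51.100.7
3600,flux.example,A,1238,192.0.2.150
3600,flux.example,NS,85248,ns1.example
0,static.example,A,86400,192.0.2.1
3600,static.example,A,86400,192.0.2.1
0,cdn.example,A,300,198.51.100.1
0,cdn.example,A,300,198.51.100.2
1800,cdn.example,A,300,198.51.100.1
1800,cdn.example,A,300,198.51.100.2
"""

def load_records(text):
    """qname -> snapshot time -> rtype -> [(ttl, rdata), ...]."""
    recs = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for row in csv.DictReader(io.StringIO(text)):
        recs[row["qname"]][int(row["time"])][row["rtype"]].append(
            (int(row["ttl"]), row["rdata"]))
    return recs

def features(snapshots):
    """Per-name vector: [distinct A IPs, log10 mean A TTL,
    mean Jaccard distance between consecutive A sets, NS set changed?]."""
    ips, ttls, churn, ns_sets, prev = set(), [], [], set(), None
    for t in sorted(snapshots):
        cur = {rd for _, rd in snapshots[t].get("A", [])}
        ips |= cur
        ttls += [ttl for ttl, _ in snapshots[t].get("A", [])]
        ns_sets.add(frozenset(rd for _, rd in snapshots[t].get("NS", [])))
        if prev:  # fraction of the advertised set replaced since last snapshot
            churn.append(1 - len(cur & prev) / len(cur | prev))
        prev = cur
    mean_ttl = sum(ttls) / len(ttls) if ttls else 0.0
    mean_churn = sum(churn) / len(churn) if churn else 0.0
    return [len(ips), math.log10(mean_ttl + 1), mean_churn, float(len(ns_sets) > 1)]

def scale(vectors):
    """Min-max scale each column to [0, 1] so the IP count does not dominate."""
    cols = list(zip(*vectors))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(vec, lo, hi)]
            for vec in vectors]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k, iters=100):
    """Lloyd's k-means with deterministic farthest-point seeding; returns labels."""
    mean = [sum(c) / len(points) for c in zip(*points)]
    centroids = [max(points, key=lambda p: dist(p, mean))]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    labels = None
    for _ in range(iters):
        new = [min(range(k), key=lambda i: dist(p, centroids[i])) for p in points]
        if new == labels:
            break
        labels = new
        for i in range(k):
            members = [p for p, l in zip(points, labels) if l == i]
            if members:
                centroids[i] = [sum(c) / len(members) for c in zip(*members)]
    return labels

def fast_flux_candidates(csv_text, k=2, churn_min=0.5, ttl_max=3600):
    """Names in any cluster whose members, on average, replace >= churn_min of
    their A set per snapshot with mean TTL < ttl_max (thresholds are assumptions)."""
    recs = load_records(csv_text)
    names = sorted(recs)
    raw = [features(recs[n]) for n in names]
    labels = kmeans(scale(raw), k)
    flagged = set()
    for i in range(k):
        members = [j for j, l in enumerate(labels) if l == i]
        if not members:
            continue
        churn = sum(raw[j][2] for j in members) / len(members)
        ttl = 10 ** (sum(raw[j][1] for j in members) / len(members)) - 1
        if churn >= churn_min and ttl < ttl_max:
            flagged.update(names[j] for j in members)
    return flagged
```

Calling `fast_flux_candidates(SAMPLE_CSV)` flags only flux.example: the CDN-style name also has several A records and a short TTL, but the same addresses come back every snapshot, so its churn is zero, while the fluxed name replaces most of its A set each time and lands in its own cluster. On real captures k is chosen as on the results slides (50 to 200) and the thresholds should be tuned against known-good round-robin names, since churn alone will also pick up legitimate geo-balanced services.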
  35. Conclusion
     On the basis of DNS instances, k-means clustering can detect the fast-flux characteristics of botnets.
     A new botnet detection system based on horizontal correlation
     Independent of botnet C&C protocol and structure
     Real-world evaluation shows promising results
     False positives are very low when many IP address instances correspond to the same DNS name, which is precisely the condition observed in real-world fast-flux botnets.

  36. Acknowledgements
     Nullcon team
     All the listeners
     Our professors: Dr. Ponnurangam Kumaraguru and Dr. Shishir Nagaraja

  37. Thank you