Botconf 2013 - DNS-based Botnet C2 Server Detection

1,309 views

Published on

Presentation at Botconf 2013 by Etienne Stalmans

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,309
On SlideShare
0
From Embeds
0
Number of Embeds
11
Actions
Shares
0
Downloads
21
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Botconf 2013 - DNS-based Botnet C2 Server Detection

  1. 1. DNS Based Botnet C2 Server Detection Spatial Statistics as a detection metric
  2. 2. whois @kamp_staaldraad etienne@sensepost.com
  3. 3. https://www.team-cymru.org/images/conficker-2009-01-29-dark-full.jpg Geographic Analysis
  4. 4. Research Goals ● Accurately detect botnet traffic ○ ○ ○ ○ Assume no prior knowledge Lightweight Fast Adaptable ● Early detection
  5. 5. Web Browsing DNS P2P Mail Practically Everything Bots Examining DNS
  6. 6. DNS Fast-Flux ● Short TTL ● Multiple A Records ● Different IP Ranges
  7. 7. DNS Fast-Flux ● ● ● ● Multiple ASNs Multiple Countries Multiple Timezones Multiple Unique Location Identifiers
  8. 8. Widely Dispersed Networks
  9. 9. Spatial Statistics Spatial Measures http://earth-info.nga.mil/GandG/coordsys/images/MGRS_1km_Polygon_Shapefiles_Coverage.jpg
  10. 10. Spatial Measures
  11. 11. Nearest Neighbours Fast-Flux Domains Benign Domains
  12. 12. Spatial Statistics Spatial Statistics https://upload.wikimedia.org/wikipedia/commons/c/c7/Snow-cholera-map.jpg
  13. 13. First Law of Geography "All things are related, but near things are more related than far things." - W. Tobler
  14. 14. Autocorrelation
  15. 15. Moran's Index
  16. 16. Geary's Coefficient
  17. 17. Building the Classifiers
  18. 18. Classifier Training Benign Dataset Fast-Flux Dataset
  19. 19. Classifier Training Moran's I: Timezones
  20. 20. Moran's I: UTM
  21. 21. Geary's C: UTM
  22. 22. Geary's C: MGRS
  23. 23. Classifier Results
  24. 24. Moran Classifier Results 97% Timezones UTM 95% 95% MGRS Accuracy
  25. 25. Geary Classifier Results 95% Timezones UTM 96% 95% MGRS Accuracy
  26. 26. Evaluating Performance ● Determine resource usage ● Impact on normal network performance ● Scalability
  27. 27. Classifier Performance Impact http://beyond.customline.com/wp-content/uploads/2012/04/Cheetah-performance.jpg
  28. 28. Measured Performance
  29. 29. Measured Performance 20,000 domain lookups Processed in -4 13 seconds 6.501×10 seconds per domain
  30. 30. Benefits Fast Small Low maintenance Scalable
  31. 31. Future Work ● Combine classifiers into stand-alone solution ● Combine detection and blocking ● Increase accuracy of geo-location
  32. 32. Conclusion @kamp_staaldraad etienne@sensepost.com

×