2011 1028
If this infringes any copyright, please let me know; for academic use only!

Published in: Education, Technology
1. RB-Seeker: Auto-detection of Redirection Botnets <ul><li>Information Technology Project Report </li></ul><ul><li>Advisor: Prof. 蕭漢威 </li></ul><ul><li>Student: 張天河 </li></ul>Paper by Xin Hu, Matthew Knysz, and Kang G. Shin, University of Michigan, Ann Arbor
2. Outline <ul><li>Introduction </li></ul><ul><li>Related Work </li></ul><ul><li>System Architecture </li></ul><ul><li>1. Spam Source Subsystem (SSS) </li></ul><ul><li>2. Netflow Analysis Subsystem (NAS) </li></ul><ul><li>3. Active DNS Anomaly Detection Subsystem (a-DADs) </li></ul><ul><li>Implementation and Evaluation </li></ul><ul><li>Conclusion </li></ul>
3. Introduction: Redirection Botnets <ul><li>Conventional bots </li></ul><ul><li>- Modular in nature, extended through binary updates </li></ul><ul><li>- Customized services for many kinds of attacks and scams </li></ul><ul><li>Focus: Redirection Bots (RBs) </li></ul><ul><li>- Abundant supply of bots </li></ul><ul><li>- Misdirection that evades detection </li></ul>
4. Introduction: Redirection Botnets <ul><li>Spam carries an embedded link (in jpg, pdf, html, ...) that points at a redirection bot rather than at the scam site </li></ul><ul><li>High level of anonymity for the mothership </li></ul><ul><li>- Easy centralized management </li></ul><ul><li>- Protects the malicious hosts </li></ul><ul><li>- Multiple layers of redirection </li></ul><ul><li>- Ample supply of bots, each usable for multiple functions </li></ul><ul><li>- When one bot is blocked, another still serves the scam </li></ul>
5. Introduction: Redirection Botnets <ul><li>Hosting the scam content on bots directly strains their resources </li></ul><ul><li>- Bots must maintain connections </li></ul><ul><li>- Bots must keep the content available </li></ul><ul><li>Redirection is far less taxing on the bot </li></ul><ul><li>The RBnet can be rented out as a service </li></ul><ul><li>Individual bots are poorly utilized </li></ul><ul><li>- There are more than enough bots </li></ul><ul><li>- Bots are dispersed across multiple DNS domains </li></ul>
6. Introduction: Redirection Botnets <ul><li>RB-Seeker draws on comprehensive and abundant data sources </li></ul><ul><li>1. Spam Source Subsystem (SSS): traditional spam feeds </li></ul><ul><li>2. Netflow Analysis Subsystem (NAS): passive network traces </li></ul><ul><li>3. Active DNS Anomaly Detection Subsystem (a-DADs): behavior-based approach </li></ul>
7. System Architecture (diagram)
8. Related Work <ul><li>Prior work is single-dimensional or otherwise limited </li></ul><ul><li>Cooke et al. </li></ul><ul><li>- P2P botnets </li></ul><ul><li>- Detection relying solely on the C&C channel is not effective </li></ul><ul><li>Karasaridis et al. </li></ul><ul><li>- Network flows between bots and controllers </li></ul><ul><li>Binkley and Singh </li></ul><ul><li>- IRC-based botnets, via TCP anomaly detection and IRC message statistics </li></ul>
9. Spam Source Subsystem (SSS) <ul><li>Collects spam from multiple sources </li></ul><ul><li>Real-time collection </li></ul><ul><li>Content analysis extracts the embedded links </li></ul><ul><li>Timestamps each suspicious link </li></ul>
10. Spam Source Subsystem (SSS) <ul><li>Redirection methods followed </li></ul><ul><li>- HTTP status code (3xx with Location) </li></ul><ul><li>- HTTP meta-refresh header </li></ul><ul><li>- JavaScript, executed in a client-side honeypot </li></ul><ul><li>A hop threshold prevents redirection loops </li></ul><ul><li>Share of redirections observed: </li></ul><ul><li>1. Status code: 54.1% </li></ul><ul><li>2. Refresh tag: 5.9% </li></ul><ul><li>3. JavaScript: 40.0% </li></ul>
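How the SSS link-following step works, as an added example that is not code from RB-Seeker or from the slides: the three redirection methods above are recognized in turn, every intermediate host is recorded as a redirection host, and a hop limit plus a seen-set stop loops. The HTTP fetcher is injected so the walk runs offline against a constructed response table; hostnames are placeholders, and the JavaScript check is a regex heuristic standing in for the client-side honeypot the paper used (an assumption, since real pages need a browser).

```python
"""Follow a spam link through the three redirection methods SSS handles.

Added example, not RB-Seeker's code. The fetcher is injected so the chain can
be walked against a constructed table of responses offline; the JavaScript
check is a regex heuristic standing in for a client-side honeypot.
"""
import re
from urllib.parse import urljoin

# Constructed responses: url -> (status, headers, body). Hostnames are placeholders.
RESPONSES = {
    "http://spam.example/click": (302, {"Location": "http://bot1.example/r"}, ""),
    "http://bot1.example/r": (200, {}, '<html><head><meta http-equiv="refresh" '
                                      'content="0; url=http://bot2.example/go"></head></html>'),
    "http://bot2.example/go": (200, {}, "<html><script>window.location.href="
                                       "'http://mothership.example/pharma';</script></html>"),
    "http://mothership.example/pharma": (200, {}, "<html><body>Buy now</body></html>"),
    # a redirection loop, which the seen-set must stop
    "http://loop.example/a": (301, {"Location": "/b"}, ""),
    "http://loop.example/b": (301, {"Location": "http://loop.example/a"}, ""),
}


def fetch(url):
    """Offline stand-in for an HTTP client; unknown URLs look like a 404."""
    return RESPONSES.get(url, (404, {}, ""))


META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I)
JS_REDIRECT = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def next_hop(url, status, headers, body):
    """Return (method, next_url), or (None, None) when the page is a final landing page."""
    if 300 <= status < 400 and headers.get("Location"):
        return "status-code", urljoin(url, headers["Location"])
    m = META_REFRESH.search(body)
    if m:
        return "meta-refresh", urljoin(url, m.group(1))
    m = JS_REDIRECT.search(body)
    if m:
        return "javascript", urljoin(url, m.group(1))
    return None, None


def follow_chain(url, fetch=fetch, max_hops=10):
    """Walk redirections from a spam URL.

    Returns (chain, outcome): chain is a list of (url, method_that_led_here),
    outcome is "landed", "loop" or "max-hops". Every URL before the landing
    page is a redirection host worth recording with a timestamp, as SSS does.
    """
    chain = [(url, None)]
    seen = {url}
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        method, nxt = next_hop(url, status, headers, body)
        if method is None:
            return chain, "landed"
        chain.append((nxt, method))
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        url = nxt
    return chain, "max-hops"


def redirection_hosts(chain):
    """Hosts that served a redirection (every URL except the final landing page)."""
    return [re.sub(r"^https?://([^/]+).*$", r"\1", u) for u, _ in chain[:-1]]


if __name__ == "__main__":
    for start in ("http://spam.example/click", "http://loop.example/a"):
        chain, outcome = follow_chain(start)
        print(outcome, [m for _, m in chain[1:]], redirection_hosts(chain))
```

Relative `Location` values are resolved against the current URL, which matters for the loop case; a production collector would also cap the total bytes fetched per hop and run the JavaScript in a real browser rather than pattern-matching it.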
11. Netflow Analysis Subsystem (NAS) <ul><li>NetFlow </li></ul><ul><li>- Lightweight, widely used alternative to full packet capture </li></ul><ul><li>- Intuition: redirection leaves a signature in flow records even without packet content analysis </li></ul><ul><li>Packet content analysis is prohibitively costly at scale </li></ul><ul><li>To address this limitation, NAS uses three flow features: </li></ul><ul><li>1. Flow size </li></ul><ul><li>2. Flow duration </li></ul><ul><li>3. Inter-flow duration </li></ul>
12. Netflow Analysis Subsystem (NAS) <ul><li>Comparison of redirection and normal traffic, captured with tcpdump (figure) </li></ul>
13. Netflow Analysis Subsystem (NAS) <ul><li>Redirection behavior characterization </li></ul><ul><li>1. Short inter-flow duration </li></ul><ul><li>- Redirection produces multiple consecutive HTTP flows from the same client </li></ul><ul><li>- Normal browsing shows inter-flow gaps about two orders of magnitude longer </li></ul><ul><li>2. Small flow size </li></ul><ul><li>- The bot returns only the redirection command, not content </li></ul><ul><li>3. Short flow duration </li></ul><ul><li>- No profit in keeping the connection open longer </li></ul><ul><li>- The bot terminates the connection once the client is handed over </li></ul>
14. Netflow Analysis Subsystem (NAS) <ul><li>Sequential Hypothesis Testing (SHT) </li></ul><ul><li>- Sort flows chronologically </li></ul><ul><li>- Group them by source IP </li></ul><ul><li>- For each group compute </li></ul><ul><li>1. Inter-flow duration </li></ul><ul><li>2. Flow size </li></ul><ul><li>3. Flow duration </li></ul>
15. Netflow Analysis Subsystem (NAS) <ul><li>Flow-based redirection identification </li></ul><ul><li>- Combines the three features and applies SHT </li></ul><ul><li>- Measures taken to reduce false positives: </li></ul><ul><li>1. Multiple metrics rather than a single one </li></ul><ul><li>2. Concurrent connections vs. redirection: distinguished by flow size </li></ul><ul><li>3. Longer connections: the third hypothesis test is not performed </li></ul>
16. Netflow Analysis Subsystem (NAS): Flow-based redirection identification (figure)
17. Netflow Analysis Subsystem (NAS) <ul><li>Modeling the distribution of flow features </li></ul><ul><li>- How well candidate distributions fit the actual data </li></ul><ul><li>* Density function of each feature </li></ul><ul><li>* Candidates: Pareto, log-normal, and Weibull distributions </li></ul><ul><li>* Parameters from the Maximum Likelihood Estimate (MLE) </li></ul><ul><li>* Fit compared via the cumulative distribution function (CDF) </li></ul>
18. Netflow Analysis Subsystem (NAS) <ul><li>CDF of inter-flow duration (figure) </li></ul>
19. Netflow Analysis Subsystem (NAS) <ul><li>Log-normal distribution (figure) </li></ul>
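The NAS procedure on slides 13 to 19, carried through in code as an added example (not RB-Seeker's implementation): flows are sorted chronologically and grouped by source IP, the three features are computed for each successive flow, and Wald's sequential probability ratio test accumulates the log-likelihood ratio per source until it crosses a threshold. The features are modelled as log-normal, as the fit on slide 19 reports; the distribution parameters, the alpha/beta error bounds, the flow records and the choice to multiply the three per-feature likelihoods (treating them as independent) are all constructed assumptions. The third source shows the concurrent-connection case from slide 15: tiny gaps, but the large flow sizes pull the verdict back to normal.

```python
"""Flow-based redirection identification with a sequential hypothesis test (SHT).

Added example, not RB-Seeker's code. The three NAS features are modelled as
log-normal and Wald's sequential probability ratio test is run per source IP.
Distribution parameters, error bounds and flow records are constructed
assumptions; combining features as a product of likelihoods is also assumed.
"""
import math
from collections import defaultdict

# Constructed NetFlow-like records: (src_ip, dst_ip, start_s, end_s, bytes)
FLOWS = [
    # 10.0.0.5 clicks a spam link: short, tiny HTTP flows to successive bots, then content
    ("10.0.0.5", "198.51.100.10", 100.00, 100.15, 320),
    ("10.0.0.5", "198.51.100.11", 100.30, 100.42, 290),
    ("10.0.0.5", "198.51.100.12", 100.55, 100.70, 310),
    ("10.0.0.5", "203.0.113.7", 100.85, 103.90, 41000),
    # 10.0.0.9 browses normally: long gaps between large, longer flows
    ("10.0.0.9", "93.184.216.34", 200.0, 206.0, 18000),
    ("10.0.0.9", "93.184.216.34", 245.0, 252.5, 24000),
    ("10.0.0.9", "93.184.216.35", 310.0, 318.0, 21000),
    # 10.0.0.12 loads one page with concurrent asset fetches: tiny gaps but big flows
    ("10.0.0.12", "93.184.216.40", 300.00, 305.0, 22000),
    ("10.0.0.12", "93.184.216.41", 300.02, 304.0, 19500),
    ("10.0.0.12", "93.184.216.42", 300.05, 306.0, 26000),
]

# Assumed log-normal parameters (mu, sigma) of ln(feature) under H1 (redirection) and H0 (normal)
PARAMS = {
    "gap":      {"redir": (math.log(0.3), 0.8), "normal": (math.log(30.0), 1.2)},
    "size":     {"redir": (math.log(400), 0.5), "normal": (math.log(20000), 1.5)},
    "duration": {"redir": (math.log(0.2), 0.7), "normal": (math.log(10.0), 1.2)},
}
ALPHA, BETA = 0.01, 0.01                 # tolerated false-positive / false-negative rates
UPPER = math.log((1 - BETA) / ALPHA)     # cross it: accept H1, redirection
LOWER = math.log(BETA / (1 - ALPHA))     # cross it: accept H0, normal
MIN_GAP = 0.01                           # seconds; overlapping (concurrent) flows clamp here


def log_lr(x, feature):
    """ln(f_redir(x) / f_normal(x)) for a log-normal feature; the 1/x factor cancels out."""
    mu1, s1 = PARAMS[feature]["redir"]
    mu0, s0 = PARAMS[feature]["normal"]
    lx = math.log(x)
    return math.log(s0 / s1) - (lx - mu1) ** 2 / (2 * s1 ** 2) + (lx - mu0) ** 2 / (2 * s0 ** 2)


def features_by_source(flows):
    """Sort flows chronologically, group by source IP, and emit (gap, size, duration)
    for every flow that has an earlier flow from the same source to measure the gap from."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f[2]):
        by_src[f[0]].append(f)
    observations = {}
    for src, fs in by_src.items():
        obs = []
        for prev, cur in zip(fs, fs[1:]):
            gap = max(cur[2] - prev[3], MIN_GAP)       # inter-flow duration
            size = max(cur[4], 1)                      # flow size in bytes
            duration = max(cur[3] - cur[2], MIN_GAP)   # flow duration
            obs.append((gap, size, duration))
        observations[src] = obs
    return observations


def sprt(observations):
    """Wald SPRT over successive flows; returns (verdict, flows_used, final_log_ratio)."""
    llr = 0.0
    for n, (gap, size, duration) in enumerate(observations, 1):
        llr += log_lr(gap, "gap") + log_lr(size, "size") + log_lr(duration, "duration")
        if llr >= UPPER:
            return "redirection", n, llr
        if llr <= LOWER:
            return "normal", n, llr
    return "undecided", len(observations), llr


def classify(flows):
    """Per-source verdict: which clients were bounced through redirection bots."""
    return {src: sprt(obs)[0] for src, obs in features_by_source(flows).items()}


if __name__ == "__main__":
    for src, verdict in classify(FLOWS).items():
        print(src, verdict)
```

In a deployment the parameters would come from the MLE fit on labelled traces rather than being typed in, and the destination IPs of flows judged redirection are what feed the DNS-log correlation step that follows.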
20. Netflow Analysis Subsystem (NAS) <ul><li>DNS log correlation </li></ul><ul><li>- Validates the DNS behavior of the flow-identified RBs </li></ul><ul><li>- An IP seen in a flow carries no DNS name </li></ul><ul><li>* Reverse lookup is not useful: the reverse/forward name is the one assigned by the bot's ISP, not the RBnet domain </li></ul><ul><li>- Instead, correlate RB IPs with the domains in the DNS log </li></ul><ul><li>* Filtered out: whitelisted (CDN) or already-known domains </li></ul><ul><li>* The remainder goes to the RD Domain Database (used by a-DADs) </li></ul>
21. Netflow Analysis Subsystem (NAS) (figure)
22. System Architecture (diagram)
23. Active DNS Anomaly Detection Subsystem (a-DADs) <ul><li>Makes the final determination, with a probability, for each suspicious domain </li></ul><ul><li>- Input: domains flagged by spam (SSS) and flow (NAS) evidence </li></ul><ul><li>- These are the domains identified into the RD Domain Database </li></ul>
24. Active DNS Anomaly Detection Subsystem <ul><li>Characterization of RBnet behavior </li></ul><ul><li>- RBnets exhibit atypical DNS behavior by their very nature </li></ul><ul><li>- Bots have poor connectivity </li></ul><ul><li>- The domain must keep resolving to live bots </li></ul><ul><li>- Three attributes capture the DNS abnormalities </li></ul><ul><li>* IP usage </li></ul><ul><li>* Reverse DNS lookup </li></ul><ul><li>* AS count </li></ul>
25. Active DNS Anomaly Detection Subsystem <ul><li>CDN filter </li></ul><ul><li>- Reverse DNS lookup </li></ul><ul><li>- Removes valid (CDN) domains </li></ul><ul><li>RBnet classification </li></ul><ul><li>- SVM-1 </li></ul><ul><li>* Aggressive RBnets: two valid DNS queries suffice </li></ul><ul><li>* Features: unique IPs, ASes, DNS "bad words" </li></ul><ul><li>- SVM-2 </li></ul><ul><li>* Stealthy RBnets: a week of DNS queries </li></ul><ul><li>* Features: unique IPs, ASes </li></ul>
26. Active DNS Anomaly Detection Subsystem (figure)
27. Active DNS Anomaly Detection Subsystem (figure)
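The a-DADs pipeline on slides 24 and 25, as an added example that is not RB-Seeker's code: repeated active queries of a domain are turned into the three feature kinds (unique IPs, unique ASes, reverse-DNS "bad words"), the CDN filter drops domains whose reverse names identify a CDN, and a two-stage decision looks first at two queries (the SVM-1 input) and then at a week of queries (the SVM-2 input). The DNS answers, PTR names and IP-to-AS map are constructed inline; the bad-word list, the CDN marker list and the threshold rules that stand in for the two SVMs are assumptions, the real system having trained SVMs on features of these kinds.

```python
"""a-DADs-style DNS features, CDN filtering and a two-stage RBnet decision.

Added example, not RB-Seeker's code. DNS answers, PTR names and the IP-to-AS
map are constructed inline. The bad-word list, the CDN markers and the
threshold rules standing in for SVM-1 and SVM-2 are assumptions.
"""
HOUR = 3600
DAY = 24 * HOUR

# Constructed: domain -> [(query_time_s, answer IPs)] from repeated active queries
DNS_LOG = {
    # aggressive RBnet: six bots across many ASes in just two answers
    "cheap-meds.example": [
        (0, ["198.51.100.10", "203.0.113.44", "192.0.2.77"]),
        (HOUR, ["198.51.100.23", "203.0.113.9", "192.0.2.120"]),
    ],
    # stealthy RBnet: each answer looks tame, the week-long union does not
    "slowflux.example": [
        (0 * DAY, ["198.51.100.40", "198.51.100.41"]),
        (1 * DAY, ["198.51.100.40", "203.0.113.60"]),
        (2 * DAY, ["203.0.113.60", "203.0.113.61"]),
        (3 * DAY, ["203.0.113.61", "192.0.2.200"]),
        (4 * DAY, ["192.0.2.200", "192.0.2.201"]),
        (5 * DAY, ["192.0.2.201", "198.51.100.90"]),
        (6 * DAY, ["198.51.100.90", "198.51.100.91"]),
    ],
    # CDN-hosted domain: removed by the filter before any classification
    "static.cdn-example.net": [
        (0, ["93.184.216.34", "93.184.216.35"]),
        (HOUR, ["93.184.216.34", "93.184.216.35"]),
    ],
    # ordinary site: one stable address
    "corp-site.example": [(0, ["192.0.2.10"]), (HOUR, ["192.0.2.10"])],
}

# Constructed PTR records (reverse DNS) and IP -> origin AS number
PTR = {
    "198.51.100.10": "10.100.51.198.dsl.isp-a.example", "203.0.113.44": "cable-44.isp-b.example",
    "192.0.2.77": "host77.hosting.example", "198.51.100.23": "dhcp-23.isp-c.example",
    "203.0.113.9": "cable-9.isp-b.example", "192.0.2.120": "dyn120.isp-d.example",
    "198.51.100.40": "pool-40.isp-e.example", "198.51.100.41": "pool-41.isp-e.example",
    "203.0.113.60": "cable-60.isp-f.example", "203.0.113.61": "cable-61.isp-f.example",
    "192.0.2.200": "dyn200.isp-g.example", "192.0.2.201": "dhcp201.isp-h.example",
    "198.51.100.90": "ppp90.isp-i.example", "198.51.100.91": "ppp91.isp-i.example",
    "93.184.216.34": "edge34.cdn-example.net", "93.184.216.35": "edge35.cdn-example.net",
    "192.0.2.10": "www.corp-site.example",
}
ASN = {
    "198.51.100.10": 64500, "203.0.113.44": 64501, "192.0.2.77": 64502,
    "198.51.100.23": 64503, "203.0.113.9": 64501, "192.0.2.120": 64504,
    "198.51.100.40": 64505, "198.51.100.41": 64505, "203.0.113.60": 64506,
    "203.0.113.61": 64506, "192.0.2.200": 64507, "192.0.2.201": 64508,
    "198.51.100.90": 64509, "198.51.100.91": 64509,
    "93.184.216.34": 64510, "93.184.216.35": 64510, "192.0.2.10": 64511,
}

# Assumed vocabularies: rDNS fragments typical of consumer-broadband bots, and CDN markers
BAD_WORDS = ("dsl", "dhcp", "cable", "pool", "dyn", "ppp", "dial")
CDN_MARKERS = ("cdn-example",)


def reverse_name(ip):
    """Stand-in for a PTR lookup (socket.gethostbyaddr against a real resolver)."""
    return PTR.get(ip)


def has_word(name, words):
    return name is not None and any(w in name for w in words)


def is_cdn(queries):
    """CDN filter: any answer whose reverse name carries a CDN marker removes the domain."""
    for _, ips in queries:
        for ip in ips:
            if has_word(reverse_name(ip), CDN_MARKERS):
                return True
    return False


def features(queries):
    """(unique IPs, unique ASes, IPs whose rDNS contains a bad word) over the given queries."""
    ips = {ip for _, answers in queries for ip in answers}
    ases = {ASN[ip] for ip in ips if ip in ASN}
    bad = sum(1 for ip in ips if has_word(reverse_name(ip), BAD_WORDS))
    return len(ips), len(ases), bad


def classify(queries):
    """CDN filter, then SVM-1 on two queries, then SVM-2 on the full week (rules stand in for SVMs)."""
    if is_cdn(queries):
        return "cdn"
    n_ips, n_as, bad = features(queries[:2])      # SVM-1 input: the first two valid queries
    if n_ips >= 5 and n_as >= 3 and 2 * bad >= n_ips:
        return "aggressive"
    n_ips, n_as, _ = features(queries)            # SVM-2 input: a week of queries
    if n_ips >= 6 and n_as >= 4:
        return "stealthy"
    return "benign"


if __name__ == "__main__":
    for domain, queries in DNS_LOG.items():
        print(domain, features(queries), classify(queries))
```

The ordering matters: the CDN filter runs before the feature thresholds because a CDN legitimately answers with many IPs in many ASes, and without the reverse-DNS check it would look exactly like an aggressive RBnet.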
28. Evaluation of RBnet Classifier <ul><li>SSS and NAS ran for 2 months </li></ul><ul><li>- 96,100+ suspicious domains collected </li></ul><ul><li>a-DADs CDN filter </li></ul><ul><li>- Removed 5,005 CDN domains </li></ul><ul><li>- A similar technique removed known valid domains </li></ul><ul><li>* 35,500+ domains remained under monitoring </li></ul>
29. Evaluation of RBnet Classifier <ul><li>SVM-1: 2 valid queries, 3,541 RBnet IPs, 125 RBnet domains </li></ul><ul><li>SVM-2: 1 week of queries, 249 RBnet IPs, 156 RBnet domains </li></ul><ul><li>RB-Seeker total: 3,790 RBnet IPs, 281 RBnet domains </li></ul><ul><li>Low false-positive rate of < 0.004% </li></ul>
30. Analysis of Detected RBnets (figure)
31. Analysis of Detected RBnets (figure)
32. Evaluation of RBnet Classifier <ul><li>Comparison with an FFSN detector </li></ul><ul><li>(Fast-Flux Service Network) </li></ul><ul><li>- Identifies 124 of the 125 aggressive RBnets </li></ul><ul><li>- 1 false positive: mozilla.org </li></ul><ul><li>- Like SVM-1, fails to detect the stealthy RBnets </li></ul>
33. System Architecture (diagram)
34. Conclusion <ul><li>Design and implementation of RB-Seeker </li></ul><ul><li>Multiple network data sources </li></ul><ul><li>Behavioral approach: independent of the C&C structure </li></ul><ul><li>Capable of detecting both aggressive and stealthy RBnets </li></ul><ul><li>- Low false-positive rate (< 0.01%) </li></ul><ul><li>Easily incorporated into existing systems </li></ul>
35. Q & A <ul><li>VIVA </li></ul><ul><li>THE END </li></ul>