2 dc meet new
Tags: botnet, malware analysis
  1. Study and Analysis of Botnets and Botnet Detection Techniques
     Candidate: G. Kirubavathi (Reg. No. 71010112041)
     Guide: Dr. R. Anitha, Associate Professor, Department of Applied Mathematics and Computational Sciences, PSG College of Technology
  2. Outline
     - Introduction
     - Botnet Detection
     - HTTP Botnet Detection
     - Future Work
     - Conclusions
     - References
  3. What is the need for botnet detection?
     - 4 Aug 2010: Zeus v2 botnet that owned 100,000 UK PCs taken out
     - 12 Aug 2010: Zeus v3 botnet raid on UK bank accounts
     - 2013: the 'Chameleon' botnet takes $6 million a month in ad money
     - 5 Apr 2013: WordPress hit by a large-scale botnet attack
  4. Botnet
     - A bot is a self-propagating application that infects vulnerable hosts through direct exploitation or Trojan insertion.
     - A botnet is a network of compromised computers ("bots") controlled by an attacker (the "botmaster").
     - Based on the command-and-control communication protocol, botnets are classified as IRC botnets, HTTP botnets or P2P botnets.
  5. Classification of Botnet Detection Techniques
     - Honeynets
     - Intrusion Detection System
       - Signature-based
       - Anomaly-based
         - Host-based
         - Network-based
           - Active monitoring
           - Passive monitoring
  6. HTTP Botnet Detection using Adaptive Learning Rate MLFF-NN
     - Recent botnets have begun using common protocols such as HTTP for command and control, so their traffic blends in with ordinary web browsing.
     - HTTP bot communications are carried over TCP connections.
     - TCP-level features of these connections are extracted and used to detect HTTP botnets.
  7. Proposed System Architecture
     Network traffic -> Feature extraction -> Normalization (pre-processing) -> Training set / Testing set -> NN training -> NN model -> Evaluate -> Normal / Bot
  8. Traces of different web-based botnets
     Bot family   Trace size   Packets
     Zeus-1        5.85 MB      53,220
     Zeus-2        4.13 MB      37,252
     SpyEye-1     25.17 MB     175,870
     SpyEye-2      3.90 MB      35,180
  9. Identification accuracy of web botnet traffic profiles
     Traffic trace   Neurons in input layer   Neurons in hidden layer   Correct identification
     SpyEye-1        6                        18                        99.03%
     SpyEye-2        6                        18                        99.02%
     Zeus-1          6                        18                        99.01%
     Zeus-2          6                        18                        99.04%
  10. Performance measures, SpyEye botnet
     Method               Precision   Recall   F-measure   Accuracy (%)
     Decision tree        0.968       0.931    0.949       96.5333
     Random forest        0.968       0.934    0.950       96.6670
     RBF                  0.976       0.927    0.950       96.5333
     FF-NN (proposed)     0.964       0.983    0.973       99.0300
  11. ROC curve for SpyEye botnet (figure)
  12. Performance measures, Zeus botnet
     Method               Precision   Recall   F-measure   Accuracy (%)
     Decision tree        0.956       0.930    0.941       96.1433
     Random forest        0.952       0.930    0.940       96.0000
     RBF                  0.959       0.922    0.940       95.8667
     FF-NN (proposed)     0.948       0.992    0.969       99.0400
  13. ROC curve for Zeus botnet (figure)
  14. Comparison of performance
     Method                                                     Average detection accuracy (%)
     Gu et al. (2008), BotMiner (data mining techniques)        96.825
     Nogueira et al. (2010), neural networks                    94.9175
     Adaptive learning rate neural network (proposed)           99.025
  15. HTTP Botnet Detection using HsMM with SNMP MIB Variables
     - A Hidden semi-Markov Model (HsMM) is used to characterise normal network behaviour, taking the TCP-based SNMP MIB variables as the observed sequence.
     - Model parameters are estimated with the forward-backward algorithm.
  16. Proposed System Architecture
     Extraction of the SNMP MIB variables -> Summation of the SNMP MIB variables -> Feature reduction by PCA -> Train data / Test data -> HsMM modelling (forward-backward algorithm) -> HsMM model -> Normal / Bot
  17. Model Construction
     - Construct an HsMM that profiles normal MIB traffic behaviour and use this model to detect the botnet.
     - The HsMM is written λ = (N, M, V, A, B, Π), where
       - N is the size of the state space Φ = {0, 1};
       - V = {v0, v1, ..., v(M-1)} is the set of visible symbols, which are the TCP-MIB variables;
       - M, the number of visible symbols, is the summation count of the MIB variables;
       - A = [a_ij], an N×N matrix, is the state transition probability matrix, with a_ij = P{next_state = j | current_state = i}, i, j ∈ Φ.
     - A is fixed in advance as
           A = [ 0  1 ]
               [ 0  1 ]
       i.e. whatever the current state, the process moves to the normal state (state 1) at the next step with probability 1.
  18. Model Construction (cont.)
     - B = {b_i(k)}, i ∈ Φ, 0 ≤ k ≤ M-1, is the distribution of the visible symbols V, where b_i(k) = P{observed system behaviour = v_k | current state = i}.
     - Π = [Π0, Π1, ..., Π(N-1)] is the initial state distribution.
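The λ = (N, M, V, A, B, Π) model of slides 17 and 18, scored by the explicit-duration forward recursion of the Yu and Kobayashi reference, as an added example that is not code from the thesis or from the deck. It fixes an illustrative normal-traffic model by hand instead of estimating it with forward-backward, uses two traffic-load states with an alternating A rather than the deck's Φ = {0, 1} with A = [0 1; 0 1], quantizes a summed TCP-MIB counter into M = 4 symbols, and flags a sequence whose per-symbol log-likelihood falls under a threshold learned from normal sequences; every parameter, bin edge and traffic sequence is a constructed assumption.

```python
"""Added example (not from the slide deck): an explicit-duration hidden
semi-Markov model over quantized TCP-MIB counter readings, the forward
recursion that scores an observed sequence under it, and a threshold test
that flags sequences the normal-traffic model finds unlikely."""
import math
import random

NEG = float("-inf")


def logsumexp(xs):
    m = max(xs)
    return NEG if m == NEG else m + math.log(sum(math.exp(x - m) for x in xs))


# Constructed normal-traffic model (every value is an assumption).  Slide 17's
# lambda = (N, M, V, A, B, Pi) plus a duration distribution P[i][d], d = 1..DMAX,
# which is what makes the chain semi-Markov.  State 0 = quiet period, state 1 =
# busy period; segments alternate, busy ones are short, quiet ones longer.
N, M, DMAX = 2, 4, 6
PI = [0.7, 0.3]
A = [[0.0, 1.0], [1.0, 0.0]]
B = [[0.70, 0.25, 0.04, 0.01],                      # quiet: low symbols
     [0.02, 0.08, 0.50, 0.40]]                      # busy: high symbols
P = [[0.0, 0.05, 0.15, 0.30, 0.30, 0.15, 0.05],     # index 0 unused
     [0.0, 0.40, 0.30, 0.15, 0.10, 0.04, 0.01]]


def quantize(delta, edges=(100, 400, 1000)):
    """Map a per-interval tcpInSegs+tcpOutSegs delta to symbol v_k, 0 <= k < M."""
    return sum(delta >= e for e in edges)


def hsmm_loglik(obs, pi=PI, A=A, B=B, P=P, dmax=DMAX):
    """log P(obs | lambda).  alpha[t][i] = log P(o_1..o_t, a state-i segment
    ends at t); each segment of length d contributes P[i][d], its d emissions
    and the transition from whichever segment ended at t-d (or Pi at t=d)."""
    n, T = len(pi), len(obs)
    alpha = [[NEG] * n for _ in range(T + 1)]
    for t in range(1, T + 1):
        for i in range(n):
            terms = []
            for d in range(1, min(dmax, t) + 1):
                if P[i][d] == 0.0:
                    continue
                emis = sum(math.log(B[i][o]) for o in obs[t - d:t])
                if t == d:
                    prev = math.log(pi[i]) if pi[i] > 0 else NEG
                else:
                    prev = logsumexp([alpha[t - d][j] +
                                      (math.log(A[j][i]) if A[j][i] > 0 else NEG)
                                      for j in range(n)])
                terms.append(math.log(P[i][d]) + emis + prev)
            alpha[t][i] = logsumexp(terms) if terms else NEG
    return logsumexp(alpha[T])


def sample_normal(rng, T):
    """Simulate T symbols of constructed normal traffic from the model."""
    obs, state = [], 0 if rng.random() < PI[0] else 1
    while len(obs) < T:
        d = rng.choices(range(1, DMAX + 1), weights=P[state][1:])[0]
        obs.extend(rng.choices(range(M), weights=B[state], k=d))
        state = rng.choices(range(N), weights=A[state])[0]
    return obs[:T]


def sample_bot(rng, T):
    """Constructed bot: steady C&C polling keeps the per-interval segment count
    high in every interval, so the quiet/busy alternation never appears."""
    return [quantize(rng.randint(1100, 1300)) for _ in range(T)]


def detect(seq, threshold):
    """Per-symbol log-likelihood under the normal model; below threshold = bot."""
    score = hsmm_loglik(seq) / len(seq)
    return score, score < threshold


def run_demo(seed=7, T=60, n_train=30):
    """Learn a threshold from normal sequences (mean minus 3 sd of their
    per-symbol score), then score one held-out normal and one bot sequence."""
    rng = random.Random(seed)
    train = [hsmm_loglik(sample_normal(rng, T)) / T for _ in range(n_train)]
    mu = sum(train) / n_train
    sd = math.sqrt(sum((s - mu) ** 2 for s in train) / n_train)
    threshold = mu - 3 * sd
    normal_score, normal_flag = detect(sample_normal(rng, T), threshold)
    bot_score, bot_flag = detect(sample_bot(rng, T), threshold)
    return {"threshold": threshold, "normal": normal_score,
            "normal_flag": normal_flag, "bot": bot_score, "bot_flag": bot_flag}


if __name__ == "__main__":
    print(run_demo())
```

The bot sequence is not flagged because any single reading is impossible (the busy state emits the top symbol with probability 0.4); it is flagged because the normal model insists busy segments are short and are followed by quiet ones, and a flat high-rate sequence has to pay for every forced quiet symbol. That duration structure is what the semi-Markov model adds over a plain per-symbol frequency check.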
  19. Web-based botnet identification accuracy
     Dataset        False positive rate   Detection accuracy   Result
     Web service    0%                    100%                 Normal
     FTP service    0%                    100%                 Normal
     SpyEye         1.33%                 98.67%               Malicious (botnet)
     BlackEnergy    1.28%                 98.72%               Malicious (botnet)
  20. Future Work
     - Analyse the various types of current botnet activity.
     - Identify statistical modelling techniques that detect botnets irrespective of their communication protocol and command-and-control structure.
  21. Conclusion
     - Botnets pose a significant and growing threat to cyber security.
     - They provide the key platform for many cyber crimes, such as DDoS.
     - Network security has become an integral part of our lives, and botnets have become the most serious threat to it.
     - It is therefore important to detect botnet attacks and find solutions to them.
  22. Published Paper
     G. Kirubavathi Venkatesh and R. Anitha, "HTTP Botnet Detection using Adaptive Learning Rate Multilayer Feed-forward Neural Network," in Proc. International Workshop in Information Security Theory and Practice (WISTP'12), UK, LNCS 7322, pp. 38-48, 2012.
     Paper Communicated
     G. Kirubavathi Venkatesh, V. Srihari, R. Veeramani, RM. Karthikeyan and R. Anitha, "HTTP Botnet Detection using Hidden semi-Markov Model with SNMP MIB Variables," communicated to the International Journal of Security and Communication Networks (Wiley).
  23. References
     - P. Barford and V. Yegneswaran, "An inside look at botnets," Springer, 2006.
     - J. Binkley and S. Singh, "An algorithm for anomaly-based botnet detection," in Proc. USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), 2006, pp. 43-48.
     - T. Abbes, A. A. Bouhoula and M. Rusinowitch, "Protocol analysis in intrusion detection using decision tree," in Proc. International Conference on Information Technology: Coding and Computing (ITCC'04), IEEE, pp. 404-408.
     - J. Zhang, M. Zulkernine and A. Haque, "Random-forests-based network intrusion detection systems," IEEE Transactions on Systems, Man, and Cybernetics, Part C, 38(5):649-659, 2008.
     - J. Lee et al., "The activity analysis of malicious HTTP-based botnets using degree of periodic repeatability," in Proc. IEEE International Conference on Security Technology, Dec. 2008, pp. 83-86.
  24. References (cont.)
     - X. Tan and H. Xi, "Hidden semi-Markov model for anomaly detection," Applied Mathematics and Computation, 205(2):562-567, Nov. 2008 (special issue on Advanced Intelligent Computing Theory and Methodology in Applied Mathematics and Computation).
     - S.-Z. Yu and H. Kobayashi, "An efficient forward-backward algorithm for an explicit-duration hidden Markov model," IEEE Signal Processing Letters, 10(1):11-14, Jan. 2003.
     - B. Wang, Z. Li, D. Li, F. Liu and H. Chen, "Modeling connections behavior for web-based bots detection," in Proc. 2nd IEEE International Conference on e-Business and Information System Security (EBISS), Wuhan, 2010, pp. 1-4.
     - Y. Xie and S.-Z. Yu, "Monitoring the application-layer DDoS attacks for popular websites," IEEE/ACM Transactions on Networking, 17(1), Feb. 2009.