
2011 1028


If this infringes copyright, please let me know; for academic use only!


  1. RB-Seeker: Auto-detection of Redirection Botnets
     - Information Technology Project Report
     - Advisor: Prof. 蕭漢威
     - Student: 張天河
     Paper by Xin Hu, Matthew Knysz, and Kang G. Shin, University of Michigan, Ann Arbor
  2. Outline
     - Introduction
     - Related Work
     - System Architecture
       1. Spam Source Subsystem (SSS)
       2. Netflow Analysis Subsystem (NAS)
       3. Active DNS Anomaly Detection Subsystem (a-DADs)
     - Implementation and Evaluation
     - Conclusion
  3. Introduction: Redirection Botnets
     - Conventional Bots
     - Modular in Nature + Binary Updates
     - Customized Service
     - Kinds of Attacks/Scams
     - Focus: Redirection Bots (RBs)
     - Abundant Source
     - Misdirection: Evading Detection
  4. Introduction: Redirection Botnets
     - Embedded Link (jpg, pdf, html, ...)
     - High Level of Anonymity for the Mothership
       * Easy Centralized Management
       * Protecting Malicious Hosts
       * Multiple Layers
       * Ample Supply, Multiple Functionality
       * One Blocked, Another Still Villainous
  5. Introduction: Redirection Botnets
     - Resource Strain
       * Maintain Connections
       * Content Availability
     - Redirection: Less Taxing
     - Rent Out the RBnet
     - Poor Utilization
       * Enough Bots
       * Dispersed Across Multiple DNS
  6. Introduction: Redirection Botnets
     - Comprehensive and Abundant Sources
       1. Spam Source Subsystem (SSS): Traditional
       2. Netflow Analysis Subsystem (NAS): Passive Network Traces
       3. Active DNS Anomaly Detection Subsystem: Behavioral-based Approach
  7. System Architecture
  8. Related Work
     - Single Dimension or Limitation
     - Cook et al.
       * P2P Botnets
       * Solely on the C&C Channel: Not Effective
     - Karasaridis et al.
       * Network Flow between Bots and Controllers
     - Binkley and Singh
       * IRC-based, via TCP Anomaly Detection and IRC Message Statistics
  9. Spam Source Subsystem (SSS)
     - Multiple Sources
     - Real-Time Collection
     - Content Analysis
     - Timestamp the Suspicious Links
  10. Spam Source Subsystem (SSS)
     - Redirection Methods
       * HTTP Status Code
       * HTTP Meta Refresh Header
       * Client-side Honeypot (JavaScript)
     - Set Up a Threshold to Prevent Loops
       1. Status Code: 54.1%
       2. Refresh Tag: 5.9%
       3. JavaScript: 40.0%
  11. Netflow Analysis Subsystem (NAS)
     - NetFlow
       * Lightweight Alternative, Widely Used
       * Intuition Behind It
     - Without Packet Content Analysis
       * Cost Prohibitively High
       * To Address This Limitation:
         1. Flow Size
         2. Flow Duration
         3. Inter-flow Duration
  12. Netflow Analysis Subsystem (NAS)
     - Comparison of Redirection and Normal Traffic, Captured with Tcpdump
  13. Netflow Analysis Subsystem (NAS)
     - Redirection Behavior Characterization
       1. Short Inter-Flow Duration
          * Multiple, Consecutive HTTP Flows
          * Normal Traffic: Two Orders of Magnitude Longer
       2. Small Flow Size
          * Returns Only Command Data
       3. Short Flow Duration
          * No Profit in Connecting Longer
          * Terminates Once the Bot Has Handed Over
  14. Netflow Analysis Subsystem (NAS)
     - Sequential Hypothesis Testing
       * Sort Flows Chronologically
       * Group Them by Source IP
       * For Each Group, Compute:
         1. Inter-Flow Duration
         2. Flow Size
         3. Flow Duration
  15. Netflow Analysis Subsystem (NAS)
     - Flow-based Redirection Identification
       * Combine the 3 Features and Apply SHT
       * For Fewer False Positives:
         1. Multiple Metrics
         2. Concurrent vs. Redirection: Flow Size
         3. Longer Connection: 3rd HT Not Performed
  16. Netflow Analysis Subsystem (NAS): Flow-based Redirection Identification
  17. Netflow Analysis Subsystem (NAS)
     - Modeling the Distribution of Flow Features
       * How Well Distributions Fit the Actual Data
       * The Density Function of Features
       * Pareto, Log-normal, and Weibull Distributions
       * Maximum Likelihood Estimate (MLE)
       * CDF: Cumulative Distribution Function
  18. Netflow Analysis Subsystem (NAS)
     - CDF of Inter-Flow Duration
  19. Netflow Analysis Subsystem (NAS)
     - Log-Normal Distribution
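Slides 11 to 19 describe the NAS pipeline only at the level of feature names, so the following added example (written for this summary, not code from the RB-Seeker paper or its authors) shows what that pipeline looks like on constructed NetFlow-style records: flows are grouped by source IP and sorted chronologically, the three features (inter-flow duration, flow size, flow duration) are derived, and a Wald sequential probability ratio test decides per source whether the short/small pattern of redirection outnumbers the normal pattern. The log-normal MLE fit and CDF at the end correspond to the distribution-modeling slides. The thresholds, the Bernoulli probabilities, the error rates, and the rule that all three tests must accept H1 before a source is called a redirector are assumptions chosen for illustration, not values taken from the paper.

```python
import math
from collections import defaultdict

# Constructed NetFlow-style records: (src_ip, start_s, end_s, bytes). Not real traces.
FLOWS = [
    # a host that hops through several short, tiny HTTP flows in quick succession
    ("10.0.0.5", 100.0, 100.2, 300),
    ("10.0.0.5", 100.5, 100.7, 280),
    ("10.0.0.5", 101.0, 101.1, 310),
    ("10.0.0.5", 101.4, 101.6, 290),
    ("10.0.0.5", 102.0, 102.3, 305),
    ("10.0.0.5", 102.6, 102.8, 295),
    # an ordinary client: long fetches, large payloads, long think time between them
    ("10.0.0.9", 100.0, 108.0, 150000),
    ("10.0.0.9", 140.0, 152.0, 90000),
    ("10.0.0.9", 200.0, 210.0, 120000),
    ("10.0.0.9", 300.0, 305.0, 80000),
    ("10.0.0.9", 400.0, 412.0, 200000),
    ("10.0.0.9", 500.0, 503.0, 70000),
    # too few flows for the sequential test to reach a decision
    ("10.0.0.7", 100.0, 100.1, 200),
    ("10.0.0.7", 100.3, 100.4, 210),
]

# Assumed per-feature cut-offs (seconds, bytes, seconds) below which a flow looks
# like a redirection hop; the paper derives its own from the fitted distributions.
THRESHOLDS = {"inter_flow": 2.0, "size": 1000, "duration": 1.0}


def flow_features(flows):
    """Sort one source IP's flows chronologically and derive the three NAS features."""
    flows = sorted(flows, key=lambda f: f[1])
    inter = [flows[i][1] - flows[i - 1][2] for i in range(1, len(flows))]
    sizes = [f[3] for f in flows]
    durations = [f[2] - f[1] for f in flows]
    return {"inter_flow": inter, "size": sizes, "duration": durations}


def sprt(outcomes, theta1=0.8, theta0=0.2, alpha=0.01, beta=0.01):
    """Wald's sequential probability ratio test over 0/1 outcomes.

    H1 (redirection): outcome is 1 with probability theta1.
    H0 (normal):      outcome is 1 with probability theta0.
    alpha/beta bound the false-positive/false-negative rates. Returns "H1", "H0",
    or None when the evidence seen so far is still between the two bounds.
    """
    upper = math.log((1 - beta) / alpha)
    lower = math.log(beta / (1 - alpha))
    llr = 0.0
    for y in outcomes:
        llr += math.log(theta1 / theta0) if y else math.log((1 - theta1) / (1 - theta0))
        if llr >= upper:
            return "H1"
        if llr <= lower:
            return "H0"
    return None


def classify_source(flows, thresholds=THRESHOLDS):
    """Run one SPRT per feature; assumed combination rule: all three must accept H1."""
    verdicts = {}
    for name, values in flow_features(flows).items():
        outcomes = [1 if v < thresholds[name] else 0 for v in values]
        verdicts[name] = sprt(outcomes)
    if all(v == "H1" for v in verdicts.values()):
        return "redirection", verdicts
    if any(v == "H0" for v in verdicts.values()):
        return "normal", verdicts
    return "undecided", verdicts


def classify_sources(flows=FLOWS):
    """Group flows by source IP and return a verdict per source."""
    groups = defaultdict(list)
    for f in flows:
        groups[f[0]].append(f)
    return {ip: classify_source(fl)[0] for ip, fl in groups.items()}


def lognormal_mle(samples):
    """MLE of a log-normal fit: mean and (biased, 1/n) std-dev of the log samples."""
    logs = [math.log(x) for x in samples]
    mu = sum(logs) / len(logs)
    sigma = math.sqrt(sum((l - mu) ** 2 for l in logs) / len(logs))
    return mu, sigma


def lognormal_cdf(x, mu, sigma):
    """CDF of the fitted log-normal, e.g. the fraction of inter-flow gaps below x."""
    return 0.5 * (1 + math.erf((math.log(x) - mu) / (sigma * math.sqrt(2))))


if __name__ == "__main__":
    for ip, verdict in classify_sources().items():
        print(ip, verdict)
    gaps = flow_features([f for f in FLOWS if f[0] == "10.0.0.9"])["inter_flow"]
    mu, sigma = lognormal_mle(gaps)
    print("P(gap < 2s) under the fitted log-normal:", lognormal_cdf(2.0, mu, sigma))
```

With the assumed parameters, four consecutive "short" observations push the log-likelihood ratio past log(99) and four "long" ones push it below -log(99), so the redirector is flagged after its fourth flow, the ordinary client is cleared, and the host with two flows stays undecided until more NetFlow records arrive.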
  20. Netflow Analysis Subsystem (NAS)
     - DNS Log Correlation
       * Validate the DNS Behavior
       * IPs in Flows Without a DNS Name
         - Reverse Lookup: Not Useful
         - Reverse/Forward Lookup by the Bot's ISP
       * Correlate RB IPs with Domains in the Log
         - Filtered: Whitelist (CDN) or Known
         - Remaining Domains Go to the RD Domain Database (used by a-DADs)
  21. Netflow Analysis Subsystem (NAS)
  22. System Architecture
  23. Active DNS Anomaly Detection Subsystem
     - Determination & Probability
       * Spam & Flow
       * Identified Domains Go into the RD Domain Database
  24. Active DNS Anomaly Detection Subsystem
     - Characterization of RBnet Behavior
       * Atypical DNS Behavior by Nature
       * Poor Connectivity of Bots
       * Must Keep the Domain Resolving
       * 3 Attributes of DNS Abnormalities:
         - IP Usage
         - Reverse DNS Lookup
         - AS Count
  25. Active DNS Anomaly Detection Subsystem
     - CDN Filter
       * Reverse DNS Lookup
       * Remove Valid Domains
     - RBnet Classification
       * SVM-1
         - Aggressive RBnets: 2 Valid Queries
         - Features: Unique IPs, ASes, DNS "Bad Words"
       * SVM-2
         - Stealthy RBnets: A Week of DNS Queries
         - Features: Unique IPs, ASes
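Slides 24 and 25 name the a-DADs attributes (IP usage, reverse DNS, AS count) and the two classifier views (SVM-1 over 2 queries, SVM-2 over a week) but not how they are computed. The added example below (written for this summary, not code from the paper or its authors) builds those feature vectors from constructed DNS snapshots, applies a reverse-DNS CDN whitelist filter first, and then evaluates the SVM-1 and SVM-2 views. Because no trained SVM is available here, each SVM is stood in for by a hand-set linear decision function; the weights, the bad-word list, the IP-to-AS table, the reverse-DNS names and the CDN suffix are all assumptions for illustration.

```python
# Constructed a-DADs inputs (RFC 5737 documentation addresses, .test domains);
# none of this is real DNS data. Snapshot: (domain, hours_since_first_query, A records).
DNS_SNAPSHOTS = [
    ("aggr-example.test", 0, {"192.0.2.10", "192.0.2.20", "198.51.100.5"}),
    ("aggr-example.test", 1, {"203.0.113.7", "203.0.113.8", "192.0.2.10"}),
    ("cdn-example.test", 0, {"198.51.100.200", "198.51.100.201"}),
    ("cdn-example.test", 1, {"198.51.100.200", "198.51.100.202"}),
    ("static-example.test", 0, {"192.0.2.99"}),
    ("static-example.test", 1, {"192.0.2.99"}),
    ("stealth-example.test", 0, {"192.0.2.50"}),
    ("stealth-example.test", 1, {"192.0.2.50"}),
    ("stealth-example.test", 24, {"203.0.113.50"}),
    ("stealth-example.test", 72, {"198.51.100.50"}),
    ("stealth-example.test", 120, {"192.0.2.51"}),
]

# Stand-ins for the lookups the subsystem would perform: /24 prefix -> origin AS,
# and IP -> PTR name. Both tables are constructed.
IP_TO_AS = {"192.0.2": 64500, "198.51.100": 64501, "203.0.113": 64502}
REVERSE_DNS = {
    "192.0.2.10": "dsl-10.resi-isp.test",
    "192.0.2.20": "pool-20.resi-isp.test",
    "198.51.100.5": "cable-5.otherisp.test",
    "203.0.113.7": "dynamic-7.thirdisp.test",
    "203.0.113.8": "dhcp-8.thirdisp.test",
    "198.51.100.200": "edge200.cdn-example-net.test",
    "198.51.100.201": "edge201.cdn-example-net.test",
    "198.51.100.202": "edge202.cdn-example-net.test",
    "192.0.2.99": "www.static-example.test",
    "192.0.2.50": "dsl-50.resi-isp.test",
    "203.0.113.50": "cable-50.thirdisp.test",
    "198.51.100.50": "pool-50.otherisp.test",
    "192.0.2.51": "dial-51.resi-isp.test",
}
# Assumed "bad words": PTR fragments typical of residential/dynamic address pools.
BAD_WORDS = ("dsl", "dial", "cable", "dynamic", "dhcp", "pool")
CDN_SUFFIXES = ("cdn-example-net.test",)  # constructed CDN whitelist


def as_of(ip):
    return IP_TO_AS[ip.rsplit(".", 1)[0]]


def snapshots_for(domain, max_queries=None, window_hours=None):
    """Chronological (time, ips) snapshots for a domain, cut to N queries or a window."""
    snaps = sorted(((t, ips) for d, t, ips in DNS_SNAPSHOTS if d == domain), key=lambda s: s[0])
    if window_hours is not None:
        snaps = [s for s in snaps if s[0] <= window_hours]
    if max_queries is not None:
        snaps = snaps[:max_queries]
    return snaps


def dns_features(snaps):
    """The three slide attributes: unique IPs, unique ASes, IPs whose PTR has a bad word."""
    ips = set().union(*(s[1] for s in snaps)) if snaps else set()
    ases = {as_of(ip) for ip in ips}
    bad = sum(1 for ip in ips if any(w in REVERSE_DNS.get(ip, "") for w in BAD_WORDS))
    return {"unique_ips": len(ips), "unique_ases": len(ases), "bad_words": bad}


def is_cdn(domain):
    """CDN filter: every resolved IP reverse-maps into a whitelisted CDN name."""
    ips = set().union(*(s[1] for s in snapshots_for(domain)))
    return bool(ips) and all(REVERSE_DNS.get(ip, "").endswith(CDN_SUFFIXES) for ip in ips)


# Hand-set linear stand-ins for the two trained SVMs (assumed weights and bias).
SVM1_WEIGHTS = {"unique_ips": 1.0, "unique_ases": 1.5, "bad_words": 1.0}
SVM2_WEIGHTS = {"unique_ips": 1.0, "unique_ases": 1.5}


def linear_score(feats, weights, bias=-6.0):
    return sum(weights[k] * feats[k] for k in weights) + bias


def classify_domain(domain):
    if is_cdn(domain):
        return "cdn-filtered"
    if linear_score(dns_features(snapshots_for(domain, max_queries=2)), SVM1_WEIGHTS) > 0:
        return "aggressive"
    if linear_score(dns_features(snapshots_for(domain, window_hours=168)), SVM2_WEIGHTS) > 0:
        return "stealthy"
    return "benign"


def classify_domains():
    return {d: classify_domain(d) for d in sorted({d for d, _, _ in DNS_SNAPSHOTS})}


if __name__ == "__main__":
    for domain, label in classify_domains().items():
        print(domain, label)
```

The stealthy domain is the instructive case: over the first two queries it shows one IP in one AS and scores like a static site, and only the week-long SVM-2 view, with four IPs across three ASes, separates it from the benign domain, which is exactly why the slides keep two classifiers.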
  26. Active DNS Anomaly Detection Subsystem
  27. Active DNS Anomaly Detection Subsystem
  28. Evaluation of RBnet Classifier
     - SSS and NAS: 2 Months
       * 96100+ Suspicious Domains
     - a-DADs CDN Filter
       * Removed 5,005 CDN Domains
       * Similar Technique for Valid Domains
       * 35500+ Domains Kept Under Monitoring
  29. Evaluation of RBnet Classifier
     Low FP Rate of < 0.004%

     Classifier   RBnet Domains   RBnet IPs   Valid Queries
     SVM-1        125             3541        2
     SVM-2        156             249         1 week
     RB-Seeker    281             3790
  30. Analysis of Detected RBnets
  31. Analysis of Detected RBnets
  32. Evaluation of RBnet Classifier
     - FFSN Detector (Fast-Flux Service Network)
       * Identifies 124 of the 125 Aggressive RBnets
       * 1 FP: mozilla.org
       * Fails to Detect Stealthy RBnets, as SVM-1 Did
  33. System Architecture
  34. Conclusion
     - Design and Implementation: RB-Seeker
     - Multiple Network Data Sources
     - Behavioral Approach: No Assumed C&C Structure
     - Capable of Detecting Both Aggressive & Stealthy RBnets
       * Low FP (< 0.01%)
     - Easily Incorporated into Existing Systems
  35. Q & A
     - VIVA
     - THE END
