A Botnet Detecting Infrastructure
Using a Beneficial Botnet
Takashi Yamanoue, Fukuyama University
ACM SIGUCCS 2018, Orlando, FL, USA, Oct. 9, 2018.
#siguccs18
• An Eye for an Eye
• A Tooth for a Tooth
• A Bot for a Bot
• A Botnet for a Botnet
Contents
• 1. Introduction
• 2. Beneficial Botnet
• 3. Experiment
• 4. Related Work
• 5. Conclusion
1. Introduction (1/6)
• Network managers and the people in charge of network security are troubled by malicious botnets.
1. Introduction (2/6)
• A malicious botnet
– spreads spam mail,
– launches DDoS attacks,
– commits click fraud,
– steals the bank account information of the users of its zombie computers.
• A malicious botnet is
– Persistent
• It continues its malicious activity even if some of its bots are removed.
– Evolving
1. Introduction (3/6)
• Technology of malicious botnets
– Early botnets relied on a single centralized command and control (C2) server.
• Such a botnet can be disrupted by removing the C2 server.
– Peer-to-peer (P2P)
• Mid-2000s, e.g. Agobot/Phatbot
– Domain generation algorithm (DGA)
• Late 2000s, e.g. Conficker
• Our approach to cope with them
– Beneficial botnet
1. Introduction (4/6)
• Our beneficial botnet is a group of beneficial bots:
– agent bots and an analyzing bot.
• An agent bot
– is located between a LAN and its NAT/router,
– collects and controls the communication of the hosts in the LAN.
• The analyzing bot
– collects communication data from the agent bots,
– analyzes the data,
– can execute R programs for the analysis.
[Figure: an agent bot placed between a sub-LAN and its NAT/router]
1. Introduction (5/6)
• The P2P communication of a malicious botnet
– is hard to detect with a single IDS at the entrance of the organizational network,
• because
– there is no single C2 server, and
– only a small amount of P2P traffic passes between P2P nodes inside the organizational network and those outside.
• Our beneficial botnet
– has the ability to detect P2P communication through the collaboration of our beneficial bots.
1. Introduction (6/6)
• We have made a pseudo botnet, Pseudo Gameover ZeuS, for evaluation.
– It performs P2P communication between some of its nodes without doing anything malicious.
• Our beneficial botnet
– could detect the P2P communication of the pseudo Gameover ZeuS,
– may also detect communication that uses a DGA.
• Furthermore, our beneficial botnet
– has the ability to cope with the new technology of new botnets, because it can evolve, just as malicious botnets do.
2. Beneficial Botnet (1/13)
• It is now common
– to use an IDS or an intrusion prevention system (IPS)
– at the entrance of an organizational network.
• An IDS or IPS at the entrance of the organizational network
– is effective against a malicious botnet with a centralized C2 server, because every communication between the C2 server and all of its bots can be detected by the IDS or IPS.
2. Beneficial Botnet (2/13)
• An example of a botnet
– Gameover ZeuS
• Disrupted in 2014 by an international collaborative investigation.
• The losses attributable to Gameover ZeuS were estimated at over one hundred million dollars, according to the FBI announcement.
• “The second centralized version of Zeus mutated into a peer-to-peer (P2P) variant, known as P2P Zeus or Gameover. Since P2P Zeus does not rely on centralized command and control server (C2), it is immune to traditional countermeasures against Zeus”, according to Andriesse and Bos.
2. Beneficial Botnet (3/13)
• Botnets with the P2P feature are
– difficult to detect and difficult to disrupt:
– there is no centralized command and control server (C2 server).
• One reason for the great losses caused by Gameover ZeuS can be considered to be that Gameover ZeuS acquired the P2P feature.
– Gameover ZeuS has been disrupted. However, there are chances that similar P2P botnets intrude into campuses and conduct their malicious operations.
2. Beneficial Botnet (4/13)
• With a single IDS at the network entrance of the campus, it is
– hard to detect the P2P communication of bots inside the campus,
– hard to locate such bots in the campus.
2. Beneficial Botnet (5/13)
• We have designed our beneficial botnet to cope with malicious botnets such as Gameover ZeuS.
2. Beneficial Botnet (6/13)
• We want to cope with the technologies of malicious botnets
– by developing the beneficial botnet using our beneficial bots
• “Monitoring Servers With a Little From My Bots”
• “Capturing Malicious Bots using a Beneficial Bot”
– A beneficial botnet is a group of beneficial bots:
• agent bots behind the NAT of each LAN,
• analyzing bots, which analyze the data collected by the agent bots.
– The beneficial botnet has the ability to detect the P2P communication of malicious bots through the collaboration of its beneficial bots.
[Figure: agent bots behind the NAT/routers of their LANs]
2. Beneficial Botnet (7/13)
2. Beneficial Botnet (8/13)
2.1 A Bot of a Beneficial Botnet (1/2)
• A beneficial bot is a script interpreter.
[Figure: bot components labelled Sensors, Actuators, Traffic Controller]
2. Beneficial Botnet (9/13)
2.1 A Bot of a Beneficial Botnet (2/2)
• Examples of other commands:
- set pageName <page-name>
- include <url>
• An example of a wiki page
2. Beneficial Botnet (10/13)
2.1 Agent Bot (1/3)
[Figure: an agent bot between the sub-LAN and its NAT/router]
2. Beneficial Botnet (11/13)
2.1 Agent Bot (2/3)
• Buffers
– Packet history
• sub-buffers for every (source IP, destination IP) pair
• packet information plus date/time and the SHA1 hash of the packet payload
– MAC-list …
• which hosts are connected to this sub-LAN, and their IP addresses in this LAN.
2. Beneficial Botnet (12/13)
2.1 Agent Bot (3/3)
– Domain-list … DNS queries
• which host in this sub-LAN communicated with which host outside this LAN.
• Can be used to detect the use of a domain generation algorithm (DGA).
– Dhcp-list … DHCP server queries
• Can be used to
– detect DHCP spoofing,
– detect an unauthorized DHCP server.
– Arp-list
• Can be used to
– detect ARP spoofing.
2. Beneficial Botnet (13/13)
2.2 Analyzing Bot (1/1)
• The analyzing bot gathers the information of each agent bot and analyzes it.
• The language processor of a beneficial bot includes
– a CSV parser,
– spreadsheet manipulation / spreadsheet functions.
• Analyzing bot =
– the language processor of a beneficial bot +
– an R language processor.
3. Experiment (1/18)
• Gameover ZeuS
– We can download its source code. However, it is dangerous.
– How shall we evaluate the beneficial botnet?
3. Experiment (2/18)
• Pseudo Gameover ZeuS
• It does not do bad things.
3. Experiment (3/18)
3. Experiment (4/18)
3.1 Script and results of Agent Bots (1/5)
3. Experiment (5/18)
3.1 Script and results of Agent Bots (2/5)
• Class page
[Figure: the agent bot's class page, annotated “UDP, not NTP, not DNS”, “Host-list”, “Domain-list”]
3. Experiment (6/18)
3.1 Script and results of Agent Bots (3/5)
3. Experiment (7/18)
3.1 Script and results of Agent Bots (4/5)
• Object page
3. Experiment (8/18)
3.1 Script and results of Agent Bots (5/5)
Results
• A part of the results
– cmd=get repeating, date="2018/04/14 17:03:19 +0900", no=3299, if=1, smac="bc:5c:4c:5d:1c:cd", dmac="b8:27:eb:cb:d6:38", prtcl=udp, sip="192.168.13.160", dip="192.168.2.100", sp=34724, dp=33331, sha1payload="9dac7a7beb944a7193847a3d0fbcc370d13a5838", payloadLength=46, payload=broadcast id=3394824 ttl=3 cmd="message test".....
3. Experiment (9/18)
3.2 Script and results of Analyzing Bots (1/10)
3. Experiment (10/18)
3.2 Script and results of Analyzing Bots (2/10)
• Find pairs of packets satisfying
- different LAN,
- same SHA1,
- near time
among
- all pairs of packets (from the agent bots).
3. Experiment (11/18)
3.2 Script and results of Analyzing Bots (3/10)
• Define arrays; prepare the URLs of the object pages of the agent bots …
3. Experiment (12/18)
3.2 Script and results of Analyzing Bots (4/10)
• For each LAN: choose the packet info, read the CSV into the table, and get the vectors of date, sip, dip, smac, dmac, payload, sha1 and LAN-ID for the R processor.
3. Experiment (13/18)
3.2 Script and results of Analyzing Bots (5/10)
• Prepare the data frame of the packet information in this LAN for R, and combine the data frames of all LANs.
3. Experiment (14/18)
3.2 Script and results of Analyzing Bots (6/10)
• Find pairs of packets satisfying
- different LAN,
- same SHA1,
- near time
among
- all pairs of packets (from the agent bots).
• Write the results to the wiki.
Results
3. Experiment (15/18)
3.2 Script and results of Analyzing Bots (7/10)
• A part of the object page of the analyzing bot
– Possible P2P communication between LAN-1 and LAN-2
• lan1= 0 ,date= 2018/04/14 17:06:50 +0900 , smac= b8:27:eb:cb:d6:38 ,dmac= bc:5c:4c:5d:1c:cd , sip= 192.168.2.100 ,dip= 192.168.13.160 , lan2= 1 ,date= 2018/04/14 17:06:51 +0900 , smac= bc:5c:4c:5d:1a:c9 ,dmac= b8:27:eb:2f:33:cd , sip= 192.168.13.210 ,dip= 192.168.2.102 , sha1payload= f14db4dae7a139cde5185267b8d353498850f22b , payload= broadcast id
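As an added illustration, not code from the paper or from its beneficial bot (which runs as a wiki-driven script with an R processor), this Python script applies the pairing rule above (different LAN, same SHA1 of the payload, near time) to a constructed capture written in the agent bots' record format and prints the hits in the analyzing bot's object-page style. The two-second window, the 192.0.2.10 outside address and the sample records are assumptions of the example.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# key=value fields of an agent bot record; the payload is split off first
# because it may itself contain '=' and ','.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|([^,]*))')
DATE_FMT = "%Y/%m/%d %H:%M:%S %z"


def make_record(date, smac, dmac, sip, dip, payload, sp=34724, dp=33331):
    """Build one line in the agent bots' 'cmd=get repeating' format (constructed sample)."""
    sha1 = hashlib.sha1(payload.encode()).hexdigest()
    return (f'cmd=get repeating, date="{date}", if=1, smac="{smac}", dmac="{dmac}", '
            f'prtcl=udp, sip="{sip}", dip="{dip}", sp={sp}, dp={dp}, '
            f'sha1payload="{sha1}", payloadLength={len(payload)}, payload={payload}')


def parse_record(line):
    """Parse one agent bot line into a dict; quoted values lose their quotes."""
    head, _, payload = line.partition(", payload=")
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4).strip())
              for m in FIELD_RE.finditer(head)}
    fields["payload"] = payload
    fields["time"] = datetime.strptime(fields["date"], DATE_FMT)
    return fields


def find_p2p_candidates(records_by_lan, window_seconds=2.0):
    """Pairs of packets from different LANs with the same sha1payload, captured
    within window_seconds of each other.  records_by_lan maps a LAN id to the
    lines its agent bot reported.  Grouping by hash first gives the same answer
    as testing every pair of packets, without the O(n^2) comparisons."""
    by_hash = defaultdict(list)
    for lan, lines in records_by_lan.items():
        for line in lines:
            f = parse_record(line)
            # Assumption: the payload is recorded verbatim, so the hash can be
            # re-derived; a record whose hash does not match is not trusted.
            if hashlib.sha1(f["payload"].encode()).hexdigest() != f["sha1payload"]:
                continue
            by_hash[f["sha1payload"]].append((lan, f))
    hits = []
    for sha1, group in by_hash.items():
        for (lan1, a), (lan2, b) in combinations(group, 2):
            if lan1 != lan2 and abs((a["time"] - b["time"]).total_seconds()) <= window_seconds:
                hits.append({"lan1": lan1, "a": a, "lan2": lan2, "b": b, "sha1payload": sha1})
    return hits


def format_hit(h):
    """Render a hit in the style of the analyzing bot's object page."""
    a, b = h["a"], h["b"]
    return (f'lan1= {h["lan1"]} ,date= {a["date"]} ,smac= {a["smac"]} ,dmac= {a["dmac"]} ,'
            f'sip= {a["sip"]} ,dip= {a["dip"]} ,lan2= {h["lan2"]} ,date= {b["date"]} ,'
            f'smac= {b["smac"]} ,dmac= {b["dmac"]} ,sip= {b["sip"]} ,dip= {b["dip"]} ,'
            f'sha1payload= {h["sha1payload"]} ,payload= {a["payload"]}')


# Constructed capture: LAN 0 and LAN 1 see the same broadcast one second apart
# (a P2P relay candidate); LAN 0 also sends an unrelated packet, and LAN 2
# repeats the same payload much later, outside the default window.
PAYLOAD = 'broadcast id=3394824 ttl=3 cmd="message test"'
SAMPLE = {
    0: [make_record("2018/04/14 17:06:50 +0900", "b8:27:eb:cb:d6:38", "bc:5c:4c:5d:1c:cd",
                    "192.168.2.100", "192.168.13.160", PAYLOAD),
        make_record("2018/04/14 17:06:52 +0900", "b8:27:eb:cb:d6:38", "bc:5c:4c:5d:1c:cd",
                    "192.168.2.100", "192.0.2.10", "ordinary udp traffic")],
    1: [make_record("2018/04/14 17:06:51 +0900", "bc:5c:4c:5d:1a:c9", "b8:27:eb:2f:33:cd",
                    "192.168.13.210", "192.168.2.102", PAYLOAD)],
    2: [make_record("2018/04/14 17:30:00 +0900", "bc:5c:4c:5d:1a:bf", "b8:27:eb:3a:6b:fa",
                    "192.168.13.160", "192.168.2.102", PAYLOAD)],
}

if __name__ == "__main__":
    for hit in find_p2p_candidates(SAMPLE):
        print(format_hit(hit))
```

Widening the window (for example to 30 minutes) also pairs LAN 2's late repeat with both earlier packets, which shows why the time bound matters for keeping the candidate list short.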
3. Experiment (16/18)
3.2 Script and results of Analyzing Bots (8/10)
3. Experiment (17/18)
3.2 Script and results of Analyzing Bots (9/10)
• A part of the object page of the analyzing bot
– Possible P2P communication between LAN-2 and LAN-5
• lan1= 1 ,date= 2018/04/14 17:03:18 +0900 , smac= b8:27:eb:2f:33:cd ,dmac= bc:5c:4c:5d:1a:c9 , sip= 192.168.2.102 ,dip= 192.168.13.150 , lan2= 4 ,date= 2018/04/14 17:03:17 +0900 , smac= bc:5c:4c:5d:1a:bf ,dmac= b8:27:eb:3a:6b:fa , sip= 192.168.13.160 ,dip= 192.168.2.102 , sha1payload= 9dac7a7beb944a7193847a3d0fbcc370d13a5838 , payload= broadcast id
3. Experiment (18/18)
3.2 Script and results of Analyzing Bots (10/10)
4. Related Work (1/5)
4.1 Autonomous Agents for Intrusion Detection (AAFID) (Purdue University)
• A group of agents of a distributed IDS.
• agents + transceivers + monitors
• An agent of the AAFID is similar to our agent bot:
– both are controlled by commands and collect traffic data.
• A monitor and a transceiver of the AAFID are similar to our analyzing bot:
– both collect data from agents, transceivers, other monitors or agent bots, and analyze the data.
4. Related Work (2/5)
4.1 Autonomous Agents for Intrusion Detection (AAFID) (Purdue University)
• An agent of the AAFID is installed in a client host,
– while our agent bot is placed between a LAN and its router or NAT router.
• The manager of our beneficial botnet
– does not need to install our agent bot on each client host.
4. Related Work (3/5)
4.1 Autonomous Agents for Intrusion Detection (AAFID) (Purdue University)
• A monitor or a transceiver of the AAFID
– is not controlled by a script in a wiki page,
– while our agent bots and the analyzing bot are controlled by the script in a wiki page.
• The communication mechanism is not specified in the AAFID architecture,
– while our beneficial botnet uses the wiki API.
4. Related Work (4/5)
4.2 Man in the Middle Attack
• The action of an agent bot of our beneficial botnet
– can be seen as a man-in-the-middle attack.
• Many communications in the sub-LAN
– can be controlled by the agent bot.
• We have to be careful
– so that the agent bot does not go to the dark side.
4. Related Work (5/5)
4.3 KASEYA and UNIFAS
• They consist of
– agent programs at the devices, such as PCs (KASEYA) or Wi-Fi access points (UNIFAS),
– and a web site to manage them,
– as in our beneficial botnet.
• Their devices
– can also communicate with the web site across a NAT, as our agent bots do.
• However, they
– use a specialized web server,
– whereas our beneficial botnet uses a web site running common wiki software.
4. Related Work (6/6)
BotMiner
• Gets the flow information of the network, finds similar communication between hosts, and discriminates communication which seems to be between malicious bots.
• Similar to our beneficial botnet:
– finding similar communication between hosts.
• Different from our beneficial botnet:
– it uses the flow information of the network.
5. Conclusion
• Beneficial botnet
– P2P communication by malware can be detected.
– The use of a DGA can also be detected.
– It has the ability to cope with the new technology of new botnets by rewriting the scripts.
– Currently it is very slow.
• We have to improve the speed for real use of our beneficial botnet.
– We also have to improve the security of our beneficial botnet.
[Figure: an agent bot between the sub-LAN and its NAT/router]
Acknowledgements
• A part of this research was supported by JSPS KAKENHI
Grant Number JP16K00197.
• Pcap4J and the R community.
• Students who helped us to conduct the experiment in this paper.