PowerPoint - ShareCourse

2013 10th IEEE International Conference on Networking, Sensing and Control (ICNSC)
102064535 黃川洁
1/25
Outline
- INTRODUCTION
- BOTNET LIFE CYCLE
- BOTNET ARCHITECTURES
- DETECTION OF BOTNET ATTACK
- PREVENTION & MITIGATION OF BOTNET
- FUTURE PROSPECTS
- CONCLUSION
2/25
INTRODUCTION-1
- A botnet is a large network of compromised computers (zombies) controlled by an attacker and used to attack other computer systems for malicious purposes.
- Early examples of remote-control malware: NetBus and BackOrifice2000.
- Several techniques exist for botnet attack detection:
  - data mining, fuzzy logic over statistical data, anomaly-based, and structure-based detection
3/25
INTRODUCTION-2
- A testbed environment for botnet research should meet the following requirements:
  - the ability to test a variety of bot types (both known and unknown), deployed on a variety of standard operating systems
  - the ability to run experiments in a secure mode, i.e. one that poses no threat to the wider Internet
  - the ability to build flexible and realistic botnet technologies and configurations
  - the ability to run experiments at scale and under realistic conditions
4/25
BOTNET LIFE CYCLE-1
- First, the bot infects a computer.
- It then drops a small piece of code onto the host, delivered over File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Peer to Peer (P2P), or a combination of HTTP and P2P (HTTP2P).
- When the user connects to the Internet, the code runs automatically and establishes a connection to the Command & Control (C&C) server.
5/25
BOTNET LIFE CYCLE-2
- The bot-master commands and controls the zombie computers through the C&C server.
- To stay hidden and active, the botnet uses Dynamic DNS (DDNS), so the C&C server can change address without the bots losing it, and keeps the zombies updated so they remain available for use.
6/25
BOTNET ARCHITECTURES
- Centralized Botnet Architecture
- Peer to Peer (P2P) Botnet Architecture
- Hybrid Botnet Architecture
- Hypertext Transfer Protocol Peer to Peer (HTTP2P) Botnet Architecture
7/25
Centralized Botnet Architecture
8/25
Peer to Peer (P2P) Botnet Architecture
9/25
Hybrid Botnet Architecture
10/25
Hypertext Transfer Protocol Peer to Peer (HTTP2P) Botnet Architecture
- Pure P2P is exposed to Sybil attacks
  Sybil attack: an attacker subverts the reputation system of a P2P network by creating a large number of pseudonymous identities and using them to gain a disproportionately large influence. (TWCERT/CC)
- HTTP2P combines HTTP and P2P
- It is harder to detect, because it passes through firewalls by using the client-server (HTTP) traffic pattern
- Messages are encrypted
- The Soldier-Bot does not contact the Supervisor-Bot or other soldier-bots on its own; it waits for a call from its supervisor.
11/25
Comparison of the four architectures (translated from the slide; the Management and Monitoring/healing rows list only three entries on the slide, so their fourth cell is left blank):

Property                 Centralized  P2P     Hybrid  HTTP2P
Stealth                  Low          High    High    High
Encryption               None         Yes     Yes     Yes
Management               Easy         Hard    Hard
Detection                Easy         Harder  Harder  Hard
Blocking                 Easy         Harder  Harder  Hard
Monitoring and healing*  Easy         Hard    Easier

* for the Supervisor-bot
12/25
DETECTION OF BOTNET ATTACK
- Structure-Based Detection
- Signature-Based Detection
- DNS-Based Detection
- Behavior-Based Detection
- Anomaly-Based Detection
- Communication Pattern of Botnet
13/25
Signature Based Detection
- The first and most widely used approach
- Only effective against already-known botnets
- Two ways:
  - a list of IRC nicknames, with n-gram analysis applied to them
  - a list of known IP addresses
- Other systems: Honeynets, honeypots, and Snort
- Low cost and no false positives for the signatures it knows
14/25
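The nickname n-gram idea from the slide, worked through as an added example (this is not code from the survey or the slides). The bot nickname list, the digit-generalizing "shape" step and the 0.8 threshold are constructed assumptions for illustration; the point it demonstrates is the slide's own caveat that a signature only catches what it has already seen.

```python
"""Signature-style matching of IRC nicknames with character n-grams.

Added example, not code from the survey or the slides. KNOWN_BOT_NICKS and
the 0.8 threshold are constructed for illustration."""

# Constructed signature list: nicknames observed on known bots. The pattern
# (country code, separator, digits) is typical of early IRC bots.
KNOWN_BOT_NICKS = ["USA|00123", "DEU|77421", "USA|90011", "FRA|18305", "[XP]-45012"]


def shape(gram):
    """Generalize digits so '|00' and '|77' become the same gram; letters
    and punctuation stay literal so ordinary names do not match by accident."""
    return "".join("9" if c.isdigit() else c for c in gram)


def ngrams(text, n=3):
    """Set of shape-generalized, lower-cased character n-grams of a nickname."""
    text = text.lower()
    return {shape(text[i:i + n]) for i in range(len(text) - n + 1)}


def nick_profile(nicks, n=3):
    """Union of the n-grams of every known bot nickname: the 'signature'."""
    return set().union(*(ngrams(nick, n) for nick in nicks))


def score(nick, profile, n=3):
    """Fraction of the nickname's n-grams that occur in the bot profile."""
    grams = ngrams(nick, n)
    return len(grams & profile) / len(grams) if grams else 0.0


def classify(nicks, known=KNOWN_BOT_NICKS, threshold=0.8, n=3):
    """Return {nickname: is_bot} for a list of nicknames seen on an IRC channel."""
    profile = nick_profile(known, n)
    return {nick: score(nick, profile, n) >= threshold for nick in nicks}


if __name__ == "__main__":
    # Constructed channel roster: one bot using a known pattern, one human,
    # one bot with an unseen country code that the signature misses.
    for nick, hit in classify(["USA|55555", "alice", "GBR|12345"]).items():
        print(f"{nick:12s} bot={hit}")
```

Running it flags `USA|55555` (every gram is in the profile), leaves `alice` alone, and misses `GBR|12345`: the unseen prefix shares only the `|99` and `999` grams with the profile, scoring 0.4. That miss is exactly the "only already-known botnets" limitation the slide states.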
DNS Based Detection-1
- Bots use DNS queries to locate their C&C server, so DNS traffic can expose them.
- In 2004-05, approaches were proposed to detect botnet domain names by unusually high or temporarily intense DDNS query rates.
- In the following year, an approach based on abnormally recurring NXDOMAIN reply rates was proposed.
15/25
DNS Based Detection-2
- Passive analysis of DNS-based Blackhole List (DNSBL) lookup traffic (bot-masters look up their own bots to check whether they have been blacklisted)
- Two problems:
  - high false positive rate
  - cannot detect lookups that are distributed across many hosts
- Hyunsang Choi et al.: detection by monitoring group activities in DNS traffic
16/25
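Two of the DNS heuristics from the preceding slides, the recurring-NXDOMAIN rate and the group activity of many hosts resolving the same name, run over a constructed resolver log. This is an added example, not code from the survey or any of the cited papers; the log format (`epoch client qname rcode`), the window sizes and the thresholds are assumptions chosen for illustration, and real resolvers log in their own formats.

```python
"""Toy DNS-log detectors for two DNS-based heuristics.

Added example (not from the survey or the slides). The log format and the
thresholds are assumptions chosen for illustration."""
from collections import defaultdict, deque

# Constructed resolver log: "<epoch_seconds> <client_ip> <qname> <rcode>".
# 10.0.0.7 burns through generated names (NXDOMAIN) before finding its C&C;
# later, four more hosts resolve the same C&C name within seconds of each other.
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com NOERROR
1001 10.0.0.7 a9f3k2.example.net NXDOMAIN
1002 10.0.0.7 q1z8p0.example.net NXDOMAIN
1003 10.0.0.7 m7c4v2.example.net NXDOMAIN
1004 10.0.0.7 t2r9x1.example.net NXDOMAIN
1005 10.0.0.7 cnc-live.example.net NOERROR
1006 10.0.0.9 mail.example.com NOERROR
1100 10.0.0.5 update.example.org NXDOMAIN
1200 10.0.0.5 cdn.example.com NOERROR
1300 10.0.0.12 cnc-live.example.net NOERROR
1301 10.0.0.13 cnc-live.example.net NOERROR
1302 10.0.0.14 cnc-live.example.net NOERROR
1303 10.0.0.15 cnc-live.example.net NOERROR
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, client, qname, rcode) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, rcode = line.split()
        records.append((int(ts), client, qname.lower(), rcode))
    return records


def nxdomain_alerts(records, window=60, threshold=3):
    """Clients that receive more than `threshold` NXDOMAIN replies inside any
    `window`-second sliding window (the 'abnormally recurring NXDOMAIN' idea).
    Returns {client: peak_nxdomain_count_in_a_window}."""
    recent = defaultdict(deque)  # client -> timestamps of recent NXDOMAIN replies
    peaks = {}
    for ts, client, _qname, rcode in sorted(records):
        if rcode != "NXDOMAIN":
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks


def group_activity_domains(records, window=10, min_clients=3):
    """Names successfully resolved by at least `min_clients` distinct clients
    within `window` seconds: a crowd of hosts asking for the same name at the
    same moment is the group behaviour a C&C rendezvous domain produces.
    Returns {qname: max_distinct_clients_in_a_window}."""
    by_domain = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NOERROR":
            by_domain[qname].append((ts, client))
    flagged = {}
    for qname, hits in by_domain.items():
        hits.sort()
        best = 0
        for i, (ts, _client) in enumerate(hits):
            clients = {c for t, c in hits[i:] if t - ts <= window}
            best = max(best, len(clients))
        if best >= min_clients:
            flagged[qname] = best
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("NXDOMAIN bursts:", nxdomain_alerts(recs))
    print("Group lookups:  ", group_activity_domains(recs))
```

The two functions answer different questions: the first looks at one client's failure rate (10.0.0.5's single NXDOMAIN at 1100 stays under the threshold, 10.0.0.7's four in four seconds do not), the second looks across clients for the same name (`cnc-live.example.net`, four hosts in four seconds). The false-positive problem from the slide is visible in the parameters themselves: a misconfigured mail server or a popular CDN name would trip either rule unless the window and threshold are tuned against the network's own baseline.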
Anomaly Based Detection-1
- Looks for high network latency, high traffic volumes, traffic on unusual ports, and unusual system behaviour
- Cannot detect a botnet in sleeping (dormant) mode, since a dormant bot produces no anomaly
- Binkley and Singh addressed this by combining TCP-based anomaly detection with IRC tokenization and IRC message statistics in one system
17/25
Anomaly Based Detection-2
- Gu et al. proposed BotSniffer
  - detects botnet C&C channels
  - in a local area network
  - low false positive rate
- Basheer Al-Duwairi and Lina Al-Ebbini proposed BotDigger
  - based on fuzzy logic
  - does not depend on a specific pattern
  - described as the most reliable and flexible approach
18/25
Communication Pattern of Botnet -1
- Cyber security defenders examine the communication characteristics between a Supervisor-Bot and a Soldier-Bot at the transport layer (TCP or UDP).
- Defenders check the source and destination IP addresses, ports, and protocol identifier.
- Static characteristics:
  - header fields
- Dynamic characteristics:
  - arrival, departure, throughput, and burst time of the payload
19/25
Communication Pattern of Botnet-2
- Select a precise set of characteristics and define each unique flow as an object
- Comparing an object with other objects yields more information than inspecting it alone
- As botnets evolve, their traffic is encrypted, so less of it can be inspected
- Data mining techniques are applied to that limited data to overcome the problem
20/25
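The "unique flow as an object" idea from the two communication-pattern slides, with the static header fields as the flow key and the dynamic timing and size features derived from it, worked as an added example (not code from the survey). It also shows why the approach survives encryption: nothing below looks at payload content, only at when and how much was sent. The packet records, the 5-tuple key and the beacon thresholds are constructed assumptions for illustration.

```python
"""Building flow objects from packet records and scoring them for C&C-like
beaconing.

Added example for the 'communication pattern' slides; it is not code from the
survey. The packet records, the 5-tuple flow key and the beacon thresholds are
constructed assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed packet records: (time_s, src_ip, src_port, dst_ip, dst_port, proto, payload_bytes).
SAMPLE_PACKETS = [
    # A soldier-bot at 10.0.0.7 checking in with its supervisor every ~30 s.
    (0.0,   "10.0.0.7", 51000, "203.0.113.9", 6667, "TCP", 64),
    (30.1,  "10.0.0.7", 51000, "203.0.113.9", 6667, "TCP", 64),
    (60.0,  "10.0.0.7", 51000, "203.0.113.9", 6667, "TCP", 66),
    (89.9,  "10.0.0.7", 51000, "203.0.113.9", 6667, "TCP", 64),
    (120.0, "10.0.0.7", 51000, "203.0.113.9", 6667, "TCP", 64),
    # Ordinary HTTPS browsing from 10.0.0.5: bursty timing, variable sizes.
    (1.0,  "10.0.0.5", 52000, "198.51.100.4", 443, "TCP", 517),
    (1.2,  "10.0.0.5", 52000, "198.51.100.4", 443, "TCP", 1400),
    (1.25, "10.0.0.5", 52000, "198.51.100.4", 443, "TCP", 1400),
    (7.8,  "10.0.0.5", 52000, "198.51.100.4", 443, "TCP", 300),
    (40.0, "10.0.0.5", 52000, "198.51.100.4", 443, "TCP", 900),
]


@dataclass
class Flow:
    """One unique flow as an object: static header fields plus dynamic features."""
    # Static characteristics (taken from the packet headers).
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    # Dynamic characteristics are derived from these per-packet observations.
    times: list
    sizes: list

    @property
    def packets(self):
        return len(self.times)

    @property
    def total_bytes(self):
        return sum(self.sizes)

    @property
    def duration(self):
        return self.times[-1] - self.times[0]

    @property
    def throughput(self):
        """Bytes per second over the flow's lifetime."""
        return self.total_bytes / self.duration if self.duration > 0 else float(self.total_bytes)

    @property
    def interarrivals(self):
        return [later - earlier for earlier, later in zip(self.times, self.times[1:])]

    @property
    def periodicity(self):
        """Coefficient of variation of inter-arrival times; close to 0 means the
        payloads arrive on a fixed schedule, i.e. a beacon. None if undefined."""
        gaps = self.interarrivals
        if len(gaps) < 2 or mean(gaps) == 0:
            return None
        return pstdev(gaps) / mean(gaps)


def build_flows(packets):
    """Group packets into Flow objects keyed by the 5-tuple (src, sport, dst, dport, proto)."""
    buckets = defaultdict(lambda: ([], []))
    for ts, src, sport, dst, dport, proto, size in sorted(packets):
        times, sizes = buckets[(src, sport, dst, dport, proto)]
        times.append(ts)
        sizes.append(size)
    return [Flow(*key, times=t, sizes=s) for key, (t, s) in buckets.items()]


def suspicious_flows(flows, min_packets=4, max_cv=0.05, max_payload=128):
    """Flows that look like C&C beacons: several small payloads, evenly spaced.
    The thresholds are assumptions for this example, not values from the survey."""
    return [
        f for f in flows
        if f.packets >= min_packets
        and f.periodicity is not None and f.periodicity <= max_cv
        and max(f.sizes) <= max_payload
    ]


if __name__ == "__main__":
    for f in suspicious_flows(build_flows(SAMPLE_PACKETS)):
        print(f"beacon-like: {f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto} "
              f"packets={f.packets} bytes={f.total_bytes} cv={f.periodicity:.3f}")
```

Comparing flow objects against each other is where the real signal is: the bot's flow has a coefficient of variation near zero and a near-constant payload size, while the browsing flow's gaps range from 50 ms to 32 s. This is also the gap the anomaly-based slides point out: a bot in sleeping mode produces no flow at all, so nothing here can see it until it checks in.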
PREVENTION & MITIGATION OF BOTNET
- In 2007, Collins et al. worked on predicting future botnet addresses from the "uncleanliness" of networks:
  - spatial (compromised hosts tend to cluster)
  - temporal (networks tend to contain compromised hosts for an extended period)
- Alex Brodsky et al. proposed a distributed, content-independent spam classification system to defend against botnet-generated spam.
- Trend Micro provided Botnet Identification services:
  - a real-time address list of botnet C&C servers and bot-masters
21/25
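A simplified computation of the two notions the slide attributes to Collins et al., spatial clustering and temporal persistence of compromised hosts per network block, as an added example. It is not the paper's metric or code: the report format, the /24 block size, the way the two quantities are combined and the watch-list thresholds are all assumptions for illustration.

```python
"""Simplified 'uncleanliness' scoring in the spirit of the Collins et al. (2007)
idea summarized on the slide.

Added example, not the paper's metric or code: the report format, the block
size (/24) and the scoring are assumptions for illustration."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed daily reports of hosts seen behaving as bots: (day_index, ip).
# 192.0.2.0/24 keeps producing new bots every day; the other two blocks each
# show a single host, one of them twice.
SAMPLE_REPORTS = [
    (1, "192.0.2.10"), (1, "192.0.2.11"), (1, "198.51.100.7"),
    (2, "192.0.2.12"), (2, "192.0.2.10"),
    (3, "192.0.2.40"), (3, "203.0.113.5"),
    (4, "192.0.2.11"), (4, "192.0.2.77"),
    (5, "192.0.2.10"), (5, "198.51.100.7"),
]


def block_of(ip, prefixlen=24):
    """Network block an address belongs to, e.g. '192.0.2.10' -> '192.0.2.0/24'."""
    return str(ip_network(f"{ip}/{prefixlen}", strict=False))


def uncleanliness(reports, prefixlen=24):
    """Per block: spatial = number of distinct compromised hosts seen in the
    block; temporal = fraction of observation days on which the block had at
    least one compromised host. Returns {block: (spatial, temporal)}."""
    days = {day for day, _ in reports}
    hosts = defaultdict(set)
    active_days = defaultdict(set)
    for day, ip in reports:
        block = block_of(ip, prefixlen)
        hosts[block].add(ip)
        active_days[block].add(day)
    return {b: (len(hosts[b]), len(active_days[b]) / len(days)) for b in hosts}


def rank_blocks(reports, prefixlen=24):
    """Blocks ordered most-unclean first: spatial count weighted by persistence
    (the product is an illustrative combination, not the paper's)."""
    scores = uncleanliness(reports, prefixlen)
    return sorted(scores, key=lambda b: scores[b][0] * scores[b][1], reverse=True)


def predicted_watchlist(reports, min_spatial=3, min_temporal=0.6):
    """Blocks whose history suggests they will keep producing bots; a defender
    would pre-position monitoring or stricter filtering on these addresses."""
    return [b for b, (spatial, temporal) in uncleanliness(reports).items()
            if spatial >= min_spatial and temporal >= min_temporal]


if __name__ == "__main__":
    for block in rank_blocks(SAMPLE_REPORTS):
        spatial, temporal = uncleanliness(SAMPLE_REPORTS)[block]
        print(f"{block:18s} hosts={spatial} active_days={temporal:.1f}")
    print("watch:", predicted_watchlist(SAMPLE_REPORTS))
```

On the constructed data, 192.0.2.0/24 shows five distinct bots and is active on every observed day, so it heads the ranking and is the only block on the watch list; 198.51.100.0/24 has one recurring host (temporal 0.4) and 203.0.113.0/24 a one-off. The prediction value is in the rows that do not yet contain a reported address but share a persistently unclean block.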
FUTURE PROSPECTS-1
- Some of the steps to be taken to study the mind of the supervisor-bot:
  - Build a data warehouse of known bots for future data mining, and design an algorithm that uses that data to mitigate attacks.
  - Honeypot-based defence is popular and widely used; it is predicted that one day supervisor-bots will equip their bots with a mechanism to detect honeypots.
22/25
FUTURE PROSPECTS-2
- Build anti-bot application software that works against botnet attacks the way antivirus works against viruses.
- Develop new testbeds that allow testing in large-scale networks, in either open or closed environments.
- Botnet sample code is required for analysis, but criminals do not want their malware examined, and cyber defenders hesitate to share samples with untrusted parties.
23/25
CONCLUSION
- In this survey we analyzed the protocols used by Supervisor-bots and how they evolved over time, how cyber defenders have proposed and built detection for attacks from known and unknown botnets, and the ideas and techniques offered for prevention and mitigation. Unfortunately, for prevention and mitigation, no sufficient work has been done so far.
24/25
25/25