Transcript: Slide 1
Exploiting Temporal Persistence to
Detect Covert Botnet Channels
Authors: Frederic Giroire, Jaideep
Chandrashekar, Nina Taft…
RAID 2009
Reporter: Jing Chiu
Email: [email protected]
2016/4/9
Data Mining & Machine Learning Lab
1
Outline
• Introduction
• Methodology
• Dataset Description
• Evaluation
• Conclusions
Introduction
• How do bots evade existing defenses?
▫ Polymorphic engines
▫ Packing engines
▫ AV vendors report 3000 distinct samples daily
• Anomaly detection methods for botnets
▫ Use traffic feature distributions for analysis
▫ Detect bots only once they are activated to generate attacks
▫ Latency exists between infection and activation
• Covert channel between bots and the C&C server
▫ Lasts for an extended period
▫ Lightweight and spaced out over irregular time periods
Methodology
• Assumptions
▫ Communication between Zombie and C&C server
is not limited to a few connections
▫ Zombie is not programmed to use a completely
new C&C server at each new attempt
• Persistence and destination atoms
▫ Destination atoms for building white lists
▫ Persistence for lightweight repetition
Methodology (cont.)
• Why use white lists?
▫ The set of hosts a user regularly communicates with is small and stable
Examples:
Work-related, news and entertainment websites
Mail servers, update servers, patch servers, RSS feeds
Advantages:
Fast lookup
Easy to manage
▫ These hosts require infrequent updating
Methodology (cont.)
• Destination atoms
▫ (dstService, dstPort, proto)
▫ Different domains: second level domain name
Yahoo.com, cisco.com
▫ The same domains: third level domain name
Mail.intel.com, print.intel.com
▫ Multiple ports are allowed
(ftp.service.com, 21:>1024, tcp)
▫ When address cannot be mapped to names, use
IP address as service name
▫ Examples
Methodology (cont.)
• Persistence metric
▫ d: destination atom
▫ W = [s1, s2, …, sn]
▫ W: observation window; si: measurement window
▫ Persistence of d over W is the fraction of measurement windows in which d is contacted:
$$p(d, W) = \frac{1}{n} \sum_{i=1}^{n} 1_{d, s_i}$$
(where $1_{d, s_i}$ is 1 if d is contacted during $s_i$, else 0)
▫ Timescale: (W, s)
▫ For each timescale (Wj, sj), 1 ≤ j ≤ k, compute $p^{(j)}(d)$; d is persistent when the maximum over timescales crosses the threshold $p^*$:
$$\max_{1 \le j \le k} p^{(j)}(d) \ge p^*$$
Methodology (cont.)
• C&C Detection Implementation
▫ Use a long bitmap to track connections to each atom at each
timescale (one bit per measurement window)
▫ Procedure
Update the bitmap, then recount persistence
If the updated persistence crosses the threshold p*, raise an
alarm
After enough samples, if the persistence stays below the
threshold, free the bitmap
• Bitmap example
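The persistence metric and the bitmap-based detection procedure above, as an added worked example (not code from the paper or the slides). It assumes two constructed timescales (1 h split into 10 min windows, 2 h split into 30 min windows), constructed sample flows, and p* = 0.6 from the evaluation slides; the beacon atom is only caught at the coarser timescale, which is why the metric takes the maximum over timescales.

```python
from typing import List, Set, Tuple

Atom = Tuple[str, str, str]   # (dstService, dstPort, proto), as defined on the slides
Flow = Tuple[int, Atom]       # (timestamp in seconds, destination atom)

# Assumed timescales (W, s): observation window W split into n = W // s measurement windows.
TIMESCALES = [(3600, 600), (7200, 1800)]
P_STAR = 0.6   # persistence threshold used on the evaluation slides

def bitmap(flows: List[Flow], atom: Atom, start: int, s: int, n: int) -> List[int]:
    """Bit i is 1 if the atom was contacted at least once in measurement window s_i."""
    bits = [0] * n
    for ts, a in flows:
        i = (ts - start) // s
        if a == atom and 0 <= i < n:
            bits[i] = 1
    return bits

def persistence(bits: List[int]) -> float:
    """p(d, W) = (1/n) * sum_{i=1..n} 1_{d, s_i}, i.e. the fraction of set bits."""
    return sum(bits) / len(bits)

def max_persistence(flows: List[Flow], atom: Atom, start: int) -> float:
    """p(d) = max_j p^{(j)}(d) over the configured timescales (W_j, s_j)."""
    return max(persistence(bitmap(flows, atom, start, s, W // s)) for W, s in TIMESCALES)

def build_whitelist(training: List[Flow], start: int) -> Set[Atom]:
    """Atoms that are persistent during benign training traffic form the whitelist."""
    atoms = {a for _, a in training}
    return {a for a in atoms if max_persistence(training, a, start) >= P_STAR}

def detect(monitored: List[Flow], whitelist: Set[Atom], start: int) -> List[Atom]:
    """Raise an alarm for every non-whitelisted atom whose persistence crosses p*."""
    atoms = {a for _, a in monitored} - whitelist
    return sorted(a for a in atoms if max_persistence(monitored, a, start) >= P_STAR)

# Constructed sample traffic (not from the paper): a mail client polling every
# 10 min, an occasionally visited news site, and a lightweight beacon every
# ~25 min to an address that cannot be resolved, so the IP is the service name.
MAIL = ("mail.example.com", "993", "tcp")
NEWS = ("news.example.com", "443", "tcp")
BEACON = ("203.0.113.7", "8080", "tcp")
TRAINING = [(t, MAIL) for t in range(0, 7200, 600)] + [(100, NEWS), (2000, NEWS)]
MONITORED = TRAINING + [(t, BEACON) for t in (300, 1800, 3300, 4800, 6300)]

def run_example() -> List[Atom]:
    """Train the whitelist on benign traffic, then monitor traffic that includes the beacon."""
    whitelist = build_whitelist(TRAINING, 0)   # {MAIL}: NEWS only reaches p = 0.5
    return detect(MONITORED, whitelist, 0)     # returns [BEACON]
```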
Dataset Description
• End host traffic traces
▫ Collected at the hosts of 350 enterprise users
▫ Over 5 weeks
▫ Use 157 of the 350 traces, covering a common 4-week period
• Botnet traffic traces
▫ Collected 55 known botnet binaries
▫ Executed inside a Windows XP SP2 VM and run for as long
as a week
▫ Experience
A lot of binaries simply crashed the VM
C&C deactivated
Only 27 binaries yielded traffic
12 of the 27 binaries yielded traffic that lasted more than a day
List of sampled botnet binaries
Evaluation
• System Properties
▫ Figure: CDF of p(d) across all the atoms seen in training data
▫ Figure: Distribution of per-host whitelist sizes (p* = 0.6)
Evaluation
• C&C Detection
▫ Figure: ROC curve
▫ Figure: False positives across users (p* = 0.6)
• Other results
Evaluation
• Improvement in detection rate after filtering
Conclusions
• Introduced “persistence” as a temporal measure
of regularity in connections to “destination atoms”
• Persistence can help detect malware without
▫ protocol semantics
▫ payloads
• Proposed a method for detecting C&C servers that
had no false negatives in the experiments
• Both centralized and P2P infrastructures can be
uncovered by this method
• Low overhead and low user annoyance factor
Destination atoms
Bitmap Example
List of botnet binaries
C&C detection result