Analysis of Web-based Bot Malware Infection

ANALYSIS OF WEB-BASED BOT MALWARE
INFECTION



Louena L. Manluctao
East Early College High School
Houston Independent School District





Dr. Guofei Gu
Assistant Professor
Department of Computer Science & Engineering
Director, SUCCESS LAB
Texas A&M University
DR. GUOFEI GU
EDUCATION
• Ph.D. in Computer Science, Georgia Institute of Technology
• M.S. in Computer Science, Fudan University
RESEARCH INTERESTS
• Network and system security such as Internet malware detection, defense, and analysis
• Intrusion detection, anomaly detection
• Network security
• Web and social networking security
SUCCESS LAB
Success Lab Students
PhD
Seungwon Shin
Chao Yang
Zhaoyan Xu
Jialong Zhang
MS
Robert Harkreader
Shardul Vikram
Vijayasenthil VC
Lingfeng Chen
Alumni
Yimin Song (MS, first employment: Juniper Networks)
SEUNGWON SHIN
Network & Web Security
• Botnet Analysis: Conficker
• Seungwon Shin and Guofei Gu. "Conficker and Beyond: A Large-Scale Empirical Study." To appear in Proceedings of the 2010 Annual Computer Security Applications Conference (ACSAC'10), Austin, Texas, December 2010.

SEUNGWON SHIN
Network & Web Security
• Botnet Analysis: Conficker
• Seungwon Shin, Raymond Lin, Guofei Gu. "Cross-Analysis of Botnet Victims: New Insights and Implications." To appear in Proceedings of the 14th International Symposium on Recent Advances in Intrusion Detection (RAID 2011), Menlo Park, California, September 2011.

CHAO YANG
Wireless Security
• Rogue Access Point Detection
• Yimin Song, Chao Yang, Guofei Gu. "Who Is Peeping at Your Passwords at Starbucks? -- To Catch an Evil Twin Access Point." In Proceedings of the 40th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'10), Chicago, IL, June 2010.

CHAO YANG
Social Networking Website Security
• Twitter Spammer Account Detection
• Chao Yang, Robert Harkreader, Guofei Gu. "Die Free or Live Hard? Empirical Evaluation and New Design for Fighting Evolving Twitter Spammers." To appear in Proceedings of the 14th International Symposium on Recent Advances in Intrusion Detection (RAID 2011), Menlo Park, California, September 2011.

ZHAOYAN XU
Malware Analysis
• Analysis of binary code and source code
• Dynamic Analysis
• Static Analysis
• Reverse Engineering
• Protocol Semantics
JIALONG ZHANG
Intrusion Detection Systems
• Enterprise Network Security
• Assisted us with computer terms

APPLIED CRYPTOGRAPHY
The art of secret writing
• Converts data into unintelligible (random-looking) form
• Must be reversible (recover original data without loss or modification)

ENCRYPTION/DECRYPTION
Plaintext: a message in its original form
Ciphertext: a message in the transformed, unrecognized form
Encryption: the process that transforms a plaintext into a ciphertext
Decryption: the process that transforms a ciphertext into the corresponding plaintext
Key: the value used to control encryption/decryption
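The five terms above are easiest to see in working code. The block below is an added example written for this transcript, not material from the presentation or from the SUCCESS Lab: it turns a plaintext into a ciphertext under a key and back again, so the "reversible, without loss or modification" requirement can be checked directly. The keystream construction (SHA-256 over key and block counter, XORed into the message) is an assumption chosen to keep the example dependency-free; the key and message values are constructed for the demo.

```python
import hashlib

# Added illustration of the slide's terms (plaintext, ciphertext, encryption,
# decryption, key). The keystream construction below is an assumption made for
# this example so that it runs with the standard library only.


def keystream(key: bytes, length: int) -> bytes:
    """Key-controlled pseudorandom bytes: the key is the only secret input."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Plaintext -> ciphertext: XOR each byte with the keystream."""
    stream = keystream(key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Ciphertext -> plaintext. XOR is its own inverse, so the same keystream
    undoes the transformation exactly: no loss, no modification."""
    stream = keystream(key, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def round_trips(key: bytes, plaintext: bytes) -> bool:
    """The defining property: decrypting the ciphertext recovers the plaintext."""
    return decrypt(key, encrypt(key, plaintext)) == plaintext


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed value for the demo
    message = b"meet at the usual place"    # constructed plaintext
    ciphertext = encrypt(key, message)
    print("ciphertext (hex):", ciphertext.hex())
    print("round trip ok:", round_trips(key, message))
    print("wrong key recovers plaintext:", decrypt(b"other-key", ciphertext) == message)
```

Two things the code makes visible that the definitions alone do not: the ciphertext is the same length as the plaintext but shares no recognisable bytes with it, and a different key produces different bytes, so the key really is the value that controls both directions. Because the keystream here depends only on the key, encrypting two messages under one key would reuse the same stream; that is why real stream ciphers also take a per-message nonce, and why this construction is for illustration only.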
PROBABILITY AND STATISTICS
RELEVANCE OF THE RESEARCH

To Solve Practical Security Problems
• Internet malware detection, defense, and analysis
• Intrusion detection, anomaly detection
• Network security
• Web and social networking security

To help protect society and the country from threats to national security
RESEARCH ACTIVITY
PURPOSE OF BOTNET TAXONOMY
• Help researchers identify the types of responses that are most effective against botnets
• Design goals:
  assist the defenders in identifying possible types of botnets
  describe key properties of botnet classes
KEY METRICS FOR BOTNET STRUCTURES
BOTNET EFFECTIVENESS
• Estimate of overall utility. Measure the largest number of bots that can receive instructions and participate in an attack.
• Average amount of bandwidth that a bot can contribute, denoted by B.
BOTNET EFFICIENCY
• Network diameter is one means of expressing this efficiency.
• This is the average geodesic length of a network.
BOTNET ROBUSTNESS
• Clustering coefficient measures the average degree of local transitivity.
• The transitivity measure index generally captures the robustness of a botnet.
BOTNET NETWORK MODELS
ERDOS-RENYI RANDOM GRAPH MODELS
• Random graphs are created to avoid creating predictable flows.
• In a random graph, each node is connected with equal probability to the other N-1 nodes.
• The chance that a bot has a degree of k is the binomial distribution:
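The efficiency and robustness metrics from the previous slide (average geodesic length, clustering coefficient) and the Erdos-Renyi degree distribution above are all computable from a plain adjacency structure. The block below is an added example written for this transcript, not code from the presentation or from the SUCCESS Lab: it computes those metrics with breadth-first search on a small constructed graph, generates a seeded G(N, p) random graph in which every pair of the N nodes is linked with equal probability p, and compares the observed degree fractions with the standard binomial result that a node's degree in G(N, p) is Binomial(N-1, p). The toy graph and the parameter values are constructed for the demo; the function names are this example's own.

```python
import math
import random
from collections import deque
from itertools import combinations

# Constructed toy "botnet" graph (added example, not data from the talk):
# nodes are bots, undirected edges are peer links between them.
SAMPLE_GRAPH = {
    0: {1, 2},
    1: {0, 2, 3},
    2: {0, 1, 3},
    3: {1, 2, 4},
    4: {3},
}


def hop_distances(graph, source):
    """Breadth-first search: hop count from source to every reachable node."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def average_geodesic_length(graph):
    """Mean shortest-path length over all ordered pairs of distinct connected
    nodes (the efficiency measure on the slides). None if no pair is connected."""
    total = pairs = 0
    for u in graph:
        for v, d in hop_distances(graph, u).items():
            if v != u:
                total += d
                pairs += 1
    return total / pairs if pairs else None


def diameter(graph):
    """Longest shortest path between any connected pair of nodes."""
    return max(d for u in graph for d in hop_distances(graph, u).values())


def local_clustering(graph, node):
    """Fraction of a node's neighbour pairs that are themselves linked."""
    neigh = graph[node]
    k = len(neigh)
    if k < 2:
        return 0.0
    closed = sum(1 for a, b in combinations(neigh, 2) if b in graph[a])
    return closed / (k * (k - 1) / 2)


def average_clustering(graph):
    """Clustering coefficient of the whole graph: the mean local transitivity
    (the robustness measure on the slides)."""
    return sum(local_clustering(graph, n) for n in graph) / len(graph)


def erdos_renyi(n, p, seed=0):
    """G(n, p): each of the n*(n-1)/2 possible links is present independently
    with probability p. Seeded so that the output is reproducible."""
    rng = random.Random(seed)
    graph = {i: set() for i in range(n)}
    for a, b in combinations(range(n), 2):
        if rng.random() < p:
            graph[a].add(b)
            graph[b].add(a)
    return graph


def binomial_degree_probability(n, p, k):
    """Standard G(n, p) result: a node has n-1 potential neighbours, so its
    degree is Binomial(n-1, p)."""
    return math.comb(n - 1, k) * p ** k * (1 - p) ** (n - 1 - k)


def empirical_degree_fraction(graph, k):
    """Observed fraction of nodes whose degree is exactly k."""
    return sum(1 for node in graph if len(graph[node]) == k) / len(graph)


if __name__ == "__main__":
    print("toy graph: avg geodesic", average_geodesic_length(SAMPLE_GRAPH),
          "diameter", diameter(SAMPLE_GRAPH),
          "clustering", round(average_clustering(SAMPLE_GRAPH), 3))
    n, p = 200, 0.05                      # constructed parameters
    g = erdos_renyi(n, p, seed=42)
    for k in range(0, 21, 4):
        print(f"degree {k:2d}: observed {empirical_degree_fraction(g, k):.3f}"
              f"  binomial {binomial_degree_probability(n, p, k):.3f}")
```

On the toy graph the average geodesic length is 1.5 hops with a diameter of 3, and the clustering coefficient is 8/15: node 0 sits in a closed triangle (local value 1.0) while the leaf node 4 contributes 0. Running the random-graph comparison shows the observed degree fractions tracking the binomial values, which is the point of the slide: with uniform link probability a defender can predict how many peers a typical bot keeps, but, because the links are random, not which ones.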
Acknowledgements
Texas A&M University
Dr. Guofei Gu
National Science Foundation
Nuclear Power Institute
Chevron
Texas Workforce Commission
Wilber Rivas, Math Teacher, Del Rio High School
Chao Yang, PhD Student
Jialong Zhang, PhD Student