Botnet Detection by Monitoring Similar Communication Patterns
4/2/2016
林佳宜
NTOU CSIE
[email protected]

Reference
• Hossein Rouhani Zeidanloo, Azizah Bt Abdul Manaf, "Botnet Detection by Monitoring Similar Communication Patterns", (IJCSIS) International Journal of Computer Science and Information Security, Vol. 7, No. 3, 2010.

Outline
• Introduction
• Detection framework
• Components
• Conclusions

Introduction
• Botnets are among the most widespread and commonly occurring elements of today's cyber attacks
• In this paper
  ▫ a taxonomy of Botnet C&C channels is provided
  ▫ a detection framework is proposed which focuses on P2P based and IRC based Botnets
• A Botnet has been defined as a group of bots
  ▫ that perform similar communication and malicious activity

Botnet Communication topologies
• Two different models
  ▫ Centralized model, Decentralized model
• Centralized model
  ▫ Botnet based on IRC
  ▫ Botnet based on HTTP
• Decentralized model
  ▫ Botnet based on P2P

Detection framework

Filtering
• Filtering is used to reduce the traffic workload
• In C1, destinations that are unlikely to be Botnet C&C servers are recognized and filtered out
  - using the top 500 websites on the web (Alexa)
• In C2, TCP flows whose three-way handshake was not completely established are filtered out

Application classifier [1/2]
• Responsible for separating IRC and HTTP traffic
• For detecting IRC traffic
  ▫ inspect the contents of each packet
  ▫ match the defined strings
    - NICK, PASS, USER, JOIN, OPER, PRIVMSG
• For detecting HTTP traffic
  ▫ HTTP uses the client-server model
  ▫ Three common HTTP methods
    - HTTP requests contain "GET", "POST" or "HEAD"

Application classifier [2/2]
• After filtering out HTTP and IRC traffic
  ▫ the remaining traffic has some probability of containing P2P traffic
• General P2P traffic is identified in the remaining traffic
  ▫ using BLINC
    - no access to packet payload
    - no knowledge of port numbers

Traffic Monitoring [1/3]
• Analyzing flow characteristics
• Finding similarities among the botnet hosts
• Record some information on each flow
  - using the Audit Record Generation and Utilization System (ARGUS)
  - over a specified period of time, which is 6 hours

Traffic Monitoring [2/3]
• Flows with the same SIP, DIP, Dport and the same Pr (TCP or UDP) are marked
• For each network flow (row) we calculate
  - Average number of bytes per second (nbps) = Number of bytes / Duration
  - Average number of bytes per packet (nbpp) = Number of bytes / Number of packets
• Insert these two new values (nbps and nbpp), together with the SIP and DIP of the marked flows, into another database

Traffic Monitoring [3/3]
• We might end up with a set of databases
• For each database we can draw a graph
  ▫ (X, Y) = (bpp, bps)
  ▫ The next step is comparing the different x-y graphs
    - graphs that are similar to each other are clustered in the same category
    - the list of SIP addresses is recorded and passed to the next step for analysis
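The nbps/nbpp computation and graph comparison from the Traffic Monitoring slides (the same per-flow values the Monitoring and Clustering and Flows Analyzer slides reuse), worked as an added example in Python; this is not code from the paper or the presenter. The flow records are constructed, and the similarity test on mean nbps and mean nbpp is an assumed stand-in for the slide's visual graph comparison.

```python
from collections import defaultdict
from statistics import mean

# Constructed flow records in the shape ARGUS would summarise; not real captures.
# Fields: (SIP, DIP, Dport, Pr, bytes, packets, duration in seconds)
FLOWS = [
    ("10.0.0.5", "198.51.100.7", 6667, "tcp", 1200, 12, 60.0),
    ("10.0.0.5", "198.51.100.7", 6667, "tcp", 1180, 12, 59.0),
    ("10.0.0.5", "198.51.100.7", 6667, "tcp", 1220, 12, 61.0),
    ("10.0.0.9", "198.51.100.7", 6667, "tcp", 1210, 12, 60.5),
    ("10.0.0.9", "198.51.100.7", 6667, "tcp", 1190, 12, 59.5),
    ("10.0.0.9", "198.51.100.7", 6667, "tcp", 1230, 12, 61.0),
    ("10.0.0.22", "203.0.113.10", 443, "tcp", 90000, 80, 3.0),  # ordinary web client
    ("10.0.0.22", "203.0.113.10", 443, "tcp", 250000, 200, 10.0),
]

def flow_features(flow):
    """nbps and nbpp exactly as defined on the slide; degenerate flows give 0.0."""
    nbytes, npkts, duration = flow[4], flow[5], flow[6]
    nbps = nbytes / duration if duration > 0 else 0.0
    nbpp = nbytes / npkts if npkts > 0 else 0.0
    return nbps, nbpp

def similar(points_a, points_b, tolerance=0.15):
    """Assumed stand-in for the slide's visual comparison: mean nbps and mean nbpp agree within tolerance."""
    for axis in (0, 1):
        x, y = mean(p[axis] for p in points_a), mean(p[axis] for p in points_b)
        if abs(x - y) > tolerance * max(abs(x), abs(y), 1e-9):
            return False
    return True

def cluster_similar_hosts(flows, tolerance=0.15):
    """Mark flows sharing SIP, DIP, Dport and Pr (one 'database' each), cluster similar databases, return SIP lists of clusters with more than one host."""
    groups = defaultdict(list)
    for f in flows:
        groups[f[:4]].append(flow_features(f))
    keys, assigned, clusters = list(groups), set(), []
    for i, key in enumerate(keys):
        if key in assigned:
            continue
        members = {key[0]}
        assigned.add(key)
        for other in keys[i + 1:]:
            if other not in assigned and similar(groups[key], groups[other], tolerance):
                members.add(other[0])
                assigned.add(other)
        if len(members) > 1:
            clusters.append(sorted(members))
    return clusters
```

On the constructed flows, the two hosts with near-identical IRC-port flow graphs end up in one cluster while the web client stays a singleton and is dropped.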

Two similar graphs based on data

Malicious Activity Detector
• Analyze the outbound traffic from the network
  ▫ try to detect the possible malicious activities of the internal machines
• Most common and efficient malicious activities
  ▫ Scanning, Spamming
• For detecting "scanning", the solution used in this part is
  ▫ Statistical sCan Anomaly Detection Engine (SCADE)
    - Inbound Scan Detection (ISD)
    - Outbound Scan Detection (OSD)

Spam-related Activities [1/2]
• Spam is known as Unsolicited Bulk Email
  ▫ Storm Worm, a P2P Botnet, is used for sending spam
• More than 95% of email on the internet is spam
• A common approach for detecting spam
  ▫ use of a DNS Blacklist / Black Hole List (DNSBL)
  ▫ a list of spam senders' IP addresses and SMTP servers

Spam-related Activities [2/2]
• An indication of possible malicious activity
  ▫ the same client using many different external mail servers many times
• Inspecting outgoing traffic from our network
  ▫ recording the SIP and DIP of those flows
  ▫ whose dport is 25 (SMTP) or 587 (Submission)
• Conclude which internal host is behaving unusually
  ▫ sending many emails to different or the same mail servers
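The spam-related check on this slide as an added example, not code from the paper: outgoing flows with dport 25 or 587 are recorded by SIP and DIP, and internal hosts that contact unusually many mail servers (or make unusually many mail connections) are reported. The flow records and both thresholds are constructed assumptions.

```python
from collections import defaultdict

MAIL_PORTS = {25, 587}  # SMTP and Submission, the dports the slide records

# Constructed outbound flow records (SIP, DIP, Dport); not real traffic.
OUTBOUND = [
    ("10.0.0.5", "198.51.100.20", 25),
    ("10.0.0.5", "198.51.100.21", 25),
    ("10.0.0.5", "198.51.100.22", 587),
    ("10.0.0.5", "198.51.100.23", 25),
    ("10.0.0.5", "198.51.100.20", 25),
    ("10.0.0.5", "198.51.100.24", 25),
    ("10.0.0.8", "192.0.2.10", 587),    # normal client: only its own submission server
    ("10.0.0.8", "192.0.2.10", 587),
    ("10.0.0.9", "203.0.113.80", 443),  # not mail traffic, ignored
]

def mail_activity(flows):
    """Record, per internal SIP, how many mail connections it made and to which DIPs."""
    connections = defaultdict(int)
    servers = defaultdict(set)
    for sip, dip, dport in flows:
        if dport in MAIL_PORTS:
            connections[sip] += 1
            servers[sip].add(dip)
    return {sip: (connections[sip], frozenset(servers[sip])) for sip in servers}

def flag_unusual_senders(flows, max_servers=3, max_connections=50):
    """Hosts contacting more than max_servers distinct mail servers, or making more than
    max_connections mail connections, are reported with the servers they used.
    Both thresholds are illustrative assumptions, not values from the paper."""
    suspects = {}
    for sip, (count, dips) in mail_activity(flows).items():
        if len(dips) > max_servers or count > max_connections:
            suspects[sip] = sorted(dips)
    return suspects
```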

Monitoring and Clustering
• The objective is detection of IRC based Botnets
• Using ARGUS for monitoring flows
  - for each network flow we calculate nbps and nbpp

Flows Analyzer
• The Flows Analyzer is responsible for looking for a group of databases that are similar to each other
• After finding similar databases
  ▫ we have to take a record of the SIP addresses of those hosts
  ▫ and send them on as a group of bots that belong to an IRC based Botnet

Conclusions
• We proposed a new general detection framework
  ▫ which focuses on P2P based and IRC based Botnets
• Botnets have been defined as a group of bots
  ▫ that perform similar communication
  ▫ and malicious activity patterns within the same Botnet
• Future work: add a unique detection method for HTTP
  ▫ to make it one general system for detection of Botnets
Thanks for Your Attention
Q&A