BotNet Detection Techniques

BotNet Detection Techniques
By
Shreyas Sali
Course: Network Security (CSCI – 5235)
Instructor: Dr. T Andrew Yang
Outline
• Introduction to Botnet
• Botnet Life-cycle
• Botnet in Network Security
• Botnet Uses
• Botnet Detection
• Preventing Botnet Infection
• Botnet Research
• Conclusion
• References
Page  2
Introduction to Botnet
A Botnet is a network of compromised computers under the control of a remote attacker.
• Botnet Terminology
  • Bot Herder (Bot Master)
  • Bot
  • Bot Client
  • IRC Server
  • Command and Control Channel (C&C)
Page  3
Introduction to Botnet (Terminology)
[Diagram labels: Bot Master, IRC Server, IRC Channel, Code Server, C&C Traffic, Updates, Bots, Attack, Victim]
Page  4
Botnet Life-cycle
Page  5
Botnet in Network Security
• Internet users are getting infected by bots
• Corporate users and end users are frequently caught up in botnet attacks
• Today 16-25% of the computers connected to the internet are members of a botnet
• In this network the bots are located in many different places
• This makes it difficult to track illegal activities
• This behaviour makes botnets an attractive tool for intruders and increases the threat to network security
Page  9
Botnet is Used For
[Diagram label: Bot Master]
Page  10
How is a Botnet Used?
• Distributed Denial of Service (DDoS) attacks
• Sending spam
• Phishing (fake websites)
• Adware (Trojan horse)
• Spyware (keylogging, information harvesting)
• Click fraud
So it is really important to detect these attacks
Page  11
Botnet Detection
Two approaches for botnet detection:
• Setting up honeynets
• Passive traffic monitoring
  • Signature based
  • Anomaly based
  • DNS based
  • Mining based
Page  12
Botnet Detection: Setting up Honeynets
Windows Honeypot
• Honeywall responsibilities: capture the following from the bot's traffic:
  • DNS name / IP address of the IRC server and port number
  • (optional) password to connect to the IRC server
  • Nickname of the bot
  • Channel to join and (optional) channel password
Page  13
Botnet Detection: Setting up Honeynets
[Diagram: Bot, Sensor, Bot Master; 1. Malicious Traffic, 2. Inform bot's IP, 3. Authorize]
Page  14
Botnet Detection: Traffic Monitoring
• Signature based: detection of known botnets
• Anomaly based: detect botnets using the following anomalies
  • High network latency
  • High volume of traffic
  • Traffic on unusual ports
  • Unusual system behaviour
• DNS based: analysis of DNS traffic generated by botnets
Page  15
Botnet Detection: Traffic Monitoring
• Mining based:
  • Botnet C&C traffic is difficult to detect
  • Anomaly-based techniques are not useful for it
  • Data mining techniques – classification, clustering
Page  16
Botnet Detection
• Determining the source of a botnet-based attack is challenging:
• Traditional approach:
  • Every zombie host is an attacker
  • Botnets can exist in a benign state for an arbitrary amount of time before they are used for a specific attack
• New trend:
  • P2P networks
Page  17
Preventing Botnet Infections
• Use a firewall
• Patch regularly and promptly
• Use antivirus (AV) software
• Deploy an Intrusion Prevention System (IPS)
• Implement application-level content filtering
• Define a security policy and share it with your users systematically
Page  18
Botnet Research
• Logging onto the herder's IRC server to get information
• Passive monitoring: either listening between the infected machine and the herder, or spoofing the infected PC
• Active monitoring: poking around in the IRC server
• Sniffing traffic between the bot and the control channel
Page  19
Botnet Research: Monitoring Attacker
[Diagram labels: Infected, IRC, Researcher, Herder]
Page  20
Conclusion
• Botnets pose a significant and growing threat to cyber security
• They provide a key platform for many cyber crimes (DDoS)
• Network security has become an integral part of our lives, and botnets have become the most serious threat to it
• It is very important to detect botnet attacks and find solutions for them
Page  21