Botnet Dection system

Introduction

Botnet problem Challenges for botnet detection

What Is a Bot/Botnet? Bot

A malware instance that runs autonomously and automatically on a compromised computer (zombie) without owner’s consent

Profit-driven, professionally written, widely propagated

Botnet (Bot Army): network of bots controlled by criminals Definition: “A coordinated group of malware

instances that are controlled by a botmaster via some C&C channel”

Architecture: centralized (e.g., IRC,HTTP), distributed (e.g., P2P)

“25% of Internet PCs are part of a botnet!” ( - Vint Cerf)

Botnets are used for …

All DDoS attacks Spam Click fraud Information theft Phishing attacks Distributing other malware, e.g.,

spywarePCs are part of a botnet!” ( - Vint Cerf)

Challenges for Botnet Detection Bots are stealthy on the infected machines – We focus on a network-based solution Bot infection is usually a multi-faceted and

multiphased process – Only looking at one specific aspect likely to fail Bots are dynamically evolving – Static and signature-based approaches may not be

effective Botnets can have very flexible design of C&C channels – A solution very specific to a botnet instance is not desirable

Roadmap to three Detection Systems

Bothunter: regardless of the C&C structure and network protocol, if they follow pre-defined infection live cycle

Botsniffer:works for IRC and http, can be extended to detect centralized C&C botnets

Botminer:independent of the protocol and structure

BotHunter system-detection on single infected client

Detecting Malware Infection ThroughIDS-Driven Dialog Correlation

Monitors two-way communication flows between internal networks and the Internet for signs of bot and other malware

Correlates dialog trail of inbound intrusion alarms with outbound communication patterns

Bot infection case study: Phatbot

Dialog-based Correlation

BotHunter employs an

Infection Lifecycle Model

to detect host infection behavior

Bothunter Architecture

Evaluation Example:

http://www.cyber-ta.org/releases/malware-analysis/public/2009-01-13-public/

BotSniffer-detection on centralized C&C botnets(IRC,HTTP)

WHY we will focus on C&C? C&C is essential to a botnet – Without C&C, bots are just discrete,

unorganized infections C&C detection is important – Relatively stable and unlikely to change

within botnets – Reveal C&C server and local victims – The weakest link

Botnet C&C Communication Example

Botnet C&C: Spatial-Temporal Correlation and Similarity

BotSniffer Architecture

Correlation Engine Based on two properties Response crowd – a set of clients that have

(message/activity) response behavior -A Dense response crowd: the fraction of

clients with message/activity behavior within the group is larger than a threshold (e.g., 0.5).

A homogeneous response crowd – Many members have very similar responses

Evaluation

Why Botminer?

Botnets can change their C&C content(encryption, etc.), protocols (IRC, HTTP,

etc.),structures (P2P, etc.), C&C servers, dialog models

So bothunter, botsniffer systems may be evaded. We need to consider more

Revisit Botnet Definition

“ A coordinated group of malware instances that are controlled by a botmaster via some C&C channel”

We need to monitor two planes – C-plane (C&C communication plane):

“who is talking to whom” – A-plane (malicious activity plane):

“who is doing what”

C-Plane clustering What characteriz

es a communication flow (Cflow)

between a local host and a remote service?

– <protocol, srcIP, dstIP, dstPort>

A-plane clustering

Cross-clustering

Two hosts in the same A-clusters andin at least one common C-cluster areclustered together

Botminer Architecture

Evaluation Data

Evaluation Result(FP)

Evaluation Result(Detection Rate)

Botnet Detection Systems summary

Bothunter: Vertical Correlation. Correlation on the behaviors of single host.

Botsniffer: Horizontal Correlation. On centralized C&C botnets

Botminer: Extension on Botsniffer, no limitations on the C&C types.

Thank you!

Questions?