C&C Tracer: Botnet Command and Control Behavior Tracing
2013/10/28 Presented: 羅傑聘 102064529


Page 1: C&C Tracer:  Botnet  Command and Control Behavior Tracing

C&C Tracer: Botnet Command and Control Behavior Tracing

2013/10/28 Presented: 羅傑聘 (102064529)

Page 2: Outline

− Basic Information
− Problems to solve
− C&C Tracer
− Experiment Results
− Discussion

Page 3: Basic Information

Title:
− C&C Tracer: Botnet Command and Control Behavior Tracing

Authors:
− Meng-Han Tsai
− Chang-Cheng Lin
− Ching-Hao Mao (Institute for Information Industry, Project Resource Division)
− Huey-Ming Lee (Chinese Culture University)

Publication:
− Systems, Man, and Cybernetics (SMC), IEEE International Conference

Year: 2011
Cited (Google): 1

Page 4: Problems to Solve

Botnet command and control (C&C) behavior is becoming more dynamic and changes faster, so it is difficult to capture botnet behavior in real time.

In practical analysis, scalability and real-time operation are two important issues.

Reducing the latency of C&C behavior tracing could improve detection coverage of rapidly changing C&C behaviors.

Page 5: C&C Tracer

A botnet C&C behavior tracing system, named C&C Tracer.

The C&C Tracer consists of three components:
1. C&C active behavior feature extracting (CAFE)
2. C&C status tracing analyzer (CSTA)
3. Domain name status querying (DNSQ)

The C&C Tracer can reduce the number of non-active C&C domain names by close to 80% with only a 0.69% false positive rate.

Page 6: C&C Tracer – Architecture (figure)

Page 7: C&C Tracer – CAFE

C&C Active Behavior Feature Extracting

CAFE parses the different sources of blacklists into the same format and recognizes the botnet types.

CAFE includes:
1. Botnet type identifying
2. Malicious URL rendering
3. Domain name extracting
4. Temporal and spatial feature extracting

Page 8: C&C Tracer – CAFE (2)

The authors propose nine features that consider both spatial and temporal information.

Page 9: C&C Tracer – CSTA

C&C Status Tracing Analyzer

Determines which domain names are worth continuing to trace and which can be ignored.

CSTA includes:
1. Domain name behavior extracting
2. Domain name activity measuring
3. Potential domain name selecting

Page 10: C&C Tracer – CSTA (2)

Uses different kinds of data mining classification algorithms to evaluate the active degree of a domain name, such as:
1. Logistic regression (LR)
2. Naive Bayes (NB)
3. RIPPER
4. K-nearest neighbors (KNN)

Page 11: C&C Tracer – DNSQ

Domain Name Status Querying

DNSQ queries the corresponding domain name from online data repositories, extracts the C&C behavior and exports it to the C&C behavior database.

Page 12: Experiment Results

1. Domain extension belongs to a gTLD or ccTLD
2. AutNS + IP + ASN + CC + ISP ≧ 5
3. Average TTL (time-to-live) < 1 day
4. AppearDuration > ActiveRecent

TP (true positive): the number of active domains that are correctly detected;
FN (false negative): the number of active domains that are not detected;
TN (true negative): the number of domain names without an active-domain label that are correctly classified;
FP (false positive): the number of non-active domains that are incorrectly detected as active domains.
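As an added illustration (not code from the paper or these slides), the four conditions listed above are evaluated on constructed domain-feature records and the TP/FN/TN/FP counts are computed exactly as slide 12 defines them, giving the false positive rate and the share of non-active domains that tracing can drop. The slides do not say how CSTA combines the conditions into an active degree, so the at-least-three-of-four rule, the small gTLD list and the record layout are assumptions made here.

```python
from dataclasses import dataclass
GTLDS = {"com", "net", "org", "info", "biz"}  # assumed approximation of "gTLD"

@dataclass
class DomainRecord:       # constructed record layout (assumption, not the paper's schema)
    tld: str              # domain extension, e.g. "com" (gTLD) or "tw" (ccTLD)
    aut_ns: int           # distinct authoritative name servers (AutNS)
    ips: int              # distinct resolved IP addresses
    asns: int             # distinct ASNs
    ccs: int              # distinct country codes (CC)
    isps: int             # distinct ISPs
    avg_ttl_sec: float    # average DNS TTL in seconds
    appear_duration: int  # days the domain has appeared on blacklists (AppearDuration)
    active_recent: int    # days since it was last seen active (ActiveRecent)
    is_active: bool       # ground-truth label used for the evaluation (constructed)

def rule_hits(r: DomainRecord) -> dict:
    """Evaluate the four conditions listed on slide 12 for one record."""
    return {
        "tld_known": r.tld in GTLDS or len(r.tld) == 2,                # gTLD or ccTLD
        "infra_spread": r.aut_ns + r.ips + r.asns + r.ccs + r.isps >= 5,
        "short_ttl": r.avg_ttl_sec < 86400,                             # avg TTL < 1 day
        "long_lived": r.appear_duration > r.active_recent,
    }

def predict_active(r: DomainRecord, threshold: int = 3) -> bool:
    """Assumption: the domain counts as active when at least `threshold` conditions hold."""
    return sum(rule_hits(r).values()) >= threshold

def confusion(records, threshold: int = 3) -> dict:
    """TP/FN/TN/FP as slide 12 defines them, plus FP rate and the share of non-active domains dropped."""
    tp = fn = tn = fp = 0
    for r in records:
        pred = predict_active(r, threshold)
        if r.is_active:
            tp, fn = (tp + 1, fn) if pred else (tp, fn + 1)
        else:
            fp, tn = (fp + 1, tn) if pred else (fp, tn + 1)
    non_active = fp + tn
    return {"TP": tp, "FN": fn, "TN": tn, "FP": fp,
            "FPR": fp / non_active if non_active else 0.0,
            "reduction": tn / non_active if non_active else 0.0}

SAMPLE = [  # constructed values, not measurements from the paper
    DomainRecord("com", 2, 6, 3, 2, 3, 300.0, 40, 2, True),      # all four hold -> TP
    DomainRecord("ru", 1, 1, 1, 1, 1, 172800.0, 1, 5, True),     # two hold -> FN
    DomainRecord("net", 1, 1, 1, 1, 1, 172800.0, 3, 20, False),  # two hold -> TN
    DomainRecord("info", 1, 2, 1, 1, 1, 86400.0, 5, 60, False),  # two hold -> TN
    DomainRecord("xyz", 3, 4, 2, 2, 2, 60.0, 10, 1, False),      # three hold -> FP
]
```

Calling `confusion(SAMPLE)` on these records gives TP=1, FN=1, TN=2, FP=1; raising the threshold to 4 removes the false positive but the paper's real FP rate depends on its learned classifier, not on this fixed rule.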

Page 13: Experiment Results (2)

Page 14: Experiment Results (3)

The C&C Tracer can reduce the number of non-active C&C domain names by close to 80% with only a 0.69% false positive rate.

Page 15: Discussion

What I Like
− The model of C&C Tracer is clearly presented.

What I Dislike
− Some parts of the evaluation are not clear enough; readers might have to work much harder studying the references.
− Applications in real cases are rarely mentioned.

Page 16: Thank you!