Botnet Attribution and Removal: From Axioms to Theory to Practice Wenke Lee (PI) College of Computing Georgia Institute of Technology ONR MURI N000140911042 Project Kick-off Meeting November 20, 2009

Page 1

Botnet Attribution and Removal: From Axioms to Theory to Practice

Wenke Lee (PI), College of Computing, Georgia Institute of Technology

ONR MURI N000140911042 Project Kick-off Meeting

November 20, 2009

Page 2

Project Team

11/20/09 ONR MURI Project Kick-Off 2

Wenke, David, Nick, Jon, Kang, Giovanni, Farnam, Michael, John, Chris

Page 3

Project Team (cont’d)

• Georgia Tech
  – Wenke Lee (Ph.D. 1999, Columbia)
  – Nick Feamster (Ph.D. 2005, MIT)
  – Jon Giffin (Ph.D. 2006, Wisconsin)
  – David Dagon (Ph.D. 2009/10?, Georgia Tech)
• Michigan
  – Kang Shin (Ph.D. 1978, Cornell)
  – Farnam Jahanian (Ph.D. 1989, Texas)
  – Michael Bailey (Ph.D. 2006, Michigan)
• Stanford
  – John Mitchell (Ph.D. 1984, MIT)
• UC Santa Barbara
  – Giovanni Vigna (Ph.D. 1998, Politecnico di Milano)
  – Christopher Kruegel (Ph.D. 2002, Technical University of Vienna)


Page 4

Project Overview

• A botnet is a network of compromised computers (bots) under the control of an attacker
  – Platform for most cyber attacks and fraudulent activities
• IA problems addressed
  – What are the intrinsic properties of botnets?
  – What are the fundamental approaches to detect and remove all current and future botnets, and how can they be developed?


Page 5

Project Overview


An overarching framework that covers all aspects of botnet lifecycle and the entire network stack/scale, rather than a collection of point solutions.

A systematic and scientific approach to design robust botnet detection and analysis algorithms, rather than ad-hoc and brittle techniques.

Page 6

Project Overview (cont’d)

• Approaches
  – Analyze the intrinsic/invariant properties of botnets
  – Derive the axioms, i.e., the necessary and possible host-, network- and Internet-level botnet behaviors that follow from these properties
  – From the axioms, develop the principles or theories for detecting and stopping these botnet behaviors
  – Put the theories into practice by developing practical algorithms and systems


Page 7

Project Overview (cont’d)

• Approach example
  – Analyze essential properties of the botnet lifecycle
    • E.g., botnets are valuable, long-term resources
  – Derive axioms that directly follow from the properties
    • E.g., botnets need to have agility to evade detection and removal
  – Derive theories from the axioms
    • E.g., by detecting and neutralizing the sources of network agility, we can limit botnets’ evasion capabilities and thus make botnets easier to detect and remove
  – Apply the theories to practice
    • E.g., an on-line detection of naming (DNS) based agility.


Page 8

Project Overview (cont’d)

• Capabilities to offer
  – Innovative and foundational solutions to enable
    • End-hosts to identify bot activities on the host and block bot-related traffic
    • Enterprise networks to identify hosts that participate in botnet activities on the Internet and accordingly block such traffic
    • Internet core to detect anomalies in Internet basic protocols to identify the servers used to support botnet operations and accordingly disrupt or even remove the botnets
  – Technology transfer and commercialization
    • PIs connected to Damballa and Arbor Networks


Page 9

Research Areas

• Theory and taxonomy
  – Essential properties, axioms and theories
    • Lee, Mitchell, Dagon, Bailey
  – Taxonomy
    • Bailey, Dagon, Mitchell, Lee
  – Metrics, network and game theory models
    • Mitchell, Dagon, Feamster, Jahanian
• Epidemiology models
  – Population estimates and threat assessment
    • Jahanian, Dagon, Feamster, Shin


Page 10

Research Areas (cont’d)

• Essential properties of botnets call for multifaceted detection and analysis approaches
  – Bots are compromised computers
    • Malware
  – Bot traffic is not sent/authorized by users
    • Host/user activities
  – C&C required to form/maintain botnet
    • Bot programs, network/Internet traffic
  – Bots used for attacks and frauds
    • Bot programs, network/Internet traffic
  – Bots are long-term resources
    • Reuse models, and mechanisms/protocols to support agility
  – Man behind the bots reaping the profit
    • “Management” servers or “mothership”


Page 11

Research Areas (cont’d)

• Detection and analysis
  – Malware and malicious web pages/scripts
    • Kruegel, Bailey, Giffin, Lee
  – Host activities and network/Internet traffic
    • Giffin, Feamster, Mitchell, Jahanian, Lee
  – Agile C&C and activity infrastructures
    • Shin, Feamster, Jahanian, Dagon
  – Long-lived and reused bots
    • Feamster, Bailey, Vigna, Dagon
  – Motherships
    • Vigna, Shin, Dagon, Feamster


Page 12

Research Areas (cont’d)

• Theoretical work validates intuitions and directs development and evaluation of detection and analysis algorithms for current and future botnets

• For example
  – A botnet has long-term utility, which depends on its network model


Page 13

Research Areas (cont’d)

  – Agility thus helps preserve botnet utility
  – Realization in Internet: DDNS, fast-flux, new domain daily (hourly?)
    • Scale and layers of agile control
  – Metrics, network and game theory models provide a theoretical understanding of the possibilities and trade-offs of botnet agilities
    • Basis to fight future botnets
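The following is an added example written for this page; it is not the project's own code nor any system the slides refer to. It illustrates the "naming (DNS) based agility" of slide 7 and the DDNS/fast-flux realization of slide 13 from a defender's side: given passive-DNS resolution records, it computes per-name features (distinct addresses, distinct /24 networks, mean TTL, answer churn between consecutive lookups) and flags names whose answers rotate across many networks with short TTLs. The `Resolution` record layout, the sample records and the three thresholds are constructed assumptions, not values from the slides.

```python
"""Passive-DNS naming-agility scoring (added example; record layout,
sample data and thresholds are assumptions, not the project's own)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean


@dataclass(frozen=True)
class Resolution:
    ts: int      # observation time, seconds since start of the window
    qname: str   # queried name
    rdata: str   # IPv4 address in the answer
    ttl: int     # TTL returned with the answer


# Assumed thresholds; a real deployment would calibrate them on its own data.
MIN_PREFIXES = 3     # distinct /24 networks seen for one name
MAX_MEAN_TTL = 300   # seconds
MIN_CHURN = 0.5      # fraction of consecutive lookups whose answer changed

# Constructed sample: a name that round-robins over a small pool with long
# TTLs (CDN-like), and a name whose answers rotate across several networks
# with very short TTLs (fast-flux-like).
SAMPLE = [
    Resolution(0,    "stable.example", "198.51.100.10",  3600),
    Resolution(600,  "stable.example", "198.51.100.11",  3600),
    Resolution(1200, "stable.example", "198.51.100.10",  3600),
    Resolution(0,    "flux.example",   "203.0.113.5",    60),
    Resolution(60,   "flux.example",   "192.0.2.77",     60),
    Resolution(120,  "flux.example",   "198.51.100.200", 30),
    Resolution(180,  "flux.example",   "203.0.113.140",  30),
    Resolution(240,  "flux.example",   "192.0.2.9",      60),
]


def features(records):
    """Per-name agility features from an iterable of Resolution records."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r.qname].append(r)
    out = {}
    for name, rs in by_name.items():
        rs.sort(key=lambda r: r.ts)          # churn needs time order
        ips = [r.rdata for r in rs]
        prefixes = {ip_network(ip + "/24", strict=False) for ip in ips}
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        churn = changes / (len(ips) - 1) if len(ips) > 1 else 0.0
        out[name] = {
            "distinct_ips": len(set(ips)),
            "distinct_prefixes": len(prefixes),
            "mean_ttl": mean(r.ttl for r in rs),
            "churn": churn,
        }
    return out


def is_agile(f):
    """All three signals must agree: spread over networks, short TTL, churn."""
    return (f["distinct_prefixes"] >= MIN_PREFIXES
            and f["mean_ttl"] <= MAX_MEAN_TTL
            and f["churn"] >= MIN_CHURN)


def agile_names(records):
    """Sorted list of names that look like DNS-agile infrastructure."""
    return sorted(n for n, f in features(records).items() if is_agile(f))


if __name__ == "__main__":
    for name, f in features(SAMPLE).items():
        print(name, f, "AGILE" if is_agile(f) else "ok")
```

In the sample, `stable.example` has churn 1.0 as well, because round-robin answers change on every lookup; it is only the combination with one /24 and hour-long TTLs that keeps it out of the agile set. That is the reason the three signals are required together rather than any one of them alone.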

Page 14

Plan and Milestones


Page 15

Evaluation and Technology Insertion

• PIs have a long history of dataset collection and network measurement and thus have access to a wide variety of production datasets, including:
  – DNS, spam, malware, and alert data via SIE
  – BGP and netflow data from ISPs
  – Malware collections and exchanges
• Deployment and evaluation in operational environments in departments, universities, and upstream service providers
• PIs have strong ties to industry (e.g., Arbor and Damballa), and have participated in DHS-led efforts to deploy technologies in government agencies


Page 16

Project Management and Student Education

• Project web site at Georgia Tech
  – Public pages showcasing the project
    • http://onrbotnet.gtisc.gatech.edu/
  – Private wiki for the project team and PM to share data, software, and reports
    • http://onrbotnet.gtisc.gatech.edu/wiki
• Bi-yearly project meeting
  – One co-located with a major security conference, and the other on a campus
• Education
  – 15 Ph.D. students, 1-3 post docs
  – Exchange summer interns, post docs


Page 17

Related Projects and Support

• NSF “CLEANSE”, total $1.2M
  – Georgia Tech and Michigan (and UNC, SRI, ISC)
  – Large-scale monitoring of core Internet services such as DNS and BGP
• DHS botnet projects
  – Michigan and Georgia Tech, separate
  – Tech transfer and deployment
• NSF, AFRL, ARO, and ONR IA projects
  – All PIs; focused/specific areas such as malware on cell phones
