Botnet Detection Techniques
By Team Firefly
Technical Support For System Errors And Security Issues
Cyber Security Awareness Program
On Friday, October 18, 2013
Page 2
Outline
• Introduction to Botnet
• Botnet Life-cycle
• Botnet in Network Security
• Botnet Uses
• Botnet Detection
• Preventing Botnet Infection
• Botnet Research
• Conclusion
• References
Page 3
Introduction to Botnet
A Botnet is a network of compromised computers under the control of a remote attacker.
Botnet Terminology
• Bot Herder (Bot Master)
• Bot
• Bot Client
• IRC Server
• Command and Control Channel (C&C)
Page 4
Introduction to Botnet (Terminology)
[Diagram: Bot Master, Bots, Code Server, IRC Server, Victim; labelled flows: IRC Channel, C&C Traffic, Updates, Attack]
Page 5
Botnet Life-cycle
Page 9
Botnet In Network Security
Internet users are being infected by bots
Corporate and end users are frequently caught up in botnet attacks
Today 16-25% of the computers connected to the internet are members of a botnet
Because the bots in such a network are spread across many locations, it becomes difficult to track illegal activities
This behaviour makes botnets an attractive tool for intruders and increases the threat to network security
Page 10
Botnet is Used For
[Diagram: Bot Master]
Page 11
How Botnet is Used?
• Distributed Denial of Service (DDoS) attacks
• Sending spam
• Phishing (fake websites)
• Adware (Trojan horse)
• Spyware (keylogging, information harvesting)
• Click fraud
So it is really important to detect this attack
Page 12
Botnet Detection
Two approaches for botnet detection:
• Setting up honeynets
• Passive traffic monitoring
  – Signature based
  – Anomaly based
  – DNS based
  – Mining based
Page 13
Botnet Detection: Setting up Honeynets
Windows Honeypot
Honeywall responsibilities:
• DNS name/IP address of the IRC server and port number
• (optional) password to connect to the IRC server
• Nickname of the bot
• Channel to join and (optional) channel password
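As an added illustration, not part of the original slides, a small parser that pulls exactly the fields the honeywall is responsible for (server, port, password, nickname, channels and channel keys) out of a captured bot-to-IRC-server session; the server name, port and session lines are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: one bot-to-server IRC session as a honeywall might
# capture it (server, port, client-to-server lines). Hypothetical values.
SAMPLE_FLOW = ("irc.example.invalid", 6667, [
    "PASS s3cret",
    "NICK [DE|00]abc1234",
    "USER xyz 0 * :xyz",
    "JOIN #cmd,#updates key1",
    "PRIVMSG #cmd :hello",
])

@dataclass
class CncProfile:
    """The connection details a honeywall records for one C&C server."""
    server: str
    port: int
    password: Optional[str] = None
    nick: Optional[str] = None
    channels: dict = field(default_factory=dict)  # channel -> key or None

IRC_CMD = re.compile(r"^(PASS|NICK|JOIN)\s+(.+)$")

def extract_cnc_profile(flow):
    """Pull server, port, password, nick and channels out of the captured lines."""
    server, port, lines = flow
    profile = CncProfile(server=server, port=port)
    for raw in lines:
        m = IRC_CMD.match(raw.strip())
        if not m:
            continue  # USER, PRIVMSG, PING etc. carry no connection parameters
        cmd, args = m.groups()
        if cmd == "PASS":
            profile.password = args.split()[0].lstrip(":")
        elif cmd == "NICK":
            profile.nick = args.split()[0]
        elif cmd == "JOIN":
            parts = args.split()
            chans = parts[0].split(",")
            keys = parts[1].split(",") if len(parts) > 1 else []
            for i, chan in enumerate(chans):
                profile.channels[chan] = keys[i] if i < len(keys) else None
    return profile

def as_watchlist(profile):
    """Indicators a defender can feed to a firewall or IDS rule set."""
    return {"server": profile.server, "port": profile.port,
            "channels": sorted(profile.channels)}
```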
Page 14
Botnet Detection: Setting up Honeynets
[Diagram: Bot Sensor and Bot Master; steps: 1. Malicious traffic, 2. Inform bot's IP, 3. Authorize]
Page 15
Botnet Detection: Traffic Monitoring
Signature based: Detection of known botnets
Anomaly based: Detect botnets using the following anomalies
• High network latency
• High volume of traffic
• Traffic on unusual ports
• Unusual system behaviour
DNS based: Analysis of DNS traffic generated by botnets
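An added example, not from the original deck: the anomaly-based checks above (traffic volume, unusual ports) and a DNS-based check run over constructed flow and DNS records. The allow-list and thresholds are assumptions; network latency is left out because these records do not carry it.

```python
from collections import defaultdict
# Constructed sample flow records: (src, dst, dst_port, bytes). Hypothetical.
FLOWS = [
    ("10.0.0.5", "198.51.100.7", 443, 120_000),
    ("10.0.0.9", "203.0.113.20", 6667, 4_000),     # port not in the allow-list
    ("10.0.0.12", "198.51.100.30", 25, 900_000),   # outbound mail at high volume
    ("10.0.0.12", "198.51.100.31", 25, 950_000),
    ("10.0.0.12", "198.51.100.32", 25, 870_000),
]
# Constructed sample DNS records: (src, qname, rcode). Hypothetical.
DNS = [
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.9", "qx7zk1.example.invalid", "NXDOMAIN"),
    ("10.0.0.9", "m3pq0a.example.invalid", "NXDOMAIN"),
    ("10.0.0.9", "v8rt2l.example.invalid", "NXDOMAIN"),
    ("10.0.0.9", "cdn.example.com", "NOERROR"),
]
ALLOWED_PORTS = {25, 53, 80, 443}   # assumed site policy
VOLUME_THRESHOLD = 2_000_000        # bytes per host per window, assumed
NX_MIN_QUERIES, NX_RATIO = 3, 0.5   # assumed thresholds for the DNS check

def high_volume_hosts(flows, threshold=VOLUME_THRESHOLD):
    """Hosts whose summed outbound bytes exceed the threshold."""
    total = defaultdict(int)
    for src, _, _, nbytes in flows:
        total[src] += nbytes
    return {h for h, b in total.items() if b > threshold}

def unusual_port_hosts(flows, allowed=ALLOWED_PORTS):
    """Hosts talking to destination ports outside the allow-list."""
    return {src for src, _, port, _ in flows if port not in allowed}

def nxdomain_hosts(dns, min_q=NX_MIN_QUERIES, ratio=NX_RATIO):
    """Hosts with a high share of failed lookups (rendezvous-domain guessing)."""
    counts = defaultdict(lambda: [0, 0])   # host -> [queries, nxdomain]
    for src, _, rcode in dns:
        counts[src][0] += 1
        counts[src][1] += int(rcode == "NXDOMAIN")
    return {h for h, (q, nx) in counts.items() if q >= min_q and nx / q > ratio}

def suspicious_hosts(flows=FLOWS, dns=DNS):
    """Map each flagged host to the anomalies observed for it."""
    reasons = defaultdict(list)
    for hosts, label in ((high_volume_hosts(flows), "high volume"),
                         (unusual_port_hosts(flows), "unusual port"),
                         (nxdomain_hosts(dns), "nxdomain burst")):
        for h in hosts:
            reasons[h].append(label)
    return dict(reasons)
```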
Page 16
Botnet Detection: Traffic Monitoring
Mining based:
• Botnet C&C traffic is difficult to detect
• Anomaly based techniques are not useful
• Data Mining techniques – Classification, Clustering
Page 17
Botnet Detection
Determining the source of a botnet-based attack is challenging:
• Traditional approach: every zombie host is an attacker
• Botnets can exist in a benign state for an arbitrary amount of time before they are used for a specific attack
• New trend: P2P networks
Page 18
Preventing Botnet Infections
• Use a firewall
• Patch regularly and promptly
• Use antivirus (AV) software
• Deploy an Intrusion Prevention System (IPS)
• Implement application-level content filtering
• Define a security policy and share policies with your users systematically
Page 19
Botnet Research
• Logging onto the herder's IRC server to get info
• Passive monitoring: either listening between the infected machine and the herder, or spoofing the infected PC
• Active monitoring: poking around in the IRC server
• Sniffing traffic between the bot and the control channel
Page 20
Botnet Research: Monitoring Attacker
[Diagram: Infected host, IRC Herder and Researcher ("Hi!")]
Page 21
Conclusion
Botnets pose a significant and growing threat to cyber security
They provide a key platform for many cyber crimes (DDoS)
Network security has become an integral part of our life, and botnets have become the most serious threat to it
It is very important to detect botnet attacks and find solutions for them
Page 22
References
• B. Saha and A. Gairola, "Botnet: An overview," CERT-In White Paper CIWP-2005-05, 2005.
• M. M. Masud, J. Gao, L. Khan, J. Han and B. Thuraisingham, "Peer to Peer Botnet detection for cyber-security: A data mining approach," ACM Portal.
• M. Feily, A. Shahrestani and S. Ramadass, "A Survey of Botnet and Botnet Detection," Third International Conference on Emerging Security Information, Systems and Technologies (SECURWARE '09), IEEE, 2009, pp. 268–273.
• Z. Li, A. Goyal and Y. Chen, "Honeynet-based Botnet Scan Traffic Analysis," Northwestern University, Evanston, IL 60208.
• B. AsSadhan, J. M. F. Moura, D. Lapsley, C. Jones and W. T. Strayer, "Detecting Botnets Using Command and Control Traffic," Eighth IEEE International Symposium on Network Computing and Applications (NCA 2009), 2009, pp. 156–162.
• Y. Xie and F. Yu, "Spamming botnets: signatures and characteristics."