DETECTING BOTNETS BASED ON THEIR BEHAVIORS … · NetFlow and other similar network level ......
Outline
Motivation
Some Background
Detecting Botnets
Experimentation
Collecting Data
Detecting Scanners
Detecting DDoS
Detecting Spammers
Detecting C&C Flows
Looking Ahead
Motivation
Botnet attacks are a major threat to service providers.
Most detection is done at the application layer.
If a solution can be implemented at the network layer, without digging deep into application data, it can serve as a first level of defense.
NetFlow and other similar network-level logging protocols provide crucial information that can be used to trace botnets.
Some Background
Bot: malware installed on an unprotected computer that converts the machine into a zombie.
Botnet: a network of zombies controlled by a master, called the bot-herder, through a C&C channel.
Types (based on the C&C mechanism): IRC, HTTP, P2P.
Common botnet attacks: DDoS, spamming, malware spreading, online
Investigate the network-layer behavior pattern of botnets.
Sources of information: we need packet-activity information with enough detail to trace the communication pattern, e.g. Cisco NetFlow, Juniper cflowd, IETF IPFIX.
Information we can get per flow: src & dst IP, src & dst port, incoming & outgoing interface, IP protocol, ToS, TCP flags, start & end time, etc.
What's next? Find the pattern using this information.
Detecting Botnets
Detecting botnets based on attack signature (DDoS, spamming, scanning): easier to track down.
Detecting botnets by analyzing C&C flows: relatively difficult, especially if it is a P2P botnet.
Detecting C&C Flows
Detecting C&C flows among regular flows is very difficult, especially if the C&C channel is based on a P2P protocol.
An experimental scheme by W. Timothy Strayer et al. successfully detected botnet C&C traces in a huge flow set.
Four stages: filtering, classification, correlation, topology analysis.
Experimentation
Phase 1: NetFlow log collection; choose a toolset.
Phase 2: Devise the detection mechanism from the botnet behavior using the toolset.
Phase 3: Apply the mechanism to find the botnet in the
Collecting Data
There are several means to collect NetFlow data, but we used the easiest way: collect existing logs from a given network.
It turns out it's not so easy after all. After knocking on (practically everyone's!) door we found a huge collection of NetFlow logs: the Internet2 Observatory Data Collection.
The only problem is that there is no indication of botnet traces which we could use to evaluate the success of the mechanisms.
Therefore we decided to detect botnets in the NetFlow logs using the naïve detection schemes.
Toolset
rsync: to collect data from the Internet2 Observatory data collection; an account had to be created beforehand.
flow-tools: Internet2 NetFlow logs are stored in flow-tools format, so flow-tools was an obvious choice.
Other toolsets exist (e.g. nfdump).
Detecting Scanners
Vertical, horizontal and block scanning.
If the scanner uses TCP, the flag information can be used: find the top talker whose flows have only the TCP SYN bit set (Yiming Gong).
Our experiment found a block scanner in the NetFlow logs (probably).
Detecting DDoS
Common behavior of every DDoS attack: a huge number of packets (service requests, data) sent to a set of hosts/servers in a very short period (TCP SYN flood, ping flood, Smurf attack, etc.).
We devised an ICMP unreachable message flood detection scheme: find the victims with a huge number of flows containing ICMP port/host/network unreachable messages.
Detecting Spammers
A useful piece of information: a spammer sends a lot of email but receives little.
We used the method described by Gert Vliek and found some probable spammers.
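The three signature heuristics from the scanner, DDoS and spammer slides, applied to the per-flow fields listed under "Sources of Information", as an added example (this is not code from the presentation, from flow-tools or from the cited authors). The seven-column record layout and the sample flows are constructed for the example; the only NetFlow detail it relies on is that NetFlow v5 stores an ICMP flow's type and code in the destination-port field as type*256+code.

```python
"""Signature-based botnet indicators over NetFlow-like records.

Added example (not code from the presentation or from flow-tools): it
applies the three heuristics described on the slides to a small
constructed flow set:
  * scanner  - top talker whose TCP flows carry only the SYN flag
  * DDoS     - victim receiving a flood of ICMP unreachable messages
  * spammer  - host that opens many SMTP connections but accepts few
The seven-column record layout is an assumption that mirrors the
NetFlow v5 fields listed on the slides.
"""
from collections import Counter, defaultdict

TCP, ICMP = 6, 1
SYN_ONLY = 0x02          # TCP flags byte with only SYN set
SMTP_PORT = 25
ICMP_UNREACHABLE = 3     # ICMP type 3 (net/host/port unreachable)

# Constructed sample export.  Columns:
# srcaddr,dstaddr,srcport,dstport,prot,tcp_flags,packets
# For ICMP flows NetFlow v5 puts type*256+code in the dstport column,
# so 768/769/771 are type 3 with code 0/1/3.
SAMPLE_FLOWS = """\
10.0.0.5,192.0.2.1,40001,22,6,0x02,1
10.0.0.5,192.0.2.2,40002,22,6,0x02,1
10.0.0.5,192.0.2.3,40003,22,6,0x02,1
10.0.0.5,192.0.2.4,40004,22,6,0x02,1
10.0.0.9,192.0.2.1,50000,443,6,0x1b,20
192.0.2.1,10.0.0.9,443,50000,6,0x1b,18
198.51.100.7,203.0.113.1,0,771,1,0x00,1
198.51.100.8,203.0.113.1,0,771,1,0x00,1
198.51.100.9,203.0.113.1,0,768,1,0x00,1
198.51.100.10,203.0.113.1,0,769,1,0x00,1
10.0.0.20,203.0.113.25,41000,25,6,0x1b,12
10.0.0.20,203.0.113.26,41001,25,6,0x1b,12
10.0.0.20,203.0.113.27,41002,25,6,0x1b,12
10.0.0.20,203.0.113.28,41003,25,6,0x1b,12
198.51.100.50,203.0.113.25,45000,25,6,0x1b,9
203.0.113.25,198.51.100.60,45001,25,6,0x1b,6
"""


def parse_flows(text):
    """Parse the constructed CSV layout into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, sport, dport, prot, flags, pkts = line.split(",")
        flows.append({"src": src, "dst": dst, "sport": int(sport),
                      "dport": int(dport), "prot": int(prot),
                      "flags": int(flags, 16), "pkts": int(pkts)})
    return flows


def syn_only_top_talkers(flows, min_targets=3):
    """Scanner heuristic (Yiming Gong): rank sources by the number of
    distinct hosts they reach with SYN-only TCP flows."""
    targets = defaultdict(set)
    for f in flows:
        if f["prot"] == TCP and f["flags"] == SYN_ONLY:
            targets[f["src"]].add(f["dst"])
    ranked = sorted(targets.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(src, len(hosts)) for src, hosts in ranked if len(hosts) >= min_targets]


def icmp_unreachable_victims(flows, min_flows=3):
    """DDoS heuristic from the slides: destinations that receive a large
    number of flows carrying ICMP unreachable messages."""
    counts = Counter()
    for f in flows:
        if f["prot"] == ICMP and f["dport"] // 256 == ICMP_UNREACHABLE:
            counts[f["dst"]] += 1
    return [(dst, n) for dst, n in counts.most_common() if n >= min_flows]


def smtp_imbalance(flows, min_sent=3, ratio=2.0):
    """Spammer heuristic (Gert Vliek): a host that opens many SMTP
    connections but accepts few, i.e. sends mail without receiving it."""
    sent, received = Counter(), Counter()
    for f in flows:
        if f["prot"] == TCP and f["dport"] == SMTP_PORT:
            sent[f["src"]] += 1        # host initiating mail delivery
            received[f["dst"]] += 1    # host accepting mail delivery
    return [(h, sent[h], received[h]) for h, _ in sent.most_common()
            if sent[h] >= min_sent and sent[h] > ratio * received[h]]


def run_all(text=SAMPLE_FLOWS):
    """Run all three heuristics over one export and return the hits."""
    flows = parse_flows(text)
    return {"scanners": syn_only_top_talkers(flows),
            "ddos_victims": icmp_unreachable_victims(flows),
            "spammers": smtp_imbalance(flows)}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits)
```

On the constructed set, 10.0.0.5 is the only SYN-only top talker, 203.0.113.1 is the only host receiving a burst of ICMP unreachable flows, and 10.0.0.20 is the only host that opens several SMTP connections while accepting none; the legitimate mail server 203.0.113.25 both sends and receives and is not flagged. The thresholds are deliberately small for the sample; on Internet2-scale logs they would be set from the observed distribution of each count.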
Looking Ahead: Novel Detection Schemes Using NetFlow Data
Finding botnets by DDoS detection: use principal component analysis to find patterns in the flows; find bad changes in the pattern (a huge amount of data in a small time); trace the nodes causing the change.
Finding scanners: twenty-one metrics for finding a scanner are defined in the SiLK documentation, but using all of them together is a bit difficult.
Solution: use all of them in a weighted sum. How to assign the weights?
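The weighted-sum idea from the "Finding scanners" point, as an added example that is not code from the presentation or from SiLK: it computes four per-source metrics from a constructed flow list, min-max scales each one so that counts and fractions are comparable, and ranks sources by a weighted sum. The four metrics and the weights in WEIGHTS are assumptions chosen for illustration, not SiLK's twenty-one metrics or any published weighting; the slide leaves weight assignment as an open question and this block only shows the mechanics of combining the metrics.

```python
"""Weighted-sum scanner score over several per-source metrics.

Added example, not code from the presentation or from SiLK: the slide
proposes combining the scanner metrics from the SiLK documentation in a
weighted sum.  This block computes four such metrics from a constructed
flow list, min-max normalises each so they are comparable, and ranks
sources by a weighted sum.  The metric choice and the weights are
assumptions for illustration, not SiLK's list or any published weights.
"""
from collections import defaultdict

SYN_ONLY = 0x02

# Constructed flows: (src, dst, dstport, tcp_flags, packets)
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.1", 22, 0x02, 1),
    ("10.0.0.5", "192.0.2.2", 22, 0x02, 1),
    ("10.0.0.5", "192.0.2.3", 22, 0x02, 1),
    ("10.0.0.5", "192.0.2.4", 22, 0x02, 1),
    ("10.0.0.5", "192.0.2.5", 22, 0x02, 1),
    ("10.0.0.9", "192.0.2.1", 80, 0x1b, 30),
    ("10.0.0.9", "192.0.2.1", 443, 0x1b, 30),
    ("10.0.0.9", "192.0.2.1", 8080, 0x1b, 30),
    ("10.0.0.12", "192.0.2.6", 443, 0x1b, 20),
    ("10.0.0.12", "192.0.2.7", 443, 0x1b, 20),
]

# Assumed weights; each metric is scaled so that a higher value is more
# typical of scanning behaviour.
WEIGHTS = {"dst_hosts": 0.4, "dst_ports": 0.2, "syn_only_frac": 0.3, "low_pkts": 0.1}


def per_source_metrics(flows):
    """Raw metrics per source address."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[0]].append(f)
    metrics = {}
    for src, fl in by_src.items():
        n = len(fl)
        metrics[src] = {
            "dst_hosts": len({f[1] for f in fl}),
            "dst_ports": len({f[2] for f in fl}),
            "syn_only_frac": sum(1 for f in fl if f[3] == SYN_ONLY) / n,
            "avg_pkts": sum(f[4] for f in fl) / n,
        }
    return metrics


def normalise(metrics):
    """Min-max scale each metric to [0, 1]; a metric that is constant
    across all sources scales to 0.  Average packets per flow is inverted
    into 'low_pkts' because scanners typically send one or two packets
    per flow, so a low value is the suspicious one."""
    names = ["dst_hosts", "dst_ports", "syn_only_frac", "avg_pkts"]
    lo = {k: min(m[k] for m in metrics.values()) for k in names}
    hi = {k: max(m[k] for m in metrics.values()) for k in names}
    out = {}
    for src, m in metrics.items():
        scaled = {k: (m[k] - lo[k]) / (hi[k] - lo[k]) if hi[k] > lo[k] else 0.0
                  for k in names}
        scaled["low_pkts"] = 1.0 - scaled.pop("avg_pkts")
        out[src] = scaled
    return out


def rank_scanners(flows, weights=WEIGHTS):
    """Return (source, score) pairs sorted by descending weighted score."""
    scores = {src: sum(weights[k] * v for k, v in m.items())
              for src, m in normalise(per_source_metrics(flows)).items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for src, score in rank_scanners(SAMPLE_FLOWS):
        print(f"{src:12s} {score:.3f}")
```

With these weights the horizontal SSH scanner 10.0.0.5 scores 0.8, the host probing three ports on one server scores 0.2, and the ordinary client scores about 0.13. The ranking is only as good as the weights, which is exactly the open question on the slide; one defensible way to choose them, not shown here, is to fit them against flows whose scanner status is already known.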
References
Botnet Detection Based on Network Behavior, W. Timothy Strayer, David Lapsley, Robert Walsh, and Carl Livadas
Detecting worms and abnormal activities with NetFlow, Yiming Gong
Detecting spam machines, a NetFlow-data based approach, Gert Vliek
Many others