Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical...
Posted: 19-Dec-2015
Yan Chen
Northwestern Lab for Internet and Security Technology (LIST)
Dept. of Electrical Engineering and Computer Science
Northwestern University
http://list.cs.northwestern.edu
Network-based Botnet Detection Filtering,
Containment, and Destruction
Motorola Liaisons
Z. Judy Fu and Philip R. Roberts
Motorola Labs
New Internet Attack Paradigm
• Botnets have become the major attack force
• Symantec identified an average of about 10,000 bot-infected computers per day
• # of Botnets - increasing
• Bots per Botnet - decreasing
  – Used to be 80k-140k, now 1000s
• More firepower:
  – Broadband (1Mbps Up) x 100s = OC3
• More stealthy
  – Polymorphic, metamorphic, etc.
• Residential users, e.g., cable modem users, are particularly susceptible due to poor maintenance
Birth of a Bot
• Bots are born from program binaries that infect your PC
• Various vulnerabilities can be used
  – E-mail viruses
  – Shellcode (scripts)
Botnet Distribution
Project Goal
• Understand the trend of vulnerabilities and exploits used by the botnets in the wild
• Design vulnerability based botnet detection and filtering system
  – Deployed at routers/base stations w/o patching the end users
  – Complementary to the existing intrusion detection/prevention systems
  – Can also contain the botnets from infecting inside machines
• Find the command & control (C&C) of botnets and destroy it
Limitations of Exploit Based Signature
[Figure: exploit-based traffic filtering at the border between the Internet and our network, using the signature 10.*01 against incoming payloads 1010101, 10111101, 11111100 and 00010111]
Polymorphic worm might not have exact exploit based signature
Polymorphism!
Vulnerability Signature
• Work for polymorphic worms
• Work for all the worms which target the same vulnerability
[Figure: vulnerability signature traffic filtering at the border between the Internet and our network, blocking the traffic that targets the vulnerability]
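As an added illustration of the contrast drawn on these two slides (this is example code, not from the LIST project or the talk), the script below matches an exploit-based byte signature and a vulnerability signature, written as a predicate on parsed HTTP fields, against constructed requests that all target the same hypothetical overlong-URI bug; the sample traffic, the regex and the URI_LIMIT bound are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample traffic (not captured data): three polymorphic variants that
# all overflow the same hypothetical URI buffer, plus one benign request.
SAMPLES = {
    "variant_a": b"GET /" + b"A" * 600 + b" HTTP/1.0\r\nHost: x\r\n\r\n",
    "variant_b": b"GET /" + b"%41" * 200 + b" HTTP/1.0\r\nHost: x\r\n\r\n",
    "variant_c": b"GET /" + bytes(range(0x41, 0x5B)) * 25 + b" HTTP/1.0\r\nHost: x\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.0\r\nHost: x\r\n\r\n",
}

# Exploit-based signature: an exact byte pattern taken from one captured sample
# (the "AAAA..." filler of variant_a). Polymorphic variants change these bytes.
EXPLOIT_SIG = re.compile(rb"A{64,}")

# Assumed buffer bound for the hypothetical bug; not a value from any real product.
URI_LIMIT = 256


@dataclass
class HttpRequest:
    method: bytes
    uri: bytes
    version: bytes


def parse_http_request(payload: bytes) -> Optional[HttpRequest]:
    """Protocol parsing step: recover the request-line fields, or None if not HTTP."""
    line, _, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return HttpRequest(parts[0], parts[1], parts[2])


def exploit_sig_matches(payload: bytes) -> bool:
    """Byte-pattern match on the raw payload, as an exploit signature would do."""
    return EXPLOIT_SIG.search(payload) is not None


def vuln_sig_matches(payload: bytes) -> bool:
    """Vulnerability (protocol semantic) signature: a condition on a parsed field."""
    req = parse_http_request(payload)
    return req is not None and len(req.uri) > URI_LIMIT


def classify(samples: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (exploit_sig_hit, vuln_sig_hit)} for each sample payload."""
    return {n: (exploit_sig_matches(p), vuln_sig_matches(p)) for n, p in samples.items()}


if __name__ == "__main__":
    for name, (e, v) in classify(SAMPLES).items():
        print(f"{name:10s} exploit-sig={e!s:5s} vuln-sig={v}")
```

Only variant_a trips the byte signature, while all three variants trip the semantic one and the benign request trips neither.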
Emerging Botnet Vulnerability and Exploit Analysis
• Large operational honeynet dataset
• Massive dataset on the botnet scan with payload
• Preliminary analysis shows that the number of new exploits outpaces the # of new vulnerabilities.

            LBL        NU
Sensor      5 /24      10 /24
Traces      883GB      287GB
Duration    37 months  7 months
Vulnerability based Botnet Filtering/Containment
• Vulnerability Signature IDS/IPS framework
• Detect and filter incoming botnet
• Contain inside bots and quarantine infected customer machines

Packet Sniffing
TCP Reassembly
Protocol Identification: port# or payload
Protocol Parsing
Vulnerability Signature Matching
  – Single Matcher Matching
  – Combine multiple matchers
Residential Access: Cable Modems
Diagram: http://www.cabledatacomnews.com/cmic/diagram.html
Snort Rule Data Mining

                 Netbios  HTTP   Oracle  SUNRPC  Remaining  Total
Rule%            55.3%    25.8%  5.3%    2.3%    11.3%      100%
PSS%             99.9%    56.0%  96.6%   100%    84.7%      86.7%
Reduction Ratio  67.6     1.2    1.6     2.6     1.7        4.5

• Exploit Signature to Vulnerability Signature reduction ratio
PSS means: Protocol Semantic Signature
NetBios rules include the rules from WINRPC, SMB and NetBIOS protocols
Preliminary Results
• Experiment Setting
  – PC XEON 3.8GHz with 4GB memory
  – Real traffic after TCP reassembly preloaded to memory
• Experiment Results

                          HTTP       WINRPC
Trace size                558MB      468MB
#flows                    580K       743K
#PSS Signatures           791        45
#Snort Rule Covered       974        2000+
Parsing Speed             2.893Gbps  15.186Gbps
Parsing + Matching speed  1.033Gbps  13.897Gbps