
Network-based Botnet Detection Filtering, Containment, and Destruction

This research focuses on understanding the vulnerabilities and exploits used by botnets in order to design a botnet detection and filtering system. The goal is to deploy the system at routers and base stations without requiring patching from end users, complementing existing intrusion detection/prevention systems. The system aims to contain botnets from infecting inside machines and locate and destroy their command and control centers.


Presentation Transcript


  1. Network-based Botnet Detection Filtering, Containment, and Destruction
     Yan Chen, Northwestern Lab for Internet and Security Technology (LIST), Dept. of Electrical Engineering and Computer Science, Northwestern University, http://list.cs.northwestern.edu
     Motorola Liaisons: Z. Judy Fu and Philip R. Roberts, Motorola Labs

  2. New Internet Attack Paradigm
     • Botnets have become the major attack force
     • Symantec identified an average of about 10,000 bot-infected computers per day
     • # of botnets: increasing
     • Bots per botnet: decreasing
       • Used to be 80k-140k, now 1000s
     • More firepower:
       • Broadband (1 Mbps up) x 100s = OC3
     • More stealthy
       • Polymorphic, metamorphic, etc.
     • Residential users, e.g., cable modem users, are particularly susceptible due to poor maintenance

  3. Birth of a Bot
     • Bots are born from program binaries that infect your PC
     • Various vulnerabilities can be used
       • E-mail viruses
       • Shellcode (scripts)

  4. Botnet Distribution

  5. Project Goal
     • Understand the trend of vulnerabilities and exploits used by the botnets in the wild
     • Design a vulnerability-based botnet detection and filtering system
       • Deployed at routers/base stations w/o patching the end users
       • Complementary to the existing intrusion detection/prevention systems
       • Can also contain the botnets from infecting inside machines
     • Find the command & control (C&C) of botnets and destroy it

  6. Limitations of Exploit Based Signature
     Diagram: traffic filtering with the exploit-based signature "10.*01" between the Internet and our network, with sample payloads 1010101, 10111101, 11111100 and 00010111.
     Polymorphism! A polymorphic worm might not have the exact exploit-based signature.

  7. Vulnerability Signature
     Diagram: vulnerability-signature traffic filtering between the Internet and our network, blocking traffic aimed at the vulnerability.
     • Works for polymorphic worms
     • Works for all the worms which target the same vulnerability

  8. Emerging Botnet Vulnerability and Exploit Analysis
     • Large operational honeynet dataset
     • Massive dataset on the botnet scan with payload
     • Preliminary analysis shows that the number of new exploits outpaces the # of new vulnerabilities.

  9. Vulnerability based Botnet Filtering/Containment
     • Vulnerability Signature IDS/IPS framework
       • Detect and filter incoming botnet
       • Contain inside bots and quarantine infected customer machines
     Diagram: processing stack, bottom to top: Packet Sniffing → TCP Reassembly → Protocol Identification (port# or payload) → Protocol Parsing → Single Matcher Matching → Combine multiple matchers (Vulnerability Signature Matching)
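To make the contrast of slides 6-7 and the pipeline of slide 9 concrete, here is an added Python example (not code from the presentation or the LIST project) that runs reassembly, protocol identification, protocol parsing and two matchers over a constructed toy protocol: an exploit-based byte-pattern signature beside a vulnerability signature that checks the protocol-semantic condition (an over-long field) that actually reaches the bug. The toy protocol, port 7777, the 32-byte buffer and the sample messages are all assumptions.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed toy request format (an assumption, not a real protocol):
#   byte 0: command (0x01 = LOGIN), byte 1: name length, then the name bytes.
# The hypothetical server copies `name` into a 32-byte buffer without checking
# the length, so any LOGIN whose name_len exceeds 32 reaches the vulnerability.
LOGIN, NAME_BUF_SIZE, TOY_PORT = 0x01, 32, 7777
# Exploit-based signature: a byte pattern lifted from one captured exploit.
EXPLOIT_SIG = re.compile(rb"\x90{4}.*?EXPL", re.S)

def tcp_reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Order segments by sequence number, dropping retransmitted bytes (no gaps assumed)."""
    stream = b""
    for seq, data in sorted(segments):
        if seq + len(data) <= len(stream):
            continue                                   # fully retransmitted
        stream += data[max(0, len(stream) - seq):]     # trim overlap, append rest
    return stream

def identify_protocol(dst_port: int, payload: bytes) -> Optional[str]:
    """Protocol identification: by destination port, else by payload shape."""
    if dst_port == TOY_PORT or (len(payload) >= 2 and payload[0] == LOGIN):
        return "toyproto"
    return None

def parse_toyproto(stream: bytes) -> Dict[str, Any]:
    """Protocol parsing: extract the semantic fields the matcher needs."""
    if len(stream) < 2:
        raise ValueError("truncated header")
    return {"cmd": stream[0], "name_len": stream[1], "name": stream[2:2 + stream[1]]}

def vuln_matcher(f: Dict[str, Any]) -> bool:
    """Vulnerability signature: the protocol-level condition that overflows the buffer."""
    return f["cmd"] == LOGIN and f["name_len"] > NAME_BUF_SIZE

def inspect(dst_port: int, segments: List[Tuple[int, bytes]]) -> Dict[str, bool]:
    """Run the pipeline and report what each matcher decided for this stream."""
    stream = tcp_reassemble(segments)
    hit_exploit = EXPLOIT_SIG.search(stream) is not None
    if identify_protocol(dst_port, stream) != "toyproto":
        return {"exploit_sig": hit_exploit, "vuln_sig": False}
    return {"exploit_sig": hit_exploit, "vuln_sig": vuln_matcher(parse_toyproto(stream))}

def make_login(name: bytes) -> bytes:
    return bytes([LOGIN, len(name)]) + name

# Constructed samples: the captured exploit, a polymorphic variant (same overlong
# name, different filler bytes) and a benign login, each delivered as two segments.
SAMPLES = {"original": make_login(b"\x90" * 4 + b"A" * 40 + b"EXPL"),
           "variant": make_login(b"\x41\x42" * 2 + b"B" * 40 + b"XXXX"),
           "benign": make_login(b"alice")}

def demo() -> Dict[str, Dict[str, bool]]:
    return {k: inspect(TOY_PORT, [(5, m[5:]), (0, m[:5])]) for k, m in SAMPLES.items()}
```

The exploit signature catches only the captured sample, while the vulnerability signature flags both the original and the rewritten variant and leaves the benign login alone.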

  10. Residential Access: Cable Modems
      Diagram: http://www.cabledatacomnews.com/cmic/diagram.html

  11. Snort Rule Data Mining
      • Exploit Signature to Vulnerability Signature reduction ratio
      • PSS means Protocol Semantic Signature
      • NetBIOS rules include the rules from the WINRPC, SMB and NetBIOS protocols

  12. Preliminary Results
      • Experiment Setting
        • PC Xeon 3.8GHz with 4GB memory
        • Real traffic after TCP reassembly, preloaded into memory
      • Experiment Results
