
Posted on 27-Mar-2015


Botnet Attribution and Removal: From Axioms to Theory to Practice

Wenke Lee (PI), College of Computing

Georgia Institute of Technology

ONR MURI N000140911042, Project Kick-off Meeting

November 20, 2009

Project Team

11/20/09 ONR MURI Project Kick-Off 2

[Team photo: Wenke, David, Nick, Jon, Kang, Giovanni, Farnam, Michael, John, Chris]

Project Team (cont’d)

• Georgia Tech
  – Wenke Lee (Ph.D. 1999, Columbia)
  – Nick Feamster (Ph.D. 2005, MIT)
  – Jon Giffin (Ph.D. 2006, Wisconsin)
  – David Dagon (Ph.D. 2009/10?, Georgia Tech)

• Michigan
  – Kang Shin (Ph.D. 1978, Cornell)
  – Farnam Jahanian (Ph.D. 1989, Texas)
  – Michael Bailey (Ph.D. 2006, Michigan)

• Stanford
  – John Mitchell (Ph.D. 1984, MIT)

• UC Santa Barbara
  – Giovanni Vigna (Ph.D. 1998, Politecnico di Milano)
  – Christopher Kruegel (Ph.D. 2002, Technical University of Vienna)


Project Overview

• A botnet is a network of compromised computers (bots) under the control of an attacker
  – Platform for most of the cyber attacks and fraudulent activities

• IA problems addressed
  – What are the intrinsic properties of botnets?
  – What are fundamental approaches to detect and remove all current and future botnets? And how to develop them?


Project Overview


An overarching framework that covers all aspects of botnet lifecycle and the entire network stack/scale, rather than a collection of point solutions.

A systematic and scientific approach to design robust botnet detection and analysis algorithms, rather than ad-hoc and brittle techniques.

Project Overview (cont’d)

• Approaches
  – Analyze the intrinsic/invariant properties of botnets
  – Derive the axioms, i.e., the necessary and possible host-, network- and Internet-level botnet behaviors that are due to these properties
  – From the axioms, develop the principles or theories for detecting and stopping these botnet behaviors
  – Put the theories into practice by developing practical algorithms and systems


Project Overview (cont’d)

• Approach example
  – Analyze essential properties of botnet lifecycle
    • E.g., botnets are valuable, long-term resources
  – Derive axioms that directly follow from the properties
    • E.g., botnets need to have agility to evade detection and removal
  – Derive theories from the axioms
    • E.g., by detecting and neutralizing the sources of network agility, we can limit botnets’ evasion capabilities and thus make botnets easier to detect and remove
  – Apply the theories to practice
    • E.g., an on-line detection of naming (DNS) based agility.


Project Overview (cont’d)

• Capabilities to offer
  – Innovative and foundational solutions to enable
    • End-hosts to identify bot activities on the host and block bot related traffic
    • Enterprise networks to identify hosts that participate in botnet activities on the Internet and accordingly block such traffic
    • Internet core to detect anomalies in Internet basic protocols to identify the servers used to support botnet operations and accordingly disrupt or even remove the botnets
  – Technology transfer and commercialization
    • PIs connected to Damballa and Arbor Networks


Research Areas

• Theory and taxonomy
  – Essential properties, axioms and theories
    • Lee, Mitchell, Dagon, Bailey
  – Taxonomy
    • Bailey, Dagon, Mitchell, Lee
  – Metrics, network and game theory models
    • Mitchell, Dagon, Feamster, Jahanian

• Epidemiology models
  – Population estimates and threat assessment
    • Jahanian, Dagon, Feamster, Shin


Research Areas (cont’d)

• Essential properties of botnets call for multifaceted detection and analysis approaches
  – Bots are compromised computers
    • Malware
  – Bot traffic is not sent/authorized by users
    • Host/user activities
  – C&C required to form/maintain botnet
    • Bot programs, network/Internet traffic
  – Bots used for attacks and frauds
    • Bot programs, network/Internet traffic
  – Bots are long-term resources
    • Reuse models, and mechanisms/protocols to support agility
  – Man behind the bots reaping the profit
    • “Management” servers or “mothership”


Research Areas (cont’d)

• Detection and analysis
  – Malware and malicious web pages/scripts
    • Kruegel, Bailey, Giffin, Lee
  – Host activities and network/Internet traffic
    • Giffin, Feamster, Mitchell, Jahanian, Lee
  – Agile C&C and activity infrastructures
    • Shin, Feamster, Jahanian, Dagon
  – Long-lived and reused bots
    • Feamster, Bailey, Vigna, Dagon
  – Motherships
    • Vigna, Shin, Dagon, Feamster


Research Areas (cont’d)

• Theoretical work validates intuitions and directs development and evaluation of detection and analysis algorithms for current and future botnets

• For example
  – A botnet has long-term utility, which depends on its network model


Research Areas (cont’d)

– Agility thus helps preserve botnet utility

– Realization on the Internet: DDNS, fast-flux, new domain daily (hourly?)

• Scale and layers of agile control


– Metrics, network and game theory models provide a theoretical understanding of the possibilities and trade-offs of botnet agilities

• Basis to fight future botnets
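The approach example earlier in the deck ends with "an on-line detection of naming (DNS) based agility", and the slide above lists the Internet-level realizations of that agility (DDNS, fast-flux, a new domain every day or hour). The following Python script is an added illustration of what such a detector can look like; it is not code from the ONR MURI project or from these slides. Per queried name it accumulates observed TTLs, distinct A records and distinct /24 prefixes from a passive-DNS stream, and reports a name as agile when all three point the same way. The /24 prefix count stands in for ASN diversity (BGP data is assumed unavailable offline), the thresholds are assumptions, and the names and addresses are constructed from RFC 5737 test ranges.

```python
"""Passive-DNS scorer for naming (DNS) agility.

Added example, not code from the ONR MURI project or the slides: it sketches
the kind of on-line detection of DNS-based agility (short TTLs, fast-flux
address churn) the deck mentions.  Thresholds are assumptions, and the
domain names and addresses below are constructed (RFC 5737 test ranges).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class DomainStats:
    """Running counters for one queried name, built from observed A answers."""
    ttls: list = field(default_factory=list)
    ips: set = field(default_factory=set)
    prefixes: set = field(default_factory=set)  # /24 blocks, a stand-in for ASNs


def observe(stats, qname, ttl, ip):
    """Fold one (qname, TTL, A record) observation into the per-name stats."""
    d = stats[qname.lower().rstrip(".")]
    d.ttls.append(ttl)
    d.ips.add(ip)
    # No ASN/BGP data is available offline, so the /24 of each address is
    # used as a coarse proxy for how many distinct networks the name points at.
    d.prefixes.add(str(ip_network(f"{ip}/24", strict=False)))


def summarize(d, ttl_max=300, min_ips=5, min_prefixes=3):
    """Score one name: a point each for a short average TTL, many distinct
    addresses and many distinct prefixes.  A name is reported as agile only
    when all three hold, which keeps a single-prefix CDN pool from matching."""
    avg_ttl = sum(d.ttls) / len(d.ttls)
    checks = (
        avg_ttl <= ttl_max,
        len(d.ips) >= min_ips,
        len(d.prefixes) >= min_prefixes,
    )
    return {
        "avg_ttl": avg_ttl,
        "unique_ips": len(d.ips),
        "prefixes": len(d.prefixes),
        "score": sum(checks),
        "agile": all(checks),
    }


def analyze(answers, **thresholds):
    """Run the scorer over an iterable of (qname, ttl, ip) tuples."""
    stats = defaultdict(DomainStats)
    for qname, ttl, ip in answers:
        observe(stats, qname, ttl, ip)
    return {name: summarize(d, **thresholds) for name, d in stats.items()}


# Constructed sample stream, as a sensor beside a recursive resolver might see it.
SAMPLE_ANSWERS = (
    # Stable site: long TTL, one address.
    [("www.example.com", 86400, "192.0.2.10")] * 4
    # CDN-like name: short TTL, several addresses, but all inside one /24.
    + [("static.example.net", 60, f"198.51.100.{h}") for h in range(11, 16)]
    # Flux-like name: short TTL, many addresses spread across several /24s.
    + [("flux.example.org", 30, f"{net}.{h}")
       for net in ("192.0.2", "198.51.100", "203.0.113")
       for h in range(21, 25)]
)


if __name__ == "__main__":
    for name, r in analyze(SAMPLE_ANSWERS).items():
        flag = "AGILE" if r["agile"] else "ok"
        print(f"{name:22s} ttl={r['avg_ttl']:>8.1f} ips={r['unique_ips']:>3d} "
              f"prefixes={r['prefixes']} score={r['score']} {flag}")
```

Requiring all three signals is deliberate: short TTLs and large address pools are also how legitimate CDNs and load balancers behave, so a production detector would pair this kind of score with real ASN lookups, an allow-list of known hosting providers and a view of how the address set changes over time, and would treat a hit as a triage signal rather than a verdict.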

Plan and Milestones


Evaluation and Technology Insertion

• PIs have a long history of dataset collection and network measurement and thus have access to a wide variety of production datasets including:
  – DNS, spam, malware, and alert data via SIE
  – BGP and netflow data from ISPs
  – Malware collections and exchanges

• Deployment and evaluation in operational environments in departments, universities, and upstream services providers

• PIs have strong ties to industry (e.g., Arbor and Damballa), and have participated in DHS-led efforts to deploy technologies in government agencies


Project Management and Student Education

• Project web site at Georgia Tech
  – Public pages showcasing the project
    • http://onrbotnet.gtisc.gatech.edu/
  – Private/wiki for project team and PM to share data, software, and reports
    • http://onrbotnet.gtisc.gatech.edu/wiki

• Bi-yearly project meeting
  – One co-located with a major security conference, and the other on a campus

• Education
  – 15 Ph.D. students, 1-3 Post Docs
  – Exchange summer interns, post docs


Related Projects and Support

• NSF “CLEANSE”, total $1.2M
  – Georgia Tech and Michigan (and UNC, SRI, ISC)
  – Large-scale monitoring of core Internet services such as DNS and BGP

• DHS botnet projects
  – Michigan and Georgia Tech, separate
  – Tech transfer and deployment

• NSF, AFRL, ARO, and ONR IA projects
  – All PIs; focused/specific areas such as malware on cell phones
