Botconf 2013 - DNS-based Botnet C2 Server Detection
Uploaded by: sensepost
Transcript of Botconf 2013 - DNS-based Botnet C2 Server Detection
Slide 1: DNS Based Botnet C2 Server Detection
Spatial Statistics as a detection metric
Slide 3: Geographic Analysis
(image: https://www.team-cymru.org/images/conficker-2009-01-29-dark-full.jpg, Team Cymru Conficker map, 2009-01-29)
Slide 4: Research Goals
● Accurately detect botnet traffic
○ Assume no prior knowledge
○ Lightweight
○ Fast
○ Adaptable
● Early detection

Slide 5: Examining DNS
DNS is used by web browsing, P2P, bots: practically everything, which makes DNS traffic a single vantage point over all of them.
Slide 6: DNS Fast-Flux
● Short TTL
● Multiple A Records
● Different IP Ranges

Slide 7: DNS Fast-Flux
● Multiple ASNs
● Multiple Countries
● Multiple Timezones
● Multiple Unique Location Identifiers
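As an added example (not code from the talk or from SensePost), the following Python extracts the indicators of slides 6 and 7 from successive DNS answers for one name. Everything in it is constructed: the answers, the addresses (RFC 5737 documentation and RFC 1918 ranges), the per-address ASN/country/timezone table that stands in for an IP-to-ASN feed plus a GeoIP database, and the thresholds. It also shows the caveat a practitioner runs into first: a CDN-fronted site has a short TTL and many rotating A records too, so the rotation indicators alone are not enough and the dispersion indicators (ASNs, countries, timezones, address ranges) have to carry the decision.

```python
"""Fast-flux indicators from successive DNS answers (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed per-IP metadata: (ASN, ISO country, UTC offset in hours).
# A deployment would fill this from an IP-to-ASN service and a GeoIP
# database; the ASNs are from the RFC 5398 documentation range.
IP_META: Dict[str, Tuple[int, str, float]] = {
    # CDN-like benign service: one operator, one country, two /24s
    "198.51.100.11": (64496, "DE", 1.0),
    "198.51.100.12": (64496, "DE", 1.0),
    "198.51.100.13": (64496, "DE", 1.0),
    "203.0.113.5": (64496, "DE", 1.0),
    "203.0.113.6": (64496, "DE", 1.0),
    # fast-flux style: compromised hosts in unrelated networks
    "192.0.2.10": (64497, "ZA", 2.0),
    "10.8.45.2": (64498, "US", -5.0),
    "172.16.200.9": (64499, "BR", -3.0),
    "10.120.3.33": (64500, "RU", 3.0),
    "172.31.7.40": (64501, "IN", 5.5),
    "10.200.1.15": (64502, "CN", 8.0),
}


@dataclass
class Answer:
    """One DNS response: the A records and the TTL they were served with."""
    qname: str
    ttl: int
    a_records: List[str]


def flux_features(answers: List[Answer]) -> Dict[str, int]:
    """Aggregate the slide 6/7 indicators over all answers seen for a name."""
    ips = {ip for a in answers for ip in a.a_records}
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    meta = [IP_META[ip] for ip in ips]
    return {
        "min_ttl": min(a.ttl for a in answers),
        "unique_ips": len(ips),
        "unique_24s": len(nets),
        "unique_asns": len({asn for asn, _, _ in meta}),
        "unique_countries": len({cc for _, cc, _ in meta}),
        "unique_timezones": len({tz for _, _, tz in meta}),
    }


def flux_indicators(f: Dict[str, int], ttl_max: int = 300) -> List[str]:
    """Name each indicator that fired. The thresholds are illustrative assumptions."""
    checks = [
        ("short_ttl", f["min_ttl"] <= ttl_max),
        ("multiple_a_records", f["unique_ips"] >= 3),
        ("multiple_ip_ranges", f["unique_24s"] >= 3),
        ("multiple_asns", f["unique_asns"] >= 3),
        ("multiple_countries", f["unique_countries"] >= 2),
        ("multiple_timezones", f["unique_timezones"] >= 2),
    ]
    return [name for name, fired in checks if fired]


DISPERSION = {"multiple_ip_ranges", "multiple_asns",
              "multiple_countries", "multiple_timezones"}


def is_suspected_flux(indicators: List[str]) -> bool:
    """Short TTL plus rotating A records also describes a CDN, so require
    administrative/geographic dispersion as well before flagging a name."""
    fired = set(indicators)
    churn = {"short_ttl", "multiple_a_records"} <= fired
    dispersed = len(DISPERSION & fired) >= 3
    return churn and dispersed


# Constructed lookups: two successive answers per name, as a resolver sees them.
CDN_ANSWERS = [
    Answer("cdn.example", 60, ["198.51.100.11", "198.51.100.12", "203.0.113.5"]),
    Answer("cdn.example", 60, ["198.51.100.13", "203.0.113.6", "198.51.100.11"]),
]
FLUX_ANSWERS = [
    Answer("flux.example", 180, ["192.0.2.10", "10.8.45.2", "172.16.200.9"]),
    Answer("flux.example", 180, ["10.120.3.33", "172.31.7.40", "10.200.1.15"]),
]

if __name__ == "__main__":
    for answers in (CDN_ANSWERS, FLUX_ANSWERS):
        feats = flux_features(answers)
        fired = flux_indicators(feats)
        verdict = "suspected fast-flux" if is_suspected_flux(fired) else "benign"
        print(answers[0].qname, feats, fired, "->", verdict)
```

The CDN name fires only short_ttl and multiple_a_records and is left alone; the flux name fires all six indicators. Feeding the function answers collected over several TTL periods rather than a single lookup is what makes the union of A records meaningful.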
Slide 8: Widely Dispersed Networks

Slide 9: Spatial Statistics
Spatial Measures
(image: http://earth-info.nga.mil/GandG/coordsys/images/MGRS_1km_Polygon_Shapefiles_Coverage.jpg, MGRS 1 km grid coverage)

Slide 10: Spatial Measures

Slide 11: Nearest Neighbours
Fast-Flux Domains vs. Benign Domains

Slide 12: Spatial Statistics
(image: https://upload.wikimedia.org/wikipedia/commons/c/c7/Snow-cholera-map.jpg, John Snow's cholera map)
Slide 13: First Law of Geography
"All things are related, but near things are more related than far things." - W. Tobler

Slide 14: Autocorrelation

Slide 15: Moran's Index

Slide 16: Geary's Coefficient
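Added for reference, since slides 15 and 16 name the two statistics without writing them out (these are the standard definitions, not reproduced from the slides): for n spatial units with attribute values x_i, mean \bar{x}, and a spatial weights matrix w_{ij} (for instance 1 when units i and j are neighbouring timezone, UTM or MGRS cells and 0 otherwise, with w_{ii} = 0) and S_0 = \sum_i \sum_j w_{ij}:

$$
I = \frac{n}{S_0}\,\frac{\sum_{i}\sum_{j} w_{ij}\,(x_i-\bar{x})(x_j-\bar{x})}{\sum_{i}(x_i-\bar{x})^2},
\qquad
C = \frac{n-1}{2S_0}\,\frac{\sum_{i}\sum_{j} w_{ij}\,(x_i-x_j)^2}{\sum_{i}(x_i-\bar{x})^2}.
$$

Under no spatial autocorrelation E[I] = -1/(n-1) and E[C] = 1. I above that value (C below 1) means similar values sit next to each other, as when a domain's addresses share a few adjacent cells; I below it (C above 1) means neighbouring units differ, the pattern of a fast-flux domain whose few occupied cells are surrounded by empty ones. The two move in opposite directions but are not simple transforms of one another: C is built from pairwise differences and reacts more to local contrasts, which is why the talk trains a classifier on each.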
Slide 17: Building the Classifiers

Slide 18: Classifier Training
Benign Dataset
Fast-Flux Dataset

Slide 19: Classifier Training
Moran's I: Timezones

Slide 20: Moran's I: UTM

Slide 21: Geary's C: UTM

Slide 22: Geary's C: MGRS
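The following Python is an added example, not the classifier from the talk. It takes one reading of slides 19 to 22: each A record of a domain is geolocated, the attribute x_i is the number of the domain's addresses falling in zone i, and the spatial weights are binary contiguity between neighbouring zones on a ring that wraps at the antimeridian. Two zonings are implemented, UTM 6-degree longitude zones and nominal 15-degree timezone bands (an MGRS grid would be the same idea with a 2-D adjacency). The coordinates, the addresses (RFC 5737 documentation ranges) and the decision cut-offs are constructed; the talk learned its thresholds from labelled datasets.

```python
"""Moran's I and Geary's C over a domain's resolved addresses, binned into
UTM longitude zones or nominal timezone bands (added example, not the
classifier from the talk)."""
from typing import Callable, Dict, List, Tuple

# Constructed geolocation table, ip -> (lat, lon). A deployment would query a
# GeoIP database; these coordinates are illustrative and the addresses are
# RFC 5737 documentation addresses that resolve to nothing real.
GEO: Dict[str, Tuple[float, float]] = {
    "203.0.113.10": (52.37, 4.90),    # Amsterdam area
    "203.0.113.11": (52.08, 4.30),    # The Hague area
    "198.51.100.20": (50.11, 8.68),   # Frankfurt area
    "198.51.100.21": (48.78, 9.18),   # Stuttgart area
    "192.0.2.1": (37.77, -122.42),    # San Francisco
    "192.0.2.2": (39.74, -104.99),    # Denver
    "192.0.2.3": (40.71, -74.01),     # New York
    "192.0.2.4": (-25.39, -51.46),    # Guarapuava, Brazil
    "192.0.2.5": (48.86, 2.35),       # Paris
    "192.0.2.6": (55.75, 37.62),      # Moscow
    "192.0.2.7": (13.08, 80.27),      # Chennai
    "192.0.2.8": (31.23, 121.47),     # Shanghai
}

# Constructed resolutions: a benign name hosted in one region and a
# fast-flux name whose A records are scattered across the globe.
BENIGN_IPS = ["203.0.113.10", "203.0.113.11", "198.51.100.20", "198.51.100.21"]
FLUX_IPS = ["192.0.2.%d" % i for i in range(1, 9)]

UTM_ZONES = 60   # 6-degree longitude zones, zone 1 starts at 180 W
TZ_BANDS = 24    # nominal 15-degree UTC-offset bands (political zones ignored)


def utm_zone(lon: float) -> int:
    """0-based UTM longitude zone index (UTM zone number minus one)."""
    return min(int((lon + 180.0) // 6), UTM_ZONES - 1)   # lon == 180 -> zone 60


def tz_band(lon: float) -> int:
    """0-based index of the nominal UTC offset band, taken modulo 24."""
    return int(round(lon / 15.0)) % TZ_BANDS


def zone_counts(ips: List[str], zone_of: Callable[[float], int],
                n_zones: int) -> List[int]:
    """Attribute vector x: number of the domain's addresses in each zone."""
    counts = [0] * n_zones
    for ip in ips:
        _lat, lon = GEO[ip]
        counts[zone_of(lon)] += 1
    return counts


def ring_neighbours(i: int, n: int) -> Tuple[int, int]:
    """Binary contiguity weights on a ring: w_ij = 1 for the two adjacent
    zones, wrapping at the antimeridian, so S0 = 2n (n must be >= 3)."""
    return ((i - 1) % n, (i + 1) % n)


def morans_i(x: List[int]) -> float:
    """Moran's I with ring contiguity weights."""
    n = len(x)
    mean = sum(x) / n
    z = [v - mean for v in x]
    denom = sum(v * v for v in z)
    if denom == 0:
        raise ValueError("attribute has no variance; I is undefined")
    num = sum(z[i] * z[j] for i in range(n) for j in ring_neighbours(i, n))
    s0 = 2 * n
    return (n / s0) * num / denom


def gearys_c(x: List[int]) -> float:
    """Geary's C with ring contiguity weights."""
    n = len(x)
    mean = sum(x) / n
    denom = sum((v - mean) ** 2 for v in x)
    if denom == 0:
        raise ValueError("attribute has no variance; C is undefined")
    num = sum((x[i] - x[j]) ** 2 for i in range(n) for j in ring_neighbours(i, n))
    s0 = 2 * n
    return ((n - 1) / (2 * s0)) * num / denom


def classify(ips: List[str], zone_of: Callable[[float], int],
             n_zones: int) -> Tuple[str, float, float]:
    """Assumed decision rule: I < 0 together with C > 1 means the address
    counts are dispersed rather than clustered. The talk learned its cut-offs
    from labelled benign and fast-flux data; 0 and 1 are the textbook
    no-autocorrelation reference points and stand in for them here."""
    x = zone_counts(ips, zone_of, n_zones)
    i, c = morans_i(x), gearys_c(x)
    return ("fast-flux" if i < 0 and c > 1 else "benign"), i, c


if __name__ == "__main__":
    for name, ips in (("benign.example", BENIGN_IPS), ("flux.example", FLUX_IPS)):
        for label, zone_of, n in (("UTM", utm_zone, UTM_ZONES), ("TZ", tz_band, TZ_BANDS)):
            verdict, i, c = classify(ips, zone_of, n)
            print(f"{name:15} {label:4} I={i:+.3f} C={c:.3f} -> {verdict}")
```

On the constructed data the benign name's four addresses occupy two adjacent UTM zones (I = 14/29, C = 59/116), while the flux name's eight addresses sit in eight isolated zones (I = -2/13, C = 59/52); the timezone binning separates them the same way. Note the degenerate case guarded above: a domain with a single address has no variance across zones, so neither statistic is defined and such names need a separate rule.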
Slide 23: Classifier Results

Slide 24: Moran Classifier Results (accuracy)
Timezones: 97%
UTM: 95%
MGRS: 95%

Slide 25: Geary Classifier Results (accuracy)
Timezones: 95%
UTM: 96%
MGRS: 95%
Slide 26: Evaluating Performance
● Determine resource usage
● Impact on normal network performance
● Scalability

Slide 27: Classifier Performance Impact
(image: http://beyond.customline.com/wp-content/uploads/2012/04/Cheetah-performance.jpg)

Slide 28: Measured Performance

Slide 29: Measured Performance
20,000 domain lookups
Processed in 13 seconds
6.501×10⁻⁴ seconds per domain (roughly 1,500 domains per second)

Slide 30: Benefits
Fast
Small
Low maintenance
Scalable

Slide 31: Future Work
● Combine classifiers into stand-alone solution
● Combine detection and blocking
● Increase accuracy of geo-location