BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION
AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke Lee
PUBLICATION: USENIX Security Symposium, 2007.
PRESENTATION BY: Bharat Soundararajan
INTRODUCTION
BotHunter is a network perimeter monitoring system
It tracks two-way communication between internal assets and external entities
A dialog correlator inside BotHunter ties these communications together
The resulting sequence of evidence is matched against a botnet infection model
BOTNET INFECTION SEQUENCE
Propagates through remote exploit injection, e.g. NetBIOS (139), MyDoom (3127), DameWare (6129)
After infection the victim host downloads the full Phatbot binary
The bot inserts itself into the boot process and switches security processes off
The bot connects to the C&C server; the infected host now acts as a bot
MODEL OF THE DIALOG PROCESS
BOT INFECTION DECLARATION
Condition 1: evidence of local host infection (E2) and evidence of outward bot coordination or attack propagation (E3-E5)
Condition 2: at least two distinct signs of outward bot coordination or attack propagation (E3-E5)
BOTHUNTER SYSTEM ARCHITECTURE
Snort is used for detection
Extra plug-ins, SCADE and SLADE, are added to Snort
A network dialog correlation matrix is the central data structure
Bot infection profiles are reported to a remote repository
Reporting uses TLS over Tor (onion routing protocol)
SCADE (Statistical Scan Anomaly Detection Systems)
Inbound scan detection
Specifically weighted towards the ports often used by malware
Memory usage is proportional to the number of inside hosts
Counts failed connection attempts on each port
Ports are classified in BotHunter as
1) Highly vulnerable ports: 80 (HTTP), 445 (NetBIOS), 26 (TCP), 4 (UDP)
2) Low vulnerable ports
Inbound scan detection:
S = W1 * Fhs + W2 * Fls
Outbound scan detection:
S = (W1 * Fhs + W2 * Fls) / C
Where W1 = weight of high severity ports
W2 = weight of low severity ports
Fhs = number of connection failures on high severity ports
Fls = number of connection failures on low severity ports
C = total number of scans from the host within a time window
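The two SCADE formulas above, worked through on constructed failed-connection records. This is an added example, not code from the paper or the BotHunter project: the weights W1 and W2, the time window and the sample hosts are assumptions, and the high-severity port set is the one the slide lists.

```python
from dataclasses import dataclass

# Ports the slide classifies as "highly vulnerable" (protocol, port); all others are low severity.
HIGH_SEVERITY_PORTS = {("tcp", 80), ("tcp", 445), ("tcp", 26), ("udp", 4)}

# Assumed example weights; the slide only names W1 and W2 symbolically.
W1 = 3.0  # weight of high severity ports
W2 = 1.0  # weight of low severity ports


@dataclass(frozen=True)
class FailedConnection:
    """One failed connection attempt seen at the perimeter (constructed record shape)."""
    src: str
    dst: str
    proto: str
    port: int


def split_failures(failures):
    """Return (Fhs, Fls): failures on high severity ports and on low severity ports."""
    fhs = sum(1 for f in failures if (f.proto, f.port) in HIGH_SEVERITY_PORTS)
    return fhs, len(failures) - fhs


def inbound_scan_score(failures, w1=W1, w2=W2):
    """Inbound scan detection: S = W1 * Fhs + W2 * Fls for failures aimed at one inside host."""
    fhs, fls = split_failures(failures)
    return w1 * fhs + w2 * fls


def outbound_scan_score(failures, total_scans, w1=W1, w2=W2):
    """Outbound scan detection: S = (W1 * Fhs + W2 * Fls) / C, where C is the total
    number of scans the inside host made within the time window."""
    if total_scans <= 0:
        return 0.0
    fhs, fls = split_failures(failures)
    return (w1 * fhs + w2 * fls) / total_scans


def inbound_scores_by_target(failures, w1=W1, w2=W2):
    """Group inbound failures by targeted inside host and score each host separately,
    which is why SCADE's memory grows with the number of inside hosts."""
    by_host = {}
    for f in failures:
        by_host.setdefault(f.dst, []).append(f)
    return {host: inbound_scan_score(fs, w1, w2) for host, fs in by_host.items()}


# Constructed sample: an outside host probing two inside hosts within one window.
INBOUND_FAILURES = (
    [FailedConnection("10.9.9.9", "192.168.10.45", "tcp", 445)] * 3
    + [FailedConnection("10.9.9.9", "192.168.10.45", "tcp", 80)]
    + [FailedConnection("10.9.9.9", "192.168.10.45", "tcp", 8080)] * 2
    + [FailedConnection("10.9.9.9", "192.168.12.1", "tcp", 445)]
)

# Constructed sample: one inside host made 20 outbound connection attempts, 10 of which failed.
OUTBOUND_TOTAL_SCANS = 20
OUTBOUND_FAILURES = (
    [FailedConnection("192.168.10.66", "10.1.1.1", "tcp", 445)] * 6
    + [FailedConnection("192.168.10.66", "10.1.1.2", "tcp", 139)] * 2
    + [FailedConnection("192.168.10.66", "10.1.1.3", "tcp", 3127)] * 2
)

if __name__ == "__main__":
    print("inbound scores:", inbound_scores_by_target(INBOUND_FAILURES))
    print("outbound score:", outbound_scan_score(OUTBOUND_FAILURES, OUTBOUND_TOTAL_SCANS))
```

Dividing by C in the outbound formula turns the weighted failure count into a failure rate, so a host that legitimately opens many connections is not penalised for a handful of failures, whereas a host whose attempts mostly fail on malware-favoured ports scores high.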
SLADE (Statistical Payload Anomaly Detection Engine)
1-gram payload model: the occurrence frequency of each of the 256 possible byte values in the payload
Examines every request packet sent to the monitored services and outputs an alert if the packet deviates from the normal profile
An n-gram model would improve accuracy and resistance to evasion, e.g. by polymorphic worms
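A 1-gram payload anomaly detector in the spirit of SLADE, added here as an example and not taken from the paper or the BotHunter code. The slide only states that the model is the frequency of the 256 byte values and that deviation from a normal profile raises an alert; the per-byte mean and standard deviation profile, the normalised absolute deviation used as the distance, the smoothing constant and the threshold calibration are all assumptions, and the HTTP requests are constructed.

```python
SMOOTHING = 0.01  # assumed: keeps bytes with zero training variance from dominating the distance


def byte_frequencies(payload: bytes) -> list:
    """1-gram model: relative frequency of each of the 256 byte values in the payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = max(len(payload), 1)
    return [c / n for c in counts]


def train_profile(payloads):
    """Normal profile for a monitored service: per-byte mean and standard deviation."""
    freqs = [byte_frequencies(p) for p in payloads]
    n = len(freqs)
    mean = [sum(f[i] for f in freqs) / n for i in range(256)]
    std = [(sum((f[i] - mean[i]) ** 2 for f in freqs) / n) ** 0.5 for i in range(256)]
    return mean, std


def payload_distance(payload, profile):
    """Deviation of one request from the profile: sum of |freq - mean| / (std + smoothing)."""
    mean, std = profile
    f = byte_frequencies(payload)
    return sum(abs(f[i] - mean[i]) / (std[i] + SMOOTHING) for i in range(256))


def calibrate_threshold(payloads, profile, margin=2.0):
    """Alert threshold: the largest distance seen on normal traffic, times a safety margin."""
    return margin * max(payload_distance(p, profile) for p in payloads)


def is_anomalous(payload, profile, threshold):
    """SLADE-style decision: alert when the request deviates beyond the threshold."""
    return payload_distance(payload, profile) > threshold


# Constructed sample of normal requests to a monitored web service.
NORMAL_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: image/png\r\n\r\n",
    b"GET /news/2007/usenix.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\nAccept: text/html\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\nuser=alice&password=secret1",
    b"GET /style/main.css HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/css\r\n\r\n",
    b"GET /search?q=bothunter HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
]

# Constructed test inputs: a benign request and a payload dominated by non-text bytes.
BENIGN_REQUEST = b"GET /images/main.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: image/png\r\n\r\n"
SUSPICIOUS_PAYLOAD = b"\x90" * 64 + bytes(range(0x80, 0xC0)) + b"\x90" * 64


def run_demo():
    """Train on the normal requests and classify both test inputs."""
    profile = train_profile(NORMAL_REQUESTS)
    threshold = calibrate_threshold(NORMAL_REQUESTS, profile)
    return {
        "benign": is_anomalous(BENIGN_REQUEST, profile, threshold),
        "suspicious": is_anomalous(SUSPICIOUS_PAYLOAD, profile, threshold),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because the profile is only a per-byte histogram, any payload whose byte mix matches the service's normal traffic passes; this is the weakness the slide's n-gram remark and the later "polymorphic malware" disadvantage both refer to.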
NETWORK DIALOG CORRELATION MATRIX (example figure)
Columns: Time, Host, Timer, E1, E2, E3, E4, E5
Host            Timer        Alerts recorded
192.168.12.1    soft         Aa…Ab
192.168.10.45   hard         Ac…Ad, Ae…Af
192.168.10.66   hard         Ag, Ah…Ai, Aj…
192.168.12.46   hard         (no alerts yet)
…
192.168.11.123  hard & soft  Al, Am…An, Ao
(the E1-E5 column in which each alert sits did not survive extraction)
NETWORK DIALOG CORRELATION MATRIX
Row (dynamically allocated): summary of one internal host's dialog with external entities
Cell: one or more sensor alerts that map into one of the five evidence columns (E1-E5)
The correlation matrix grows dynamically when new activity involving a local host is detected, and rows expire
Timers set the expiry of the observation window
TYPES OF TIMERS
HARD PRUNE TIMERS (filled clocks)
Fixed temporal interval over which dialog warnings are allowed to aggregate
When it expires, evaluation leads either to a bot declaration or to the complete removal of that dialog trace
SOFT PRUNE TIMERS (open-faced clocks)
Smaller time window that allows users to configure tighter interval requirements
Inbound scan warnings expire more quickly, on the soft prune interval
BOT DECLARATION
An expectation table is compared with the values obtained from the calculation
When a dialog sequence crosses the threshold, the result is either a bot declaration or a non-bot declaration
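The matrix, the two timer kinds and the two declaration conditions above, combined into one small correlator. This is an added example written for this page, not BotHunter's own code: the timer lengths, the alert identifiers, the record shapes and the rule that a declared dialog is consumed into exactly one profile are assumptions; the stage names E1-E5 and the conditions are taken from the slides.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Dialog stages are the matrix columns from the slide; E3-E5 are outward evidence.
E1, E2, E3, E4, E5 = "E1", "E2", "E3", "E4", "E5"
STAGES = (E1, E2, E3, E4, E5)
OUTWARD = {E3, E4, E5}


@dataclass
class DialogRow:
    """One dynamically allocated row: an internal host's accumulated dialog evidence."""
    host: str
    opened_at: float
    # stage -> list of (timestamp, alert_id); each non-empty list is one matrix cell
    alerts: dict = field(default_factory=lambda: defaultdict(list))


class DialogCorrelator:
    def __init__(self, hard_prune=7200.0, soft_prune=600.0):
        self.hard_prune = hard_prune  # assumed: whole-dialog observation window (2 h)
        self.soft_prune = soft_prune  # assumed: shorter window for inbound scan warnings (10 min)
        self.rows = {}
        self.profiles = []

    def observe(self, host, stage, alert_id, ts):
        """Record a sensor alert; return a bot profile if the dialog now meets a condition."""
        row = self.rows.get(host)
        if row is None:  # the matrix grows when a local host is first seen
            row = self.rows[host] = DialogRow(host, ts)
        row.alerts[stage].append((ts, alert_id))
        self._soft_prune(row, ts)
        condition = self.evaluate(row)
        if condition == 0:
            return None
        profile = self._profile(row, condition)
        self.profiles.append(profile)
        del self.rows[host]  # assumed: one profile per infection, trace consumed
        return profile

    def _soft_prune(self, row, now):
        """Inbound scan warnings (E1) expire on the shorter soft prune interval."""
        row.alerts[E1] = [(t, a) for t, a in row.alerts[E1] if now - t <= self.soft_prune]

    @staticmethod
    def evaluate(row):
        """0 = no declaration; 1 = Condition 1 (E2 plus one of E3-E5);
        2 = Condition 2 (at least two distinct of E3-E5)."""
        outward = {s for s in OUTWARD if row.alerts[s]}
        if row.alerts[E2] and outward:
            return 1
        if len(outward) >= 2:
            return 2
        return 0

    def hard_prune_tick(self, now):
        """Hard prune timer: rows whose window elapsed without a declaration are removed."""
        expired = sorted(h for h, r in self.rows.items() if now - r.opened_at >= self.hard_prune)
        for h in expired:
            del self.rows[h]
        return expired

    @staticmethod
    def _profile(row, condition):
        return {
            "host": row.host,
            "condition": condition,
            "evidence": {s: [a for _, a in row.alerts[s]] for s in STAGES if row.alerts[s]},
        }


if __name__ == "__main__":
    c = DialogCorrelator()
    # constructed alert stream: scan in, exploit in, then outbound attack propagation
    c.observe("192.168.10.45", E1, "Aa", 0)
    c.observe("192.168.10.45", E2, "Ac", 30)
    print(c.observe("192.168.10.45", E4, "Ae", 60))
```

Evaluating on every new alert rather than only when the hard timer fires means a declaration is raised as soon as the evidence threshold is crossed, while the hard timer alone decides when an inconclusive trace is dropped.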
Figure 6: SCORING PLOTS: 2019 real bot infections
EXPERIMENTS AND RESULTS
Bot                           E1         E2              E3        E4          E5
Agobot                        Yes(2/2)   Yes(9/8)        Yes(6/6)  Yes(38/8)   Yes(4/1)
Phatbot-alpha5                Yes(14/4)  Yes(5785/5721)  Yes(3/3)  Yes(28/26)  Yes(4/2)
Phatbot-rls                   Yes(11/3)  Yes(2834/46)    Yes(8/8)  Yes(69/20)  Yes(6/2)
Rbot 0.6.6                    No(0)      Yes(2/1)        Yes(2/2)  Yes(65/24)  Yes(2/1)
Rx-asn-2-re-worked version 2  No(0)      Yes(2/2)        Yes(2/2)  Yes(70/27)  Yes(2/1)
Rxbot                         No(0)      Yes(4/3)        Yes(2/2)  Yes(59/18)  Yes(2/1)
Sxbot                         No(0)      Yes(3/2)        Yes(2/2)  Yes(73/26)  Yes(2/1)
Yes/No indicates whether the dialog warning was observed; in parentheses: (number of dialog warnings overall / number of warnings involving the victim)
RESULTS IN LIVE DEPLOYMENT
http://www.cyber-ta.org/malware-analysis/public
Website stats (Spotlight: Top 50 ISP Infection Sources):
Active period reported: 245 days
Botnet attacks detected: 23895
Botnet C&C channels witnessed: 175
Botnet DNS lookups witnessed: 8496
ADVANTAGES
Only one bot profile is generated per infection
An analysis of BotHunter against more than 2000 recent bot infection experiences is presented
A remote repository allows global collection and evaluation of bot activity
DISADVANTAGES
Bots could use encrypted communication channels for C&C
The correlator is not adapted to botnets capable of stealth scanning
Polymorphic malware is not handled, since SLADE uses a 1-gram payload model
THANK YOU