Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical...
Posted: 19-Dec-2015
[Page 1]
Yan Chen
Northwestern Lab for Internet and Security Technology (LIST)
Dept. of Electrical Engineering and Computer Science
Northwestern University
http://list.cs.northwestern.edu
Network-based Botnet Detection Filtering,
Containment, and Destruction
Motorola Liaisons
Z. Judy Fu and Philip R. Roberts
Motorola Labs
[Page 2]
New Internet Attack Paradigm
• Botnets have become the major attack force
• Symantec identified an average of about 10,000 bot-infected computers per day
• # of Botnets: increasing
• Bots per Botnet: decreasing
– Used to be 80k-140k, now 1000s
• More firepower:
– Broadband (1Mbps Up) x 100s = OC3
• More stealthy
– Polymorphic, metamorphic, etc.
• Residential users, e.g., cable modem users, are particularly susceptible due to poor maintenance
[Page 3]
Birth of a Bot
• Bots are born from program binaries that infect your PC
• Various vulnerabilities can be used
– E-mail viruses
– Shellcode (scripts)
[Page 4]
Botnet Distribution
[Page 5]
Project Goal
• Understand the trend of vulnerabilities and exploits used by the botnets in the wild
• Design vulnerability based botnet detection and filtering system
– Deployed at routers/base stations w/o patching the end users
– Complementary to the existing intrusion detection/prevention systems
– Can also contain the botnets from infecting inside machines
• Find the command & control (C&C) of botnets and destroy it
[Page 6]
Limitations of Exploit Based Signature
[Figure: incoming payloads (1010101, 10111101, 11111100, 00010111) arrive from the Internet at the traffic-filtering point in front of our network, where the exploit based signature 10.*01 is applied to them]
Polymorphic worm might not have exact exploit based signature
Polymorphism!
[Page 7]
Vulnerability Signature
Work for polymorphic worms
Work for all the worms which target the same vulnerability
[Figure: vulnerability signature traffic filtering between the Internet and our network, blocking the traffic that targets the vulnerability]
[Page 8]
Emerging Botnet Vulnerability and Exploit Analysis
• Large operational honeynet dataset
• Massive dataset on the botnet scan with payload
• Preliminary analysis shows that the number of new exploits outpaces the # of new vulnerabilities.

| | LBL | NU |
|---|---|---|
| Sensor | 5 /24 | 10 /24 |
| Traces | 883GB | 287GB |
| Duration | 37 months | 7 months |
[Page 9]
Vulnerability based Botnet Filtering/Containment
• Vulnerability Signature IDS/IPS framework
• Detect and filter incoming botnet
• Contain inside bots and quarantine infected customer machines

Processing pipeline:
1. Packet Sniffing
2. TCP Reassembly
3. Protocol Identification: port# or payload
4. Protocol Parsing
5. Vulnerability Signature Matching
– Single Matcher Matching
– Combine multiple matchers
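To make the contrast on pages 6-7 and the pipeline on page 9 concrete, here is a small added example (not code from the LIST project or from the slides). It parses HTTP, then evaluates two kinds of signature over the same traffic: an exploit based byte pattern lifted from one sample, and vulnerability (protocol semantic) signatures that are predicates over parsed fields, with the hits of several matchers combined. The script name, parameter, header limits, signature names and the three sample requests are all constructed for the demo and correspond to no real CVE, product or Snort rule.

```python
"""Toy protocol-semantic (vulnerability) signature matcher.

Added illustration, not code from the LIST project. It contrasts an
exploit-based byte-pattern signature with vulnerability signatures that are
evaluated over parsed HTTP fields, and chains the slide's stages
(protocol parsing -> signature matching -> combining multiple matchers).
Every request, signature and buffer limit here is constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class HttpRequest:
    method: str
    uri: str
    version: str
    headers: Dict[str, str]  # header names lower-cased


def parse_http_request(raw: bytes) -> Optional[HttpRequest]:
    """Protocol parsing stage: minimal HTTP/1.x request-line and header
    parser. Returns None for non-HTTP payloads, which a real pipeline would
    hand to another protocol parser (protocol identification by payload)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(parts[0], parts[1], parts[2], headers)


# Exploit-based signature: a byte pattern lifted from one observed sample.
# It keys on the attacker's filler bytes ("AAAA..."), not on the bug itself.
EXPLOIT_SIGNATURE = re.compile(rb"GET /cgi-bin/vuln\.cgi\?id=A{32,}")


def exploit_signature_match(raw: bytes) -> bool:
    return EXPLOIT_SIGNATURE.search(raw) is not None


# Vulnerability signatures: predicates over parsed protocol fields.
Matcher = Callable[[HttpRequest], bool]


def query_param_overflow(script: str, param: str, limit: int) -> Matcher:
    """Hypothetical bug: `script` copies query parameter `param` into a
    fixed `limit`-byte buffer, so any longer value triggers it whatever
    bytes it contains."""
    def match(req: HttpRequest) -> bool:
        path, sep, query = req.uri.partition("?")
        if path != script or not sep:
            return False
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        return len(params.get(param, "")) > limit
    return match


def header_overflow(name: str, limit: int) -> Matcher:
    """Hypothetical bug: the server stores header `name` in a `limit`-byte buffer."""
    def match(req: HttpRequest) -> bool:
        return len(req.headers.get(name.lower(), "")) > limit
    return match


# Constructed signature set (names and limits are made up for the demo).
VULN_SIGNATURES: Dict[str, Matcher] = {
    "DEMO-CGI-ID-OVERFLOW": query_param_overflow("/cgi-bin/vuln.cgi", "id", 64),
    "DEMO-HOST-HEADER-OVERFLOW": header_overflow("Host", 255),
}


def match_vulnerability_signatures(raw: bytes) -> List[str]:
    """Parse once, then run every matcher and combine the hits
    (the 'combine multiple matchers' step of the slide's pipeline)."""
    req = parse_http_request(raw)
    if req is None:
        return []
    return [name for name, matcher in VULN_SIGNATURES.items() if matcher(req)]


# Constructed sample traffic: the original sample, a "polymorphic" variant
# with different filler bytes, and a benign request to the same script.
ORIGINAL_SAMPLE = (b"GET /cgi-bin/vuln.cgi?id=" + b"A" * 200
                   + b" HTTP/1.0\r\nHost: x\r\n\r\n")
POLYMORPHIC_VARIANT = (b"GET /cgi-bin/vuln.cgi?id=" + b"Zq9" * 70
                       + b" HTTP/1.0\r\nHost: x\r\n\r\n")
BENIGN_REQUEST = b"GET /cgi-bin/vuln.cgi?id=42 HTTP/1.1\r\nHost: example.test\r\n\r\n"


def compare_signatures() -> Dict[str, tuple]:
    """Return (exploit-signature hit, vulnerability-signature hits) per sample."""
    samples = {"original": ORIGINAL_SAMPLE,
               "polymorphic": POLYMORPHIC_VARIANT,
               "benign": BENIGN_REQUEST}
    return {label: (exploit_signature_match(raw), match_vulnerability_signatures(raw))
            for label, raw in samples.items()}


if __name__ == "__main__":
    for label, (exploit_hit, vuln_hits) in compare_signatures().items():
        print(f"{label:12s} exploit-sig={exploit_hit!s:5s} vuln-sigs={vuln_hits}")
```

Running it shows the point of pages 6-7: the byte-pattern signature fires only on the original sample and misses the variant with different filler, while the vulnerability signature fires on both and stays silent on the benign request, because it tests the condition that triggers the bug (field length over the buffer limit) rather than the bytes one attacker happened to send. The parse-once, match-many structure is also why the page 10 results report parsing and matching speed separately.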
[Page 10]
Residential Access: Cable Modems
Diagram: http://www.cabledatacomnews.com/cmic/diagram.html
[Page 11]
Snort Rule Data Mining

| | NetBIOS | HTTP | Oracle | SUNRPC | Remaining | Total |
|---|---|---|---|---|---|---|
| Rule% | 55.3% | 25.8% | 5.3% | 2.3% | 11.3% | 100% |
| PSS% | 99.9% | 56.0% | 96.6% | 100% | 84.7% | 86.7% |
| Reduction Ratio | 67.6 | 1.2 | 1.6 | 2.6 | 1.7 | 4.5 |

• Reduction Ratio: Exploit Signature to Vulnerability Signature reduction ratio
• PSS means: Protocol Semantic Signature
• NetBIOS rules include the rules from WINRPC, SMB and NetBIOS protocols
[Page 12]
Preliminary Results
• Experiment Setting
– PC XEON 3.8GHz with 4GB memory
– Real traffic after TCP reassembly, preloaded into memory
• Experiment Results

| | HTTP | WINRPC |
|---|---|---|
| Trace size | 558MB | 468MB |
| #flows | 580K | 743K |
| #PSS Signatures | 791 | 45 |
| #Snort Rule Covered | 974 | 2000+ |
| Parsing Speed | 2.893Gbps | 15.186Gbps |
| Parsing + Matching speed | 1.033Gbps | 13.897Gbps |