nullcon 2011 - Botnet Detection approach by DNS behavior and clustering analysis
Download as PPTX, PDF1 like2,120 views
The document presents a botnet detection system leveraging DNS behavior and clustering analysis to identify botnets, which are networks of compromised computers used for malicious activities. It outlines the prevalence of botnets, detailing recruitment rates of new bots and the limitations of traditional detection methods. The proposed methodology utilizes DNS data and k-means clustering to effectively detect fast-flux characteristics associated with botnets, demonstrating promising results with low false positives in real-world evaluations.
![Related WorkBotnet Detection by Monitoring Group Activities in DNS Traffic :HyunsangChoi, Hanwoo Lee, Heejo Lee, Hyogon Kim Korea University.BotHunter [Guetal Security’07]: dialog correlation to detect bots based on an infection dialog modelBotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection (GuofeiGu Georgia Institute of Technology) http://null.co.in](https://image.slidesharecdn.com/nileshsharmanullcon-110314050712-phpapp01/85/nullcon-2011-Botnet-Detection-approach-by-DNS-behavior-and-clustering-analysis-15-320.jpg)
![REAL WORLD FAST-FLUX EXAMPLESCredit Money Botnet- Zeus BotnetBelow are the single-flux DNS records typical of such an infrastructure. The tables show DNS snapshots of the domain name divewithsharks.hk taken approximately every 30 minutes, with the five A records returned round-robin showing clear infiltration into home/business dialup and broadband networks. Notice that the NS records do not change, but some of the A records do. This is the money mule bot example. divewithsharks.hk. 1800 IN A 70.68.187.xxx [xxx.vf.shawcable.net]divewithsharks.hk. 1800 IN A 76.209.81.xxx [SBIS-AS - AT&T Internet Services]divewithsharks.hk. 1800 IN A 85.207.74.xxx [adsl-ustixxx-74-207-85.bluetone.cz]divewithsharks.hk. 1800 IN A 90.144.43.xxx [d90-144-43-xxx.cust.tele2.fr]divewithsharks.hk. 1800 IN A 142.165.41.xxx [142-165-41-xxx.msjw.hsdb.sasknet.sk.ca] divewithsharks.hk. 1800 IN NS ns1.world-wr.com.divewithsharks.hk. 1800 IN NS ns2.world-wr.com.ns1.world-wr.com. 87169 IN A 66.232.119.212 [HVC-AS - HIVELOCITY VENTURES CORP]ns2.world-wr.com. 87177 IN A 209.88.199.xxx [vpdn-dsl209-88-199-xxx.alami.net]http://null.co.in](https://image.slidesharecdn.com/nileshsharmanullcon-110314050712-phpapp01/85/nullcon-2011-Botnet-Detection-approach-by-DNS-behavior-and-clustering-analysis-30-320.jpg)
![REAL WORLD FAST-FLUX EXAMPLESfast-flux nets appear to apply some form of logic in deciding which of their available IP addresses will be advertised in the next set of responses. This may be based on ongoing connection quality monitoring (and perhaps a load-balancing algorithm). New flux-agent IP addresses are inserted into the fast-flux service network to replace nodes with poor performance, being subject to mitigation or otherwise offline nodes. divewithsharks.hk. 1800 IN A 24.85.102.xxx [xxx.vs.shawcable.net] NEWdivewithsharks.hk. 1800 IN A 69.47.177.xxx [d47-69-xxx-177.try.wideopenwest.com] NEWdivewithsharks.hk. 1800 IN A 70.68.187.xxx [xxx.vf.shawcable.net]divewithsharks.hk. 1800 IN A 90.144.43.xxx [d90-144-43-xxx.cust.tele2.fr]divewithsharks.hk. 1800 IN A 142.165.41.xxx [142-165-41-xxx.msjw.hsdb.sasknet.sk.ca] divewithsharks.hk. 1800 IN NS ns1.world-wr.com.divewithsharks.hk. 1800 IN NS ns2.world-wr.com.ns1.world-wr.com. 85248 IN A 66.232.119.xxx [HVC-AS - HIVELOCITY VENTURES CORP]ns2.world-wr.com. 82991 IN A 209.88.199.xxx [vpdn-dsl209-88-199-xxx.alami.net]http://null.co.in](https://image.slidesharecdn.com/nileshsharmanullcon-110314050712-phpapp01/85/nullcon-2011-Botnet-Detection-approach-by-DNS-behavior-and-clustering-analysis-31-320.jpg)
![REAL WORLD FAST-FLUX EXAMPLESAs we see, highlighted in bold two of the advertised IP addresses have changed. Again, these two IP addresses belong to dial-up or broadband networks. Another 30 minutes later, a lookup of the domain returns the following information: divewithsharks.hk. 1238 IN A 68.150.25.xxx [xxx.ed.shawcable.net] NEWdivewithsharks.hk. 1238 IN A 76.209.81.xxx [SBIS-AS - AT&T Internet Services] This one came back!divewithsharks.hk. 1238 IN A 172.189.83.xxx [xxx.ipt.aol.com] NEWdivewithsharks.hk. 1238 IN A 200.115.195.xxx [pcxxx.telecentro.com.ar] NEWdivewithsharks.hk. 1238 IN A 213.85.179.xxx [CNT Autonomous System] NEW divewithsharks.hk. 1238 IN NS ns1.world-wr.com.divewithsharks.hk. 1238 IN NS ns2.world-wr.com.ns1.world-wr.com. 83446 IN A 66.232.119.xxx [HVC-AS - HIVELOCITY VENTURES CORP]ns2.world-wr.com. 81189 IN A 209.88.199.xxx [vpdn-dsl209-88-199-xxx.alami.net]Now, we observe four new IP addresses and one IP address that we saw in the first query. This demonstrates the round-robin address response mechanism used in fast-flux networks. As we have seen in this example, the A records for the domain are constantly changing. Each one of these systems represents a compromised host acting as a redirector, a redirector that eventually points to the money mule botnethttp://null.co.in](https://image.slidesharecdn.com/nileshsharmanullcon-110314050712-phpapp01/85/nullcon-2011-Botnet-Detection-approach-by-DNS-behavior-and-clustering-analysis-32-320.jpg)
nullcon 2011 - Botnet Detection approach by DNS behavior and clustering analysis
- 1. Botnet Detection System using DNS behaviour and clustering analysisPresented by Nilesh SharmaPulkitMehndirattaIndraprashta Institute of Information Technology, Delhi(IIIT- DELHI)http://null.co.in
- 2. Who we are….?M.tech (pursuing) from the IIIT- DelhiResearch Interests-BotnetsCyber ForensicsPrivacy enhancive technologiesCryptographic techniquesPart of IIITD-ACM student chapterhttp://null.co.in
- 3. What Is a Bot/Botnet?Bot – A malware instance that runs autonomously and automatically on a compromised computer (zombie) without owner’s consent.Botnet (Bot Army): network of bots controlled by criminals- “A coordinated group of malware instances that are controlled by a botmaster via some C&C channel”.– “25% of Internet PCs are part of a botnet!” ( - Vint Cerf)http://null.co.in
- 4. Botnets are used for…. All DDoS attacks
- 5. Spam
- 6. Click fraud
- 9. Distributing other malware, e.g., spywarehttp://null.co.in
- 10. How big is this problem?The size and prevalence of the botnet reported as many as 172,000 new bots recruited every day according to CipherTrust.which means about 5 million new bots are appeared every month. Symantec recently reported that the number of bots observed in a day is 30,000 on average.The total number of bot infected systems has been measured to be between 800,000 to 900,000. A single botnet comprised of more than 140,000 hosts was found in the wild and botnet driven attacks have been responsible for single DDoS attacks of more than 10Gbps capacity.http://null.co.in
- 11. Conflicker according to McAfeeWhen executed, the worm copies itself using a random name to the %Sysdir% folder.Obtains the public ip address of the affected computer. Attempts to download a malware file from the remote website Starts a HTTP server on a random port on the infected machine to host a copy of the worm. Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. http://null.co.in
- 12. Difference between a Virus ,Worm and Botnets….E:\nilesh _back up\academics\dss project\New Folder\botnet explained.flvhttp://null.co.in
- 13. Existing TechniquesTraditional Anti Virus tools – Bots use packer, rootkit, frequent updating to easily defeat Anti Virus toolsHoneypot – Not a good botnet detection toolhttp://null.co.in
- 14. Challenges for Botnet DetectionSelection of Network Monitoring ToolClustering AlgorithmHeuristics for clustering algorithmThe fast flux. False PositivesGraphical User InterfaceLooking for dynamic approach as static and signature based approaches may not be effective.http://null.co.in
- 15. Related WorkBotnet Detection by Monitoring Group Activities in DNS Traffic :HyunsangChoi, Hanwoo Lee, Heejo Lee, Hyogon Kim Korea University.BotHunter [Guetal Security’07]: dialog correlation to detect bots based on an infection dialog modelBotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection (GuofeiGu Georgia Institute of Technology) http://null.co.in
- 16. MotivationBotnets can change their C&C content (encryption, etc.), protocols (IRC, HTTP, etc.), structures (P2P, etc.), C&C servers.http://null.co.in
- 17. Again Botnet…..“A coordinated group of malware instances that are controlled by a botmaster via some C&C channel”http://null.co.in
- 19. MethodologyCollect the DNS data from wireshark and change it into .csv file format using Logparser tool through a GUI toolInsert the infected data(looks like botnet, having the fast flux characteristics).Retrieve the DNS name and its respective IP addresses from the packet information(.csv file).Perform the K-means clustering on the data on the basis of DNS name and try to find out that whether we are being able to detect botnetfastflux or not?http://null.co.in
- 21. Results (k=50 clusters)http://null.co.in
- 22. Results (k=100 clusters)
- 23. Results (k=150 clusters)
- 24. Results (k=200 clusters)
- 28. Real world fast-flux examplesDNS Basics-A RecordA records (also known as host records) are the central records of DNS. These records link a domain, or subdomain, to an IP address. A records and IP addresses do not necessarily match on a one-to-one basis. Many A records correspond to a single IP address, where one machine can serve many web sites. Alternatively, a single A record may correspond to many IP addresses. This can facilitate fault tolerance and load distribution, and allows a site to move its physical location. http://null.co.in
- 29. Real world fast-flux examplesNS records-Name server records determine which servers will communicate DNS information for a domain. Two NS records must be defined for each domain. Generally, you will have a primary and a secondary name server record - NS records are updated with your domain registrar and will take 24-72 hours to take effect. If your domain registrar is separate from your domain host, your host will provide two name servers that you can use to update your NS records with your registrar. http://null.co.in
- 30. REAL WORLD FAST-FLUX EXAMPLESCredit Money Botnet- Zeus BotnetBelow are the single-flux DNS records typical of such an infrastructure. The tables show DNS snapshots of the domain name divewithsharks.hk taken approximately every 30 minutes, with the five A records returned round-robin showing clear infiltration into home/business dialup and broadband networks. Notice that the NS records do not change, but some of the A records do. This is the money mule bot example. divewithsharks.hk. 1800 IN A 70.68.187.xxx [xxx.vf.shawcable.net]divewithsharks.hk. 1800 IN A 76.209.81.xxx [SBIS-AS - AT&T Internet Services]divewithsharks.hk. 1800 IN A 85.207.74.xxx [adsl-ustixxx-74-207-85.bluetone.cz]divewithsharks.hk. 1800 IN A 90.144.43.xxx [d90-144-43-xxx.cust.tele2.fr]divewithsharks.hk. 1800 IN A 142.165.41.xxx [142-165-41-xxx.msjw.hsdb.sasknet.sk.ca] divewithsharks.hk. 1800 IN NS ns1.world-wr.com.divewithsharks.hk. 1800 IN NS ns2.world-wr.com.ns1.world-wr.com. 87169 IN A 66.232.119.212 [HVC-AS - HIVELOCITY VENTURES CORP]ns2.world-wr.com. 87177 IN A 209.88.199.xxx [vpdn-dsl209-88-199-xxx.alami.net]http://null.co.in
- 31. REAL WORLD FAST-FLUX EXAMPLESfast-flux nets appear to apply some form of logic in deciding which of their available IP addresses will be advertised in the next set of responses. This may be based on ongoing connection quality monitoring (and perhaps a load-balancing algorithm). New flux-agent IP addresses are inserted into the fast-flux service network to replace nodes with poor performance, being subject to mitigation or otherwise offline nodes. divewithsharks.hk. 1800 IN A 24.85.102.xxx [xxx.vs.shawcable.net] NEWdivewithsharks.hk. 1800 IN A 69.47.177.xxx [d47-69-xxx-177.try.wideopenwest.com] NEWdivewithsharks.hk. 1800 IN A 70.68.187.xxx [xxx.vf.shawcable.net]divewithsharks.hk. 1800 IN A 90.144.43.xxx [d90-144-43-xxx.cust.tele2.fr]divewithsharks.hk. 1800 IN A 142.165.41.xxx [142-165-41-xxx.msjw.hsdb.sasknet.sk.ca] divewithsharks.hk. 1800 IN NS ns1.world-wr.com.divewithsharks.hk. 1800 IN NS ns2.world-wr.com.ns1.world-wr.com. 85248 IN A 66.232.119.xxx [HVC-AS - HIVELOCITY VENTURES CORP]ns2.world-wr.com. 82991 IN A 209.88.199.xxx [vpdn-dsl209-88-199-xxx.alami.net]http://null.co.in
- 32. REAL WORLD FAST-FLUX EXAMPLESAs we see, highlighted in bold two of the advertised IP addresses have changed. Again, these two IP addresses belong to dial-up or broadband networks. Another 30 minutes later, a lookup of the domain returns the following information: divewithsharks.hk. 1238 IN A 68.150.25.xxx [xxx.ed.shawcable.net] NEWdivewithsharks.hk. 1238 IN A 76.209.81.xxx [SBIS-AS - AT&T Internet Services] This one came back!divewithsharks.hk. 1238 IN A 172.189.83.xxx [xxx.ipt.aol.com] NEWdivewithsharks.hk. 1238 IN A 200.115.195.xxx [pcxxx.telecentro.com.ar] NEWdivewithsharks.hk. 1238 IN A 213.85.179.xxx [CNT Autonomous System] NEW divewithsharks.hk. 1238 IN NS ns1.world-wr.com.divewithsharks.hk. 1238 IN NS ns2.world-wr.com.ns1.world-wr.com. 83446 IN A 66.232.119.xxx [HVC-AS - HIVELOCITY VENTURES CORP]ns2.world-wr.com. 81189 IN A 209.88.199.xxx [vpdn-dsl209-88-199-xxx.alami.net]Now, we observe four new IP addresses and one IP address that we saw in the first query. This demonstrates the round-robin address response mechanism used in fast-flux networks. As we have seen in this example, the A records for the domain are constantly changing. Each one of these systems represents a compromised host acting as a redirector, a redirector that eventually points to the money mule botnethttp://null.co.in
- 33. Some more fast-flux exampleslogin.mylspacee.com. 177 IN A 66.229.133.xxx [c-66-229-133-xxx.hsd1.fl.comcast.net]login.mylspacee.com. 177 IN A 67.10.117.xxx [cpe-67-10-117-xxx.gt.res.rr.com]login.mylspacee.com. 177 IN A 70.244.2.xxx [adsl-70-244-2-xxx.dsl.hrlntx.swbell.net]login.mylspacee.com. 177 IN A 74.67.113.xxx [cpe-74-67-113-xxx.stny.res.rr.com]login.mylspacee.com. 177 IN A 74.137.49.xxx [74-137-49-xxx.dhcp.insightbb.com] mylspacee.com. 108877 IN NS ns3.myheroisyourslove.hk.mylspacee.com. 108877 IN NS ns4.myheroisyourslove.hk.mylspacee.com. 108877 IN NS ns5.myheroisyourslove.hk.mylspacee.com. 108877 IN NS ns1.myheroisyourslove.hk.mylspacee.com. 108877 IN NS ns2.myheroisyourslove.hk.ns1.myheroisyourslove.hk.854 IN A 70.227.218.xxx [ppp-70-227-218-xxx.dsl.sfldmi.ameritech.net]ns2.myheroisyourslove.hk.854 IN A 70.136.16.xxx [adsl-70-136-16-xxx.dsl.bumttx.sbcglobal.net]ns3.myheroisyourslove.hk. 854 IN A 68.59.76.xxx [c-68-59-76-xxx.hsd1.al.comcast.net]ns4.myheroisyourslove.hk. 854 IN A 70.126.19.xxx [xxx-19.126-70.tampabay.res.rr.com]ns5.myheroisyourslove.hk. 854 IN A 70.121.157.xxx [xxx.157.121.70.cfl.res.rr.com]http://null.co.in
- 34. Results…login.mylspacee.com. 161 IN A 74.131.218.xxx [74-131-218-xxx.dhcp.insightbb.com] NEWlogin.mylspacee.com. 161 IN A 24.174.195.xxx [cpe-24-174-195-xxx.elp.res.rr.com] NEWlogin.mylspacee.com. 161 IN A 65.65.182.xxx [adsl-65-65-182-xxx.dsl.hstntx.swbell.net] NEWlogin.mylspacee.com. 161 IN A 69.215.174.xxx [ppp-69-215-174-xxx.dsl.ipltin.ameritech.net] NEWlogin.mylspacee.com. 161 IN A 71.135.180.xxx [adsl-71-135-180-xxx.dsl.pltn13.pacbell.net] NEW mylspacee.com. 108642 IN NS ns3.myheroisyourslove.hk.mylspacee.com. 108642 IN NS ns4.myheroisyourslove.hk.mylspacee.com. 108642 IN NS ns5.myheroisyourslove.hk.mylspacee.com. 108642 IN NS ns1.myheroisyourslove.hk.mylspacee.com. 108642 IN NS ns2.myheroisyourslove.hk.ns1.myheroisyourslove.hk. 608 IN A 70.227.218.xxx [ppp-70-227-218-xxx.dsl.sfldmi.ameritech.net]ns2.myheroisyourslove.hk. 608 IN A 70.136.16.xxx [adsl-70-136-16-xxx.dsl.bumttx.sbcglobal.net]ns3.myheroisyourslove.hk. 608 IN A 68.59.76.xxx [c-68-59-76-xxx.hsd1.al.comcast.net]ns4.myheroisyourslove.hk. 608 IN A 70.126.19.xxx [xxx-19.126-70.tampabay.res.rr.com]ns5.myheroisyourslove.hk. 608 IN A 70.121.157.xxx [xxx.157.121.70.cfl.res.rr.com]http://null.co.in
- 35. ConclusionOn the basis of DNS instances by the k means clustering it is possible to detect the fast flux characteristics of botnets.New botnet detection system based on Horizontal correlation Independent of botnet C&C protocol and structureReal-world evaluation shows promising resultsThe false positive is very low in case of large IP address instances corresponding to same DNS which actually resembles with the condition of real world botnets.http://null.co.in
- 36. AcknowledgementsNullcon team.To all the ListenersOur professors Dr. PonnurangamKumaraguruDr. ShishirNagarajahttp://null.co.in