09 Dec 2010
DETECTION OF SIP BOTNET
BASED ON C&C COMMUNICATIONS
Mohammad AlKurbi
Overview
Introduction to Botnet
Why SIP is useful?
Problem Statement.
Related Works.
Proposed Solution.
Preliminary Evaluation.
Conclusions & Future Work.
Brief Introduction to Botnet
Botnet? A network of compromised computers controlled by a master to perform correlated tasks [GP+08].
[Diagram: Botnet Master -> Controller -> Bots (compromised hosts) -> Victim; Command & Control channel: IRC, HTTP, P2P; malicious activity: scan, spam, DDoS]
Bot Life Cycle
Infection: initial installation of the bot malware, by email, visiting infected web sites, or vulnerability exploitation.
Bootstrap: joining the botnet, using a preliminary list of bots.
Command and Control (C&C): receiving instructions and sending information/feedback.
Malicious Activity: carrying out the instructions: scan, spam, DDoS, etc.
Maintenance: upgrading the bot software.
Botnet Models?
Centralized model (IRC/HTTP) vs. distributed model (P2P)
[Diagram: Botnet Master, Controller, Bots and Victim in both models]
Botnet History [GZL08]
IRC Botnet: centralized C&C structure. Access to IRC is often restricted or limited (IRC ports are commonly blocked), which exposes the channel.
HTTP Botnet: centralized C&C structure. HTTP enjoys a more permissive access policy and blends with normal web traffic, therefore it is stealthier.
P2P Botnet: distributed C&C structure.
SIP as a C&C protocol
Why is SIP a useful C&C protocol? SIP has outstanding features for this purpose [A. Berger et al. (NPSec '09)]:
SIP access is subject to a less restrictive policy than P2P traffic: it is a legitimate VoIP protocol that firewalls and operators let through.
The SIP infrastructure minimizes management overhead: registration (REGISTER) and tracking of clients' status are provided by the protocol itself.
Reliable message delivery (retransmissions are part of the protocol).
The SIP message structure offers many carriers for commands: SIP instant messaging (MESSAGE), standard and user-defined headers, and the message body.
Problem Statement
Botnets are one of the most serious and growing security threats [SLWL07, GZL08, YD+10]: 40% of all computers connected to the Internet are considered infected bots [ZLC08], and 20% of malware is still able to get into up-to-date Internet computers [BK07].
SIP is even more attractive as a C&C protocol after being adopted by 3GPP (as the signalling protocol of IMS).
SIP botnets have not been considered before.
Study & Detection Approaches
Bot source code analysis.
Honeynets.
Signature-based detection.
Anomaly-based detection:
based on botnet malicious activities: high-volume traffic such as DDoS attacks, scans, spam, or otherwise abnormal traffic;
based on C&C communications.
C&C Detection Approach
C&C is the weakest link [GZL08]: interrupting the C&C channel disarms the botnet [SLWL07]. The approach is based on the following observation [GZL08, GP+08]:
Due to their preprogrammed activities, bots tend to behave in a similar or correlated manner.
Restricting access to the C&C controllers isolates the bots.
No prior knowledge is needed.
Related Works
Related Works (1)
G. Gu et al., “BotSniffer: Detecting botnet command and control channels in network traffic”, NDSS '08, February:
Detects centralized C&C channels (IRC & HTTP).
Monitors crowd density/homogeneity of the clients that connect to the same server; event sequences are considered.
Deep inspection: protocol matcher. The crowd-homogeneity algorithm is vulnerable to encryption, since it compares message payloads.
Related Works (2)
G. Gu et al., “BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection”, USENIX Security '08, July:
Protocol and structure independent: captures all TCP/UDP traffic.
Does not consider the event sequence.
Two-step X-means clustering.
Identifies hosts that share both similar C&C communication patterns and similar malicious activity patterns.
Related Works (3)
X. Yu et al., “Online botnet detection based on incremental discrete Fourier transform”, Journal of Networks, 5(5), May 2010:
Protocol and structure independent.
Event sequences are considered.
distance(X, Y) = distance(DFT(X), DFT(Y)) [Discrete Fourier Transform]; only a few DFT coefficients are required to capture the distance.
A suspected bot's malicious activities are monitored before confirming its identity.
The Proposed Solution
Developing a system to detect SIP botnets (i.e. botnets where SIP is the C&C protocol):
It is a network anomaly-based system, built on the observation that bots behave similarly.
It does not rely on the event sequence [SLWL07, GP+08], so it resists random-time evasion techniques.
It detects bots at an early stage, before they initiate malicious activities or as early as possible, by monitoring and analyzing the C&C communications (i.e. the SIP traffic), without any prior knowledge.
A suspected bot's identity is confirmed as soon as it carries out one or more botnet malicious activities.
The Proposed Solution (Main idea)
Two users are considered similar if they share similar flows beyond a defined threshold.
Similar users are considered suspected bots.
[Figure: flows of User-1 and User-2 matched pairwise]
System Overview
[Diagram: monitoring engines at the network gateways log SIP and malicious traffic to a central DB; the correlation engine reads the DB and reports bots and C&C controllers]
System Components (1)
Monitoring Engine:
Logs SIP and malicious traffic to a central DB server.
Based on Snort (open-source intrusion detection system), with a customized rule set to capture SIP traffic and a set of activated plug-ins to capture malicious activities.
Installed where the designated traffic passes, such as network gateways.
System Components (2)
Correlation Engine: developed in Java.
Input: the SIP and malicious traffic that has been logged into the central DB.
Function: detects bots and C&C controllers.
It can be installed anywhere, as long as it has access to the central DB server.
Correlation Engine (How it works)
Feature Vector (FV): each flow is transformed into a feature vector. The FV consists of flow attributes such as duration (seconds), size (bytes), number of packets, bps (bytes per second), and bpp (bytes per packet).
Feature Stream (FS): a user's flows are represented by a feature stream; each column is one feature vector.
[Figure: user feature stream within time window w: FV1 (Flow 1), FV2 (Flow 2), ..., FVn (Flow n), each FV = (duration, size, #packets, bps, bpp)]
Two flows a and b are similar if their distance
$$d(a,b) = \sqrt{\sum_{i=1}^{f} (a[i] - b[i])^2}$$
is below a threshold, where f is the number of features and a[i], b[i] are the i-th features of the two flows.
Two users A and B are considered similar if the distance d(A, B) between their feature streams (A, B: the feature streams of users A and B) is below a defined threshold.
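The similarity computation above, worked through as an added Python example (this is not code from the deck's Java correlation engine). Flows are turned into the five-feature vector from the previous slide, grouped per user inside a time window w, and compared with the Euclidean distance d(a, b); two users count as similar when the fraction of their flow pairs within a distance eps reaches theta. Two assumptions are not on the slides: features are min-max scaled over the window before the distance is taken (otherwise the byte count dominates every other feature), and the user-level distance is read as the fraction of close flow pairs. The flow records are constructed, not captured traffic; the false-positive and false-negative rates at the end are the measures the evaluation slides report.

```python
"""Flow-similarity detection of SIP bots: added example, not the deck's code."""
from dataclasses import dataclass
from itertools import combinations
from math import sqrt


@dataclass(frozen=True)
class Flow:
    """One SIP signalling flow as the monitoring engine would log it."""
    user: str
    start: float     # seconds since the start of the capture
    duration: float  # seconds
    size: int        # bytes
    packets: int

    def feature_vector(self):
        """FV = (duration, size, #packets, bps, bpp), as on the slide."""
        bps = self.size / self.duration if self.duration > 0 else 0.0
        bpp = self.size / self.packets if self.packets > 0 else 0.0
        return (self.duration, float(self.size), float(self.packets), bps, bpp)


def feature_streams(flows, window_start, w):
    """Group the flows inside [window_start, window_start + w) into one
    feature stream (list of FVs) per user."""
    streams = {}
    for fl in flows:
        if window_start <= fl.start < window_start + w:
            streams.setdefault(fl.user, []).append(fl.feature_vector())
    return streams


def min_max_scale(streams):
    """Scale every feature to [0, 1] over all FVs in the window.
    Assumption: the slides do not say how (or whether) features are scaled."""
    all_fv = [fv for s in streams.values() for fv in s]
    f = len(all_fv[0])
    lo = [min(fv[i] for fv in all_fv) for i in range(f)]
    hi = [max(fv[i] for fv in all_fv) for i in range(f)]

    def scale(fv):
        return tuple((fv[i] - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0
                     for i in range(f))

    return {u: [scale(fv) for fv in s] for u, s in streams.items()}


def flow_distance(a, b):
    """d(a, b) = sqrt(sum_{i=1..f} (a[i] - b[i])^2)."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def user_similarity(stream_a, stream_b, eps):
    """Fraction of flow pairs (a in A, b in B) with d(a, b) <= eps.
    Assumption: one reading of 'share similar flows more than a threshold'."""
    pairs = [(a, b) for a in stream_a for b in stream_b]
    close = sum(1 for a, b in pairs if flow_distance(a, b) <= eps)
    return close / len(pairs)


def suspected_bots(flows, window_start, w, eps, theta):
    """Users whose feature stream is similar to at least one other user's."""
    streams = min_max_scale(feature_streams(flows, window_start, w))
    suspects = set()
    for u, v in combinations(sorted(streams), 2):
        if user_similarity(streams[u], streams[v], eps) >= theta:
            suspects.update((u, v))
    return suspects


def error_rates(suspects, true_bots, all_users):
    """False-positive rate over benign users, false-negative rate over bots."""
    benign = set(all_users) - set(true_bots)
    fp = len(suspects & benign) / len(benign)
    fn = len(set(true_bots) - suspects) / len(true_bots)
    return fp, fn


# Constructed records (not a capture): regular calls of varying length, and
# three bots that poll their controller with near-identical short exchanges.
FLOWS = [
    Flow("alice", 10, 65.0, 4200, 9), Flow("alice", 900, 210.0, 5100, 11),
    Flow("bob", 300, 30.0, 3900, 8), Flow("bob", 1500, 480.0, 6000, 13),
    Flow("carol", 120, 125.0, 4600, 10),
    Flow("dave", 2000, 15.0, 3500, 7), Flow("dave", 3000, 350.0, 5600, 12),
    Flow("bot1", 5, 0.40, 900, 2), Flow("bot1", 605, 0.41, 901, 2), Flow("bot1", 1205, 0.39, 899, 2),
    Flow("bot2", 7, 0.40, 901, 2), Flow("bot2", 607, 0.41, 899, 2), Flow("bot2", 1207, 0.39, 900, 2),
    Flow("bot3", 9, 0.41, 900, 2), Flow("bot3", 609, 0.40, 899, 2), Flow("bot3", 1209, 0.39, 901, 2),
]
TRUE_BOTS = {"bot1", "bot2", "bot3"}


def run_window(window_start=0, w=3600, eps=0.1, theta=0.5):
    """One detection window; returns the suspects and their (FP, FN) rates."""
    suspects = suspected_bots(FLOWS, window_start, w, eps, theta)
    users = {fl.user for fl in FLOWS}
    return suspects, error_rates(suspects, TRUE_BOTS, users)


if __name__ == "__main__":
    found, (fp, fn) = run_window()
    print("suspected bots:", sorted(found))
    print(f"false positive: {fp:.0%}  false negative: {fn:.0%}")
```

The eps and theta values are tuning knobs: a too-small eps misses bots whose controller adds jitter (the "random session size/duration" evasion named in the challenges), a too-large one pulls in regular callers with similar call lengths, which is where the false positives in the preliminary results come from.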
Experimental Evaluation: calculating false positive & false negative rates
Input Data Set (Users’ traffic)
Network traces were generated using two tools developed by A. Berger et al. [BH09]:
1. Autosip: emulates the realistic call behaviour of regular users:
The number of online users varies with time.
Call duration is modelled by μ (mean) and σ (standard deviation).
A user calls a friend with probability α and others with probability 1 − α.
A user makes on average C calls/hour.
Autosip Components
Manager: sets the call parameters for the clients and controls the number of active users during the day.
Client (SIP users): connects to the manager and calls other clients according to the parameter settings.
Input Data Set (Malicious traffic)
2. Sipbot: generates SIP botnet traffic.
Based on the P2P Storm botnet, with the Overnet protocol replaced by SIP. The bot answers SIP INVITE messages with a “603 Decline” response.
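What the SIP features listed earlier (instant messaging, user-defined headers, message bodies) and Sipbot's "603 Decline" reply to an INVITE look like on the wire, as an added Python example that is not part of the deck, of Autosip or of Sipbot. It parses raw SIP messages into start line, headers and body, and lists per-message indicators that a SIP-aware monitoring rule could log for later correlation: a 603 Decline answering an INVITE, a MESSAGE request carrying a body, and headers outside a partial, assumed list of standard RFC 3261 header names. The three messages and the X-Task header are constructed for the example. None of these indicators proves a bot on its own (a human can decline a call too), which is exactly why the deck correlates flows across users instead of matching single messages.

```python
"""Parsing SIP messages and flagging C&C-style usage: added example."""

# Assumption: a partial list of standard SIP header names (RFC 3261 core set).
STANDARD_HEADERS = {
    "via", "from", "to", "call-id", "cseq", "contact", "max-forwards",
    "content-type", "content-length", "user-agent", "allow", "supported",
    "expires", "route", "record-route", "subject", "accept", "date",
}


def parse_sip(raw):
    """Split a SIP message into start line, header dict and body.
    Header names are case-insensitive; repeated headers are joined with ','."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only: Via has host:port
        key = name.strip().lower()
        if key in headers:
            headers[key] += ", " + value.strip()
        else:
            headers[key] = value.strip()
    msg = {"headers": headers, "body": body}
    if start.startswith("SIP/2.0 "):
        # Response: "SIP/2.0 <code> <reason>"; the method it answers is in CSeq.
        parts = start.split(" ", 2)
        msg.update(kind="response", status=int(parts[1]),
                   reason=parts[2] if len(parts) > 2 else "",
                   method=headers.get("cseq", "0 UNKNOWN").split()[-1])
    else:
        # Request: "<METHOD> <Request-URI> SIP/2.0"
        method, uri, _ = start.split(" ", 2)
        msg.update(kind="request", method=method, uri=uri)
    return msg


def c2_indicators(msg):
    """Indicators a SIP-aware monitor could log; each one alone is weak."""
    found = []
    if msg["kind"] == "response" and msg["status"] == 603 and msg["method"] == "INVITE":
        found.append("603 Decline to INVITE")            # Sipbot's answer to calls
    if msg["kind"] == "request" and msg["method"] == "MESSAGE" and msg["body"]:
        found.append("MESSAGE with body")                # SIP IM as a command carrier
    unknown = sorted(h for h in msg["headers"] if h not in STANDARD_HEADERS)
    if unknown:
        found.append("non-standard headers: " + ", ".join(unknown))
    return found


# Constructed messages (not captured traffic).
INVITE = ("INVITE sip:u17@sip.example SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK1\r\n"
          "From: <sip:u3@sip.example>;tag=a1\r\n"
          "To: <sip:u17@sip.example>\r\n"
          "Call-ID: c1@10.0.0.5\r\n"
          "CSeq: 1 INVITE\r\n"
          "Content-Length: 0\r\n\r\n")
DECLINE = ("SIP/2.0 603 Decline\r\n"
           "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK1\r\n"
           "From: <sip:u3@sip.example>;tag=a1\r\n"
           "To: <sip:u17@sip.example>;tag=b2\r\n"
           "Call-ID: c1@10.0.0.5\r\n"
           "CSeq: 1 INVITE\r\n"
           "Content-Length: 0\r\n\r\n")
COMMAND = ("MESSAGE sip:u17@sip.example SIP/2.0\r\n"
           "Via: SIP/2.0/UDP 10.0.0.9:5060;branch=z9hG4bK2\r\n"
           "From: <sip:ctl@sip.example>;tag=c3\r\n"
           "To: <sip:u17@sip.example>\r\n"
           "Call-ID: c2@10.0.0.9\r\n"
           "CSeq: 1 MESSAGE\r\n"
           "X-Task: scan\r\n"                 # hypothetical user-defined header
           "Content-Type: text/plain\r\n"
           "Content-Length: 16\r\n\r\n"
           "scan 10.0.1.0/24")


def indicators_for(raw):
    """Parse one raw message and return its indicator list."""
    return c2_indicators(parse_sip(raw))


if __name__ == "__main__":
    for name, raw in (("INVITE", INVITE), ("DECLINE", DECLINE), ("COMMAND", COMMAND)):
        print(name, "->", indicators_for(raw) or ["none"])
```

A Snort rule set like the one the monitoring engine uses can only log facts of this kind per message; the per-user counts of such indicators are what the correlation engine can then compare across users.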
Test bed Network Design
Deployed on the NSL cluster. [Network diagram of the test bed]
Preliminary Result
[Chart: Algorithm precision (1000 users, 10 bots), w = 1 h, slide = 15 min. X axis: time, 7:00 PM to 12:00 AM in 15-minute steps. Y axis: percentage, 0 to 45%. Series: False Positive, False Negative.]
Conclusion / Future Work / Challenges
Conclusion
Botnets are a serious and growing threat that needs more research.
Detecting bots based on the C&C channel is efficient: it allows us to detect bots at an early stage.
SIP is a promising C&C protocol.
A system is provided to detect SIP botnets with a very low false-negative rate (~0) and a reasonable false-positive rate.
Future Work
Improve the similarity algorithm to decrease false positives.
Implement larger-scale evaluation experiments.
Integrate the malicious-activity handler component.
Extract the C&C controllers.
Reduce time complexity.
Challenges
Resilience to evasion:
A very long response delay (larger than the time window). Botnet utility is then reduced or limited, because the botmaster can no longer command his bots promptly and reliably [GZL08].
Random session size/duration.
Random noise packets.
Picking from a pool of random SIP options.
End
Appendix
Centralized C&C Model
[Diagram: Botnet Master -> Controller -> Bots (compromised hosts) -> Victim; Command & Control channel: IRC, HTTP, P2P; malicious activity: scan, spam, DDoS]
Pros: prompt communications; easy management.
Cons: single point of failure; easy to break down.
Distributed C&C Model
Pros: reliability; harder to break down.
Cons: not real-time control; management overhead.
[Diagram: P2P model]
Detection Approaches
Most of the current botnet detection approaches [7,17,19,20,26,29,35,40] work only on specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized), and can become ineffective as botnets change their C&C techniques [GP+08] (the numeric citations are GP+08's own).
Some other approaches [4, 6, 12, 18] have been proposed [YD+10] (the numeric citations are YD+10's own). See also [BCJ+09, ZLC08].
C&C Detection Approach
C&C is the weakest link [GZL08]: interrupting the C&C channel disarms the botnet [SLWL07]. The approach is based on the following observations [GZL08, GP+08]:
Due to their preprogrammed activities, bots tend to behave in a similar or correlated manner.
C&C controllers are usually far fewer than bots, so restricting access to them is easier, safer, and more efficient.
No prior knowledge is needed.
Related Works (1)
G. Gu et al., “BotSniffer: Detecting botnet command and control channels in network traffic”, NDSS '08, February:
Detects centralized C&C channels (IRC & HTTP).
Analyzes bots' responses (message, activity) to the botmaster's commands.
Looks in every time window (t) for a response crowd from clients that connect to the same server: crowd density (> 50%) and crowd homogeneity.
A number of rounds are required before a crowd is confirmed as a botnet.
Deep inspection: protocol matcher.
The implemented crowd-homogeneity algorithm is vulnerable to encryption, since it compares message payloads.
Related Works (2)
G. Gu et al., “BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection”, USENIX Security '08, July:
Protocol and structure independent: captures all TCP/UDP traffic.
Does not consider the event sequence.
Identifies hosts that share both similar C&C communication patterns and similar malicious activity patterns.
Aggregates related flows during an epoch (E ~ one day) into the same C-flow.
Converts C-flows into pattern vectors of equal length by a quantile-binning technique.
Two-step X-means clustering.
Related Works (2)
G. Gu et al., “BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection”, USENIX Security '08, July:
Protocol and structure independent. Does not consider the event sequence.
Aggregates the related flows of the past epoch (E ~ one day) into one flow. To standardize the feature-vector length, the discrete distribution is approximated by a binning technique (computing quantiles). Two-step X-means clustering.
Identifies hosts that share both similar communication patterns and similar malicious activity patterns: a host receives a high score if it has performed multiple types of suspicious activities, and if the other hosts clustered with it also show the same multiple types of activities.
If two hosts appear in the same activity clusters and in at least one common C-cluster, they should be clustered together.
Related Works (3)
X. Yu et al., “Online botnet detection based on incremental discrete Fourier transform”, Journal of Networks, 5(5), May 2010:
Protocol and structure independent. Event sequences are considered. Online detection.
User flows are represented by a feature stream. Similarity is measured by an average Euclidean distance, with distance(X, Y) = distance(DFT(X), DFT(Y)) [Discrete Fourier Transform]; only a few DFT coefficients are required to capture the stream.
Incremental DFT coefficients avoid recalculation when a new value arrives (minimizing processing time further).
A suspected bot's malicious activities are monitored before confirming its identity.
Related Works (3)
X. Yu et al., “Online botnet detection based on incremental discrete Fourier transform”, Journal of Networks, 5(5), May 2010:
Online detection. Protocol and structure independent. A flow is represented by a feature stream. Similarity is measured by an average Euclidean distance, with distance(X, Y) = distance(DFT(X), DFT(Y)); fewer DFT coefficients are needed than raw feature values.
Incremental DFT coefficients avoid recalculation when a new feature stream arrives (minimizing processing time further).
A suspected bot's malicious activities are monitored before confirming its identity.
Related Works (4)
H. Zeidanloo and A. Abdul Manaf, “Botnet detection by monitoring similar communication patterns”, International Journal of Computer Science and Information Security, 7(3), March 2010:
General framework that focuses on P2P-based and IRC-based botnets.
Similar users have similar graphs: user feature-stream graphs with (X, Y) = (bpp, bps).
The exact method is not provided, and no evaluation is given.
Related Works (5)
W. Strayer et al., “Botnet detection based on network behavior”, vol. 36 of Advances in Information Security, Springer, October 2007:
Detects IRC botnets (centralized), which have a prompt C&C mechanism.
Does not consider the event sequence.
The filtering phase assumes prior knowledge: it passes only what could be C&C traffic and filters out any traffic that does not comply with certain specific semantics; it examines neither content nor port.
Looks for C&C servers by topological analysis: highest in/out-degree in a directed graph of similar flows.
Flow characteristics: bandwidth, packet timing, and burst duration.
The Proposed Solution
Developing a system to detect SIP botnets (i.e. botnets where SIP is the C&C protocol):
It is a network anomaly-based system, built on the concept that bots behave similarly.
It does not rely on the event sequence [SLWL07, GP+08], so it resists random-time evasion techniques.
It detects bots at an early stage, before they initiate malicious activities or as early as possible, by monitoring and analyzing the C&C communications (i.e. the SIP traffic), without any prior knowledge.
A suspected bot's identity is confirmed as soon as it carries out one or more botnet malicious activities.
A further analysis can be applied to extract the C&C controllers.
The Proposed Solution (Main idea)
Two users are considered similar if they share similar flows beyond a defined threshold.
Similar users are considered suspected bots.
A bot's identity is confirmed when it commits any malicious activity.
[Figure: flows of User-1 and User-2 matched pairwise]
Input Data Set
Network traces were generated using the following tools developed by A. Berger:
Autosip: emulates the realistic behaviour of regular users' calls:
The number of online users varies with time.
Call duration is modelled with a log-normal distribution [BC+05].
A user calls a friend with probability α and others with probability 1 − α.
A user makes on average C calls/hour, i.e. a uniform call probability of C/60 per minute.
Autosip Components
Manager: sets the call parameters and controls the number of active users during the day.
Client (SIP users): connects to the manager and calls other clients according to the parameter settings.
Autosip (How it works)
Upon start, and after a random-time sleep, a client tries to initiate calls to a friend (on average C calls/hour).
Call duration is computed from the parameters μ and σ.
Only a single ongoing call per client.
During an ongoing call, the client makes no call attempts and answers incoming call attempts with a SIP BUSY (486 Busy Here).
Input Data Set (Autosip parameters)
C: average number of call attempts per hour (uniform call probability of C/60 per minute)
μ: mean value of call duration
σ: standard deviation of call duration
Number of simulated SIP clients
Number of friends of each client
α: probability of calling a friend
Preliminary Result
[Chart: Algorithm precision (90 users, 10 bots). X axis: time periods in minutes (15m, 30m, 90m, 105m). Y axis: percentage, 0 to 60%. Series: % False Positive, % False Negative.]
Future Work
Improve the similarity algorithm to decrease false positives.
Implement larger-scale evaluation experiments.
Extract the C&C controllers.
Move from offline to online detection.
Try to implement real-time detection and to reduce time complexity.
Future Work
Evaluation: improve the similarity algorithm to decrease false positives; implement larger-scale evaluation experiments.
Extract the C&C controllers, for example by a directed-graph technique.
Real-time detection.
Attempt to reduce time complexity.
Future Work
Evaluation: implement larger-scale evaluation experiments; compare the results with another algorithm.
Implement the malicious-activity component.
Extract the C&C controllers, for example by a directed-graph technique.
Real-time detection: incremental DFT [YD+10]; exponentially weighted moving average (EWMA) [SLWL07]; binning technique [GP+08]; aggregating related flows within an epoch (E ~ one day) into one flow [GP+08].
Reduce time complexity: reduce the dataset size (number of feature streams).
Challenges
Resilience to evasion:
Response time (long and/or random): if the random response times fall within the maximum expected time window, detection still works. Otherwise (i.e. a very long response delay), the botnet's utility to the botmaster is reduced or limited, because the botmaster can no longer command his bots promptly and reliably.
Random session size/duration.
Adding random noise packets, or a bot that is not only a bot and simply carries normal traffic as well.
Random picking from a pool of different SIP options.
Using a stack of different C&C protocols.
Questions and Discussion