
Page 1: Master Blaster: Identifying Influential Player in Botnet Transaction

Master Blaster: Identifying Influential Player in Botnet Transaction

Authors: Napoleon C. Paxton, College of Computing and Informatics, UNC Charlotte; Gail-Joon Ahn, School of Computing, Informatics and Decision System Engineering, Arizona State University; Mohamed Shehab, College of Computing and Informatics, UNC Charlotte
Reporter: 簡榮杉
https://www.youtube.com/watch?v=5KyoHjIoMkQ

Page 2: Master Blaster:  Identifying Influential Player in Botnet Transaction

OUTLINE

Introduction
Scope of research
Master Blaster: system overview
Implementation and results
Discussion
Conclusion

Page 3: Master Blaster:  Identifying Influential Player in Botnet Transaction

Introduction

Bots carry out the commands of the botmaster through communication mediums. Communication mediums: Internet Relay Chat (IRC), P2P, social networks.

Botnet monitoring is an effective method to garner in-depth information about the threat of botnets:
capture and modify a bot;
allow the bot to connect to its command and control center;
monitor the actual communications that take place on the botnet.

Page 4: Master Blaster:  Identifying Influential Player in Botnet Transaction

Most botnets are controlled by multiple botmasters: botmaster 1 initially creates the botnet, and botmasters 1, 2, ..., N each have their own attack agenda.

Page 5: Master Blaster:  Identifying Influential Player in Botnet Transaction

Introduction – In this paper:

to categorize the nodes;
to categorize the transactions based on a modified version of the reflective-impulsive model.

A botnet is just a tool, and a tool is only as useful as the way it is used with the intentions of the person who uses it. The botmaster interactions (between the botmaster and the nodes in a botnet) are therefore categorized as social characteristics.

There are five categories of node:
Botmaster node
Bot node
Compromised machine node: the machine that was originally attacked and turned into a bot node.
Storehouse node: the node that provides a download service to the botmaster node or the bot node.
Victim node: the node that is attacked.

Page 6: Master Blaster:  Identifying Influential Player in Botnet Transaction

Introduction – In this paper:

to identify the evolution of the physical characteristics (size) of a botnet, which, like a human social network, is born, grows, shrinks and disappears;
to correlate the discovered social characteristics and the evolutionary characteristics to shed light on the role each botmaster plays in a botnet.


Page 8: Master Blaster:  Identifying Influential Player in Botnet Transaction

It is easy to covertly infiltrate a botnet and monitor its transactions; botnet monitoring has become a common way to analyze and identify botnets and the destruction they cause.

This paper:
introduces the novel idea of monitoring botnet traffic to identify the roles each botmaster has in the botnet;
discovers motives and characteristics which lead to discovering the root cause behind the botnet.


Page 10: Master Blaster:  Identifying Influential Player in Botnet Transaction

Ⅲ. MASTER BLASTER: SYSTEM OVERVIEW

A. Bot Capture
B. Closed Analysis
C. Open Analysis
D. Network Monitoring
E. Correlation

Page 11: Master Blaster:  Identifying Influential Player in Botnet Transaction

A. Bot Capture

The capture component pretends to be a legitimate vulnerable machine. It has three elements:

Socket manager: the attacker attempts to connect to a port through the socket manager.
General shell code handler: created to receive the data and pass the code to the Perl regex shell code handler.
Perl regex shell code handler: Step 1: determine what type of code it is. Step 2: the code is downloaded without being executed.

Page 12: Master Blaster:  Identifying Influential Player in Botnet Transaction

B. Closed Analysis

The reflective-impulsive model is adapted and modified for botnets. The model depicts social behavior as a joint function of two systems.

Reflective system: built by responses of knowledge on facts and their decisions. It is denoted by the expression SR = set F, where F is composed of k-subsets {fd1, fd2, ..., fdk-1, fdk} that include a finite amount of facts f and their decisions d.

Impulsive system: discovered in the component "D. Network Monitoring".

In the closed analysis:
discover the ASCII text in the bot code that constitutes reflective keywords; these keywords represent the facts;
use RFC 1459 and RFC 1812 (IRC protocol) to help determine the protocol-based keywords;
derive the semantics of the facts from the command and control protocol.

Keywords: reflective keywords come from the ASCII text in the bot code and are either protocol-based or user/system-based.

Page 13: Master Blaster:  Identifying Influential Player in Botnet Transaction

In the reflective system, behavior is elicited as a consequence of a decision process. Specifically, knowledge about the value and the probability of potential consequences is weighed and integrated to reach a preference for one behavioral option. If a decision is made, the reflective system activates appropriate behavioral schemata through a self-terminating mechanism of intending. In contrast, the impulsive system activates behavioral schemata through spreading activation, which may originate from perceptual input or from reflective processes. As described in James' (1890) ideo-motor principle (see also Lotze, 1852), a behavior may be elicited without the person's intention or goal. In addition, the activation of behavioral schemata may be moderated by motivational orientations or deprivation.

From the original paper “the reflective-impulsive system”

Page 14: Master Blaster:  Identifying Influential Player in Botnet Transaction

From the original paper “the reflective-impulsive system”

Page 15: Master Blaster:  Identifying Influential Player in Botnet Transaction

C. Open Analysis

All information about the initial bootstrapping has to be included in the bot binary and thus can be cloned to extract the general packet information from the botnet data. Three elements in the open analysis component:

bot agents: the bot is stripped of its ability to attack victim machines;
botnet connection: the bot agent connects to the command and control locations;
botnet payload collection: captures all the readable contents of the payload.

Page 16: Master Blaster:  Identifying Influential Player in Botnet Transaction

D. Network Monitoring

Analyze the ASCII-readable data in the payload (found by the "C. Open Analysis" component) to extract characteristic elements from the content of the data and to discover conversations initiated by commands between the botmaster node and the other nodes. The structure of these conversations is discovered from commands based on the command and control protocol. Within these conversations, two things are discovered:

the impulsive system;
the evolutionary characteristics.

Page 17: Master Blaster:  Identifying Influential Player in Botnet Transaction

D. Network Monitoring – 1/2: Impulsive system SI

SI is built on associative links and motivational drives. SI ≡ S = m1 ∪ m2 ∪ m3, where S is the ground set of motivations based on three k-subsets of motivations M: Destructive (M1), Monetary (M2) and Other (M3), and mi belongs to Mi.

In this paper's model, each command given by the botmaster is one impulsive, human-initiated command. Each subset (m1, m2, m3) is composed of a set of commands. The associative links are the semantic connections of each command to another that meet a defined criterion for the subset; that is, each command that resides in a k-subset is linked to every other command in it. In the paper's framework, after the finite value of each k-subset is discovered, the upper-bound k-subset determines what the botmaster's motivation is.

Destructive: concerned with causing damage that physically affects a potential victim's system (including getting money from potential victims). Monetary: concerned only with covertly stealing money. Other: all unknown motives.

The operation of the paper's reflective-impulsive process is as follows: an impulsive command e in set S is matched to a reflective keyword f in set F; the two entities e and f are then determined to be one characteristic E, which conjoins the two systems SR and SI.

Page 18: Master Blaster:  Identifying Influential Player in Botnet Transaction

D. Network Monitoring: Impulsive system SI

In this paper's model, each command given by the botmaster is one impulsive, human-initiated command. The impulsive system is built on associative links and motivational drives.

Motivational drives: SI ≡ S = m1 ∪ m2 ∪ m3, where S is the ground set of motivations based on three k-subsets of motivations M: Destructive (M1), Monetary (M2) and Other (M3), and mi belongs to Mi. In the paper's framework, after the finite value of each k-subset is discovered, the upper-bound k-subset determines what the botmaster's motivation is.

Destructive: concerned with causing damage that physically affects a potential victim's system (including getting money from potential victims). Monetary: concerned only with covertly stealing money. Other: all unknown motives.

Associative links: each subset (m1, m2, m3) is composed of a set of commands, and each command that resides in a k-subset is linked to every other command in it. The associative links are the semantic connections of each command to another that meet a defined criterion for the subset.

The operation of the paper's reflective-impulsive process is as follows: an impulsive command e in set S is matched to a reflective keyword f in set F; the two entities e and f are then determined to be one characteristic E, which conjoins the two systems SR and SI.

Page 19: Master Blaster:  Identifying Influential Player in Botnet Transaction

D. Network Monitoring: Evolutionary characteristics

Each stage of evolution is defined as one of the following:
Birth
Growth
Contraction

Page 20: Master Blaster:  Identifying Influential Player in Botnet Transaction

E. Correlation

The output of this component is the role each botmaster plays. There are three elements in this component:

Component correlation: each result from the components has a timestamp; using this timestamp and the botmaster name, the results of the components are correlated.

Botmaster characteristic statistics:
Evolutionary characteristic statistics: use the autocorrelation function C(t) to discover the number of botnets present over consecutive timesteps t.
Reflective-impulsive characteristic statistics: the ratio of protocol-based commands to user/system-based commands.

Correlation engine: correlates the results of the closed analysis component, the open analysis component, the network monitoring component and the botnet characteristic component to discover botmaster-based patterns.
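As an added example (not code from the paper or these slides), the following Python script applies the matching described on the Network Monitoring slides and the reflective-impulsive statistic described here to constructed channel traffic: each monitored line is matched to a reflective keyword f from the IRC protocol, a bot command carried in the message body counts as a user/system-based impulsive command e, and per botmaster it reports the ratio of protocol-based to user/system-based commands and the largest (upper-bound) motivation subset. The protocol keyword set, the command-to-motivation table and the sample log are all assumptions constructed for this example.

```python
from collections import Counter, defaultdict

# Reflective keywords taken from the IRC protocol (RFC 1459); a bot command carried in
# a message body (".dccflood ...") is treated as a user/system-based keyword instead.
PROTOCOL_KEYWORDS = {"PRIVMSG", "NOTICE", "JOIN", "PART", "NICK", "MODE",
                     "TOPIC", "PING", "PONG", "QUIT"}

# Assumed mapping of bot commands to the paper's motivation subsets M1/M2/M3.
# The slides name the subsets but not their members, so this table is constructed.
MOTIVATION = {"dccflood": "Destructive", "ddos": "Destructive",
              "keylog": "Monetary", "getcc": "Monetary"}

# Constructed sample of monitored channel traffic: one "<botmaster> <IRC line>" per row.
SAMPLE_LOG = """\
mastr1 PRIVMSG #ch :.dccflood 10.0.0.5
mastr1 PRIVMSG #ch :.keylog on
mastr1 PING :irc.example
mastr1 PRIVMSG #ch :.ddos 10.0.0.9 80
mastr2 PING :irc.example
mastr2 MODE #ch +m
mastr2 PRIVMSG #ch :.getcc
mastr2 FOO bar
"""

def classify_line(line):
    """Split one monitored line into (botmaster, reflective keyword, impulsive command)."""
    head, _, trailing = line.partition(" :")
    parts = head.split()
    if len(parts) < 2 or parts[1].upper() not in PROTOCOL_KEYWORDS:
        return None                      # no reflective keyword f in F: ignore the line
    impulsive = None
    if trailing.startswith(".") and trailing[1:].split():
        impulsive = trailing[1:].split()[0].lower()   # the bot command e, e.g. "dccflood"
    return parts[0], parts[1].upper(), impulsive

def botmaster_stats(log):
    """Per botmaster: protocol vs user/system command counts, their ratio, and the
    motivation subset holding the most commands (the paper's upper-bound subset)."""
    counts = defaultdict(lambda: {"protocol": 0, "user": 0, "motives": Counter()})
    for raw in log.splitlines():
        parsed = classify_line(raw)
        if parsed is None:
            continue
        master, _keyword, impulsive = parsed
        if impulsive is None:
            counts[master]["protocol"] += 1    # script/protocol-driven transaction
        else:
            counts[master]["user"] += 1        # human-initiated bot command
            counts[master]["motives"][MOTIVATION.get(impulsive, "Other")] += 1
    result = {}
    for master, c in counts.items():
        ratio = c["protocol"] / c["user"] if c["user"] else None   # None: no human commands
        motive = c["motives"].most_common(1)[0][0] if c["motives"] else "Other"
        result[master] = {"protocol": c["protocol"], "user": c["user"],
                          "ratio": ratio, "motivation": motive}
    return result

if __name__ == "__main__":
    for master, stats in botmaster_stats(SAMPLE_LOG).items():
        print(master, stats)
```

A low ratio marks a botmaster whose channel transactions are mostly human-initiated rather than scripted, which is the pattern the results slides single out as most revealing of intent.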


Page 22: Master Blaster:  Identifying Influential Player in Botnet Transaction

Ⅳ. Implementation and results

The following scripts in one version of the bot code were identified by closed analysis.

Reflective keywords extracted from these results are:
PRIVMSG (lines 123, 133, 135 and 138)
dccflood (line 133)

Page 23: Master Blaster:  Identifying Influential Player in Botnet Transaction

• Table 1 shows the number of impulsive commands generated by the top 10 botmasters.

• Active botmasters generated more human user/system commands: most of the impulsive commands generated by the active botmasters are human-based and therefore are more apt to reflect the true intentions of the botmaster.

Page 24: Master Blaster:  Identifying Influential Player in Botnet Transaction

Larger channels decayed more rapidly.

Page 25: Master Blaster:  Identifying Influential Player in Botnet Transaction

More active botmasters had a higher ratio of human-initiated elements to protocol-based elements. This is very important, since it means the botmaster is using his own intuition in this channel and most of the transactions are not produced by scripts.

Human error continues to be the best way to catch botmasters, or malware writers in general.


Page 27: Master Blaster:  Identifying Influential Player in Botnet Transaction

A. Current state of botnets: this paper focuses on IRC-based botnets and leaves the monitoring of more advanced C&C protocols for future work.

B. Limitations: the approach can only identify the botmaster characteristics of transactions that have been decrypted.


Page 29: Master Blaster:  Identifying Influential Player in Botnet Transaction

Discovering the role each botmaster plays helps reduce analysis time.

The approach enables us to identify the generalized motives of each botmaster.

The paper indicated that most attacks occurred at times when the botnet was at its largest size.

Future work would focus on other forms of botnets (e.g. HTTP-based, P2P-based and hybrid attacks).