C&C Tracer: Botnet Command and Control Behavior Tracing
2013/10/28
Presented: 羅傑聘 (102064529)
Outline
Basic Information
Problems to solve
C&C Tracer
Experiment Results
Discussion
2/16
Basic Information
Title:
−C&C Tracer: Botnet Command and Control Behavior Tracing
Authors:
−Meng-Han Tsai, Chang-Cheng Lin, Ching-Hao Mao (Institute for Information Industry, Project Resource Division)
−Huey-Ming Lee (Chinese Culture University)
Publication:
−Systems, Man, and Cybernetics (SMC), IEEE International Conference
Year: 2011
Cited (Google): 1
Problems to Solve
Botnet command and control (C&C) behavior is becoming more dynamic and rapid, so it is difficult to capture botnet behavior in real time.
In practical analysis, scalability and real-time operation are two important issues.
Reducing the latency of C&C behavior tracing could enhance detection coverage under rapid changes in C&C behavior.
C&C Tracer
A botnet C&C behavior tracing system (named C&C Tracer).
The C&C Tracer consists of three components:
1. C&C active behavior feature extracting (CAFE)
2. C&C status tracing analyzer (CSTA)
3. Domain name status querying (DNSQ)
The C&C Tracer can reduce non-active C&C domain names by close to 80% with only a 0.69% false positive rate.
C&C Tracer – Architecture
C&C Tracer – CAFE
C&C Active Behavior Feature Extracting
CAFE parses blacklists from different sources into the same format and recognizes the botnet types.
CAFE includes:
1. Botnet type identifying
2. Malicious URL rendering
3. Domain name extracting
4. Temporal and spatial feature extracting
C&C Tracer – CAFE(2)
The authors propose nine features that consider both spatial and temporal information.
C&C Tracer – CSTA
C&C Status Tracing Analyzer
Determines which domain names are valuable for continued tracing and which should be ignored.
CSTA includes:
1. Domain name behavior extracting
2. Domain name activity measuring
3. Potential domain name selecting
C&C Tracer – CSTA(2)
Different kinds of data mining classification algorithms are used to evaluate the active degree of a domain name, such as:
1. Logistic regression (LR)
2. Naive Bayes (NB)
3. RIPPER
4. K-nearest-neighbors (KNN)
C&C Tracer – DNSQ
Domain Name Status Querying
DNSQ queries the corresponding domain names in online data repositories, extracts the C&C behavior, and exports it to the C&C behavior database.
Experiment Results
1. Domain extension belongs to a gTLD or ccTLD
2. AutNS + IP + ASN + CC + ISP ≧ 5
3. Average TTL (time-to-live) < 1 day
4. AppearDuration > ActiveRecent
TP (true positive): the number of active domains that are correctly detected;
FN (false negative): the number of active domains that are not detected;
TN (true negative): the number of domain names without active-domain labeling that are correctly classified;
FP (false positive): the number of non-active domains that are incorrectly detected as active domains.
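As an added example (not code from the paper or the slides), the four conditions and the TP/FN/TN/FP definitions on this slide can be turned into a small scorer over labeled domain records. The slide does not say how the conditions are combined, so the majority-of-four rule, the small gTLD set, the record fields and the sample records below are all assumptions of this example, and the reported "reduction" is this example's reading of the non-active-domain reduction figure as TN / (TN + FP).

```python
from dataclasses import dataclass
# Constructed subset of gTLDs; ccTLDs are recognised by their two-letter form.
GTLD = {"com", "net", "org", "info", "biz"}

@dataclass
class DomainRecord:
    name: str
    aut_ns: int             # distinct authoritative name servers seen
    ips: int                # distinct resolved IP addresses
    asns: int               # distinct ASNs
    ccs: int                # distinct country codes
    isps: int               # distinct ISPs
    avg_ttl_sec: float      # average DNS TTL of the resolved records
    appear_duration: float  # days since first appearance in a blacklist
    active_recent: float    # days since the last observed C&C activity
    active: bool            # ground-truth label (constructed)
def criteria(r):
    """The four conditions listed on slide 12, each as a boolean."""
    tld = r.name.rsplit(".", 1)[-1].lower()
    return [
        tld in GTLD or len(tld) == 2,                     # 1. gTLD or ccTLD
        r.aut_ns + r.ips + r.asns + r.ccs + r.isps >= 5,  # 2. AutNS+IP+ASN+CC+ISP >= 5
        r.avg_ttl_sec < 86400,                            # 3. average TTL < 1 day
        r.appear_duration > r.active_recent,              # 4. AppearDuration > ActiveRecent
    ]

def predict_active(r, min_hits=3):
    # Hypothetical combination rule (the slide gives none): majority of the four.
    return sum(criteria(r)) >= min_hits
def evaluate(records):
    """TP/FN/TN/FP per slide 12, plus FPR and the share of non-active domains dropped."""
    counts = {"TP": 0, "FN": 0, "TN": 0, "FP": 0}
    for r in records:
        p = predict_active(r)
        counts[("TP" if p else "FN") if r.active else ("FP" if p else "TN")] += 1
    fp, tn = counts["FP"], counts["TN"]
    counts["FPR"] = fp / (fp + tn) if fp + tn else 0.0
    counts["reduction"] = tn / (tn + fp) if tn + fp else 0.0
    return counts
# Constructed sample records (example.* names, not real indicators).
SAMPLE = [
    DomainRecord("cnc-a.example.com", 2, 4, 2, 1, 2, 300, 30, 2, True),
    DomainRecord("old.example.org", 1, 1, 1, 1, 1, 172800, 10, 40, False),
    DomainRecord("dead.example.tw", 1, 1, 1, 1, 0, 3600, 5, 20, False),
    DomainRecord("flux.example.net", 3, 20, 5, 4, 6, 120, 90, 1, True),
    DomainRecord("edge.example.internal", 2, 3, 1, 1, 1, 600, 15, 3, False),
    DomainRecord("quiet.example.com", 1, 1, 1, 1, 1, 172800, 2, 10, True),
]
```

Running `evaluate(SAMPLE)` on these six constructed records gives TP=2, FN=1, TN=2, FP=1, so FPR is 1/3 and two of the three non-active domains would be dropped from tracing.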
Experiment Results (2)
Experiment Results (3)
The C&C Tracer can reduce non-active C&C domain names by close to 80% with only a 0.69% false positive rate.
Discussion
What I Like
− The model of C&C Tracer is clearly presented.
What I Dislike
− Some parts of the evaluation are not clear enough; readers might have to work much harder studying the references.
− Application in real cases is rarely mentioned.
Thank you!