Botnet Detection System using DNS behaviour and clustering analysis. Presented by Nilesh Sharma and Pulkit Mehndiratta, Indraprastha Institute of Information Technology, Delhi (IIIT-Delhi). http://null.co.in


Page 1: Presented by Nilesh Sharma and Pulkit Mehndiratta, Indraprastha Institute of Information Technology, Delhi (IIIT-Delhi)

Botnet Detection System using DNS behaviour and clustering analysis

Presented by Nilesh Sharma and Pulkit Mehndiratta
Indraprastha Institute of Information Technology, Delhi (IIIT-Delhi)

http://null.co.in

Page 2: Who we are?

M.Tech (pursuing) at IIIT-Delhi

Research interests:
a) Botnets
b) Cyber forensics
c) Privacy-enhancing technologies
d) Cryptographic techniques

Part of the IIITD-ACM student chapter

Page 3: What is a bot / botnet?

Bot: a malware instance that runs autonomously and automatically on a compromised computer (a "zombie") without the owner's consent.

Botnet (bot army): a network of bots controlled by criminals; "a coordinated group of malware instances that are controlled by a botmaster via some C&C channel".

"25% of Internet PCs are part of a botnet!" (Vint Cerf)

Page 4: Botnets are used for...

- DDoS attacks
- Spam
- Click fraud
- Information theft
- Phishing attacks
- Distributing other malware, e.g., spyware

Page 5: How big is this problem?

- According to CipherTrust, as many as 172,000 new bots are recruited every day, which means about 5 million new bots appear every month.
- Symantec recently reported that the number of bots observed in a day is 30,000 on average.
- The total number of bot-infected systems has been measured at between 800,000 and 900,000.
- A single botnet comprising more than 140,000 hosts was found in the wild, and botnet-driven attacks have been responsible for single DDoS attacks of more than 10 Gbps.

Page 6: Conficker, according to McAfee

When executed, the worm:
- copies itself under a random name to the %Sysdir% folder;
- obtains the public IP address of the affected computer;
- attempts to download a malware file from a remote website;
- starts an HTTP server on a random port on the infected machine to host a copy of the worm;
- continuously scans the subnet of the infected host for vulnerable machines and executes the exploit against them.

Page 7: Difference between a virus, a worm and a botnet

(Embedded video: E:\nilesh _back up\academics\dss project\New Folder\botnet explained.flv)

Page 8: Existing techniques

- Traditional anti-virus tools: bots use packers, rootkits and frequent updating to defeat anti-virus tools easily.
- Honeypots: not a good botnet detection tool.

Page 9: Challenges for botnet detection

- Selection of a network monitoring tool
- Clustering algorithm
- Heuristics for the clustering algorithm
- Fast flux
- False positives
- Graphical user interface
- Looking for a dynamic approach, as static and signature-based approaches may not be effective

Page 10: Related work

- Botnet Detection by Monitoring Group Activities in DNS Traffic: Hyunsang Choi, Hanwoo Lee, Heejo Lee, Hyogon Kim (Korea University).
- BotHunter [Gu et al., Security '07]: dialog correlation to detect bots based on an infection dialog model.
- BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection (Guofei Gu, Georgia Institute of Technology).

Page 11: Motivation

Botnets can change their C&C content (encryption, etc.), protocols (IRC, HTTP, etc.), structures (P2P, etc.) and C&C servers.

Page 12: Again, botnet...

"A coordinated group of malware instances that are controlled by a botmaster via some C&C channel"

Page 13: The Framework...

Page 14: Methodology

1. Collect the DNS data with Wireshark and convert it into .csv format using the Logparser tool, through a GUI tool.
2. Insert the infected data (traffic that looks like a botnet, having fast-flux characteristics).
3. Retrieve each DNS name and its respective IP addresses from the packet information (the .csv file).
4. Perform k-means clustering on the data on the basis of DNS name, and check whether the fast-flux botnet is detected.
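The four methodology steps carried through end to end, as an added example written for this page; it is not the presenters' tool and the column names qname, rdata and ttl of the CSV are an assumption about what a Logparser export of DNS answers would look like. The data is constructed: the flux-* names imitate the single-flux pattern shown later in the deck (many A records spread over unrelated /24 prefixes, short TTLs), the other names imitate ordinary hosting. The example builds a feature vector per DNS name (distinct IPs, distinct /24 prefixes, mean TTL), runs k-means with a deterministic farthest-point seeding so that runs are repeatable, reports the cluster whose centroid is most IP-diverse as fast-flux candidates, and computes the detection, false-positive and false-negative rates used in the result tables.

```python
"""Fast-flux candidate detection: k-means over per-domain DNS answer features."""
import csv
import io
import math
from collections import defaultdict

# Constructed sample shaped like a Logparser CSV export of DNS answers (column
# names are an assumption). flux-* imitate single-flux: many A records over
# unrelated /24s with short TTLs; the other names imitate ordinary hosting.
# Private/documentation addresses only, not real hosts.
SAMPLE_CSV = """qname,rdata,ttl
www.example,192.0.2.10,86400
www.example,192.0.2.10,86400
mail.example,192.0.2.20,86400
cdn.example,198.51.100.10,3600
cdn.example,198.51.100.11,3600
cdn.example,198.51.100.12,3600
shop.example,198.51.100.20,7200
shop.example,198.51.101.20,7200
flux-a.example,10.12.7.5,1800
flux-a.example,10.88.3.9,1800
flux-a.example,10.140.21.4,1800
flux-a.example,10.2.66.17,1800
flux-a.example,10.201.9.2,1800
flux-a.example,10.55.130.8,1800
flux-a.example,10.19.44.12,1800
flux-b.example,10.71.8.3,180
flux-b.example,10.33.90.6,180
flux-b.example,10.160.2.1,180
flux-b.example,10.9.77.14,180
flux-b.example,10.117.5.5,180
flux-c.example,10.4.15.9,300
flux-c.example,10.96.32.2,300
flux-c.example,10.180.8.6,300
flux-c.example,10.27.50.3,300
flux-c.example,10.66.1.11,300
"""


def extract_features(csv_text):
    """Per query name: (distinct IPs, distinct /24 prefixes, mean TTL)."""
    ips, prefixes, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["qname"].rstrip(".").lower()
        ips[name].add(row["rdata"])
        prefixes[name].add(".".join(row["rdata"].split(".")[:3]))
        ttls[name].append(int(row["ttl"]))
    return {n: (len(ips[n]), len(prefixes[n]), sum(ttls[n]) / len(ttls[n])) for n in ips}


def _scale(vectors):
    """Divide each column by its maximum so raw TTLs do not swamp the counts."""
    maxes = [max(v[i] for v in vectors) or 1.0 for i in range(len(vectors[0]))]
    return [tuple(x / m for x, m in zip(v, maxes)) for v in vectors]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, rounds=100):
    """Lloyd's algorithm; deterministic farthest-point seeding keeps runs repeatable."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(_dist(p, c) for c in centroids)))
    labels = None
    for _ in range(rounds):
        new = [min(range(k), key=lambda j: _dist(p, centroids[j])) for p in points]
        if new == labels:
            break
        labels = new
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:
                centroids[j] = tuple(sum(col) / len(members) for col in zip(*members))
    return labels, centroids


def detect_fast_flux(csv_text, k=2):
    """Cluster domains on their scaled features; the cluster whose centroid has
    the most distinct IPs (then most /24s) is reported as fast-flux candidates."""
    feats = extract_features(csv_text)
    names = sorted(feats)
    labels, centroids = kmeans(_scale([feats[n] for n in names]), k)
    flux = max(range(k), key=lambda j: (centroids[j][0], centroids[j][1]))
    return {n for n, lab in zip(names, labels) if lab == flux}


def evaluate(flagged, truth_flux, all_domains):
    """Slide-style metrics in percent: (detection, false positive, false negative)."""
    truth_flux, benign = set(truth_flux), set(all_domains) - set(truth_flux)
    detection = 100.0 * len(flagged & truth_flux) / len(truth_flux)
    fpr = 100.0 * len(flagged & benign) / len(benign) if benign else 0.0
    return detection, fpr, 100.0 - detection


if __name__ == "__main__":
    flagged = detect_fast_flux(SAMPLE_CSV)
    print(sorted(flagged), evaluate(flagged, {"flux-a.example", "flux-b.example", "flux-c.example"}, extract_features(SAMPLE_CSV)))
```

With seven names k = 2 is enough; the slides run k = 50 to 200 over hundreds of names, and the same rule (take the most IP-diverse centroid as the flux cluster) applies. The caveat the clustering does not handle on its own: a CDN or round-robin web host also answers with several addresses, which is why the /24 diversity and the TTL sit in the feature vector, and why an analyst would add ASN diversity and address churn over time (the check the later snapshot pages perform by hand) before trusting a flag.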

Page 15: Demonstration of methodology

Page 16: Results (k = 50 clusters)

S.No  DNS instances  IP instances per DNS  Detection rate (%)  False positive rate (%)  False negative rate (%)
1     10             100                   20                  2                        80
2     10             500                   90                  2                        10
3     10             1000                  90                  2                        10
4     50             100                   20                  2                        80
5     50             500                   59                  2                        41
6     50             1000                  66                  2                        34
7     100            100                   26                  2                        74
8     100            500                   37                  2                        63
9     100            1000                  42                  2                        58
10    150            100                   17.33               2                        82.67
11    150            500                   27.33               2                        72.67
12    150            1000                  30                  2                        70

Page 17: Results (k = 100 clusters)

S.No  DNS instances  IP instances per DNS  Detection rate (%)  False positive rate (%)  False negative rate (%)
1     10             100                   60                  1                        40
2     10             500                   90                  1                        10
3     10             1000                  90                  1                        10
4     50             100                   42                  1                        58
5     50             500                   88                  1                        12
6     50             1000                  98                  1                        2
7     100            100                   46                  1                        56
8     100            500                   71                  1                        29
9     100            1000                  78                  1                        22
10    150            100                   35.33               1                        64.67
11    150            500                   52.66               1                        47.34
12    150            1000                  55.33               1                        43.67

Page 18: Results (k = 150 clusters)

S.No  DNS instances  IP instances per DNS  Detection rate (%)  False positive rate (%)  False negative rate (%)
1     10             100                   80                  0.667                    20
2     10             500                   100                 0                        0
3     10             1000                  100                 0.667                    5
4     50             100                   64                  0.667                    36
5     50             500                   100                 0.667                    0
6     50             1000                  100                 0.667                    0
7     100            100                   54                  0.667                    46
8     100            500                   71                  0.667                    29
9     100            1000                  95                  0.667                    5
10    150            100                   50.66               0.667                    49.34
11    150            500                   72                  0.667                    28
12    150            1000                  78.66               0.667                    21.34

Page 19: Results (k = 200 clusters)

S.No  DNS instances  IP instances per DNS  Detection rate (%)  False positive rate (%)  False negative rate (%)
1     10             100                   90                  0.5                      10
2     10             500                   100                 0                        0
3     10             1000                  100                 0.5                      0
4     50             100                   82                  0.5                      18
5     50             500                   100                 0.5                      0
6     50             1000                  100                 0                        0
7     100            100                   89                  0.5                      11
8     100            500                   100                 0.5                      0
9     100            1000                  99                  0.5                      1
10    150            100                   69.33               0.5                      31.67
11    150            500                   88                  0.5                      12
12    150            1000                  98.66               0.5                      1.37

Page 20: False Negative Analysis

(Chart: false-negative rate (%), y-axis 0 to 90, for the twelve (DNS instances, IP instances per DNS) configurations of the result tables; the x-axis labels 10, 10, 10, 50, 50, 50, 100, 100, 100, 150, 150, 150 are the DNS-instance counts, each repeated for 100, 500 and 1000 IP instances; one series each for k = 50, k = 100, k = 150 and k = 200.)

Page 21: Detection Rate Analysis

(Chart: detection rate (%), y-axis 0 to 120, for the twelve (DNS instances, IP instances per DNS) configurations of the result tables; the x-axis labels 10, 10, 10, 50, 50, 50, 100, 100, 100, 150, 150, 150 are the DNS-instance counts, each repeated for 100, 500 and 1000 IP instances; one series each for k = 50, k = 100, k = 150 and k = 200.)

Page 22: Results

Page 23: Real-world fast-flux examples: DNS basics, the A record

A records (also known as host records) are the central records of DNS. They link a domain, or subdomain, to an IP address.

A records and IP addresses do not necessarily match one-to-one. Many A records can point to a single IP address, where one machine serves many web sites. Alternatively, a single name can carry many A records, one per IP address; this facilitates fault tolerance and load distribution, and allows a site to move its physical location.

Page 24: Real-world fast-flux examples: DNS basics, the NS record

Name server (NS) records determine which servers will communicate DNS information for a domain. Two NS records must be defined for each domain; generally you will have a primary and a secondary name server. NS records are updated with your domain registrar and take 24 to 72 hours to take effect.

If your domain registrar is separate from your domain host, your host will provide two name servers that you can use to update your NS records with your registrar.

Page 25: Real-world fast-flux examples: credit-money botnet (Zeus botnet)

Below are the single-flux DNS records typical of such an infrastructure. The tables show DNS snapshots of the domain divewithsharks.hk taken approximately every 30 minutes, with the five A records returned round-robin showing clear infiltration into home/business dial-up and broadband networks. Notice that the NS records do not change, but some of the A records do. This is the money-mule bot example.

divewithsharks.hk. 1800 IN A 70.68.187.xxx [xxx.vf.shawcable.net]
divewithsharks.hk. 1800 IN A 76.209.81.xxx [SBIS-AS - AT&T Internet Services]
divewithsharks.hk. 1800 IN A 85.207.74.xxx [adsl-ustixxx-74-207-85.bluetone.cz]
divewithsharks.hk. 1800 IN A 90.144.43.xxx [d90-144-43-xxx.cust.tele2.fr]
divewithsharks.hk. 1800 IN A 142.165.41.xxx [142-165-41-xxx.msjw.hsdb.sasknet.sk.ca]

divewithsharks.hk. 1800 IN NS ns1.world-wr.com.
divewithsharks.hk. 1800 IN NS ns2.world-wr.com.

ns1.world-wr.com. 87169 IN A 66.232.119.212 [HVC-AS - HIVELOCITY VENTURES CORP]
ns2.world-wr.com. 87177 IN A 209.88.199.xxx [vpdn-dsl209-88-199-xxx.alami.net]

Page 26: Real-world fast-flux examples (continued)

Fast-flux networks appear to apply some form of logic in deciding which of their available IP addresses will be advertised in the next set of responses. This may be based on ongoing connection-quality monitoring (and perhaps a load-balancing algorithm). New flux-agent IP addresses are inserted into the fast-flux service network to replace nodes with poor performance, nodes subject to mitigation, or nodes that are otherwise offline.

divewithsharks.hk. 1800 IN A 24.85.102.xxx [xxx.vs.shawcable.net] NEW
divewithsharks.hk. 1800 IN A 69.47.177.xxx [d47-69-xxx-177.try.wideopenwest.com] NEW
divewithsharks.hk. 1800 IN A 70.68.187.xxx [xxx.vf.shawcable.net]
divewithsharks.hk. 1800 IN A 90.144.43.xxx [d90-144-43-xxx.cust.tele2.fr]
divewithsharks.hk. 1800 IN A 142.165.41.xxx [142-165-41-xxx.msjw.hsdb.sasknet.sk.ca]

divewithsharks.hk. 1800 IN NS ns1.world-wr.com.
divewithsharks.hk. 1800 IN NS ns2.world-wr.com.

ns1.world-wr.com. 85248 IN A 66.232.119.xxx [HVC-AS - HIVELOCITY VENTURES CORP]
ns2.world-wr.com. 82991 IN A 209.88.199.xxx [vpdn-dsl209-88-199-xxx.alami.net]

Page 27: Real-world fast-flux examples (continued)

As we see, two of the advertised IP addresses (marked NEW) have changed. Again, these two IP addresses belong to dial-up or broadband networks. Another 30 minutes later, a lookup of the domain returns the following:

divewithsharks.hk. 1238 IN A 68.150.25.xxx [xxx.ed.shawcable.net] NEW
divewithsharks.hk. 1238 IN A 76.209.81.xxx [SBIS-AS - AT&T Internet Services] (this one came back!)
divewithsharks.hk. 1238 IN A 172.189.83.xxx [xxx.ipt.aol.com] NEW
divewithsharks.hk. 1238 IN A 200.115.195.xxx [pcxxx.telecentro.com.ar] NEW
divewithsharks.hk. 1238 IN A 213.85.179.xxx [CNT Autonomous System] NEW

divewithsharks.hk. 1238 IN NS ns1.world-wr.com.
divewithsharks.hk. 1238 IN NS ns2.world-wr.com.

ns1.world-wr.com. 83446 IN A 66.232.119.xxx [HVC-AS - HIVELOCITY VENTURES CORP]
ns2.world-wr.com. 81189 IN A 209.88.199.xxx [vpdn-dsl209-88-199-xxx.alami.net]

Now we observe four new IP addresses and one IP address that we saw in the first query. This demonstrates the round-robin address response mechanism used in fast-flux networks. As this example shows, the A records for the domain are constantly changing, while the NS records and the addresses of the name servers themselves stay the same. Each of these systems represents a compromised host acting as a redirector, a redirector that eventually points to the money-mule botnet.

Page 28: Some more fast-flux examples

Here not only the A records of login.mylspacee.com but also the name servers of mylspacee.com resolve to residential cable and DSL addresses, with short TTLs on both.

login.mylspacee.com. 177 IN A 66.229.133.xxx [c-66-229-133-xxx.hsd1.fl.comcast.net]
login.mylspacee.com. 177 IN A 67.10.117.xxx [cpe-67-10-117-xxx.gt.res.rr.com]
login.mylspacee.com. 177 IN A 70.244.2.xxx [adsl-70-244-2-xxx.dsl.hrlntx.swbell.net]
login.mylspacee.com. 177 IN A 74.67.113.xxx [cpe-74-67-113-xxx.stny.res.rr.com]
login.mylspacee.com. 177 IN A 74.137.49.xxx [74-137-49-xxx.dhcp.insightbb.com]

mylspacee.com. 108877 IN NS ns3.myheroisyourslove.hk.
mylspacee.com. 108877 IN NS ns4.myheroisyourslove.hk.
mylspacee.com. 108877 IN NS ns5.myheroisyourslove.hk.
mylspacee.com. 108877 IN NS ns1.myheroisyourslove.hk.
mylspacee.com. 108877 IN NS ns2.myheroisyourslove.hk.

ns1.myheroisyourslove.hk. 854 IN A 70.227.218.xxx [ppp-70-227-218-xxx.dsl.sfldmi.ameritech.net]
ns2.myheroisyourslove.hk. 854 IN A 70.136.16.xxx [adsl-70-136-16-xxx.dsl.bumttx.sbcglobal.net]
ns3.myheroisyourslove.hk. 854 IN A 68.59.76.xxx [c-68-59-76-xxx.hsd1.al.comcast.net]
ns4.myheroisyourslove.hk. 854 IN A 70.126.19.xxx [xxx-19.126-70.tampabay.res.rr.com]
ns5.myheroisyourslove.hk. 854 IN A 70.121.157.xxx [xxx.157.121.70.cfl.res.rr.com]

Page 29: Results... (login.mylspacee.com on a later lookup: all five A records are new)

login.mylspacee.com. 161 IN A 74.131.218.xxx [74-131-218-xxx.dhcp.insightbb.com] NEW
login.mylspacee.com. 161 IN A 24.174.195.xxx [cpe-24-174-195-xxx.elp.res.rr.com] NEW
login.mylspacee.com. 161 IN A 65.65.182.xxx [adsl-65-65-182-xxx.dsl.hstntx.swbell.net] NEW
login.mylspacee.com. 161 IN A 69.215.174.xxx [ppp-69-215-174-xxx.dsl.ipltin.ameritech.net] NEW
login.mylspacee.com. 161 IN A 71.135.180.xxx [adsl-71-135-180-xxx.dsl.pltn13.pacbell.net] NEW

mylspacee.com. 108642 IN NS ns3.myheroisyourslove.hk.
mylspacee.com. 108642 IN NS ns4.myheroisyourslove.hk.
mylspacee.com. 108642 IN NS ns5.myheroisyourslove.hk.
mylspacee.com. 108642 IN NS ns1.myheroisyourslove.hk.
mylspacee.com. 108642 IN NS ns2.myheroisyourslove.hk.

ns1.myheroisyourslove.hk. 608 IN A 70.227.218.xxx [ppp-70-227-218-xxx.dsl.sfldmi.ameritech.net]
ns2.myheroisyourslove.hk. 608 IN A 70.136.16.xxx [adsl-70-136-16-xxx.dsl.bumttx.sbcglobal.net]
ns3.myheroisyourslove.hk. 608 IN A 68.59.76.xxx [c-68-59-76-xxx.hsd1.al.comcast.net]
ns4.myheroisyourslove.hk. 608 IN A 70.126.19.xxx [xxx-19.126-70.tampabay.res.rr.com]
ns5.myheroisyourslove.hk. 608 IN A 70.121.157.xxx [xxx.157.121.70.cfl.res.rr.com]
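The snapshot-to-snapshot comparison that pages 25 to 29 perform by hand (which addresses are NEW, which one "came back", whether the NS layer moved), as an added example written for this page; it is not code from the slides. It parses the dig-style record lines shown above (whatever follows the rdata, such as the bracketed ISP annotations, is ignored), diffs consecutive answers for one name, and classifies the name as stable, single-flux (A records churn while NS names and NS addresses stay put, as with divewithsharks.hk) or double-flux (the name servers' own addresses churn as well, the situation the ns*.myheroisyourslove.hk records on residential DSL and cable lines point towards). The zone names, the addresses and the 0.2 churn threshold are constructed assumptions.

```python
"""Diff successive DNS snapshots of one name to expose fast-flux churn."""
import re
from collections import defaultdict

# dig-style lines as printed on the slides: <owner> <ttl> IN <type> <rdata>;
# whatever follows rdata (bracketed ISP annotations, NEW markers) is ignored.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)")

# Constructed snapshots of a hypothetical flux.example zone, ~30 minutes apart,
# copying the divewithsharks.hk pattern: some A records replaced each time,
# NS names and NS addresses unchanged. Private/documentation addresses only.
SINGLE_FLUX = [
    """flux.example. 1800 IN A 10.1.1.1
flux.example. 1800 IN A 10.2.2.2
flux.example. 1800 IN A 10.3.3.3
flux.example. 1800 IN A 10.4.4.4
flux.example. 1800 IN NS ns1.nshost.example.
flux.example. 1800 IN NS ns2.nshost.example.
ns1.nshost.example. 86400 IN A 192.0.2.53
ns2.nshost.example. 86400 IN A 198.51.100.53""",
    """flux.example. 1800 IN A 10.5.5.5
flux.example. 1800 IN A 10.6.6.6
flux.example. 1800 IN A 10.1.1.1
flux.example. 1800 IN A 10.4.4.4
flux.example. 1800 IN NS ns1.nshost.example.
flux.example. 1800 IN NS ns2.nshost.example.
ns1.nshost.example. 84600 IN A 192.0.2.53
ns2.nshost.example. 84600 IN A 198.51.100.53""",
    """flux.example. 1238 IN A 10.7.7.7
flux.example. 1238 IN A 10.2.2.2
flux.example. 1238 IN A 10.8.8.8
flux.example. 1238 IN A 10.9.9.9
flux.example. 1238 IN NS ns1.nshost.example.
flux.example. 1238 IN NS ns2.nshost.example.
ns1.nshost.example. 82800 IN A 192.0.2.53
ns2.nshost.example. 82800 IN A 198.51.100.53""",
]
# Same zone, but in the last snapshot one name server has itself moved: the
# NS hosts are flux agents too, which is what distinguishes double-flux.
DOUBLE_FLUX = SINGLE_FLUX[:2] + [SINGLE_FLUX[2].replace("192.0.2.53", "10.12.12.12")]
# Ordinary hosting: the answer never changes.
STABLE = ["www.example. 3600 IN A 192.0.2.10"] * 2


def parse_snapshot(text):
    """Return {'A': {owner: {ip, ...}}, 'NS': {owner: {nsname, ...}}}."""
    rrsets = {"A": defaultdict(set), "NS": defaultdict(set)}
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            rrsets[rtype][owner.rstrip(".").lower()].add(rdata.rstrip(".").lower())
    return rrsets


def diff_snapshots(domain, snapshots):
    """Per snapshot (time order): which A addresses of `domain` are NEW (never
    seen), RETURNED (seen before, absent last time) or DROPPED, plus whether
    the NS set or the NS hosts' own addresses changed since the last answer."""
    seen, prev_a, prev_ns, prev_ns_a = set(), set(), set(), set()
    report = []
    for i, snap in enumerate(snapshots):
        rr = parse_snapshot(snap)
        a, ns = rr["A"].get(domain, set()), rr["NS"].get(domain, set())
        ns_a = set().union(*(rr["A"].get(n, set()) for n in ns))
        report.append({
            "snapshot": i, "size": len(a),
            "new": sorted(a - seen),
            "returned": sorted((a & seen) - prev_a),
            "dropped": sorted(prev_a - a),
            "ns_changed": bool(prev_ns) and ns != prev_ns,
            "ns_addr_changed": bool(prev_ns_a) and ns_a != prev_ns_a,
        })
        seen |= a
        prev_a, prev_ns, prev_ns_a = a, ns, ns_a
    return report


def classify(report, churn_threshold=0.2):
    """Churn = share of addresses in the answers after the first that are new
    or returned. Above the threshold with a stable NS layer: single-flux; with
    the NS hosts moving too: double-flux. The threshold is an assumed value."""
    later = report[1:]
    answered = sum(r["size"] for r in later)
    if not answered:
        return "insufficient-data"
    churn = sum(len(r["new"]) + len(r["returned"]) for r in later) / answered
    if churn < churn_threshold:
        return "stable"
    if any(r["ns_changed"] or r["ns_addr_changed"] for r in later):
        return "double-flux"
    return "single-flux"


if __name__ == "__main__":
    for name, snaps in (("flux.example", SINGLE_FLUX), ("flux.example", DOUBLE_FLUX), ("www.example", STABLE)):
        rep = diff_snapshots(name, snaps)
        print(name, [(r["snapshot"], r["new"], r["returned"]) for r in rep], "->", classify(rep))
```

Two snapshots are the minimum for a verdict, and a high churn rate over many snapshots with a short TTL is far stronger evidence than one changed answer: round-robin CDNs also rotate addresses, but within their own prefixes and without the name servers themselves sitting on dial-up or broadband lines.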

Page 30: Conclusion

- On the basis of DNS instances, k-means clustering can detect the fast-flux characteristics of botnets.
- A new botnet detection system based on horizontal correlation.
- Independent of botnet C&C protocol and structure.
- Real-world evaluation shows promising results.
- The false-positive rate is very low throughout (2% at k = 50 down to 0.5% at k = 200), and detection is highest with a large number of IP address instances corresponding to the same DNS name, which is the condition that resembles real-world fast-flux botnets.

Page 31: Acknowledgements

- The Nullcon team
- All the listeners
- Our professors, Dr. Ponnurangam Kumaraguru and Dr. Shishir Nagaraja

Page 32: Thank you