Heejo Lee, Hyunsang Choi. Computer and Communication Security Lab Korea University
1 Botnet and Mass DDoS Attack
Heejo Lee, Hyunsang Choi
Computer and Communication Security Lab, Korea University
June 25, 2009

2 Contents
- Introduction to Botnet
- Recent Botnet Trends
- Botnet Detection Researches
- BotGAD: Botnet Group Activity Detector
- Conclusion
3 Botnet
- Botnet: a group of zombie computers under the remote control of an attacker via a command and control (C&C) system
- Wei Lu et al., "Automatic Discovery of Botnet Communities on Large-Scale Communication Networks", ACM ASIACCS 09

4 Why Botnet?
- Botconomics: botnets exist for generating $$$$

5 Purchasing Botnets
- Buy a bot code (Report on the Underground Economy, Symantec, Nov 2008)
- Buy or rent an already constructed botnet (Emerging Information Security Threats, Lenny Zeltser)

6 Botnet Attacks (1)
- Spamming, DDoS attacks, identity theft, phishing attacks
- J. Davis, Web War I, Wired Magazine, Sep

7 Botnet Attacks (2)
- Recent botnet targeted attacks (Damballa): Storm (P2P bot), Kraken, Bobax (HTTP bot), RAT-Pro (RAT)

8 Botnet Statistics (1)
- Symantec report: 75,158 active bots per day in 2008, an increase of 31% from 2007
- China had the most bot-infected computers in 2008, 13% of the total

9 Botnet Statistics (2)
- Number of new zombies (top 10 countries), McAfee Threats Report: First Quarter

10 Botnet Statistics (3)
- Top 10 infected countries and spam volume in 2009 (Trend Micro 2008 Annual Threat Roundup and 2009 Forecast)

11 Botnet Statistics (4)
- Damballa report: ~5% of PCs connected to the Internet are zombies; 78% of botnet malware uses HTTP ports for communication; more than 60% of targeted-attack malware will never be caught by any signature-based AV or IDS/IPS solution
- MessageLabs annual security report: % of spam was being distributed by botnets (May to Oct. 2008)
12 Botnet History
- EggDrop: discovered, RPCSS, recognized as the first benign IRC bot
- GTbots: the first botnet to use IRC as C&C
- Agobot: robust, flexible and modular design with significant functionality
- Sinit/Phatbot: P2P botnets appeared
- Storm (Peacomm): Kademlia-based P2P botnet, the largest spam bot until 2007
- Srizbi: HTTP botnet for spamming (the largest spam bot from 2008)
- Asprox: HTTP botnet used to launch mass SQL injection attacks on the web
- Ghostnet: remote access trojan for spying activities
- Conficker: largest botnet ever, hybrid P2P botnet
- Present
14 Recent Botnet Trends: Summary
- Size: light-weight (mini-bots, RAT bots)
- Structure: complicated (hybrid/custom protocols)
- Service: specialized (DDoS bots, spam bots, RAT bots)
- Mini-bots: Netbot, Clampi (Rscan), Torpig, Zeus (Zbot), Idpinch, etc.
- Complicated structure: Conficker, Netbot, Ghostnet, Spybot, etc.; they evade detection systems using customized protocols (Ghostnet, Netbot, Spybot) or hybrid (complicated) protocols (Conficker)
- Specialized service: single-purpose botnets such as DDoS bots (Netbot, Panda DDoS), spam bots and spying bots (RATs)

15 Recent Botnets: NetBot
- NetBot Attacker: a botnet for DDoS attacks, used to launch (ransom) DDoS attacks against web sites
- Launched DDoS attacks several times on Itembay

16 Recent Botnets: Ghostnet RAT
- Ghostnet / Gh0st RAT (Remote Access Trojan): infected hosts are controllable remotely
- Uses an HTTP-based protocol
- Cyber espionage network based in China; has infected about 1,300 computers in 103 countries (Univ. of Toronto, "Tracking GhostNet: Investigating a Cyber Espionage Network", Mar)
- Information gathering on Tibetan activities and the Dalai Lama
- Infection is by typical social engineering (e.g. attachments in e-mail)

17 Recent Botnets: Conficker (1)
- Conficker.C, aka Kido/Downad/Downadup
- From Nov. 2008, spread using the Windows NetBIOS and Microsoft-DS service vulnerability MS (139/tcp, 445/tcp)
- Also uses USB drives to infect: DLL + rundll32.exe
- The largest worm infection since the 2003 SQL Slammer: 9M infections (F-Secure), 15M (UPI, United Press Intl.)
- Slows system/network speed; infected hosts cannot access Microsoft Update
- Components: setup, security product terminators, P2P and Internet rendezvous modules

18 Recent Botnets: Conficker (2)
- Conficker domain generation for rendezvous
- Domain flux: Conficker.C uses a new set of domain names daily
- The PRNG is seeded by the current time
- Time synchronization: the bot downloads web pages (Google, Yahoo, ...) and uses the time data (day, month, year) in the HTTP response
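The defender-side counterpart of the domain flux described above, as an added example that is not part of the slides: a bot that generates many candidate rendezvous names per day produces a burst of lookups for names that do not exist, so the resolver log shows an unusual number of distinct NXDOMAIN answers for the infected client. The log format, the one-hour window, the thresholds and the client addresses are assumptions made for this example; the sample log is constructed, not captured traffic, and the generated names are not Conficker domains.

```python
import hashlib
from collections import defaultdict

WINDOW = 3600  # seconds: count failed lookups per client per hour (chosen for the example)


def _fake_name(i):
    """Deterministic gibberish hostname for the constructed sample (not a real DGA output)."""
    return hashlib.sha256(f"sample-{i}".encode()).hexdigest()[:8] + ".test"


def build_sample_log():
    """Constructed resolver log: '<epoch> <client> <qname> <rcode>' lines, one query per line."""
    lines = []
    # Client that behaves like a domain-flux bot: 30 distinct generated names, almost all NXDOMAIN.
    for i in range(30):
        rcode = "NOERROR" if i in (4, 17) else "NXDOMAIN"   # two of the names happened to resolve
        lines.append(f"{1000 + i * 10} 10.0.0.9 {_fake_name(i)} {rcode}")
    # Ordinary client: a handful of real-looking names and one typo.
    for i, name in enumerate(["www.example.com", "mail.example.com", "cdn.example.net",
                              "www.example.org", "api.example.com", "time.example.net",
                              "update.example.com"]):
        lines.append(f"{2000 + i * 10} 10.0.0.3 {name} NOERROR")
    lines.append("2100 10.0.0.3 wwww.example.com NXDOMAIN")
    return "\n".join(lines)


def nxdomain_profile(log_text, window=WINDOW):
    """Per (client, window index): total queries, NXDOMAIN answers and the distinct names that failed."""
    prof = defaultdict(lambda: {"total": 0, "nx": 0, "failed_names": set()})
    for line in log_text.strip().splitlines():
        ts, client, qname, rcode = line.split()
        p = prof[(client, int(ts) // window)]
        p["total"] += 1
        if rcode == "NXDOMAIN":
            p["nx"] += 1
            p["failed_names"].add(qname)
    return prof


def flag_domain_flux(log_text, min_failed=20, min_ratio=0.5, window=WINDOW):
    """Clients whose distinct failed lookups in one window are high both in count and as a share
    of their queries.  The thresholds are illustrative; tune them against your own baseline."""
    flagged = set()
    for (client, _), p in nxdomain_profile(log_text, window).items():
        if len(p["failed_names"]) >= min_failed and p["nx"] / p["total"] >= min_ratio:
            flagged.add(client)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_domain_flux(build_sample_log()))
```

The ratio test keeps a busy but healthy client (many queries, a few typos) from being flagged, while the absolute count keeps a quiet client with three failed lookups out as well; a client that trips both within one window is worth a look at what else it is talking to.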
19 Recent Botnets: Asprox (1)
- Asprox botnets are used to acquire user information, distribute spam and launch phishing attacks
- In 2008, an SQL injection module was added to Asprox (Anatomy of the Asprox Botnet, Oct)

20 Recent Botnets: Asprox (2)
- (1) Asprox searches for .asp web pages using Google
- (2) Launches mass SQL injection attacks against those pages
- (3) Inserts iframe-based redirection links into the vulnerable pages
- (4) Visitors of the infected web pages become Asprox hosts
- Anatomy of the Asprox Botnet, Oct

21 CAPTCHA Breaking Botnets
- CAPTCHA breaking: Mechanical Turks
- Some anti-CAPTCHA tools target the audio alternative offered by sites; audio waveform analysis is an easier process than image analysis
- In early 2008, these algorithms were 20-30% successful
- CAPTCHA-breakers may also combine the two approaches

22 DNS Cache Poisoning using Botnet
- DNS cache poisoning using a botnet: (1) send DNS queries to the local NS; (2) overload the authoritative NS using botnet flooding attacks; (3) send a reply before the recursive answer arrives
- N. Chatzis et al., Motivation for Behaviour-Based DNS Security, SECURWARE
24 Botnet Detection Approaches (1)
- Host-based vs. network-based
- Signature-based vs. anomaly-based

25 Botnet Detection Approaches (2)
- IRC botnet detection (IRC detection + botnet activity detection): Binkley et al., IRC botnet detection, USENIX SRUTI 06; Karasaridis et al., Wide-scale botnet detection, USENIX HotBots 07; Gu et al., BotHunter, USENIX Security 07. Challenges: HTTP bots appeared, channel encryption, stealth attacks
- Botnet group activity detection: Gu et al., BotSniffer, NDSS 08; Gu et al., BotMiner, USENIX Security 08; Hyunsang et al., BotGAD, COMSWARE 09. Challenges: sensitive time window, mini-bots, single-purpose bots
- Spamming botnet detection using e-mail data: Ramachandran et al., SpamTracker, ACM CCS 07; Xie et al., AutoRE, ACM SIGCOMM 08; Duan et al., SPOT, INFOCOM 09; Zhao et al., BotGraph, USENIX NSDI 09. Challenges: spam bots only, not early detection, only detects relay IPs
- Host-based botnet detection: Stinson et al., BotSwat, DIMVA 07; Liu et al., BotTracer, ISC 08; Al-Hammadi et al., Keylogging botnet detection, ARES 08; Al-Hammadi et al., DCA for bot detection, CEC 08. Challenges: too many false alarms

26 IRC Botnet Detection Algorithm (1)
- J. R. Binkley (Portland State Univ.), An algorithm for anomaly-based botnet detection, USENIX SRUTI 06
- Goal: detect IRC-based botnets
- Approach: IRC mesh detection + TCP scan detection (TCP work weight)
- Weaknesses: easy to evade (channel encryption, stealthy scanning); too many false alarms; cannot detect HTTP or P2P botnets
- TCP work weight: count of TCP control packets (SYNs sent, including SYN-ACKs, + FINs sent + RESETs) / total number of TCP packets (Tsr)
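A worked computation of the TCP work weight from the slide above, added here and not taken from Binkley's paper or from the slides. For each monitored host it counts SYNs sent (SYN-ACKs included), FINs sent and RSTs received, and divides by all TCP packets seen for that host, so a host that mostly opens connections and gets them refused scores near 1 while a host carrying a normal data session scores near 0. Counting received RSTs is my reading of the work-weight definition (the slide only says RESETs); the 0.5 threshold, the packet stream and the host addresses are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class TcpPacket:
    host: str           # the monitored inside host this packet belongs to
    sent: bool          # True if the host sent the packet, False if it received it
    flags: frozenset    # TCP flags set on the packet, e.g. {"SYN"} or {"RST", "ACK"}


def tcp_work_weight(packets):
    """Per-host work weight = (SYNs sent incl. SYN-ACKs + FINs sent + RSTs received) / all TCP packets."""
    counts = defaultdict(lambda: {"Ss": 0, "Fs": 0, "Rr": 0, "Tsr": 0})
    for p in packets:
        c = counts[p.host]
        c["Tsr"] += 1
        if p.sent and "SYN" in p.flags:
            c["Ss"] += 1
        if p.sent and "FIN" in p.flags:
            c["Fs"] += 1
        if not p.sent and "RST" in p.flags:
            c["Rr"] += 1
    return {h: (c["Ss"] + c["Fs"] + c["Rr"]) / c["Tsr"] for h, c in counts.items()}


def build_sample():
    """Constructed packet stream: one host probing 20 ports, one host doing an ordinary web session."""
    pk = []
    scanner = "10.0.0.5"
    for port in range(20):
        pk.append(TcpPacket(scanner, True, frozenset({"SYN"})))
        if port % 5 == 0:                          # 4 of the 20 ports are open: SYN-ACK comes back
            pk.append(TcpPacket(scanner, False, frozenset({"SYN", "ACK"})))
        else:                                      # the other 16 are closed: RST comes back
            pk.append(TcpPacket(scanner, False, frozenset({"RST", "ACK"})))
    normal = "10.0.0.7"
    pk.append(TcpPacket(normal, True, frozenset({"SYN"})))          # handshake
    pk.append(TcpPacket(normal, False, frozenset({"SYN", "ACK"})))
    pk.append(TcpPacket(normal, True, frozenset({"ACK"})))
    for _ in range(10):                                              # request/response data
        pk.append(TcpPacket(normal, True, frozenset({"PSH", "ACK"})))
        pk.append(TcpPacket(normal, False, frozenset({"PSH", "ACK"})))
    pk.append(TcpPacket(normal, True, frozenset({"FIN", "ACK"})))   # orderly close
    pk.append(TcpPacket(normal, False, frozenset({"FIN", "ACK"})))
    pk.append(TcpPacket(normal, True, frozenset({"ACK"})))
    return pk


def flag_scanners(packets, threshold=0.5):
    """Hosts whose work weight reaches the threshold (0.5 is illustrative, not the paper's figure)."""
    return sorted(h for h, w in tcp_work_weight(packets).items() if w >= threshold)


if __name__ == "__main__":
    for host, w in sorted(tcp_work_weight(build_sample()).items()):
        print(f"{host}: work weight {w:.3f}")
    print("flagged:", flag_scanners(build_sample()))
```

In the constructed stream the probing host has 20 SYNs out and 16 RSTs back over 40 packets (weight 0.9), the web client 1 SYN and 1 FIN over 26 packets (about 0.077). The slide's evasion note applies directly: a bot that scans slowly enough, or only talks to its C&C, keeps its weight low and is not caught by this measure alone.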
27 Wide-scale Botnet Detection (2)
- A. Karasaridis (AT&T Labs), Wide-scale Botnet Detection and Characterization, USENIX HotBots 07
- Goal: anomaly-based botnet detection
- Approach: IDS-log-based detection of the botnet sequence (stages)
- Weaknesses: cannot detect HTTP or P2P botnets; false alarms; dependent on IDS/IPS logs; weak against stealthy scanning

28 BotHunter (3)
- G. Gu (Georgia Tech), BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation, USENIX Security 07
- Goal: anomaly-based detection of botnet infections
- Approach: IDS dialog-based detection of the infection sequence (stages)
- Weaknesses: dependent on IDS/IPS logs; weak against stealthy scanning and channel encryption; cannot detect HTTP or P2P botnets

29 BotSniffer (4)
- G. Gu (Georgia Tech), BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic, NDSS 08
- Goal: a botnet C&C detection system
- Approach: exploit the underlying spatial-temporal correlation and similarity property of botnet C&C (horizontal correlation)
- Weaknesses: dependent on IDS/IPS logs; weak against stealthy scanning and channel encryption; cannot detect P2P botnets

30 BotMiner (5)
- G. Gu (Georgia Tech), BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection, USENIX Security 08
- Goal: a protocol- and structure-independent botnet detection system
- Approach: cluster hosts with similar C&C and malicious activity patterns
- Weaknesses: dependent on IDS/IPS logs; weak against stealthy scanning and channel encryption; not practical (overhead)

31 AutoRE (6)
- Yinglian Xie (Microsoft), Spamming Botnets: Signatures and Characteristics, SIGCOMM 08
- Goal: a large-scale analysis of spamming botnet characteristics, identifying trends that can be used to detect botnets
- Approach: botnet spam traffic comes in bursts (synchronized fashion) and is distributed (a large and dispersed set of IPs)
- Weaknesses: not real-time; relies on magic numbers; more analysis needed for false positives
33 Research Motivation
- BotGAD (Botnet Group Activity Detector) is built around three requirements: anomaly detection, hard to evade, real-time detection
- Anomaly detection: botnets use encrypted channels, and the explosive amount of new/modified bots overwhelms detection methods
- Hard to evade: botnets adopt complicated techniques to evade detection mechanisms
- Real-time detection: a huge amount of data is hard to acquire and analyze; real-time detection is more useful for responding to the botnet

34 Group Activity Property
- Group activity is an inherent property of botnets
- Group activity is frequently observed in the botnet life cycle
- A botnet's group activity differs from normal group activities

35 Group Activities in Life Cycle
- Botnet life cycle: three steps, propagation, communication and attack
- Group activities can be monitored throughout the life cycle

36 Botnet Group Activity Detector
- Group similarity estimation: Kulczynski similarity, Cosine similarity, Jaccard similarity

37 Case Study: BotGAD Using DNS
- DNS is frequently used by botnets:
- Rally: when bots locate the C&C, they usually send DNS queries
- Update: when bots update their code, they send DNS queries
- Synchronization: botnets use DNS to synchronize system time (NTP)
- Cloning and reconnection: when cloning and reconnecting, bots use DNS
- Migration: bots migrate to a new C&C using DNS
- Attack: some attacks go with DNS
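The three similarity measures from the BotGAD slide, applied to the DNS group activity described in this case study, as an added example that is not the BotGAD implementation: for every queried name, the set of clients that asked for it is collected per time window, and consecutive windows are compared. A C&C name is asked for by the same bots window after window, so its group similarity stays near 1; a popular site is asked for by a changing mix of users, so its similarity stays low. The example assumes a query log of "<epoch> <client> <qname>" lines, fixed 60-second windows and the set-based (binary) forms of Jaccard, cosine and Kulczynski similarity; the sample log, the names cc-example.test and news.example.test and the thresholds are constructed for the example.

```python
import math
from collections import defaultdict

WINDOW = 60  # seconds per time window (chosen for the example; the slides call the window sensitive)


def build_sample_log():
    """Constructed DNS query log, '<epoch> <client> <qname>' per line (not captured traffic)."""
    lines = []
    bots = [f"10.0.0.{i}" for i in range(1, 6)]
    for ts in (10, 70, 130):                      # hypothetical C&C name: same five hosts every window
        for c in bots:
            lines.append(f"{ts} {c} cc-example.test")
    per_window = {20: ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.6"],   # hypothetical popular site:
                  80: ["10.0.0.2", "10.0.0.7", "10.0.0.8", "10.0.0.9"],   # a changing mix of hosts
                  140: ["10.0.0.2", "10.0.0.10", "10.0.0.11"]}
    for ts, clients in per_window.items():
        for c in clients:
            lines.append(f"{ts} {c} news.example.test")
    return "\n".join(lines)


def parse_groups(log_text, window=WINDOW):
    """qname -> {window index -> set of clients that queried it in that window}."""
    groups = defaultdict(lambda: defaultdict(set))
    for line in log_text.strip().splitlines():
        ts, client, qname = line.split()
        groups[qname][int(ts) // window].add(client)
    return groups


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def cosine(a, b):
    return len(a & b) / math.sqrt(len(a) * len(b)) if a and b else 0.0


def kulczynski(a, b):
    return 0.5 * (len(a & b) / len(a) + len(a & b) / len(b)) if a and b else 0.0


METRICS = {"jaccard": jaccard, "cosine": cosine, "kulczynski": kulczynski}


def score_domains(log_text, window=WINDOW):
    """Average similarity of the client sets of consecutive windows, per qname and per metric."""
    scores = {}
    for qname, by_win in parse_groups(log_text, window).items():
        idx = sorted(by_win)
        pairs = [(by_win[i], by_win[j]) for i, j in zip(idx, idx[1:])]
        if not pairs:                              # seen in a single window only: nothing to compare
            continue
        scores[qname] = {name: sum(m(a, b) for a, b in pairs) / len(pairs)
                         for name, m in METRICS.items()}
    return scores


def suspicious_domains(log_text, metric="jaccard", threshold=0.8, min_group=3, window=WINDOW):
    """Names whose querying group is both stable across windows and large enough to count as a group."""
    groups = parse_groups(log_text, window)
    out = []
    for qname, s in score_domains(log_text, window).items():
        if s[metric] >= threshold and min(len(v) for v in groups[qname].values()) >= min_group:
            out.append(qname)
    return sorted(out)


if __name__ == "__main__":
    for qname, s in score_domains(build_sample_log()).items():
        print(qname, {k: round(v, 3) for k, v in s.items()})
    print("suspicious:", suspicious_domains(build_sample_log()))
```

The minimum group size matters as much as the threshold: two laptops that both poll the same time server every minute also score 1.0, which is the mini-bot and single-purpose-bot limitation the detection-approaches slide lists. Whitelisting names that the whole network queries (update servers, NTP, the local mail host) is the usual next step before acting on the output.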
38 Experiment Results
- System design and similarity estimation
- 2 days of DNS traces were captured at the gateway router of a /16 campus network (1 Gbps, 24M DNS queries)
- Several known and unknown botnets were detected during the experiments, including IRC/HTTP/P2P (Storm) botnets: Cassel HTTP bot, Virut IRC bot, Virut IRC bot, Poison IRC bot, Storm P2P bot, Silly IRC bot

39 Benefits of Proposed Mechanism
- Anomaly-based detection algorithm
- Group activity (an inherent property of botnets) makes the mechanism hard to evade
- Using DNS, botnets are detected in their early stage (before they execute an array of malicious behaviors)
- Efficient to apply on large ISP networks, since only a small portion of the network traffic (DNS) is needed

40 Research Project
- The Development of Active Detection and Response Technology against Botnet, supported by MKE, Korea
- Collaboration with KISA, ISPs and security companies

41 Publications
- H. Choi, H. Lee, H. Kim, BotGAD: Detecting Botnets by Capturing Group Activities in Network Traffic, COMSWARE, June
- I. Kim, H. Choi, H. Lee, Botnet Visualization using DNS Traffic, WISA, Sep
- H. Choi, H. Lee, H. Lee, H. Kim, Botnet Detection by Monitoring Group Activities in DNS Traffic, IEEE CIT, Oct

42 Q & A
Thank you
More informationLASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains
LASTLINE WHITEPAPER Using Passive DNS Analysis to Automatically Detect Malicious Domains Abstract The domain name service (DNS) plays an important role in the operation of the Internet, providing a two-way
More informationResearch Article Overhead Analysis and Evaluation of Approaches to Host-Based Bot Detection
International Journal of Distributed Sensor Networks Volume 15, Article ID 524627, 17 pages http://dx.doi.org/1.1155/15/524627 Research Article Overhead Analysis and Evaluation of Approaches to Host-Based
More informationBotNets- Cyber Torrirism
BotNets- Cyber Torrirism Battling the threats of internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets? Because Bot Statistics Suggest Assimilation
More informationHow To Detect An Advanced Persistent Threat Through Big Data And Network Analysis
, pp.30-36 http://dx.doi.org/10.14257/astl.2013.29.06 Detection of Advanced Persistent Threat by Analyzing the Big Data Log Jisang Kim 1, Taejin Lee, Hyung-guen Kim, Haeryong Park KISA, Information Security
More informationNUIT Tech Talk. Peeking Behind the Curtain of Security. Jeff Holland Security Vulnerability Analyst Information & Systems Security/Compliance
NUIT Tech Talk Peeking Behind the Curtain of Security Jeff Holland Security Vulnerability Analyst Information & Systems Security/Compliance Definitions Malware: The Virus/Trojan software we ve all come
More informationCountry Case Study on Incident Management Capabilities CERT-TCC, Tunisia
Country Case Study on Incident Management Capabilities CERT-TCC, Tunisia Helmi Rais CERT-TCC Team Manager National Agency for Computer Security, Tunisia helmi.rais@ansi.tn helmi.rais@gmail.com Framework
More informationDevelopment of a Network Intrusion Detection System
Development of a Network Intrusion Detection System (I): Agent-based Design (FLC1) (ii): Detection Algorithm (FLC2) Supervisor: Dr. Korris Chung Please visit my personal homepage www.comp.polyu.edu.hk/~cskchung/fyp04-05/
More informationOS Security. Malware (Part 2) & Intrusion Detection and Prevention. Radboud University Nijmegen, The Netherlands. Winter 2015/2016
OS Security Malware (Part 2) & Intrusion Detection and Prevention Radboud University Nijmegen, The Netherlands Winter 2015/2016 A short recap Different categories of malware: Virus (self-reproducing, needs
More informationReview Study on Techniques for Network worm Signatures Automation
Review Study on Techniques for Network worm Signatures Automation 1 Mohammed Anbar, 2 Sureswaran Ramadass, 3 Selvakumar Manickam, 4 Syazwina Binti Alias, 5 Alhamza Alalousi, and 6 Mohammed Elhalabi 1,
More informationInnovations in Network Security
Innovations in Network Security Michael Singer April 18, 2012 AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.
More informationA Real-Time Network Traffic Based Worm Detection System for Enterprise Networks
A Real-Time Network Traffic Based Worm Detection System for Enterprise Networks Long-Quan Zhao 1, Seong-Chul Hong 1, Hong-Taek Ju 2 and James Won-Ki Hong 1 1 Dept. of Computer Science and Engineering,
More informationDDoS Attacks Can Take Down Your Online Services
DDoS Attacks Can Take Down Your Online Services Dr. Bill Highleyman Managing Editor, Availability Digest Continuity Insights New York 2014 October 8, 2014 editor@availabilitydigest.com Who Am I? Dr. Bill
More informationPeer-to-Peer Botnets. Chapter 1. 1.1 Introduction
Chapter 1 Peer-to-Peer Botnets Ping Wang, Baber Aslam, Cliff C. Zou School of Electrical Engineering and Computer Science, University of Central Florida, Orlando, Florida 32816 Botnet is a network of computers
More informationDDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest
DDoS Attacks: The Latest Threat to Availability Dr. Bill Highleyman Managing Editor Availability Digest The Anatomy of a DDoS Attack Sombers Associates, Inc. 2013 2 What is a Distributed Denial of Service
More informationIDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for
Intrusion Detection Intrusion Detection Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts
More informationGuide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst
INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security
More informationBotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute
More informationDDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR
Journal homepage: www.mjret.in DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Maharudra V. Phalke, Atul D. Khude,Ganesh T. Bodkhe, Sudam A. Chole Information Technology, PVPIT Bhavdhan Pune,India maharudra90@gmail.com,
More informationWhy a Network-based Security Solution is Better than Using Point Solutions Architectures
Why a Network-based Security Solution is Better than Using Point Solutions Architectures In This Paper Many threats today rely on newly discovered vulnerabilities or exploits CPE-based solutions alone
More informationSocial Networking for Botnet Command and Control
Social Networking for Botnet Command and Control Ashutosh Singh, Annie H. Toderici, Kevin Ross, and Mark Stamp San Jose State University, San Jose, California Email: itsiashu@gmail.com, anniehii@gmail.com,
More informationDetecting Hybrid Botnets with Web Command and Control Servers or Fast Flux Domain
Journal of Information Hiding and Multimedia Signal Processing 2014 ISSN 2073-4212 Ubiquitous International Volume 5, Number 2, April 2014 Detecting Hybrid Botnets with Web Command and Control Servers
More informationA COMPREHENSIVE STUDY ON BOTNET AND ITS DETECTION TECHNIQUES
A COMPREHENSIVE STUDY ON BOTNET AND ITS DETECTION TECHNIQUES P.Panimalar 1, Dr.K.Rameshkumar 2 Abstract- A botnet is a group of compromised computers also called bots or zombies which are controlled by
More information