BOTNET COMMUNICATION PATTERNS
CS-B
Neelesh Kisku
MNNIT Allbd
Overview
- Botnet topologies
- Command and Control (C&C) protocols
- Botnet objectives
- Botnet establishment and operations
- Detection methods and their evolution
- Taxonomy of generalized communication patterns
- UML sequence diagrams
- Data exchange options
- Encryption and hiding techniques
- Building protocol- and topology-independent network-based detectors
Introduction
- Networked computers enable distributed computing and the sharing of resources: distributing a task over multiple machines allows its execution.
- Participants are divided into bots (doing the task or sub-task) and the master (C&C).
- The Internet holds a vast amount of unused processing power and network bandwidth.
- A botnet taps this: malware coordinates compromised machines and uses them for computation.
Malicious Botnet
- Botnets offer various tasks and services, such as theft (identity theft) and service disruption (network architecture).
- Hence various taxonomies and recommendations have appeared, categorizing different aspects of botnets and ways of detecting them.
- Botnets are protected against takeover by third parties, so many techniques have arisen that keep a botnet from being brought down through a single point of failure.
- Botmasters (the controllers) stay stealthy to avoid potential prosecution by generating little traffic and as few direct connections as possible.
Botnet Detector
- We can target the communication pattern, since the network is paramount for operation (network based).
- Or extract communication excerpts and compare the result with observed traffic (signature based).
- Or classify network traffic as normal/anomalous (behaviour based).
- Countermeasures used by botnets: padding (adding sequences of data) and protocol encryption.
- As no inspection of the payload is needed, generalized properties of obfuscated network traffic can in theory be used to detect unknown bots.
Machine Learning
- Analyzing packet metadata to predict the expected output for given inputs (training), not necessarily correlating the data.
- A filtering step is introduced for automated feature selection (scoping).
- A blacklist handles benign nodes falsely flagged as C&C (false positives).
- Thus high accuracy is seen during training for the related botnet, but the goal of detecting unknown botnets is not realised.
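As an added example (not from the slides), a detector applying the metadata-only principle of the last two slides: it flags periodic, fixed-size exchanges between a host and a peer from flow records alone, never reading payloads, so protocol encryption does not hide them. Addresses, flows and thresholds are constructed.

```python
"""Added example: beacon detection on flow metadata only (no payload inspection),
the property the slides rely on for protocol-independent detection.
Flows, addresses and thresholds are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float       # start time in seconds
    src: str
    dst: str
    dport: int
    out_bytes: int  # client -> server
    in_bytes: int   # server -> client


def coeff_var(xs):
    """Standard deviation relative to the mean; near 0 means clock-like regularity."""
    m = mean(xs)
    return pstdev(xs) / m if m > 0 else float("inf")


def beacon_score(group, min_flows=6):
    """(cv of inter-flow gaps, cv of flow sizes) for one (src, dst, port) group,
    or None when there are too few flows to judge periodicity."""
    fl = sorted(group, key=lambda f: f.ts)
    if len(fl) < min_flows:
        return None
    gaps = [b.ts - a.ts for a, b in zip(fl, fl[1:])]
    sizes = [f.out_bytes + f.in_bytes for f in fl]
    return coeff_var(gaps), coeff_var(sizes)


def find_beacons(flows, max_cv_gap=0.2, max_cv_size=0.2):
    """Flag peer pairs whose timing and message sizes are both too regular.
    Padding defeats the size test, so timing regularity is kept as an
    independent signal; neither test needs payload content."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)
    hits = []
    for key, group in groups.items():
        score = beacon_score(group)
        if score and score[0] <= max_cv_gap and score[1] <= max_cv_size:
            hits.append((key, len(group), round(score[0], 3), round(score[1], 3)))
    return sorted(hits)


def constructed_flows():
    """Constructed sample: a bot polling its C&C every ~300 s with fixed-size
    messages, and a user browsing with irregular timing and sizes."""
    jitter = [0, 2, -1, 3, 0, -2, 1, 0]
    bot = [Flow(1000 + 300 * i + j, "10.0.0.5", "203.0.113.10", 443, 412, 318)
           for i, j in enumerate(jitter)]
    browse = [Flow(t, "10.0.0.7", "198.51.100.20", 443, o, i) for t, o, i in
              [(1000, 900, 15000), (1004, 600, 48000), (1060, 1200, 3000),
               (1300, 700, 90000), (1302, 2200, 1200), (1900, 500, 26000)]]
    return bot + browse


if __name__ == "__main__":
    for key, n, cv_gap, cv_size in find_beacons(constructed_flows()):
        print(f"beacon candidate {key}: {n} flows, cv_gap={cv_gap}, cv_size={cv_size}")
```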
Related work (I)
- Analysis of attack classes and propagation mechanisms, from the OS to applications and social engineering (spam).
- Bot life cycle consisting of infection, rallying, commands/report and abandonment.
- Changing botnet techniques and environments; single-bot and HTTP-based botnet detection.
- Comparing stationary and mobile botnets.
- Signatures that need no training, based on the basic infection sequence: inbound scan, implied infection, egg (executable binary) download, outbound scan, C&C communication.
Related Work (II)
- Detector using an IDS to match events against rules derived from the infection dialogue.
- Infection model split per network activity and cross-correlated with a common botmaster.
- Detector based on a Bayesian network.
- As the events evolve, the parts responsible change.
- Communication perspective (in-depth look):
- C&C description
- Message sequences (botnet communication patterns)
- Framework for building detectors (UML sequence diagrams)
Botnet Topology
- Bot functionality and C&C can reside on the same host or be distributed across hosts.
Centralized
- A centralized dedicated server is easy to set up, with low latency, high scalability and no special (protocol) requirements.
- Low robustness: the C&C is a single point of failure.
- The address needs to be hardcoded, and is therefore obfuscated.
- Mitigated using a DGA (domain generation algorithm), which can create a fast-flux network.
- The bot queries the local system or the Internet for the DGA input, to prevent takeover.
- URL-based spam detection is defeated.
Overhead
P2P
- Every bot is a potential server.
- Low communication latency, high robustness, less scalability.
- The OS limits the botnet size: the maximum number of bots is bounded by the concurrent TCP connections allowed.
- Increased visibility, low stealth.
- High number of coordination messages, so not a full mesh.
- Either maintains a cache server (peer list) or has it hardcoded.
- Neoteric protocol for a fallback channel if comms
P2P
Botnet Protocols (I)
- Protocols are tailored for stealthiness, achieved by mimicking legitimate traffic.
- The choice depends on development effort and network restrictions.
- Generally both existing and neoteric (newly devised) protocols are used.
- Types are:
1) IRC: text based, may be password protected
2) HTTP: request/response based, high latency; major problem: loops flooding the bot with
Botnet Protocols (II)
3) SMB: Server Message Block (e.g. shared printers); the bot requests the list of available file shares/services pool, and (IPC) named pipes call specific functions
4) P2P protocols: WASTE and Kademlia, used to store value hashes; they use cache servers and are used for file sharing
5) Neoteric protocol: UDP/TCP, unreliable single packets vs. a reliable stream; may require network overhead; the payload can be binary or text based
Communication Hiding & Obfuscation
- Covert channel: using unused header bits, e.g. the identifier field of ICMP
- Encryption: stream/block based; symmetric/asymmetric cipher
- Multiple protocols
- Compression: replacing repeating sequences
- Steganography: carrier files not meant for comms (e.g. images)
- Proxying
Communication Patterns (I)
- Notation
- The sequence of messages exchanged for a task is drawn as a UML sequence diagram.
- Messages are synchronous or asynchronous.
- A diagram contains the request and its contents (arrow), additional combined fragments with an operator kind (box/bracket), and interaction uses, i.e. parts without constraint.
- Patterns are divided into: 1) Coordinate 2) Scan 3) Data 4) Register 5) Store/Execute/Infect/Compute
Communication Pattern (II)
- Overview
- C&C traffic can originate from the bot or from the server.
- Actions can be monitored, so stealthy coordination is required.
- Communication can be push or pull.
- Botnet communication is divided into operation and propagation.
Communication Pattern (III)
- Propagation
- Happens actively or passively
- Passive: 1) Click fraud 2) Drive-by
- Active: 1) Exploiting an existing vulnerability 2) Coordinated scanning of OS and network
- Registration
Operation
- Data upload
- Data download
- Forward proxy
- Reverse proxy
- Instructions
Conclusion
- Event generation engines (IDS) can be used.
- Machine learning to recognize message exchanges.
- Identifying botnet communication.
- Detection of C&C patterns over encrypted protocols.
- A detector capable of matching communication patterns independent of C&C protocol, topology and family.
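As an added example (not from the slides), a detector that matches the register, instructions and upload messages of the slides' taxonomy as an ordered sequence on flow metadata, in the spirit of the protocol-independent pattern matcher the conclusion calls for. Flows, peers and the byte-ratio thresholds that turn a flow into a message type are constructed assumptions.

```python
"""Added example: match the pull-style register -> instructions -> upload
pattern from the slides' taxonomy on flow metadata alone (no payload).
Flows, peers and thresholds are constructed for illustration."""
from collections import defaultdict

# Flow record: (timestamp, src, dst, out_bytes, in_bytes); byte counts only.


def classify(flow, first_contact):
    """Map one flow to a message type of the taxonomy using only byte counts.
    Thresholds are assumptions for the constructed data, not from the slides."""
    _, _, _, out_b, in_b = flow
    if first_contact:
        return "register"          # first exchange with this peer
    if out_b > 4 * in_b and out_b > 10_000:
        return "upload"            # bulk data leaves the host
    if in_b > 4 * out_b and in_b > 100_000:
        return "download"          # e.g. egg (executable) download
    return "instructions"          # small request/response poll


# Ordered pattern: (message type, minimum repetitions before moving on)
PULL_PATTERN = (("register", 1), ("instructions", 3), ("upload", 1))


def match_pattern(types, pattern=PULL_PATTERN):
    """State machine over message types; True if the whole pattern occurs in order."""
    state, count = 0, 0
    for t in types:
        want, need = pattern[state]
        if t == want:
            count += 1
        elif count >= need and state + 1 < len(pattern) and t == pattern[state + 1][0]:
            state, count = state + 1, 1
        else:
            return False           # a message outside the pattern breaks the sequence
    return state == len(pattern) - 1 and count >= pattern[state][1]


def message_types(flows):
    """Per (src, dst) peer pair, the time-ordered list of classified message types."""
    pairs = defaultdict(list)
    for f in flows:
        pairs[(f[1], f[2])].append(f)
    return {k: [classify(f, i == 0) for i, f in enumerate(sorted(v))]
            for k, v in pairs.items()}


def find_pull_pattern(flows):
    """Peer pairs whose message sequence follows the pull pattern."""
    return sorted(k for k, types in message_types(flows).items() if match_pattern(types))


def constructed_flows():
    """Constructed sample: one host following the pull pattern, one browsing."""
    bot = [(1000, "10.0.0.5", "203.0.113.10", 300, 200)]             # register
    bot += [(1300 + 300 * i, "10.0.0.5", "203.0.113.10", 400, 350)    # instruction polls
            for i in range(5)]
    bot += [(3000, "10.0.0.5", "203.0.113.10", 250_000, 400)]         # upload
    browse = [(1000, "10.0.0.7", "198.51.100.20", 900, 15_000),
              (1004, "10.0.0.7", "198.51.100.20", 600, 48_000),
              (1060, "10.0.0.7", "198.51.100.20", 1_200, 300_000),
              (1300, "10.0.0.7", "198.51.100.20", 700, 2_000)]
    return bot + browse


if __name__ == "__main__":
    for src, dst in find_pull_pattern(constructed_flows()):
        print(f"pull pattern matched: {src} -> {dst}")
```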
UML sequence diagram slides (figures, not recoverable as text): Related Research, Master Table, Propagation, Upload, Download, Proxy, Botnet Instructions, Communication, Recent
