Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

A Botnet Detecting Infrastructure Using a Beneficial Botnet

174 Aufrufe

Veröffentlicht am

A beneficial botnet, which tries to cope with technology of malicious botnets such as peer to peer (P2P) networking and Domain Generation Algorithm (DGA), is discussed. In order to cope with such botnets’ technology, we are developing a beneficial botnet as an anti-bot measure, using our previous beneficial bot. The beneficial botnet is a group of beneficial bots. The P2P communication of malicious botnet is hard to detect by a single Intrusion Detection System (IDS). Our beneficial botnet has the ability to detect P2P communication, using collaboration of our beneficial bots. The beneficial bot could detect communication of the pseudo botnet which mimics malicious botnet communication. Our beneficial botnet may also detect communication using DGA. Furthermore, our beneficial botnet has ability to cope with new technology of new botnets, because our beneficial botnet has the ability to evolve, as same as malicious botnets.

Veröffentlicht in: Technologie
  • Als Erste(r) kommentieren

  • Gehören Sie zu den Ersten, denen das gefällt!

A Botnet Detecting Infrastructure Using a Beneficial Botnet

  1. 1. A Botnet Detecting Infrastructure Using a Beneficial Botnet Takashi Yamanoue, Fukuyama University ACM SIGUCCS 2018, @Orland Fl. USA, Oct. 9, 2018.
  2. 2. #siguccs18 #siguccs18
  3. 3. • An Eye for an Eye • A Tooth for a Tooth • A Bot for a Bot • A Botnet for a Botnet #siguccs18 Vs. Vs. Vs. Vs.
  4. 4. Contents • 1. Introduction • 2. Beneficial Botnet • 3. Experiment • 4. Related Work • 5. Conclusion #siguccs18
  5. 5. 1. Introduction (1/6) • Network Managers and People in charge of Network Security …Troubled by Malicious Botnet #siguccs18
  6. 6. • A Malicious Botnet does – Spread SPAM mails – DDoS Attack – Click Fraud – Steal bank account information of users of zombie computers. • A Malicious Botnet is – Persistent • Continues malicious things even if some of bots of it were removed. – Evolving 1. Introduction (2/6) #siguccs18
  7. 7. • Technology of a Malicious Botnet – It was rely on a single centralized command and control (C2) server • The botnet can be disrupted by removing the C2 server –Peer To Peer (P2P) • Middle years of 2000 …ex. Agobot/Phatbot –Domain Generation Algorithm, (DGA) • Late years of 2000 … ex. Conficker • Our approach to cope with them –Beneficial Botnet 1. Introduction (3/6) #siguccs18
  8. 8. • Our Beneficial botnet is A group of beneficial bots –Agent bots and an analyzing bot. • An agent bot – Located between a LAN and its NAT/ router. – Collects and controls communication of hosts in the LAN • The analyzing bot – Collects communication data from agent bots – Analyzes the data. – Can execute R programs for the analysis 1. Introduction (4/6) #siguccs18 Agent bot NAT/Router Sub-LAN
  9. 9. • The P2P communication of malicious botnet – hard to detect by a single IDS at the entrance of organizational network • Because – No single C2 Server – Small amount of traffic of P2P communication between P2P nodes at the inside of the organizational network and the outside. • Our beneficial botnet – has the ability to detect P2P communication using collaboration of our beneficial bots. 1. Introduction (5/6) #siguccs18
  10. 10. • We have Made a Pseudo Botnet, Pseudo Gameover ZeuS, for evaluation. – Performs P2P communication between some nodes of it without doing malicious things. • Our beneficial botnet – could detect P2P communication of the pseudo Gameover ZeuS – may also detect communication using DGA. • Furthermore, our beneficial botnet – has ability to cope with new technology of new botnets, because our beneficial botnet has the ability to evolving, as same as malicious botnets. 1. Introduction (6/6) #siguccs18
  11. 11. 2. Beneficial Botnet(1/13) • It is common – to use an IDS or intrusion prevention system (IPS) – at the entrance of an organizational network now. • An IDS or IPS at the entrance of the organizational network – is effective for a malicious botnet with centralized C2 server because every communication between the C2 server and all bots can be detected by the IDS or the IPS. #siguccs18
  12. 12. • An Example of Botnets – Gameover ZeuS • Disrupted in 2014 by the international collaborative investigating activity. • The losses attributable to Gameover ZeuS were estimated over one hundred million dollars according to the FBI announcement • “The second centralized version of Zeus mutated into a peer-to-peer (P2P) variant, known as P2P Zeus or Gameover. Since P2P Zeus does not rely on centralized command and control server (C2), it is immune to traditional countermeasures against Zeus”, according to Andriesse and Bos 2. Beneficial Botnet (2/13) #siguccs18
  13. 13. • Botnets with the P2P feature are – difficult to detect, difficult to disrupt. – No Centralized command and control server (C2 server) • A reason of great losses of the Gameover Zeus can be considered that the Gameover Zeus acquired the P2P feature. – Gameover ZeuS has been disrupted. However, there are chances that similar P2P botnets intrude campuses and conduct their malicious operation. 2. Beneficial Botnet(3/13) #siguccs18
  14. 14. • By the single IDS at the network entrance of the campus –Hard to detect P2P communication of bots in the campus. –Hard to locate such Bots in the campus. 2. Beneficial Botnet(4/13) #siguccs18
  15. 15. • We have designed our beneficial botnet to cope with malicious botnet such as the Gameover ZeuS. 2. Beneficial Botnet(5/13) #siguccs18
  16. 16. • We want cope with technologies of Malicious Botnets – Developing The Beneficial Botnet using our Beneficial Bots • “Monitoring Servers With a Little From My Bots” • “Capturing Malicious Bots using a Beneficial Bot” – A Beneficial Botnet is a group of Beneficial Bots • Agent Bots behind the NAT of a LAN • Analyzing Bots which analyzes data which collected by Agent Bots – The Beneficial Botnet has ability to detect P2P communication of malicious Bots, using collaboration of Beneficial Bots. 2. Beneficial Botnet(6/13) #siguccs18 Agent bot NAT/Router
  17. 17. 2. Beneficial Botnet(7/13) #siguccs18
  18. 18. 2. Beneficial Botnet(8/13) 2.1 A Bot of a Beneficial Botnet(1/2) #siguccs18 It is a script interpreter #siguccs18 Sensors, Actuators, Traffic Controller
  19. 19. Ex. Of Other command - set pageName <page-name> - include <url> An example of a wiki page 2. Beneficial Botnet(9/13) 2.1 A Bot of a Beneficial Botnet(2/2)
  20. 20. 2. Beneficial Botnet(10/13) 2.1 Agent Bot (1/3) #siguccs18 Agent bot NAT/Router Sub-LAN
  21. 21. • Buffers – Packet History • Sub buffers for every (Source IP, Destination IP) • Packet Information + Date/Time, Sha1 hash of the Packet Payload – MAC-list … • which hosts are connected to this sub-LAN and its IP addresses in this LAN. 2. Beneficial Botnet(11/13) 2.1 Agent Bot (2/3) #siguccs18
  22. 22. – Domain-list … DNS queries • which host in this sub-LAN communicated with which host outside of this LAN. • Can be used to detect the usage of Domain Generation Algorithm (DGA). – Dhcp-list … DHCP server queries • Can be used to –detect the DHCP spoofing –detect un-authorized DHCP server. – Arp-list • Can be used to –detect the Arp spoofing. #siguccs18 2. Beneficial Botnet(12/13) 2.1 Agent Bot (3/3)
  23. 23. • The analyzing bot gathers information of each agent bot and analyzes them. • The language processor of Beneficial Bot – CSV parser – Spread Sheet Manipulation/Spread sheet functions. • Analyzing Bot, – The language processor of Beneficial Bot + – R language processor 2. Beneficial Botnet(13/13) 2.2 Analyzing Bot (1/1) #siguccs18
  24. 24. 3. Experiment(1/18) • Gameover ZeuS #siguccs18 We can download the source code However, It is dangerous. How shall we evaluate the beneficial botnet?
  25. 25. 3. Experiment(2/18) • Pseudo Gameover ZeuS • Does Not Do Bad Things #siguccs18
  26. 26. #siguccs18 3. Experiment(3/18)
  27. 27. #siguccs18 3. Experiment(4/18) 3.1 Script and results of Agent Bots(1/5)
  28. 28. 3. Experiment(5/18) 3.1 Script and results of Agent Bots(2/5) • Class page #siguccs18 UDP, Not NTP, Not DNS Host-list Domain-list
  29. 29. #siguccs18 3. Experiment(6/18) 3.1 Script and results of Agent Bots(3/5)
  30. 30. • Object page #siguccs18 3. Experiment(7/18) 3.1 Script and results of Agent Bots(4/5) Results
  31. 31. • A Part of the results – cmd=get repeating, date="2018/04/14 17:03:19 +0900", no=3299, if=1, smac="bc:5c:4c:5d:1c:cd", dmac="b8:27:eb:cb:d6:38", prtcl=udp, sip="192.168.13.160", dip="192.168.2.100", sp=34724, dp=33331, sha1payload="9dac7a7beb944a7193847a3d0fbcc370d13a5838", payloadLength=46, payload=broadcast id=3394824 ttl=3 cmd="message test"..... 3. Experiment(8/18) 3.1 Script and results of Agent Bots(5/5) #siguccs18
  32. 32. #siguccs18 3. Experiment(9/18) 3.2 Script and results of Analyzing Bots(1/10)
  33. 33. #siguccs18 3. Experiment(10/18) 3.2 Script and results of Analyzing Bots(2/10) Find Out pairs of Packets Satisfying - different LAN - same SHA1 - Near Time Among - All pair of Packets (from Agent Bots)
  34. 34. 3. Experiment(11/18) 3.2 Script and results of Analyzing Bots(3/10) Define Arrays, Prepare URLs of Object Pages of Agent Bots …
  35. 35. 3. Experiment(12/18) 3.2 Script and results of Analyzing Bots(4/10) Choose Packet Info, Read CSV into the Table, Get Vectors of date, sip, dip, smac, dmac, payload, sha1, LAN-ID For R processor For each LAN,
  36. 36. 3. Experiment(13/18) 3.2 Script and results of Analyzing Bots(5/10) Prepare the Data Frame of the Packet Information In this LAN For R and combine the Data Frame Of All LAN
  37. 37. 3. Experiment(14/18) 3.2 Script and results of Analyzing Bots(6/10) Find Out pairs of Packets Satisfying - different LAN - same SHA1 - Near Time Among - All pair of Packets (from Agent Bots) Write the Results to the Wiki. Results
  38. 38. • A part of the Object page of the Analyzing Bot – Possible P2P communication Between LAN-1 and LAN-2 • lan1= 0 ,date= 2018/04/14 17:06:50 +0900 , smac= b8:27:eb:cb:d6:38 ,dmac= bc:5c:4c:5d:1c:cd , sip= 192.168.2.100 ,dip= 192.168.13.160 , lan2= 1 ,date= 2018/04/14 17:06:51 +0900 , smac= bc:5c:4c:5d:1a:c9 ,dmac= b8:27:eb:2f:33:cd , sip= 192.168.13.210 ,dip= 192.168.2.102 , sha1payload= f14db4dae7a139cde5185267b8d353498850f22b , payload= broadcast id 3. Experiment(15/18) 3.2 Script and results of Analyzing Bots(7/10)
  39. 39. 3. Experiment(16/18) 3.2 Script and results of Analyzing Bots(8/10) #siguccs18
  40. 40. • A part of the Object page of the Analyzing Bot – Possible P2P communication Between LAN-2 and LAN-5 • lan1= 1 ,date= 2018/04/14 17:03:18 +0900 , smac= b8:27:eb:2f:33:cd ,dmac= bc:5c:4c:5d:1a:c9 , sip= 192.168.2.102 ,dip= 192.168.13.150 , lan2= 4 ,date= 2018/04/14 17:03:17 +0900 , smac= bc:5c:4c:5d:1a:bf ,dmac= b8:27:eb:3a:6b:fa , sip= 192.168.13.160 ,dip= 192.168.2.102 , sha1payload= 9dac7a7beb944a7193847a3d0fbcc370d13a5838 , payload= broadcast id 3. Experiment(17/18) 3.2 Script and results of Analyzing Bots(9/10)
  41. 41. 3. Experiment(18/18) 3.2 Script and results of Analyzing Bots(10/10) #siguccs18
  42. 42. • A group of Agents of Distributed IDS. • agents + transceivers + monitors • An agent of the AAFID is similar to our agent bot – both of them are controlled by commands and collect traffic data. • A monitor and a transceiver of the AAFID is similar to our analyzing bot – both of them are collecting data from agents, transceivers, other monitors or agent bots, and analyzing the data. 4. Related Work(1/5) 4.1 Autonomous Agents for Intrusion Detection (AAFID) #siguccs18 (Purdue University)
  43. 43. • An agent of the AAFID is installed in a client host – while our agent bot is placed between LAN and its router or NAT router. • The manager of our beneficial botnet – does not need to install our agent bot to each client host. 4. Related Work(2/5) 4.1 Autonomous Agents for Intrusion Detection (AAFID) #siguccs18 (Purdue University)
  44. 44. • A monitor or a transceiver of the AAFID – is not controlled by the script in a wiki page – while our agent bots And the analyzing bot is controlled by the script in a wiki page. • Communication mechanism is not specified in the AAFID architecture – while our beneficial botnet uses wiki API. #siguccs18 4. Related Work(3/5) 4.1 Autonomous Agents for Intrusion Detection (AAFID) (Purdue University)
  45. 45. • The action of an agent bot of our beneficial bot – can be seen as the man-in-the-middle attack. • Many communications in the sub- LAN – can be controlled by the agent bot. • We have to be careful – so that the agent bot does not to go to the dark side. 4. Related Work(4/5) 4.2 Man in the Middle Attack #siguccs18
  46. 46. • Consist of – agent programs at the devices, such as PCs(KASEYA) or wi-fi access points(UNIFAS), – a web site to manage them, – as in our beneficial botnet. • Their devices – can also communicate with the web site over a NAT as in our agent bots. • However, they – use a specialized web server, – whereas our beneficial botnet uses a web site with common wiki software. 4. Related Work(5/5) 4.3 KASEYA and UNIFAS #siguccs18
  47. 47. • Get Flow Information of Network, Find out similar communication between hosts, discriminate communication which seems between malicious bots. • Similar to our beneficial botnet – Finding out similar communication between hosts. • Different to our beneficial botnet – It uses flow information of network. 4. Related Work(6/6) BotMiner #siguccs18
  48. 48. • Beneficial Botnet – P2P communication by malware can be detected – The use of DGA algorithm can be also detected. – Ability to cope with new technology of new botnets by rewriting the scripts. – Currently, very slow. • have to improve the speed for real use of our beneficial botnet. – We also have to improve the security of our beneficial botnet. 5. Conclusion #siguccs18 Agent bot NAT/Router Sub-LAN
  49. 49. Acknowledgements • A part of this research was supported by JSPS KAKENHI Grant Number JP16K00197. • Pcap4J, community of R. • Students who helped us to conduct the experiment in this paper. #siguccs18
  50. 50. • An Eye for an Eye • A Tooth for a Tooth • A Bot for a Bot • A Botnet for a Botnet #siguccs18 Vs. Vs. Vs. Vs.
  51. 51. Beneficial Botnet #siguccs18

×