The Activity Analysis of Malicious
HTTP-based Botnets using Degree of Periodic
Repeatability
Speaker: YUN-KUAN CHANG
Date: 2009/11/17
Outline
Introduction
Related Work
1. History of Malicious Bots
2. Detection Methods Based on DNS Traffic
Detection of Malicious HTTP Botnets
1. BlackEnergy
2. Degree of Periodic Repeatability
Future Work
Conclusion
Introduction
Malicious botnets, which are organized and grow quickly, are the most dangerous threat in the Internet environment.
A single botnet can become a malicious network of more than 400 thousand bots.
Some representative studies on detecting malicious botnets depend on the analysis of DNS queries.
We will show how malicious HTTP bots differ from normal users using the degree of periodic repeatability.
Related Work
We explain the history of malicious bots and botnets and survey detection methods based on DNS traffic.
History of Malicious Bots 1/2
In the beginning, bots and botnets were legitimate tools used mainly for functional purposes.
Botnets are the melding of many threats into one.
They are becoming a major tool for cybercrime.
For this reason they are called the Swiss Army knives of the underground economy.
History of Malicious Bots 2/2
Detection Methods Based on DNS Traffic
Some existing detection methods are based on analysis of the DNS queries that bots send to a DNS server whenever they connect to a C&C server or attack a target.
Choi [5] proposed botnet detection by monitoring group activities in DNS traffic.
Detection of Malicious HTTP Botnets
A typical IRC bot maintains its connection and does not reconnect after first connecting to a C&C server.
BlackEnergy, which is analyzed in this study, is similar to that.
Bots generated via a botmaster's BlackEnergy bot builder take two C&C servers.
BlackEnergy 1/3
BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks by the Russian hacker underground.
BlackEnergy 2/3
BlackEnergy 3/3
Bots of BlackEnergy connect to a C&C server again and again to get new commands from the botmaster, like other malicious HTTP botnets.
Degree of Periodic Repeatability 1/3
Repeatability is the variation in measurements taken by a single person or instrument on the same item under the same conditions.
This repeatability standard deviation represents the degree of periodic repeatability between HTTP clients and HTTP servers.
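The following is an added example, not code from the talk: it computes the repeatability standard deviation of the inter-request intervals for each HTTP client/server pair in a constructed log excerpt, and flags pairs whose intervals barely vary, which is how a bot polling its C&C server on a fixed schedule stands out from a human browsing. The log format and the 10-second threshold are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "client server timestamp path".
# 10.0.0.5 polls one server every 60 s; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
10.0.0.5 198.51.100.7 2009-11-17T10:00:00 /stat.php
10.0.0.5 198.51.100.7 2009-11-17T10:01:00 /stat.php
10.0.0.5 198.51.100.7 2009-11-17T10:02:00 /stat.php
10.0.0.5 198.51.100.7 2009-11-17T10:03:00 /stat.php
10.0.0.5 198.51.100.7 2009-11-17T10:04:00 /stat.php
10.0.0.9 203.0.113.20 2009-11-17T10:00:03 /index.html
10.0.0.9 203.0.113.20 2009-11-17T10:00:41 /news/
10.0.0.9 203.0.113.20 2009-11-17T10:07:15 /news/item?id=3
10.0.0.9 203.0.113.20 2009-11-17T10:07:19 /css/main.css
10.0.0.9 203.0.113.20 2009-11-17T10:31:02 /logout
"""


def parse_log(text):
    """Group request timestamps by (client, server) pair."""
    times = defaultdict(list)
    for line in text.splitlines():
        client, server, ts, _path = line.split()
        times[(client, server)].append(datetime.fromisoformat(ts))
    return times


def periodic_repeatability(timestamps):
    """Return (mean interval, repeatability standard deviation) in seconds,
    or None when fewer than three requests exist (no intervals to compare)."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return statistics.mean(intervals), statistics.pstdev(intervals)


def flag_periodic_clients(text, max_stdev=10.0):
    """Return pairs whose inter-request intervals vary by at most max_stdev
    seconds, i.e. clients that contact a server on a fixed schedule."""
    flagged = {}
    for pair, ts in parse_log(text).items():
        result = periodic_repeatability(ts)
        if result is not None and result[1] <= max_stdev:
            flagged[pair] = result
    return flagged


if __name__ == "__main__":
    for (client, server), (mean, sd) in flag_periodic_clients(SAMPLE_LOG).items():
        print(f"{client} -> {server}: period {mean:.0f}s, repeatability sd {sd:.1f}s")
```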
Degree of Periodic Repeatability 2/3
Degree of Periodic Repeatability 3/3
Future Work
We will study other malicious HTTP botnets and other feature vectors (e.g., HTTP request crowd and payload).
We will also consider related work on payload-based anomaly detection systems.
Conclusion
Many studies have advanced the detection of malicious botnets, which are a menace to the Internet.
Methods that analyze DNS queries to detect malicious botnets are not efficient.
As a result, we have found a difference in the degree of periodic repeatability between malicious HTTP bots and normal users.
This result means that this study is effective at detecting malicious HTTP botnets.