BOTNETS THREATS AND BOTNETS DETECTION
Mona Aldakheel 434920317
TRANSCRIPT
![Page 1: B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1](https://reader035.vdocuments.net/reader035/viewer/2022070407/56649e175503460f94b027ee/html5/thumbnails/1.jpg)
Page 1: BOTNETS THREATS AND BOTNETS DETECTION
Mona Aldakheel 434920317
Page 2: Outline
• BOTS AND BOTNETS
• BOTNET CREATION AND PROPAGATION
• BOTNET COMMAND AND CONTROL (C&C) TECHNIQUES
  • Rallying Mechanisms
  • Communication Protocols
• SECURITY THREATS FROM BOTNET
• BOTNET DETECTION
Page 3: BOTS AND BOTNETS
• The term "Bot" is derived from the word "Robot".
• Bots are designed to perform some predefined functions in an automated way.
• A botnet is a network of infected machines which are under the control of a human operator, commonly known as the botmaster.
Page 4: Example illustrating how a botnet is created and used to send spam.
Page 5: (no text)
Page 6: BOTNET CREATION AND PROPAGATION
• Methods to create a bot:
  • Write code
  • Extend or customize an existing bot
• Methods to propagate:
  • Exploit vulnerabilities
  • Send out email messages
  • Set up Web sites
Page 7: BOTNET COMMAND AND CONTROL (C&C) TECHNIQUES
• Centralized Command & Control (C&C) Technique
• P2P Command & Control (C&C) Technique
• Random Command & Control (C&C) Technique
Page 8: Centralized Command & Control (C&C) Technique
Page 9: Centralized Command & Control (C&C) Technique
• Advantages of using centralized C&C techniques:
  • A great amount of resources are available online to create a C&C-based botnet.
  • Allows controlling as many bots as possible and thus maximizes the profit of the botmaster.
  • Small message latency.
• Disadvantages of using centralized C&C techniques:
  • Easy to shut down.
Page 10: P2P Command & Control (C&C) Technique
Page 11: P2P Command & Control (C&C) Technique
• Advantages of using the P2P Command & Control (C&C) Technique:
  • Harder to locate, shut down, monitor, and hijack.
  • Propagation latency is lacking in P2P systems.
• Disadvantages of using the P2P Command & Control (C&C) Technique:
  • Hard to launch large-scale attacks.
Page 12: Random Command & Control (C&C) Technique
Page 13: Random Command & Control (C&C) Technique
• Advantages:
  • Easy implementation.
  • Resilient to discovery and destruction.
• Disadvantages:
  • Hard to launch large-scale attacks.
  • Propagation latency is very high.
Page 14: Rallying Mechanisms
• Rallying mechanisms are used to:
  • Discover new bots.
  • Rally them under their botmasters.
• Rallying mechanisms:
  • Hard-coded IP address
  • Dynamic DNS domain name
Page 15: Hard-coded IP Address
• A common method used to rally new bots works like this:
  • A bot includes hard-coded C&C server IP addresses in its binary.
  • When the bot initially infects a computer, the computer will connect back to the C&C server using the hard-coded server IP address.
Page 16: Drawbacks of Hard-coded IP Address
• The problem with using hard-coded IP addresses is that:
  • The C&C server can be easily detected.
  • The communication channel can be easily blocked.
Page 17: Dynamic DNS Domain Name
• The bots today often include hard-coded domain names, assigned by dynamic DNS providers.
Page 18: Benefit of Dynamic DNS Domain Name
• If a C&C server is shut down by authorities, the botmaster can easily resume his/her control by creating a new C&C server and pointing the dynamic DNS name at it.
Page 19: Communication Protocols
• IRC Protocol
• HTTP Protocol
• P2P Protocol
Page 20: SECURITY THREATS FROM BOTNET
• Distributed Denial of Service (DDoS)
• Spamming
• Phishing and Identity Theft
• Click Fraud
• Hosting illegal material and disseminating malicious code
Page 21: Distributed Denial of Service (DDoS)
• A Distributed Denial of Service (DDoS) attack is a direct attempt by attackers to prevent legitimate users from using a specific service, carried out with multiple compromised systems.
• Two main variants of DDoS attacks:
  • Bandwidth depletion (flooding and reflection attacks)
  • Resource depletion
Page 22: Spamming
• Spamming is any message or posting, regardless of its content, that is sent to multiple recipients who have not specifically requested the message.
Page 23: Phishing and Identity Theft
• Phishing and identity theft is a fraudulent activity defined as the creation of a replica of an existing Web page or other online resource to deceive a user into submitting personal, financial, or password data.
Page 24: Click Fraud
• Click fraud is the generation of fake clicks to maximize the revenue of certain users from the ads they publish on their websites.
Page 25: Hosting illegal material and disseminating malicious code
• Illegal material can be stored as a dynamic repository on a bot-compromised computer by the botmaster.
Page 26: BOTNET DETECTION
• Honeypot
• Passive network traffic monitoring and analysis:
  • Signature-based detection
  • Anomaly-based detection techniques
  • DNS-based detection techniques
  • Mining-based detection
Page 27: Signature-based Detection
• A useful way to detect botnets, based on knowledge of the signatures and behavior of existing botnets.
• For example, Snort.
Page 28: Anomaly-based detection techniques
• Attempt to detect botnets based on several network traffic anomalies, such as high network latency.
Page 29: DNS-based detection techniques
• Detect botnets based on several DNS traffic anomalies.
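As an added example (not part of the slides), a small Python heuristic that applies the DNS-based idea on this page to the dynamic DNS rallying pattern from page 17: a name with a short TTL whose answer keeps changing and which several internal hosts resolve. The log format, sample lines and thresholds are constructed for this illustration, not taken from any real resolver.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (not real data):
# timestamp, client IP, queried name, answer IP, TTL in seconds
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:00 10.0.0.5 updates.example.com 203.0.113.10 3600
2024-01-01T10:00:05 10.0.0.5 rally.dyn-example.net 198.51.100.7 60
2024-01-01T10:05:05 10.0.0.5 rally.dyn-example.net 198.51.100.7 60
2024-01-01T10:10:05 10.0.0.5 rally.dyn-example.net 198.51.100.22 60
2024-01-01T10:03:00 10.0.0.9 rally.dyn-example.net 198.51.100.22 60
2024-01-01T10:08:00 10.0.0.9 rally.dyn-example.net 198.51.100.41 60
2024-01-01T10:13:00 10.0.0.9 rally.dyn-example.net 198.51.100.41 60
2024-01-01T10:15:00 10.0.0.12 rally.dyn-example.net 198.51.100.41 60
2024-01-01T10:02:00 10.0.0.9 www.example.org 192.0.2.8 86400
2024-01-01T10:09:00 10.0.0.12 www.example.org 192.0.2.8 86400
"""

def parse_dns_log(text):
    """Parse the constructed log format into (time, client, name, answer, ttl) tuples."""
    records = []
    for line in text.splitlines():
        ts, client, name, answer, ttl = line.split()
        records.append((datetime.fromisoformat(ts), client, name, answer, int(ttl)))
    return records

def domain_features(records):
    """Per queried name: distinct clients, distinct answer IPs, smallest TTL seen."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec[2]].append(rec)
    feats = {}
    for name, recs in by_name.items():
        feats[name] = {
            "clients": len({r[1] for r in recs}),
            "answers": len({r[3] for r in recs}),
            "min_ttl": min(r[4] for r in recs),
        }
    return feats

def flag_rally_domains(records, max_ttl=300, min_clients=2, min_answers=2):
    """Names that look like a dynamic DNS rally point: short TTL, an answer that
    changes over time, and more than one internal host resolving it.
    Thresholds are illustrative; tune them against the local baseline."""
    feats = domain_features(records)
    return sorted(name for name, f in feats.items()
                  if f["min_ttl"] <= max_ttl
                  and f["clients"] >= min_clients
                  and f["answers"] >= min_answers)
```

Short TTLs and changing answers are also normal for CDN-hosted names, so flagged names are leads for analyst review, not verdicts.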
Page 30: Mining-based Detection
• One of the effective techniques for botnet detection, used to identify botnet C&C traffic.
• Several data mining techniques, including machine learning, classification, and clustering, can be used efficiently to detect botnet C&C traffic.
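As an added example (not from the slides), a minimal stand-in for the clustering idea on this page, which also illustrates the traffic anomalies of page 28: flows are summarized per (source, destination, port) channel, channels whose timing and size are unusually regular are grouped by destination, and a destination that several internal hosts contact with the same regular pattern is reported as a C&C candidate. The flow format, sample records and the 0.1 cutoff are constructed for this illustration; a production system would learn its baseline rather than use a fixed threshold.

```python
import statistics
from collections import defaultdict
from datetime import datetime
# Constructed flow records (not real data): timestamp, src, dst, dst port, bytes
SAMPLE_FLOWS = """\
2024-01-01T09:00:00 10.0.0.5 198.51.100.7 6667 120
2024-01-01T09:05:00 10.0.0.5 198.51.100.7 6667 118
2024-01-01T09:10:01 10.0.0.5 198.51.100.7 6667 121
2024-01-01T09:15:00 10.0.0.5 198.51.100.7 6667 119
2024-01-01T09:00:30 10.0.0.9 198.51.100.7 6667 120
2024-01-01T09:05:30 10.0.0.9 198.51.100.7 6667 122
2024-01-01T09:10:31 10.0.0.9 198.51.100.7 6667 117
2024-01-01T09:15:30 10.0.0.9 198.51.100.7 6667 120
2024-01-01T09:00:00 10.0.0.12 192.0.2.8 443 5400
2024-01-01T09:02:10 10.0.0.12 192.0.2.8 443 930
2024-01-01T09:11:45 10.0.0.12 192.0.2.8 443 22000
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows

def cv(values):
    """Coefficient of variation (population stdev / mean): near 0 means very regular."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")

def channel_features(flows):
    """Per (src, dst, dport) channel: mean gap between flows, gap CV and size CV."""
    by_chan = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        by_chan[(src, dst, dport)].append((ts, nbytes))
    feats = {}
    for chan, obs in by_chan.items():
        if len(obs) < 3:
            continue  # fewer than two gaps: regularity cannot be judged
        obs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(obs, obs[1:])]
        feats[chan] = {"interval": statistics.fmean(gaps), "interval_cv": cv(gaps),
                       "bytes_cv": cv([n for _, n in obs])}
    return feats

def candidate_cnc(flows, max_cv=0.1, min_hosts=2):
    """Group regular, fixed-size channels by destination; keep those shared by min_hosts sources."""
    groups = defaultdict(list)
    for (src, dst, dport), f in channel_features(flows).items():
        if f["interval_cv"] <= max_cv and f["bytes_cv"] <= max_cv:
            groups[(dst, dport)].append(src)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hosts}
```

Legitimate software (update checks, monitoring agents) also beacons regularly, so the grouped destinations need an allow-list or analyst triage before any blocking.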
Page 31: Thanks