Detection of SIP Botnet based on C&C Communications

09 Dec 2010 DETECTION OF SIP BOTNET BASED ON C&C COMMUNICATIONS Mohammad AlKurbi


Page 1: Title slide

09 Dec 2010

DETECTION OF SIP BOTNET BASED ON C&C COMMUNICATIONS

Mohammad AlKurbi

Page 2: Overview

Introduction to Botnet

Why SIP is useful?

Problem Statement

Related Works

Proposed Solution

Preliminary Evaluation

Conclusions & Future Work

Page 3: Brief Introduction to Botnet

Page 4: Botnet?

A network of compromised computers controlled by a master to do correlated tasks [GP+08].

[Diagram: Botnet Master -> Controller -> Victim (Bot: compromised host). Command & Control Channel: IRC, HTTP, P2P. Malicious Activity: Scan, Spam, DDoS.]

Page 5: Bot life cycle

Infection: Initial installation of the botnet malware, by email, accessing infected web sites, or vulnerability exploitation.

Bootstrap: Join the botnet, using a preliminary list of bots.

Command and Control (C&C): Get instructions and send information/feedback.

Malicious Activity: Carry out instructions: Scan, Spam, DDoS, Maintenance, etc.

Maintenance: Upgrade the bot software.

Page 6: Botnet Models?

Centralized model (IRC/HTTP) and Distributed model (P2P).

[Diagram: Botnet Master, Controller and Victim in each model.]

Page 7: Botnet History [GZL08]

IRC Botnet: Centralized C&C structure. Access to IRC is restricted or limited.

HTTP Botnet: Centralized C&C structure. Has better access policy, therefore stealthy.

P2P Botnet: Distributed C&C structure.

Page 8: SIP as a C&C protocol

Page 9: Why is SIP a useful C&C Protocol?

SIP has outstanding features [A. Berger et al. (NPSec '09)]:

SIP access would have a less restrictive policy than P2P.

SIP infrastructure minimizes management overhead: registration, tracking of clients' status.

Reliable message delivery.

SIP message structure provides many options: SIP Instant Messaging, standard/user-defined message headers, message body.

Page 10: Problem Statement

Botnet is one of the most serious and growing security threats [SLWL07, GZL08, YD+10]: 40% of all computers connected to the Internet are considered infected bots [ZLC08]. 20% of malware will still be able to get into up-to-date Internet computers [BK07].

SIP is even more attractive as a C&C protocol after being adopted by 3GPP.

SIP Botnet has not been considered before.

Page 11: Study & Detection Approaches

Bot's source code analysis.

Honeynets.

Signature based detection.

Anomaly based detection:

Based on Botnet Malicious Activities: high volume traffic, such as DDoS attacks, scans, spam, or abnormal traffic.

Based on C&C communications.

Page 12: C&C Detection Approach

C&C is the weakest link [GZL08]: interrupting the C&C channel disarms the Botnet [SLWL07]. Based on the following observation [GZL08, GP+08]:

Due to preprogrammed activities, bots tend to behave in a similar or correlated manner.

Restricting access to C&C controllers isolates the bots.

No prior knowledge is needed.

Page 13: Related Works

Page 14: Related Works (1)

G. Gu et al., “Botsniffer: Detecting botnet command and control channels in network traffic”, NDSS 08, February:

Detects centralized C&C channels (IRC & HTTP).

Monitors crowd density/homogeneity of clients that connect to the same server: event sequences are considered.

Deep inspection: Protocol-Matcher. The crowd homogeneity algorithm is vulnerable to encryption.

Page 15: Related Works (2)

G. Gu et al., “BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection”, (Security’08), July:

Protocol & structure independent: captures all TCP/UDP.

Does not consider event sequences.

Two-step X-means clustering.

Identifies hosts that share both similar C&C communication patterns and similar malicious activity patterns.

Page 16: Related Works (3)

X. Yu et al., “Online botnet detection based on incremental discrete fourier transform”, Journal of Networks, 5(5), May 2010:

Protocol & structure independent.

Event sequences are considered.

distance(X, Y) = distance(DFT(X), DFT(Y)) [Discrete Fourier Transform].

Fewer DFT coefficients are required to capture the distance.

A suspected bot’s malicious activities are monitored before confirming its identity.

Page 17: The Proposed Solution

Page 18: The Proposed Solution

Developing a system to detect SIP Botnet (i.e. SIP is the C&C protocol):

It is a network anomaly based system, based on the similar behavior of bots.

It does not rely on the event sequence [SLWL07, GP+08]: resists the random-time evasion technique.

Detects bots at early stages: before they initiate malicious activities, or as early as possible, by monitoring & analyzing C&C communications (i.e. SIP communications).

Without any prior knowledge.

A suspected bot’s identity is confirmed as soon as it carries out one or more botnet malicious activities.

Page 19: The Proposed Solution (Main idea)

Two users are considered similar if they share similar flows more than a defined threshold ( ).

Similar users are considered suspected bots.

[Diagram: User-1 and User-2 sharing similar flows.]

Page 20: System Overview

Page 21: System Components (1)

Monitoring Engine:

Logs SIP/malicious traffic to a central DB server.

Based on Snort (open source intrusion detection system), with a customized set of rules to capture SIP traffic and a set of activated plug-ins to capture malicious activities.

Installed where the designated traffic passes by, such as network gateways.

Page 22: System Components (2)

Correlation Engine: developed in Java.

Input: SIP/malicious traffic that has been logged into the central DB.

Function: detect bots and C&C controllers.

It can be installed anywhere as long as it has access to the central DB server.

Page 23: Correlation Engine (How it works)

Feature Vector (FV): a flow is transformed into a feature vector. The FV consists of flow attributes, such as: duration (seconds), size (bytes), number of packets, bps (bytes per second), bpp (bytes per packet).

Feature Stream (FS): a user's flows are represented by a feature stream. A column represents a feature vector.

[Diagram: User Feature Stream over a time window (w): columns FV1 (Flow1), FV2 (Flow2), ..., FVn (Flow n), each with rows Duration, Size, #Packets, bps, bpp.]

Page 24: Correlation Engine (How it works)

Two flows [a, b] are similar if the distance d(a, b) = [formula not recoverable from the transcript; it is computed over the features a[i], b[i], i = 1..f], f: no. of features.

Two users (A, B) are considered similar if the distance d(A, B) = [formula not recoverable from the transcript], A/B: Feature Stream of user A/B.
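A worked illustration of the correlation engine on slides 23 and 24, added here; it is not the author's Java implementation. The slides' exact flow distance is not recoverable from the transcript, so the code assumes a range-normalised RMS distance over the five FV features, treats two flows as similar when that distance is at most FLOW_EPS, and treats two users as similar when at least the fraction USER_THETA of each one's flows in the window has a similar flow in the other's stream; the flow records and both thresholds are constructed for the example.

```python
from itertools import combinations
from math import sqrt

# Constructed sample flows: (user, start_second, duration_s, size_bytes, packets).
# u1..u3 issue near-identical short SIP exchanges at the same rhythm; alice, bob
# and carol place ordinary calls of varying length.
SAMPLE_FLOWS = [
    ("u1", 10, 0.20, 880, 3), ("u1", 310, 0.21, 884, 3), ("u1", 610, 0.22, 876, 3),
    ("u2", 12, 0.21, 880, 3), ("u2", 315, 0.20, 878, 3), ("u2", 612, 0.22, 882, 3),
    ("u3", 9, 0.22, 879, 3), ("u3", 305, 0.21, 885, 3), ("u3", 608, 0.20, 881, 3),
    ("alice", 100, 63, 21000, 140), ("alice", 900, 180, 60000, 400),
    ("bob", 400, 95, 30500, 200), ("bob", 5000, 40, 13000, 90),  # 2nd flow is outside the window
    ("carol", 200, 240, 78000, 520), ("carol", 1500, 30, 10000, 70),
]

FLOW_EPS = 0.06    # assumed: max normalised distance for two flows to count as similar
USER_THETA = 0.5   # assumed: min fraction of shared similar flows for two users to be similar


def feature_vector(duration, size, packets):
    """The slide's FV: (duration, size, #packets, bps, bpp) for one flow."""
    bps = size / duration if duration > 0 else 0.0
    bpp = size / packets if packets > 0 else 0.0
    return (float(duration), float(size), float(packets), bps, bpp)


def feature_streams(flows, window_start, window_len):
    """Feature Stream per user: FVs of the flows starting inside [window_start, window_start + w)."""
    streams = {}
    for user, start, dur, size, pkts in flows:
        if window_start <= start < window_start + window_len:
            streams.setdefault(user, []).append(feature_vector(dur, size, pkts))
    return streams


def feature_ranges(streams):
    """Per-feature value range over every FV in the window (1.0 for a constant feature)."""
    vectors = [fv for fs in streams.values() for fv in fs]
    f = len(vectors[0])
    return [max(v[i] for v in vectors) - min(v[i] for v in vectors) or 1.0 for i in range(f)]


def flow_distance(a, b, ranges):
    """Assumed d(a, b): range-normalised RMS difference over the f features (0 = identical)."""
    f = len(a)
    return sqrt(sum(((a[i] - b[i]) / ranges[i]) ** 2 for i in range(f)) / f)


def shared_fraction(A, B, ranges, eps):
    """Fraction of A's flows that have at least one flow in B within distance eps."""
    return sum(1 for a in A if any(flow_distance(a, b, ranges) <= eps for b in B)) / len(A)


def user_similarity(A, B, ranges, eps):
    """Assumed d(A, B) analogue: the smaller of the two directional shared fractions."""
    return min(shared_fraction(A, B, ranges, eps), shared_fraction(B, A, ranges, eps))


def suspected_bots(flows, window_start, window_len, eps=FLOW_EPS, theta=USER_THETA):
    """Return (sorted suspected users, similar user pairs with their similarity)."""
    streams = feature_streams(flows, window_start, window_len)
    ranges = feature_ranges(streams)
    pairs = []
    for ua, ub in combinations(sorted(streams), 2):
        s = user_similarity(streams[ua], streams[ub], ranges, eps)
        if s >= theta:
            pairs.append((ua, ub, round(s, 2)))
    suspects = sorted({u for ua, ub, _ in pairs for u in (ua, ub)})
    return suspects, pairs


if __name__ == "__main__":
    found, similar = suspected_bots(SAMPLE_FLOWS, 0, 3600)   # w = 1 hour
    print("similar user pairs:", similar)
    print("suspected bots:", found)
```

Normalising by the population's feature ranges means the verdict depends on who else is in the window, which is one reason the slides confirm a suspect only after a malicious activity is observed.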

Page 25: Experimental Evaluation

Calculate False Positive & Negative

Page 26: Input Data Set (Users’ traffic)

Network traces have been generated using two tools developed by A. Berger et al. [BH09]:

1. Autosip: emulates the realistic call behavior of regular users:

Number of online users varies with time.

Call duration is modeled based on μ (mean value) and σ (standard deviation).

A user calls a friend with probability (α) and others with probability (1 − α).

A user makes on average C calls/hour.

Page 27: Autosip Components

Manager: sets call parameters for clients. Controls the number of active users during the day.

Client (SIP users): connects to the manager. Clients call each other according to the parameter settings.

Page 28: Input Data Set (Malicious traffic)

2. Sipbot: generates SIP Botnet traffic.

Based on the P2P Storm botnet: the Overnet protocol has been replaced by SIP. Sends a “603 Decline” response to the SIP INVITE message.

Page 29: Test bed Network Design

@ NSL cluster:

Page 30: Preliminary Result

[Chart: Algorithm Precision (1000 users, 10 bots), [w=1h, slide=15m]. X-axis: Time, 7:00 PM to 12:00 AM in 15-minute steps; Y-axis: % Percentage, 0 to 45; series: False Positive, False Negative.]

Page 31: Conclusion / Future Work / Challenges

Page 32: Conclusion

Botnet is a serious growing threat: it needs more research.

Detecting bots based on the C&C channel is efficient: it allows us to detect bots at early stages.

SIP is a promising C&C protocol.

A system is provided to detect SIP botnet with a very low False Negative (~0) & a reasonable False Positive.

Page 33: Future Work

Improve the similarity algorithm to decrease False Positives.

Implement larger scale evaluation experiments.

Integrate a Malicious Activity handler component.

Extracting C&C controllers.

Try to reduce time complexity.

Page 34: Challenges

Resilience to evasion:

A very long Response Delay (larger than the time window): botnet utility is reduced or limited because the botmaster can no longer command his bots promptly and reliably [GZL08].

Random session size/duration.

Random noise packets.

A pool of random SIP options.

Page 35: End

Page 36: Appendix

Page 37: Centralized C&C Model

[Diagram: Botnet Master -> Controller -> Victim (Bot: compromised host). Command & Control Channel: IRC, HTTP, P2P. Malicious Activity: Scan, Spam, DDoS.]

Pros: Prompt communications. Easy management.

Cons: Single point of failure. Easy to break down.

Page 38: Distributed C&C Model (P2P)

Pros: Reliability. Harder to break down.

Cons: Not a real time control. Management overhead.

Page 39: Detection Approaches

Most of the current botnet detection approaches [7,17,19,20,26,29,35,40] work only on specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized), and can become ineffective as botnets change their C&C techniques [GP+08].

Some approaches [4, 6, 12, 18] have been proposed [YD+10].

[BCJ+09, ZLC08]

Page 40: C&C Detection Approach

C&C is the weakest link [GZL08]: interrupting the C&C channel disarms the Botnet [SLWL07]. Based on the following observation [GZL08, GP+08]:

Due to preprogrammed activities, bots tend to behave in a similar or correlated manner.

C&C controllers are usually much fewer than bots: restricting access to them is easier, safer, and more efficient.

No prior knowledge is needed.

Page 41: Related Works (1)

G. Gu et al., “Botsniffer: Detecting botnet command and control channels in network traffic”, NDSS 08, February:

Detecting centralized C&C channels (IRC & HTTP).

Analyzing bots’ responses (message, activity) to the Botmaster’s commands.

Looking in every time window (t) for a response crowd from clients that connect to the same server: crowd density (>50%), crowd homogeneity.

A number of rounds are required before confirming a crowd is a botnet.

Deep inspection: Protocol-Matcher. The implemented crowd homogeneity algorithm is vulnerable to encryption.

Page 42: Related Works (2)

G. Gu et al., “BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection”, (Security’08), July:

Protocol & structure independent: captures all TCP/UDP.

Does not consider event sequences.

Identifies hosts that share both similar C&C communication patterns and similar malicious activity patterns.

Aggregates related flows during an epoch time (E ~ one day) into the same C-Flow.

Transforms C-Flows into pattern vectors of equal length by a quantile binning technique.

Two-step X-means clustering.

Page 43: Related Works (2)

G. Gu et al., “BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection”, (Security’08), July:

Protocol & structure independent. Does not consider event sequences.

Aggregates the past epoch’s (E ~ one day) related flows into one flow. To standardize the feature vector length, the discrete distribution is approximated by a binning technique (computing quartiles).

Two-step X-means clustering.

Identifies hosts that share both similar communication patterns and similar malicious activity patterns: a host receives a high score if it has performed multiple types of suspicious activities, and if other hosts that were clustered with it also show the same multiple types of activities.

If two hosts appear in the same activity clusters and in at least one common C-cluster, they should be clustered together.

Page 44: Related Works (3)

X. Yu et al., “Online botnet detection based on incremental discrete fourier transform”, Journal of Networks, 5(5), May 2010:

Protocol & structure independent. Event sequences are considered. Online detection.

User flows are represented by a feature stream. Similarity is measured by an average Euclidean distance.

distance(X, Y) = distance(DFT(X), DFT(Y)) [Discrete Fourier Transform]. Fewer DFT coefficients are required to capture the stream.

Incremental DFT coefficients avoid recalculation when a new value arrives (minimizing processing time further).

A suspected bot’s malicious activities are monitored before confirming its identity.

Page 45: Related Works (3)

X. Yu et al., “Online botnet detection based on incremental discrete fourier transform”, Journal of Networks, 5(5), May 2010:

Online detection. Protocol & structure independent.

A flow is represented by a feature stream. Similarity is measured by an average Euclidean distance. distance(X, Y) = distance(DFT(X), DFT(Y)). DFT needs fewer feature streams.

Incremental DFT coefficients avoid recalculation when a new feature stream arrives (minimizing processing time further).

A suspected bot’s malicious activities are monitored before confirming its identity.
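An added example of the DFT-based comparison that slides 16, 44 and 45 attribute to Yu et al.; it is not the paper's own code. It shows the three points the slides make: by Parseval's relation the Euclidean distance between two feature streams equals the scaled distance between their DFT coefficients, keeping only the first k coefficients gives a cheaper lower bound, and an incremental update refreshes every coefficient in O(n) when a new value arrives (the standard sliding-DFT step is assumed here for that update). The feature streams are constructed.

```python
import cmath
from math import sqrt

# Constructed feature streams: one value per 5-minute slot of a 1-hour window
# (12 slots), e.g. the bytes per second of a user's SIP flows in that slot.
BOT_A = [40, 0, 0, 41, 0, 0, 39, 0, 0, 40, 0, 0]        # fixed 15-minute rhythm
BOT_B = [41, 0, 0, 40, 0, 0, 40, 0, 0, 39, 0, 0]        # same rhythm, slightly different sizes
CALLER = [0, 310, 0, 0, 0, 290, 280, 0, 0, 0, 0, 330]   # ordinary caller, irregular calls


def dft(xs):
    """Plain O(n^2) discrete Fourier transform of a real-valued stream."""
    n = len(xs)
    return [sum(x * cmath.exp(-2j * cmath.pi * k * t / n) for t, x in enumerate(xs))
            for k in range(n)]


def euclid(xs, ys):
    """Euclidean distance; works for real streams and for complex coefficient lists."""
    return sqrt(sum(abs(x - y) ** 2 for x, y in zip(xs, ys)))


def dft_distance(xs, ys, k=None):
    """distance(DFT(X), DFT(Y)) over the first k coefficients, scaled by 1/sqrt(n).

    With k = None (all n coefficients) Parseval's relation makes this exactly
    euclid(xs, ys); with k < n it is a lower bound that is cheaper to compare
    and needs only k numbers per stream to be stored.
    """
    n = len(xs)
    return euclid(dft(xs)[:k], dft(ys)[:k]) / sqrt(n)


def slide_dft(coeffs, x_old, x_new):
    """Incremental update of all n coefficients when the oldest value x_old leaves
    the window and x_new enters it (assumed standard sliding DFT, O(n) per value).
    """
    n = len(coeffs)
    return [cmath.exp(2j * cmath.pi * k / n) * (c - x_old + x_new)
            for k, c in enumerate(coeffs)]


def incremental_error(stream, x_new):
    """Largest coefficient difference between the incremental update and a full
    recomputation after one new value arrives (should be at floating-point noise).
    """
    updated = slide_dft(dft(stream), stream[0], x_new)
    recomputed = dft(stream[1:] + [x_new])
    return max(abs(u - r) for u, r in zip(updated, recomputed))


if __name__ == "__main__":
    print("time-domain distance  BOT_A/BOT_B :", euclid(BOT_A, BOT_B))
    print("full DFT distance     BOT_A/BOT_B :", dft_distance(BOT_A, BOT_B))
    print("4-coefficient bound   BOT_A/BOT_B :", dft_distance(BOT_A, BOT_B, 4))
    print("4-coefficient bound   BOT_A/CALLER:", dft_distance(BOT_A, CALLER, 4))
    print("sliding-DFT max error:", incremental_error(BOT_A, 40))
```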

Page 46: Related Works (4)

H. Zeidanloo and A. Abdul Manaf, “Botnet detection by monitoring similar communication patterns”, International Journal of Computer Science and Information Security, 7(3), March 2010: General framework:

Focuses on P2P based and IRC based Botnets. Similar users have similar graphs:

User Feature Streams Graph [(X, Y)= (bpp, bps)]. Exact method has not been provided.

They did not provide evaluation.

Page 47: Related Works ()

W. Strayer et al., “Botnet detection based on network behavior”, Vol. 36 of Advances in Information Security, Springer, October 2007:

Detects IRC Botnets (centralized): prompt C&C mechanism.

Does not consider event sequences.

Filtering phase assumes prior knowledge: passes only what could be C&C traffic and filters out any traffic that does not comply with some specific semantics. It does not examine content nor port.

Looking for C&C servers: topological analysis: highest in/out-degree in a directed graph of similar flows.

Flow characteristics: bandwidth, packet timing, and burst duration.

Page 48: The Proposed Solution

Developing a system to detect SIP Botnet (i.e. SIP is the C&C protocol):

It is a network anomaly based system, based on the concept of similar behavior among bots.

It does not rely on the event sequence [SLWL07, GP+08]: resists the random-time evasion technique.

Detects bots at early stages: before they initiate malicious activities, or as early as possible, by monitoring & analyzing C&C communications (i.e. SIP communications).

Without any prior knowledge.

A suspected bot’s identity is confirmed as soon as it carries out one or more botnet malicious activities.

A further analysis can be applied to extract C&C controllers.

Page 49: The Proposed Solution (Main idea)

Two users are considered similar if they share similar flows more than a defined threshold ( ).

Similar users are considered suspected bots.

Bot identity is confirmed when it commits any malicious activity.

[Diagram: User-1 and User-2 sharing similar flows.]

Page 50: Input Data Set

Network traces have been generated using the following tools developed by A. Berger:

Autosip: emulates the realistic call behavior of regular users:

Number of online users varies with time.

Call duration is modeled with a log-normal distribution [BC+05].

A user calls a friend with probability (α) and others with probability (1 − α).

A user makes on average C calls/hour: uniform call probability per minute (c/60).

Page 51: Autosip Components

Manager: sets call parameters. Controls the number of active users during the day.

Client (SIP users): connects to the manager. Clients call each other according to the parameter settings.

Page 52: Autosip (How it works)

Upon start, and after a random-time sleep, a client tries to initiate calls to a friend (on average, c calls/hour).

Call duration is computed using the parameters μ and σ.

Only a single ongoing call per client: during an ongoing call, the client does not make call attempts and answers incoming call attempts with a SIP BUSY.

Page 53: Input Data Set

Network traces have been generated using the following tools developed by A. Berger:

Autosip: emulates the realistic behavior of regular users’ phone calls:

Number of online users varies with time. Call duration is modeled with a log-normal distribution [BC+05]. A user calls a friend with probability (α) and others with probability (1 − α). A user makes on average C calls/hour: uniform call probability per minute (c/60).

Two components:

Manager: sets call parameters. Controls the number of active users during the day.

Client (SIP users): connects to the manager. Clients call each other according to the parameter settings.

Autosip parameters:

C: average number of call attempts per hour.

μ: mean value of call duration.

σ: standard deviation of call duration.

Number of simulated SIP clients.

Number of friends of each client.

α: probability of calling a friend.

Page 54: Preliminary Result

[Chart: Algorithm Precision (90 users, 10 bots). X-axis: Time Periods in minutes (15m, 30m, 90m, 105m); Y-axis: % Percentage, 0 to 60; series: % False Positive, % False Negative.]

Page 55: Future Work

Improve the similarity algorithm to decrease False Positives.

Implement larger scale evaluation experiments.

Extracting C&C controllers.

Offline → Online Detection.

Try to implement Real Time Detection and reduce time complexity.

Page 56: Future Work

Evaluation: improve the similarity algorithm to decrease False Positives. Implement larger scale evaluation experiments.

Extracting C&C controllers: for example, by a directed graph technique.

Real Time Detection.

Attempt to reduce time complexity.

Page 57: Future Work

Evaluation: Implement larger scale evaluation experiments. Compare result with another algorithm.

Implement Malicious Activity component. Extracting C&C controllers:

For example: By a directed graph technique.

Real Time Detection: Incremental DFT [YD+10]. Estimated Weighted Moving Average (EWMA) [SLWL07]. Binning technique [GP+08]. Aggregate related flows within epoch time (E~ one day) into one flow [GP+08].

Reduce Time Complexity: Reduce Dataset size (No. of Feature Streams).

Page 58: Challenges

Resilience to evasion:

Response time (long and/or random): if the random response times fall within the maximum expected time window, then it is OK. Otherwise (i.e. a long response delay), under a very long response delay the botnet’s utility to the botmaster is reduced or limited because the botmaster can no longer command his bots promptly and reliably.

Random session size/duration.

Adding random noise packets, or when a bot is not only a bot and simply carries normal traffic as well.

Random picking from a pool of different SIP options.

Using a stack of different C&C protocols.


Page 63: Questions and Discussion