Active Botnet Probing to Identify Obscure Command and Control Channels
G. Gu, V. Yegneswaran, P. Porras, J. Stoll, and W. Lee, Annual Computer Security Applications Conference 2009 (ACSAC 2009)
Reporter: 高嘉男
Advisor: Chin-Laung Lei
2010/3/15
Outline
◦ Introduction
◦ Problem statement & assumptions
◦ Active botnet probing: architecture & algorithms
◦ Experiments with BotProbe
◦ Conclusion
Introduction
Botnet C&C channel: existing protocols
◦ IRC, HTTP & P2P
Botnet detection: passive
◦ Signature-based detection
◦ Honeypot-based detection
◦ Behavior-based botnet detection
Contemporary IRC botnets
◦ Obfuscated IRC messages
◦ Small sizes
◦ Infrequent C&C interactions
Active Method
Collect evidence actively
Assume there is only one round of (obscure) chat-like botnet C&C interaction from one bot: can we still detect the bot with high probability?
Key Observations
Botnet C&C interaction has a clear command-response pattern
◦ A bot will behave deterministically to replayed commands
Bots are preprogrammed to respond to the set of commands they receive
◦ Bots have limited tolerance for typographical errors in conversations
Adversary Assumption
A bot should respond when it receives a predefined command within a reasonable time
Message response
◦ IRC PRIVMSG message
Activity response
◦ Scan response
◦ Third-party response
◦ Spam response
Architecture Design
Active Probing Techniques
Active Probing Techniques (Cont'd)
P0 (Explicit-Challenge-Response)
◦ Reverse Turing test
◦ Request the user to visit a website to read and translate a CAPTCHA
P1 (Session-Replay-Probing)
◦ Replay the same application command to the client several times
Active Probing Techniques (Cont'd)
P2 (Session-Byte-Probing)
◦ The BotProbe monitor randomly permutes certain bytes of the application command
P3 (Client-Replay-Probing)
◦ Register a new user into the channel
◦ Send the observed command(s) to the selected client
P4 (Man-In-The-Middle-Probing)
◦ Intercept the new command and launch a man-in-the-middle-like chat message injection
Turing-Test-Hypothesis Algorithm
Perform one or more rounds of P0 probing
H1: the hypothesis "botnet C&C"
H0: the hypothesis "normal chat"
Binary random variable D: whether or not we observe a wrong reply for a challenge from the client (D = 1: an incorrect reply)
θ1 = Pr(D = 1 | H1), θ0 = Pr(D = 1 | H0)
θ1 ≈ 1, θ0 ≈ 0
α: false positive rate, β: false negative rate
n: rounds of probing
Define

$$\Lambda_n = \ln \frac{\Pr(D_1, \ldots, D_n \mid H_1)}{\Pr(D_1, \ldots, D_n \mid H_0)} = \sum_{i=1}^{n} \ln \frac{\Pr(D_i \mid H_1)}{\Pr(D_i \mid H_0)}$$
Turing-Test-Hypothesis Algorithm (cont'd)
Threshold random walk (TRW)
◦ Walk starts from the origin (0)
◦ Walk goes up by ln(θ1/θ0) if Di = 1
◦ Walk goes down by ln((1-θ1)/(1-θ0)) if Di = 0
After n rounds
◦ If Λn > ln((1-β)/α): accept H1, it is a botnet C&C
◦ If Λn < ln(β/(1-α)): accept H0, it is a normal IRC dialog
◦ Otherwise: additional rounds of testing
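The TRW classifier above, carried through with the parameter values the slides report for the experiments (θ1 = 0.99, θ0 = 0.15, α = 0.001, β = 0.01, with a separate θ0 for scan and third-party-access responses), as an added Python example; this is not the authors' BotProbe code. The observation sequences and the response-type table in the test are constructed for illustration, and the helper names are my own.

```python
import math

# Parameter values listed on the slides (theta1 = 0.99, theta0 = 0.15,
# alpha = 0.001, beta = 0.01); observation sequences fed to trw() are constructed.
THETA1, THETA0 = 0.99, 0.15
ALPHA, BETA = 0.001, 0.01


def step(d, theta1=THETA1, theta0=THETA0):
    """Contribution of one round to Lambda_n: D_i = 1 moves the walk up by
    ln(theta1/theta0), D_i = 0 moves it down by ln((1-theta1)/(1-theta0))."""
    if d:
        return math.log(theta1 / theta0)
    return math.log((1 - theta1) / (1 - theta0))


def trw(observations, theta1=THETA1, theta0=THETA0, alpha=ALPHA, beta=BETA):
    """Threshold random walk over D_1..D_n.

    Returns (decision, rounds_used, Lambda_n) where decision is 'botnet' (H1),
    'normal' (H0) or 'undecided' (more probing rounds are needed)."""
    upper = math.log((1 - beta) / alpha)   # accept H1 once the walk exceeds this
    lower = math.log(beta / (1 - alpha))   # accept H0 once the walk drops below this
    lam = 0.0                              # the walk starts at the origin
    for i, d in enumerate(observations, start=1):
        lam += step(d, theta1, theta0)
        if lam > upper:
            return "botnet", i, lam
        if lam < lower:
            return "normal", i, lam
    return "undecided", len(observations), lam


def interleaved_observation(replay_responded, modified_responded):
    """Interleaved-Binary-Response rule: D = 1 only when the client answered the
    replayed command and ignored the byte-modified one."""
    return 1 if (replay_responded and not modified_responded) else 0


def best_response_step(responses):
    """Single-Binary-Response rule for a command with several response types
    (message, scan, third-party access), each with its own theta0: keep the
    response whose step has the largest magnitude, i.e. the highest confidence.
    `responses` maps response type -> (D_i, theta0)."""
    return max(((name, step(d, THETA1, t0)) for name, (d, t0) in responses.items()),
               key=lambda item: abs(item[1]))
```

With the slide parameters a run of four wrong replies crosses the upper threshold, while two correct replies already cross the lower one, which is why a human user is normally released after very few rounds.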
Single-Binary-Response-Hypothesis Algorithm
Perform one or more rounds of P1 probing
D: whether or not a response from the client is observed
Iterate the TRW process at different scales depending on the responses
Multiple different types of responses corresponding to the same command
◦ Choose the one that provides the highest confidence (walks the largest step)
Interleaved-Binary-Response-Hypothesis Algorithm
Perform one or more rounds of interleaved P1 and P2 probing
D = 1: the observation of a response from the replayed packets and no response from the modified packets
Bots
◦ Respond to replayed packets reliably
◦ Do not recognize the modified command
Humans
◦ Respond to a message with a typographical error
◦ How might normal users respond to two replayed IRC messages?
Evaluating User Disturbance
The degree of disturbance
◦ The number of rounds (packets modified/replayed) needed to produce a botnet C&C declaration
◦ The number of rounds needed to produce a human user IRC channel declaration
Evaluating User Disturbance (cont'd)
BotProbe: an Active Botnet Probing System
Test the False Negative Rate
How many bot C&Cs are missed by BotProbe?
Execute the bot in Windows XP (VMware)
Monitor with BotProbe on Linux
Three classes of real-world IRC bots
◦ Open-source bots with obfuscated communication: Spybot
◦ Bot binaries with cleartext communication: Phatbot, Rbot, Rxbot, Sdbot
◦ Bot binaries with obfuscated communication: W32.Wargbot, Trojan.Dropper.Sramler.C
Test the False Negative Rate (cont'd)
Parameters of the testing algorithm
◦ θ1 = 0.99, θ0 = 0.15, α (FP) = 0.001, β (FN) = 0.01
◦ θ0 for scan response = 0.01, θ0 for third-party-access response = 0.02
Test the False Negative Rate (cont'd)
W32.Wargbot
◦ Puts an encrypted command in the IRC TOPIC message for bots to execute
Trojan.Dropper.Sramler.C
Test the False Positive Rate
How frequently could normal chatting sessions be mislabeled as botnet C&C?
Study design
◦ Human users periodically sent messages that simulate the effect of botnet probing to real users in diverse channels
Test on two different platforms
◦ IRC & meebo.com
Test the False Positive Rate (cont'd)
Study design
◦ Six different questions were designed to test 123 different users
◦ Questions: "what's up", "nice weather", "you like red?", "how may I help you?", "English only! I play nice fun"
◦ Modified questions: "waat's up", "noce weather", "aou like red?", "Bow may I help you?", "Eaglish only! I play nice fun"
◦ Turing test messages: "what's 3+6=?"
Test the False Positive Rate (cont'd)
Conclusion
The first feasibility study of the use of active techniques in botnet detection
◦ Collect evidence actively
◦ Shorten the detection time
A hypothesis testing framework & a prototype system implementation
◦ Separates deterministic botnet communication from human conversations effectively
Reference
G. Gu, V. Yegneswaran, P. Porras, J. Stoll, and W. Lee, "Active Botnet Probing to Identify Obscure Command and Control Channels," in Annual Computer Security Applications Conference (ACSAC), 2009.