Master Blaster: - PowerPoint Presentation

Uploaded by marina-yarberry on 2016-09-12 (396 views)

Identifying Influential Player in Botnet Transaction. Authors: Napoleon C. Paxton, College of Computing and Informatics, UNC Charlotte; Gail-Joon Ahn, School of Computing and Informatics. ID: 464668



Presentation Transcript

Slide1

Master Blaster: Identifying Influential Player in Botnet Transaction

Authors: Napoleon C. Paxton, College of Computing and Informatics, UNC Charlotte; Gail-Joon Ahn, School of Computing, Informatics and Decision System Engineering, Arizona State University; Mohamed Shehab, College of Computing and Informatics, UNC Charlotte

Reporter: 簡榮杉

https://www.youtube.com/watch?v=5KyoHjIoMkQ

Slide2

OUTLINE: Introduction; Scope of research; Master blaster: System overview; Implementation and results; Discussion; Conclusion

Slide3

Introduction

Bots carry out the commands of the botmaster through communication mediums.

Communication mediums: Internet Relay Chat (IRC), P2P, social networks.

Botnet monitoring:
- an effective method to garner in-depth information about the threat of botnets
- capture and modify a bot
- allow the bot to connect to its command and control center
- monitor the actual communications that take place on the botnet

Slide4

Most botnets are controlled by multiple botmasters.

Botmaster 1 initially creates the botnet; botmasters 1, 2, ..., N each have their own attack agenda.

Slide5

Introduction – In this paper

- to categorize the nodes
- to categorize the transactions based on a modified version of the reflective-impulsive model
- a botnet is just a tool; a tool is only as useful as the way it is used and the intentions of the person who uses it
- to categorize the botmaster interactions (between the botmaster and the nodes in a botnet) as social characteristics

There are five categories of node:
- Botmaster node
- Bot node
- Compromised Machine node: the machine that was originally attacked and turned into a bot node.
- Storehouse node: the node that provides a download service to the botmaster node or the bot node.
- Victim node: the node that is attacked.

Slide6

Introduction – In this paper

- to identify the evolution of the physical characteristics (size) of a botnet, which, like a human social network, is born, grows, shrinks and disappears
- to correlate the discovered social characteristics and the evolutionary characteristics, to shed light on the role each botmaster plays in a botnet

Slide7

OUTLINE: Introduction; Scope of research; Master blaster: System overview; Implementation and results; Discussion; Conclusion

Slide8

It is easy to covertly infiltrate a botnet and monitor its transactions, so botnet monitoring has become a common way to analyze and identify botnets and the destruction they cause.

This paper:
- introduces the novel idea of monitoring botnet traffic to identify the roles each botmaster has in the botnet
- discovers motives and characteristics, which leads to discovering the root cause behind the botnet

Slide9

OUTLINE: Introduction; Scope of research; Master blaster: System overview; Implementation and results; Discussion; Conclusion

Slide10

Ⅲ. MASTER BLASTER: SYSTEM OVERVIEW

A. Bot Capture
B. Closed analysis
C. Open analysis
D. Network Monitoring
E. Correlation

Slide11

A. Bot Capture

The capture component pretends to be a legitimate vulnerable machine. Three elements in the capture component:

- Socket manager: the attacker attempts to connect to a port through the socket manager.
- General shell code handler: general shell code handlers are created to receive the data and pass the code to the Perl regex shell code handler.
- Perl regex shell code handler: Step 1: determine what type of code it is. Step 2: the code is downloaded without executing it.

Slide12

B. Closed Analysis

Adapt and modify the reflective-impulsive model to botnets. The reflective-impulsive model depicts social behavior as a joint function of two systems.

Reflective system:
- is built by responses of knowledge on facts and their decisions
- is denoted by the expression $S_R = F$, where $F$ is composed of k-subsets $\{f_{d_1}, f_{d_2}, \ldots, f_{d_{k-1}}, f_{d_k}\}$ that include a finite number of facts $f$ and their decisions $d$

Impulsive system: discovered in the component "D. Network Monitoring".

In the closed analysis:
- discover the ASCII text in the bot codes which are reflective keywords; these keywords represent the facts
- use RFC 1459 and RFC 1812 (IRC protocol) to help determine the protocol-based keywords
- derive the semantics of the facts from the command and control protocol

Keywords: a reflective keyword (from the ASCII text in the bot codes) is either protocol based or user/system based.
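The closed-analysis step above (pull the ASCII keywords out of the bot code, then decide which ones are protocol based by checking them against the IRC command names) amounts to a strings(1)-style pass followed by a lookup. The Python below is an added example written for this transcript, not code from the paper or its authors: the bot "binary" is a constructed byte string, the IRC command list is a subset of the command names defined in RFC 1459, and the function names are ours. The same extraction is what produced the PRIVMSG and dccflood keywords reported in the results section.

```python
import re

# Subset of the client-server command names defined in RFC 1459, used to tag a
# keyword as protocol based. Anything else is treated as user/system based.
IRC_PROTOCOL_COMMANDS = {
    "PASS", "NICK", "USER", "JOIN", "PART", "MODE", "TOPIC", "PRIVMSG",
    "NOTICE", "PING", "PONG", "QUIT", "KICK", "WHO", "WHOIS",
}

# Constructed stand-in for a captured bot binary: printable ASCII runs embedded in
# non-printable bytes. This is not a real sample.
SAMPLE_BOT_BINARY = (
    b"\x00\x01MZ\x90\x00"      # too short to count as a string
    b"PRIVMSG\x00\x7f\xfe"
    b"JOIN\x00"
    b"dccflood\x00\x13"
    b"ab\x00"                  # too short to count as a string
    b"ddos.syn\x00"
    b"NICK\x00"
)

# Tokens that look like keywords (identifier-like), as opposed to paths or format strings.
KEYWORD_SHAPE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")


def extract_ascii_strings(blob: bytes, min_len: int = 3) -> list:
    """Return printable ASCII runs of at least min_len bytes, in file order
    (the same idea as the Unix strings(1) tool)."""
    pattern = re.compile(rb"[ -~]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def classify_keyword(keyword: str) -> str:
    """Decision d for fact f: 'protocol' if it is an IRC command name, else 'user/system'."""
    return "protocol" if keyword.upper() in IRC_PROTOCOL_COMMANDS else "user/system"


def build_reflective_set(strings) -> dict:
    """Build S_R = F = {f_d1, ..., f_dk} as a mapping keyword -> decision, keeping only
    identifier-like tokens and the first occurrence of each."""
    facts = {}
    for s in strings:
        if KEYWORD_SHAPE.match(s):
            facts.setdefault(s, classify_keyword(s))
    return facts


if __name__ == "__main__":
    for f, d in build_reflective_set(extract_ascii_strings(SAMPLE_BOT_BINARY)).items():
        print(f"{f:<10} {d}")
```

On a real capture the user/system bucket is noisy (format strings, library names), so in practice the identifier filter would be tightened further and the remaining user/system keywords reviewed by hand, which is what the closed analysis step sets up.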

Slide13

In the reflective system, behavior is elicited as a consequence of a decision process. Specifically, knowledge about the value and the probability of potential consequences is weighed and integrated to reach a preference for one behavioral option. If a decision is made, the reflective system activates appropriate behavioral schemata through a self-terminating mechanism of intending. In contrast, the impulsive system activates behavioral schemata through spreading activation, which may originate from perceptual input or from reflective processes. As described in James' (1890) ideo-motor principle (see also Lotze, 1852), a behavior may be elicited without the person's intention or goal. In addition, the activation of behavioral schemata may be moderated by motivational orientations or deprivation.

From the original paper "the reflective-impulsive system"

Slide14

[Figure from the original paper "the reflective-impulsive system"]

Slide15

C. Open Analysis

All information about the initial bootstrapping has to be included in the bot binary and thus can be cloned, in order to extract the general packet information from the botnet data.

Three elements in the open analysis component:
- bot agents: the bot is stripped of its ability to attack victim machines
- botnet connection: the bot agent connects to the command and control locations
- botnet payload collection: captures all the readable contents of the payload

Slide16

D. Network Monitoring

- analyze the ASCII-readable data in the payload (found by "C. Open analysis")
- extract characteristic elements from the content of the data
- discover conversations initiated by commands between the botmaster node and the other nodes; the structure of these conversations is discovered in commands based on the command and control protocol
- within these conversations, discover the Impulsive System and the Evolutionary Characteristics

Slide17

D. Network Monitoring – 1/2

Impulsive system: $S_I$ is built on associative links and motivational drives.

$S_I \equiv S = m_1 \cup m_2 \cup m_3$, where $S$ is the ground set of motivations based on 3 k-subsets of motivations $M$: Destructive ($M_1$), Monetary ($M_2$) and Other ($M_3$), and $m_i \in M_i$.

In this paper's model, each command given by the botmaster is one impulsive, human-initiated command. Each subset ($m_1$, $m_2$, $m_3$) is composed of a set of commands. The associative links are the semantic connections of each command to another that meet a defined criterion for the subset; that means each command that resides in a k-subset is linked to every other command in it.

In the paper's framework, after the finite value of each k-subset is discovered, the upper-bound k-subset determines what the motivation of the botmaster is:
- Destructive: concerned with causing damage that physically affects a potential victim's system (including getting money from potential victims)
- Monetary: concerned only with covertly stealing money
- Other: all unknown motives

The operation of the paper's reflective-impulsive process is as follows: an impulsive command $e$ in set $S$ is matched to a reflective keyword $f$ in set $F$; the two entities $e$ and $f$ are then determined to be one characteristic $E$, which conjoins the two systems $S_R$ and $S_I$.

Slide18

D. Network Monitoring: Impulsive system $S_I$

In this paper's model, each command given by the botmaster is one impulsive, human-initiated command. The impulsive system is built on associative links and motivational drives.

Motivational drives: $S_I \equiv S = m_1 \cup m_2 \cup m_3$, where $S$ is the ground set of motivations based on 3 k-subsets of motivations $M$: Destructive ($M_1$), Monetary ($M_2$) and Other ($M_3$), and $m_i \in M_i$. In the paper's framework, after the finite value of each k-subset is discovered, the upper-bound k-subset determines what the motivation of the botmaster is:
- Destructive: concerned with causing damage that physically affects a potential victim's system (including getting money from potential victims)
- Monetary: concerned only with covertly stealing money
- Other: all unknown motives

Associative links: each subset ($m_1$, $m_2$, $m_3$) is composed of a set of commands, and each command that resides in a k-subset is linked to every other command in it. The associative links are the semantic connections of each command to another that meet a defined criterion for the subset.

The operation of the paper's reflective-impulsive process is as follows: an impulsive command $e$ in set $S$ is matched to a reflective keyword $f$ in set $F$; the two entities $e$ and $f$ are then determined to be one characteristic $E$, which conjoins the two systems $S_R$ and $S_I$.
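Slides 17 and 18 describe one matching step in words: read each botmaster command $e$ out of the channel traffic, match it to a reflective keyword $f$ in $F$, keep the pair as a characteristic $E$, and bucket the human-initiated ones into $m_1$, $m_2$, $m_3$ so that the largest subset names the motivation. The Python below is an added example written for this transcript, not the authors' system: the IRC log lines are constructed (192.0.2.0/24 is a documentation address range), the fact set `REFLECTIVE_FACTS` and the keyword-to-subset mapping `MOTIVATION_SUBSET` are assumptions (the paper defines the three motivation categories, not which keywords fall into each), and the tie-break rule is ours.

```python
import re
from collections import Counter

# Reflective facts F (keyword -> decision) as closed analysis would produce them.
# Constructed; only PRIVMSG and dccflood appear in the paper's reported results.
REFLECTIVE_FACTS = {
    "PRIVMSG": "protocol",
    "PING": "protocol",
    "dccflood": "user/system",
    "ddos.syn": "user/system",
    "keylog": "user/system",
    "login": "user/system",
}

# Assumed assignment of user/system keywords to the motivation subsets. Keywords not
# listed here fall into M3 (Other), matching the paper's "all unknown motives".
MOTIVATION_SUBSET = {"dccflood": "M1", "ddos.syn": "M1", "keylog": "M2"}
SUBSET_LABEL = {"M1": "Destructive", "M2": "Monetary", "M3": "Other"}

# RFC 1459 PRIVMSG framing: ":nick!user@host PRIVMSG target :text"
PRIVMSG_LINE = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")

# Constructed channel transcript standing in for the network-monitoring capture.
SAMPLE_LOG = [
    ":alpha!a@h PRIVMSG #c :.dccflood 192.0.2.5 60",
    ":alpha!a@h PRIVMSG #c :.ddos.syn 192.0.2.6 80 30",
    ":alpha!a@h PRIVMSG #c :.login hunter2",
    ":beta!b@h PRIVMSG #c :.keylog on",
    ":beta!b@h PRIVMSG #c :.keylog off",
    ":beta!b@h PRIVMSG #c :.login hunter2",
    ":gamma!g@h PRIVMSG #c :hello everyone",   # no reflective keyword matches
    "PING :irc.example.test",                   # server traffic, not a command
]


def parse_impulsive_command(line):
    """Return (nick, e) for a PRIVMSG, where e is the first token of the message text
    with the bot's command prefix stripped. Anything else yields None."""
    m = PRIVMSG_LINE.match(line)
    if not m:
        return None
    tokens = m.group("text").split()
    if not tokens:
        return None
    return m.group("nick"), tokens[0].lstrip(".!")


def conjoin(e, facts=REFLECTIVE_FACTS):
    """Match impulsive command e (in S) to reflective keyword f (in F). The pair is one
    characteristic E spanning S_I and S_R; None when nothing in F matches."""
    if e not in facts:
        return None
    return {"e": e, "f": e, "decision": facts[e]}


def extract_characteristics(lines):
    """All (nick, E) pairs found in the transcript, in order."""
    out = []
    for line in lines:
        parsed = parse_impulsive_command(line)
        if parsed is None:
            continue
        nick, e = parsed
        E = conjoin(e)
        if E is not None:
            out.append((nick, E))
    return out


def botmaster_motivation(lines):
    """Count each botmaster's user/system commands into m1, m2, m3 and take the largest
    subset (the upper bound) as the motivation. Ties resolve to M1 (an assumption)."""
    counts = {}
    for nick, E in extract_characteristics(lines):
        if E["decision"] != "user/system":
            continue  # protocol-based elements say nothing about motive
        subset = MOTIVATION_SUBSET.get(E["e"], "M3")
        counts.setdefault(nick, Counter())[subset] += 1
    result = {}
    for nick, c in counts.items():
        best = max(("M1", "M2", "M3"), key=lambda s: c[s])  # first maximum wins
        result[nick] = SUBSET_LABEL[best]
    return result


if __name__ == "__main__":
    for nick, motive in botmaster_motivation(SAMPLE_LOG).items():
        print(nick, "->", motive)
```

Note that `gamma` never appears in the result: a botmaster whose messages match nothing in $F$ produces no characteristic, which is the model's way of saying there is no evidence to classify them on, rather than defaulting them to Other.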

Slide19

D. Network Monitoring: Evolutionary characteristics

Each stage of evolution is defined as one of the following: Birth, Growth, Contraction.

Slide20

E. Correlation

The output of this component is the discovery of what role each botmaster plays. Three elements in this component:

- Component correlation: each result from the components has a timestamp. Using this timestamp and the botmaster name, the results of the components are correlated.
- Botmaster characteristic statistics:
  - Evolutionary characteristic statistics: use the autocorrelation function C(t) to discover the number of botnets across consecutive timesteps t.
  - Reflective-impulsive characteristic statistics: the ratio of protocol-based commands to user/system-based commands.
- Correlation engine: correlates the results of the closed analysis component, the open analysis component, the network monitoring component and the botnet characteristic component to discover the botmaster-based patterns.
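The correlation component above joins the other components' outputs on timestamp and botmaster name, runs C(t) over the botnet size series, and takes the command-mix ratio per botmaster; the results slides then read that ratio as human-initiated elements over protocol-based ones and relate attack activity to the botnet's size stage. The Python below is an added example, not the paper's implementation: the size series and per-command records are constructed, C(t) is implemented as the standard normalised sample autocorrelation (an assumption about the exact form the paper uses), the stage labelling follows the slide's Birth/Growth/Contraction list with "steady" added for an unchanged size, and the ratio is computed as user/system elements divided by protocol elements, the direction slides 23 and 25 quote.

```python
from collections import Counter, defaultdict

# Constructed botnet size (bots seen in the channel) per timestep, standing in for the
# evolutionary characteristics discovered by network monitoring.
SIZE_SERIES = {1: 10, 2: 40, 3: 80, 4: 60, 5: 30}

# Constructed per-command records: (timestep, botmaster nick, element kind), where kind
# is "protocol" (IRC protocol keyword) or "user_system" (human-initiated command).
COMMAND_EVENTS = [
    (1, "alpha", "protocol"),
    (2, "alpha", "user_system"),
    (3, "alpha", "user_system"),
    (3, "alpha", "user_system"),
    (4, "beta", "protocol"),
    (4, "beta", "user_system"),
    (5, "beta", "protocol"),
]


def evolution_stages(sizes):
    """Label each timestep with the slide's stages: birth, growth, contraction.
    An unchanged size is labelled 'steady' (our addition; the slide lists three stages)."""
    stages = {}
    prev = None
    for t in sorted(sizes):
        size = sizes[t]
        if prev is None:
            stages[t] = "birth"
        elif size > prev:
            stages[t] = "growth"
        elif size < prev:
            stages[t] = "contraction"
        else:
            stages[t] = "steady"
        prev = size
    return stages


def autocorrelation(sizes, lag):
    """Normalised sample autocorrelation of the size series at the given lag
    (standard definition; assumed to be the C(t) the slide refers to)."""
    values = [sizes[t] for t in sorted(sizes)]
    n = len(values)
    if lag < 0 or lag >= n:
        raise ValueError("lag must be in [0, len(series))")
    mean = sum(values) / n
    dev = [v - mean for v in values]
    denom = sum(d * d for d in dev)
    if denom == 0:
        return 1.0  # constant series: perfectly self-similar at every lag
    num = sum(dev[i] * dev[i + lag] for i in range(n - lag))
    return num / denom


def reflective_impulsive_ratio(events):
    """Per botmaster: user/system-based elements divided by protocol-based elements.
    A botmaster with no protocol elements gets infinity rather than a division error."""
    counts = defaultdict(Counter)
    for _, nick, kind in events:
        counts[nick][kind] += 1
    ratios = {}
    for nick, c in counts.items():
        protocol = c["protocol"]
        ratios[nick] = c["user_system"] / protocol if protocol else float("inf")
    return ratios


def correlate(sizes, events):
    """Join component outputs on (timestep, botmaster): which evolutionary stage the
    botnet was in when each botmaster issued commands, plus that botmaster's ratio."""
    stages = evolution_stages(sizes)
    ratios = reflective_impulsive_ratio(events)
    by_stage = defaultdict(Counter)
    for t, nick, _ in events:
        by_stage[nick][stages[t]] += 1
    return {
        nick: {"ratio": ratios[nick], "commands_by_stage": dict(by_stage[nick])}
        for nick in ratios
    }


if __name__ == "__main__":
    for nick, summary in correlate(SIZE_SERIES, COMMAND_EVENTS).items():
        print(nick, summary)
    print("C(1) =", round(autocorrelation(SIZE_SERIES, 1), 3))
```

In the constructed data `alpha` issues most commands while the botnet is growing and has a high user/system ratio, which is the profile the results slides associate with an active botmaster acting on their own intuition; `beta` is only active during contraction and is mostly protocol traffic.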

Slide21

OUTLINE: Introduction; Scope of research; Master blaster: System overview; Implementation and results; Discussion; Conclusion

Slide22

Ⅳ. Implementation and results

The following scripts in one version of the bot codes were identified by closed analysis. Reflective keywords extracted from these results are PRIVMSG (lines 123, 133, 135 and 138) and dccflood (line 133).

Slide23

Table 1 shows the number of impulsive commands generated by the top 10 botmasters.

Active botmasters generated more human user/system commands: most of the impulsive commands generated by the active botmasters are human based and therefore are more apt to reflect the true intentions of the botmaster.

Slide24

Larger channels decayed more rapidly.

Slide25

More active botmasters had a higher ratio of human-initiated elements to protocol-based elements. This is very important since it means the botmaster is using his own intuition in this channel and most of the transactions are not by scripts.

Human error continues to be the best way to catch botmasters, or malware writers in general.

Slide26

OUTLINE: Introduction; Scope of research; Master blaster: System overview; Implementation and results; Discussion; Conclusion

Slide27

A. Current state of botnets: this paper focuses on IRC-based botnets, leaving the monitoring of more advanced C&C protocols for future work.

B. Limitations: the approach can only identify the botmaster characteristics of transactions that have been decrypted.

Slide28

OUTLINE: Introduction; Scope of research; Master blaster: System overview; Implementation and results; Discussion; Conclusion

Slide29

Conclusion

Discovering the role each botmaster plays helps reduce analysis time, and the approach enables us to identify the generalized motives of each botmaster.

The paper indicated that most attacks occurred during times when the botnet was at its largest size.

Future work would focus on other forms of botnets (e.g. HTTP-based, P2P-based, hybrid attacks).