Master Blaster: Identifying Influential Player in Botnet Transaction
Slide 1
Master Blaster: Identifying Influential Player in Botnet Transaction
Authors: Napoleon C. Paxton, College of Computing and Informatics, UNC Charlotte
Gail-Joon Ahn, School of Computing, Informatics and Decision System Engineering, Arizona State University
Mohamed Shehab, College of Computing and Informatics, UNC Charlotte
Reporter: 簡榮杉
https://www.youtube.com/watch?v=5KyoHjIoMkQ
Slide 2
OUTLINE
Introduction
Scope of research
Master Blaster: System overview
Implementation and results
Discussion
Conclusion
Slide 3
Introduction
Bots carry out the commands of the botmaster through communication mediums.
Communication mediums: Internet Relay Chat (IRC), P2P, social networks.
Botnet monitoring
an effective method to garner in-depth information about the threat of botnets
capture and modify a bot
allow the bot to connect to its command and control center
monitor the actual communications that take place on the botnet
Slide 4
Most botnets are controlled by multiple botmasters.
Botmaster 1 initially creates the botnet.
Botmasters 1, 2, and N each have their own attack agenda.
Slide 5
Introduction – In this paper
to categorize the nodes
to categorize the transactions based on a modified version of the reflective-impulsive model.
A botnet is just a tool.
A tool is only as useful as the way it is used and the intentions of the person who uses it.
to categorize the botmaster interactions (between the botmaster and the nodes in a botnet) as social characteristics
There are five categories of node:
Botmaster node
Bot node
Compromised Machine node: the machine that was originally attacked and turned into a bot node.
Storehouse node: the node that provides a download service to the botmaster node or the bot node.
Victim node: the node that is attacked.
Slide 6
Introduction – In this paper
to identify the evolution of the physical characteristics (size) of a botnet
like human social networks: born, grow, shrink, disappear
to correlate the discovered social characteristics and the evolutionary characteristics
to shed light on the role each botmaster plays in a botnet.
Slide 7
OUTLINE
Introduction
Scope of research
Master Blaster: System overview
Implementation and results
Discussion
Conclusion
Slide 8
It is easy to covertly infiltrate a botnet and monitor its transactions.
Botnet monitoring has become a common way to analyze and identify botnets and the destruction they cause.
This paper
introduces the novel idea of monitoring botnet traffic to identify the roles each botmaster has in the botnet.
discovers motives and characteristics, which leads to discovering the root cause behind the botnet.
Slide 9
OUTLINE
Introduction
Scope of research
Master Blaster: System overview
Implementation and results
Discussion
Conclusion
Slide 10
Ⅲ. MASTER BLASTER: SYSTEM OVERVIEW
A. Bot Capture
B. Closed analysis
C. Open analysis
D. Network Monitoring
E. Correlation
Slide 11
A. Bot Capture
The capture component pretends to be a legitimate vulnerable machine.
Three elements in the capture component:
Socket manager: the attacker attempts to connect to a port through the socket manager.
General shellcode handler: general shellcode handlers are created to receive the data and pass the code to the Perl regex shellcode handler.
Perl regex shellcode handler:
Step 1: determine what type of code it is.
Step 2: the code is downloaded without executing it.
Slide 12
B. Closed Analysis
adapt and modify the reflective-impulsive model to botnets.
The reflective-impulsive model depicts social behavior as a joint function of two systems.
Reflective system:
is built from responses of knowledge on facts and their decisions
is denoted by the expression S_R = set F, where F is composed of k-subsets {f_d1, f_d2, ..., f_d(k-1), f_dk} that include a finite amount of facts f and their decisions d
Impulsive system: (discovered in the component "D. Network Monitoring")
In the closed analysis,
discover the ASCII text in the bot code which are reflective keywords; these keywords represent the facts
use RFC 1459 and RFC 1812 (IRC protocol) to help determine the protocol-based keywords
derive the semantics of the facts from the command and control protocol.
Keyword
reflective keyword: from the ASCII text in the bot code
user/system based
Slide 13
In the reflective system, behavior is elicited as a consequence of a decision process. Specifically, knowledge about the value and the probability of potential consequences is weighed and integrated to reach a preference for one behavioral option. If a decision is made, the reflective system activates appropriate behavioral schemata through a self-terminating mechanism of intending. In contrast, the impulsive system activates behavioral schemata through spreading activation, which may originate from perceptual input or from reflective processes. As described in James’ (1890) ideo-motor principle (see also Lotze, 1852), a behavior may be elicited without the person’s intention or goal. In addition, the activation of behavioral schemata may be moderated by motivational orientations or deprivation.
From the original paper “the reflective-impulsive system”
Slide 14
From the original paper “the reflective-impulsive system”
Slide 15
C. Open Analysis
All information about the initial bootstrapping has to be included in the bot binary and thus can be cloned.
extract the general packet information from the botnet data
Three elements in the open analysis component:
bot agents: the bot is stripped of its ability to attack victim machines
botnet connection: the bot agent connects to the command and control locations
botnet payload collection: captures all the readable contents of the payload
Slide 16
D. Network Monitoring
analyze the ASCII-readable data in the payload (found by "C. Open analysis component")
extract characteristic elements from the content of the data
discover conversations initiated by commands between the botmaster node and the other nodes.
The structure of these conversations is discovered in commands based on the command and control protocol.
Within these conversations, discover
the Impulsive System
the Evolutionary Characteristics.
Slide 17
D. Network Monitoring – 1/2
Impulsive system: S_I is built on associative links and motivational drives.
S_I ≡ S = m1 ∪ m2 ∪ m3, where S is the ground set of motivations based on 3 k-subsets of motivations M: Destructive (M1), Monetary (M2), and Other (M3), and mi belongs to Mi.
In this paper’s model, each command given by the botmaster is one impulsive human-initiated command. Each subset (m1, m2, m3) is composed of a set of commands. The associative links are the semantic connections of each command to another that meet a defined criterion for the subset. That means that each command that resides in a k-subset is linked to each other.
In the paper’s framework, after the finite value of each k-subset is discovered, the upper-bound k-subset determines what the motivation of the botmaster is.
Destructive: concerned with causing damage that physically affects a potential victim’s system (including getting money from potential victims)
Monetary: concerned only with covertly stealing money
Other: all unknown motives.
The operation of the paper’s reflective-impulsive process is as follows: an impulsive command e in a set S is matched to a reflective keyword f in a set F; the two entities, e and f, are then determined to be one characteristic E which conjoins the two systems, S_R and S_I.
Slide 18
D. Network Monitoring: Impulsive system S_I
In this paper’s model, each command given by the botmaster is one impulsive human-initiated command.
The impulsive system is built on associative links and motivational drives.
Motivational drives:
S_I ≡ S = m1 ∪ m2 ∪ m3, where S is the ground set of motivations based on 3 k-subsets of motivations M: Destructive (M1), Monetary (M2), and Other (M3), and mi belongs to Mi.
In the paper’s framework, after the finite value of each k-subset is discovered, the upper-bound k-subset determines what the motivation of the botmaster is.
Destructive: concerned with causing damage that physically affects a potential victim’s system (including getting money from potential victims)
Monetary: concerned only with covertly stealing money
Other: all unknown motives.
Associative links:
Each subset (m1, m2, m3) is composed of a set of commands.
Each command that resides in a k-subset is linked to each other.
The associative links are the semantic connections of each command to another that meet a defined criterion for the subset.
The operation of the paper’s reflective-impulsive process is as follows: an impulsive command e in a set S is matched to a reflective keyword f in a set F; the two entities, e and f, are then determined to be one characteristic E which conjoins the two systems, S_R and S_I.
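As an added illustration of the closed analysis (slide 12) and the impulsive-system matching described on slides 17 and 18, the Python script below is not from the paper or the presentation. It recovers printable ASCII strings from a constructed fake bot binary as the reflective keyword set F, tags each as protocol based (RFC 1459 command names) or user/system based, then parses constructed IRC C&C log lines, matches each botmaster command e to the keyword f that carries it to form a characteristic E, and picks the upper-bound motivation subset per botmaster. The IRC keyword list, the motivation subset membership (only dccflood is taken from the slides), the sample binary and the log lines are all assumptions made for this example.

```python
"""Added example (not the paper's code): closed analysis keyword extraction
and network-monitoring command matching in the Master Blaster style.
The sample binary, IRC log lines and command lists are constructed."""
import re
from collections import Counter

# Constructed stand-in for a captured bot binary: a few printable strings
# (IRC verbs and bot commands) surrounded by junk bytes.
SAMPLE_BOT_BINARY = (
    b"\x7fELF\x01\x01\x00\x00NICK\x00\x00USER\x00PRIVMSG %s :%s\r\n\x00"
    b"\xff\xfedccflood\x00harvest\x00update\x00\x90\x90"
)

# RFC 1459 command names: a keyword found in the binary that is one of these
# is a protocol-based fact; anything else is a user/system-based fact.
IRC_PROTOCOL_KEYWORDS = {"NICK", "USER", "JOIN", "PART", "PRIVMSG", "NOTICE",
                         "PING", "PONG", "MODE", "TOPIC", "QUIT"}

# Motivation classes M1..M3 from the paper. Membership is an assumption for
# this example; only "dccflood" is a keyword named on the slides.
MOTIVATION_SUBSETS = {
    "destructive": {"dccflood"},   # M1: damage to victim systems
    "monetary": {"harvest"},       # M2: covert theft
    "other": {"update"},           # M3: unknown motives
}

# Constructed IRC C&C lines as the open-analysis payload collector would see
# them (203.0.113.0/24 is documentation address space, not a real host).
SAMPLE_IRC_LOG = [
    ":master1!u@h PRIVMSG #c :.dccflood 203.0.113.7 30",
    ":master1!u@h PRIVMSG #c :.dccflood 203.0.113.8 30",
    ":master1!u@h PRIVMSG #c :.update http://example.invalid/b.bin",
    ":master2!u@h PRIVMSG #c :.harvest",
    ":master2!u@h PRIVMSG #c :.harvest",
    ":master2!u@h PRIVMSG #c :.dccflood 203.0.113.9 10",
    ":master2!u@h PRIVMSG #c :.unknowncmd 1",
    "PING :irc.example.invalid",
]

# :<nick>!user@host <VERB> <target> :[.]<command> [args]
LINE_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)\S*\s+(?P<verb>[A-Z]+)\s+\S+\s+:\.?(?P<cmd>\S+)")


def extract_reflective_keywords(binary, min_len=4):
    """Closed analysis: recover printable ASCII runs (as `strings` would) and
    label each word as a protocol or user/system reflective keyword.
    Returns the set F as {keyword: "protocol" | "user/system"}."""
    facts = {}
    for run in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, binary):
        for token in re.findall(r"[A-Za-z_]+", run.group().decode("ascii")):
            if len(token) >= min_len:
                kind = ("protocol" if token.upper() in IRC_PROTOCOL_KEYWORDS
                        else "user/system")
                facts[token] = kind
    return facts


def extract_characteristics(log_lines, facts):
    """Network monitoring: each botmaster message is one impulsive command e.
    e is matched to the reflective keyword f (the IRC verb carrying it); the
    pair is one characteristic E joining S_I and S_R. Lines whose command or
    verb is not a known keyword in F are dropped."""
    characteristics = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if m and m["cmd"] in facts and m["verb"] in facts:
            characteristics.append((m["nick"], m["cmd"], m["verb"]))
    return characteristics


def botmaster_motivations(characteristics):
    """Count each botmaster's commands per motivation subset m1..m3 and take
    the upper-bound (largest) subset as that botmaster's motivation."""
    per_master = {}
    for nick, e, _f in characteristics:
        counts = per_master.setdefault(
            nick, Counter({name: 0 for name in MOTIVATION_SUBSETS}))
        for name, members in MOTIVATION_SUBSETS.items():
            if e in members:
                counts[name] += 1
    return {nick: (counts.most_common(1)[0][0], dict(counts))
            for nick, counts in per_master.items()}


def analyze(binary=SAMPLE_BOT_BINARY, log_lines=SAMPLE_IRC_LOG):
    """Run closed analysis, then network monitoring, on the sample data."""
    facts = extract_reflective_keywords(binary)
    characteristics = extract_characteristics(log_lines, facts)
    return facts, characteristics, botmaster_motivations(characteristics)


if __name__ == "__main__":
    facts, chars, motives = analyze()
    print("reflective keywords F:", facts)
    print("characteristics E:", chars)
    for nick, (motive, counts) in motives.items():
        print(f"{nick}: motivation={motive} counts={counts}")
```

On the constructed data master1 lands in the destructive subset and master2 in the monetary subset; the `.unknowncmd` line is discarded because its command never appeared as a keyword in the binary, which is the page's point that the reflective set F bounds what the impulsive side can be matched against.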
Slide 19
D. Network Monitoring: Evolutionary characteristics
Evolutionary Characteristics:
Each stage of evolution is defined as the following:
Birth
Growth
Contraction
Slide 20
E. Correlation
The output of this component is the discovery of what role each botmaster plays.
Three elements in this component:
Component correlation: each result from the components has a timestamp. Using this timestamp and the botmaster name, the results of the components are correlated.
Botmaster characteristic statistics:
Evolutionary characteristic statistics: use the autocorrelation function, C(t), on the number of bots in the botnet over consecutive timesteps t.
Reflective-impulsive characteristic statistics: the ratio of protocol-based commands to user/system-based commands.
Correlation engine: correlates the results of the closed analysis component, the open analysis component, the network monitoring component and the botnet characteristic component to discover the botmaster-based patterns.
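An added example, not from the paper, covering the evolutionary characteristics of slide 19 and the botmaster characteristic statistics and component correlation of this slide. The Python below labels each timestep of a constructed channel-size series as birth, growth, contraction or disappear, computes a normalized autocorrelation C(t) (the presentation only names C(t), so the standard lagged form used here is an assumption), reports the ratio of protocol-based to user/system commands per botmaster, and joins command records to the channel stage by timestamp and botmaster name. The size series, the command records and the stage thresholds are all constructed for this example.

```python
"""Added example (not the paper's code): evolutionary stages, the
autocorrelation statistic C(t), the protocol/user-system ratio and the
timestamp-keyed component correlation. All sample data is constructed."""
from collections import Counter, defaultdict

# Constructed channel size (bot count) at consecutive timesteps t = 0, 1, ...
SAMPLE_CHANNEL_SIZE = [0, 0, 5, 12, 20, 26, 26, 19, 11, 4, 0, 0]

# Constructed command records from network monitoring: (t, botmaster, kind),
# kind being the reflective-keyword class the command was matched to.
SAMPLE_COMMANDS = [
    (3, "master1", "user/system"), (4, "master1", "user/system"),
    (4, "master1", "protocol"),    (5, "master1", "user/system"),
    (5, "master2", "protocol"),    (6, "master2", "protocol"),
    (7, "master2", "user/system"), (8, "master2", "protocol"),
]


def label_stages(sizes):
    """Evolutionary characteristics per timestep: "birth" at the first
    non-zero size, "growth" while the size rises or holds, "contraction"
    while it falls, "disappear" once it is back to zero; "none" before
    birth. The threshold choices are this example's, not the paper's."""
    stages, born, prev = [], False, 0
    for n in sizes:
        if not born:
            born = n > 0
            stage = "birth" if born else "none"
        elif n == 0:
            stage = "disappear"
        elif n >= prev:
            stage = "growth"
        else:
            stage = "contraction"
        stages.append(stage)
        prev = n
    return stages


def autocorrelation(series, lag):
    """Normalized autocorrelation C(t) at lag t (assumed standard form):
    C(t) = sum_s (x_s - mean)(x_{s+t} - mean) / sum_s (x_s - mean)^2.
    A value near 1 means the bot count closely tracks the count t steps
    earlier; it falls off as the channel's size changes."""
    n = len(series)
    if n == 0 or lag >= n:
        return 0.0
    mean = sum(series) / n
    dev = [x - mean for x in series]
    denom = sum(d * d for d in dev)
    if denom == 0:
        return 0.0
    return sum(dev[s] * dev[s + lag] for s in range(n - lag)) / denom


def reflective_impulsive_stats(commands):
    """Per botmaster: (protocol count, user/system count, protocol-to-user
    ratio). A low ratio means most commands were typed by hand rather
    than emitted by scripts."""
    counts = defaultdict(Counter)
    for _t, master, kind in commands:
        counts[master][kind] += 1
    stats = {}
    for master, c in counts.items():
        user = c["user/system"]
        ratio = c["protocol"] / user if user else float("inf")
        stats[master] = (c["protocol"], user, ratio)
    return stats


def correlate(commands, sizes):
    """Component correlation: join each command record to the channel's
    evolutionary stage at the same timestamp, keyed by botmaster name."""
    stages = label_stages(sizes)
    joined = defaultdict(Counter)
    for t, master, _kind in commands:
        joined[master][stages[t]] += 1
    return {master: dict(c) for master, c in joined.items()}


if __name__ == "__main__":
    print("stages:", label_stages(SAMPLE_CHANNEL_SIZE))
    print("C(t):", [round(autocorrelation(SAMPLE_CHANNEL_SIZE, t), 3)
                    for t in range(4)])
    print("ratios:", reflective_impulsive_stats(SAMPLE_COMMANDS))
    print("by stage:", correlate(SAMPLE_COMMANDS, SAMPLE_CHANNEL_SIZE))
```

The join in `correlate` is the timestamp-plus-botmaster-name step the slide describes: with the constructed data, master1's commands all fall in the growth phase and master2 is split between growth and contraction, which is the kind of pattern the correlation engine would then report alongside each botmaster's motivation and protocol/user ratio.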
Slide 21
OUTLINE
Introduction
Scope of research
Master Blaster: System overview
Implementation and results
Discussion
Conclusion
Slide 22
Ⅳ. Implementation and results
The following scripts in one version of the bot code were identified by closed analysis:
Reflective keywords extracted from these results are
PRIVMSG (lines 123, 133, 135 and 138)
dccflood (line 133)
Slide 23
Table 1 shows the number of impulsive commands generated by the top 10 botmasters.
Active botmasters generated more human user/system commands.
Most of the impulsive commands generated by the active botmasters are human based and therefore are more apt to reflect the true intentions of the botmaster.
Slide 24
Larger channels decayed more rapidly.
Slide 25
More active botmasters had a higher ratio of human-initiated elements to protocol-based elements.
This is very important since it means the botmaster is using his own intuition in this channel and most of the transactions are not by scripts.
Human error continues to be the best way to catch botmasters or malware writers in general.
Slide 26
OUTLINE
Introduction
Scope of research
Master Blaster: System overview
Implementation and results
Discussion
Conclusion
Slide 27
A. Current state of botnets: This paper focuses on IRC-based botnets.
Monitoring of more advanced C&C protocols is left for future work.
B. Limitations
Can only identify the botmaster characteristics of transactions that have been decrypted.
Slide 28
OUTLINE
Introduction
Scope of research
Master Blaster: System overview
Implementation and results
Discussion
Conclusion
Slide 29
Discovering the role each botmaster plays helps reduce analysis time.
The approach enables us to identify the generalized motives for each botmaster.
The paper indicated most attacks occurred during times when the botnet was at its largest size.
Future work would focus on other forms of botnets (e.g. HTTP-based, P2P-based, hybrid attacks).