11/20/09 ONR MURI Project Kick-Off 1
Network-Level Monitoring for Tracking Botnets
Nick Feamster
School of Computer Science
Georgia Institute of Technology
ONR MURI N000140911042
Project Kick-off Meeting
November 20, 2009
Two Problems: From Axioms to Theories to Practice
• Problem #1: Tracking Bots
  – Bots are compromised computers
  – Bot traffic is not sent/authorized by users
  – Correlating host activities
• Problem #2: Tracking Network Agility (BGP & DNS)
  – Bots are long-term resources
  – Reuse, mechanisms/protocols to support agility
Problem #1: Tracking Bot Propagation
• Malware enters the enterprise over the network (e.g., remote exploit, Web application) or via a mobile device.
• Administrators rely on virus scanners, AV, etc.
  – Problem: Payloads may change; hard to keep AV up-to-date
Axiom: Bot traffic is not sent by humans/users.
Annotate Traffic with Provenance
• Idea: Annotate network traffic with “taints”
  – The process that generated the traffic
  – Inputs that the process has taken (i.e., what other resources it has read)
• As malware spreads, traffic accumulates a common set of taints.
  – Identify taints corresponding to bad operation
  – Block traffic if it carries a known bad taint
Theory: We can trace botnet traffic based on how it was sent, not what the botnet is sending.
Pedigree Design
• Trusted tagging component on host
• Arbiter on network switch
Practice: Tag traffic with provenance; block traffic at network switches.
NSF-TC 0916732: Taint-Based Information Tracking in Networked Systems
Student: Anirudh Ramachandran
Status and Challenges
• Status
  – Implementation and application to information-flow control in enterprises
• Challenges
  – Discover taints corresponding to the malware
  – Defend against attacks on the taint set (e.g., overflow)
  – Protecting integrity of tagger
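To make the Pedigree idea on slides 4 through 6 concrete, here is an added Python model of a trusted host-side tagger and a switch-side arbiter. It is illustration written for this page, not the project's code: the process/taint model, the `MAX_TAINTS` capacity, the `proc:`/`file:` taint labels and the sample hosts and destinations are all constructed. It shows traffic from two hosts accumulating a common taint set, the arbiter blocking once those taints are marked bad, and the overflow challenge from slide 6 handled conservatively (an overflowed tag is treated as untrusted rather than silently truncated).

```python
from dataclasses import dataclass, field

MAX_TAINTS = 8  # assumed per-packet tag capacity; overflow is handled conservatively


@dataclass
class Process:
    """A host process and the taint set it has accumulated (constructed model)."""
    name: str
    taints: set = field(default_factory=set)

    def read(self, resource, resource_taints=()):
        # Reading a resource adds the resource itself plus any taints it carries.
        self.taints |= {resource} | set(resource_taints)

    def spawn(self, name):
        # A child inherits the parent's taints plus the parent's identity.
        return Process(name, self.taints | {f"proc:{self.name}"})


@dataclass(frozen=True)
class Packet:
    src_host: str
    dst: str
    taints: frozenset
    overflowed: bool = False


class Tagger:
    """Trusted host-side component: stamps outgoing traffic with the sender's taints."""

    def __init__(self, host):
        self.host = host

    def tag(self, proc, dst):
        taints = proc.taints | {f"proc:{proc.name}"}
        overflowed = len(taints) > MAX_TAINTS
        if overflowed:
            # Truncation could drop a known-bad taint, so the packet is flagged, not trusted.
            taints = set(sorted(taints)[:MAX_TAINTS])
        return Packet(self.host, dst, frozenset(taints), overflowed)


class Arbiter:
    """Switch-side policy point: block traffic carrying a known-bad taint or an overflowed tag."""

    def __init__(self, bad_taints=()):
        self.bad = set(bad_taints)
        self.log = []

    def decide(self, pkt):
        hits = pkt.taints & self.bad
        if pkt.overflowed:
            verdict = "BLOCK:overflow"
        elif hits:
            verdict = "BLOCK:" + ",".join(sorted(hits))
        else:
            verdict = "ALLOW"
        self.log.append((pkt.src_host, pkt.dst, verdict))
        return verdict


def common_taints(packets):
    """Taints shared by every packet: the common set that spreading malware leaves behind."""
    return frozenset.intersection(*[p.taints for p in packets]) if packets else frozenset()


def demo():
    """Constructed scenario: the same attachment compromises two hosts via different processes."""
    arbiter = Arbiter()
    browser = Process("browser")
    browser.read("file:invoice.exe")
    dropper = browser.spawn("dropper")
    dropper.read("file:bot.dll")
    pkt_a = Tagger("hostA").tag(dropper, "c2.example:6667")
    mailer = Process("mailclient")
    mailer.read("file:invoice.exe")
    child = mailer.spawn("svchost-impostor")
    child.read("file:bot.dll")
    pkt_b = Tagger("hostB").tag(child, "c2.example:6667")
    pkt_ok = Tagger("hostA").tag(Process("editor"), "wiki.corp:443")
    shared = common_taints([pkt_a, pkt_b])  # the taints both infected flows have in common
    before = arbiter.decide(pkt_a)          # nothing is known-bad yet
    arbiter.bad |= shared                   # operator marks the shared taints as bad
    after = [arbiter.decide(p) for p in (pkt_a, pkt_b, pkt_ok)]
    noisy = Process("noisy")                # touches many resources to overflow its tag
    noisy.read("file:invoice.exe")
    for i in range(20):
        noisy.read(f"file:junk{i}")
    overflow = arbiter.decide(Tagger("hostC").tag(noisy, "c2.example:6667"))
    return shared, before, after, overflow


if __name__ == "__main__":
    print(demo())
```

The arbiter never sees process names or payloads, only the taint set the trusted tagger attached, which is the point of slide 4: the decision rests on how the traffic was produced, not on what it carries.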
Problem #2: Tracking Network Agility
• DNS: Remap DNS names to new IP addresses
  – Fast-flux / Double-flux
• BGP: Hijack IP address space
  – Allow hosts to operate from new IP addresses
Axiom: Botnets have only finite resources. These resources must be reused or recycled.
Example: DNS Agility
Theory: Rates of change are much faster than for legitimate load-balanced sites.
Maria Konte et al., “Dynamics of Online Scam Hosting Infrastructure”, PAM 2009. Best Paper.
Rates of Change
• Domains that exhibit fast flux change more rapidly than legitimate domains
• Rates of change are inconsistent with actual TTL values
Theory: Rates of change are faster than for legitimate load-balanced sites.
Fingerprinting DNS Agility
• Step 1 (simple idea)
  – Changes to name server assignment
  – Characteristics of new domains
• Step 2: Graph comparison
  – Lookups from recursive resolvers to “fresh” domains will look similar
  – Build fingerprints based on graph and point-set comparison techniques
Practice: Develop “fingerprints” of DNS dynamics. Identify underlying infrastructure, not attacks.
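The rate-of-change features on slides 8 through 10 (address churn relative to legitimate load balancing, inconsistency with the advertised TTL, and changes to name-server assignment) can be computed from a lookup log. The following is an added Python example for this page, not the authors' measurement code: the lookup records, the three domains, the `flux`/`cdn`/`static` names and the thresholds in `flag()` are constructed to show the shape of the signal, and are not the paper's values.

```python
import math
from collections import defaultdict
from statistics import mean


def _constructed_observations():
    """Constructed lookup log: (unix_ts, domain, ttl, frozenset of A records, frozenset of NS records)."""
    obs = []
    # Fast-flux style domain: a fresh pair of addresses from different /16s every 5 minutes,
    # although the zone advertises a 30-minute TTL; name servers are reassigned twice.
    for i in range(12):
        ns = "ns1" if i < 4 else ("ns2" if i < 8 else "ns3")
        obs.append((i * 300, "flux.example", 1800,
                    frozenset({f"10.{i}.0.{i + 1}", f"172.{16 + i}.0.{i + 1}"}),
                    frozenset({f"{ns}.flux.example"})))
    # Legitimate load-balanced site: rotates through three addresses in one /24 with a 60 s TTL.
    pool = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for i in range(60):
        obs.append((i * 60, "cdn.example", 60, frozenset({pool[i % 3]}),
                    frozenset({"ns1.cdn.example", "ns2.cdn.example"})))
    # Static site: one address, one-day TTL.
    for ts in (0, 43200, 86400):
        obs.append((ts, "static.example", 86400, frozenset({"198.51.100.7"}),
                    frozenset({"ns.static.example"})))
    return obs


OBS = _constructed_observations()


def metrics(obs):
    """Per-domain rate-of-change features from a time-ordered lookup log."""
    by_domain = defaultdict(list)
    for rec in sorted(obs, key=lambda r: (r[0], r[1])):
        by_domain[rec[1]].append(rec)
    out = {}
    for domain, recs in by_domain.items():
        ips, change_ts, ns_changes = set(), [], 0
        prev_a = prev_ns = None
        for ts, _, ttl, a_set, ns_set in recs:
            ips |= a_set
            if prev_a is not None and a_set != prev_a:
                change_ts.append(ts)
            if prev_ns is not None and ns_set != prev_ns:
                ns_changes += 1
            prev_a, prev_ns = a_set, ns_set
        span_hours = max((recs[-1][0] - recs[0][0]) / 3600.0, 1e-9)
        gaps = [b - a for a, b in zip(change_ts, change_ts[1:])]
        mean_gap = mean(gaps) if gaps else math.inf
        ttl = recs[-1][2]
        out[domain] = {
            "distinct_ips": len(ips),
            "ips_per_hour": len(ips) / span_hours,
            "ns_changes": ns_changes,
            "mean_change_interval": mean_gap,
            # < 1 means the answer set is replaced faster than its own TTL lets caches expire
            "interval_to_ttl": mean_gap / ttl if ttl else math.inf,
        }
    return out


def flag(m, min_ips_per_hour=20.0, max_interval_to_ttl=0.5):
    """Constructed thresholds: many distinct addresses per hour, or churn faster than the TTL."""
    return {d: (v["ips_per_hour"] >= min_ips_per_hour or v["interval_to_ttl"] < max_interval_to_ttl)
            for d, v in m.items()}


if __name__ == "__main__":
    for domain, feats in metrics(OBS).items():
        print(domain, feats)
    print(flag(metrics(OBS)))
```

The load-balanced site churns on every lookup too, so a raw change count alone does not separate it from the flux domain; the separation comes from how many distinct addresses appear per hour and from whether the change interval is consistent with the TTL, which is the distinction slide 9 draws.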
Student: Shuang Hao
Example: BGP Agility
• Hijack address space, send spam, withdraw prefix
[Figure: example hijacked prefixes and origin ASes]
  61.0.0.0/8  AS 4678
  66.0.0.0/8  AS 21562
  82.0.0.0/8  AS 8717
Theory: Different prefixes follow similar patterns.
Anirudh Ramachandran et al., “Understanding the Network-Level Behavior of Spammers”, SIGCOMM 2006. Best Student Paper.
Fingerprinting BGP Agility
[Diagram: a Spam Trap and a BGP Feed yield Spam Prefix & Origin AS; heuristics (Bogus AS, IAR, Recently Registered, Scam Hosting) yield New Prefixes]
Practice: Bootstrap suspicious prefix discovery. Look for “similar” prefixes.
Student: Maria Konte
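Slides 11 and 12 describe the hijack, spam, withdraw pattern and the idea of bootstrapping from a spam trap and a BGP feed to find similar prefixes. The Python below is an added example for this page, not the SIGCOMM 2006 analysis code: the update stream, the spam-trap hits, the documentation-range prefixes and ASNs, and the one-hour `max_duration` threshold are all constructed. It reconstructs announcement episodes from the BGP feed, counts spam-trap hits sourced from each prefix while it was announced, keeps the short-lived episodes that sourced spam, and groups those by origin AS as one simple notion of "similar".

```python
import ipaddress
import math
from collections import defaultdict

# Constructed BGP update stream: (unix_ts, "A"nnounce or "W"ithdraw, prefix, origin AS).
# Prefixes are documentation ranges and the ASNs come from the documentation ASN range.
UPDATES = [
    (0, "A", "192.0.2.0/24", 64497),       # long-lived announcement, never withdrawn
    (0, "A", "203.0.113.0/24", 64496),     # announced ...
    (600, "A", "198.51.100.0/24", 64496),  # ... second prefix from the same origin ...
    (2400, "W", "203.0.113.0/24", 64496),  # ... and withdrawn 40 minutes later
    (3000, "W", "198.51.100.0/24", 64496),
]
# Constructed spam-trap hits: (unix_ts, source IP).
SPAM_HITS = [
    (900, "203.0.113.45"), (1000, "192.0.2.77"), (1200, "203.0.113.46"),
    (1500, "198.51.100.9"), (5000, "203.0.113.50"),  # last hit arrives after the withdrawal
]


def episodes(updates):
    """Turn announce/withdraw pairs into per-(prefix, origin) announcement episodes."""
    open_eps, done = {}, []
    for ts, kind, prefix, origin in sorted(updates, key=lambda u: (u[0], u[1], u[2])):
        key = (prefix, origin)
        if kind == "A" and key not in open_eps:
            ep = {"prefix": prefix, "origin": origin, "start": ts, "end": None}
            open_eps[key] = ep
            done.append(ep)
        elif kind == "W" and key in open_eps:
            open_eps.pop(key)["end"] = ts
    for ep in done:
        ep["duration"] = math.inf if ep["end"] is None else ep["end"] - ep["start"]
    return done


def correlate(eps, spam_hits):
    """Count spam-trap hits sourced from inside each prefix while it was announced."""
    for ep in eps:
        net = ipaddress.ip_network(ep["prefix"])
        end = math.inf if ep["end"] is None else ep["end"]
        ep["spam_hits"] = sum(1 for ts, src in spam_hits
                              if ep["start"] <= ts <= end and ipaddress.ip_address(src) in net)
    return eps


def suspicious(eps, max_duration=3600):
    """Short-lived announcements that sourced spam: the hijack, spam, withdraw pattern."""
    return [ep for ep in eps if ep["spam_hits"] > 0 and ep["duration"] <= max_duration]


def similar(eps):
    """Group suspicious prefixes by origin AS as one notion of 'similar' prefixes."""
    groups = defaultdict(list)
    for ep in eps:
        groups[ep["origin"]].append(ep["prefix"])
    return dict(groups)


if __name__ == "__main__":
    flagged = suspicious(correlate(episodes(UPDATES), SPAM_HITS))
    for ep in flagged:
        print(ep)
    print(similar(flagged))
```

The long-lived prefix also sources one spam hit but is not flagged, because the pattern of interest is the short announcement window coinciding with spam, not spam alone; the hit after the withdrawal falls outside any episode and is ignored.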