Automating Analysis of Large-Scale Botnet Probing Events

Zhichun Li, Anup Goyal, Yan Chen and Vern Paxson*Lab for Internet and Security Technology (LIST)

Northwestern University* UC Berkeley / ICSI

2

Motivation

Administrators

IPv4 Space

Enterprise

Botnets

Does this attack

specially target us?

Can we answer this question with only limited information observed

locally in the enterprise?

3

Motivation

• Can we infer the probe strategy used by botnets?

• Can we infer whether a botnet probing attack specially targets a certain network, or we are just part of a larger, indiscriminant attack?

• Can we extrapolate botnet global properties given limited local information?

4

Agenda

• Motivation

• Basic framework

• Discover the botnet probing strategies

• Extrapolate global properties

• Evaluation

• Conclusions

5

Botnet Probing Events

Big spikes of larger numbers

of probers mainly caused

by botnets

6

System Framework

See the paper for subtle system details.

Misconfiguration

Botnet

Worm

Global Property

Extrapolation

Misconfiguration Separation

Traffic Classification

Event Extraction

Worm Separation

Botnet with

uniform scan

model

Modelchecking

Monotonictrend checking

Hit listchecking

Uniformitychecking

Independencychecking

Honeynets/Honeyfarms

Traffic

Botnet Detection Subsystem Botnet Inference Subsystem

7

Agenda

• Motivation

• Basic framework

• Discover the botnet probing strategies

• Extrapolate global properties

• Evaluation

• Conclusions

8

Discover the Botnet Probing Strategies

• Use statistical tests to understand probing strategies– Leverage on existing statistical tests

• Monotonic trend checking: detect whether bots probe the IP space monotonically

• Uniformity checking: detect whether bots scan the IP range uniformly.

– Design our own• Hitlist (liveness) checking: detect whether they

avoid the dark IP space• Dependency checking: do the bots scan

independently or are they coordinated?

9

Design Space

No mono trend

W/ monotrend

Hit List Not Hit List

Monotonic Trend Monotonic Trend

Non-Uniform

Non-Uniform

Uniform &Independent

Uniform &Non-independent

Uniform &Non-independent

Uniform &Independent

Partial Monotonic Trend Partial Monotonic Trend

10

Hitlist Checking

• Configure the sensor to be half darknet and half honeynet

• Use metric θ= # src in darknet/ # src in honeynet.

• Threshold 0.5Hit-list

Destination IPs in the sensor

#sc

an

pe

r IP

0 500 1000 2000

02

46

81

0

Uniform random

Destination IPs in the sensor

#sc

an

pe

r IP

0 500 1000 2000

02

46

81

0

11

Agenda

• Motivation

• Basic framework

• Discover the botnet probing strategies

• Extrapolate global properties– Global scan scope, total # of bots, total # of

scans, total scan rate for each bot

• Evaluation

• Conclusions

12

Extrapolate Global Properties: Basic Ideas and Validation

• Observe the packet fields that change with certain patterns in continuous probes.– IPID: a packet field in IP header used for IP

defragmentation – Ephemeral port number: the source port used by bots– Increment for a fixed # per scan

• Validation– IPID continuity: All versions of Windows and MacOS – Ephemeral port number continuity: botnet source code

study• Agobot, Phatbot, Spybot, SDbot, rxBot, etc.

– Control experiments with NAT

13

Estimate Global Scan Rate of Each Bot

• Count the IPID & ephemeral port # changes– Recover the overflow of IPID and ephemeral

port number– Estimate the rate with linear regression when

correlation coefficient > 0.99– Counter overestimation: use less of the two

T

IPID

14

Extrapolate Global Scan Scope

IPv4 Space

Botnets

Total scans from boti: scan rate Ri * scan time Ti = 100*1000=100,000

botini=100

ii

i

TR

n̂

Aggregating multiple bots

Local/global ratio

15

Extrapolate Global # of Bots• Idea: similar to Mark and Recapture• Assumption: All bots have the same global

scan range

BotsTotal M=4000First half m1=1000

Observed by both m12= 250

Second half m2=1000

M=m1*m2/m12

M

m1 m2

m12

16

Agenda

• Motivation

• Basic framework

• Discover the botnet probing strategies

• Extrapolate global properties

• Evaluation

• Conclusions

17

Dataset

• Based on a 10 /24 honeynet in a National Lab (LBNL)

• 293GB packet traces in 24 months (2006-07)• Totally observed 203 botnet probing events

– Average observed #bots/event is 980.

• Mainly on SMB/WINRPC, VNC, Symantec, MSSQL, HTTP, Telnet

• Size of the system: 13,900 lines: Bro (6,000), Python (4,000), C++ (2,500), R (1,400)

18

No mono trend97.0%

W/ monotrend3.0%

Hit List 16.3% (33) Not Hit List 83.7% (170)

Monotonic Trend 0% Monotonic Trend 0%

Non-Uniform2.5% (5)

Non-Uniform

14.2% (29)

Uniform &Independent13.8% (28)Uniform &

Non-independent0%

Uniform &Non-independent

0%

Uniform &Independent66.5% (135)

Partial Monotonic Trend 0% Partial Monotonic Trend 3.0% (6)

• More than 80% uniform scanning

• Validate the results through visualization and find the results are highly accurate.

Property Checking Results

19

Extrapolation Results

• Most of extrapolated global scopes are at /8 size, which means the botnets do not target the enterprise (LBNL).

• Validation based with DShield data– DShield: the largest Internet alert repository– Find the /8 prefixes in DShield with sufficient

source (bots) overlap with the honeynet events• Due to incompleteness of Dshield data, 12 events

validated

– Calculate the scan scope in each /8 based on sensor coverage ratio.

20

Extrapolation Validation

• Define scope factor as max(DShield/Honeynet,Honeynet/DShield)

1.0 1.1 1.2 1.3 1.4

0.2

0.6

scope factor

cum

ula

tive

pro

ba

bili

ty CDF of the scope factor 75% within 1.35 All within 1.5

21

Conclusions

• Develop a set of statistical approaches to assess four properties of botnet probing strategies

• Designed approaches to extrapolate the global properties of a scan event based on limited local view

• Through real-world validation based on DShield, we show our scheme are promisingly accurate

22

Backup

23

Event size distribution

0 2000 6000 10000

0.0

0.4

0.8

# of sources per event

cum

ula

tive

pro

ba

bili

ty

24

Extrapolate the scope

ii

i

TR

n̂

Local/global ratio

Probing time window

Estimate global probing rate

Probes observed

locally

25

Monotonic trend checking

• Goal: detect whether the bots probe the IP space monotonically– E.g. simple sequential probing

• Technique:– Mann-Kendall trend test– Intuition: check whether the aggregated sign value

(sign(Ai+1-Ai)) out of the range of randomness can achieve.

– When most (>80%) senders in an events follow trend we label the events follow trends

26

Uniformity Checking

• Goal: detect whether the botnet scan the IP range uniformly.

• Technique:– Chi-Square test– Intuition: put address into bins. The scan

observed in each bin should be similar. – Significance level of 0.5%

27

Dependency Checking

• Goal: Is the bots try to get out each other’s way?

• Idea: account the number of address receive zero scan and comparing with confidence interval of the independent random case.