BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke Lee PUBLICATION: USENIX Security Symposium, 2007. PRESENTATION BY : Bharat Soundararajan
Page 1: BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke.

BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION

AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke Lee

PUBLICATION: USENIX Security Symposium, 2007.

PRESENTATION BY: Bharat Soundararajan

Page 2:

INTRODUCTION

BotHunter is a network perimeter monitoring system for detecting bot activity

It tracks the two-way communication between internal assets and external entities

A dialog correlator in BotHunter ties these communications together; the resulting sequence of evidence is matched against a botnet infection model

Page 3:

BOTNET INFECTION SEQUENCE

Propagates through remote exploit injection, e.g. NetBIOS (139), MyDoom (3127), DameWare (6129)

After infection the victim host downloads the full Phatbot binary

The bot inserts itself into the boot process and turns security processes off

Connection to the C&C server; the infected host now acts as a bot

Page 4:

MODEL OF THE DIALOG PROCESS

Page 5:

BOT INFECTION DECLARATION

Condition 1:

Evidence of local host infection (E2) and evidence of outward bot coordination or attack propagation (E3-E5)

Condition 2:

At least two distinct signs of outward bot coordination or attack propagation (E3-E5)

Page 6:

BOTHUNTER SYSTEM ARCHITECTURE

Snort is used for detection

Extra plug-ins, SCADE and SLADE, are added to Snort

A network dialog correlation matrix is the central data structure

Bot infection profiles are reported to a remote repository

Reporting uses TLS over Tor (onion routing protocol)

Page 7:

BOTHUNTER SYSTEM ARCHITECTURE

Page 8:

SCADE (Statistical Scan Anomaly Detection Systems)

Inbound scan detection

Specifically weighted towards the ports often used by malware

Memory usage is proportional to the number of inside hosts

Counts failed connection attempts on each port

Ports are classified in BotHunter as:

1) Highly vulnerable ports: 80 (HTTP), 445 (NetBIOS), 26 (TCP), 4 (UDP)

2) Low vulnerable ports

Page 9:

SCADE (Statistical Scan Anomaly Detection Systems)

Inbound scan detection: S = W1 * Fhs + W2 * Fls

where W1 = weight of high-severity ports

W2 = weight of low-severity ports

Fhs = number of connection failures on high-severity ports

Fls = number of connection failures on low-severity ports

Page 10:

SCADE (Statistical Scan Anomaly Detection Systems)

Outbound scan detection: S = (W1 * Fhs + W2 * Fls) / C

where W1 = weight of high-severity ports

W2 = weight of low-severity ports

Fhs = number of connection failures on high-severity ports

Fls = number of connection failures on low-severity ports

C = total number of scans from the host within the time window
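The two SCADE formulas above, applied to a constructed connection log. This is an added example in Python and not the BotHunter project's code: the high-severity port set, the weights W1 and W2, the window length, the threshold and the sample attempts are all assumed values chosen for illustration, not BotHunter's real configuration.

```python
# Added example (Python), not BotHunter's code: SCADE-style inbound and
# outbound scan scores over constructed connection attempts.
from dataclasses import dataclass

# Assumed severity classes, modelled on ports named in the slides; every
# other port is treated as low severity.
HIGH_SEVERITY_PORTS = {80, 139, 445, 3127, 6129}
W1 = 3.0        # assumed weight for failures on high-severity ports
W2 = 1.0        # assumed weight for failures on low-severity ports
WINDOW = 60.0   # assumed observation window, in seconds
OUTBOUND_THRESHOLD = 1.0  # assumed alert threshold for the normalised score


@dataclass(frozen=True)
class Attempt:
    t: float       # seconds since the window opened
    src: str
    dst: str
    port: int
    failed: bool   # True when the attempt was refused or went unanswered


# Constructed log: one external source probing inside hosts (inbound case)
# and one internal host probing outward (outbound case).
ATTEMPTS = [
    Attempt(1.0,  "198.51.100.9", "192.168.1.10", 445, True),
    Attempt(1.5,  "198.51.100.9", "192.168.1.11", 445, True),
    Attempt(2.0,  "198.51.100.9", "192.168.1.12", 139, True),
    Attempt(2.5,  "198.51.100.9", "192.168.1.13", 8080, True),
    Attempt(3.0,  "198.51.100.9", "192.168.1.14", 80, False),
    Attempt(10.0, "192.168.1.20", "203.0.113.7", 445, True),
    Attempt(11.0, "192.168.1.20", "203.0.113.8", 445, True),
    Attempt(12.0, "192.168.1.20", "203.0.113.9", 22, True),
    Attempt(13.0, "192.168.1.20", "203.0.113.10", 22, False),
    Attempt(90.0, "192.168.1.20", "203.0.113.11", 445, True),  # outside window
]


def failure_counts(attempts, src, window_start=0.0):
    """Return (Fhs, Fls, C) for one source within [window_start, window_start + WINDOW)."""
    fhs = fls = c = 0
    for a in attempts:
        if a.src != src or not (window_start <= a.t < window_start + WINDOW):
            continue
        c += 1                       # every attempt counts towards C
        if not a.failed:
            continue
        if a.port in HIGH_SEVERITY_PORTS:
            fhs += 1
        else:
            fls += 1
    return fhs, fls, c


def inbound_score(attempts, external_src):
    """Inbound scan score S = W1*Fhs + W2*Fls for an external source."""
    fhs, fls, _ = failure_counts(attempts, external_src)
    return W1 * fhs + W2 * fls


def outbound_score(attempts, internal_src):
    """Outbound scan score S = (W1*Fhs + W2*Fls) / C, normalised by the host's
    total attempts C in the window; 0.0 when the host made no attempts."""
    fhs, fls, c = failure_counts(attempts, internal_src)
    return (W1 * fhs + W2 * fls) / c if c else 0.0


def outbound_alert(attempts, internal_src):
    """True when the normalised outbound score crosses the assumed threshold."""
    return outbound_score(attempts, internal_src) > OUTBOUND_THRESHOLD


if __name__ == "__main__":
    print("inbound  198.51.100.9:", inbound_score(ATTEMPTS, "198.51.100.9"))
    print("outbound 192.168.1.20:", outbound_score(ATTEMPTS, "192.168.1.20"),
          "alert" if outbound_alert(ATTEMPTS, "192.168.1.20") else "quiet")
```

Dividing by C in the outbound case is what keeps a busy but healthy server (many attempts, few failures) below the threshold while a host sweeping many closed ports scores high on both counts.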

Page 11:

SLADE (Statistical Payload Anomaly Detection Engine)

1-gram payload model: the occurrence frequency of each of the 256 possible byte values in the payload

Examines every request packet sent to the monitored services and outputs an alert if it deviates from the normal profile

An n-gram model would improve accuracy and make evasion harder, e.g. against polymorphic worms
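A 1-gram payload profile of the kind the slide describes, as an added Python example rather than SLADE's own implementation: it learns per-byte frequency statistics from constructed "normal" requests and scores new payloads by their deviation. The training requests, the simplified Mahalanobis distance, the smoothing constant ALPHA and the threshold rule are all assumptions made for this illustration.

```python
# Added example (Python), not SLADE's code: a 1-gram (byte frequency) profile
# of normal request payloads and an anomaly score for new payloads.
import math

ALPHA = 0.001  # assumed smoothing term: a byte never seen in training still scores


def byte_frequencies(payload):
    """Relative frequency of each of the 256 possible byte values (the 1-gram)."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload) or 1
    return [c / n for c in counts]


class OneGramProfile:
    def __init__(self):
        self.mean = [0.0] * 256
        self.std = [0.0] * 256
        self.threshold = 0.0

    def train(self, payloads):
        """Per-byte mean and population standard deviation over training payloads."""
        freqs = [byte_frequencies(p) for p in payloads]
        n = len(freqs)
        for i in range(256):
            col = [f[i] for f in freqs]
            m = sum(col) / n
            self.mean[i] = m
            self.std[i] = math.sqrt(sum((x - m) ** 2 for x in col) / n)
        # Assumed threshold rule: three times the largest self-score of the
        # training set, so every training request is itself "normal".
        self.threshold = 3.0 * max(self.score(p) for p in payloads)

    def score(self, payload):
        """Simplified Mahalanobis distance: sum_i |f_i - mean_i| / (std_i + ALPHA)."""
        f = byte_frequencies(payload)
        return sum(abs(f[i] - self.mean[i]) / (self.std[i] + ALPHA) for i in range(256))

    def is_anomalous(self, payload):
        return self.score(payload) > self.threshold


# Constructed "normal" requests to a hypothetical web service.
NORMAL_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    b"GET /cart.html HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    b"GET /login.html HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=alice&pw=x",
]
# Constructed test payloads: one ordinary request and one consisting mostly of
# non-text bytes the service never sees in normal traffic.
PROBE_REQUEST = b"GET /help.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"
ODD_REQUEST = b"GET /" + bytes(range(128, 256)) * 3 + b" HTTP/1.1\r\n"


def build_profile():
    profile = OneGramProfile()
    profile.train(NORMAL_REQUESTS)
    return profile


if __name__ == "__main__":
    p = build_profile()
    for name, req in (("probe", PROBE_REQUEST), ("odd", ODD_REQUEST)):
        print(name, round(p.score(req), 1), "anomalous" if p.is_anomalous(req) else "normal")
```

Because the profile only looks at single-byte frequencies, a payload that keeps the same byte distribution as normal traffic while carrying different content scores low; that is the weakness the slide's n-gram remark and the "disadvantages" slide refer to.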

Page 12:

NETWORK DIALOG CORRELATION MATRIX

[Figure: the correlation matrix. Columns: Time, Host, Timer, E1, E2, E3, E4, E5. Rows shown, with the figure's placeholder alert identifiers:
192.168.12.1: soft timer; alerts Aa…Ab
192.168.10.45: hard timer; alerts Ac…Ad, Ae…Af
192.168.10.66: hard timer; alerts Ag, Ah…Ai, Aj…
192.168.12.46: hard timer
…192.168.11.123: hard & soft timers; alerts Al, Am…An, Ao]

Page 13:

NETWORK DIALOG CORRELATION MATRIX

Dynamically allocated row: summary of one internal host's dialog with external entities

Cell: one or more sensor alerts that map into one of the five evidence columns (E1-E5)

Correlation matrix: grows dynamically when new activity involving a local host is detected, and rows expire

Timers are set to expire the observation window

Page 14:

TYPES OF TIMERS

HARD PRUNE TIMERS (filled clocks): a fixed temporal interval over which alerts are allowed to aggregate

After evaluation, it leads to either a bot declaration or the complete removal of that dialog trace

SOFT PRUNE TIMERS (open-faced clocks): a smaller time window that lets users configure tighter interval requirements

Inbound scan warnings are expired more quickly, by the soft prune interval

Page 15:

BOT DECLARATION

An expectation table is compared with the values obtained from the calculation

When the dialog sequence crosses the threshold, this leads to either a bot declaration or a non-bot declaration
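The correlation matrix, its two timer types and the two declaration conditions from the earlier slides, put together in one small added Python example (not the BotHunter project's code). The timer lengths, the alert names, the mapping of the constructed trace onto E1-E5, and the "one profile per infection" handling are assumptions for illustration.

```python
# Added example (Python), not BotHunter's code: a dialog correlation matrix
# with per-host rows, E1..E5 cells, hard and soft prune timers, and the two
# bot-declaration conditions.
from dataclasses import dataclass, field

HARD_PRUNE = 3600.0  # assumed hard prune window (seconds) for a dialog trace
SOFT_PRUNE = 600.0   # assumed soft prune window for E1 inbound-scan warnings
STAGES = ("E1", "E2", "E3", "E4", "E5")
OUTWARD = ("E3", "E4", "E5")   # outward coordination / attack propagation


@dataclass
class DialogRow:
    host: str
    opened: float    # time the row was allocated (starts the hard timer)
    cells: dict = field(default_factory=lambda: {s: [] for s in STAGES})

    def soft_prune(self, now):
        """Inbound-scan warnings (E1) expire on the shorter soft interval."""
        self.cells["E1"] = [(t, a) for t, a in self.cells["E1"] if now - t <= SOFT_PRUNE]

    def hard_expired(self, now):
        return now - self.opened >= HARD_PRUNE

    def meets_declaration(self):
        """Condition 1: E2 plus at least one of E3-E5.
        Condition 2: at least two distinct stages among E3-E5."""
        outward = [s for s in OUTWARD if self.cells[s]]
        cond1 = bool(self.cells["E2"]) and len(outward) >= 1
        cond2 = len(outward) >= 2
        return cond1 or cond2

    def profile(self):
        """Bot infection profile: the evidence that supported the declaration."""
        return {s: [a for _, a in self.cells[s]] for s in STAGES if self.cells[s]}


class CorrelationMatrix:
    def __init__(self):
        self.rows = {}       # host -> DialogRow, allocated on first activity
        self.declared = {}   # host -> profile; one profile per infection

    def observe(self, now, host, stage, alert):
        """Record a sensor alert for an internal host and evaluate its row."""
        row = self.rows.get(host)
        if row is None:
            row = self.rows[host] = DialogRow(host, now)
        row.cells[stage].append((now, alert))
        row.soft_prune(now)
        if row.meets_declaration():
            self.declared[host] = row.profile()
            del self.rows[host]      # trace is complete; emit one profile only
            return True
        return False

    def tick(self, now):
        """Run the timers: soft-prune E1 in every row, drop hard-expired rows."""
        for host, row in list(self.rows.items()):
            row.soft_prune(now)
            if row.hard_expired(now):
                del self.rows[host]


# Constructed alert trace: (time, internal host, evidence stage, alert name).
TRACE = [
    (0.0,   "192.168.10.45", "E1", "inbound scan warning"),
    (5.0,   "192.168.12.46", "E1", "inbound scan warning"),
    (30.0,  "192.168.10.45", "E2", "inbound exploit signature"),
    (120.0, "192.168.10.45", "E4", "C&C channel traffic"),
    (200.0, "192.168.10.66", "E3", "egg download"),
    (260.0, "192.168.10.66", "E5", "outbound scan"),
]


def run_trace(trace, final_time=4000.0):
    m = CorrelationMatrix()
    for t, host, stage, alert in trace:
        m.observe(t, host, stage, alert)
    m.tick(final_time)     # let the remaining rows expire
    return m


if __name__ == "__main__":
    m = run_trace(TRACE)
    for host, prof in m.declared.items():
        print("BOT", host, prof)
    print("open rows after expiry:", list(m.rows))
```

In the trace, 192.168.10.45 is declared by condition 1 (E2 followed by E4) and 192.168.10.66 by condition 2 (E3 and E5), while 192.168.12.46, which only ever produced an inbound scan warning, loses that warning to the soft timer and is then removed by the hard timer without a declaration.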

Page 16:

Figure 6: SCORING PLOTS: 2019 real bot infections

Page 17:

EXPERIMENTS AND RESULTS

Bot                           E1         E2              E3        E4          E5
agobot                        Yes(2/2)   Yes(9/8)        Yes(6/6)  Yes(38/8)   Yes(4/1)
Phatbot-alpha5                Yes(14/4)  Yes(5785/5721)  Yes(3/3)  Yes(28/26)  Yes(4/2)
Phatbot-rls                   Yes(11/3)  Yes(2834/46)    Yes(8/8)  Yes(69/20)  Yes(6/2)
Rbot 0.6.6                    No(0)      Yes(2/1)        Yes(2/2)  Yes(65/24)  Yes(2/1)
Rx-asn-2-re-worked version2   No(0)      Yes(2/2)        Yes(2/2)  Yes(70/27)  Yes(2/1)
Rxbot                         No(0)      Yes(4/3)        Yes(2/2)  Yes(59/18)  Yes(2/1)
Sxbot                         No(0)      Yes(3/2)        Yes(2/2)  Yes(73/26)  Yes(2/1)

Yes/No indicates whether a dialog warning was raised; the pair in parentheses is (number of dialog warnings in total / number of warnings involving the victim)

Page 18:

RESULTS IN LIVE DEPLOYMENT

http://www.cyber-ta.org/malware-analysis/public

Website stats (Spotlight: Top 50 ISP infection sources):

Active period reported: 245 days

Botnet attacks detected: 23895

Botnet C&C channels witnessed: 175

Botnet DNS lookups witnessed: 8496

Page 19:

ADVANTAGES

Only one bot profile is generated per infection

Presented an analysis of BotHunter against more than 2000 recent bot infection experiences

Remote repository for global collection and evaluation of bot activity

Page 20:

DISADVANTAGES

Bots could use encrypted communication channels for C&C

The correlator does not adapt to botnets capable of stealth scanning

It does not cope with polymorphic malware, since SLADE uses a 1-gram payload model

Page 21:

THANK YOU
