Yan Chen, Northwestern Lab for Internet and Security Technology (LIST), Dept. of Electrical Engineering and Computer Science, Northwestern University. Network-based Botnet Detection: Filtering, Containment, and Destruction. Motorola Liaisons: Z. Judy Fu and Philip R. Roberts, Motorola Labs.

Posted 19-Dec-2015, Category: Documents

Page 1: Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University .

Yan Chen

Northwestern Lab for Internet and Security Technology (LIST)

Dept. of Electrical Engineering and Computer Science

Northwestern University

http://list.cs.northwestern.edu

Network-based Botnet Detection Filtering,

Containment, and Destruction

Motorola Liaisons

Z. Judy Fu and Philip R. Roberts

Motorola Labs

Page 2:

New Internet Attack Paradigm

• Botnets have become the major attack force

• Symantec identified an average of about 10,000 bot-infected computers per day

• # of Botnets - increasing

• Bots per Botnet - decreasing

– Used to be 80k-140k, now 1000s

• More firepower:

– Broadband (1Mbps Up) x 100s = OC3

• More stealthy

– Polymorphic, metamorphic, etc.

• Residential users, e.g., cable modem users, are particularly susceptible due to poor maintenance

Page 3:

Birth of a Bot

• Bots are born from program binaries that infect your PC

• Various vulnerabilities can be used

– E-mail viruses

– Shellcode (scripts)

Page 4:

Botnet Distribution

Page 5:

Project Goal

• Understand the trend of vulnerabilities and exploits used by the botnets in the wild

• Design vulnerability based botnet detection and filtering system

– Deployed at routers/base stations w/o patching the end users

– Complementary to the existing intrusion detection/prevention systems

– Can also contain the botnets from infecting inside machines

• Find the command & control (C&C) of botnets and destroy it

Page 6:

Limitations of Exploit Based Signature

Diagram: traffic filtering between the Internet and our network using the exploit-based signature "10.*01"; the sample payloads 1010101, 10111101, 11111100 and 00010111 show that variants of the same exploit do not all match the signature.

• Polymorphic worm might not have an exact exploit-based signature

• Polymorphism!

Page 7:

Vulnerability Signature

• Work for polymorphic worms

• Work for all the worms which target the same vulnerability

Diagram: vulnerability signature traffic filtering at the boundary between the Internet and our network, matching on the vulnerability rather than on a specific exploit.

Page 8:

Emerging Botnet Vulnerability and Exploit Analysis

• Large operational honeynet dataset

• Massive dataset on the botnet scan with payload

• Preliminary analysis shows that the number of new exploits outpaces the number of new vulnerabilities.

              LBL         NU
Sensor        5 /24       10 /24
Traces        883GB       287GB
Duration      37 months   7 months

Page 9:

Vulnerability based Botnet Filtering/Containment

• Vulnerability Signature IDS/IPS framework

• Detect and filter incoming botnet

• Contain inside bots and quarantine infected customer machines

Processing pipeline (diagram):

Packet Sniffing -> TCP Reassembly -> Protocol Identification (port# or payload) -> Protocol Parsing -> Vulnerability Signature Matching (single matcher matching; combine multiple matchers)
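To make the contrast of pages 6, 7 and 9 concrete, here is an added example (not from the slides or the LIST project) in which a reassembled request line is parsed and checked against both an exploit-based byte signature and a protocol semantic (vulnerability) signature. The protocol, the URI buffer limit of 64 bytes and all sample flows are constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed, constructed limit: URI buffer size of a hypothetical vulnerable
# server. Anything longer overflows it, whatever bytes fill the field.
URI_MAX = 64

@dataclass
class Request:
    method: str
    uri: str
    version: str

def parse_request_line(payload: bytes) -> Optional[Request]:
    """Protocol parsing step: split a reassembled request line into fields."""
    line, _, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3:
        return None  # malformed request line: nothing to match on
    return Request(*(p.decode("latin-1") for p in parts))

# Exploit-based signature: a byte pattern lifted from one observed instance
# (a long run of 'A' filler). Changing the filler evades it.
EXPLOIT_SIG = re.compile(rb"GET /A{40,}")

def match_exploit_signature(payload: bytes) -> bool:
    return EXPLOIT_SIG.search(payload) is not None

def match_vulnerability_signature(payload: bytes) -> bool:
    """Protocol semantic signature: the condition that triggers the bug
    (URI longer than the buffer), independent of the payload bytes."""
    req = parse_request_line(payload)
    return req is not None and len(req.uri) > URI_MAX

def classify(payload: bytes) -> dict:
    """Run both matchers over one reassembled flow and report the verdicts."""
    return {"exploit_sig": match_exploit_signature(payload),
            "vuln_sig": match_vulnerability_signature(payload)}

# Constructed sample flows, not real traffic.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
VARIANT_A = b"GET /" + b"A" * 100 + b" HTTP/1.0\r\n\r\n"   # instance the exploit signature came from
# Same overlong URI, filler re-encoded as different printable bytes (no spaces).
FILLER = bytes((i * 37 + 11) % 93 + 33 for i in range(100))
VARIANT_B = b"GET /" + FILLER + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, flow in [("benign", BENIGN), ("variant A", VARIANT_A), ("variant B", VARIANT_B)]:
        print(name, classify(flow))
```

Variant B slips past the exploit signature but still trips the vulnerability signature, which is the property the slides rely on to cover every exploit of one vulnerability with a single rule.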

Page 10:

Residential Access: Cable Modems

Diagram: http://www.cabledatacomnews.com/cmic/diagram.html

Page 11:

Snort Rule Data Mining

                  Netbios   HTTP    Oracle   SUNRPC   Remaining   Total
Rule%             55.3%     25.8%   5.3%     2.3%     11.3%       100%
PSS%              99.9%     56.0%   96.6%    100%     84.7%       86.7%
Reduction Ratio   67.6      1.2     1.6      2.6      1.7         4.5

• Exploit Signature to Vulnerability Signature reduction ratio

PSS means Protocol Semantic Signature.

NetBios rules include the rules from the WINRPC, SMB and NetBIOS protocols.

Page 12:

Preliminary Results

• Experiment Setting

– PC XEON 3.8GHz with 4GB memory

– Real traffic after TCP reassembly, preloaded into memory

• Experiment Results

                           HTTP        WINRPC
Trace size                 558MB       468MB
#flows                     580K        743K
#PSS Signatures            791         45
#Snort Rule Covered        974         2000+
Parsing Speed              2.893Gbps   15.186Gbps
Parsing + Matching speed   1.033Gbps   13.897Gbps