11/20/09 ONR MURI Project Kick-Off 1

Network-Level Monitoring for Tracking Botnets

Nick Feamster

School of Computer Science

Georgia Institute of Technology

ONR MURI N000140911042

Project Kick-off Meeting

November 20, 2009

Two Problems: From Axioms to Theories to Practice

• Problem #1: Tracking Bots
  – Bots are compromised computers
  – Bot traffic is not sent/authorized by users
    • Correlating host activities

• Problem #2: Tracking Network Agility (BGP & DNS)
  – Bots are long-term resources
    • Reuse, mechanisms/protocols to support agility

Problem #1: Tracking Bot Propagation

• Malware enters the enterprise over the network (e.g., remote exploit, Web application) or via a mobile device.

• Administrators rely on virus scanners, AV, etc.
  – Problem: Payloads may change; it is hard to keep AV up-to-date

Axiom: Bot traffic is not sent by humans/users.

Annotate Traffic with Provenance

• Idea: Annotate network traffic with “taints”
  – The process that generated the traffic
  – Inputs that the process has taken (i.e., what other resources it has read)

• As malware spreads, traffic accumulates a common set of taints.
  – Identify taints corresponding to bad operation
  – Block traffic if it carries a known bad taint

Theory: We can trace botnet traffic based on how it was sent, not what the botnet is sending.

Pedigree Design

• Trusted tagging component on host

• Arbiter on network switch

Practice: Tag traffic with provenance; block traffic at network switches.

NSF-TC 0916732: Taint-Based Information Tracking in Networked Systems

Student: Anirudh Ramachandran

Status and Challenges

• Status
  – Implementation and application to information-flow control in enterprises

• Challenges
  – Discover taints corresponding to the malware
  – Defend against attacks on the taint set (e.g., overflow)
  – Protecting integrity of tagger
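A toy model of the Pedigree design described on the two slides above (host-side tagger, switch-side arbiter), written as an added example rather than the project's code: taints follow process inheritance and file reads, the arbiter drops traffic carrying a known-bad taint, and the taint set is bounded so that flooding it with benign reads (the "overflow" challenge) fails closed instead of evicting the bad taint. `MAX_TAINTS`, the label scheme and the scenario in `demo()` are assumptions.

```python
from dataclasses import dataclass, field

MAX_TAINTS = 8                 # assumed bound on a process's taint set
OVERFLOW = "taint:overflow"    # sticky marker set once the bound is exceeded

@dataclass
class Tagger:
    """Trusted host-side component: records what each process has consumed."""
    taints: dict = field(default_factory=dict)   # pid -> set of taint labels

    def start(self, pid, image):
        # a fresh process is tainted by the executable image it runs
        self.taints[pid] = {f"exe:{image}"}

    def spawn(self, parent, child, image):
        # a child inherits everything its parent was tainted with
        self.taints[child] = set(self.taints[parent]) | {f"exe:{image}"}

    def read(self, pid, resource):
        # each input the process reads joins its provenance
        s = self.taints[pid]
        s.add(f"file:{resource}")
        if len(s) > MAX_TAINTS:
            # overflow defence: do not evict older taints (which would let
            # malware launder its provenance); collapse to a marker instead
            s.clear()
            s.add(OVERFLOW)

    def tag(self, pid):
        """Provenance attached to a packet sent by process pid."""
        return frozenset(self.taints[pid])

class Arbiter:
    """Switch-side policy point: forward only traffic free of bad taints."""
    def __init__(self, bad_taints):
        self.bad = set(bad_taints) | {OVERFLOW}   # fail closed on overflow

    def allow(self, packet_taints):
        return not (packet_taints & self.bad)

def demo():
    """Constructed scenario: a browser launches a downloaded binary."""
    t = Tagger()
    t.start(1, "browser")
    t.read(1, "/home/user/report.pdf")
    t.spawn(1, 2, "updater")             # launched from the browser
    t.read(2, "/tmp/dropper.bin")        # constructed: the known-bad input
    t.spawn(2, 3, "mailer")              # the malware's child keeps the taint
    arb = Arbiter(bad_taints={"file:/tmp/dropper.bin"})
    return {pid: arb.allow(t.tag(pid)) for pid in (1, 2, 3)}
```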

Problem #2: Tracking Network Agility

• DNS: Remap DNS names to new IP addresses
  – Fast-flux / Double-flux

• BGP: Hijack IP address space
  – Allow hosts to operate from new IP addresses

Axiom: Botnets have only finite resources. These resources must be reused or recycled.

Example: DNS Agility

Theory: Rates of change are much faster than for legitimate load-balanced sites.

Maria Konte et al., “Dynamics of Online Scam Hosting Infrastructure”, PAM 2009. Best Paper.

Rates of Change

• Domains that exhibit fast flux change more rapidly than legitimate domains

• Rates of change are inconsistent with actual TTL values

Theory: Rates of change are faster than for legitimate load-balanced sites.
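The rate-of-change check from the slide above, as an added example that is not code from the project or the PAM 2009 paper: from passive-DNS samples it counts how often a domain's A-record set changes and flags domains whose mean change interval is shorter than their own TTL (so the changes are inconsistent with what the TTL advertises). The sample data, the thresholds and the exact feature definitions are assumptions.

```python
from collections import defaultdict

MIN_CHANGES = 3        # assumed thresholds; not the paper's values
MIN_DISTINCT_IPS = 5

# Constructed passive-DNS samples taken every 120 s: (t, domain, TTL, A records)
OBS = [
    (0,   "cdn.example",  60,  {"198.51.100.1", "198.51.100.2"}),
    (120, "cdn.example",  60,  {"198.51.100.2", "198.51.100.1"}),
    (240, "cdn.example",  60,  {"198.51.100.3", "198.51.100.1"}),
    (360, "cdn.example",  60,  {"198.51.100.3", "198.51.100.1"}),
    (480, "cdn.example",  60,  {"198.51.100.3", "198.51.100.1"}),
    (0,   "flux.example", 300, {"203.0.113.10", "203.0.113.11"}),
    (120, "flux.example", 300, {"203.0.113.12", "203.0.113.13"}),
    (240, "flux.example", 300, {"203.0.113.14", "203.0.113.10"}),
    (360, "flux.example", 300, {"203.0.113.15", "203.0.113.16"}),
    (480, "flux.example", 300, {"203.0.113.17", "203.0.113.18"}),
]

def flux_features(observations):
    """Per-domain rate-of-change features from passive-DNS samples."""
    by_dom = defaultdict(list)
    for t, dom, ttl, ips in sorted(observations, key=lambda r: (r[1], r[0])):
        by_dom[dom].append((t, ttl, frozenset(ips)))
    feats = {}
    for dom, rows in by_dom.items():
        distinct = set().union(*(r[2] for r in rows))
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a[2] != b[2])
        span = rows[-1][0] - rows[0][0]
        feats[dom] = {
            "distinct_ips": len(distinct),
            "changes": changes,
            "ttl": rows[-1][1],
            # mean seconds between observed A-record changes
            "mean_change_interval": span / changes if changes else float("inf"),
        }
    return feats

def suspected_flux(observations):
    """Domains whose A records change faster than their own TTL would allow."""
    hits = []
    for dom, f in flux_features(observations).items():
        outruns_ttl = f["mean_change_interval"] < f["ttl"]
        if (outruns_ttl and f["changes"] >= MIN_CHANGES
                and f["distinct_ips"] >= MIN_DISTINCT_IPS):
            hits.append(dom)
    return sorted(hits)
```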

Fingerprinting DNS Agility

• Step 1 (simple idea)
  – Changes to name server assignment
  – Characteristics of new domains

• Step 2: Graph comparison
  – Lookups from recursive resolvers to “fresh” domains will look similar
  – Build fingerprints based on graph and point-set comparison techniques

Practice: Develop “fingerprints” of DNS dynamics. Identify underlying infrastructure, not attacks.

Student: Shuang Hao

~ 10 minutes

Example: BGP Agility

• Hijack address space, send spam, withdraw prefix

[Figure: example prefixes and announcing ASes from the slide: 61.0.0.0/8 (AS 4678), 66.0.0.0/8 (AS 21562), 82.0.0.0/8 (AS 8717)]

Theory: Different prefixes follow similar patterns.

Anirudh Ramachandran et al., “Understanding the Network-Level Behavior of Spammers”, SIGCOMM 2006. Best Student Paper.

Fingerprinting BGP Agility

[Figure: suspicious-prefix discovery pipeline. Inputs: Spam Trap and BGP Feed, joined into Spam Prefix & Origin AS. Heuristics applied: Bogus AS, IAR Recently Registered, Scam Hosting, New Prefixes.]

Practice: Bootstrap suspicious prefix discovery. Look for “similar” prefixes.

Student: Maria Konte
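The announce / send spam / withdraw pattern from the BGP agility slide and the bootstrap step on this slide, as an added example that is not code from the project or the SIGCOMM 2006 paper: it pairs announcements with withdrawals in a BGP update feed and reports the short-lived prefixes from which spam-trap connections arrived while they were announced, giving a seed set of suspicious (prefix, origin AS) pairs. The update feed, spam log and `MAX_LIFETIME` are constructed assumptions.

```python
import ipaddress

MAX_LIFETIME = 3600   # assumed: announcements shorter than this are "short-lived"

# Constructed BGP update feed: (t, prefix, origin AS, "A"nnounce / "W"ithdraw)
UPDATES = [
    (0,    "198.51.100.0/24", 64500, "A"),   # legitimate, stays announced
    (100,  "203.0.113.0/24",  64496, "A"),   # up for ten minutes only
    (700,  "203.0.113.0/24",  64496, "W"),
    (5000, "192.0.2.0/24",    64497, "A"),   # up for five minutes only
    (5300, "192.0.2.0/24",    64497, "W"),
]
# Constructed spam-trap log: (t, source IP of the connection)
SPAM = [(150, "203.0.113.7"), (400, "203.0.113.9"), (600, "203.0.113.250"),
        (800, "203.0.113.7"), (300, "198.51.100.4"), (5100, "192.0.2.77")]

def announcement_windows(updates):
    """Pair each announcement with its withdrawal: (prefix, asn, start, end)."""
    open_, windows = {}, []
    for t, pfx, asn, kind in sorted(updates):
        if kind == "A":
            open_[(pfx, asn)] = t
        elif (pfx, asn) in open_:
            windows.append((pfx, asn, open_.pop((pfx, asn)), t))
    for (pfx, asn), t in open_.items():
        windows.append((pfx, asn, t, None))      # still announced at end of feed
    return windows

def short_lived_spam_prefixes(updates, spam, max_lifetime=MAX_LIFETIME):
    """Prefixes announced only briefly while spam arrived from inside them."""
    found = {}
    for pfx, asn, start, end in announcement_windows(updates):
        if end is None or end - start > max_lifetime:
            continue                             # long-lived: not this pattern
        net = ipaddress.ip_network(pfx)
        # spam hits are counted only inside the announcement window, so a hit
        # from the same address after the withdrawal (t=800) is not attributed
        n = sum(1 for t, ip in spam
                if start <= t <= end and ipaddress.ip_address(ip) in net)
        if n:
            found[(pfx, asn)] = {"spam": n, "lifetime": end - start}
    return found
```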