Artificial Intelligence and Robotics (slide deck)

Uploaded 30 Nov 2013

SMC 2010, Istanbul, Turkey

Outline

1. Botnet attack
2. PrefixSpan method
3. Results and Analysis
4. Conclusion


Botnet


Honeypots

The CCC DATA set 2009 consists of the access logs of attacks on 94 honeypots over one year (May 1, 2008 to April 30, 2009).

This research observes one of those honeypot sites, running Windows XP+SP1 and Windows 2000.


Coordinated attack

(figure) Malware observed in one coordinated attack: TROJ_QHOST.WT, BKDR_POEBOT.AHP, PE_VIRUT.AV, TSPY_ONLINEG.OPJ, TSPY_KOLABC.CH, TROJ_AGENT.AGSB


Sequential pattern

It is difficult to find frequent sequential patterns of attacks manually in a large access log of attacks.

Sequence_id  Sequence
100          <PE WO TR>
101          <PE TR WO>
102          <BK PE TR TS WO>
103          <TS PE PE TR WO BK>
104          <PE WO TR WO>

Example pattern: <PE TR WO>:4 (contained, in order but not necessarily contiguously, in sequences 101, 102, 103 and 104).


Objective

Discover the frequent sequential attack patterns on the CCC DATA set 2009.



Method

A data mining algorithm discovers the frequent sub-sequences as patterns in a sequence database.

PrefixSpan [1] is an algorithm for efficient mining of sequential patterns in a huge dataset:

No candidate generation

Low cost of computation

1) J. Pei, et al., "PrefixSpan: Mining Sequential Patterns Efficiently by Prefix-Projected Pattern Growth", in Proc. of the 17th Int'l Conf. on Data Engineering (ICDE), pp. 215-224, 2001.

Method (cont.)


Example: Given a sequence database and minimum support threshold 2

Sequence_id  Sequence
100          <PE WO TR>
101          <PE TR WO>
102          <BK PE TR TS WO>
103          <TS PE PE TR WO BK>
104          <PE WO TR WO>

Sequential Patterns
<PE WO>:5, <PE TR>:5, <PE WO TR>:2, <PE TR WO>:4
<WO TR>:2
<TR WO>:4
<TS WO>:2


Method (cont.)

Prefix-projected databases for the example (prefix <PE>, then grown to <PE WO> and <PE TR>; <> is an empty suffix):

Seq. Database         <PE>-projected    <PE WO>-projected   <PE TR>-projected
<PE WO TR>            <WO TR>           <TR>                <>
<PE TR WO>            <TR WO>           <>                  <WO>
<BK PE TR TS WO>      <TR TS WO>        <>                  <TS WO>
<TS PE PE TR WO BK>   <PE TR WO BK>     <BK>                <WO BK>
<PE WO TR WO>         <WO TR WO>        <TR WO>             <WO>

Sequential Patterns grown from prefix <PE>:
<PE>:5
<PE WO>:5
<PE WO TR>:2
<PE TR>:5
<PE TR WO>:4

Length-1 patterns: <PE>:5, <WO>:5, <TR>:5, <BK>:2, and <TS>:2


Method (cont.)

The final result of mining sequential patterns is:

Sequential Patterns
<PE WO>:5, <PE TR>:5, <PE WO TR>:2, <PE TR WO>:4
<WO TR>:2
<TR WO>:4
<TS WO>:2
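As an added worked example (not the authors' code, and not the reference implementation from Pei et al.), the following Python mines the slides' five-sequence database with minimum support 2 by prefix-projected growth and reproduces the patterns listed above. It assumes single-item elements (each event in a sequence is one malware name), which is what the slides' sequences use; `SEQ_DB`, `project`, `prefixspan` and `mine_toy_db` are names chosen here.

```python
# Added example (not the authors' code): a minimal PrefixSpan for sequences of
# single-item elements, run on the toy sequence database from the slides.
from collections import Counter

# Constructed input: the slides' five-sequence database.
SEQ_DB = {
    100: ["PE", "WO", "TR"],
    101: ["PE", "TR", "WO"],
    102: ["BK", "PE", "TR", "TS", "WO"],
    103: ["TS", "PE", "PE", "TR", "WO", "BK"],
    104: ["PE", "WO", "TR", "WO"],
}


def project(sequences, item):
    """Prefix projection: the suffix of each sequence after the FIRST occurrence of item.
    Sequences that do not contain item drop out of the projected database."""
    projected = []
    for seq in sequences:
        if item in seq:
            projected.append(seq[seq.index(item) + 1:])
    return projected


def prefixspan(sequences, min_support, prefix=(), patterns=None):
    """Mine all frequent sequential patterns by prefix-projected growth.
    Support = number of sequences containing the pattern as a subsequence.
    Returns {pattern_tuple: support}. No candidate generation: every frequent
    item found in a projected database extends the prefix by one and recurses."""
    if patterns is None:
        patterns = {}
    counts = Counter()
    for seq in sequences:
        counts.update(set(seq))      # count each item at most once per sequence
    for item, support in sorted(counts.items()):
        if support < min_support:
            continue
        grown = prefix + (item,)
        patterns[grown] = support
        prefixspan(project(sequences, item), min_support, grown, patterns)
    return patterns


def mine_toy_db(min_support=2):
    """Mine the slides' example database; returns {pattern_tuple: support}."""
    return prefixspan(list(SEQ_DB.values()), min_support)


def fmt(pattern):
    return "<" + " ".join(pattern) + ">"


if __name__ == "__main__":
    for pat, sup in sorted(mine_toy_db().items(), key=lambda kv: (len(kv[0]), kv[0])):
        print(f"{fmt(pat)}:{sup}")
```

Running it prints the seven patterns of length 2 and 3 from the slide plus the five length-1 patterns; raising the threshold to 3 drops <WO TR>, <TS WO>, <BK> and <TS>, which is the knob that controls how much of a 15,000-slot honeypot log survives as "frequent".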


Pre-Processing Data

Each time slot of the access log is converted into one sequence of the malware names observed in it:

Slot_id  Sequence of Malware
0        TROJ_SYSTEMHI.BQ
1        BKDR_AGENT.ANHZ UNKNOWN TROJ_SYSTEMHI.BQ BKDR_AGENT.ANHZ UNKNOWN
2        PE_BOBAX.AH
3        PE_BOBAX.AH UNKNOWN BKDR_AGENT.ANHZ
...
15323    PE_VIRUT.AV TROJ_IRCBRUTE.BW WORM_AUTORUN.CZU
15324    UNKNOWN PE_VIRUT.AV PE_VIRUT.AV WORM_AUTORUN.CZU TROJ_IRCBRUTE.BW


Experiment outlines

1. Result of mining
   a. sequential 2-patterns
   b. sequential 3-patterns
2. Distribution of attacks of duplicate 3-patterns (figure 3)
3. Distribution of attacks of non-duplicate 3-patterns (figure 4)
4. Attack pattern based on source IP address and timestamp
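The following Python is an added example, not the authors' pre-processing code, covering two steps of the procedure above on constructed log lines: converting a timestamped access log into per-slot malware sequences like the Slot_id table, and then checking which slots and which source IPs contain a mined 3-pattern within a short window (the per-source-IP and timestamp view of experiment item 4). The log record format, the 30-minute slot length, the 15-minute window and the IP addresses are assumptions made here; the slides do not state the CCC DATA set's record format or slot length. The pattern used, P1.3.29 (TSPY_ONLINEG.OPJ, TROJ_QHOST.WT, BKDR_POEBOT.AHP), is taken from the Honeypot-1 3-pattern results in this deck.

```python
# Added example (not the authors' code): pre-processing an attack access log
# into per-slot malware sequences, then locating a mined 3-pattern per slot
# and per source IP within a short time window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The CCC DATA set's record format is not given on the
# slides; this example ASSUMES one event per line: "<date> <time> <src_ip> <malware>".
SAMPLE_LOG = """\
2008-05-01 00:02:10 192.0.2.10 TSPY_ONLINEG.OPJ
2008-05-01 00:05:41 192.0.2.10 TROJ_QHOST.WT
2008-05-01 00:09:03 198.51.100.7 PE_VIRUT.AV
2008-05-01 00:11:55 192.0.2.10 BKDR_POEBOT.AHP
2008-05-01 00:40:00 203.0.113.5 PE_VIRUT.AV
2008-05-01 00:41:30 203.0.113.5 UNKNOWN
2008-05-01 00:44:12 203.0.113.5 PE_VIRUT.AV
2008-05-01 01:02:00 192.0.2.10 TROJ_QHOST.WT
2008-05-01 05:00:00 192.0.2.10 BKDR_POEBOT.AHP
"""

EPOCH = datetime(2008, 5, 1)      # start of the CCC DATA set 2009 collection period
SLOT = timedelta(minutes=30)      # ASSUMED slot length (not stated on the slides)
P1_3_29 = ("TSPY_ONLINEG.OPJ", "TROJ_QHOST.WT", "BKDR_POEBOT.AHP")  # Honeypot-1 result


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, malware) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src_ip, malware = line.split()
        events.append((datetime.fromisoformat(f"{date} {clock}"), src_ip, malware))
    return sorted(events)


def slot_sequences(events, slot=SLOT, epoch=EPOCH):
    """Slot_id -> ordered list of malware names seen in that slot (the pre-processing table)."""
    slots = defaultdict(list)
    for ts, _src_ip, malware in events:
        slots[int((ts - epoch) // slot)].append(malware)
    return dict(slots)


def is_subsequence(pattern, seq):
    """True if pattern occurs in seq in order, gaps allowed (sequential-pattern containment)."""
    it = iter(seq)
    return all(any(item == x for x in it) for item in pattern)


def slots_matching(slots, pattern):
    """Slot ids whose sequence contains the pattern; its length is the pattern's support in slots."""
    return sorted(slot_id for slot_id, seq in slots.items() if is_subsequence(pattern, seq))


def sources_matching(events, pattern, window=timedelta(minutes=15)):
    """src_ip -> list of (start_time, elapsed_seconds), one per complete in-order
    occurrence of the pattern from that source within `window` of its first item."""
    by_src = defaultdict(list)
    for ts, src_ip, malware in events:
        by_src[src_ip].append((ts, malware))
    hits = defaultdict(list)
    for src_ip, evs in by_src.items():
        for i, (start, first) in enumerate(evs):
            if first != pattern[0]:
                continue
            matched, end = 1, start
            for ts, malware in evs[i + 1:]:
                if matched == len(pattern) or ts - start > window:
                    break
                if malware == pattern[matched]:
                    matched, end = matched + 1, ts
            if matched == len(pattern):
                hits[src_ip].append((start, int((end - start).total_seconds())))
    return dict(hits)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    slots = slot_sequences(events)
    for slot_id, seq in sorted(slots.items()):
        print(slot_id, " ".join(seq))
    print("slots with P1.3.29:", slots_matching(slots, P1_3_29))
    print("sources emitting P1.3.29 within 15 min:", sources_matching(events, P1_3_29))
```

On the constructed log, slot 0 contains P1.3.29 with an unrelated PE_VIRUT.AV from another source interleaved, which is exactly why containment is checked as an ordered subsequence rather than a contiguous run; grouping by source IP then shows the whole pattern arriving from one host in under ten minutes, the short-burst behaviour the deck reports for coordinated attacks.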


1.a. Result of mining sequential 2-patterns (Honeypot-1)

Pattern IDs read P<honeypot>.<length>.<serial>; for example P1.2.1 is the first length-2 pattern of Honeypot-1.

Pattern ID  Pattern                          Frequency (slots/year)
P1.2.1      PE_VIRUT.AV PE_VIRUT.AV          1270
P1.2.2      PE_BOBAX.AK PE_BOBAX.AK          987
P1.2.3      PE_VIRUT.D-1 PE_VIRUT.D-1        519
P1.2.4      PE_VIRUT.AV TSPY_KOLABC.CH       492
P1.2.6      PE_VIRUT.AV WORM_SWTYMLAI.CD     385
P1.2.13     TROJ_QHOST.WT WORM_HAMWEQ.AP     290
P1.2.24     PE_VIRUT.AV BKDR_SDBOT.BU        211
P1.2.28     BKDR_SCRYPT.ZHB BKDR_SDBOT.BU    190
P1.2.36     BKDR_SCRYPT.ZHB PE_VIRUT.AV      156
P1.2.37     BKDR_RBOT.CZO WORM_HAMWEQ.AP     153
P1.2.78     TSPY_ONLINEG.OPJ TROJ_QHOST.WT   90


1.a. Result of mining sequential 2-patterns (cont., Honeypot-2)

Pattern ID  Pattern                          Frequency (slots/year)
P2.2.1      PE_VIRUT.AV PE_VIRUT.AV          1105
P2.2.2      PE_BOBAX.AK PE_BOBAX.AK          913
P2.2.3      PE_VIRUT.D-1 PE_VIRUT.D-1        496
P2.2.4      PE_VIRUT.AV TSPY_KOLABC.CH       459
P2.2.6      PE_VIRUT.AV WORM_SWTYMLAI.CD     383
P2.2.13     WORM_HAMWEQ.AP TROJ_QHOST.WT     270
P2.2.23     PE_VIRUT.AV BKDR_SDBOT.BU        181
P2.2.31     BKDR_SCRYPT.ZHB BKDR_SDBOT.BU    151
P2.2.37     BKDR_SCRYPT.ZHB PE_VIRUT.AV      130
P2.2.38     BKDR_RBOT.CZO WORM_HAMWEQ.AP     127
P2.2.74     TSPY_ONLINEG.OPJ TROJ_QHOST.WT   81

1.b. Result of mining sequential 3-patterns (Honeypot-1)

Pattern ID  Pattern                                          Frequency (slots/year)
P1.3.1      PE_VIRUT.AV PE_VIRUT.AV PE_VIRUT.AV              414
P1.3.2      PE_BOBAX.AK PE_BOBAX.AK PE_BOBAX.AK              286
P1.3.4      TROJ_QHOST.WT WORM_HAMWEQ.AP BKDR_POEBOT.AHP     168
P1.3.7      PE_VIRUT.AV WORM_SWTYMLAI.CD TSPY_KOLABC.CH      134
P1.3.10     PE_VIRUT.AV TSPY_KOLABC.CH WORM_SWTYMLAI.CD      119
P1.3.21     PE_VIRUT.AV BKDR_SDBOT.BU BKDR_VANBOT.HI         82
P1.3.27     BKDR_SCRYPT.ZHB BKDR_SDBOT.BU BKDR_VANBOT.HI     74
P1.3.29     TSPY_ONLINEG.OPJ TROJ_QHOST.WT BKDR_POEBOT.AHP   74
P1.3.30     BKDR_RBOT.CZO WORM_HAMWEQ.AP TROJ_QHOST.WT       73
P1.3.37     PE_VIRUT.AV TSPY_KOLABC.CH TROJ_AGENT.AGSB       67
P1.3.49     BKDR_SCRYPT.ZHB PE_VIRUT.AV BKDR_SDBOT.BU        57

1.b. Result of mining sequential 3-patterns (cont., Honeypot-2)

Pattern ID  Pattern                                          Frequency (slots/year)
P2.3.1      PE_VIRUT.AV PE_VIRUT.AV PE_VIRUT.AV              375
P2.3.2      PE_BOBAX.AK PE_BOBAX.AK PE_BOBAX.AK              234
P2.3.3      PE_VIRUT.AV TSPY_KOLABC.CH WORM_SWTYMLAI.CD      203
P2.3.4      BKDR_POEBOT.AHP WORM_HAMWEQ.AP TROJ_QHOST.WT     162
P2.3.14     PE_VIRUT.AV BKDR_VANBOT.HI BKDR_SDBOT.BU         98
P2.3.15     BKDR_RBOT.CZO WORM_HAMWEQ.AP TROJ_QHOST.WT       93
P2.3.20     PE_VIRUT.AV TSPY_KOLABC.CH TROJ_AGENT.AGSB       80
P2.3.24     BKDR_SCRYPT.ZHB BKDR_VANBOT.HI BKDR_SDBOT.BU     75
P2.3.25     PE_VIRUT.AV TROJ_BUZUS.AGB WORM_SWTYMLAI.CD      74
P2.3.29     TSPY_ONLINEG.OPJ BKDR_POEBOT.AHP TROJ_QHOST.WT   71
P2.3.54     BKDR_SCRYPT.ZHB PE_VIRUT.AV BKDR_SDBOT.BU        46


Figure 3.a: The sequential attack 3-patterns, taken as the distribution form of the botnet's command and control (C&C), captured at Honeypot-1 over a year.


Figure 3.b: The sequential attack 3-patterns, taken as the distribution form of the botnet's command and control (C&C), captured at Honeypot-2 over a year.


Figure 4.a: Distribution of the non-duplicate sequential attack 3-patterns of malware within a year at Honeypot-1. Durations marked on the figure: 20 days, 25 days, 8 days.

Group A:
(P1.3.4) TROJ_QHOST.WT, WORM_HAMWEQ.AP, BKDR_POEBOT.AHP
(P1.3.29) TSPY_ONLINEG.OPJ, TROJ_QHOST.WT, BKDR_POEBOT.AHP
(P1.3.30) BKDR_RBOT.CZO, WORM_HAMWEQ.AP, TROJ_QHOST.WT

Group B:
(P1.3.21) PE_VIRUT.AV, BKDR_SDBOT.BU, BKDR_VANBOT.HI
(P1.3.27) BKDR_SCRYPT.ZHB, BKDR_SDBOT.BU, BKDR_VANBOT.HI
(P1.3.49) BKDR_SCRYPT.ZHB, PE_VIRUT.AV, BKDR_SDBOT.BU

Group C:
(P1.3.37) PE_VIRUT.AV, TSPY_KOLABC.CH, TROJ_AGENT.AGSB


Figure 4.b: Distribution of the non-duplicate sequential attack 3-patterns of malware within a year at Honeypot-2. Durations marked on the figure: 20 days, 25 days, 8 days.

Group A:
(P2.3.29) TSPY_ONLINEG.OPJ, BKDR_POEBOT.AHP, TROJ_QHOST.WT
(P2.3.15) BKDR_RBOT.CZO, WORM_HAMWEQ.AP, TROJ_QHOST.WT
(P2.3.4) BKDR_POEBOT.AHP, WORM_HAMWEQ.AP, TROJ_QHOST.WT

Group B:
(P2.3.54) BKDR_SCRYPT.ZHB, PE_VIRUT.AV, BKDR_SDBOT.BU
(P2.3.24) BKDR_SCRYPT.ZHB, BKDR_VANBOT.HI, BKDR_SDBOT.BU
(P2.3.14) PE_VIRUT.AV, BKDR_VANBOT.HI, BKDR_SDBOT.BU

Group C:
(P2.3.20) PE_VIRUT.AV, TSPY_KOLABC.CH, TROJ_AGENT.AGSB


The common features of the non-duplicate sequential attack 3-patterns are:

These patterns occurred intensively within a short time period.

The number of slots that have been infected is greater than for the duplicate patterns.

Each group of attacks has been performed by multiple 3-patterns, except group C.



4. Attack pattern based on source IP address and timestamp

(figure) Frequency (0 to 70) versus time (s, 0 to 1000) of the malware in two patterns:
Pattern P1.3.29: TSPY_ONLINEG.OPJ, TROJ_QHOST.WT, BKDR_POEBOT.AHP
Pattern P2.3.49: BKDR_SCRYPT.ZHB, PE_VIRUT.AV, BKDR_SDBOT.BU


Conclusion

Coordinated attacks are performed by multiple sequential attack patterns within a short time period.

The sequential pattern of coordinated attacks tends to change all the time.

The types of malware do not have high operating-system dependency, but the sequence of malware within a pattern does depend on the operating system.

The PrefixSpan method sufficiently discovers all sequential attack patterns.

This result gives several behaviors useful for alerting on threats of botnet attacks.