Control Behavior Tracing


Nov 30, 2013


C&C Tracer: Botnet Command and Control Behavior Tracing

2013/10/28

Presenter: 羅傑聘 (102064529)

Outline

Basic Information
Problems to Solve
C&C Tracer
Experiment Results
Discussion

1/16

Basic Information

Title: C&C Tracer: Botnet Command and Control Behavior Tracing

Authors: Meng-Han Tsai, Chang-Cheng Lin, Ching-Hao Mao (Institute for Information Industry, Project Resource Division); Huey-Ming Lee (Chinese Culture University)

Publication: Systems, Man, and Cybernetics (SMC), IEEE International Conference

Year: 2011

Cited (Google): 1

2/15

Problems to Solve

Botnet command and control (C&C) behavior is becoming more dynamic and rapid, so it is difficult to capture Botnet behavior in real time.

In practical analysis, scalability and real-time operation are the two important issues.

Reducing the latency of C&C behavior tracing could improve detection coverage when C&C behaviors change rapidly.

3/15


C&C Tracer

A Botnet C&C behavior tracing system (named C&C Tracer).

The C&C Tracer consists of three components:

1. C&C active behavior feature extracting (CAFE)
2. C&C status tracing analyzer (CSTA)
3. Domain name status querying (DNSQ)

The C&C Tracer can reduce the non-active C&C domain names by close to 80% with only a 0.69% false positive rate.

4/15


C&C Tracer

Architecture

[architecture figure not reproduced in the extracted text]

5/15


C&C Tracer

CAFE: C&C Active Behavior Feature Extracting

CAFE parses blacklists from different sources into the same format and recognizes the Botnet types.

CAFE includes:

1. Botnet type identifying
2. malicious URL rendering
3. domain name extracting
4. temporal and spatial feature extracting

6/15


C&C Tracer

CAFE (2)

The authors propose nine features that consider both spatial and temporal information.

7/15


C&C Tracer

CSTA: C&C Status Tracing Analyzer

Determines which domain names are worth continued tracing and which can be ignored.

CSTA includes:

1. domain name behavior extracting
2. domain name activity measuring
3. potential domain name selecting

8/15


C&C Tracer

CSTA (2)

CSTA uses different kinds of data mining classification algorithms to evaluate the active degree of a domain name, such as:

1. logistic regression (LR)
2. naive Bayes (NB)
3. RIPPER
4. K-nearest-neighbors (KNN)

9/15


C&C Tracer

DNSQ: Domain Name Status Querying

DNSQ queries the corresponding domain names from online data repositories, extracts the C&C behavior and exports it to the C&C behavior database.

10/15



Experiment Results

1. domain extension belongs to a gTLD or a ccTLD
2. AutNS + IP + ASN + CC + ISP (5)
3. Average TTL (time-to-live) < 1 day
4. AppearDuration > ActiveRecent

TP (true positive): the number of active domains that are correctly detected;
FN (false negative): the number of active domains that are not detected;
TN (true negative): the number of domain names without active-domain labeling that are correctly classified;
FP (false positive): the number of non-active domains that are incorrectly detected as active domains.

11/15
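As an added illustration (not code from the paper or from these slides), the following Python builds the spatial and temporal features listed above from constructed blacklist sightings, stands in a hand-written rule for the CSTA classifier, and counts TP/FN/TN/FP exactly as the slide defines them; the record fields, the ccTLD set, the rule's thresholds and the sample data are all assumptions.

```python
from collections import Counter
from datetime import date

CCTLDS = {"tw", "cn", "ru", "uk", "de"}  # constructed, not exhaustive

def features(records, today):
    """Per-domain feature vector; records = one dict per blacklist sighting."""
    tld = records[0]["domain"].rsplit(".", 1)[-1]
    first, last = min(r["seen"] for r in records), max(r["seen"] for r in records)
    avg_ttl = sum(r["ttl"] for r in records) / len(records)
    f = {"is_cctld": int(tld in CCTLDS)}                 # gTLD vs ccTLD
    for k in ("autns", "ip", "asn", "cc", "isp"):        # the 5 spatial features
        f["n_" + k] = len({r[k] for r in records})       # distinct values seen
    f["ttl_under_1day"] = int(avg_ttl < 86400)           # average TTL < 1 day
    f["appear_duration"] = (last - first).days           # days between first/last sighting
    f["active_recent"] = (today - last).days             # days since last sighting
    return f

def is_active(f):
    """Assumed hand-written rule standing in for the CSTA classifier (LR/NB/...)."""
    return f["active_recent"] <= 7 and bool(f["ttl_under_1day"] or f["n_ip"] > 1)

def confusion(labels, preds):
    """TP/FN/TN/FP counts as defined on the slide, plus the false positive rate."""
    c = Counter()
    for y, p in zip(labels, preds):
        c["TP" if y and p else "FN" if y else "FP" if p else "TN"] += 1
    negatives = c["FP"] + c["TN"]
    return dict(c), (c["FP"] / negatives if negatives else 0.0)

def evaluate(sightings, labels, today):
    by_domain = {}
    for d, seen, ttl, autns, ip, asn, cc, isp in sightings:
        by_domain.setdefault(d, []).append(dict(domain=d, seen=seen, ttl=ttl,
                                             autns=autns, ip=ip, asn=asn, cc=cc, isp=isp))
    names = sorted(by_domain)
    feats = {d: features(by_domain[d], today) for d in names}
    return feats, confusion([labels[d] for d in names], [is_active(feats[d]) for d in names])

# Constructed sample blacklist sightings: (domain, date seen, TTL s, AutNS, IP, ASN, CC, ISP)
TODAY = date(2011, 3, 15)
SIGHTINGS = [
    ("bot-a.example.tw", date(2011, 3, 1), 300, "ns1.example", "10.0.0.1", 65001, "TW", "ispA"),
    ("bot-a.example.tw", date(2011, 3, 13), 300, "ns1.example", "10.0.0.7", 65002, "CN", "ispB"),
    ("old.example.com", date(2011, 1, 2), 86400, "ns.example", "10.1.1.1", 65010, "US", "ispC"),
    ("old.example.com", date(2011, 1, 20), 86400, "ns.example", "10.1.1.1", 65010, "US", "ispC"),
    ("new.example.net", date(2011, 3, 14), 7200, "ns.example", "10.2.2.2", 65020, "RU", "ispD"),
]
LABELS = {"bot-a.example.tw": True, "old.example.com": False, "new.example.net": False}
```

Running `evaluate(SIGHTINGS, LABELS, TODAY)` flags the stale domain as non-active and the two recent, short-TTL domains as active, so the unlabeled `new.example.net` shows up as the one false positive that the slide's FP definition counts.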



Experiment Results (2)

[results figure not reproduced in the extracted text]

12/15



Experiment Results (3)

The C&C Tracer can reduce the non-active C&C domain names by close to 80% with only a 0.69% false positive rate.

13/15


Discussion

What I Like

The model of C&C Tracer is clearly presented.

What I Dislike

Some parts of the evaluations are not clear enough; readers might have to work much harder on studying the references.

Applications in real cases are rarely mentioned.

14/15






Thank you!

15/15