- 1 [Paper] Bot hunter
- 2 [Paper] BotMiner
- 3 Web security
- 4 Botnet
- 5 [Paper] Conficker and Beyond: A Large-Scale Empirical Study
- 6 [Paper] Effective and Efficient Malware Detection at the End Host
- 7 [Paper] EFFORT: Efficient and Effective Bot Malware Detection with Correlative and Coordinated Analysis
- 8 Network Security in SDN
- 9 [Paper] Rosemary: A Robust, Secure, and High-performance Network Operating System
- 10 SDN Attack/Misuse Genome Project
- 11 SDN security issues
- 12 AVANT-GUARD: Scalable and Vigilant Switch Flow Management in Software-Defined Networks
- 13 Spam
- 14 Phishing & Pharming
- 15 [Paper] Temporal Correlations between Spam and Phishing Websites
- 16 [Paper] Detecting Spammer on Twitter
- 17 Inter-domain Security
[Paper] Bot hunter
Place an IDS that watches all traffic on the internal network and search for behavior that matches the bot model below (events e1 to e5):
- Scan detection module (SCADE) finds e1 and e5
- Payload inspection module (SLADE) finds e2
- Signature engine finds e2, e3, e4
[Paper] BotMiner
Protocol- and structure-independent botnet detection
Key idea: horizontal correlation
- C-plane clustering on flow statistics: BPS (bytes per second), FPH (flows per hour), BPP (bytes per packet), PPF (packets per flow). Algorithm: X-means
- A-plane clustering: Activity type, Activity features
- Correlation: find common hosts (if two hosts are in the same A-plane cluster and also share at least one C-plane cluster, put them in the same group)
Evasion and limitations:
- Change the communication pattern to evade C-plane monitoring
- Make activities stealthier to evade A-plane monitoring
- Cross-plane analysis comes too late (the botnet may already have done its work before it is caught)
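The cross-plane correlation rule above, worked through in code. This is an added example, not code from the BotMiner paper; the cluster memberships and flow records are constructed, and the feature computation is a straightforward reading of the four C-plane statistics named above (the paper's exact normalization is not reproduced here).

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample input (not from the BotMiner paper): each C-plane cluster
# holds hosts whose flow statistics (fph, ppf, bpp, bps) clustered together;
# each A-plane cluster holds hosts observed doing the same malicious activity.
C_CLUSTERS = {
    "c1": {"10.0.0.5", "10.0.0.7", "10.0.0.9"},
    "c2": {"10.0.0.5", "10.0.0.7"},
    "c3": {"10.0.0.21", "10.0.0.22"},
    "c4": {"10.0.0.40"},
}
A_CLUSTERS = {
    "scan:tcp/445": {"10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.0.40"},
    "spam": {"10.0.0.21", "10.0.0.22"},
    "binary-download:hash-placeholder": {"10.0.0.5"},
}


def cplane_features(flows, window_hours):
    """C-plane feature vector for one (src, dst, dst-port) pair from its flow records.
    flows: list of {"pkts", "bytes", "seconds"}; returns fph, ppf, bpp, bps."""
    n = len(flows)
    pkts = sum(f["pkts"] for f in flows)
    byts = sum(f["bytes"] for f in flows)
    secs = sum(f["seconds"] for f in flows) or 1.0  # avoid division by zero
    return {"fph": n / window_hours, "ppf": pkts / n, "bpp": byts / pkts, "bps": byts / secs}


class UnionFind:
    """Minimal disjoint-set structure used to merge correlated hosts."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cross_plane_correlate(c_clusters, a_clusters):
    """Two hosts land in the same botnet group when they share an A-plane cluster
    AND at least one C-plane cluster. Returns groups of size >= 2 as sorted lists."""
    host_to_c = defaultdict(set)
    for cid, hosts in c_clusters.items():
        for h in hosts:
            host_to_c[h].add(cid)

    uf = UnionFind()
    for hosts in a_clusters.values():
        for h1, h2 in combinations(sorted(hosts), 2):
            if host_to_c[h1] & host_to_c[h2]:  # same activity and same C&C pattern
                uf.union(h1, h2)

    groups = defaultdict(set)
    for h in set().union(*a_clusters.values()):
        groups[uf.find(h)].add(h)
    return sorted((sorted(g) for g in groups.values() if len(g) > 1), key=lambda g: g[0])


if __name__ == "__main__":
    for group in cross_plane_correlate(C_CLUSTERS, A_CLUSTERS):
        print("botnet candidate group:", group)
```

Host 10.0.0.40 scans the same port as the first group but shares no C-plane cluster with them, so it stays unclustered; that is exactly the false-positive reduction the horizontal correlation buys over A-plane evidence alone.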
Web security
Port scanning with (Java)Script
- Send request by `<img src="192.168.0.4:8080"/>`
- Timeout: success, onError: failure
Same origin policy (SOP)
Can script from google.com access content from yahoo.com?
- Script access to document object model (DOM) considers protocol, domain, port
- Cookie reading considers protocol, domain, path
- Cookie writing considers domain
Some browsers allow any frame to navigate any other frame. If a bad frame can navigate a good frame, the attacker gets the password!
Cookie: a file created by a website to store information in the browser. It adds state to the stateless HTTP protocol. The browser sends every cookie whose scope covers the request URL.
A network attacker sits between the victim and the internet and is able to modify the traffic between them.
- A victim logs into https://bank.com. Login cookie is set and secured by HTTPS.
- The victim also clicks a link to http://melisa.com.
- The attacker drops the HTTP request to melisa.com and sends an HTTP response of "302 Moved Permanently" to redirect the victim to http://bank.com.
- The victim's browser sends bank.com's login cookie without any encryption.
- The attacker takes the login information.
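A small model of the two checks discussed in this section: the origin comparison behind the same-origin policy (scheme, host, port) and the cookie-scope rules (domain, path, and the Secure attribute) that decide whether the bank.com login cookie travels in the redirected plain-HTTP request. This is an added example, not code from the original notes; the cookie-jar entry is a constructed dict, and the domain matching is a simplified model of browser behaviour.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Origin triple compared by the DOM same-origin check: (scheme, host, port)."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))


def dom_access_allowed(script_url, target_url):
    """Can a script loaded from script_url touch the DOM of a document at target_url?"""
    return origin(script_url) == origin(target_url)


def cookie_sent(cookie, request_url):
    """Would a browser attach this cookie-jar entry to a request for request_url?
    cookie is a constructed dict: {"name", "domain", "path", "secure"}."""
    u = urlsplit(request_url)
    host = u.hostname or ""
    domain = cookie["domain"].lstrip(".")
    if host != domain and not host.endswith("." + domain):
        return False  # domain scope
    if not (u.path or "/").startswith(cookie["path"]):
        return False  # path scope
    if cookie["secure"] and u.scheme != "https":
        return False  # Secure attribute: never sent in clear text
    return True


def redirect_attack_leaks_cookie(cookie):
    """The scenario above: the victim logged in over https://bank.com, then the network
    attacker bounces a request to http://bank.com. True if the login cookie goes out
    in that unencrypted request."""
    return cookie_sent(cookie, "http://bank.com/")


# Constructed cookie-jar entries: the weak one lacks the Secure attribute.
LOGIN_COOKIE_WEAK = {"name": "session", "domain": "bank.com", "path": "/", "secure": False}
LOGIN_COOKIE_FIXED = dict(LOGIN_COOKIE_WEAK, secure=True)

if __name__ == "__main__":
    print("google.com script -> yahoo.com DOM:",
          dom_access_allowed("https://google.com/", "https://yahoo.com/"))
    print("cookie without Secure leaks:", redirect_attack_leaks_cookie(LOGIN_COOKIE_WEAK))
    print("cookie with Secure leaks:", redirect_attack_leaks_cookie(LOGIN_COOKIE_FIXED))
```

The fix for the redirect attack is visible in the last two calls: the cookie that was "secured by HTTPS" only by being set over HTTPS leaks, the one carrying the Secure attribute does not.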
Botnet
- Infecting new hosts: sending e-mails, …
- Stealing personal information: key logger, network sniffer, …
- Phishing and spam proxy
- Distributed Denial of Service (DDoS)
- Theoretical architecture
- Hard-coded IP address (Easy one)
- Dynamic domain name
- Hard-coded C&C domains
- Distributed DNS
- Botnets run own DNS out of reach of authorities
- Most corporate networks do not allow any IRC traffic
- Detecting HTTP botnets is harder but possible since the header fields and the payload do not match usual transmissions.
- IM and P2P
- Growing future protocols
Observable Botnet activities
- Network activities
- Abnormal L7 payload patterns
- IRC conversations that human cannot understand
- DNS queries to locate C&C server
- Repetitive bursty and idle traffic patterns
- Host activities
- Virus like activities
- Sequence of routines
- Modifying registries, system files
- Suspicious network connections
- Global activities
- Sophistication to evade AV engines, IDS, …
- Techniques: executable packers, rootkits, …
- Moving from IRC to HTTP, VoIP, IPv6, …
[Paper] Conficker and Beyond: A Large-Scale Empirical Study
Goal: to understand a current, powerful botnet.
[Paper] Effective and Efficient Malware Detection at the End Host
Behavior-based detection is effective but slow because it relies on binary emulation. So, instead of running taint analysis on every inspection of a binary, analyze the binary once to extract its data dependency graph, and let the scanner only predict system call arguments. As a result, system resource utilization is almost the same as for binary-signature-based detection, while detection is much more effective.
[Paper] EFFORT: Efficient and Effective Bot Malware Detection with Correlative and Coordinated Analysis
Apply both host-side and network-side heuristics to detect malware.
- Human-process-network analysis
- Monitor HCI events and DNS queries
- See whether a process’s DNS queries are driven by human or not
- Process reputation analysis
- Is the process contacting bad domains or good domains?
- SVM classifier for domain classification
- System exposure analysis
- Does the program modify critical registries or access files in the system directory?
- Apply OC-SVM
- OC-SVM: the OC-SVM algorithm maps input data into a high-dimensional feature space (via a kernel) and iteratively finds the maximal-margin hyperplane that best separates the training data from the origin.
- Network information trading
- A bot's traffic is mostly upstream, while a normal host's is mostly downstream.
- Measure the ratios outgoing packets / incoming packets and outgoing bytes / incoming bytes.
- Correlation engine
- Combine results from each module with OC-SVM
- Underlying assumption: bots use DNS
- Another assumption: the OS itself is not compromised
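Two of the EFFORT modules above rendered as detection logic over a constructed host-monitor log: the human-process-network check (is a process's DNS query preceded by a keyboard or mouse event for that process?) and the network information trading ratios. This is an added example, not the paper's code; the 5-second HCI window, the log format and the final rule combining the two signals are assumptions standing in for the paper's OC-SVM correlation.

```python
from collections import defaultdict

HCI_WINDOW_SECONDS = 5.0  # assumed threshold; the paper's exact window is not on this page

# Constructed host-monitor log (not real EFFORT output).
# kind "hci": keyboard/mouse event delivered to the process; kind "dns": DNS query by it.
EVENTS = [
    {"t": 0.0, "kind": "hci", "pid": 100, "proc": "browser.exe"},
    {"t": 1.2, "kind": "dns", "pid": 100, "proc": "browser.exe", "domain": "news.example"},
    {"t": 10.0, "kind": "dns", "pid": 200, "proc": "svchost.exe", "domain": "c2-placeholder.example"},
    {"t": 40.0, "kind": "dns", "pid": 100, "proc": "browser.exe", "domain": "cdn.example"},
    {"t": 70.0, "kind": "dns", "pid": 200, "proc": "svchost.exe", "domain": "c2-placeholder.example"},
    {"t": 130.0, "kind": "dns", "pid": 200, "proc": "svchost.exe", "domain": "c2-placeholder.example"},
]
FLOWS = [  # constructed per-process traffic counters
    {"pid": 100, "out_pkts": 120, "in_pkts": 900, "out_bytes": 30_000, "in_bytes": 2_400_000},
    {"pid": 200, "out_pkts": 800, "in_pkts": 120, "out_bytes": 640_000, "in_bytes": 9_000},
]


def human_driven_dns(events, window=HCI_WINDOW_SECONDS):
    """A DNS query counts as human-driven when the same process received an HCI event
    within `window` seconds before it. Returns pid -> (human_driven, automated)."""
    last_hci = {}
    counts = defaultdict(lambda: [0, 0])
    for e in sorted(events, key=lambda e: e["t"]):
        if e["kind"] == "hci":
            last_hci[e["pid"]] = e["t"]
        elif e["kind"] == "dns":
            pid = e["pid"]
            recent = pid in last_hci and 0 <= e["t"] - last_hci[pid] <= window
            counts[pid][0 if recent else 1] += 1
    return {pid: tuple(c) for pid, c in counts.items()}


def traffic_ratios(flows):
    """Outgoing/incoming packet and byte ratios per process (bots skew upstream)."""
    return {f["pid"]: (f["out_pkts"] / max(f["in_pkts"], 1),
                       f["out_bytes"] / max(f["in_bytes"], 1)) for f in flows}


def suspicious_processes(events, flows, window=HCI_WINDOW_SECONDS):
    """Stand-in for the correlation engine (the paper uses an OC-SVM): flag a process whose
    DNS queries are mostly automated AND whose traffic is mostly upstream."""
    dns = human_driven_dns(events, window)
    ratios = traffic_ratios(flows)
    flagged = []
    for pid, (human, automated) in dns.items():
        pkt_ratio, byte_ratio = ratios.get(pid, (0.0, 0.0))
        if automated > human and pkt_ratio > 1.0 and byte_ratio > 1.0:
            flagged.append(pid)
    return sorted(flagged)


if __name__ == "__main__":
    print("dns classification:", human_driven_dns(EVENTS))
    print("suspicious pids:", suspicious_processes(EVENTS, FLOWS))
```

Note how the browser's second query (a CDN fetch 40 s after the last click) is counted as automated; on its own that signal is noisy, which is why the paper combines several modules before deciding.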
Network Security in SDN
Security issues in SDN
- Rule conflict
- Dynamic flow tunneling
- Flooding attack
Security applications with SDN
- Collaborate with security middleboxes for more efficient detection
- Possibly replace security middleboxes
- Dynamic security control service
- CloudWatcher (Security-aware routing)
- FRESCO (Security applications)
- Development environment for SDN security applications
- Ease the application development
- Provides a set of 7 security action primitives: block, deny, allow, redirect and quarantine
- Development environment module (DE) runs FRESCO script
[Paper] Rosemary: A Robust, Secure, and High-performance Network Operating System
Goal: make NOSs more robust and secure without degrading performance.
A network application may crash, leak memory, or change the database of the underlying NOS.
- No separation of application from NOS
- No application resource control
–> Control application resource utilization
- NOSs are monolithic
–> Micro-kernel approach: compartmentalize NOS kernel modules
- No application authentication or access control
–> Provide access control and authentication
–> Monitor and safely restart the NOS
–> Request pipelining
–> Trusted execution
SDN Attack/Misuse Genome Project
Motivation: what kind of attacks or misuse cases are possible?
- Systemically summarize existing attacks/misuses
- Find more possible attacks/misuses
- Test attacks/misuses to investigate if they are really feasible/practical
SDN security issues
- Forged or faked traffic flows (e.g., DoS attack)
–> IDS + rate bounds for control plane requests
- Attacks on vulnerabilities in switches
–> SW/HW attestation with automatic trust management
- Attacks on control plane communications
–> Threshold cryptography across controller replicas
- Attacks on and vulnerabilities in controllers
–> Replication + diversity + recovery
- Lack of mechanisms to ensure trust between controller and management apps
–> SW attestation without autonomic trust management
- Attacks on and vulnerabilities in admin stations
–> Double credential verification
- Lack of trusted resources for forensics and remediation
–> Indelible logging
AVANT-GUARD: Scalable and Vigilant Switch Flow Management in Software-Defined Networks
- Scalability: controller is bottleneck
- Responsiveness: limited controller’s data plane sampling rate
Scalability: the data-plane switch completes the TCP handshake with a SYN cookie on behalf of the end hosts, so that abnormal TCP packets (e.g., a SYN flood) do not cause controller-switch communication. Once the handshake has completed successfully, the switch migrates the connection to the other end and keeps relaying it by translating sequence numbers.
Responsiveness: reporting is triggered by the data plane, not by the control plane. The control plane defines and registers a condition that triggers reporting; the data plane checks the condition and performs the predefined action.
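The scalability mechanism above (stateless SYN-cookie handshake on the switch, then connection migration with sequence-number translation) as an added example, not AVANT-GUARD's own code. The cookie layout (5-bit counter, 3-bit MSS index, 24-bit keyed MAC over the 4-tuple) follows classic SYN-cookie practice and the per-switch secret is a constructed assumption; the translation step shows why the relayed connection needs a fixed offset in each direction.

```python
import hashlib
import hmac

SWITCH_SECRET = b"constructed-per-switch-secret"  # assumption: random key held by the switch
MASK32 = 0xFFFFFFFF


def syn_cookie(src_ip, src_port, dst_ip, dst_port, counter, mss_idx):
    """ISN the switch answers a SYN with: 5-bit counter | 3-bit MSS index | 24-bit MAC.
    Nothing is stored per half-open connection, so a SYN flood cannot exhaust switch
    state or raise a packet-in to the controller."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter & 0x1F}".encode()
    mac = int.from_bytes(hmac.new(SWITCH_SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((counter & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | mac


def check_syn_cookie(ack_seq, src_ip, src_port, dst_ip, dst_port, now_counter, max_age=1):
    """Validate the handshake's final ACK (client acknowledges ISN+1). Returns the MSS
    index if the cookie is genuine and fresh, otherwise None."""
    cookie = (ack_seq - 1) & MASK32
    counter = (cookie >> 27) & 0x1F
    if (now_counter - counter) % 32 > max_age:
        return None  # stale counter: replayed or forged
    mss_idx = (cookie >> 24) & 0x7
    expected = syn_cookie(src_ip, src_port, dst_ip, dst_port, counter, mss_idx)
    if hmac.compare_digest(cookie.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return mss_idx
    return None


class Migration:
    """After a validated handshake the switch opens the real connection to the server and
    relays. The client speaks in the switch's (cookie) sequence space, the server in its
    own; the difference is rewritten on every packet in both directions."""

    def __init__(self, cookie_isn, server_isn):
        self.delta = (server_isn - cookie_isn) & MASK32

    def to_server_ack(self, client_ack):
        """Client's ACK number shifted into the server's sequence space."""
        return (client_ack + self.delta) & MASK32

    def to_client_seq(self, server_seq):
        """Server's SEQ number shifted back into what the client expects."""
        return (server_seq - self.delta) & MASK32


if __name__ == "__main__":
    c = syn_cookie("10.1.1.1", 40000, "10.2.2.2", 80, counter=7, mss_idx=3)
    print("valid ack accepted, mss idx:", check_syn_cookie(c + 1, "10.1.1.1", 40000, "10.2.2.2", 80, 8))
    print("forged ack rejected:", check_syn_cookie(c + 1, "10.1.1.1", 40001, "10.2.2.2", 80, 8))
    m = Migration(cookie_isn=c, server_isn=0x12345678)
    print("client ack -> server:", hex(m.to_server_ack(c + 1)))
```

Only a client that actually completes the handshake ever costs the switch a table entry or a packet-in, which is the property that keeps the controller out of the SYN-flood path.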
Spam
SMTP neither verifies the sender of a mail nor encrypts the mail contents.
Realtime Blackhole Lists (RBL)
- Using open SMTP relays
- Hack a relay so that it does not reveal the source IP address.
- Send list of recipients and email body to the relay.
- Using open HTTP proxies
- Find open proxies by port scanning (fingerprinting SQUID or SOCKS proxies).
- Make the proxy connect to victims and send SMTP commands instead of HTTP.
- Thin pipe / Thick pipe method
- The spammer has a high-speed broadband server (HSB) and a low-speed zombie (LSZ).
- The LSZ makes the TCP connection while the HSB sends the SMTP bulk mail, hiding the HSB's IP address while still using its high network throughput.
The law: CAN-SPAM act
- A law to prohibit spamming, email harvesting and proxying.
- No impact on spam originating outside the US
Sender verification: SPF
- The mail recipient compares the sender's IP address with the DNS query response, to prevent SMTP bounce flooding.
- The recipient's mail server records the triple (sender email, recipient email, peer IP).
- Refuse to accept the mail the first time.
- Accept the mail after 5 minutes.
- Keep the triple for 3 days.
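Both receiver-side checks in this section as runnable code: an offline SPF evaluator for the ip4/ip6/all mechanisms (the record is compared against the connecting client's IP exactly as the first bullet says), and the retry-based triple scheme of the last four bullets (known as greylisting) with the 5-minute and 3-day values from the notes. This is an added example, not code from the original notes; the SPF records and addresses are constructed, and mechanisms that need live DNS (a, mx, include, redirect) are deliberately left out.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, client_ip):
    """Evaluate an SPF TXT record against the SMTP client's IP.
    Only ip4, ip6 and all are handled; anything else yields permerror here."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        if term.lower().startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # unsupported mechanism in this offline evaluator
    return "neutral"  # no mechanism matched and no 'all' present


class Greylist:
    """Triple (sender, recipient, peer IP): defer the first attempt, accept a retry once
    `delay` seconds have passed, forget the triple `ttl` seconds after its last use."""

    def __init__(self, delay=5 * 60, ttl=3 * 24 * 3600):
        self.delay, self.ttl = delay, ttl
        self.seen = {}  # triple -> [first_seen, last_seen]

    def check(self, sender, recipient, peer_ip, now):
        key = (sender.lower(), recipient.lower(), peer_ip)
        entry = self.seen.get(key)
        if entry is not None and now - entry[1] > self.ttl:
            entry = None  # expired: treat as never seen
        if entry is None:
            self.seen[key] = [now, now]
            return "defer"  # 4xx temporary failure; real MTAs retry, much spam tooling does not
        entry[1] = now
        return "accept" if now - entry[0] >= self.delay else "defer"


if __name__ == "__main__":
    rec = "v=spf1 ip4:192.0.2.0/24 -all"  # constructed record for the sending domain
    print("mail from 192.0.2.17:", spf_check(rec, "192.0.2.17"))
    print("mail from 198.51.100.5:", spf_check(rec, "198.51.100.5"))
    g = Greylist()
    for t in (0, 100, 300):
        print(f"t={t}s:", g.check("alice@example.net", "bob@example.org", "203.0.113.9", t))
```

A bounce generated for a forged sender is what SPF lets the receiver avoid: the forged domain's record marks the spammer's IP as fail, so the message is rejected at SMTP time instead of being accepted and bounced to the innocent address.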
Puzzles and CAPTCHA
Phishing & Pharming
- Phishing sites are often hosted on botnet drones.
- Use misleading domain name or URLs with multiple redirections.
- IE7 filters phishing URLs with the assistance of a Microsoft server.
- Pharming: cause DNS to point to the phishing site (e.g., DNS cache poisoning)
- Able to bypass URL checks
- High assurance SSL certificate
The UI problem
T.G.s: Transaction generation malware
- Wait for user to login to banking sites
- Issue money transfer requests on behalf of user
- SpoofGuard: Use heuristics to detect spoofed web page.
- PwdHash: Provide hashed password.
[Paper] Temporal Correlations between Spam and Phishing Websites
- Spam mails and phishing sites live in the same period
- Most spam mails are delivered at the time when phishing sites are launched
- Attackers running phishing sites on fast-flux send more spam mails
[Paper] Detecting Spammer on Twitter
By manually analyzing a huge volume of tweet data, the authors found that:
- Spammers' tweets contain more URLs
- Spammers' tweets contain more spam words
- Spammers' tweets have more hashtags
- Spammers have more followers than followees
- Spammers are new accounts
- Spammers receive fewer tweets
Inter-domain Security
A BGP session runs over TCP.
IGP: shortest path
EGP: safety policy of the AS