Internet security final

[Paper] Bot hunter

Place an IDS that watches all traffic on the internal network and look for behavior that matches the bot model below (infection events e1 to e5).

[Figure: BotHunter bot infection model with events e1 to e5; screenshot not preserved]

  • The scan detection module (SCADE) finds e1 and e5
  • The payload anomaly module (SLADE) finds e2
  • The signature engine finds e2, e3 and e4

[Paper] BotMiner

Protocol- and structure-independent botnet detection

Key idea: horizontal correlation

  • C-plane clustering: BPS, FPH, BPP, PPF. Algorithm: X-means
  • A-plane clustering: activity type, activity features
  • Correlation: find common hosts (if two hosts are in the same A-cluster and also share at least one C-cluster, put them into the same cluster)
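
The cross-plane correlation rule above, as an added example that is not code from the BotMiner paper; cluster assignments are constructed sample data and grouping is done with union-find so that the pairwise rule is applied transitively.

```python
# Added example (not from the BotMiner paper): cross-plane correlation.
# Two hosts are grouped when they share an A-plane cluster and at least one
# C-plane cluster. Cluster assignments below are constructed for illustration.
from collections import defaultdict

def find_parent(parent, x):
    # union-find root lookup with path halving
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def union(parent, a, b):
    ra, rb = find_parent(parent, a), find_parent(parent, b)
    if ra != rb:
        parent[rb] = ra

def cross_plane_correlation(a_clusters, c_clusters):
    """a_clusters: {host: A-cluster id}; c_clusters: {host: set of C-cluster ids}.
    Returns the botnet groups (sets of hosts) that contain at least two hosts."""
    hosts = list(a_clusters)
    parent = {h: h for h in hosts}
    for i, h1 in enumerate(hosts):
        for h2 in hosts[i + 1:]:
            same_activity = a_clusters[h1] == a_clusters[h2]
            shared_c = c_clusters.get(h1, set()) & c_clusters.get(h2, set())
            if same_activity and shared_c:
                union(parent, h1, h2)
    groups = defaultdict(set)
    for h in hosts:
        groups[find_parent(parent, h)].add(h)
    return [g for g in groups.values() if len(g) >= 2]

# Constructed sample: .1/.2/.3 show the same activity (scanning) but only .1 and
# .2 share a C-cluster; .4 and .5 both spam and share C-cluster c3 with .3,
# which has a different activity and therefore stays unclustered.
SAMPLE_A = {"10.0.0.1": "scan", "10.0.0.2": "scan", "10.0.0.3": "scan",
            "10.0.0.4": "spam", "10.0.0.5": "spam"}
SAMPLE_C = {"10.0.0.1": {"c1"}, "10.0.0.2": {"c1", "c2"}, "10.0.0.3": {"c3"},
            "10.0.0.4": {"c3"}, "10.0.0.5": {"c3"}}

if __name__ == "__main__":
    for group in cross_plane_correlation(SAMPLE_A, SAMPLE_C):
        print("botnet cluster:", sorted(group))
```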

Limitation

  • Change the communication pattern to evade C-plane monitoring.
  • Make the activity stealthier to evade A-plane monitoring.
  • Cross-plane analysis comes too late (the botnet may be caught only after it has already done its job).

Web security

Port scanning with (Java)Script

  • Send a request with `<img src="192.168.0.4:8080"/>`
  • Timeout: success, onError: failure

Same origin policy (SOP)

Can script from google.com access content from yahoo.com?

  • Script access to document object model (DOM) considers protocol, domain, port
  • Cookie reading considers protocol, domain, path
  • Cookie writing considers domain

Guninski Attack

Some browsers allow any frame to navigate any other frame. If a bad frame can navigate a good frame, the attacker gets the password!

Cookie

A file created by a website to store information in the browser. Adds state to stateless HTTP protocol. Browser sends all cookies in URL scope.

Surf Jacking

A network attacker sits between the victim and the Internet and is able to modify traffic between them.

  1. The victim logs into https://bank.com. A login cookie is set and protected by HTTPS.
  2. The victim also clicks a link to http://melisa.com.
  3. The attacker drops the HTTP request to melisa.com and sends an HTTP response of “302 Moved Permanently” to redirect the victim to http://bank.com.
  4. The victim’s browser sends bank.com’s login cookie without any encryption.
  5. The attacker takes the login information.
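
The two browser checks discussed above (same-origin comparison for DOM access and which cookies get attached to a request), as an added example that is not from the original notes. The cookie model assumes a Secure attribute on the cookie, which is the mitigation for the surf-jacking sequence: the insecure cookie is sent to http://bank.com, the Secure one is withheld.

```python
# Added example (not from the original notes): models SOP for DOM access
# (protocol, host, port) and cookie attachment (domain, path, Secure flag).
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def same_origin(url_a, url_b):
    """True if a script from url_a may touch the DOM of url_b under SOP."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    port_a = a.port or DEFAULT_PORTS.get(a.scheme)
    port_b = b.port or DEFAULT_PORTS.get(b.scheme)
    return (a.scheme, a.hostname, port_a) == (b.scheme, b.hostname, port_b)

def cookies_for_request(jar, url):
    """Return the names of the cookies a browser would attach to a request.
    jar entries: dicts with name, value, domain, path, secure (constructed)."""
    u = urlsplit(url)
    sent = []
    for c in jar:
        host_ok = u.hostname == c["domain"] or u.hostname.endswith("." + c["domain"])
        path_ok = u.path.startswith(c["path"])
        # a Secure cookie is only attached on https; a plain one leaks over http
        secure_ok = (not c["secure"]) or u.scheme == "https"
        if host_ok and path_ok and secure_ok:
            sent.append(c["name"])
    return sent

# Constructed cookie jar: the bank's session cookie once without and once
# with the Secure attribute, plus an unrelated cookie from melisa.com.
JAR = [
    {"name": "session_insecure", "value": "x", "domain": "bank.com", "path": "/", "secure": False},
    {"name": "session_secure", "value": "y", "domain": "bank.com", "path": "/", "secure": True},
    {"name": "melisa", "value": "z", "domain": "melisa.com", "path": "/", "secure": False},
]

if __name__ == "__main__":
    # the attacker's redirect target from the surf-jacking scenario
    print("sent to http://bank.com/:", cookies_for_request(JAR, "http://bank.com/"))
    print("sent to https://bank.com/:", cookies_for_request(JAR, "https://bank.com/"))
    print("google.com -> yahoo.com DOM:", same_origin("https://google.com/", "https://yahoo.com/"))
```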

Botnet

Attacking behavior

  • Infecting new hosts: Sending e-mails, …
  • Stealing personal information: key logger, network sniffer, …
  • Phishing and spam proxy
  • Distributed Denial of Service (DDoS)

C&C models

  • Centralized
  • P2P
    • Resilient to failures
    • Hard to discover or defend
    • Many small groups. (Current P2P tech. is capable of < 50 peers.)
    • Storm bot
      • Peers must periodically search for themselves to find nearby peers
  • Randomized
    • Theoretical architecture

Rally mechanisms

  • Hard-coded IP address (Easy one)
  • Dynamic domain name
    • Hard-coded C&C domains
  • Distributed DNS
    • Botnets run own DNS out of reach of authorities
  • FastFlux

Communication protocols

  • IRC
    • Most corporate networks do not allow any IRC traffic
  • HTTP
    • Detecting HTTP botnets is harder but possible since the header fields and the payload do not match usual transmissions.
  • IM and P2P
    • Growing future protocols

Observable Botnet activities

  • Network activities
    • Abnormal L7 payload patterns
      • IRC conversations that a human cannot understand
    • DNS queries to locate C&C server
    • Repetitive bursty and idle traffic patterns
  • Host activities
    • Virus-like activities
    • Sequence of routines
      • Modifying registries, system files
      • Suspicious network connections
  • Global activities

Evasion techniques

  • Sophistication to evade AV engines, IDS, …
  • Techniques: executable packers, rootkits, …
  • Moving from IRC to HTTP, VoIP, IPv6, …

[Paper] Conficker and Beyond: A Large-Scale Empirical Study

Goal: to understand a current, powerful botnet.

Conficker

[Paper] Effective and Efficient Malware Detection at the End Host

Behavior-based detection is effective but slow because it relies on binary emulation. So, instead of running taint analysis on every binary inspection, analyze the binary and extract its data-dependency graph once, and have the scanner do only system call argument anticipation. As a result, system resource utilization is almost the same as for binary-signature-based detection, but detection is much more effective.

[Paper] EFFORT: Efficient and Effective Bot Malware Detection with Correlative and Coordinated Analysis

Apply both host-side and network-side heuristics to detect malware.

  • Human-process-network analysis
    • Monitor HCI events and DNS queries
    • See whether a process’s DNS queries are driven by human or not
  • Process reputation analysis
    • Is the process contacting bad domains or good domains?
    • SVM classifier for domain classification
  • System exposure analysis
    • Does the program
      • Modify critical registries?
      • Access files in system directory?
    • Apply OC-SVM
      • OC-SVM: The OCSVM algorithm maps input data into a high dimensional feature space (via a kernel) and iteratively finds the maximal margin hyperplane which best separates the training data from the origin.
  • Network information trading
    • A bot’s traffic is mostly upstream, while other processes’ traffic is mostly downstream.
    • Measure ratio of
      • outgoing packets / incoming packets
      • outgoing bytes / incoming bytes
  • Correlation engine
    • Combine results from each module with OC-SVM

Limitation

  • Underlying assumption that bots use DNS
  • Another assumption that the OS itself is not compromised

Network Security in SDN

Security issues in SDN

  • Rule conflict
    • FortNOX
  • Dynamic flow tunneling
    • Flover
  • Flooding attack

Security applications with SDN

Why?

  • Collaborate with security middleboxes for more efficient detection
  • Possibly replace security middleboxes
  • Dynamic security control service

How?

  • CloudWatcher (Security-aware routing)
    • Multipath shortest: find the shortest path along which the traffic reaches both the security middlebox and the destination.
  • FRESCO (Security applications)
    • Development environment for SDN security applications
    • Ease the application development
    • Provides a set of 7 security action primitives: block, deny, allow, redirect and quarantine
    • Development environment module (DE) runs FRESCO script

[Paper] Rosemary: A Robust, Secure, and High-performance Network Operating System

Goal: make NOSs more robust and secure without performance degradation.

A network application may crash, leak memory or change the DB of the underlying NOS.

  • Robustness
    • No separation of application from NOS
      –> Separation
    • No application resource control
      –> Controlling application resource utilization
    • NOSs are monolithic
      –> Micro-Kernel approach: compartmentalizing NOS kernel modules
  • Security
    • No authentication
    • No access control
      –> Providing access control and authentication
      –> Monitoring & safely restarting NOS
  • Performance
    • –> Request pipelining
    • –> Trusted execution

SDN Attack/Misuse Genome Project

Motivation: what kind of attacks or misuse cases are possible?

Goal:

  • Systematically summarize existing attacks/misuses
  • Find more possible attacks/misuses
  • Test attacks/misuses to investigate if they are really feasible/practical

SDN security issues


  1. Forged or faked traffic flows (e.g., DoS attack)
    –> IDS + rate bounds for control plane requests
  2. Attacks on vulnerabilities in switches
    –> SW/HW attestation with automatic trust management
  3. Attacks on control plane communications
    –> Threshold cryptography across controller replicas
  4. Attacks on and vulnerabilities in controllers
    –> Replication + diversity + recovery
  5. Lack of mechanisms to ensure trust between controller and management apps
    –> SW attestation without autonomic trust management
  6. Attacks on and vulnerabilities in admin stations
    –> Double credential verification
  7. Lack of trusted resources for forensics and remediation
    –> Indelible logging

AVANT-GUARD: Scalable and Vigilant Switch Flow Management in Software-Defined Networks

Challenges

  • Scalability: controller is bottleneck
  • Responsiveness: the controller’s data plane sampling rate is limited

Scalability: the data plane switch performs the TCP handshake with SYN cookies on behalf of end hosts, to avoid controller-switch communication caused by abnormal TCP packets. Once the handshake has completed successfully, the connection is migrated to the other end and kept relayed by translating sequence numbers.

Responsiveness: reporting is triggered by the data plane, not by the control plane. The control plane defines and registers a condition that triggers reporting; the data plane checks the condition and performs the predefined action.

Spam

SMTP neither verifies the sender of a mail nor encrypts mail contents.

Realtime Blackhole Lists (RBL)

Spamming techniques

  • Using open SMTP relays
    1. Hack a relay so that it does not reveal the source IP address.
    2. Send the list of recipients and the email body to the relay.
  • Using open HTTP proxies
    1. Find open proxies by port scanning (fingerprinting SQUID or SOCKS proxies).
    2. Make the proxy connect to the victim and send SMTP commands instead of HTTP.
  • Thin pipe / thick pipe method
    • The spammer has a High Speed Broadband server (HSB) and a Low Speed Zombie (LSZ).
    • Let the LSZ make the TCP connection and send the SMTP bulk mail through the HSB, hiding the HSB’s IP address while using its high network throughput.

Anti-spam methods

The law: CAN-SPAM act

  • A law that prohibits spamming, email harvesting and proxying.
  • No impact on spam originating outside the US

Sender verification: SPF

  • The mail recipient compares the sender’s IP address with the DNS query response, to prevent SMTP bounce flooding.
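
The SPF comparison above, as an added example that is not from the original notes: a minimal evaluator covering only `ip4` mechanisms and the `-all`/`~all` defaults, with the DNS lookup replaced by a constructed table of TXT records so it runs offline. Because the check happens at SMTP time, mail with a forged sender is rejected on the spot instead of being accepted and bounced later.

```python
# Added example (not from the original notes): minimal SPF check against
# constructed TXT records. Only ip4 mechanisms and the "all" qualifiers are
# handled; include/a/mx/redirect are out of scope here.
import ipaddress

SPF_RECORDS = {  # constructed records, not real DNS data
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "soft.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

def check_spf(sender_domain, sender_ip, records=SPF_RECORDS):
    """Return the SPF result for a connecting IP claiming to send for a domain:
    pass, fail, softfail, neutral, or none (no SPF record published)."""
    record = records.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            # the sender's IP is compared with the address block the domain published
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term == "-all":
            return "fail"       # recipient may reject at SMTP time, no bounce needed
        elif term == "~all":
            return "softfail"   # typically accepted but marked for filtering
        elif term in ("+all", "all"):
            return "pass"
    return "neutral"

if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.55"), ("example.com", "198.51.100.8"),
                       ("soft.example", "10.0.0.1"), ("unknown.test", "10.0.0.1")]:
        print(domain, ip, "->", check_spf(domain, ip))
```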

Graylists

  • The recipient’s mail server records the triple: sender email, recipient email, peer IP.
  • Refuse to accept the mail the first time.
  • Accept the mail after 5 minutes.
  • Keep the triple for 3 days.
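
The greylisting rule above, as an added example that is not from the original notes: the triple is tracked with the timings the notes give (first attempt refused, retries accepted after 5 minutes, triple forgotten after 3 days without mail). Times are plain seconds passed in by the caller so the behaviour can be checked offline.

```python
# Added example (not from the original notes): greylisting keyed on the
# (sender, recipient, peer IP) triple. A sender that never retries, which is
# typical of bulk spam tooling, never gets past the temporary failure.
RETRY_AFTER = 5 * 60            # accept retries after 5 minutes
EXPIRE_AFTER = 3 * 24 * 3600    # forget a triple unused for 3 days

class Greylist:
    def __init__(self):
        self.entries = {}  # triple -> [first_seen, last_seen] (seconds)

    def decide(self, sender, recipient, peer_ip, now):
        """Return 'tempfail' (SMTP 4xx) or 'accept' for one delivery attempt."""
        triple = (sender.lower(), recipient.lower(), peer_ip)
        # drop triples that have not been seen for 3 days
        stale = [k for k, (_, last) in self.entries.items() if now - last > EXPIRE_AFTER]
        for k in stale:
            del self.entries[k]
        entry = self.entries.get(triple)
        if entry is None:
            self.entries[triple] = [now, now]   # first contact: refuse, remember
            return "tempfail"
        entry[1] = now
        if now - entry[0] < RETRY_AFTER:        # retried too soon: refuse again
            return "tempfail"
        return "accept"

if __name__ == "__main__":
    g = Greylist()
    for t in (0, 60, 300):
        print(t, g.decide("news@example.com", "me@example.net", "198.51.100.9", t))
```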

Puzzles and CAPTCHA

Phishing & Pharming

Phishing

  • Phishing sites are often hosted on botnet drones.
  • Use misleading domain names or URLs with multiple redirections.

Industrial response

  • IE7 filters phishing URLs with the assistance of an MS server.

Pharming

  • Cause DNS to point to phishing site (e.g. DNS cache poisoning)
  • Able to bypass URL checks

Industrial response

  • High-assurance SSL certificates

The UI problem

T.G.s: Transaction generation malware

  • Wait for the user to log in to banking sites
  • Issue money transfer requests on behalf of the user

Protection tools

  • SpoofGuard: uses heuristics to detect spoofed web pages.
  • PwdHash: provides hashed passwords.

[Paper] Temporal Correlations between Spam and Phishing Websites

  • Spam mails and phishing sites are alive during the same period
  • Most spam mails are delivered at the time the phishing sites are launched
  • Attackers running phishing sites on fast-flux send more spam mails

[Paper] Detecting Spammer on Twitter

By manually analyzing a tremendous amount of tweet data, the authors found that

  • Spammers’ tweets contain more URLs
  • Spammers’ tweets contain more spam words
  • Spammers’ tweets have more hashtags
  • Spammers have more followers than followees
  • Spammers are new accounts
  • Spammers receive fewer tweets

Inter-domain Security

BGP

A BGP session runs over TCP

IGP: shortest path

EGP: safety policy of AS

 
