Construction P2P Firewall HTTP Botnet Defense Mechanism

Tung-Ming Koo, Department of Information Management, National Yunlin University of Science and Technology, Yunlin, Taiwan, koo@yuntech.edu.tw
Hung-Chang Chang, Department of Information Management, National Yunlin University of Science and Technology, Yunlin, Taiwan, g9823811@yuntech.edu.tw
Guo-Quan Wei, Department of Information Management, National Yunlin University of Science and Technology, Yunlin, Taiwan, g9723743@yuntech.edu.tw

Abstract

The scale of botnets on the Internet is still increasing in recent years. If there is no corresponding solution, there will be more serious and malicious attacks in the future. An HTTP botnet uses the HTTP protocol. By using the general HTTP protocol and port 80, the attacks not only can be hidden more easily but also pass through firewalls and IDS systems without being detected. In this study we use the Repeatability Standard Deviation method to detect the connections of botnets within the HTTP protocol. Furthermore, we use the JXTA P2P network to share the results we have detected, and users can compare the packets of their traffic with the lists of the filtering mechanism. By using the P2P technique to exchange the information we have detected, users who have been infected can find the connections to HTTP botnet servers, and uninfected users can use this information as a comparison sample when new packets arrive. Users can use it to determine whether connections are malicious or not, achieving the purpose of co-defense. The lists of the filtering mechanism allow duplicated packets entering a computer to be compared only one time with the large blacklist. By using the P2P technique we can not only decrease the cost of implementation but also make the network more resilient.

Keywords: HTTP Botnet, P2P Network, Firewall

I. INTRODUCTION

Recently, malicious botnets, which have been organized and have developed fast, are the most dangerous threat in the Internet environment [12]. They appeared on the Internet in the early 1990s and developed into peer-to-peer bots after 2000. Most recently, HTTP bots have been developed. Kraken, one of the HTTP botnets, became a malicious network with more than 400 thousand bots [8][11]. In an internal Microsoft network environment, we find that more than 200 computers have been reduced to hosts under the fixed control of a botnet virus, used by hackers as a springboard to attack a particular target.

In this paper we represent the relations of HTTP clients to HTTP servers via analysis of periodic repeatability. We also make clear how malicious HTTP bots differ from normal users by using the degree of periodic repeatability. This paper is composed of four chapters. The first chapter introduces the background, purpose and method of this study. The second chapter introduces related work on malicious HTTP botnets. The third chapter describes a detection method for malicious HTTP botnets. The last chapter provides an overall view of the results of this study.

II. BOTNET RELATED WORK

In this chapter we explain the history of malicious bots and botnets and study detection methods based on DNS traffic.

A. History of Malicious Bots

In the beginning, bots and botnets were legitimate tools mainly used for functional purposes, such as keeping an IRC (Internet Relay Chat) channel open when no user is logged in, or maintaining control of the IRC channel. The first malicious botnets are the new age of Trojan horses. Botnets are the melding of many threats into one [3]. They are becoming a major tool for cybercrime, partly because they can be designed to disrupt targeted computer systems in different ways very effectively, and because a malicious user without strong technical skills can initiate these disruptive effects in cyberspace by simply renting botnet services from a cybercriminal [6]. For this reason they are called the Swiss Army knives of the underground economy [2].

978-1-4244-8726-4/11/$26.00 ©2011 IEEE

Figure 1. History of Malicious Bots

Malicious botnets, which have been organized and have developed fast, are the most dangerous threat in the Internet environment [12]. IRC bots appeared on the Internet in the early 1990s and developed into P2P (peer-to-peer) bots after 2000. Most recently, HTTP (hypertext transfer protocol) bots, i.e. HTTP-based bots, have been developed, as shown in Figure 1 above.

B. Detection Methods Based on DNS Traffic

Some existing detection methods are based on analysis of the DNS (domain name system) queries that bots send to a DNS server whenever they connect to a C&C server and attack a target. These methods have been studied steadily. Nevertheless, such studies will find it more difficult to detect malicious bots and botnets, because recent bots have been developed toward minimizing DNS queries. Choi [5] proposed botnet detection by monitoring group activities in DNS traffic. He analyzed the differing features of botnet DNS and legitimate DNS. He noted that a botnet can evade his algorithms when the botnet uses DNS only at initialization and never uses it again, e.g. some HTTP botnets [5].

III. DETECTION OF MALICIOUS HTTP BOTNETS

Typically, HTTP botnets use the HTTP protocol. This is different from IRC botnets, which use the IRC protocol. SDbot, a typical IRC bot, maintains its connection and does not reconnect after first connecting to a C&C server [10]. On the other hand, HTTP botnets do not maintain a connection with the C&C server. Therefore, malicious HTTP bots connect repeatedly at a regular interval configured by the botmaster. BlackEnergy, which is analyzed in this study, behaves in the same way. Bots generated via the BlackEnergy bot builder of a botmaster take two C&C servers. The first C&C server of BlackEnergy bots is a server specified by the botmaster when the bot is generated. The second C&C server is a server specified by the developer of the BlackEnergy bot builder.

Figure 2. Traffic Analysis of BlackEnergy

A. BlackEnergy

BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks by the Russian hacker underground. BlackEnergy gives attackers an easy-to-control, web-based bot that can launch various attacks and control the bots using a minimal syntax and structure [7]. As shown in Figure 2 above, it queries DNS only one time, when it connects to a C&C server and launches its first attack on targets. Therefore detection methods for malicious botnets based on DNS query analysis are of reduced value. Fortunately, BlackEnergy bots connect to a C&C server again and again to get new commands from the botmaster, like other malicious HTTP botnets. This general feature of malicious HTTP bots is a good basis for detection.

B. Degree of Periodic Repeatability

Repeatability is the variation in measurements taken by a single person or instrument on the same item under the same conditions. A measurement may be said to be repeatable when this variation is smaller than some agreed limit [1]. This repeatability is usable for the analysis of HTTP clients and servers. We use the degree of periodic repeatability to describe the relationship between them, and we use degrees of freedom and standard deviation to calculate the repeatability standard deviation [4][9]. This repeatability standard deviation represents the degree of periodic repeatability between HTTP clients and HTTP servers. Figure 3 below represents this relationship, i.e. the degree of periodic repeatability between clients and an HTTP server. If the degree of periodic repeatability is low, it means high periodic repeatability; if not, the connections are not periodically repeatable.

Figure 3. Relationship between HTTP clients and a HTTP server (User1 to User6 connecting to one HTTP server; the DPR values shown are 0.956, 0.976, 0.678, 0.876, 0.799 and 0.016)

In particular, the degree of periodic repeatability (DPR) of User5 is much lower than that of the other users, as shown in Figure 3 above. In this case we should carefully observe its behavior, because User5 is a potential bot. The DPRs of normal users, i.e. all but User5, are calculated to be high because the intervals between pollings of normal users are not regular.

TABLE I. CDT TABLE OF A NORMAL USER

No  Time                Interval    Source       Destination
1   1213141516.000410   2.000400    192.168.1.3  192.168.2.1
2   1213141713.570490   197.570080  192.168.1.3  192.168.2.1
3   1213141746.000410   32.429920   192.168.1.3  192.168.2.1
4   1213141753.570490   7.570080    192.168.1.3  192.168.2.1
5   1213141846.000410   62.429920   192.168.1.3  192.168.2.1
n   ...

Table I above is the CDT (connection data table) of a normal user, i.e. User1.

TABLE II. CDT TABLE OF A POTENTIAL BOT

No  Time                Interval    Source       Destination
1   1218351876.770121   36.023633   192.168.1.2  192.168.2.1
2   1218351939.793754   66.078177   192.168.1.2  192.168.2.1
3   1218352005.871931   67.042784   192.168.1.2  192.168.2.1
4   1218352072.914715   69.053623   192.168.1.2  192.168.2.1
5   1218352141.968338   67.026150   192.168.1.2  192.168.2.1
n   ...

Table II above is the CDT of a potential bot, i.e. User5. The connections of User5 are very periodic, as shown in the third column. In this case the degree of periodic repeatability was calculated to be low in Figure 3.

IV. FIREWALL SYSTEM STRUCTURE

The system is divided into the main modules: the P2P transfer module, the detection module and the firewall filter module, as shown in Figure 4. When the P2P module receives updates, it updates the filter module's lists and determines whether there is any connection matching the blacklist. It informs the user immediately of any such connection, blocks it with the firewall filter module and warns the user of the possibility of bot infection. After the detection module discovers a bot server, it notifies the user and passes the address to the filter module to block it; the address is then passed to the P2P transfer module so that the detection information is shared with other Internet users.

Figure 4. System Architecture

A. FIREWALL OPERATION

In the filter lists, if the blacklist is used directly for filtering, the excessive comparisons lead to decreased system performance, because every incoming packet is compared against the whole blacklist. If a list system is used, a new incoming packet is compared against the whole recognized blacklist only the first time; an IP that is not found in the list is placed into the local hash, and the next match is made against the hash stop list.

Custom White List: Every incoming packet is compared in the firewall. For general software used by the user, misjudgment can occur when its features are too close to those the detection system looks for. The user can therefore use a custom white list and is free to add entries; for some of the more frequently contacted IPs the user is also free to add them, which increases system performance.

Custom Black List: Users can set their own black list, or, when they find an HTTP bot infection, block it directly.

White List: The system lists the IPs from the machine's gray list for which the detection process found no malicious act as the native white list. An entry in the machine's IP white list has a validity period; when the time comes, it is automatically deleted from the white list into the gray list, to prevent a machine IP that has turned into a C&C server from staying whitelisted. Once a sufficient number of such connections is observed, the detection system recalculates and judges again; if the connection shows no malicious act, it is promoted back to the white list.

Gray List: The machine records connection IPs in a gray list when the number of connections is insufficient for detection. The native gray list is observed until enough connection times have been recorded, then the standard deviation calculation is repeated to determine the pattern of the connection behavior. If there is no problem, the IP is added to the native white list and deleted from the native gray list. A problem IP is added to the machine's black list, accepted into the recognized black list and shared with other network users.

Black List: The machine's black list records IPs on the recognized black list that this computer has connected to. Because the local computer has connected to the bot before, the machine has the possibility of infection; the native black list records these previous connection IPs and then continuously monitors their behavior to judge whether there is continuous activity. Usually, when a connection with a problem is found, it notifies the user as soon as possible so that the current malware can be removed.

Recognized Black List: The recognized black list contains IPs identified as malicious by the detection systems of other computers or of this computer. It is transmitted through the P2P system to all peers. A computer receiving the update checks it against the local gray list and white list to determine whether this machine has had such a connection; if it has, the user is notified that the computer may have been infected by a bot.

B. DETECTION MODULE

The system records the data of every period at the given time interval and puts it into the formula. Finally the repeatability standard deviation is calculated for an IP over the intervals between each repetition, and then the IP can be judged.

Calculation of the Repeatability Standard Deviation: First calculate the standard deviation S_i of each sample, then use every S_i in the repeatability standard deviation calculation. With P as the number of samples, take the square of each S_i, accumulate the squares and divide by P to obtain the repeatability standard deviation:

$$S_i = \sqrt{\frac{1}{n-1}\sum_{j=1}^{n}\left(X_{ij}-\bar{X}_i\right)^2}$$

where S_i is the standard deviation of each sample, X_i is the time, X_{ij} is the time difference from X_i to X_{i+1}, and \bar{X}_i is the average from X_1 to X_i.

$$S_r = \sqrt{\frac{1}{P}\sum_{i=1}^{P} S_i^2}$$

where S_r is the repeatability standard deviation, S_i is each standard deviation, and P is the sample number.

System Process Flow: The detection system takes the connection IPs from the gray list, uses the connection time intervals for detection, records them per cycle of repetition, and in the same way uses the standard deviation calculated with the degrees of freedom to compute the repeatability standard deviation. The system calculates the value for each connection record and checks whether it possibly belongs to a bot. If the host is possibly already infected by an HTTP bot, the detection system first notifies the user; the user first determines whether the behavior is a misjudgment, then the list is delivered outward through the P2P network, added to the recognized blacklist and applied by the firewall filter. The process is shown in Figure 5.

Figure 5. Detection Flow (branch label in the figure: not a misjudgment)

V. EXPERIMENTAL RESULTS AND ANALYSIS

The objective of this study is that a host which has found an HTTP bot shares its detection results with other users through the P2P network, so that shared detection achieves the objective of joint defense. The system implementation can be divided into three parts, namely the packet detection, packet filtering and P2P transfer modules.

A. ENVIRONMENT AND TEST

The main purpose of the experiment is to find a botnet early for the user. The subjects were divided into three types: first, users infected by the bot virus who have detected the bot; second, users infected by the bot but not yet detected; and third, users not yet infected, as shown in Figure 6 and Table III. The goal was to show that users who detect a bot can share their detection results, that infected users who have not found the bot can use the results of others to find that they are infected, and that uninfected users can use the detection results of others to achieve real-time defense.

Figure 6. Environment Architecture

TABLE III. CDT TABLE OF A NORMAL USER

HTTP Server   HTTP Botnet Server
Bot Master    Set user to control HTTP Botnet
USER A        Uninfected host
USER B        Bot detected infected host
USER C        Undetected infected host

The test environment uses the TEST BED network of National Cheng Kung University to install our environment; the network topology is shown in Figure 7.

Figure 7. Experiment Topology

B. EXPERIMENTAL ANALYSIS

Comparison of single and joint defense: To compare using network connections for joint defense or not, this study made the comparison shown in Table IV, described as follows. In single-user detection, each connection's information must be recorded and calculated alone, which consumes a lot of time; with joint defense, the results of the first computer to find the bot can be used to determine whether one's own connection records indicate an infection. On the single side, when a user shuts down the computer the recorded times will contain errors, so the records can no longer be used and must be deleted and re-recorded, whereas with joint defense the user can use the records of infected computers that have already performed detection and were not affected. On the single side one must wait until the bot has truly infected the machine before recording and detection can start, which takes some time; joint defense avoids this, because the first infected computer found can warn the users on the Internet.

TABLE IV. COMPARISON OF SINGLE AND JOINT DEFENSE

Defense              Single                             Joint defense
Share detection      Detect a single potential alone    Sharing results
Shutdown             PC shutdown                        Less computer shutdown
Real-time detection  None                               Using the computer that found the Bot first

P2P and Client/Server comparison: This system implements joint defense through a P2P network; this study made the comparison with Client/Server shown in Table V, described as follows. In the Client/Server architecture there is a specific host, so it is vulnerable to attacks by illicit users, especially the most commonly used botnet attack, denial of service; in P2P systems there is no specific host, so it is more difficult for an illegal user to collapse the network. In bandwidth use, Client/Server requires a dedicated host, and each client needs to communicate with the server, requiring larger bandwidth at the server; on a P2P network the bandwidth is dispersed across the network for better utilization. In build cost, Client/Server requires a server as a shared access point for many clients, so bandwidth and hardware devices require implementation costs and maintenance personnel; with P2P these costs are not needed, and by using the users' computers and network we can achieve our goals.
In strength and toughn
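As an added example (not code from the paper), the repeatability standard deviation of section IV.B implemented in Python and applied to the Interval columns of Tables I and II, together with the gray-list decision described in section IV.A. The threshold of 20 seconds and the minimum of five recorded connections are assumed values chosen for illustration; the paper gives neither.

```python
"""Repeatability standard deviation (paper section IV.B) over CDT interval records.
Added example, not the paper's code. THRESHOLD_SECONDS and MIN_CONNECTIONS are
assumed values for illustration; the paper does not state them."""
import math
from statistics import mean

# Polling intervals (seconds): the "Interval" column of Table I (normal user)
# and Table II (potential bot) from the paper.
NORMAL_USER_INTERVALS = [2.000400, 197.570080, 32.429920, 7.570080, 62.429920]
POTENTIAL_BOT_INTERVALS = [36.023633, 66.078177, 67.042784, 69.053623, 67.026150]

THRESHOLD_SECONDS = 20.0  # assumed: S_r at or below this marks the IP as a potential bot
MIN_CONNECTIONS = 5       # assumed "sufficient number" of connections to leave the gray list


def intervals_from_timestamps(timestamps):
    """Build the CDT 'Interval' column, X_ij = X_{i+1} - X_i, from connection times."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def sample_sd(intervals):
    """S_i: standard deviation of one sample of n intervals with n-1 degrees of freedom."""
    n = len(intervals)
    if n < 2:
        raise ValueError("a sample needs at least two intervals")
    x_bar = mean(intervals)
    return math.sqrt(sum((x - x_bar) ** 2 for x in intervals) / (n - 1))


def repeatability_sd(samples):
    """S_r = sqrt(sum(S_i^2) / P): pool the P per-period standard deviations."""
    p = len(samples)
    if p == 0:
        raise ValueError("need at least one sample")
    return math.sqrt(sum(sample_sd(s) ** 2 for s in samples) / p)


def evaluate_gray_ip(intervals, period=5):
    """Gray-list decision for one IP: stay 'gray' until enough connections are
    recorded, then split the intervals into periods, compute S_r and compare.
    A low S_r means regular polling (high periodic repeatability), i.e. 'black'."""
    if len(intervals) < MIN_CONNECTIONS:
        return "gray"
    samples = [intervals[i:i + period] for i in range(0, len(intervals), period)]
    samples = [s for s in samples if len(s) >= 2]  # drop a trailing single interval
    s_r = repeatability_sd(samples)
    return "black" if s_r <= THRESHOLD_SECONDS else "white"


if __name__ == "__main__":
    for name, ivs in (("User1", NORMAL_USER_INTERVALS), ("User5", POTENTIAL_BOT_INTERVALS)):
        print(f"{name}: S_r = {repeatability_sd([ivs]):.3f} s -> {evaluate_gray_ip(ivs)}")
```

With the page's own interval values, User5 yields S_r of about 14 seconds and User1 about 80 seconds, which is the separation Figure 3 describes qualitatively.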
