C&C Tracer: Botnet Command and Control Behavior Tracing
2013/10/28 Presented: 羅傑聘 (102064529)
Outline
Basic Information
Problems to solve
C&C Tracer
Experiment Results
Discussion
2/16
Basic Information
Title: C&C Tracer: Botnet Command and Control Behavior Tracing
Authors:
− Meng-Han Tsai
− Chang-Cheng Lin
− Ching-Hao Mao (Institute for Information Industry, Project Resource Division)
− Huey-Ming Lee (Chinese Culture University)
Publication: Systems, Man, and Cybernetics (SMC), IEEE International Conference
Year: 2011
Cited (Google): 1
Problems to Solve
Botnet command and control (C&C) behavior becomes more dynamic and rapid, so it is difficult to capture the Botnet behavior in real time.
In practical analysis, scalability and real-time operation are two important issues.
Reducing the latency of C&C behavior tracing could enhance detection coverage of rapid changes in C&C behaviors.
C&C Tracer
Botnet C&C behavior tracing system (named C&C Tracer)
The C&C Tracer consists of three components:
1. C&C active behavior feature extracting (CAFE)
2. C&C status tracing analyzer (CSTA)
3. Domain name status querying (DNSQ)
The C&C Tracer can reduce the non-active C&C domain names by close to 80% with only a 0.69% false positive rate.
C&C Tracer – Architecture
C&C Tracer – CAFE
C&C Active Behavior Feature Extracting
CAFE parses the different sources of blacklists into the same format and recognizes the Botnet types.
CAFE includes:
1. Botnet type identifying
2. malicious URL rendering
3. domain name extracting
4. temporal and spatial feature extracting
C&C Tracer – CAFE(2)
The authors propose nine features that consider both spatial and temporal information.
C&C Tracer – CSTA
C&C Status Tracing Analyzer
CSTA determines which domain names are valuable for continued tracing and which can be ignored.
CSTA includes:
1. domain name behavior extracting
2. domain name activity measuring
3. potential domain name selecting
C&C Tracer – CSTA(2)
CSTA uses different kinds of data mining classification algorithms to evaluate the active degree of a domain name, such as:
1. logistic regression (LR)
2. naive Bayes (NB)
3. RIPPER
4. k-nearest neighbors (KNN)
C&C Tracer – DNSQ
Domain Name Status Querying
DNSQ queries the corresponding domain names from online data repositories, extracts the C&C behavior and exports it to the C&C behavior database.
Experiment Results
1. domain extension belongs to a gTLD or ccTLD
2. AutNS + IP + ASN + CC + ISP ≧ 5
3. Average TTL (time-to-live) < 1 day
4. AppearDuration > ActiveRecent
TP (true positive): the number of active domains that are correctly detected;
FN (false negative): the number of active domains that are not detected;
TN (true negative): the number of domain names without active-domain labeling that are correctly classified;
FP (false positive): the number of non-active domains that are incorrectly detected as active domains.
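As an added example (not code from the paper or these slides), the four rules above are applied as the active-domain labeling criteria to a constructed set of domain records, and the TP/FN/TN/FP counts, false positive rate and non-active reduction are computed from them. The field names, the reading of rule 2 as a sum of distinct AutNS/IP/ASN/CC/ISP values, and the durations in days are assumptions.

```python
# Added example, not the paper's code. Applies the four active-domain rules
# listed above to constructed records and scores the result against
# constructed ground-truth labels. Field semantics are assumptions.
from dataclasses import dataclass

GTLD = {"com", "net", "org", "info", "biz"}  # assumed small gTLD set
CCTLD_LEN = 2                                # ccTLDs are two letters
ONE_DAY_SEC = 86400

@dataclass
class DomainRecord:
    name: str
    aut_ns: int           # distinct authoritative name servers (assumed)
    ips: int              # distinct resolved IPs
    asns: int             # distinct ASNs
    ccs: int              # distinct country codes
    isps: int             # distinct ISPs
    avg_ttl_sec: float    # average TTL of observed resolutions
    appear_duration: int  # days since first seen on a blacklist (assumed)
    active_recent: int    # days since last observed activity (assumed)
    is_active: bool       # constructed ground-truth label

def tld_ok(name: str) -> bool:
    """Rule 1: extension is a gTLD or a two-letter ccTLD."""
    tld = name.rsplit(".", 1)[-1].lower()
    return tld in GTLD or len(tld) == CCTLD_LEN

def predict_active(r: DomainRecord) -> bool:
    """All four rules must hold for a domain to be labeled active."""
    return (tld_ok(r.name)
            and r.aut_ns + r.ips + r.asns + r.ccs + r.isps >= 5
            and r.avg_ttl_sec < ONE_DAY_SEC
            and r.appear_duration > r.active_recent)

def confusion(records):
    """Returns (TP, FN, TN, FP) as defined on the slide."""
    pred = [(predict_active(r), r.is_active) for r in records]
    tp = sum(1 for p, a in pred if p and a)
    fn = sum(1 for p, a in pred if not p and a)
    tn = sum(1 for p, a in pred if not p and not a)
    fp = sum(1 for p, a in pred if p and not a)
    return tp, fn, tn, fp

def false_positive_rate(tp, fn, tn, fp):
    return fp / (fp + tn) if fp + tn else 0.0

def non_active_reduction(tp, fn, tn, fp):
    """Share of non-active domains dropped from further tracing."""
    return tn / (tn + fp) if tn + fp else 0.0

# Constructed sample records; not real indicators.
SAMPLE = [
    DomainRecord("fastflux-a.example.com", 2, 6, 3, 2, 3, 300, 30, 2, True),
    DomainRecord("parked-b.example.net", 1, 1, 1, 1, 1, 2 * ONE_DAY_SEC, 90, 60, False),
    DomainRecord("stable-c.example.org", 2, 2, 1, 1, 1, 3600, 10, 20, False),
    DomainRecord("odd-d.example.test", 3, 5, 2, 2, 2, 600, 40, 1, True),
    DomainRecord("noisy-e.example.co", 1, 2, 1, 1, 1, 600, 5, 1, False),
    DomainRecord("rotating-f.example.ru", 3, 4, 2, 2, 2, 120, 15, 3, True),
]
```

Running `confusion(SAMPLE)` on the constructed set gives one FN (the non-gTLD/ccTLD extension) and one FP (a short-lived domain that passes every rule), which is exactly the trade-off the false positive rate on the slide measures.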
Experiment Results (2)
Experiment Results (3)
The C&C Tracer can reduce the non-active C&C domain names by close to 80% with only a 0.69% false positive rate.
Discussion
What I Like
− The model of C&C Tracer is clearly presented.
What I Dislike
− Some parts of the evaluations are not clear enough; readers might have to work hard on studying the references much more.
− Application in real cases is rarely mentioned.
Thank you!