Botnet Defense

From MilcordWiki

The Botnet Defense project researches real-time botnet intelligence and situation awareness for the enterprise, while contributing to the botnet community knowledge base in support of the DHS cyber security mission.
  • demo ...
  • blog ...
  • publications ...

Overview

Our botnet defense solution detects and classifies fast flux service networks (FFSNs) in real time. An FFSN hides the servers behind spam, phishing and malware delivery campaigns by pointing a domain at a rapidly rotating pool of compromised machines (zombies) that proxy traffic to the real back end. The rotation is achieved by manipulating the domain's DNS records: short TTLs and frequently changing A records (and, in double flux, NS records).

Need

  • 20 Million PCs infected with bots – 250,000 more infected each day (Zombie Statistics)
  • Botnets used for identity theft, spam, ad networks, pump and dump, malware distribution, DDoS
  • A compliance and national security risk in the government sector
  • A brand damage, financial loss, and legal risk in the commercial sector

Approach

Our botnet defense solution is a web service that detects and classifies fast flux service networks using both active DNS monitoring (querying the domains under observation) and passive DNS monitoring (observing resolver traffic). It also differentiates and classifies all three fast flux variants: single flux (rotating A records), name server flux (rotating NS records) and double flux (both). The primary components of our botnet defense solution are:

Figure: Fast Flux Monitor Architecture
  • sensors that perform real-time detection of fast flux service networks through behavioral analysis of several DNS indicators
  • a database of known fast flux service networks: the zombie IP addresses used by each domain and by its nameservers
  • analytical knowledge harvested from that database

The active sensors include a Fast Flux Activity Index, a Footprint Index, Time To Live (TTL) and a Guilt by Association Index, among others. The Activity Index captures how aggressively a domain's DNS information (its A and NS records) changes between lookups. The Footprint Index captures the global dispersion of the fast flux service network, that is, how many networks and countries host its IP addresses. The TTL sensor captures the low TTL values that fast flux service networks set so that resolvers discard cached answers quickly; on its own this is a weak signal, since CDNs and load balancers also use low TTLs. The Guilt by Association sensor checks whether any of the domain's current IP addresses has previously been associated with another fast flux domain. A Bayesian classifier fuses the outputs of the active and passive DNS sensors into a single probability that the domain is fast flux.
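As an added example (not the Fast Flux Monitor's own code), the following Python computes the four sensors named above over a sequence of constructed DNS lookups, labels the fast flux variant from A and NS record churn (the three variants of the Approach section), and fuses the sensors with a naive Bayes classifier. The thresholds, likelihoods, IP-to-ASN map, known-zombie list and all domain data are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Snapshot:
    """One DNS lookup of a domain: what the resolver returned, and when."""
    t: int                   # seconds since the start of observation
    a_records: frozenset     # IPv4 addresses in the answer
    ns_records: frozenset    # authoritative name server hostnames
    ttl: int                 # TTL on the A records, in seconds


# Constructed IP -> ASN map standing in for a BGP/whois lookup (assumption).
IP_TO_ASN: Dict[str, int] = {
    "198.51.100.7": 64500, "198.51.100.9": 64500,      # one hosting provider
    "203.0.113.5": 64501, "203.0.113.77": 64502, "192.0.2.14": 64503,
    "192.0.2.200": 64504, "203.0.113.150": 64505, "192.0.2.66": 64506,
}
# Constructed "database of known FF service networks": zombie IPs already
# observed serving some other fast flux domain (assumption).
KNOWN_FF_IPS: Set[str] = {"203.0.113.77", "192.0.2.200"}


def activity_index(snaps: List[Snapshot]) -> float:
    """Fraction of consecutive lookups whose A record set changed (0..1)."""
    pairs = list(zip(snaps, snaps[1:]))
    if not pairs:
        return 0.0
    return sum(a.a_records != b.a_records for a, b in pairs) / len(pairs)

def footprint_index(snaps: List[Snapshot]) -> int:
    """Distinct ASNs hosting the domain over the window: global dispersion."""
    ips = set().union(*(s.a_records for s in snaps))
    return len({IP_TO_ASN.get(ip, -1) for ip in ips})

def min_ttl(snaps: List[Snapshot]) -> int:
    """Lowest TTL seen; fast flux keeps this small so caches expire quickly."""
    return min(s.ttl for s in snaps)

def guilt_by_association(snaps: List[Snapshot]) -> float:
    """Share of the domain's current IPs already tied to another FF domain."""
    current = snaps[-1].a_records
    return len(current & KNOWN_FF_IPS) / len(current)

def flux_variant(snaps: List[Snapshot]) -> str:
    """Single flux rotates A records, NS flux rotates NS records, double both."""
    a_flux = activity_index(snaps) >= 0.5
    ns_flux = any(a.ns_records != b.ns_records for a, b in zip(snaps, snaps[1:]))
    if a_flux and ns_flux:
        return "double flux"
    if ns_flux:
        return "name server flux"
    if a_flux:
        return "single flux"
    return "none"


# Each sensor is binarised by a threshold and given P(fires | FF) and
# P(fires | benign).  Illustrative assumptions, not trained parameters.
SENSORS = {
    "activity":  (lambda s: activity_index(s) >= 0.5,     0.90, 0.10),
    "footprint": (lambda s: footprint_index(s) >= 3,       0.85, 0.15),
    "ttl":       (lambda s: min_ttl(s) <= 600,             0.95, 0.40),
    "guilt":     (lambda s: guilt_by_association(s) > 0.0, 0.70, 0.02),
}

def ff_posterior(snaps: List[Snapshot], prior: float = 0.05) -> float:
    """Naive Bayes fusion: P(fast flux | evidence), in log space to avoid underflow."""
    log_ff, log_benign = math.log(prior), math.log(1.0 - prior)
    for fires, p_ff, p_benign in SENSORS.values():
        if fires(snaps):
            log_ff += math.log(p_ff)
            log_benign += math.log(p_benign)
        else:
            log_ff += math.log(1.0 - p_ff)
            log_benign += math.log(1.0 - p_benign)
    return 1.0 / (1.0 + math.exp(log_benign - log_ff))


def S(t, ips, ns, ttl):
    return Snapshot(t, frozenset(ips), frozenset(ns), ttl)

# Constructed observations (not real domains): a double flux domain whose
# answer and name servers change on nearly every lookup ...
FF_DOMAIN = [
    S(0,   ["203.0.113.5", "203.0.113.77"],  ["ns1.example.net"], 300),
    S(300, ["192.0.2.14", "192.0.2.200"],    ["ns1.example.net"], 300),
    S(600, ["203.0.113.150", "192.0.2.66"],  ["ns2.example.net"], 180),
    S(900, ["203.0.113.77", "192.0.2.14"],   ["ns1.example.net"], 300),
]
# ... a CDN-fronted site with a low TTL but a stable, single-ASN answer ...
BENIGN_CDN = [S(t, ["198.51.100.7", "198.51.100.9"], ["ns.hoster.example"], 300)
              for t in (0, 300, 600, 900)]
# ... and a domain whose A records are stable while its NS records flux.
NS_FLUX_DOMAIN = [S(t, ["203.0.113.5"], [ns], 300) for t, ns in
                  ((0, "ns1.example.net"), (300, "ns2.example.net"), (600, "ns3.example.net"))]

if __name__ == "__main__":
    for name, snaps in (("FF_DOMAIN", FF_DOMAIN), ("BENIGN_CDN", BENIGN_CDN),
                        ("NS_FLUX_DOMAIN", NS_FLUX_DOMAIN)):
        print(f"{name}: variant={flux_variant(snaps)} "
              f"P(FF)={ff_posterior(snaps):.3f} min_ttl={min_ttl(snaps)}")
```

The CDN case shows why TTL alone is a weak sensor: it fires for the benign domain, but with no activity, no dispersion and no guilt the posterior stays near zero. The activity index here tracks only A records, so a pure name server flux domain is labelled correctly by flux_variant but scores low in the fusion; a production sensor would feed NS churn into the classifier as well.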

Detailed reports on domains and nameservers cover both current and historical behavior. Analytical reports include estimates of a fast flux service network's size and growth rate, its social network (the domains and nameservers with which it shares infrastructure), and its footprint within a given ASN, ISP or country.

Figure: Fast Flux Monitor Dashboard

Benefits

  • Risk reduction: limits exposure to liability associated with identity theft
  • Performance: 97% accuracy in detecting fast flux domains
  • Adaptability: real-time detection discovers new fast flux domains as soon as their DNS behavior is observed

Applications

  • Enterprise: Checks outbound traffic to detect visits to malicious sites
  • ISP: Tracks consumer machines recruited as zombies by fast flux service networks
  • Threat Intelligence Services: Detects client domains used in phishing scams for brand protection
  • Registrars: Provides evidence for malicious behavior of hosted domains
  • Law Enforcement: Furnishes solid evidence for prosecution

Test Drive

  • Want to evaluate our botnet defense web service? Please visit FastFluxMonitor

References

  • Massey, D. and Caglayan, A. (2010) Event Detection via DNS and Route Monitoring, 6th Annual GFIRST National Conference (GFIRST6: Building Today, Shaping Tomorrow – Ensuring an Effective Response Capability to Manage Risks in Cyberspace), San Antonio, TX, 15-20 August 2010.
  • Caglayan, A. (2010) Improving Malware Situational Awareness by Monitoring the Relationships in DNS Infrastructure, Multiagency and Industry Malware and Bot Reverse Engineering Technical Exchange Meeting (MTEM 10), MIT Lincoln Laboratory, 15-16 July 2010.
  • Caglayan, A., Toothaker, M., Drapeau, D., Burke, D. and Eaton, G. (2010) Guilt by Association based Discovery of Botnet Footprints, NATO Research and Technology Organization Workshop on Information Security and Defense, Antalya, Turkey, Apr. 26-30, 2010.
  • Caglayan, A., Toothaker, M., Drapeau, D., Burke, D. and Eaton, G. (2010) Behavioral Patterns of Fast Flux Service Networks, Hawaii International Conference on System Sciences (HICSS-43), Cyber Security and Information Intelligence Research Minitrack, Koloa, Kauai, Hawaii, Jan. 5-8, 2010.
  • Naone, E. (2009) Tracking Devious Phishing Websites, MIT Technology Review, Oct. 19, 2009.
  • Naone, E. (2009) Why Don't Spammers Get Shut Down Faster?, MIT Technology Review Blog, Oct. 19, 2009.
  • McGrath, D. K., Kalafut, A. and Gupta, M. (2009) Phishing Infrastructure Fluxes All the Way, IEEE Security and Privacy, pp. 21-28, September/October 2009.
  • Caglayan, A., Toothaker, M., Drapeau, D., Burke, D., Eaton, G., Van Randwyk, J., Lloyd, L., Proebstel, E., Burnett, D., Bayer, G. and Sanders, B. (2009) Botnet Analytics Appliance, Final Report, Department of Homeland Security Cyber Security R&D Center Contract No. NBCHC070126, October 2009.
  • Caglayan, A., Toothaker, M., Drapeau, D., Burke, D. and Eaton, G. (2009) Behavioral Analysis of Fast Flux Service Networks, Fifth Annual Cyber Security and Information Intelligence Research Workshop (CSIIRW 09), Oak Ridge, TN, April 13-15, 2009.
  • Caglayan, A., Toothaker, M., Drapeau, D., Burke, D. and Eaton, G. (2009) Real Time Detection of Fast Flux Service Networks, Cybersecurity Applications and Technologies Conference for Homeland Security (CATCH 2009), Washington, DC, March 3-4, 2009.
  • Buxbaum, P. A. (2008) Battling Botnets, Military Information Technology, Vol. 12, No. 7.
  • Caglayan, A., Toothaker, M. and Windholz, T. (2007) A Bayesian Activity Monitor for Botnet Defense, 2007 Monterey Homeland Security Conference, Monterey, CA, August 2007.
  • Caglayan, A., Toothaker, M. and Windholz, T. (2007) A Bayesian Activity Monitor for Botnet Defense, Final Report, Department of Homeland Security Cyber Security R&D Center Contract No. NBCHC060135, March 2007.