Botnet Defense

From MilcordWiki


Mission: Provide real-time botnet intelligence situation awareness to the enterprise while contributing to the botnet community knowledge base to enhance the DHS cyber security mission.
Sponsor: DHS Cyber Security R&D Center

Overview

Our botnet defense solution detects and classifies fast flux service networks (FFSNs) in real time. FFSNs exploit a network of compromised machines (zombies) for illegal activities such as spam, phishing and malware delivery using DNS record manipulation techniques.

Need

  • 20 Million PCs infected with bots – 250,000 more infected each day (Zombie Statistics)
  • Botnets used for identity theft, spam, ad networks, pump and dump, malware distribution, DDoS
  • A compliance and national security risk in the government sector
  • A brand damage, financial loss, and legal risk in the commercial sector

Approach

Our botnet defense solution is a web service that detects and classifies fast flux service networks using both active and passive DNS monitoring. In addition, our approach is able to differentiate and classify all three fast-flux variants, including name server flux and double-flux. The primary components of our botnet defense solution include:

Figure: Fast Flux Monitor Architecture
  • sensors that perform real-time detection of FF service networks using behavioral analysis of multiple indicators
  • a database of known FF service networks, including the zombie IPs used for their domain names and nameservers
  • analytical knowledge harvested from the database

The active sensors include the Fast Flux Activity Index, the Footprint Index, Time To Live (TTL), the Guilt by Association Index, and others. The Activity Index captures how aggressively the domain’s DNS information changes. The Footprint Index captures the global dispersion of the fast flux service network. The TTL sensor captures the low values of this parameter employed by fast flux service networks. The ‘Guilt by Association’ sensor examines whether any of the current IP addresses of a domain have previously been associated with another fast flux domain. A Bayesian classifier fuses the multiple active and passive DNS sensors.
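To make the sensor-and-fusion design concrete, here is an added illustration in Python (not code from the Fast Flux Monitor or from Milcord): the four named active sensors computed over a series of DNS answers, fused with a naive Bayes classifier. The thresholds, likelihoods, prior, IP addresses and ASNs are all assumed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lookup:
    """One DNS answer for a domain (constructed sample data, not real captures)."""
    ips: frozenset   # A records returned
    asns: frozenset  # origin ASN of each returned IP
    ttl: int         # TTL in seconds on the A records

def activity_index(lookups):
    """Fraction of lookups that introduced an IP not seen in an earlier lookup."""
    seen, changes = set(), 0
    for lk in lookups:
        changes += bool(lk.ips - seen)
        seen |= lk.ips
    return changes / len(lookups)

def footprint_index(lookups):
    """Distinct ASNs across all answers: the network's global dispersion."""
    return len(set().union(*(lk.asns for lk in lookups)))

def guilt_by_association(lookups, known_ff_ips):
    """True if any IP in the latest answer was previously tied to a known FF domain."""
    return bool(lookups[-1].ips & known_ff_ips)

# Per sensor: flag rule, P(flag | fast flux), P(flag | benign). Thresholds and
# likelihoods are assumed for illustration, not the product's calibrated values.
SENSORS = [
    (lambda lk, db: activity_index(lk) > 0.5,          0.90, 0.10),
    (lambda lk, db: footprint_index(lk) >= 4,          0.80, 0.10),
    (lambda lk, db: min(l.ttl for l in lk) <= 300,     0.95, 0.30),
    (lambda lk, db: guilt_by_association(lk, db),      0.70, 0.02),
]

def fast_flux_posterior(lookups, known_ff_ips, prior=0.05):
    """Naive Bayes fusion of the sensor flags: returns P(fast flux | evidence)."""
    p_ff, p_benign = prior, 1.0 - prior
    for rule, p_flag_ff, p_flag_benign in SENSORS:
        flagged = rule(lookups, known_ff_ips)
        p_ff *= p_flag_ff if flagged else 1.0 - p_flag_ff
        p_benign *= p_flag_benign if flagged else 1.0 - p_flag_benign
    return p_ff / (p_ff + p_benign)

# Constructed observations: a fluxing domain rotating IPs across many ASNs, and a
# benign domain that also uses a short TTL (a low TTL alone is weak evidence).
KNOWN_FF_IPS = frozenset({"203.0.113.7", "198.51.100.40"})
FLUX = [Lookup(frozenset({"203.0.113.5", "198.51.100.9"}), frozenset({64496, 64497}), 180),
        Lookup(frozenset({"192.0.2.77", "203.0.113.7"}), frozenset({64498, 64496}), 180),
        Lookup(frozenset({"198.51.100.21", "198.51.100.40"}), frozenset({64499, 64500}), 180)]
BENIGN = [Lookup(frozenset({"192.0.2.10", "192.0.2.11"}), frozenset({64501}), 60)] * 3
```

With these assumed likelihoods the fluxing domain scores above 0.99 and the benign short-TTL domain below 0.01, which is the point of fusing several sensors rather than alerting on TTL alone.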

Detailed reports for domains and nameservers cover both current and historical behavior. Analytical reports include size and growth rate estimates for a fast flux service network, the social network of a fast flux service network, and the footprint of a fast flux service network within a given ASN, ISP, or country.

Figure: Fast Flux Monitor Dashboard

Benefits

  • Risk Aversion: Limits exposure to liability associated with identity theft
  • Performance: 97% accuracy in detecting fast flux domains
  • Adaptability: Real-time detection enables the fastest discovery of fast flux domains

Applications

  • Enterprise: Checks outbound traffic to detect visits to malicious sites
  • ISP: Tracks consumer machines recruited as zombies by fast flux service networks
  • Threat Intelligence Services: Detects client domains used in phishing scams for brand protection
  • Registrars: Provides evidence for malicious behavior of hosted domains
  • Law Enforcement: Furnishes solid evidence for prosecution

Test Drive

  • Want to evaluate our botnet defense web service?
    Please contact for more information.
