Botnet Defense
From MilcordWiki
Overview
Our botnet defense solution detects and classifies fast flux service networks (FFSNs) in real time. FFSNs use DNS record manipulation techniques to exploit a network of compromised machines (zombies) for illegal activities such as spam, phishing, and malware delivery.
Need
- 20 million PCs are infected with bots – 250,000 more infected each day (Zombie Statistics)
- Botnets are used for identity theft, spam delivery, ad networks, pump and dump, malware distribution, and DDoS
- Botnets pose a compliance and national security risk in the government sector and a threat to brand damage, financial loss, and legal risk in the commercial sector
Approach
Our botnet defense solution is a web service that detects and classifies fast flux service networks using both active and passive DNS monitoring. In addition, our approach is able to differentiate and classify all three fast flux variants, including name server flux and double-flux. The primary components of our botnet defense solution include:
- sensors that perform real-time detection of fast flux service networks using behavioral analysis of various indicators
- a database of known fast flux service networks, including the zombie IPs used for their domain names and nameservers
- analytical knowledge harvested from the database
The active sensors include the Fast Flux Activity Index, the Footprint Index, Time To Live (TTL), the Guilt by Association Index, and others. The Activity Index captures how aggressively the domain's DNS information changes. The Footprint Index captures the global dispersion of the fast flux service network. The TTL sensor captures the low TTL values employed by fast flux service networks. The 'Guilt by Association' sensor examines whether any of the current IP addresses of a domain have previously been associated with another fast flux domain. A Bayesian classifier fuses the multiple active and passive DNS sensors.
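As an added illustration of how indicators of this kind can be computed and fused, the following Python is example code written for this page, not the FastFluxMonitor implementation or any MilcordWiki code. It derives an activity index, a footprint index, a minimum TTL and a guilt-by-association share from a constructed DNS lookup history, turns each into a binary sensor outcome, and combines the outcomes with a naive Bayes classifier. The indicator definitions, thresholds, sensor likelihoods, prior, IP-to-ASN table, known-zombie set and lookup histories are all assumptions made for the example.

```python
"""Added example: fast flux indicators fused by naive Bayes.

Illustrative code written for this page, not the FastFluxMonitor implementation.
Indicator definitions, thresholds, likelihoods, the IP->ASN table and the DNS
observations below are all constructed for the example.
"""
from dataclasses import dataclass
from math import exp, log


@dataclass(frozen=True)
class Lookup:
    """One resolution of the domain: query time, A records returned, their TTL (seconds)."""
    ts: int
    a_records: frozenset
    ttl: int


# Constructed IP -> ASN table (documentation address ranges, placeholder AS numbers).
IP_TO_ASN = {
    "10.0.1.5": 64501, "10.0.1.9": 64501,
    "192.0.2.10": 64510, "192.0.2.77": 64511,
    "198.51.100.3": 64512, "198.51.100.44": 64513,
    "203.0.113.8": 64514, "203.0.113.200": 64515,
}
# Constructed stand-in for the database of known fast flux service networks:
# zombie IPs already tied to a domain classified as fast flux earlier.
KNOWN_FF_IPS = frozenset({"192.0.2.77", "203.0.113.200"})

# Assumed per-sensor likelihoods: (P(fires | fast flux), P(fires | benign)).
# Constructed for illustration; a real deployment estimates these from labelled data.
LIKELIHOODS = {
    "activity": (0.85, 0.10),
    "footprint": (0.80, 0.15),
    "ttl": (0.90, 0.20),
    "guilt": (0.70, 0.02),
}
PRIOR_FAST_FLUX = 0.05  # assumed base rate of fast flux among monitored domains


def activity_index(lookups):
    """Activity Index: fraction of consecutive lookups whose A-record set changed (0..1)."""
    if len(lookups) < 2:
        return 0.0
    changes = sum(1 for a, b in zip(lookups, lookups[1:]) if a.a_records != b.a_records)
    return changes / (len(lookups) - 1)


def footprint_index(lookups, ip_to_asn=IP_TO_ASN):
    """Footprint Index: number of distinct ASNs across every IP the domain resolved to."""
    ips = set().union(*(l.a_records for l in lookups))
    return len({ip_to_asn.get(ip, -1) for ip in ips})


def min_ttl(lookups):
    """TTL sensor input: the lowest TTL observed, which fast flux keeps small."""
    return min(l.ttl for l in lookups)


def guilt_by_association(lookups, known_ff_ips=KNOWN_FF_IPS):
    """Guilt by Association: share of current A records already tied to a known fast flux domain."""
    current = lookups[-1].a_records
    return len(current & known_ff_ips) / len(current) if current else 0.0


def sensor_hits(lookups):
    """Turn each indicator into a binary sensor outcome using constructed thresholds."""
    return {
        "activity": activity_index(lookups) >= 0.5,
        "footprint": footprint_index(lookups) >= 3,
        "ttl": min_ttl(lookups) <= 600,
        "guilt": guilt_by_association(lookups) > 0.0,
    }


def posterior_fast_flux(hits, likelihoods=LIKELIHOODS, prior=PRIOR_FAST_FLUX):
    """Naive Bayes fusion: P(fast flux | sensor outcomes), treating sensors as independent."""
    log_ff, log_benign = log(prior), log(1.0 - prior)
    for name, fired in hits.items():
        p_ff, p_benign = likelihoods[name]
        log_ff += log(p_ff if fired else 1.0 - p_ff)
        log_benign += log(p_benign if fired else 1.0 - p_benign)
    return 1.0 / (1.0 + exp(log_benign - log_ff))


def score_domain(lookups):
    """Run every sensor on a domain's lookup history and return the fused verdict."""
    hits = sensor_hits(lookups)
    return {"hits": hits, "p_fast_flux": posterior_fast_flux(hits)}


# Constructed lookup histories: three queries, five minutes apart.
FLUX_DOMAIN = [
    Lookup(0, frozenset({"192.0.2.10", "198.51.100.3", "203.0.113.8"}), 300),
    Lookup(300, frozenset({"192.0.2.77", "198.51.100.3", "203.0.113.200"}), 180),
    Lookup(600, frozenset({"198.51.100.44", "192.0.2.77", "203.0.113.200"}), 300),
]
STABLE_DOMAIN = [Lookup(t, frozenset({"10.0.1.5", "10.0.1.9"}), 3600) for t in (0, 300, 600)]

if __name__ == "__main__":
    for name, history in (("flux-like", FLUX_DOMAIN), ("stable", STABLE_DOMAIN)):
        verdict = score_domain(history)
        print(f"{name}: P(fast flux) = {verdict['p_fast_flux']:.4f}, sensors = {verdict['hits']}")
```

The fusion step is where the page's "Bayesian classifier" sits: each sensor contributes a likelihood ratio, so a single noisy indicator (a legitimate CDN can also show many ASNs and short TTLs) moves the posterior much less than the Guilt by Association sensor, whose assumed false-positive rate is low. Measured likelihoods and a realistic prior for the monitored population would replace the constructed numbers above.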
Detailed reports for domains and nameservers cover both current and historical behavior. Analytical reports include the fast flux service network's size and growth rate estimates, the social network of a fast flux service network, and the footprint of a fast flux service network for a given ASN, ISP, and country.
Benefits
- Risk Aversion: Limits exposure to liability associated with identity theft
- Performance: 97% accuracy in detecting fast flux domains
- Adaptability: Real-time detection enables the earliest possible discovery of fast flux domains
Applications
- Enterprise: Checks outbound traffic to detect visits to malicious sites
- ISP: Tracks consumer machines recruited as zombies by fast flux service networks
- Threat Intelligence Services: Detects client domains used in phishing scams for brand protection
- Registrars: Provides evidence for malicious behavior of hosted domains
- Law Enforcement: Furnishes solid evidence for prosecution
Test Drive
- Want to evaluate our botnet defense web service? Please visit FastFluxMonitor
References
- Caglayan, A. and Toothaker, M. FastFluxMonitor vs. Darknet traffic, SIE Workshop, October 3, 2010, Atlanta, GA.
- Massey, D. and Caglayan, A. Event Detection via DNS and Route Monitoring, 6th Annual GFIRST National Conference, GFIRST6: Building Today, Shaping Tomorrow – Ensuring an Effective Response Capability to Manage Risks in Cyberspace, August 15-20, 2010, San Antonio, TX.
- Caglayan, A. Improving Malware Situational Awareness by Monitoring the Relationships in DNS Infrastructure, Multiagency and Industry Malware and Bot Reverse Engineering Technical Exchange Meeting (MTEM 10), MIT Lincoln Laboratory, 15-16 July 2010.
- Caglayan, A., Toothaker, M., Drapeau, D., Burke, D. and Eaton, G. (2010) Guilt by Association based Discovery of Botnet Footprints, NATO Research and Technology Organization Workshop on Information Security and Defense. Antalya, Turkey, April 26-30, 2010.
- Caglayan, A., Toothaker, M., Drapeau, D., Burke, D. and Eaton, G. (2010) Behavioral Patterns of Fast Flux Service Networks, Hawaii International Conference on System Sciences (HICSS-43) Cyber Security and Information Intelligence Research Minitrack, Koloa, Kauai, Hawaii, January 5-8, 2010.
- Naone, E. Tracking Devious Phishing Websites, MIT Technology Review, October 19, 2009.
- Naone, E. Why Don't Spammers Get Shut Down Faster?, MIT Technology Review Blog, October 19, 2009.
- McGrath, D. K., Kalafut, A., Gupta, M. Phishing Infrastructure Fluxes All the Way, IEEE Security and Privacy, pp. 21-28, September/October 2009.
- Caglayan, A., Toothaker, M., Drapeau, D., Burke, D., Eaton, G., Van Randwyk, J., Lloyd, L., Proebstel, E., Burnett, D., Bayer, G., and Sanders, B. (2009) Botnet Analytics Appliance, Final Report, Department of Homeland Security Cyber Security R&D Center Contract No. NBCHC070126, October 2009.
- Caglayan, A., Toothaker, M., Drapeau, D., Burke, D. and Eaton, G. (2009) Behavioral Analysis of Fast Flux Service Networks, Fifth Annual Cyber Security and Information Intelligence Research Workshop (CSIIRW 09), Oak Ridge, TN, April 13-15, 2009.
- Caglayan, A., Toothaker, M., Drapeau, D., Burke, D. and Eaton, G. (2009) Real Time Detection of Fast Flux Service Networks, Cybersecurity Applications and Technologies Conference for Homeland Security (CATCH 2009), Washington, DC, March 3-4, 2009.
- Buxbaum, P. A. Battling Botnets, Military Information Technology, Vol. 12, No. 7, 2008.
- Caglayan, A., Toothaker, M. and Windholz, T. (2007) A Bayesian Activity Monitor for Botnet Defense, 2007 Monterey Homeland Security Conference, Monterey, CA, August 2007.
- Caglayan, A., Toothaker, M. and Windholz, T. (2007) A Bayesian Activity Monitor for Botnet Defense, Final Report, Department of Homeland Security Cyber Security R&D Center Contract No. NBCHC060135, March 2007.
