NetFlow Based Botnet Detection - ripe75.ripe.net

NetFlow Based Botnet Detection
SeyedAlireza Vaziri – RIPE 75

About Me

SeyedAlireza Vaziri

• Network/System Engineer since 2007
• Security Administrator since 2016
• Machine Learning newbie

SEYEDALIREZA VAZIRI - RIPE 75 2

Agenda

• Botnets, Usage, History
• Modern Botnets
• Botnet detection and countermeasures
• NetFlow based detection
• Machine learning classification
• Questions

Bot

Vulnerable and unattended devices:

• Computers
• Smartphones
• IoT (e.g. CCTV, xDSL modems)

Botnet Usage

A network of bots is called a botnet and is used for:

• Spam
• DDoS
• Malware distribution

Botnet History

• Marina
• Zeus
• Cutwail
• Mirai

Botnet Dictionary

• Bot
• Botnet
• CnC (Command and Control)
• Botmaster

Botnet Diagram (figure)

Modern Botnet Diagram (figure)

Modern Botnet

• P2P communication
• No SPOF (Single Point of Failure)
• Encryption
• Randomness
• Obfuscation

Bot lifecycle (figure: a cycle)

1. Infection
2. Retrieve Payload
3. Join CnC
4. Report to CnC
5. Listen for Command
6. Execute Command (then back to Listen for Command)

Botnet Detection

Current methods:

• IDPS
• DPI
• Signature based, anomaly based

Dealing with Botnets

Internal: we are attacking others
External: others are attacking us

NetFlow / sFlow / IPFIX

Fields available per flow record:

• src/dst IP/port
• Packets
• Bytes
• ASN
• Duration

Blacklist

Lists of CnC IP addresses:

• ISC
• Team Cymru
• Spamhaus
• Many more
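The two slides above (flow record fields, and marking flows against a CnC blacklist) are illustrated by the following added example; it is not code from the talk or from the flyzer project. It decodes NetFlow v5 export datagrams with the standard library only, exposes exactly the per-flow fields the slide lists (addresses, ports, packets, bytes, src/dst ASN, duration), and tags each record against a blacklist of addresses or prefixes. The sample datagram and the blacklist entry are constructed (RFC 5737 documentation addresses, RFC 6996 private ASNs); sFlow and IPFIX have different wire formats and are not handled here.

```python
"""Decode NetFlow v5 export datagrams into the per-flow fields the slide lists and
mark flows whose endpoints appear on a CnC blacklist. Added example, not the talk's code."""
import ipaddress
import struct

# NetFlow v5 wire format: 24-byte header followed by count x 48-byte records.
HEADER_FMT = "!HHIIIIBBH"            # version, count, sysUptime, unix_secs, unix_nsecs,
                                     # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output, dPkts,
                                     # dOctets, first, last, srcport, dstport, pad1,
                                     # tcp_flags, prot, tos, src_as, dst_as, src_mask,
                                     # dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48


def parse_netflow_v5(packet: bytes) -> list:
    """Return one dict per flow record. Truncated or mis-counted datagrams are
    rejected instead of being decoded into garbage."""
    if len(packet) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(packet) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, src_as, dst_as,
         _smask, _dmask, _pad2) = struct.unpack(RECORD_FMT, packet[off:off + RECORD_LEN])
        flows.append({
            "src_ip": str(ipaddress.IPv4Address(src)),
            "dst_ip": str(ipaddress.IPv4Address(dst)),
            "src_port": sport,
            "dst_port": dport,
            "proto": proto,
            "tcp_flags": tcp_flags,
            "packets": pkts,
            "bytes": octets,
            "src_as": src_as,
            "dst_as": dst_as,
            "duration_ms": last - first,   # first/last are sysUptime values in milliseconds
        })
    return flows


def mark_blacklisted(flows: list, blacklist: list) -> list:
    """Tag each flow with 'malicious' / 'matched_ip'. Entries may be single addresses
    or CIDR prefixes. v5 flows are unidirectional, so both ends are checked: a bot
    talking to its CnC and the CnC answering are two separate records."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in blacklist]
    for f in flows:
        hits = [ip for ip in (f["src_ip"], f["dst_ip"])
                if any(ipaddress.ip_address(ip) in net for net in nets)]
        f["malicious"] = bool(hits)
        f["matched_ip"] = hits[0] if hits else None
    return flows


def build_v5_packet(records: list) -> bytes:
    """Constructed input for the example: pack records into a v5 datagram the way an
    exporter would. Header values are arbitrary."""
    header = struct.pack(HEADER_FMT, 5, len(records), 600_000, 1_509_000_000, 0, 1, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    int(ipaddress.IPv4Address(r["src"])), int(ipaddress.IPv4Address(r["dst"])),
                    0, 1, 2, r["pkts"], r["bytes"], r["first"], r["last"],
                    r["sport"], r["dport"], 0, r.get("flags", 0), r["proto"], 0,
                    r["src_as"], r["dst_as"], 24, 24, 0)
        for r in records)
    return header + body


# Constructed sample: RFC 5737 documentation addresses, RFC 6996 private-use ASNs.
SAMPLE_RECORDS = [
    dict(src="192.0.2.10", dst="203.0.113.5", sport=51234, dport=53, proto=17,
         pkts=1, bytes=78, first=100_000, last=100_000, src_as=64496, dst_as=64497),
    dict(src="192.0.2.10", dst="198.51.100.77", sport=40123, dport=9001, proto=17,
         pkts=12, bytes=1200, first=100_000, last=130_000, src_as=64496, dst_as=64512),
    dict(src="192.0.2.22", dst="203.0.113.8", sport=55000, dport=443, proto=6, flags=0x1b,
         pkts=20, bytes=4100, first=101_000, last=103_500, src_as=64496, dst_as=64498),
]
SAMPLE_PACKET = build_v5_packet(SAMPLE_RECORDS)
EXAMPLE_BLACKLIST = ["198.51.100.0/24"]   # hypothetical CnC prefix, not a real feed entry

if __name__ == "__main__":
    for flow in mark_blacklisted(parse_netflow_v5(SAMPLE_PACKET), EXAMPLE_BLACKLIST):
        print(flow)
```

Feeding a real exporter is a matter of binding a UDP socket on the collector port and passing each datagram to parse_netflow_v5; the length check matters there because a sampling exporter under load will happily emit datagrams whose count field and payload disagree.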

ELK Stack

Powerful search engine:

• Elasticsearch, Logstash, Kibana
• Open source
• Handles millions of records with ease
• Scalable

NetFlow to ELK

NetFlow → Logstash → Elasticsearch → Kibana

Logstash Filtering

• Blacklist IP dictionaries
• Marking malicious traffic
• GeoIP translation

Logstash Diagram

Logstash: captured flows
GeoIP: add extra information
Blacklist: mark malicious traffic
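The Logstash stage described on the last two slides, written out as an added example pipeline (it is not the author's configuration). It assumes the logstash-codec-netflow field names ([netflow][ipv4_src_addr] and so on), the translate and cidr filter plugins, a blacklist dictionary at /etc/logstash/cnc_blacklist.yml and a prefix list that are both hypothetical, and the option names of the Logstash 6/7-era translate filter (field/destination; Logstash 8 renamed them to source/target).

```conf
input {
  udp {
    port  => 2055
    codec => netflow            # decodes NetFlow v5/v9 (and IPFIX) into [netflow][*] fields
  }
}

filter {
  # 1. Exact-match blacklist: a YAML dictionary of CnC addresses -> family name,
  #    e.g. "198.51.100.77": "zeus" (hypothetical file). Missing keys get "none".
  translate {
    field            => "[netflow][ipv4_dst_addr]"
    destination      => "[threat][family]"
    dictionary_path  => "/etc/logstash/cnc_blacklist.yml"
    refresh_interval => 300      # pick up blacklist updates without a restart
    fallback         => "none"
  }
  if [threat][family] != "none" {
    mutate { add_tag => ["malicious"] }
  }

  # 2. Prefix blacklist. translate only does exact keys, so CIDR entries go through
  #    the cidr filter. Flows are unidirectional: match either end of the record.
  cidr {
    address => ["%{[netflow][ipv4_src_addr]}", "%{[netflow][ipv4_dst_addr]}"]
    network => ["198.51.100.0/24"]   # hypothetical CnC prefix
    add_tag => ["malicious"]
  }

  # 3. GeoIP enrichment of the remote side, for the Kibana map views.
  geoip {
    source => "[netflow][ipv4_dst_addr]"
    target => "[geoip]"
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "netflow-%{+YYYY.MM.dd}"
  }
}
```

Two caveats a practitioner will hit: the translate lookup is keyed on the destination only, so a CnC that initiates the connection back to the bot is caught by the cidr stanza but not by the exact-match dictionary unless a second translate on ipv4_src_addr is added; and both lookups are per record, so keep the dictionary small and let refresh_interval, not a pipeline restart, carry blacklist updates.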

Corporate Malicious Traffic (figure)

Machine Learning

Finding similar flows:

• Supervised learning
• Infected flows as train/test data
• Classify flows based on learned data

Features for ML

• Malicious-marked traffic (the label)
• SRC IP
• DST port
• SRC port
• Bytes
• Packets
• Duration
• ASN

Targets for ML

Malicious flows:

• Zeus
• Mirai
• any other malicious flow

Reduce False Positives

Trusted flows:

• DNS
• HTTP
• HTTPS
• …

Scikit-learn

• Python based ML library
• Easy to use

Zeus (UDP) Case Study

Classifier   Dataset   Train/Test   Accuracy
KNN, K=7     60000     50/50        82.9%
KNN, K=7     80000     50/50        86.8%
KNN, K=7     100000    50/50        89.3%

More data beats a better algorithm!

Why not 100%?

• Flows are unidirectional
• Flows are not classified into lifecycle steps
• Timeouts and retries
• Speed and bandwidth
• Different versions of Zeus

Final Diagram

NetFlow → Logstash → Elasticsearch → Scikit-learn → Blacklist update

ASN whitelist

• Google
• Facebook
• Akamai
• Telegram
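The classification slides (features, trusted-flow filter, the KNN K=7 case study with a 50/50 split, the blacklist-update step of the final diagram and the ASN whitelist) are tied together in the following added example; it is not the author's code or the flyzer project. The dataset is constructed and deliberately easy to separate, so its accuracy is not comparable with the 82.9-89.3% figures in the table, which come from real flows. The ASN values in the whitelist are assumed for illustration. scikit-learn's KNeighborsClassifier is used when the library is installed; otherwise a minimal k-NN of the same shape is substituted so the example still runs offline.

```python
"""k-NN flow classification after the RIPE75 Zeus (UDP) case study, with the
trusted-flow and ASN whitelist pre-filters and a blacklist-update step.
Added example; the data is constructed and the ASN values are assumed."""
import math
import random
from collections import Counter

# Pre-filters from the "Reduce False Positives" and "ASN whitelist" slides.
TRUSTED_DST_PORTS = {53, 80, 443}                  # DNS, HTTP, HTTPS
TRUSTED_ASNS = {15169, 32934, 20940, 62041}        # Google, Facebook, Akamai, Telegram (assumed)
FEATURES = ("dst_port", "src_port", "bytes", "packets", "duration_ms", "dst_as")


def is_trusted(flow):
    """Drop flows to well-known services/ASNs before they reach the classifier."""
    return flow["dst_port"] in TRUSTED_DST_PORTS or flow["dst_as"] in TRUSTED_ASNS


def synth_flows(n, seed=7):
    """Constructed dataset (not capture data): ~30% 'CnC-like' UDP flows that are longer,
    chattier and aimed at odd high ports; the rest ordinary UDP traffic."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n):
        bad = rng.random() < 0.3
        if bad:
            f = dict(dst_ip=f"198.51.100.{rng.randint(1, 254)}", dst_port=rng.choice([8000, 8001, 9001]),
                     src_port=rng.randint(1024, 65535), bytes=rng.randint(900, 1500),
                     packets=rng.randint(8, 15), duration_ms=rng.randint(20000, 60000),
                     dst_as=rng.choice([64500, 64501]))
        else:
            f = dict(dst_ip=f"203.0.113.{rng.randint(1, 254)}", dst_port=rng.choice([53, 123, 443, 5060, 27015]),
                     src_port=rng.randint(1024, 65535), bytes=rng.randint(60, 600),
                     packets=rng.randint(1, 6), duration_ms=rng.randint(0, 5000),
                     dst_as=rng.choice([15169, 64496, 64497]))
        f["label"] = int(bad)
        flows.append(f)
    return flows


def vectorize(flows, stats=None):
    """z-score the feature columns; otherwise bytes and duration dominate the Euclidean
    distance k-NN relies on. Statistics are taken from the training half only."""
    rows = [[float(f[k]) for k in FEATURES] for f in flows]
    if stats is None:
        cols = list(zip(*rows))
        means = [sum(c) / len(c) for c in cols]
        stds = [max(math.sqrt(sum((x - m) ** 2 for x in c) / len(c)), 1e-9)
                for c, m in zip(cols, means)]
        stats = (means, stds)
    means, stds = stats
    return [[(x - m) / s for x, m, s in zip(r, means, stds)] for r in rows], stats


class PurePythonKNN:
    """Minimal k-NN with majority vote, used only when scikit-learn is not installed."""
    def __init__(self, k=7):
        self.k = k

    def fit(self, X, y):
        self.X, self.y = X, list(y)
        return self

    def predict(self, X):
        preds = []
        for q in X:
            nearest = sorted(range(len(self.X)),
                             key=lambda i: sum((a - b) ** 2 for a, b in zip(q, self.X[i])))[:self.k]
            preds.append(Counter(self.y[i] for i in nearest).most_common(1)[0][0])
        return preds


def make_knn(k=7):
    try:
        from sklearn.neighbors import KNeighborsClassifier   # the library the slides use
        return KNeighborsClassifier(n_neighbors=k)
    except ImportError:
        return PurePythonKNN(k)


def blacklist_update(flows, preds):
    """Final-diagram step: destination IPs the classifier flagged, ready to be appended
    to the Logstash blacklist dictionary after review."""
    return sorted({f["dst_ip"] for f, p in zip(flows, preds) if p == 1})


def run_case_study(n_flows=2000, k=7, seed=7):
    """50/50 train/test split and KNN with K=7, as in the case study table.
    Returns (accuracy on the test half, dst IPs predicted malicious in it)."""
    flows = [f for f in synth_flows(n_flows, seed) if not is_trusted(f)]
    random.Random(seed).shuffle(flows)
    half = len(flows) // 2
    train, test = flows[:half], flows[half:]
    x_train, stats = vectorize(train)
    x_test, _ = vectorize(test, stats)
    clf = make_knn(k).fit(x_train, [f["label"] for f in train])
    preds = [int(p) for p in clf.predict(x_test)]
    accuracy = sum(p == f["label"] for p, f in zip(preds, test)) / len(test)
    return accuracy, blacklist_update(test, preds)


if __name__ == "__main__":
    acc, ips = run_case_study()
    print(f"accuracy={acc:.3f} suspects={len(ips)}")
```

Note the order of operations: the trusted-flow filter runs before the split, and the scaling statistics come from the training half only, otherwise test data leaks into the model and the reported accuracy is optimistic. Because the flows are unidirectional (one of the "why not 100%" points), a suspect address here is the destination of a single outbound record; pairing it with the matching return flow is the "bidirectional and related flows" item on the To Do slide.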

To Do

• Bidirectional and related flows
• ASN/prefix reputation/anomaly
• Actions for detected botnets

Final words

• NetFlow is cheap and handy
• Machine learning is amazing
• ML is the tool that will rescue us from internet threats

aliereza/flyzer

Questions / Comments