Frequent Sequential Attack Patterns of Malware in Botnets
Nur Rohman Rosyid
Tokai University, Kikuchi Laboratory
Outline
1. Botnet attack
2. PrefixSpan method
3. Results and Analysis
4. Conclusion
Botnet
Figure: botnet and honeypots
The CCC DATA set 2009 consists of the access logs of attacks on 94 honeypots over one year (May 1, 2008 to April 30, 2009).
This research observes one of the honeypots, which runs Windows XP + SP1.
Coordinated attack
Figure: coordinated attack diagram involving TROJ_QHOST.WT, BKDR_POEBOT.AHP, PE_VIRUT.AV, TSPY_ONLINEG.OPJ, TSPY_KOLABC.CH and TROJ_AGENT.AGSB
Sequential pattern
It is difficult to find the sequential pattern of attacks in the attack access log manually.
Sequence_id Sequence
100 <PE WO TR>
101 <PE TR WO>
102 <BK PE TR TS WO>
103 <TS PE PE TR WO BK>
104 <PE WO TR WO>
Objective
Discover the frequent sequential attack pattern on CCC DATA set 2009
Method
The PrefixSpan data mining algorithm [1] is used to discover the frequent sub-sequences as patterns in a sequence database.
Example: given the sequence database below and a minimum support threshold of 2.
[1] J. Pei et al., "PrefixSpan: Mining Sequential Patterns by Prefix-Projected Growth", in Proc. of the 17th Int'l Conf. on Data Engineering, pp. 215-224, 2001.
Sequence_id Sequence
100 <PE WO TR>
101 <PE TR WO>
102 <BK PE TR TS WO>
103 <TS PE PE TR WO BK>
104 <PE WO TR WO>
Method (cont.)
Seq. database          <PE>-projected    <PE WO>-projected   <PE TR>-projected
<PE WO TR>             <WO TR>           <TR>                <>
<PE TR WO>             <TR WO>           <>                  <WO>
<BK PE TR TS WO>       <TR TS WO>        <>                  <TS WO>
<TS PE PE TR WO BK>    <PE TR WO BK>     <BK>                <WO BK>
<PE WO TR WO>          <WO TR WO>        <TR WO>             <WO>
Sequential patterns with prefix <PE>: <PE>:5, <PE WO>:5, <PE TR>:5, <PE WO TR>:2, <PE TR WO>:4
Length-1 patterns: <PE>:5, <WO>:5, <TR>:5, <BK>:2, and <TS>:2
Method (cont.)
Sequential patterns (minimum support 2)
<PE WO>:5, <PE TR>:5, <PE WO TR>:2, <PE TR WO>:4
<WO TR>:2
<TR WO>:4
<TS WO>:2
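As an added worked example (my code, not the talk's), the following Python runs the prefix-projection just described on the five-sequence database from the slides with minimum support 2, and also computes the confidence ratio Supp(n-pattern) / Supp((n-1)-pattern) that the talk applies to 3-patterns. The item codes and sequences are copied from the slide; the function names are my own.

```python
from collections import defaultdict

# Constructed copy of the example sequence database shown on the slides.
SEQ_DB = {
    100: ["PE", "WO", "TR"],
    101: ["PE", "TR", "WO"],
    102: ["BK", "PE", "TR", "TS", "WO"],
    103: ["TS", "PE", "PE", "TR", "WO", "BK"],
    104: ["PE", "WO", "TR", "WO"],
}


def project(suffixes, item):
    """Prefix-projected database: for each suffix keep what follows the first
    occurrence of `item`; suffixes that do not contain `item` drop out."""
    return [s[s.index(item) + 1:] for s in suffixes if item in s]


def prefixspan(sequences, min_support, max_len=None):
    """Return {pattern tuple: support} for every frequent sub-sequence.
    Support counts sequences, so an item repeated in one sequence counts once."""
    patterns = {}

    def grow(prefix, suffixes):
        counts = defaultdict(int)
        for s in suffixes:
            for item in set(s):
                counts[item] += 1
        for item, supp in counts.items():
            if supp < min_support:
                continue
            pat = prefix + (item,)
            patterns[pat] = supp
            if max_len is None or len(pat) < max_len:
                grow(pat, project(suffixes, item))

    grow((), list(sequences.values()))
    return patterns


def confidence(patterns, pattern):
    """Conf(n-pattern) = Supp(n-pattern) / Supp(its (n-1)-prefix)."""
    return patterns[pattern] / patterns[pattern[:-1]]


if __name__ == "__main__":
    found = prefixspan(SEQ_DB, min_support=2)
    for pat in sorted(found, key=lambda p: (len(p), p)):
        print(f"<{' '.join(pat)}>:{found[pat]}")
    print("Conf(<PE TR WO>) =", confidence(found, ("PE", "TR", "WO")))
```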
Pre-Processing Data
Slot    Sequence of malware
0       TROJ_SYSTEMHI.BQ
1       BKDR_AGENT.ANHZ UNKNOWN TROJ_SYSTEMHI.BQ BKDR_AGENT.ANHZ UNKNOWN
2       PE_BOBAX.AH
3       PE_BOBAX.AH UNKNOWN BKDR_AGENT.ANHZ
…       …
15323   PE_VIRUT.AV TROJ_IRCBRUTE.BW WORM_AUTORUN.CZU
15324   UNKNOWN PE_VIRUT.AV PE_VIRUT.AV WORM_AUTORUN.CZU TROJ_IRCBRUTE.BW
Sequential 2-patterns of malware attack
Pattern   Malware sequence                        Frequency (slots)
P2.1      PE_VIRUT.AV PE_VIRUT.AV                 1270
P2.2      PE_BOBAX.AK PE_BOBAX.AK                  987
P2.3      PE_VIRUT.D-1 PE_VIRUT.D-1                519
P2.4      PE_VIRUT.AV TSPY_KOLABC.CH               492
P2.6      PE_VIRUT.AV WORM_SWTYMLAI.CD             385
P2.13     TROJ_QHOST.WT WORM_HAMWEQ.AP             290
P2.24     PE_VIRUT.AV BKDR_SDBOT.BU                211
P2.28     BKDR_SCRYPT.ZHB BKDR_SDBOT.BU            190
P2.36     BKDR_SCRYPT.ZHB PE_VIRUT.AV              156
P2.37     BKDR_RBOT.CZO WORM_HAMWEQ.AP             153
P2.78     TSPY_ONLINEG.OPJ TROJ_QHOST.WT            90
Sequential 3-patterns of malware attack
Pattern   Malware sequence                                      Frequency (slots)
P3.1      PE_VIRUT.AV PE_VIRUT.AV PE_VIRUT.AV                   414
P3.2      PE_BOBAX.AK PE_BOBAX.AK PE_BOBAX.AK                   286
P3.4      TROJ_QHOST.WT WORM_HAMWEQ.AP BKDR_POEBOT.AHP          168
P3.7      PE_VIRUT.AV WORM_SWTYMLAI.CD TSPY_KOLABC.CH           134
P3.10     PE_VIRUT.AV TSPY_KOLABC.CH WORM_SWTYMLAI.CD           119
P3.21     PE_VIRUT.AV BKDR_SDBOT.BU BKDR_VANBOT.HI               82
P3.27     BKDR_SCRYPT.ZHB BKDR_SDBOT.BU BKDR_VANBOT.HI           74
P3.29     TSPY_ONLINEG.OPJ TROJ_QHOST.WT BKDR_POEBOT.AHP         74
P3.30     BKDR_RBOT.CZO WORM_HAMWEQ.AP TROJ_QHOST.WT             73
P3.37     PE_VIRUT.AV TSPY_KOLABC.CH TROJ_AGENT.AGSB             67
P3.49     BKDR_SCRYPT.ZHB PE_VIRUT.AV BKDR_SDBOT.BU              57
Distribution of attacks of duplicate 3-pattern
Distribution of attacks of non-duplicate 3-pattern
Group A: (P3.4) TROJ_QHOST.WT, WORM_HAMWEQ.AP, BKDR_POEBOT.AHP; (P3.29) TSPY_ONLINEG.OPJ, TROJ_QHOST.WT, BKDR_POEBOT.AHP; (P3.30) BKDR_RBOT.CZO, WORM_HAMWEQ.AP, TROJ_QHOST.WT
Group B: (P3.21) PE_VIRUT.AV, BKDR_SDBOT.BU, BKDR_VANBOT.HI; (P3.27) BKDR_SCRYPT.ZHB, BKDR_SDBOT.BU, BKDR_VANBOT.HI; (P3.49) BKDR_SCRYPT.ZHB, PE_VIRUT.AV, BKDR_SDBOT.BU
Group C: (P3.7) PE_VIRUT.AV, WORM_SWTYMLAI.CD, TSPY_KOLABC.CH; (P3.10) PE_VIRUT.AV, TSPY_KOLABC.CH, WORM_SWTYMLAI.CD
Group D: (P3.37) PE_VIRUT.AV, TSPY_KOLABC.CH, TROJ_AGENT.AGSB
Figure: timeline of attacks for the four groups; the spans marked are 20 days, 25 days, 26 days and 8 days.
Distribution of time interval of the 3-pattern
The time interval is the time difference between the first and last malware infections of the same sequential pattern at the honeypot.
Sequential attack pattern based on source IP address and timestamp
Pattern based on IP address
IP pattern code   IP pattern
A1                S1 S1 S1
A2                S1 S1 S2
A3                S1 S2 S1
A4                S1 S2 S2
A5                S1 S2 S3
Pattern based on timestamp
Time pattern code   Time pattern
E1                  T1 T1 T1
E2                  T1 T1 T2
E3                  T1 T2 T2
E4                  T1 T2 T3
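Added example (my code, not the talk's): it classifies one occurrence of a 3-pattern by the source-IP pattern (A1 to A5) and timestamp pattern (E1 to E4) exactly as the two tables above define them, and computes the time interval defined on the previous slide. The three log entries are constructed sample data, and treating timestamps as equal when they match at one-second resolution is my assumption.

```python
from datetime import datetime

# Constructed sample occurrence of one 3-pattern at the honeypot:
# (malware name, source IP, timestamp). Values are made up for illustration.
SAMPLE_OCCURRENCE = [
    ("PE_VIRUT.AV",    "192.0.2.10", "2008-05-01 10:00:00"),
    ("BKDR_SDBOT.BU",  "192.0.2.25", "2008-05-01 10:03:15"),
    ("BKDR_VANBOT.HI", "192.0.2.25", "2008-05-01 10:07:30"),
]

# Pattern codes exactly as listed in the two tables above.
IP_CODES = {"S1 S1 S1": "A1", "S1 S1 S2": "A2", "S1 S2 S1": "A3",
            "S1 S2 S2": "A4", "S1 S2 S3": "A5"}
TIME_CODES = {"T1 T1 T1": "E1", "T1 T1 T2": "E2",
              "T1 T2 T2": "E3", "T1 T2 T3": "E4"}


def canonical_labels(values, tag):
    """Relabel values by order of first appearance, e.g. ['x','y','y'] -> 'S1 S2 S2'."""
    ids = {}
    labels = []
    for v in values:
        ids.setdefault(v, len(ids) + 1)
        labels.append(f"{tag}{ids[v]}")
    return " ".join(labels)


def classify(occurrence):
    """Combined code such as 'A4E4' for one 3-pattern occurrence.
    Timestamps are compared as strings at one-second resolution (assumption)."""
    ips = [src for _, src, _ in occurrence]
    times = [ts for _, _, ts in occurrence]
    ip_code = IP_CODES.get(canonical_labels(ips, "S"), "A?")
    time_code = TIME_CODES.get(canonical_labels(times, "T"), "E?")
    return ip_code + time_code


def time_interval_seconds(occurrence):
    """Time interval of the pattern: first infection to last infection."""
    stamps = [datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") for _, _, ts in occurrence]
    return int((max(stamps) - min(stamps)).total_seconds())


if __name__ == "__main__":
    print(classify(SAMPLE_OCCURRENCE), time_interval_seconds(SAMPLE_OCCURRENCE), "s")
```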
Sequential attack pattern by source IP address and timestamp (cont.)
A4E1: 10%, A4E4: 90%
A5E4: 20%, A5E5: 80%
Figure: coordinated attack diagram (TROJ_QHOST.WT, BKDR_POEBOT.AHP, PE_VIRUT.AV, TSPY_ONLINEG.OPJ, TSPY_KOLABC.CH, TROJ_AGENT.AGSB)
Confidence of sequential attack pattern
How strong is the n-pattern coordinated attack, given that the (n-1)-pattern, a subsequence of the n-pattern, occurs?
Here n is the length of the pattern and m is the length of the subsequence of the n-pattern.
For n > 1 and m = n - 1: Conf(n-pattern) = Supp(n-pattern) / Supp(m-pattern)
Confidence of 3-pattern
2-pattern (frequency in slots)                          3-pattern (frequency in slots)                                    Confidence
P2.13 TROJ_QHOST.WT WORM_HAMWEQ.AP (290)                P3.4 TROJ_QHOST.WT WORM_HAMWEQ.AP BKDR_POEBOT.AHP (168)           57.93%
P2.78 TSPY_ONLINEG.OPJ TROJ_QHOST.WT (90)               P3.29 TSPY_ONLINEG.OPJ TROJ_QHOST.WT BKDR_POEBOT.AHP (74)         82.22%
P2.37 BKDR_RBOT.CZO WORM_HAMWEQ.AP (153)                P3.30 BKDR_RBOT.CZO WORM_HAMWEQ.AP TROJ_QHOST.WT (73)             47.71%
P2.24 PE_VIRUT.AV BKDR_SDBOT.BU (211)                   P3.21 PE_VIRUT.AV BKDR_SDBOT.BU BKDR_VANBOT.HI (82)               38.86%
P2.28 BKDR_SCRYPT.ZHB BKDR_SDBOT.BU (190)               P3.27 BKDR_SCRYPT.ZHB BKDR_SDBOT.BU BKDR_VANBOT.HI (74)           38.95%
P2.36 BKDR_SCRYPT.ZHB PE_VIRUT.AV (156)                 P3.49 BKDR_SCRYPT.ZHB PE_VIRUT.AV BKDR_SDBOT.BU (57)              36.54%
P2.6 PE_VIRUT.AV WORM_SWTYMLAI.CD (385)                 P3.7 PE_VIRUT.AV WORM_SWTYMLAI.CD TSPY_KOLABC.CH (134)            34.81%
P2.4 PE_VIRUT.AV TSPY_KOLABC.CH (492)                   P3.10 PE_VIRUT.AV TSPY_KOLABC.CH WORM_SWTYMLAI.CD (119)           24.19%
P2.4 PE_VIRUT.AV TSPY_KOLABC.CH (492)                   P3.37 PE_VIRUT.AV TSPY_KOLABC.CH TROJ_AGENT.AGSB (67)             13.62%
Confidence = frequency of the 3-pattern / frequency of its 2-pattern prefix.
Conclusion
The PrefixSpan method sufficiently discovers all sequential attack patterns.
Coordinated attacks are performed as multiple sequential attack patterns within a certain short time interval.
The sequential pattern of a coordinated attack tends to change all the time.
These results give several behaviours useful for alerting on threats from botnet attacks.