NetFlow Based Botnet Detection
SEYEDALIREZA VAZIRI – RIPE 75

About Me
SeyedAlireza Vaziri
• Network/System Engineer since 2007
• Security Administrator since 2016
• Machine Learning newbie
SEYEDALIREZA VAZIRI - RIPE 75 2
Agenda
• Botnets, Usage, History
• Modern Botnets
• Botnet detection and countermeasure
• Netflow based detection
• Machine learning classification
• Questions
Bot
Vulnerable and unattended Devices:
• Computers
• Smartphones
• IoT (e.g. CCTV, xDSL Modem)
Botnet Usage
A network of bots is called a botnet and is used for:
• Spam
• DDoS
• Malware Distribution
Botnet History
• Marina
• Zeus
• Cutwail
• Mirai
Botnet Dictionary
• Bot
• Botnet
• CnC (Command and Control)
• Botmaster
Botnet Diagram
Modern Botnet Diagram
Modern Botnet
• P2P Communication
• No SPOF (Single Point of Failure)
• Encryption
• Randomness
• Obfuscation
Bot lifecycle (diagram; stages shown):
• Infection
• Join CnC
• Report CnC
• Retrieve Payload
• Listen For Command
• Execute Command
Botnet Detection
Current methods:
• IDPS
• DPI
• Signature Based, Anomaly Based
Dealing with Botnets
Internal: We are attacking others
External: Others attacking us
NetFlow / sFlow / IPFIX
• src/dst IP/Port
• Packets
• Bytes
• ASN
• Duration
Blacklist
Lists of CnC IP addresses:
• ISC
• CYMRU
• Spamhaus
• Many more
ELK Stack
Powerful Search Engine:
• Elasticsearch, Logstash, Kibana
• Open Source
• Handles millions of records with ease
• Scalable
Netflow to ELK (diagram):
NetFlow → Logstash → Elasticsearch → Kibana
Logstash Filtering
• Blacklist IP Dictionaries
• Marking malicious traffic
• GeoIP translation
Logstash Diagram
• Logstash: Captured flows
• GeoIP: Add Extra Information
• Blacklist: Mark Malicious traffic
Corporate Malicious Traffic
Machine Learning
Finding Similar Flows
• Supervised Learning
• Infected Flows as Train/Test data
• Classify flows based on learned data
Features for ML
• Malicious marked traffic
• SRC IP
• DST port
• SRC port
• Bytes
• Packets
• Duration
• ASN
Targets for ML
• Malicious Flows
• Zeus
• Mirai
• any other malicious flow
Reduce False Positives
• Trusted Flows
• DNS
• HTTP
• HTTPS
• …
Scikit Learn
• Python based ML library
• Easy to use
Zeus (UDP) Case Study
Classifier    Dataset   Train/Test   Accuracy
KNN – K=7     60000     50/50        82.9%
KNN – K=7     80000     50/50        86.8%
KNN – K=7     100000    50/50        89.3%
More data beats better algorithm!
Why not 100%?
• Flows are unidirectional
• Flows are not classified into lifecycle steps
• Timeouts and retry
• Speed and Bandwidth
• Different versions of Zeus
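The following is an added example written for this page, not code from the slides or from the flyzer project. It walks the pipeline the Features, Reduce False Positives and Case Study slides describe: flows to blacklisted CnC addresses are marked malicious, trusted DNS/HTTP/HTTPS flows are dropped, and a K=7 nearest-neighbour vote over scaled NetFlow features classifies an unseen flow. The blacklist addresses, flow records, feature scaling and choice of features are constructed assumptions; the talk used scikit-learn, while this version is pure Python so it runs anywhere.

```python
"""Added example, not from the slides or the flyzer project: label NetFlow-style
records with a constructed CnC blacklist, drop trusted service flows, then
classify unseen flows with a pure-Python K=7 nearest-neighbour vote."""
from collections import Counter
from math import sqrt

BLACKLIST = {"203.0.113.10", "198.51.100.7"}   # constructed CnC addresses
TRUSTED_PORTS = {53, 80, 443}                   # DNS/HTTP/HTTPS, kept out of training
FEATURES = ("dst_port", "src_port", "bytes", "packets", "duration")

def label_flow(flow):
    """1 = malicious: destination is on the CnC blacklist (the Logstash marking step)."""
    return 1 if flow["dst_ip"] in BLACKLIST else 0

def is_trusted(flow):
    """Trusted service flows are excluded to reduce false positives."""
    return flow["dst_port"] in TRUSTED_PORTS

def build_training_set(flows):
    """Return per-feature scaled vectors, their labels and the scale used."""
    kept = [f for f in flows if not is_trusted(f)]
    raw = [[float(f[k]) for k in FEATURES] for f in kept]
    # Divide each feature by its maximum so byte counts do not swamp port numbers.
    scale = [max(r[i] for r in raw) or 1.0 for i in range(len(FEATURES))]
    vectors = [[a / s for a, s in zip(r, scale)] for r in raw]
    return vectors, [label_flow(f) for f in kept], scale

def knn_predict(flow, vectors, labels, scale, k=7):
    """Majority label among the k nearest training flows (Euclidean distance)."""
    x = [float(flow[f]) / s for f, s in zip(FEATURES, scale)]
    ranked = sorted((sqrt(sum((a - b) ** 2 for a, b in zip(v, x))), lab)
                    for v, lab in zip(vectors, labels))
    return Counter(lab for _, lab in ranked[:k]).most_common(1)[0][0]

def sample_flows():
    """Constructed NetFlow-like records; in the deck these come from Logstash/ELK."""
    flows = []
    for i in range(10):   # small, short beacons to a blacklisted address
        flows.append(dict(src_ip="10.0.0.%d" % (i + 1), dst_ip="203.0.113.10",
                          dst_port=3300 + i % 3, src_port=40000 + i,
                          bytes=120 + 10 * i, packets=2, duration=1 + i % 2))
    for i in range(10):   # bulk transfers to unlisted hosts
        flows.append(dict(src_ip="10.0.1.%d" % (i + 1), dst_ip="192.0.2.%d" % (i + 1),
                          dst_port=8000 + i, src_port=50000 + i,
                          bytes=50000 + 1000 * i, packets=60 + i, duration=30 + i))
    for i in range(4):    # trusted DNS/HTTPS flows, dropped before training
        flows.append(dict(src_ip="10.0.2.1", dst_ip="192.0.2.50", dst_port=(53, 443)[i % 2],
                          src_port=51000 + i, bytes=600, packets=4, duration=1))
    return flows
```

The point of the unseen-flow check is that a beacon to an address not yet on any blacklist is still classified malicious because its flow shape matches known CnC traffic, which is what lets the classifier feed the blacklist update.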
Final Diagram
NetFlow → Logstash → Elasticsearch → Scikit → Blacklist Update
ASN whitelist
• Akamai
• Telegram
To Do
• Bidirectional and related Flows
• ASN/Prefix reputation/anomaly
• Actions for detected botnets
Final words
• Netflow is cheap and handy
• Machine learning is amazing
• ML is the tool that will rescue us from internet threats
aliereza/flyzer
Questions / Comments