Graph and Flow-based Distributed Detection and Mitigation of Botnet Attacks

Alessio Izzillo

Abstract:
Nowadays, many organizations are constantly victims of several security threats which may cause economic and reputation damages. Among the large varietyof malware which affects several systems and online services, we can found software such as worms, viruses, spyware, trojans, key-loggers and botnets. Botnets are one of the most dangerous type of cyber-attacks, which are used in a variety of malicious campaigns such as email spam, financial theft, click fraud, distributed denial-of-service (DDoS) attacks for taking online services offline, and for committing cryptocurrency scams (using users’ processing power to mine cryptocurrency).
According to the Federal Bureau of Investigation, "Botnets have caused over 9 billion in losses to U.S. victims and over 110 billion in losses globally. Approximately 500 million computers are infected globally each year, translating into 18 victims per second". The first official recognized Botnet named "EarthLink Spammer" appeared in 2000: it was created to send phishing emails in large numbers, masked as communications from legitimate websites. Over 1.25 million malicious emails were sent to collect sensitive information. The botnet had downloaded viruses on victims’ computers when they clicked on the links in the emails, and these viruses remotely fed the information to the sender. In 2016, there was one of the largest and most lucrative digital ad malware ever devised: Methbot. It acquired thousands of IP addresses with US-based ISPs. The operators first created more than 6000 domains and 250267 distinct URLs that appeared to be from premium publishers (such as ESPN and Vogue), and then, video ads from malicious advertisers were posted on these websites which sent their bots “watch” around 30 million ads daily.
Over the years, the Botnet technology has evolved making the detection and mitigation of botnet attacks a very challenging problem. Many approaches have been proposed: signature-based, anomaly-based, DNS-based and mining-based. As it will be discussed, each approach presents advantages and disadvantages. The goal of this thesis is to use a hybrid analysis that relies on data mining flow and graph based patterns which can identify malicious external hosts which communicate with our hosts on which a distributed application of an online service is deployed. The hybrid analysis of this approach is performed online in order to mitigate the attacks. The process starts by capturing, in kernel space, some fields of the packets by means of an eBPF filter and passing them to userspace for grouping them in "batches" of a certain size, on which the hybrid analysis is carried out.
The eBPF filter in kernel space allows to inspect in real-time the packets in an unobtrusive and effective way. In fact, in addition to collecting packets characteristics, it is able to reject the packets coming from external hosts having IPs labeled as malicious by the userspace analysis.

BibTeX Entry: