Master Blaster: Identifying Influential Player in Botnet Transactions
This research paper delves into the intricate world of botnets, specifically focusing on identifying influential players in botnet transactions. By categorizing nodes and analyzing botmaster interactions, the study sheds light on the evolving characteristics of botnets akin to human social networks. The report provides insights on the roles of botmasters and the impact of communication mediums on botnet operations.
Presentation Transcript
Master Blaster: Identifying Influential Player in Botnet Transaction
Authors: Napoleon C. Paxton, College of Computing and Informatics, UNC Charlotte; Gail-Joon Ahn, School of Computing, Informatics and Decision System Engineering, Arizona State University; Mohamed Shehab, College of Computing and Informatics, UNC Charlotte
Reporter: https://www.youtube.com/watch?v=5KyoHjIoMkQ
OUTLINE
- Introduction
- Scope of research
- Master Blaster: system overview
- Implementation and results
- Discussion
- Conclusion
Introduction
Bots carry out the commands of a botmaster through communication mediums. Communication mediums include Internet Relay Chat (IRC), P2P, and social networks.
Botnet monitoring is an effective method to gather in-depth information about the threat posed by botnets:
- capture and modify a bot
- allow the bot to connect to its command and control center
- monitor the actual communications that take place on the botnet
Most botnets are controlled by multiple botmasters: botmaster 1 initially creates the botnet, and botmasters 1, 2, ..., N each have their own attack agenda.
Introduction
In this paper the nodes are categorized, and the transactions are categorized based on a modified version of the reflective-impulsive model. A botnet is just a tool, and a tool is only as useful as the way it is used and the intentions of the person who uses it; the botmaster interactions (between the botmaster and the nodes in a botnet) are therefore categorized as social characteristics.
There are five categories of node:
- Botmaster node
- Bot node
- Compromised machine node: the machine that was originally attacked and turned into a bot node
- Storehouse node: the node that provides a download service to the botmaster node or the bot node
- Victim node: the node that is attacked
Introduction
The paper also identifies the evolution of the physical characteristics (size) of a botnet, which, like a human social network, is born, grows, shrinks, and disappears, and correlates the discovered social characteristics with the evolutionary characteristics to shed light on the role each botmaster plays in a botnet.
Scope of research
It is easy to covertly infiltrate a botnet and monitor its transactions, so botnet monitoring has become a common way to analyze and identify botnets and the destruction they cause. This paper introduces the novel idea of monitoring botnet traffic to identify the role each botmaster has in the botnet, in order to discover motives and characteristics, which in turn leads to discovering the root cause behind the botnet.
Master Blaster: system overview
MASTER BLASTER: SYSTEM OVERVIEW
A. Bot capture
B. Closed analysis
C. Open analysis
D. Network monitoring
E. Correlation
A. Bot Capture
The capture component pretends to be a legitimate vulnerable machine. It has three elements:
- Socket manager: the attacker attempts to connect to a port through the socket manager.
- General shell code handler: general shell code handlers are created to receive the data and pass the code to the Perl regex shell code handler.
- Perl regex shell code handler: Step 1: determine what type of code it is. Step 2: the code is downloaded without being executed.
B. Closed Analysis
The paper adapts and modifies the reflective-impulsive model for botnets. The reflective-impulsive model depicts social behavior as a joint function of two systems.
- Reflective system: built from responses of knowledge on facts and their decisions. It is denoted by the expression SR = set F, where F is composed of k-subsets {fd1, fd2, ..., fdk-1, fdk} that include a finite number of facts f and their decisions d.
- Impulsive system: discovered in component D (Network Monitoring).
In the closed analysis, the ASCII text in the bot code is examined to discover the reflective keywords; these keywords represent the facts. RFC 1459 and RFC 1812 (IRC protocol) help determine the protocol-based keywords, and the semantics of the facts are derived from the command and control protocol. A reflective keyword (taken from the ASCII text in the bot code) is either protocol-based or user/system-based.
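The closed analysis step described above, reduced to its mechanics: pull the ASCII-readable strings out of a bot binary and split them into protocol-based keywords (IRC command names from RFC 1459) and user/system-based keywords. This is an added example, not code from the paper or the presentation; the byte blob standing in for a captured binary is constructed, and the four-character minimum string length is an assumption borrowed from the usual strings(1) default.

```python
"""Closed analysis: recover reflective keywords from the ASCII text of a bot binary."""
import re

# Command names defined in RFC 1459 (real IRC protocol command names). A recovered string that is
# one of these is tagged protocol-based; any other bare word is a user/system-based keyword.
RFC1459_COMMANDS = {
    "PASS", "NICK", "USER", "SERVER", "OPER", "QUIT", "SQUIT", "JOIN", "PART", "MODE", "TOPIC",
    "NAMES", "LIST", "INVITE", "KICK", "VERSION", "STATS", "LINKS", "TIME", "CONNECT", "TRACE",
    "ADMIN", "INFO", "PRIVMSG", "NOTICE", "WHO", "WHOIS", "WHOWAS", "KILL", "PING", "PONG", "ERROR",
}

# Constructed stand-in for a captured bot binary: arbitrary non-text bytes with a few NUL-terminated
# ASCII string constants embedded, the way they sit in a compiled executable. Not a real sample.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 5
    + b"PRIVMSG\x00" + b"\x90\x13\x02"
    + b"dccflood\x00" + b"\xff\xfe"
    + b"JOIN\x00" + b"ab\x00"
    + b"#chan\x00" + b"\x01\x02\x03\x04"
    + b"NICK\x00"
)


def extract_strings(blob, min_len=4):
    """Return runs of printable ASCII of at least min_len bytes, like the strings(1) utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def classify_keywords(strings):
    """Keep the strings that are single bare words (the shape of a command keyword) and split them
    into protocol-based (RFC 1459 command names) and user/system-based candidates."""
    protocol, user_system = [], []
    for s in strings:
        token = s.strip()
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", token):
            continue  # channel names, paths and other non-word strings are not keywords
        (protocol if token.upper() in RFC1459_COMMANDS else user_system).append(token)
    return {"protocol": protocol, "user_system": user_system}


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BINARY)
    print("strings:", found)
    print("keywords:", classify_keywords(found))
```

Run against a real capture, the user/system list is where analyst attention goes: those are the words the bot author chose, while the protocol list is fixed by the IRC specification and is the same for any IRC bot.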
From the original paper on the reflective-impulsive system: "In the reflective system, behavior is elicited as a consequence of a decision process. Specifically, knowledge about the value and the probability of potential consequences is weighed and integrated to reach a preference for one behavioral option. If a decision is made, the reflective system activates appropriate behavioral schemata through a self-terminating mechanism of intending. In contrast, the impulsive system activates behavioral schemata through spreading activation, which may originate from perceptual input or from reflective processes. As described in James's (1890) ideo-motor principle (see also Lotze, 1852), a behavior may be elicited without the person's intention or goal. In addition, the activation of behavioral schemata may be moderated by motivational orientations or deprivation."
C. Open Analysis
All information about the initial bootstrapping has to be included in the bot binary, and thus the bot can be cloned to extract the general packet information from the botnet data. The open analysis component has three elements:
- Bot agents: the bot is stripped of its ability to attack victim machines.
- Botnet connection: the bot agent connects to the command and control locations.
- Botnet payload collection: captures all the readable contents of the payload.
D. Network Monitoring
This component analyzes the ASCII-readable data in the payload (found by the open analysis component) to extract characteristic elements from the content of the data and to discover conversations initiated by commands between the botmaster node and the other nodes. The structure of these conversations is discovered from the commands, based on the command and control protocol. Within these conversations the impulsive system and the evolutionary characteristics are discovered.
D. Network Monitoring: Impulsive system (SI)
In this paper's model, each command given by the botmaster is one impulsive, human-initiated command. The impulsive system is built on associative links and motivational drives.
Motivational drives: SI = S = m1 ∪ m2 ∪ m3, where S is the ground set of motivations based on three k-subsets of motivations M, Destructive (M1), Monetary (M2), and Other (M3), with mi ∈ Mi.
- Destructive: concerned with causing damage that physically affects a potential victim's system (including getting money from potential victims)
- Monetary: concerned only with covertly stealing money
- Other: all unknown motives
In the paper's framework, after the finite value of each k-subset is discovered, the upper-bound k-subset determines what the botmaster's motivation is.
Associative links: each subset (m1, m2, m3) is composed of a set of commands. The associative links are the semantic connections of each command to another that meet a defined criterion for the subset; that is, each command that resides in a k-subset is linked to every other command in it.
The operation of the paper's reflective-impulsive process is as follows: an impulsive command e in the set S is matched to a reflective keyword f in the set F; the two entities e and f are then determined to be one characteristic E, which conjoins the two systems SR and SI.
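The matching step just described, e in S matched to f in F to form a characteristic E, together with the upper-bound k-subset rule, as an added example (not the paper's or the presentation's code). The captured IRC lines, the botmaster nicks, the keyword set beyond PRIVMSG and dccflood, and the keyword-to-motivation mapping are all constructed for the example; the paper's own subset criteria are not reproduced on the page. Only the human-initiated (user/system) matches are read as motives, following the slide's observation that those are the ones that reflect the botmaster's intentions.

```python
"""Reflective-impulsive matching over captured IRC command-and-control lines."""
from collections import Counter, defaultdict

# Reflective system S_R: keywords recovered from the ASCII text of the bot code by closed analysis.
# PRIVMSG and dccflood are the two the page names; the others are constructed for this example.
REFLECTIVE_KEYWORDS = {"PRIVMSG", "JOIN", "NICK", "dccflood", "keylog", "update"}

# A keyword is protocol-based when it is an IRC command name from RFC 1459 (real command names).
RFC1459_COMMANDS = {"PRIVMSG", "JOIN", "NICK", "PART", "TOPIC", "MODE", "NOTICE", "PING", "PONG", "QUIT", "KICK"}

# Criterion placing a user/system keyword into one of the motivation subsets M1..M3.
# Assumed mapping for this example; the paper's own criteria are not on the page.
MOTIVATION_OF = {"dccflood": "Destructive", "keylog": "Monetary", "update": "Other"}

# Constructed capture, one line per message as an IRC client sees it:
# "<unix time> :<nick>!<user>@<host> <IRC command> <params> [:<text>]". Hosts use RFC 5737 ranges.
CAPTURED_LINES = [
    "1207045812 :alpha!bm@203.0.113.5 PRIVMSG #c :.dccflood 198.51.100.7 60",
    "1207045820 :alpha!bm@203.0.113.5 PRIVMSG #c :.dccflood 198.51.100.8 60",
    "1207045830 :alpha!bm@203.0.113.5 PRIVMSG #c :.keylog on",
    "1207045835 :alpha!bm@203.0.113.5 TOPIC #c :.update http://example.invalid/x",
    "1207045900 :beta!bm@203.0.113.9 PRIVMSG #c :hello",
    "1207045905 :beta!bm@203.0.113.9 JOIN #c",
    "1207045910 :beta!bm@203.0.113.9 PRIVMSG #c :.keylog on",
]


def parse_line(line):
    """Split one captured line into (timestamp, nick, irc_command, message text)."""
    ts, _, rest = line.partition(" ")
    if not rest.startswith(":"):
        return None
    prefix, _, rest = rest[1:].partition(" ")
    nick = prefix.split("!", 1)[0]
    irc_command, _, params = rest.partition(" ")
    _, _, text = params.partition(":")  # the trailing parameter, if any, follows the first ':'
    return int(ts), nick, irc_command, text.strip()


def impulsive_elements(irc_command, text):
    """Candidate impulsive commands e on one line: the IRC command itself plus the first word the
    botmaster typed, with the bot's trigger character ('.' or '!') stripped."""
    elements = [irc_command]
    words = text.split()
    if words:
        elements.append(words[0].lstrip(".!"))
    return elements


def match_characteristic(e):
    """Match impulsive command e against the reflective keyword set F. A match yields one
    characteristic E = (e, f), tagged protocol-based or user/system-based; otherwise None."""
    for f in REFLECTIVE_KEYWORDS:
        if e.lower() == f.lower():
            kind = "protocol" if f in RFC1459_COMMANDS else "user_system"
            return {"e": e, "f": f, "kind": kind, "motivation": MOTIVATION_OF.get(f, "Other")}
    return None


def botmaster_profiles(lines):
    """Per botmaster: counts of protocol and user/system characteristics, the human-to-protocol
    ratio, and the motivation subset with the largest count (the upper-bound k-subset)."""
    stats = defaultdict(lambda: {"protocol": 0, "user_system": 0, "motivations": Counter()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, nick, irc_command, text = parsed
        for e in impulsive_elements(irc_command, text):
            E = match_characteristic(e)
            if E is None:
                continue
            stats[nick][E["kind"]] += 1
            if E["kind"] == "user_system":  # only human-initiated commands are read as motives
                stats[nick]["motivations"][E["motivation"]] += 1
    profiles = {}
    for nick, s in stats.items():
        ratio = s["user_system"] / s["protocol"] if s["protocol"] else float("inf")
        top = s["motivations"].most_common(1)
        profiles[nick] = {
            "protocol": s["protocol"],
            "user_system": s["user_system"],
            "human_to_protocol_ratio": ratio,
            "motivation": top[0][0] if top else "Other",
        }
    return profiles


if __name__ == "__main__":
    for nick, profile in botmaster_profiles(CAPTURED_LINES).items():
        print(nick, profile)
```

On the constructed capture, alpha comes out Destructive with a ratio of 4/3 and beta Monetary with a ratio of 1/3; the TOPIC line contributes no protocol match because TOPIC is not in the recovered keyword set, which is the point of keying the match on what the bot code actually contains rather than on the whole IRC specification.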
D. Network Monitoring: Evolutionary characteristics
Each stage of evolution is defined as one of the following: Birth, Growth, Contraction.
E. Correlation
The output of this component is the role each botmaster plays. It has three elements:
- Component correlation: each result from the components has a timestamp; using this timestamp and the botmaster name, the results of the components are correlated.
- Botmaster characteristic statistics: evolutionary characteristic statistics use an autocorrelation function, C(t), to discover the botnet counts over consecutive timesteps t; reflective-impulsive characteristic statistics are the ratio of protocol-based commands to user/system-based commands.
- Correlation engine: correlates the results of the closed analysis component, the open analysis component, the network monitoring component, and the botnet characteristic component to discover botmaster-based patterns.
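The timestamp-based correlation of the two previous components, as an added example rather than the paper's code: channel-size samples from network monitoring are labelled with the evolutionary stage (Birth, Growth, Contraction, and the Disappearance the introduction mentions), and each botmaster's commands are assigned to the stage in effect when they were issued. Both input series are constructed; treating an unchanged size as continuing the previous stage is an assumption of this example, and the autocorrelation statistic C(t) is not reproduced because the page does not give its definition.

```python
"""Evolutionary stages of a monitored channel, correlated with botmaster commands by timestamp."""
from bisect import bisect_right
from collections import Counter, defaultdict

# Constructed network-monitoring output: (timestamp, number of bots seen in the channel).
SIZE_SAMPLES = [(100, 5), (200, 40), (300, 120), (400, 90), (500, 90), (600, 30), (700, 0)]

# Constructed impulsive-command events from the same monitoring: (timestamp, botmaster nick).
COMMAND_EVENTS = [(150, "alpha"), (250, "alpha"), (310, "alpha"), (320, "beta"),
                  (350, "alpha"), (450, "beta"), (650, "beta")]


def evolution_stages(samples):
    """Label each size sample with the stage in effect from its timestamp: Birth for the first
    sample, Growth when the size rises, Contraction when it falls, Disappearance when it hits
    zero. An unchanged size keeps the previous stage (assumption made for this example)."""
    stages = []
    previous_size, previous_stage = None, None
    for ts, size in samples:
        if previous_size is None:
            stage = "Birth"
        elif size == 0:
            stage = "Disappearance"
        elif size > previous_size:
            stage = "Growth"
        elif size < previous_size:
            stage = "Contraction"
        else:
            stage = previous_stage
        stages.append((ts, size, stage))
        previous_size, previous_stage = size, stage
    return stages


def stage_at(stages, ts):
    """Stage in effect at timestamp ts: that of the latest sample taken at or before ts."""
    times = [row[0] for row in stages]
    i = bisect_right(times, ts) - 1
    return stages[i][2] if i >= 0 else None


def commands_by_stage(stages, events):
    """Correlate by timestamp: how many commands each botmaster issued in each stage."""
    per_botmaster = defaultdict(Counter)
    for ts, botmaster in events:
        stage = stage_at(stages, ts)
        if stage is not None:
            per_botmaster[botmaster][stage] += 1
    return {bm: dict(counts) for bm, counts in per_botmaster.items()}


def busiest_stage(stages, events):
    """The stage during which the most commands were issued, across all botmasters."""
    total = Counter()
    for counts in commands_by_stage(stages, events).values():
        total.update(counts)
    return total.most_common(1)[0][0] if total else None


def peak_size(stages):
    """(timestamp, size) at the channel's largest observed membership."""
    return max(((ts, size) for ts, size, _ in stages), key=lambda pair: pair[1])


if __name__ == "__main__":
    labelled = evolution_stages(SIZE_SAMPLES)
    for row in labelled:
        print(row)
    print(commands_by_stage(labelled, COMMAND_EVENTS))
    print("busiest stage:", busiest_stage(labelled, COMMAND_EVENTS), "peak:", peak_size(labelled))
```

Comparing busiest_stage with peak_size is the check behind the conclusion slide's claim that most attacks fall in the period when the botnet is largest; on the constructed series the Growth stage carries four of the seven commands and contains the peak.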
Implementation and results
Implementation and results
Closed analysis identified scripts in one version of the bot code (the script listing shown on the slide is not reproduced in this transcript). The reflective keywords extracted from these results are PRIVMSG (lines 123, 133, 135 and 138) and dccflood (line 133).
Table 1 shows the number of impulsive commands generated by the top 10 botmasters. Active botmasters generated more human user/system commands; most of the impulsive commands generated by the active botmasters are human-based and are therefore more apt to reflect the true intentions of the botmaster.
Larger channels decayed more rapidly.
More active botmasters had a higher ratio of human-initiated elements to protocol-based elements. This is very important, since it means the botmaster is using his own intuition in this channel and most of the transactions are not produced by scripts. Human error continues to be the best way to catch botmasters, or malware writers in general.
Discussion
A. Current state of botnets: this paper focuses on IRC-based botnets; monitoring of more advanced C&C protocols is left for future work.
B. Limitations: the approach can only identify the botmaster characteristics of transactions that have been decrypted.
Conclusion
Discovering the role each botmaster plays helps reduce analysis time, and the approach enables identifying the generalized motives of each botmaster. The paper indicated that most attacks occurred during times when the botnet was at its largest size. Future work would focus on other forms of botnets (e.g. HTTP-based, P2P-based, and hybrid attacks).