Proactively Removing the Botnet Threat

1
Proactively Removing the Botnet Threat

• ONR Award N00014-09-10757
• http//www.cs.utexas.edu/aseehra/botnets/index.ht
  ml
• PI Joan Feigenbaum (Yale)
• http//www.cs.yale.edu/homes/jf/
• Project Review February 9, 2010
• Columbia University New York, NY

2
Investigators

• Yale (Prime contractor)
• Joan Feigenbaum, PI
• Bryan Ford
• Columbia (Subcontractor)
• Steven M. Bellovin, PI
• Angelos Keromytis
• Salvatore J. Stolfo
• UT Austin (Subcontractor)
• Vitaly Shmatikov, PI
• Michael Walfish
• ATT Labs (Industrial partner)
• William Cheswick

3
Botnets are groups of machines that

• are assembled by a botmaster,
• act together under the botmasters control, and
• engage in malicious activity.

4

• Question Is there a botnet threat (thats
  distinct from the general threat of
  network/computer insecurity)?
• WRT prevention No
• WRT detection Yes

5
Prevention

• Consent-based network architecture
• disallow unauthorized flows
• (Walfish and Keromytis)
• Deterministic virtualization
• disallow unauthorized actions
• (Ford)

6
Detection

• Characterize botnet traffic (Bellovin)
• First step CU NetFlow data
• Next step Larger NetFlow datasets,
• including ATTs
• Identify botmasters (Keromytis)
• Current Track induced traffic fluctuations in
  response traffic.
• Future Use poisoned documents with
  embedded beacons.

7
Detection and Prevention

• Network scan revealed many vulnerable embedded
  devices.
• Parasitic Embedded Machines can prevent this type
  of attack.
• (Stolfo)

• Lots of low-hanging fruit for botmasters
• Total scale of the problem still unknown

8
Shape and Scope of Project

• Originally proposed as a 5-year 7.5M MURI
  project.
• Currently an 18-month, 884K project with (only
  modestly) reduced scope.
• Whether, why, and how to continue after Sept.
  2010. (TBC this afternoon)