A Signature-Based Architecture for Botnet Mitigation
Abstract
Botnets are considered one of the main threats to Internet security. These threats are characterized by being highly dynamic, frequently incorporating new features into their structures in order to reduce the effectiveness of systems such as antivirus software and IDSs. This paper presents a tool architecture for botnet mitigation and detection based on the network signatures of machines compromised by bots. Identifying botnet signatures in an automated way assists both in detecting compromised machines and in attenuating the damage they cause.
Published
11/10/2010
How to Cite
CERON, João Marcelo; GRANVILLE, Lisandro Zambenedetti; TAROUCO, Liane Margarida Rockenbach. Uma Arquitetura Baseada em Assinaturas para Mitigação de Botnets. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 10., 2010, Fortaleza. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2010. p. 105-118. DOI: https://doi.org/10.5753/sbseg.2010.20581.