KR20100074504A - Method for analyzing behavior of irc and http botnet based on network - Google Patents

Abstract

PURPOSE: A network-based IRC and HTTP botnet action analyzing method are provided to effectively cope with various types of bonnets by classifying a domain-based traffic, an IP/port-based traffic, and an URL(Uniform Resource Locator) hash-based traffic according to the type of a new botnet and an existing botnet. CONSTITUTION: Multiple traffic information collecting sensors collect traffics having centralized access characteristic(ST100~ST120). If the collected traffic is one between IP/Port-based traffic and an URL(Uniform Resource Locator) hash-based traffic, a botnet matching module matches the traffic with one between an existing botnet and a new botnet through comparison with existing botnet information. A VDNS(Virtual Domain Name Service) check module checks VDNS on a domain-based traffic among the collected traffics of a traffic collection managing module(ST190). Based on the action traffic of the detected botnet, the action type of the botnet is classified.

Description

METHODO FOR ANALYZING BEHAVIOR OF IRC AND HTTP BOTNET BASED ON NETWORK}

The present invention relates to a botnet behavior analysis method, and more particularly, to a network-based IRC and HTTP botnet behavior analysis method.

Numerous threats are emerging in cyberspace. Threats on the Internet are interspersed by stealing or collecting third-party personal information, exploiting it indecently, disseminating advertising mail, distributing advertising money, or discouraging competitors from providing information devices. Amidst such cyber damage, a new threat is dominating the Internet, a botnet. Recently, Arbor Networks has selected botnets and distributed denial of service attacks as the most serious network threats.

BotNet is a network in which many computers infected by malicious software bots are connected by a network. In other words, botnets are networked by computers infected by bots, which are remotely controlled by a botmaster who has the authority to control bots and can perform various malicious activities. This is called.

Botnets have evolved into Forbot, PBot, Toxbot, Machbot, PHP Bot, Storm Bot, etc. in the last 10 years since it first came out as EggDrop in 1993. (5,000 new malwares appear every day, TechNewsWorld, 2007). In particular, C & C servers (command & control, servers for commanding and controlling bot zombies) and malicious bots are widely distributed and concentrated in specific regions. This is because in a well-equipped environment with high-speed Internet, even a single tenth of PCs can use a more powerful DDoS-like attack. In particular, a domestic area with a high-speed Internet infrastructure is preferred as a botnet infection area. In addition, the number of PCs infected with bots and turned into zombie PCs continues to grow, and the size of botnets is growing. Vint Cerf, co-founder of the TCP / IP protocol, estimates that between 11 and 150 million computers, about 11 percent of the world's computers, will be infected with bot malware and will be used to carry out attacks. It is known to be connected to 230,000 zombies by botnet.

The botnet attack is becoming more serious because of its criminalization. As in the case of the item trader's service failure and cash demand intimidation accidents in 2007, the company frequently threatened the service provider to extort money and extort money, collect personal / financial information, and send spam. It is happening.

Bots have various characteristics of various malicious codes such as worms / viruses, backdoors, spyware, and rootkits, and most cyber attacks such as DDoS, Ad-ware, Spyware, spam sending, and illegal information collection are possible through botnet.

Early botnets were mostly IRC botnets, which used the characteristics of IRC, which were flexible and widely used. However, in order to make detection and response more difficult, it is based on the web protocol HTTP or distributed command / control system where all zombies can become C & C by moving away from the centralized command / control system (IRC, HTTP botnet) called C & C. It is evolving into a control botnet (P2P botnet).

Furthermore, it is evolving into a hybrid form that uses two or more protocols for command / control. Recently introduced MayDay worms use two protocols, such as Hypertext Transfer Protocol (HTTP) and Internet Control Message Protocol (ICMP), or multiple centralized point (C & C servers). The centralized point is evolving into a hybrid form that is connected in a P2P fashion.

Along with the evolution of command / control methods, malware also evolves rapidly, making detection / response very difficult. Packing / compression / encryption technology, VM (Virtual Machine) / debugger / sandbox detection bypass technology, RootKit technology to hide malicious codes make it very difficult to detect and analyze bots. In a way that exploits vulnerabilities, it is being diversified by various means such as web, email and messenger.

These botnet response technologies are divided into host-based detection and analysis based on the application and behavior of malicious bot programs on the PC, and network-based detection and analysis based on network traffic from bot zombies and C & C. Depending on the technical characteristics, it can be divided into signature-based and behavior-based.

In recent years, the severity of the botnet has been increasing internationally, research has been active, but IRC botnets have been mainly in progress, and HTTP and P2P botnets only deal with the current status and characteristics. Most existing researches on IRC botnets can be avoided through channel encryption, stealth scanning, command / control pattern changes, DNS spoofing, and false positives, and they have insufficient response to new HTTP / P2P new botnets. Level.

The present invention has been presented to solve the above problems, and an object of the present invention is to provide a network-based IRC and HTTP botnet behavior analysis method that can effectively analyze the IRC and HTTP botnet for each action type.

In order to achieve the above object, the network-based IRC and HTTP botnet behavior analysis method according to the present invention, the traffic having a centralized connection characteristics including domain-based traffic, IP / Port-based traffic and URL hash-based traffic A traffic classification module (TC) for collecting and determining whether the collected traffic is a botnet, a botnet configuration analysis module (BOA) for performing configuration analysis of traffic collected by the traffic classification module (TC) and classified as botnets; A method for analyzing and classifying behavior types of IRC botnets and HTTP botnets in a botnet detection system including a botnet behavior analysis module (BBA) that performs behavioral analysis of traffic classified by botnets collected by the traffic classification module (TC) A first step of collecting traffic having the centralized connection characteristics collected by a plurality of traffic information collection sensors, the collected data If the pick is any one of IP / Port based traffic and URL hash based traffic, the second step of matching the traffic to any one of the existing botnet and the new botnet by comparing the detected botnet information to the traffic collection management module. And a fourth step of checking whether VDNS (Virtual DNS) is checked for the domain-based traffic among the traffic collected by the traffic, and a fourth step of classifying the behavior type of the botnet based on the detected traffic behavior of the botnet. do.

Advantageously, the second step further comprises: if the centralized server of the traffic is different from the C & C server information of the botnet information and the accessing client IP list of the traffic is different from the zombie list of the botnet information, the traffic is sent to the new botnet message queue. To store in step 2-1. Further, when the centralized server of the traffic matches the C & C server information of the botnet information and the access client IP list of the traffic is different from the zombie list of the botnet information, the traffic is classified into a botnet expansion action and a separate flag is assigned. And steps 2-2 to store in the existing botnet message queue. In addition, when the centralized server of the traffic matches the C & C server information of the botnet information and the access client IP list of the traffic is similar to the zombie list of the botnet information, the traffic is classified into a C & C server reconnection and egg download behavior. The second and second steps of assigning a separate flag to the existing botnet message queue, and the centralized server of the traffic is different from the C & C server information of the botnet information, and the access client IP list of the traffic Similar to the zombie list, the traffic may be classified into a C & C server migration and other main botnet behaviors, and a second flag may be stored in an existing botnet message queue by assigning a separate flag.

More preferably, the fourth step is an egg downoad, in which the fourth step of requesting additional behavioral traffic to the traffic information collecting sensor for the detected botnet, and an action type of zombie downloading an additional attack module. DDoS attack, a type of zombie's distributed denial of service attack, spamming, a type of zombie sending spam, and spying, a type of zombie stealing personal information. Include steps 4-2 of analyzing and classifying the attack behaviors included. In addition, a botnet expansion action, a gross action, a Rally action to reconnect and maintain a C & C server, a migration action to migrate a C & C server, and a propagation action to propagate bot malware (Propagation) Include steps 4-3 to analyze and classify the proliferation / migration behavior that includes the behavior. And a fourth step of synthesizing the analyzed results of steps 4-2 and 4-3 and transmitting them to the log manager.

At this time, step 4-2, step 4-5 of analyzing and classifying the egg download behavior by comparing and checking the average amount of received traffic per packet occurring for a certain time, DDoS by checking whether the same transmission traffic occurs periodically Include steps 4-6 to analyze and classify attack behaviors. In addition, steps 4-7 for analyzing and classifying spamming attack behavior by checking whether mail transmission traffic is sent to the SMTP (port 25) server and comparing and checking the average amount of outgoing traffic per packet generated for a certain period of time To include steps 4-8 to analyze and classify the spying attack behavior. In step 4-5, the zombie analyzes both the direct download from the C & C server and the detour download from another download-only server.

In addition, step 4-3, step 4-9 that monitors the new zombie IP accessing the existing C & C server and classifies it as a gross act, and classifies it as a rally action by monitoring the traffic to reconnect to the C & C server or maintain the existing connection. To include steps 4-10. In addition, steps 4-11 of monitoring existing zombie access to C & C having a new IP and classifying it as migration behavior, and monitoring traffic transmitted from a single source (Src) IP to multiple destination (Dst) IPs To include steps 4-12 that classify the propagation behavior. In this case, steps 4-9 to 4-11 may include steps 4-13 of collecting channel and URL information and transmitting the collected channel and URL information to the botnet analysis module.

Preferably, the behavior traffic information field includes a header including a local botnet ID and traffic generation time managed by the detection system, and a request traffic information for each behavior analysis and definition. To include. In addition, the behavior traffic information field may include a botnet type for distinguishing between IRC and HTTP botnet protocols in the case of a channel / URL string delivery format, and a string including any one of a channel string of the IRC botnet and a URL string of the HTTP botnet. do. In addition, the Sending / Receiving Traffic forwarding format includes an average data volume size per packet of outgoing traffic and an average data volume size per packet of incoming traffic, and in the MX Query list forwarding format, MX of all sampled zombies sampled Include the percentage of zombie individuals that generated the query. In addition, the Dst Port 25 list forwarding format includes the ratio of the number of zombie subjects that generated transmission traffic to the SMTP (port 25) server out of all the detected zombies sampled, and in the case of the Sending Frequency forwarding format, Include the same packet sending frequency over the same time frame. In addition, in the case of a multi-connection list transfer format, the ratio of the number of zombie individuals that generate connection request traffic to multiple IPs among all sampled zombies to be detected is included.

In addition, the format of the behavior traffic request data requesting the behavior traffic includes a header including the botnet ID to which the zombie requesting the behavior traffic collection belongs, the number of sampled zombies and the sampled zombie IP list. On the other hand, the behavior information of the botnet analyzed in step 4-4 is transmitted, and the data format of the behavior information of the botnet is, in the case of the botnet egg download behavior information, the local botnet ID number and the botnet behavior occurrence time for detecting the detection system. Include the header, DNS query domain name, response IP for DNS query, port number of access server, URL of access server, access protocol, file name downloaded by zombie and file size downloaded by zombie.

At this time, in case of botnet DDoS behavior information, header including local botnet ID number and botnet behavior occurrence time for detection system recognition, domain name of damage system, IP (damage system IP, damage system port number and attack protocol) In addition, in case of botnet spamming information, the header including the local botnet ID number and the botnet behavior occurrence time for detecting the detection system, the domain name of the mail relay server, and the IP of the mail relay server should be included. , For botnet spying behavior information, a header containing the local botnet ID number and botnet behavior occurrence time for detection system identification, DNS query domain name, DNS query response IP, access server port number, access server URL, and Include the access protocol and, in the case of botnet gross behavioral information, the local botnet ID number for detection system detection. Header including botnet behavior occurrence time, new zombie population and new zombie IP list; for botnet rally behavior information, header containing local botnet ID number and botnet behavior occurrence time for detection system recognition; Include the number of active zombies and the IP list of active zombies.

In addition, in the case of botnet migration behavior information, a header including a local botnet ID number and botnet behavior occurrence time for detection system recognition, an IP of a new C & C server, and a URL of a new C & C server should be included. For botnet provisioning behavior information, include a header containing the local botnet ID number and botnet behavior occurrence time for detection system recognition, and a list of top access ports that are vulnerable target ports.

As described above, the network-based IRC and HTTP botnet behavior analysis method according to the present invention classifies domain-based traffic, IP / Port-based traffic, and URL hash-based traffic by botnet matching module by type of new and existing botnets. In addition, by effectively classifying and analyzing according to the behavior type of the botnet, it can effectively respond to various types of botnets.

Hereinafter, with reference to the accompanying drawings will be described in detail the advantages, features and preferred embodiments of the present invention.

1 is a block diagram of a botnet detection system according to the present invention. In order to detect IRC and HTTP botnets from the traffic information collection sensor, the data format of the traffic with centralized connection characteristics is received, and through this process, the centralized network constituting the star topology is found, and the botnet matching module After deciding whether or not a botnet is used, various actions are reclassified. The botnet matching module checks whether the network causing the centralized traffic found matches the existing botnet detected. If it is determined as a new botnet by the botnet matching module, the botnet configuration analysis module (BOA) requests additional behavioral traffic of the discovered zombies to the traffic information collection sensor.

Specifically, the botnet matching module performs botnet matching of the found centralized traffic by identifying the similarity between the centralized server and the access client IP list.

First, the botnet matching module matches existing detected botnets and detects botnets by defining them as new botnets when the centralized server is not the same as the existing C & C server information and the access client IP list is not similar to the existing zombie list. . The botnet configuration analysis module (BOA) requests traffic information collection sensors to collect additional behavior traffic generated by zombies of the detected new botnet, and then monitors and analyzes the behavior of the botnet.

On the other hand, if the centralized server is the same as the existing C & C server information, or the access client IP list is similar to the existing zombie list, the botnet matching module defines the existing botnet, and the matching result of the existing botnet is subsequently added by the botnet behavior analysis module (BBA). In order to be quickly recognized, the botnet matching module allows pre-classification and flagging by three behavioral bases (A, B, C). The flags according to each action base are as follows.

-A flag (botnet extension behavior): the centralized server matches the C & C server information but the access client IP list differs from the existing zombie list

-B flag (C & C server reconnection and egg download behavior): When centralized server matches C & C server information and access client IP list is similar to existing zombie list

C flag (C & C server migration and other major botnet behavior): Centralized server is different from C & C server information, but access client IP list is similar to existing zombie list

As described above, the botnet configuration analysis module (BOA) adds to the traffic information collection sensor for the detected botnet by monitoring the centralized traffic (DNS request domain, IP / Port information of the centralized server, and HTTP access URL). The behavioral traffic is requested, and based on the received behavioral traffic, the botnet behavior analysis module (BBA) reclassifies various botnet behaviors. The IRC Channel and HTTP URL information is passed back to the Botnet Configuration Analysis Module (BOA) to ensure accurate criteria for botnet protocol determination. The three groups of A / B / Cs that are largely classified based on the centralized traffic are further subdivided into specific activities based on the behavioral traffic.

2 is a block diagram of a traffic classification module TC according to the present invention. As shown in FIG. 1, the traffic classification module TC according to the present invention includes a filter, a collection / classification management policy module, a traffic collection management module, a botnet matching module, and a VDNS check module.

The filter receives only valid traffic from multiple traffic information collection sensors and provides a white list firewall for the IPs of the sensors in charge.

The collection / classification management policy module adjusts the status value by setting the policy transmitted from the management system and reflects it in the management policy so that the botnet detection system can respond quickly by referring to the real-time security event of the botnet control / security management system. Therefore, in order to quickly respond to unknown new botnets, C & C server blacklist matching can be enabled regardless of the zombie list distribution based on shared information of control systems.

The traffic collection management module collects and monitors traffic having central access characteristics, that is, basic traffic connected to a single common server to form a star topology. This is the basic collection traffic for IRC and HTTP botnet detection, and based on this, the botnet matching module determines whether a botnet is present. In addition, the traffic collection management module collects additional request traffic for analysis (traffic according to the behavioral traffic request of the botnet configuration analysis module), thereby allowing the botnet configuration analysis module to perform IRC and HTTP protocols (IRC Channel information, URL information, etc.) of the new botnet. ) To be analyzed. In this case, additional request traffic is collected only for some bots that have already been sampled among the detected bots, that is, the botnet configuration analysis module. In addition, the traffic collection management module may receive specific traffic urgently requested in order to prepare for the threat of a new botnet discovered by the security management policy and the shared information management policy of the control system.

When the traffic collected by the traffic collection management module is IP / Port-based traffic or HTTP hash-based traffic, the botnet matching module is divided into an existing botnet or a new botnet compared to the existing botnet. First, the botnet matching module detects similar traffic of the new botnet configuration for the traffic collected by the traffic collection management module. Specifically, if the centralized server is different from the existing C & C server information and the access IP list is different from the existing zombie list by matching the detected existing botnet information, it is detected and stored in the new botnet message queue. However, since the probability of normal traffic cannot be excluded, detailed reclassification should be performed in the botnet configuration analysis (BOA) module, and the final determination of authenticity of the traffic occurred in the new botnet configuration stage.

Next, the botnet matching module performs existing botnet detection and classification. Specifically, the centralized server detects and stores the existing botnet message queue when the centralized server is the same as the existing C & C server information or the access IP list is similar to the existing zombie list. The botnet matching module specifies three (A / B / C) behavior results that are classified in the message queue as flag bits so that the botnet behavior analysis (BBA) module can quickly recognize them. The three types of action result flags are as described above.

If the traffic collected by the traffic collection management module is domain-based traffic, the VDNS check module checks whether VDNS (Virtual DNS) is present. VDNS is a DNS operated by an attacker and can be used to easily change the IP of a C & C server domain without using Dynamic DNS. Since most of the requested domains are not returned during normal DNS queries, the VDNS check module checks the VDNS by matching the normal DNS table, and stores the newly detected VDNS query information in the message queue to analyze the botnet configuration module. And botnet behavior analysis module for reference.

3 is a diagram illustrating a traffic classification process of the traffic classification module. As shown in FIG. 2, the traffic classification process of the traffic classification module includes a collection management procedure, a botnet matching procedure, and a VDNS check procedure.

1. Collection Management Procedures

After the filter filters valid traffic among the traffic collected from the traffic information collection sensor according to the collection / classification management policy, the traffic collection management module collects traffic having a centralized access characteristic according to the collection / classification management policy ( ST100 to ST120).

The traffic collection management module then classifies the C & C based zombie list and detection system request traffic. The C & C-based zombie list represents the IP list of the zombies who requested the connection based on the same C & C, and the detection system request traffic represents the content information of the C & C communication protocol as behavior traffic for the new botnet requested by the botnet configuration analysis module.

The C & C based zombie list additionally enumerates zombie IP lists introduced based on the same C & C for a certain waiting time for botnet matching (ST130). If the number of enumerated IP lists after the set waiting time exceeds a threshold, botnet matching is performed (ST140). On the other hand, even when the number of IP lists does not reach the threshold, botnet matching is performed as a next step even when it is determined that the traffic of the botnet is matched with the C & C server blacklist updated by the sharing information of the control system (ST150).

First of all, “Connect Dst IP / Port” and “C & C Server IP / Port” are matched. The blacklist of C & C server IP / Port is updated by the shared information of the control system, and the blacklist update of C & C server domain is not necessary. not. It also matches “response IP for request domain” and “DNS sinkhole IP”. The DNS sinkhole IP list is not a shared information of the control system but a fixed list that the botnet detection system should have in advance. Specifically, 1) extract the domain of the C & C server finally determined by the control system, 2) share information with other ISPs, 3) apply all DNS sinkholes for the domain, and 4) When the traffic requesting the domain is collected (sensored), 5) when the response IP of the requesting domain is the sinkhole IP, it is determined as an action of the zombie. In all cases of ST130 to ST150, if it is impossible to determine whether or not botnet traffic, the traffic is invalidated. As described above, the zombie IP list is updated based on the same C & C server while maintaining a prescribed data format of various traffic collected by the traffic information collecting sensor.

2. Botnet Matching Procedure

As described above, the botnet matching module compares centralized server information with existing C & C server information for IP / Port based traffic and HTTP hash based traffic. It also compares access client IP lists with existing zombie lists to configure new botnets, collect existing botnets (A flag), reconnect C & C servers and download eggs (B flag), migrate C & C servers, and other major botnet behaviors for collected traffic. The data is classified into (C flags) and stored in each message queue (ST160 to ST180).

3. VDNS check procedure

The VDNS check module checks the VDNS status according to the collection / classification management policy for the domain-based traffic and stores new domain query information in the message queue (ST190).

4 is a block diagram of a botnet configuration analysis module according to the present invention.

The temporary configuration log receives and stores classified traffic information (Domain, Dst_IP / Port, Dst_URL_len) from the traffic collection management module. Meanwhile, the unclassified server access IP list log stores domains, IP / Ports and URLs classified as normal traffic in the C & C analysis and detection module, and transmits the results to the analysis result log.

The C & C analysis and detection module periodically reads traffic information needed for analysis from the temporary configuration log and analyzes similarity by domain, Dst_IP / Port, and URL. First, domain similarity analysis periodically reads domain information from a temporary configuration log, records source IPs requested for each domain in a matrix, and analyzes the matrix after a specific time to generate a zombie IP list. Next, the Dst_IP / Port similarity analysis periodically reads the Dst_IP / Port information from the temporary configuration log, records the source IPs that transmit packets matching each IP / Port combination, and analyzes the matrix after a specific time. The similarity is measured to generate a zombie IP list. In addition, URL similarity analysis periodically reads the Dst_URL information from the temporary configuration log, records the source IPs requested for each URL in a matrix, and analyzes the matrix after the feature time has elapsed to generate a zombie IP list. On the other hand, access protocol (command) analysis receives the traffic information sampled from the traffic information collection sensor and analyzes the access protocol (command) of each botnet, and in this process, the traffic detected by the botnet behavior is transmitted to the C & C extraction module.

The C & C extraction module receives the botnet traffic detected by the C & C analysis and detection module, stores the extracted C & C, and sends the analyzed traffic back to the zombie list extraction module.

The zombie list extraction module receives botnet traffic from the C & C extraction module and extracts a zombie list that accesses the URL detected by the botnet and stores it in the analysis result log.

The configuration event trigger aggregates the analysis results of each module and sends them to the log manager. The analysis result generates a trigger message to be used in a later policy and sends it to the event trigger.

5 is a block diagram of a botnet behavior analysis module according to the present invention.

Attack behavior analysis module analyzes Egg downoad behavior, DDoS attack behavior, Spamming attack behavior, and Spying attack behavior.

The egg download action corresponds to the B flag and the C flag, in the form of zombies downloading additional attack modules. At this time, the purpose of the download of the zombies is 1) to download the detailed attack execution module, 2) to download the e-mail address and mail content template for sending spam, and 3) to download the patch file for self-update and to remove other malicious code. Vaccine downloads, etc.). Egg download is performed by comparing and checking the average amount of received traffic per packet during a certain period of time. Both downloading directly from C & C server (B flag) and bypassing downloading from other download-only server (C flag) Analysis is possible.

DDoS attack behavior corresponds to the C flag, indicating a distributed denial of service attack. DDoS attack is performed by checking whether the same transmission traffic is occurred periodically.

Spamming attacks correspond to the C flag, which indicates that zombies send spam. Spamming attack behavior can be analyzed by checking whether a mail transmission traffic is sent to SMTP (port 25) server. When a zombie host sends a direction, MX query type DNS (port 53) traffic is generated for an IP request of a mail address domain. When sending through a mail relay server, an MX query action is performed. It does not occur.

Spying attacks correspond to the C flag, indicating that zombies steal personal information. Spying attack behavior can be analyzed by comparing and checking the average amount of transmission traffic per packet, that is, uploading traffic, over a certain period of time.

The diffusion / migration behavior analysis module analyzes growth behavior, rally behavior, migration behavior, and propagation behavior.

The growth behavior is the botnet expansion behavior, which corresponds to the A flag. When a new zombie IP is found that connects to an existing C & C server, it is classified as a growth behavior, that is, a botnet expansion behavior. In this case, the behavioral traffic that is the basis of the judgment is unnecessary and can be classified only as the centralized traffic. However, if determined to be a growth behavior, it transmits the collected channel and URL information to the botnet configuration analysis module.

The rally action corresponds to the B flag as the C & C server reconnect and maintain connection action. Rally behavior of IRC bots and HTTP bots is different.The IRC bot maintains a TCP connection by default until logout, but requires a reconnection in case of network failure or user shutdown. TCP must be reconnected. Zombies reissue DNS queries when reconnecting to TCP, and some zombies remember the IP obtained by DNS query once in their memory and do not query again (but if the C & C server's IP is changed and the connection fails, there is a problem. box). In addition, communication with the C & C server (command delivery and control) may generate traffic similar to Rally. On the other hand, even if the C & C server is migrated and the IP is changed, the attacker registers the domain of the C & C server with Dynamic DNS in order to maintain connection with existing zombies. Here, Dynamic DNS means re-registering the IP by changing the DNS table for the corresponding domain whenever the IP is changed. Rally behavior is determined by monitoring traffic that attempts to reconnect to the C & C server or maintain an existing connection. As in the growth behavior, when determined to be a rally behavior, the collected channel and URL information is transmitted to the botnet configuration analysis module.

The migration action is to migrate the C & C server, which corresponds to the C flag. Based on the behavior of existing zombies accessing C & C with a new IP. If the active C & C server is detected by the botnet detection system, the attacker can migrate to another server. After migration, the C & C server IP is changed, but the communication with existing zombies is not interrupted by the Dynamic DNS service. If it is determined to be a migration, it extracts the channel and URL information collected at this time and updates the information of the new C & C server.

Propagation acts to propagate bot malware. Propagation behavior cannot be analyzed with centralized traffic to a single destination, and can be propagated after scanning vulnerable ports or can be propagated immediately without scanning. Propagation acts as one zombie attempts to access the vulnerable ports of multiple IP without scanning process. It is characterized by whether it is scanned or not. Therefore, there is no traffic sent from a single Src (zombie) IP to multiple Dst IPs. It can be analyzed by checking.

The action event trigger aggregates the results analyzed in each module and sends them to the log manager. From the analysis results, a trigger message to be used in a later policy is generated and sent to the event trigger.

6 is a flowchart of transmission and reception data between the traffic information collecting sensor, the botnet detection system, and the control system.

As shown in FIG. 6, the collected traffic data transmitted from the traffic information collection sensor is centralized traffic data, Class O-1 (Domain-based traffic), Class 0-2 (IP / Port-based traffic), and Class 0- 3 (URL hash based traffic) and Class B-1 to 6 as behavior traffic data. In addition, the behavior traffic collection request data transmitted from the botnet detection system, specifically, the botnet configuration analysis module, is expressed as Class R for delivering the zombie list to be collected. In addition, the detection data transmitted from the botnet detection system to the control system includes Class O-1, which is the initial configuration of the botnet, Class O-2, which is suspected of the initial configuration of the botnet, and It includes Class B-1 to 8 as a result of behavior classification.

7 is a diagram illustrating a transmission data format of traffic information collected by the traffic collection management module. The basic processing data format of the centralized traffic detected by the traffic collection management module is generated in the form of enumerating IPs of zombies connected to it based on information of one C & C server. Meanwhile, the new botnet configuration information is transmitted to the botnet configuration analysis module, and the existing botnet behavior information is transmitted to the botnet behavior analysis module.

First, in case of Domain-based traffic, Time (Traffic occurrence time) is recorded in the header, and C & C Domain (C & C server's DNS query domain name) and C & C IP (Response IP at this time) in the centralized server (C & C server of botnet) field. ) Is recorded. Also, the Server Connection Host (Zombie List on Botnet) field contains Count (total number of Src objects found), Time Window (time interval from first zombie outbreak to last zombie outbreak), and Zombie IP List (IP List of Total Zombies Connected). Is recorded. At this time, the value of the centralized server field is collected from the communication traffic with the DNS server, not the direct communication traffic with the C & C server, and the collecting target port number is port 53.

Next, in case of IP / Port based traffic, Time (Traffic occurrence time) is also recorded in the header, and C & C IP (C & C Server's IP) and C & C Port (Access port number) in the centralized server (C & C server of botnet) field. ) Is recorded. Also, the Server Connection Host (Zombie List on Botnet) field contains Count (total number of Src objects found), Time Window (time interval from first zombie outbreak to last zombie outbreak), and Zombie IP List (IP List of Total Zombies Connected). Is recorded. At this time, the value of the centralized server field is collected from direct communication traffic with the C & C server, and the collection target port numbers are all ports.

Next, for URL hash-based traffic, the header also records Time, and the centralized server (C & C server on the botnet) field contains the C & C IP (the IP of the C & C server) and the URL hash (the same C & C server). Request HTTP URL string length). Also, the Server Connection Host (Zombie List on Botnet) field contains Count (total number of Src objects found), Time Window (time interval from first zombie outbreak to last zombie outbreak), and Zombie IP List (IP List of Total Zombies Connected). Is recorded. At this time, the value of the centralized server field is collected from direct communication traffic with the C & C server, and the collection target port numbers are all ports.

Meanwhile, each traffic sets a 2-bit flag for three classifications of behavior information. The flag indicates a bit value indicating whether the centralized server matches the C & C server and whether the access IP list matches the existing zombie list. It can be configured as a bit value.

FIG. 8 is a diagram illustrating a data format of behavior traffic information and illustrates a data format of behavior traffic information transmitted from a traffic information sensor to a botnet detection system, specifically, a botnet behavior analysis module. Basically, all data formats are created in the form of enumerating a list of Src IPs connected to one Dst server information.

The local ID in the header represents the local botnet ID managed by the detection system, and the time represents the traffic generation time. In addition, the behavior traffic information represents the request traffic information of the BOA for each behavior analysis and definition.

First, for the Channel / URL string delivery format (Class B-1), specify the IRC or HTTP botnet protocol in the botnet type (protocol) identification field, and the string is interpreted as a channel for the IRC botnet and a URL for the HTTP botnet. Interpreted If different strings are found, the sensor must select and transmit only one, and select the highest frequency of access channel / URL for all sampled zombies. In the case of IRC botnets, the access channels of all zombies are almost the same. In the case of HTTP botnets, if the normal user tries to connect to the same C & C server, the URL is different from the URL used by the botnet.

In addition, the Sending / Receiving Traffic transmission format (Class B-2) includes an average data volume (byte) size per packet of transmission traffic and an average data volume (byte) size per packet of reception traffic. In addition, the MX Query list delivery format (Class B-3) includes the ratio of the number of zombie individuals that generated MX queries among the total detected zombies (% of MX query zombies), and the Dst Port 25 list delivery format (Class B-4) includes the ratio of zombie populations (Dst Port 25 zombie number%) that generated the transmission traffic to the SMTP (port 25) server among all the sampled zombies sampled.

The Sending Frequency Delivery Format (Class B-5) includes a measure (distribution frequency distribution) for determining the distribution of the same packet sending frequency over the same time period for each zombie, which is necessary information for storing DDoS attacks after detection. The Sending Frequency delivery format also includes the DDoS attack protocol (except when based on ICMP). Attack target IP / Port information can be extracted from the centralized traffic information detected.

The multi-connection list delivery format (Class B-6) contains the percentage of zombie populations (% multi-connected zombies) that generated connection request traffic to multiple IPs among all the sampled zombies sampled. Information necessary for storing propagation actions. In addition, the multi-connection list transfer format includes port numbers (maximum of 10) of the attacking host that attempted access. At this time, the port number provides a good clue to identify the vulnerability that the attacker attempted to infiltrate, and specify only the top 10 port numbers accessed.

9 is a diagram illustrating the format of behavior traffic request data, which is a diagram illustrating the format of behavior traffic request data transmitted from the botnet configuration analysis module to the traffic information collection sensor. The behavior traffic request data automatically requests the traffic information collection sensor for the detected botnet's behavior traffic through the botnet configuration analysis of the botnet configuration analysis module, and detects only some zombie activity for botnet behavior traffic collection. In addition, the botnet detection system allows the traffic information collecting sensor to pre-sample and provide a zombie list to be detected.

The behavior traffic request data format (Class R) includes a local ID (botnet ID of the zombies to which the zombies to request collection of behavior traffic belong) in the header, and includes Count (sampled zombie population) and Sampled Zombie IP list. It includes.

10 is a diagram illustrating a data format of botnet behavior information. Each data format includes a local ID (local botnet ID number for detection system identification) and a Time (action occurrence time) in the header.

First, the botnet growth behavior information (Class B-1) includes Count (new zombie population) and Zombie IP List, and the botnet behavior behavior information (Class B-2) includes Count (active zombie population). And a Zombie IP List. In addition, the botnet migration behavior information (Class B-3) includes an IP (new C & C server IP (= new response IP for Dynamic DNS query)) and a URL (new C & C server URL (for web servers)). Botnet DDoS behavior information (Class B-4) includes Domain (damage system domain name (for DNS query generation)), IP (damage system IP (= response IP of DNS query)), and Port (damage system port number (TCP / UDP attack)) and Protocol (Attack Protocol (TCP | UDP | ICMP)). Botnet Spamming behavior information (Class B-5) includes Domain (mail relay server domain name (when DNS query occurs in case of relay)) and IP (mail relay server IP (in case of relay)). At this time, when the bot sends directly without passing through the relay server, the IP has a default value of '0'. In addition, botnet spying behavior information (Class B-6) includes Domain (DNS query domain name (for DNS query occurrence)), IP (access server IP (= response IP of DNS query)), and Port (access server port number). , URL (access server URL (for web servers)) and Protocol (connection protocol (TCP | UDP)). In addition, botnet egg download behavior information (Class B-7) includes Domain (DNS query domain name (for DNS query occurrence)), IP (access server IP (= response IP of DNS query)), and Port (access server port number). ), URL (access server URL (for web servers)), Protocol (connection protocol (TCP | UDP)), Filename (download file name (in conjunction with host-based detection systems)), Filesize (download file size (host-based detection) Interworking with the system). Finally, the botnet propagation behavior information (Class B-8) contains a Port list (Top 10 connection port list (= vulnerability target port)).

While the preferred embodiments of the present invention have been described using specific terms, such descriptions are for illustrative purposes only and it should be understood that various changes and modifications can be made without departing from the spirit and scope of the following claims. do.

1 is a block diagram of a botnet detection system according to the present invention.

2 is a block diagram of a traffic classification module according to the present invention.

3 is a flowchart illustrating a traffic classification process of the traffic classification module according to the present invention.

4 is a block diagram of a botnet configuration analysis module according to the present invention.

5 is a block diagram of a botnet behavior analysis module according to the present invention.

6 is a flowchart of transmission and reception data between the traffic information collecting sensor, the botnet detection system, and the control system.

7 is a diagram illustrating a transmission data format of traffic information collected by the traffic collection management module.

8 is a diagram illustrating a data format of behavior traffic information.

9 is a diagram illustrating a format of behavior traffic request data.

10 is a diagram illustrating a data format of botnet behavior information.

Claims (12)

A traffic classification module (TC) for collecting traffic having a centralized connection characteristic including domain-based traffic, IP / port-based traffic, and URL hash-based traffic, and determining whether the collected traffic is a botnet; Botnet configuration analysis module (BOA) for performing configuration analysis of traffic collected by botnet and classified into botnets and botnet behavior analysis module for conducting behavior analysis of traffic collected by the traffic classification module (TC) In a botnet detection system that includes (BBA), a method of analyzing and classifying the types of behavior of IRC botnets and HTTP botnets, A first step of collecting traffic having the centralized connection characteristic collected by a plurality of traffic information collecting sensors; A second step of matching the traffic to any one of an existing botnet and a new botnet by comparing the detected botnet information with any one of IP / Port based traffic and URL hash based traffic; A third step of checking whether a virtual DNS (VDNS) is applied to domain-based traffic among the traffic collected by the traffic collection management module; And And a fourth step of classifying the behavior type of the botnet based on the detected traffic of the botnet. The method of claim 1, The second step, A second step of storing the traffic in a new botnet message queue when the centralized server of the traffic is different from the C & C server information of the botnet information and the access client IP list of the traffic is different from the zombie list of the botnet information; If the centralized server of the traffic matches the C & C server information of the botnet information and the access client IP list of the traffic is different from the zombie list of the botnet information, the traffic is divided into botnet expansion actions and given a separate flag. Step 2-2 storing the existing botnet message queue; When the centralized server of the traffic matches the C & C server information of the botnet information, and the access client IP list of the traffic is similar to the zombie list of the botnet information, the traffic is divided into a C & C server reconnection and an egg download action. Granting a flag and storing it in an existing botnet message queue; And When the centralized server of the traffic is different from the C & C server information of the botnet information and the access client IP list of the traffic is similar to the zombie list of the botnet information, the traffic is divided into C & C server migration and other main botnet behaviors. Method of analyzing the network-based IRC and HTTP botnet behavior, characterized in that the step 2-4 to give a flag of the existing botnet message queue. The method of claim 1, The fourth step, And a step 4-1 of requesting additional behavior traffic from the traffic information collecting sensor for the detected botnet. The method of claim 1, The fourth step, Egg downoad, a type of zombie downloading additional attack modules, DDoS attack, a type of zombie distributed denial of service attack, Spaming attack, type of zombie sending spam, and zombie A step 4-2 of analyzing and classifying an attacking behavior including a spying attacking behavior, which is a type of activity of stealing personal information; Growth, botnet expansion, Rally, reconnecting and maintaining C & C servers, migration, migrating C & C servers, and propagation, propagating bot malware 4-3) analyzing and classifying a spreading / migrating activity including the act; And Method 4-4, the network-based IRC and HTTP botnet behavior analysis method comprising the step of 4-4 and the step of combining the analyzed results of the step 4-3 and the log manager. The method of claim 4, wherein The fourth step 2, A step 4-5 of analyzing and classifying egg download behavior by comparing and checking an average amount of received traffic per packet occurring for a predetermined time; Step 4-6 of analyzing and classifying DDoS attack behavior by checking whether the same transmission traffic is periodically generated; Steps 4 to 7 analyzing and classifying spamming attack behavior by checking whether mail transmission traffic sent to the SMTP (port 25) server is generated; And And a fourth step of analyzing and classifying spying attack behaviors by comparing and checking an average amount of transmission traffic per packet occurring for a predetermined time period. The method of claim 5, In the above 4-5 step, A method for analyzing network-based IRC and HTTP botnet behaviors, which analyzes both zombies downloading directly from the C & C server and bypassing downloads from other download-only servers. The method of claim 4, wherein Step 4-3, Steps 4-9 of monitoring new zombie IPs connecting to the existing C & C server and classifying them as gross behaviors; Step 4-10 of monitoring the traffic to be reconnected to the C & C server or maintaining the existing connection and classifying it as a rally action; Step 4-11 of monitoring existing zombie access to C & C having a new IP and classifying it as a migration action; And Network-based IRC and HTTP botnet behavior analysis comprising steps 4-12 that monitor and classify traffic transmitted from a single source (Src) IP to multiple destination (Dst) IPs as provisioning behavior Way. The method of claim 7, wherein Steps 4-9 to 4-11, A method for analyzing network-based IRC and HTTP botnet behavior, comprising the step of 4-13 collecting channel and URL information and transmitting the collected channel and URL information to the botnet configuration analysis module. The method of claim 1, The data format of the behavioral traffic of the botnet is A network-based IRC and HTTP botnet comprising a header including a local botnet ID and traffic generation time managed by the detection system, and a behavior traffic information field including request traffic information for each behavior analysis and definition. Behavior analysis method. The method of claim 9, The behavior traffic information field is The Channel / URL string delivery format includes a botnet type that distinguishes between IRC and HTTP botnet protocols, and a String including any one of a channel string of an IRC botnet and a URL string of an HTTP botnet, For the Sending / Receiving Traffic forwarding format, it includes the average data volume size per packet of outgoing traffic and the average data volume size per packet of incoming traffic, In the case of the MX Query list delivery format, it includes the ratio of the number of zombie individuals that generated MX queries out of all the detected zombies sampled, For the Dst Port 25 list forwarding format, contains the ratio of zombie populations that generated transport traffic to the SMTP (port 25) server out of all detected zombie samples, For the Sending Frequency delivery format, include the same packet sending frequency over the same time zone for each zombie, In the case of a multi-connection list transmission format, a network-based IRC and HTTP botnet behavior analysis method comprising the ratio of the number of zombie individuals that generate connection request traffic to multiple IPs among all the detected zombies sampled. The method of claim 3, wherein The format of the behavior traffic request data requesting the behavior traffic is A network-based IRC and HTTP botnet behavior analysis method comprising a header including a botnet ID to which a zombie to request collection of behavior traffic belongs, a number of sampled zombies and a sampled zombie IP list. The method of claim 4, wherein Transmitting the behavior information of the botnet analyzed in step 4-4, and the data format of the behavior information of the botnet, For botnet egg download behavior information, the header contains the local botnet ID number and the time when the botnet behavior occurred, the DNS query domain name, the response IP for the DNS query, the port number of the access server, the URL of the access server, Including connection protocols, filenames downloaded by zombies, and file sizes downloaded by zombies, In the case of botnet DDoS behavior information, it includes a header containing the local botnet ID number for the detection system and the time of the botnet behavior, the domain name of the victim system, the IP (the victim system's IP, the victim's port number, and the attack protocol). , In the case of botnet spamming information, the header includes a local botnet ID number for detecting the detection system and a header including the time of the botnet behavior occurrence, the domain name of the mail relay server, and the IP of the mail relay server. In the case of botnet spying behavior information, a header containing the local botnet ID number and botnet behavior occurrence time for detection system identification, DNS query domain name, DNS query response IP, access server port number, access server URL and access Including protocols, For botnet gross behavior information, it includes a header containing the local botnet ID number and the botnet behavior occurrence time for detection system recognition, the number of new zombie population and the IP list of new zombie, For botnet rally behavior information, it includes a header containing the local botnet ID number and botnet behavior occurrence time for detection system identification, the number of active zombies and the IP list of active zombies, For botnet migration behavior information, include a header containing the local botnet ID number and botnet behavior occurrence time for detection system identification, the IP of the new C & C server, and the URL of the new C & C server, In the case of botnet provisioning behavior information, a network-based IRC including a header containing a local botnet ID number for detecting a detection system and a botnet behavior occurrence time, and a list of upper access ports which are vulnerable target ports; How to analyze HTTP botnet behavior.

Images