Titan: A Testbed for network based fingerprinting of botnets

Hardware/Software Requirements:
To construct the testbed, we need the following hardware modules:
Hardware Requirements
1. One server with the following specifications:
a. Minimum 4 GB RAM
b. Core i3 processor
c. 500 GB hard drive
d. Two LAN cards
2. One L2 switch
3. One system which serves as the client and hosts Xen, with the following specifications:
a. Minimum 4 GB RAM
b. Core i5 processor
c. 250 GB hard drive
4. Internet connection provided to the server
Software Requirements:
The following software modules are required:
1. Scientific Linux/Fedora on the server
2. DHCP server running on the server
3. Debian/Ubuntu Linux with Xen 4.1 installed on the client system
4. Open vSwitch installed on the server and the client system
5. OpenFlow installed on the server
6. AutoIt installed on the virtual machines inside the client system
7. OpenFlow controller installed on the server/gateway
8. Nmap installed on the server and the client
9. Python v2.7.3 installed along with lxml
10. Java JDK 6.0 & JRE v7 along with the Eclipse IDE for JSP
11. Apache web server
Testbed Web Overview
Titan provides some simple options to the user via a web interface for running an experiment. These options include:
1. Bot monitoring time: the amount of time a bot runs inside a virtual machine (the duration of a single phase)
2. Experiment scenario: currently only virtual machines are supported
3. Network settings: NATed, public IP or proxy setup
4. Number of experiment phases
5. Bot binary path: the bot binary to upload
The following figure shows the current JSP-based web site of the testbed:
Once an experiment starts, the web interface calls the appropriate network creation script to start the experiment. The following diagram describes the whole process:
[Process diagram showing the Web Interface, ec.sh, sudo.sh and the scenario creation scripts]
The creation process is also displayed on the testbed web interface.
Once the scenario is created, our containment policy module starts running and uses the following process to iteratively improve the policy:
[Process diagram, Containment Policy Process: OpenFlow/POX controller; edge "Spawn" to the Learning Module and the DNS Module; edge "Log" to Logging; Attack Detection; edge "Generate" to Containment Policy Generation; edge "Apply" back to the controller]
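As an added illustration of the log, detect, generate, apply loop above (this is example code written for this page, not Titan's containment policy module, and it does not use POX): flows from the infected VM are filtered through the current policy, attack detection runs over the flows that got through, each finding becomes a drop rule in OpenFlow match vocabulary, and the policy carries over into the next phase. The flow records, the two attack heuristics (port scan and SMTP burst) and their thresholds are constructed assumptions; the page does not say which attacks Titan detects.

```python
"""Added example (not Titan's code): a plain-Python model of the containment
policy loop. Titan runs this inside an OpenFlow/POX controller and installs
rules as flow-mods; here rules are dicts in OpenFlow match vocabulary
(nw_dst, nw_proto, tp_dst) so the loop runs offline."""
from collections import defaultdict

# Constructed flow records as the logging module might emit them, one list per
# experiment phase: (src_ip, dst_ip, proto, dst_port).
INFECTED_VM = "10.0.0.5"
CNC = (INFECTED_VM, "203.0.113.9", "tcp", 6667)          # IRC C&C channel, must stay open
PHASE1 = [
    (INFECTED_VM, "198.51.100.7", "udp", 53),            # DNS lookup handled by the DNS module
    CNC,
] + [(INFECTED_VM, "192.0.2.20", "tcp", p) for p in range(20, 60)]   # port scan of one host
PHASE2 = (
    [CNC]
    + [(INFECTED_VM, "192.0.2.%d" % h, "tcp", 25) for h in range(101, 140)]  # SMTP burst to 39 hosts
    + [(INFECTED_VM, "192.0.2.20", "tcp", p) for p in range(20, 30)]         # scan retry
)

# Assumed detection thresholds; the page does not give Titan's.
SCAN_PORT_THRESHOLD = 15    # distinct TCP ports tried on one destination
SPAM_HOST_THRESHOLD = 20    # distinct destinations contacted on tcp/25


def apply_policy(flows, policy):
    """Filter a phase's flows through the current policy: default allow,
    any matching drop rule ("*" is a wildcard) removes the flow."""
    passed, dropped = [], []
    for flow in flows:
        _, dst, proto, port = flow
        hit = any(r["nw_proto"] == proto
                  and r["nw_dst"] in (dst, "*")
                  and r["tp_dst"] in (port, "*")
                  for r in policy)
        (dropped if hit else passed).append(flow)
    return passed, dropped


def detect_attacks(flows):
    """Attack detection over the flows that actually reached the network."""
    ports_per_host = defaultdict(set)
    smtp_targets = set()
    for _, dst, proto, port in flows:
        if proto != "tcp":
            continue
        ports_per_host[dst].add(port)
        if port == 25:
            smtp_targets.add(dst)
    findings = [("portscan", host) for host, ports in ports_per_host.items()
                if len(ports) >= SCAN_PORT_THRESHOLD]
    if len(smtp_targets) >= SPAM_HOST_THRESHOLD:
        findings.append(("spam", "*"))
    return findings


def generate_rules(findings):
    """Containment policy generation: one drop rule per finding."""
    rules = []
    for kind, host in findings:
        if kind == "portscan":   # cut the scanned host off entirely
            rules.append({"nw_dst": host, "nw_proto": "tcp", "tp_dst": "*", "action": "drop"})
        elif kind == "spam":     # block outbound SMTP from the VM, keep everything else
            rules.append({"nw_dst": "*", "nw_proto": "tcp", "tp_dst": 25, "action": "drop"})
    return rules


def run_experiment(phases):
    """Iterate apply -> log/detect -> generate; the policy carries over
    between phases, so each phase starts with the rules learned so far."""
    policy, history = [], []
    for flows in phases:
        passed, dropped = apply_policy(flows, policy)      # apply
        findings = detect_attacks(passed)                  # log + detect
        new_rules = [r for r in generate_rules(findings) if r not in policy]   # generate
        policy.extend(new_rules)
        history.append({"dropped": len(dropped), "findings": findings,
                        "new_rules": len(new_rules)})
    return policy, history


if __name__ == "__main__":
    final_policy, phase_history = run_experiment([PHASE1, PHASE2])
    for i, h in enumerate(phase_history, 1):
        print("phase %d: dropped=%d findings=%s new_rules=%d"
              % (i, h["dropped"], h["findings"], h["new_rules"]))
    print("final policy:", final_policy)
```

The point of the model is the containment trade-off: the rules are as narrow as the finding allows (one scanned host, one outbound port), so the C&C channel on tcp/6667 keeps flowing across phases and the bot keeps producing traffic to fingerprint, while the scan retry in phase 2 is dropped before it reaches the network.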
The experiment runs for the user-defined time and number of phases. During the experiment, various AutoIt scripts run inside the infected virtual machine; these scripts simulate user activity, including visiting various web sites.
Once the experiment is finished, the output of the logging module consists of various log files. These log files are processed and a network fingerprint is generated. The following process diagram shows the stages of fingerprint generation:
[Process diagram, Fingerprint Generation Process: Logging feeds the XML Generator, which combines CnC Info, the URL Checker and VM ports info]
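As an added example of the fingerprint generation stage (written for this page; it is not Titan's XML generator, whose schema the report does not give): constructed DNS, connection, URL and Nmap logs are reduced to CnC servers (destinations the VM beacons to at a steady interval, tied back to the names the DNS module resolved), blocklisted URLs, and the VM's open ports, and written out as XML. The log formats, element names, beaconing heuristic and blocklist are all assumptions; the page lists lxml, but the stdlib ElementTree is used here so the example runs without it.

```python
"""Added example (not Titan's XML generator): builds a network fingerprint
from constructed experiment logs. The element names, the beaconing heuristic
for CnC detection and the URL blocklist are assumptions made here; the page
lists lxml, but the stdlib ElementTree is used so this runs without it."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# --- constructed sample logs (formats assumed) ---------------------------
# DNS module log: "<t_sec> <vm_ip> <query_name> <answer_ip>"
DNS_LOG = """\
0 10.0.0.5 irc.example.net 203.0.113.9
5 10.0.0.5 www.example.com 192.0.2.10
"""
# Connection log: "<t_sec> <src_ip> <dst_ip> <proto> <dst_port>"
CONN_LOG = """\
1 10.0.0.5 203.0.113.9 tcp 6667
6 10.0.0.5 192.0.2.10 tcp 80
61 10.0.0.5 203.0.113.9 tcp 6667
121 10.0.0.5 203.0.113.9 tcp 6667
181 10.0.0.5 203.0.113.9 tcp 6667
"""
# URLs seen in the VM's HTTP traffic, one per line
URL_LOG = """\
http://www.example.com/index.html
http://bad.example.org/update.exe
"""
# nmap grepable output (-oG) for a scan of the infected VM from the server
NMAP_OG = ("Host: 10.0.0.5 ()\tPorts: 80/open/tcp//http///, 6667/open/tcp//irc///"
           "\tIgnored State: closed (998)")

URL_BLOCKLIST = {"bad.example.org"}   # assumed; a real URL checker would query a reputation feed
MIN_BEACONS = 3                        # assumed minimum connections to call a host a CnC server


def find_cnc(conn_log):
    """CnC Info: destinations the VM contacts repeatedly at a near-constant
    interval (beaconing). Returns (dst_ip, proto, port, mean_period_sec)."""
    times = defaultdict(list)
    for line in conn_log.splitlines():
        t, _src, dst, proto, port = line.split()
        times[(dst, proto, int(port))].append(int(t))
    servers = []
    for (dst, proto, port), ts in times.items():
        if len(ts) < MIN_BEACONS:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= 0.1 * max(gaps):   # jitter within 10 %
            servers.append((dst, proto, port, sum(gaps) / len(gaps)))
    return servers


def dns_names_for(ip, dns_log):
    """Names the DNS module saw resolving to ip (ties CnC IPs to domains)."""
    return sorted({q for line in dns_log.splitlines()
                   for _t, _vm, q, a in [line.split()] if a == ip})


def check_urls(url_log):
    """URL Checker: URLs whose host is on the blocklist."""
    flagged = []
    for url in url_log.split():
        host = re.match(r"https?://([^/]+)", url).group(1)
        if host in URL_BLOCKLIST:
            flagged.append(url)
    return flagged


def vm_open_ports(nmap_og):
    """VM ports info: (port, proto, service) for open ports in an -oG line."""
    ports = re.search(r"Ports: ([^\t]+)", nmap_og).group(1)
    found = []
    for entry in ports.split(", "):
        f = entry.split("/")              # port/state/proto/owner/service/...
        if f[1] == "open":
            found.append((int(f[0]), f[2], f[4]))
    return found


def build_fingerprint(dns_log, conn_log, url_log, nmap_og):
    """XML Generator: combine the three information sources into one tree."""
    root = ET.Element("fingerprint")
    cnc = ET.SubElement(root, "cnc")
    for ip, proto, port, period in find_cnc(conn_log):
        srv = ET.SubElement(cnc, "server", ip=ip, proto=proto,
                            port=str(port), period_sec=str(period))
        for name in dns_names_for(ip, dns_log):
            ET.SubElement(srv, "domain").text = name
    urls = ET.SubElement(root, "urls")
    for url in check_urls(url_log):
        ET.SubElement(urls, "url", status="blocklisted").text = url
    vm_ports = ET.SubElement(root, "vm_ports")
    for port, proto, service in vm_open_ports(nmap_og):
        ET.SubElement(vm_ports, "port", number=str(port), proto=proto, service=service)
    return root


def fingerprint_xml(dns_log, conn_log, url_log, nmap_og):
    return ET.tostring(build_fingerprint(dns_log, conn_log, url_log, nmap_og),
                       encoding="unicode")


if __name__ == "__main__":
    print(fingerprint_xml(DNS_LOG, CONN_LOG, URL_LOG, NMAP_OG))
```

The CnC entry carries both the IP and the domain that resolved to it, which is the part of a fingerprint that survives a C&C IP change; the open-port list from the Nmap scan of the VM (tcp/6667 here) is what distinguishes a bot that also listens from one that only dials out.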
We are still testing and adding more features to the XML file, and working on displaying the XML file in a better formatted and graphical form.
All the relevant scripts are attached along with this report in a separate zip file.