Titan: A Testbed for network based fingerprinting of botnets Hardware/Software Requirements: To construct the test-bed, we need the following hardware modules: Hardware Requirements 1. One Server with following distinguishing specifications: a. Minimum 4 GB RAM b. Core i3 processor c. Hard drive 500 GB d. Two LAN Cards 2. One L2 Switch 3. One systems which serves as a client and host XEN with following specifications: a. Minimum 4 GB RAM b. Core i5 Processor c. Hard drive 250 GB 4. Internet connection provided to the Server Software Requirement: Following software modules are required: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. Scientific Linux/Fedora on Server DHCP server running on Server Debian/Ubuntu linux with XEN 4.1 installed OpenVSwitch installed on Server and Client System OpenFlow Installed on Server Auto-IT installed on virtual machines inside the client systems OpenFlow Controller installed on the Server/Gateway “Nmap” installed on Server and Client Python v.2.7.3 installed along with lxml Java JDK 6.0 & JRE v7 along with eclipse IDE for jsp Apache web server Testbed Web Overview Titan provides some simple options via a web interface to the user for running an experiment. These options include 1. Bot monitoring time : The amount of time for a bot to run inside a virtual machine (time for a single phase) 2. Experiment scenario: Currently only supports virtual machines 3. Network settings: NATed, Public IP & Proxy setup 4. No of experiment phases: No of phases in an experiment 5. Bot binary path: Bot binary to upload The following figure represents the current jsp based website of testbed: Once an experiment starts the web interface calls the appropriate network creation script to start the experiment. The following diagram describes the whole process Web Interface ec.sh Scenario creation scripts sudo.sh The creation process is also displayed on the testbed web interface One the scenario is created, our containment policy module starts running and uses the following process to iteratively improve the policy. Containment Policy Process OpenFlow/Pox Spawn Learning Module DNS Module Log Logging Attack Detection Generate Containment Policy Generation Apply The experiment runs for the user defined time and no of phases, during experiment various AutoIt scripts are running inside the infected virtualmachine. These scripts are simulating user activity and include visiting various sites. Once the experiment is finished, the output of logging module contains various log files, these log files are processed and a network fingerprint is generated. The following process diagram shows the various stages of fingerprint generation. Fingerprint Generation Process Logging XML Generator CnC Info URL Checker VM ports info We are still in the process of testing and adding more features into the xml file and displaying the xml file in more formatted and graphical format. All the relevant scripts are attached along with this report in a separate zip file.