BITS Pilani Hyderabad Campus Intrusion Detection Mechanisms for Peer-to-Peer Networks – Pratik Narang.

Acknowledgements
- Dr. Chittaranjan Hota (BITS – Pilani, Hyderabad)
- Dr. V.N. Venkatakrishnan (University of Illinois at Chicago)
- Dr. Nasir Memon (New York University, Abu Dhabi)
- Supported by

Introduction
- What are P2P networks?
- What is a bot?
- What are botnets?
- What are Peer-to-Peer based botnets?

Peer-to-Peer networks
- are distributed systems consisting of interconnected nodes
- are able to self-organize into network topologies
- are built with the purpose of sharing resources such as content, CPU cycles, storage and bandwidth
- Famous applications: BitTorrent, Skype, eMule

Peer-to-Peer networks [figure: a P2P overlay layer of peers A–H mapped onto the native IP layer spanning AS 1 to AS 6]

Generic P2P architecture [layered figure]
- Applications: Content Storage, Search API, Overlay Messaging API
- Overlay services: Join/Leave, Bootstrap, Neighbor Discovery, Routing and Forwarding
- Peer services: Capability & Configuration, Peer Role Selection, NAT/Firewall Traversal
- Operating System

P2P: uses & misuses

Traditional Botnets [figure: a Bot-Master controlling the bots through a central command-and-control point]

Peer-to-Peer Botnets [figure: bots exchanging commands over a P2P overlay with no central controller] Source:

Dataset

Botnet  | What it does?                                                      | Type / Size of data  | Source of data
--------|--------------------------------------------------------------------|----------------------|------------------------------------------------------------------
Sality  | Infects executable files, attempts to disable security software    | Binary (.exe) file   | Generated on testbed
Storm   | Spam                                                               | .pcap file / 4.8 GB  | Obtained from Univ. of Georgia
Waledac | Spam, password stealing                                            | .pcap file / 1.1 GB  | Obtained from Univ. of Georgia
ZeuS    | Steals banking information by MITM, key logging and form grabbing  | .pcap file / 1 GB    | Obtained from Univ. of Georgia and CVUT Prague + Generated on testbed
Nugache | Spam                                                               | .pcap file / 58 MB   | Obtained from University of Texas at Dallas

Benign data: multiple P2P applications, web traffic, etc.

P2P apps v/s P2P bots
- Applications:
  - A human user – 'bursty' traffic
  - High volume of data transfers seen
  - Small inter-arrival time of packets seen in apps
- Botnets:
  - Automated / scripted commands
  - Low in volume, high in duration
  - Large inter-arrival time of packets seen in stealthy bots
* Both randomize ports and use TCP as well as UDP

Approach
- Gather five-tuple flows from network traffic
  - Flows: IP1, IP1-port, IP2, IP2-port, protocol
- Cluster flows based on bi-directional features
  - Protocol, Packets per sec (f/w), Packets per sec (b/w), Avg. payload size (f/w), and Avg. payload size (b/w)
- Create two-tuple conversations within each cluster
  - Conversations: IP1, IP2
- For each tuple, extract 4 features:
  - The duration of the conversation
  - The number of packets exchanged in the conversation
  - The volume of the conversation (no. of bytes)
  - The median value of the inter-arrival time of packets in the conversation
- Differentiate between and categorize P2P apps & bots with these features
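The pipeline above, carried through on constructed packet records, as an added example that is not PeerShark's own code: the direction-agnostic five-tuple and two-tuple keys, the five bi-directional flow features the slides name as clustering input, and the four conversation features. The packet records, the IP addresses and the "forward = direction of the first packet" convention are assumptions; the flow-clustering algorithm itself is not described on the slides and is left out, so conversations are formed over all flows.

```python
"""Flow and conversation features in the style of the PeerShark pipeline.

Added example (not the project's code): builds five-tuple flows from packet
records, computes the bi-directional flow features the slides list as
clustering input, and aggregates packets into two-tuple conversations with
the four conversation features.
"""
from collections import defaultdict
from statistics import median

# Constructed packet records: (time_s, src_ip, src_port, dst_ip, dst_port, proto, payload_len).
# Conversation A mimics a human-driven P2P app (bursty, large payloads);
# conversation B mimics a stealthy bot (few, small, widely spaced packets).
PACKETS = [
    (0.0, "10.0.0.5", 51000, "203.0.113.7", 6881, "TCP", 1400),
    (0.1, "203.0.113.7", 6881, "10.0.0.5", 51000, "TCP", 60),
    (0.2, "10.0.0.5", 51000, "203.0.113.7", 6881, "TCP", 1400),
    (0.3, "203.0.113.7", 6881, "10.0.0.5", 51000, "TCP", 60),
    (0.4, "10.0.0.5", 51000, "203.0.113.7", 6881, "TCP", 1400),
    (0.5, "203.0.113.7", 6881, "10.0.0.5", 51000, "TCP", 60),
    (0.0, "10.0.0.9", 40123, "198.51.100.4", 16471, "UDP", 40),
    (30.0, "198.51.100.4", 16471, "10.0.0.9", 40123, "UDP", 48),
    (60.0, "10.0.0.9", 40123, "198.51.100.4", 16471, "UDP", 40),
    (95.0, "198.51.100.4", 16471, "10.0.0.9", 40123, "UDP", 48),
]


def flow_key(pkt):
    """Direction-agnostic five-tuple: both directions of a flow share one key."""
    _, sip, sport, dip, dport, proto, _ = pkt
    ends = sorted([(sip, sport), (dip, dport)])
    return (ends[0], ends[1], proto)


def conversation_key(pkt):
    """Direction-agnostic two-tuple (unordered IP pair)."""
    _, sip, _, dip, _, _, _ = pkt
    return tuple(sorted([sip, dip]))


def group_by(packets, keyfn):
    """Group packets by key, keeping each group in time order."""
    groups = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        groups[keyfn(pkt)].append(pkt)
    return groups


def flow_features(flow_pkts):
    """(proto, pps f/w, pps b/w, avg payload f/w, avg payload b/w).

    Assumption: 'forward' is the direction of the first packet seen in the flow.
    """
    first_src = flow_pkts[0][1]
    fwd = [p for p in flow_pkts if p[1] == first_src]
    bwd = [p for p in flow_pkts if p[1] != first_src]
    duration = flow_pkts[-1][0] - flow_pkts[0][0]
    span = duration if duration > 0 else 1.0  # single-packet flow: rate over 1 s

    def avg_payload(pkts):
        return sum(p[6] for p in pkts) / len(pkts) if pkts else 0.0

    return (flow_pkts[0][5], len(fwd) / span, len(bwd) / span,
            avg_payload(fwd), avg_payload(bwd))


def conversation_features(conv_pkts):
    """The four conversation features from the slides."""
    times = [p[0] for p in conv_pkts]
    iats = [b - a for a, b in zip(times, times[1:])]
    return {
        "duration": times[-1] - times[0],
        "packets": len(conv_pkts),
        "bytes": sum(p[6] for p in conv_pkts),
        "median_iat": median(iats) if iats else 0.0,
    }


def extract(packets):
    """Return (flow feature vectors, conversation feature dicts)."""
    flows = {k: flow_features(v) for k, v in group_by(packets, flow_key).items()}
    convs = {k: conversation_features(v)
             for k, v in group_by(packets, conversation_key).items()}
    return flows, convs


if __name__ == "__main__":
    flows, convs = extract(PACKETS)
    for k, f in flows.items():
        print("flow", k, f)
    for k, c in convs.items():
        print("conversation", k, c)
```

Run it and the two conversations separate on exactly the axes the previous slide describes: the app-like pair shows sub-second median inter-arrival time and kilobytes of volume over half a second, the bot-like pair a 30-second median gap and under 200 bytes over 95 seconds.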

Architecture

Data crunching

Results [figures: performance of classifiers on test data; performance of classifiers on unseen P2P botnets]

- PeerShark: Detecting P2P Botnets by Tracking Conversations. Presented at IEEE Security & Privacy Workshops (co-located with the 35th IEEE Symposium on Security & Privacy), San Jose, USA, May (Pratik Narang, Subhajit Ray, Chittaranjan Hota and V.N. Venkatakrishnan).
- PeerShark: Flow-clustering and Conversation-generation for Malicious P2P traffic Identification. The EURASIP Journal on Information Security 2014, 2014:15. (Pratik Narang, Chittaranjan Hota and V.N. Venkatakrishnan)

Other tracks

Signal-processing Techniques for P2P Botnet Detection
- Approach & Contributions:
  - To uncover hidden patterns between the communications of bots, we convert the time-domain network communication of peers to the frequency domain.
  - We extract 2-tuple conversations from network traffic and treat those conversations as a signal.
  - We extract several 'signal-processing' based features using Fourier Transforms and Shannon's Entropy theory.
  - We calculate:
    - FFT(inter-arrival_time)
    - FFT(payload_sizes)
    - Compression-ratio(payload_sizes)

Signal-processing Techniques for P2P Botnet Detection [architecture figure: Packet Validation and Filtering Module (valid packets kept, discarded packets dropped) -> Conversation Creation Module -> Feature Set Extraction Module (signal-processing based features and network-behavior based features) -> Machine Learning based modules -> conversations labelled malicious or benign; P2P botnets identified]

- Machine-learning Approaches for P2P Botnet Detection using Signal-processing Techniques. The 8th ACM International Conference on Distributed Event-Based Systems (DEBS '14), ACM SIGMOD/SIGSOFT, Mumbai, India, pp , May (Pratik Narang, Vansh Khurana and Chittaranjan Hota)

Host-based approach using Hadoop [pipeline figure: traffic from the Distributed Systems Lab and Student Hostels flows through a Hadoop cluster of a name node and data nodes]
1. Data collection
2. Parse packets with Tshark
3. Push data to HDFS
4. Host-based features extracted with Hive
5. Feature set evaluated against models built with Mahout
P2P bots detected -> Trigger firewall rules

- Hades: A Hadoop-based Framework for Detection of Peer-to-Peer Botnets. The 20th International Conference on Management of Data (COMAD) 2014, Hyderabad, Dec (Pratik Narang, Abhishek Thakur and Chittaranjan Hota)

Code: Feedback: