SECURING NETWORKS USING SDN AND MACHINE LEARNING DRAGOS COMANECI –

ABOUT ME
Software Engineer/Security Researcher at Ixia in the ATI (Application Threat Intelligence) team
Reverse engineering & emulating application protocols and strikes
Doing a PhD on Software-Enabled Adaptive Network Traffic Management (short version: SDN + ML)

SHORT INTRODUCTION
Problem: traditional signature-based IDS/IPS approaches do not scale as networks grow larger and more complex, and a signature only catches what has already been seen
Solution: an adaptive way of defending the network, combining SDN (programmable forwarding) with machine learning (traffic models learned from the network itself)
Allows: anomaly detection, botnet detection, honeypot rerouting

SYSTEM OVERVIEW

INTEGRATING FLOW CLASSIFICATION INTO AN SDN CONTROLLER
Modern SDN controllers are basically event handlers
Streams of events (e.g. packet-in, flow removed) come into the controller from the network and are transformed into forwarding rules
Structure flow classification the same way: the classifier's verdict becomes just another event (e.g. a flow match) that handlers turn into rules

NETWORK ANOMALY DETECTION
Continually train & refine supervised models for the traffic flows in our network
When a new flow doesn't match any model, flag it as suspicious and add it to the queue for the clustering algorithm
Run clustering with side information to see whether there are other flows similar to it
If it ends up in a separate cluster => anomaly; if not, refine the model of the closest match with it

BOTNET DETECTION
Groups of hosts communicate periodically with a C&C server and receive commands from it that they execute (e.g. performing DDoS, scanning the network, sending spam, etc.)
The communication flow with the C&C server matches no model => anomaly
Similar communication flows are performed afterwards to carry out the command => group of related flows
Anomaly + a group of related flows originating from the same host afterwards => bot
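The correlation rule on this slide, written out as an added example (not code from the talk or from Ixia): given flow records that already carry the supervised classifier's verdict, a host is reported as a bot when an unmatched flow (the C&C candidate) is followed, within a time window, by a group of related flows to several destinations. The record layout, the "related" key (same destination port, protocol and coarse size bucket), the window, the group size and the sample records are all assumptions constructed for the example; the addresses are from the RFC 5737/3849 documentation ranges.

```python
"""Added example: bot detection as anomaly + group of related flows afterwards.
Hypothetical record format and thresholds; constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FlowRecord:
    ts: float               # seconds since capture start
    src: str                # host that initiated the flow
    dst: str
    dport: int
    proto: str
    label: Optional[str]    # flow type from the supervised models; None = matched none (anomaly)
    bytes_out: int


def related_key(rec):
    # assumption: flows are "related" when they share destination port, protocol
    # and a coarse size bucket, whatever the destination host is
    return (rec.dport, rec.proto, rec.bytes_out // 256)


def detect_bots(records, window=60.0, min_group=3):
    """Return {host: evidence} for hosts whose unmatched flow was followed within
    `window` seconds by related flows to at least `min_group` distinct targets."""
    by_host = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.ts):
        by_host[rec.src].append(rec)
    bots = {}
    for host, flows in by_host.items():
        for i, cc in enumerate(flows):
            if cc.label is not None:
                continue                            # only an anomaly can be the C&C candidate
            groups = defaultdict(set)               # related_key -> distinct targets
            for follow in flows[i + 1:]:
                if follow.ts - cc.ts > window:
                    break
                if follow.dst == cc.dst:
                    continue                        # further C&C chatter is not the command's traffic
                groups[related_key(follow)].add(follow.dst)
            for key, targets in groups.items():
                if len(targets) >= min_group:
                    bots[host] = {"cc": cc.dst, "command_group": key, "targets": len(targets)}
                    break
            if host in bots:
                break
    return bots


def group_botnets(bots):
    """Bots sharing the same C&C destination are reported as one botnet."""
    nets = defaultdict(set)
    for host, evidence in bots.items():
        nets[evidence["cc"]].add(host)
    return dict(nets)


def sample_records():
    # constructed flow records, not captured traffic
    recs = []
    cc = "203.0.113.5"
    for host, t0 in (("192.0.2.11", 0.0), ("192.0.2.12", 5.0)):
        recs.append(FlowRecord(t0, host, cc, 8080, "tcp", None, 300))          # beacon to unknown service
        for j in range(4):                                                      # spam run after the command
            recs.append(FlowRecord(t0 + 10 + j, host, f"198.51.100.{j + 1}", 25, "tcp", "smtp", 600 + j))
    recs.append(FlowRecord(2.0, "192.0.2.13", "203.0.113.9", 4444, "tcp", None, 120))   # anomaly, no follow-up group
    recs.append(FlowRecord(20.0, "192.0.2.13", "198.51.100.7", 443, "tcp", "https", 900))
    for j in range(6):                                                          # plain browsing: related flows, no anomaly
        recs.append(FlowRecord(1.0 + j, "192.0.2.14", f"198.51.100.{j + 10}", 80, "tcp", "http", 700))
    return recs


if __name__ == "__main__":
    found = detect_bots(sample_records())
    print(found)
    print(group_botnets(found))
```

The host with an anomaly but a single follow-up flow and the host with many related flows but no preceding anomaly are both left alone; only the two hosts that show both halves of the pattern, and share the same C&C destination, come out as one botnet.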

HONEYPOT TRAFFIC REROUTING
As before, if the flow doesn't match any supervised model, mark the host which initiated it as suspicious and store the flow 5-tuple
The next time that host tries to communicate, reroute the new flow to a honeypot instead of its intended destination
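The three slides above (classification as a controller event, flagging of flows that match no model, honeypot rerouting of the flagged host's next flow) as one event-driven loop, written as an added example and not code from the talk, from Ixia or from the Diffuse project. PacketIn events are buffered per 5-tuple, classified once enough packets have been seen, and the verdict is emitted as a FlowClassified event; handlers turn that into rules. The event names, the rule format, the honeypot address and the envelope model (a per-flow-type feature range that stands in for the C4.5 trees the talk trains in WEKA) are assumptions.

```python
"""Added example, not the talk's or Diffuse's code: flow classification as a
controller event, with the anomaly-flagging and honeypot-rerouting steps.
Hypothetical event names, rule format and honeypot address throughout."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

HONEYPOT_IP = "10.0.0.250"      # assumption: honeypot address in the testbed
PACKETS_BEFORE_DECISION = 5     # classify a flow once this many packets were seen


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


@dataclass
class PacketIn:                 # event from the network: one packet of some flow
    flow: FiveTuple
    size: int


@dataclass
class FlowClassified:           # event produced by the classifier
    flow: FiveTuple
    label: Optional[str]        # None: the flow matched no supervised model


def features(sizes):
    # min, mean, max, standard deviation and sum of the packet sizes seen so far
    return (min(sizes), statistics.mean(sizes), max(sizes), statistics.pstdev(sizes), sum(sizes))


class EnvelopeModel:
    """One model per flow type: a flow matches when every feature lies inside the
    range seen in training, widened by a relative margin (stand-in for C4.5)."""

    def __init__(self, training, margin=0.25):
        self.ranges = {}
        for label, flows in training.items():
            cols = zip(*(features(sizes) for sizes in flows))
            self.ranges[label] = [(min(c) * (1 - margin), max(c) * (1 + margin)) for c in cols]

    def classify(self, sizes):
        vec = features(sizes)
        for label, rng in self.ranges.items():
            if all(lo <= x <= hi for x, (lo, hi) in zip(vec, rng)):
                return label
        return None                 # matched no model


class Controller:
    def __init__(self, model):
        self.model = model
        self.handlers = defaultdict(list)
        self.buffers = defaultdict(list)    # flow -> packet sizes seen so far
        self.labels = {}                    # flow -> classification result
        self.suspicious_hosts = {}          # host -> the 5-tuple that got it flagged
        self.anomaly_queue = []             # unmatched flows waiting for the clustering stage
        self.rules = []                     # forwarding rules pushed to the switches
        # handler order matters: a suspicious host is rerouted before anything else
        self.on(PacketIn, self.reroute_suspicious)
        self.on(PacketIn, self.buffer_and_classify)
        self.on(FlowClassified, self.record_result)

    def on(self, event_type, handler):
        self.handlers[event_type].append(handler)

    def emit(self, event):
        for handler in self.handlers[type(event)]:
            if handler(event):              # a handler returning True consumes the event
                return

    def reroute_suspicious(self, ev):
        flagged = self.suspicious_hosts.get(ev.flow.src_ip)
        if flagged is None or ev.flow == flagged:
            return False                    # unknown host, or the flow still under analysis
        rule = {"match": ev.flow, "actions": [("set_ip_dst", HONEYPOT_IP), ("output", "honeypot_port")]}
        if rule not in self.rules:
            self.rules.append(rule)
        return True

    def buffer_and_classify(self, ev):
        buf = self.buffers[ev.flow]
        buf.append(ev.size)
        if len(buf) == PACKETS_BEFORE_DECISION:
            self.emit(FlowClassified(ev.flow, self.model.classify(buf)))
        return False

    def record_result(self, ev):
        self.labels[ev.flow] = ev.label
        if ev.label is None:                # no model fits: flag host, queue flow for clustering
            self.suspicious_hosts.setdefault(ev.flow.src_ip, ev.flow)
            self.anomaly_queue.append(ev.flow)
        else:
            self.rules.append({"match": ev.flow, "actions": [("output", "normal")]})
        return False


def demo():
    # constructed training flows (packet sizes) for two known flow types
    training = {
        "http": [[60, 1400, 1400, 1400, 60], [60, 1200, 1400, 1300, 60], [60, 1400, 1300, 1400, 60]],
        "dns": [[70, 90, 70, 90, 70], [60, 100, 60, 100, 60], [80, 110, 80, 110, 80]],
    }
    ctl = Controller(EnvelopeModel(training))
    probe = FiveTuple("10.0.0.7", "10.0.0.20", 40123, 22, "tcp")      # 40-byte probes: fit no model
    for _ in range(PACKETS_BEFORE_DECISION):
        ctl.emit(PacketIn(probe, 40))
    follow_up = FiveTuple("10.0.0.7", "10.0.0.21", 40124, 80, "tcp")  # same host's next flow
    ctl.emit(PacketIn(follow_up, 60))
    benign = FiveTuple("10.0.0.8", "10.0.0.53", 5353, 53, "udp")      # looks like the dns training flows
    for size in [70, 90, 70, 90, 70]:
        ctl.emit(PacketIn(benign, size))
    return ctl
```

Running demo() flags 10.0.0.7 after its fifth probe packet, installs a honeypot redirect for the host's following flow to 10.0.0.21 without classifying it, and lets the dns-like flow from 10.0.0.8 through with a normal forwarding rule. The redirect rule is keyed on the new flow's 5-tuple, so the flagged flow itself keeps being analysed rather than being silently swallowed.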

SYSTEM ARCHITECTURE

EXPERIMENTAL TESTBED

TESTING & RESULTS
Used the Ixia BreakingPoint traffic emulator to simulate enterprise, small-business and ISP network traffic with three application profiles:
Enterprise
SOHO/Small Business
Sandvine 2H 2013 North America Fixed

TESTING & RESULTS
Along with the normal network traffic, we also emulated application attacks (the Critical Strikes strikelist, 607 strikes) as well as botnet traffic (1646 different botnets, the majority of them HTTP based)

EVALUATION & RESULTS
For training data, we generated packet captures with 256 streams for each flow type in the application profile
Then we trained a C4.5 classification model for Diffuse for each flow type through the WEKA ML framework
Classification accuracy:
Application profile                   | Without attack/botnet traffic | With attack/botnet traffic
Enterprise                            | 82%                           | 68%
SOHO/Small Business                   | 87%                           | 71%
Sandvine 2H 2013 North America Fixed  | 79%                           | 63%
Mixing attack and botnet traffic into the profile costs 14 to 16 points of accuracy in every profile: the models only know the benign flow types they were trained on

CLASSIFICATION TIME
How many packets do we have to inspect before we can reach a conclusion about the flow type? (capped at 20 packets)
Flow features:
Minimum, mean, maximum, standard deviation and sum of the packet sizes
First 10 packet sizes
First 10 packet communication endpoints (initiator/responder)
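The feature vector on this slide, and the "how many packets until a conclusion" question, as an added example (not code from the talk, from Ixia or from Diffuse). extract_features builds the 25-value vector from the first 20 packets, zero-padding the first-10 slots of short flows; packets_to_decision re-classifies the flow after every packet and reports the packet count from which the verdict stops changing. The nearest-centroid classifier, the direction encoding (+1 initiator, -1 responder, 0 padding) and the training flows are assumptions standing in for the talk's WEKA-trained C4.5 models.

```python
"""Added example: the talk's flow features with the 20-packet cap, plus a
measurement of how many packets the classifier needs before its verdict
stabilises. Nearest-centroid classifier and training flows are assumptions."""
import statistics

PACKET_CAP = 20     # inspect at most this many packets of a flow
FIRST_N = 10        # per-packet features are kept for the first 10 packets


def extract_features(packets, cap=PACKET_CAP):
    """packets: list of (size, direction) with direction 'i' (initiator) or 'r' (responder).
    Returns [min, mean, max, stdev, sum] + 10 packet sizes + 10 directions (zero-padded)."""
    seen = packets[:cap]
    sizes = [size for size, _ in seen]
    stats = [min(sizes), statistics.mean(sizes), max(sizes), statistics.pstdev(sizes), sum(sizes)]
    first_sizes = sizes[:FIRST_N]
    first_dirs = [1 if d == "i" else -1 for _, d in seen[:FIRST_N]]
    pad = [0] * (FIRST_N - len(first_sizes))
    return stats + first_sizes + pad + first_dirs + pad


class NearestCentroid:
    """Assigns the flow type whose mean training feature vector is closest."""

    def __init__(self, training):
        self.centroids = {
            label: [statistics.mean(col) for col in zip(*(extract_features(f) for f in flows))]
            for label, flows in training.items()
        }

    def classify(self, vec):
        return min(self.centroids,
                   key=lambda lbl: sum((a - b) ** 2 for a, b in zip(vec, self.centroids[lbl])))


def packets_to_decision(flow, model, cap=PACKET_CAP):
    """Classify after each packet; return (final label, smallest packet count from
    which every later verdict already equals the final one)."""
    labels = [model.classify(extract_features(flow[:k])) for k in range(1, min(cap, len(flow)) + 1)]
    final = labels[-1]
    k = len(labels)
    while k > 1 and labels[k - 2] == final:
        k -= 1
    return final, k


def demo():
    # constructed training flows: a small request followed by large responses,
    # versus a chatty session of small alternating packets
    training = {
        "bulk": [[(60, "i")] + [(1400, "r")] * 19,
                 [(80, "i")] + [(1400, "r")] * 19,
                 [(60, "i"), (1300, "r")] + [(1400, "r")] * 18],
        "chat": [[(70, "i"), (90, "r")] * 10,
                 [(60, "i"), (100, "r")] * 10,
                 [(80, "i"), (80, "r")] * 10],
    }
    model = NearestCentroid(training)
    download = [(60, "i")] + [(1400, "r")] * 19
    session = [(70, "i"), (90, "r")] * 10
    return model, packets_to_decision(download, model), packets_to_decision(session, model)


if __name__ == "__main__":
    _, bulk_result, chat_result = demo()
    print("download flow:", bulk_result)
    print("chat flow:", chat_result)
```

The chatty flow is decided from its very first packet, while the download looks like the small-packet class until enough large response packets have accumulated; with unnormalised features the packet-size sum dominates the distance, which is exactly the kind of bias the first-10-sizes and direction features are there to counter once the flow has a few packets.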

RESOURCE USAGE OVERHEAD
1 Mininet VM with Diffuse installed, simulating a topology with 4 switches; learning-switch SDN controller running on the same machine
CPU usage overhead when enabling Diffuse: 17%
Memory usage overhead: 13%

CONCLUSIONS
Machine learning flow classification & SDN can work together to make the network adaptive
We can extract & use three types of information from the network:
Flow type classification
New flow type classifiers
Flow groups
Anomaly detection, botnet detection & honeypot rerouting can be done on top of them
ML traffic classification overhead is manageable