Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sanmit Narvekar Department of Computer Science California State University, Los Angeles Advisor: Prof. Valentino Crespi.

Published byNathaniel Porter Modified over 8 years ago

Similar presentations

Presentation on theme: "Sanmit Narvekar Department of Computer Science California State University, Los Angeles Advisor: Prof. Valentino Crespi."— Presentation transcript:

1 Sanmit Narvekar Department of Computer Science California State University, Los Angeles Advisor: Prof. Valentino Crespi

2 Outline Overview of CABALS Behaviors and Models Probabilistic Automata An Application to Computer Security CABALS Functionalities

3 Overview Finite State Models Behaviors CABALS Detect/Classify/Predict Covert Communications Denial-of-Service User Masquerading Resource Usage Anomalies etc… CABALS Detect/Classify/Predict Covert Communications Denial-of-Service User Masquerading Resource Usage Anomalies etc… 12 3 Web Server Model 12 3 Network Traffic Model 12 3 User Model HMMs K-grams

4 Behavior: collection of sequences of observable events exhibited by an agent or system: Client/Server interaction (e.g. time to respond to a request, type of received requests, protocols, etc.) User Signatures (e.g. typing habits, etc) Network Traffic Signatures Modeling: finite state machines HMMs k-grams DFAs/NFAs Behaviors and Models 1 2 3 Finite State Model

5 k-gram Automata Models k-order statistics of observed data 0 0 1 1 0 1 0 1 – Order Statistics 04 / 7 13 / 7 2 – Order Statistics 001 / 6 012 / 6 102 / 6 111 / 6 01 p 01 / 1 p 00 / 0 p 10 / 0 p 11 / 1 0001 1011 p 000 / 0 p 001 / 1 p 100 / 0p 011 / 1 p 111 / 1p 110 / 0 … …

6 A sample scenario: time covert channel CABALS Receiver Δt 1 Δt 2 Δt 3 Models the behavior of the inter-packet times 1 2 3 k-gram Compromised ! Observed Behavior: sequence of inter-packet delays 1-order stats 2-order stats Δt 4 Δt 5 Δt 6 Defense/Attack Dualism: [V. Crespi et al. “Attacking and Defending Covert Channels and Behavioral Models”, 2011] Trojan learns higher order models of traffic to hide covert communication behind higher order statistics. CABALS complexifies traffic at specific orders to detect anomalies and discover covert communications. Web Server

7 Analyzing Network Behavior First Order Statistics (K = 1) Second Order Statistics (K = 2) Normal Behavior Behavior Under Covert Communication

8 CABALS Infrastructure and Functionalities Monitor and logs live network traffic (type of connections can be customized) Train Hidden Markov Model (HMM) using the Baum-Welch algorithm (other algorithms being added) Train k-grams, for arbitrary k Compute properties of the learned models (e.g. KL-distance, likelihood of observed behavior to be classified, etc.) Complexifying module (in progress) Current Implementation: Collection of Command-line tools written in Java, using the JPCAP library (GUI being developed.) Existing Functionalities:

9 References 1. V. Crespi, G. Cybenko, and A. Giani. Attacking and Defending Covert Channels and Behavioral Models. ArXiv e-prints, April 2011. 2. Alberto Dainotti, Antonio Pescaṕe, Pierluigi Salvo Rossi, Francesco Palmieri, and Giorgio Ventre. Internet traffic modeling by means of Hidden Markov Models. Computer Networks, 52(14):2645–2662, 2008. 3. James Giles and Bruce Hajek. An Information-Theoretic and Game- Theoretic Study of Timing Channels. IEEE Transactions on Information Theory, 48(9):2455–2477, September 2002. 4. Lawrence E. Rabiner. A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition. In Proceedings of the IEEE, 1989. 5. Dawn Xiaodong Song et. al. Timing Analysis of Keystrokes and Timing Attacks on SSH. In USENIX Security Symposium, 2001.

10

Download ppt "Sanmit Narvekar Department of Computer Science California State University, Los Angeles Advisor: Prof. Valentino Crespi."

Similar presentations

Rohit Kugaonkar CMSC 601 Spring 2011 May 9 th 2011

Rohit Kugaonkar CMSC 601 Spring 2011 May 9 th 2011
Hidden Markov Models (HMM) Rabiner’s Paper

Hidden Markov Models (HMM) Rabiner’s Paper
The Mobile Code Paradigm and Its Security Issues Anthony Chan and Michael Lyu September 27, 1999.

The Mobile Code Paradigm and Its Security Issues Anthony Chan and Michael Lyu September 27, 1999.
The testbed environment for this research to generate real-world Skype behaviors for analyzation is as follows: A NAT-ed LAN consisting of 7 machines running.

The testbed environment for this research to generate real-world Skype behaviors for analyzation is as follows: A NAT-ed LAN consisting of 7 machines running.
ECE 8443 – Pattern Recognition ECE 8527 – Introduction to Machine Learning and Pattern Recognition Objectives: Jensen’s Inequality (Special Case) EM Theorem.

ECE 8443 – Pattern Recognition ECE 8527 – Introduction to Machine Learning and Pattern Recognition Objectives: Jensen’s Inequality (Special Case) EM Theorem.
2004/11/161 A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition LAWRENCE R. RABINER, FELLOW, IEEE Presented by: Chi-Chun.

2004/11/161 A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition LAWRENCE R. RABINER, FELLOW, IEEE Presented by: Chi-Chun.
An Introduction to Hidden Markov Models and Gesture Recognition Troy L. McDaniel Research Assistant Center for Cognitive Ubiquitous Computing Arizona State.

An Introduction to Hidden Markov Models and Gesture Recognition Troy L. McDaniel Research Assistant Center for Cognitive Ubiquitous Computing Arizona State.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.

Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.
Behavior Intrusion Detection: Enhanced Hakan Evecek Rodolfo Ortiz Hakan Evecek Rodolfo Ortiz.

Behavior Intrusion Detection: Enhanced Hakan Evecek Rodolfo Ortiz Hakan Evecek Rodolfo Ortiz.
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
1 Hidden Markov Model Instructor : Saeed Shiry  CHAPTER 13 ETHEM ALPAYDIN © The MIT Press, 2004.

1 Hidden Markov Model Instructor : Saeed Shiry  CHAPTER 13 ETHEM ALPAYDIN © The MIT Press, 2004.
Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.
School of Computer Science and Information Systems

School of Computer Science and Information Systems
The Mobile Code Paradigm and Its Security Issues Anthony Chan September 13, 1999.

The Mobile Code Paradigm and Its Security Issues Anthony Chan September 13, 1999.
Probabilistic Analysis of a Large-Scale Urban Traffic Sensor Data Set Jon Hutchins, Alexander Ihler, and Padhraic Smyth Department of Computer Science.

Probabilistic Analysis of a Large-Scale Urban Traffic Sensor Data Set Jon Hutchins, Alexander Ihler, and Padhraic Smyth Department of Computer Science.
Intrusion Detection System Marmagna Desai [ 520 Presentation]

Intrusion Detection System Marmagna Desai [ 520 Presentation]
SMS Mobile Botnet Detection Using A Multi-Agent System Abdullah Alzahrani, Natalia Stakhanova, and Ali A. Ghorbani Faculty of Computer Science, University.

SMS Mobile Botnet Detection Using A Multi-Agent System Abdullah Alzahrani, Natalia Stakhanova, and Ali A. Ghorbani Faculty of Computer Science, University.

Similar presentations

Ads by Google