Slide 1
Sanmit Narvekar
Department of Computer Science, California State University, Los Angeles
Advisor: Prof. Valentino Crespi
Slide 2
Outline
- Overview of CABALS
- Behaviors and Models
- Probabilistic Automata
- An Application to Computer Security
- CABALS Functionalities
Slide 3
Overview
[Figure: Finite State Models and Behaviors feed into CABALS, which detects, classifies and predicts: Covert Communications, Denial-of-Service, User Masquerading, Resource Usage Anomalies, etc. The models are drawn as three-state finite state machines: a Web Server Model, a Network Traffic Model and a User Model, built from HMMs and k-grams.]
Slide 4
Behaviors and Models
Behavior: a collection of sequences of observable events exhibited by an agent or system, for example:
- Client/Server interaction (e.g. time to respond to a request, type of received requests, protocols, etc.)
- User signatures (e.g. typing habits, etc.)
- Network traffic signatures
Modeling: finite state machines
- HMMs
- k-grams
- DFAs/NFAs
[Figure: a three-state finite state model]
Slide 5
k-gram Automata
Models k-order statistics of observed data.
Worked example on the slide, for the observed sequence 0 0 1 1 0 1 0 1:
- 1-order statistics: 0: 4/7, 1: 3/7
- 2-order statistics: 00: 1/6, 01: 2/6, 10: 2/6, 11: 1/6
[Figure: the first-order automaton has states 0 and 1 with transitions p_01 (emits 1), p_00 (emits 0), p_10 (emits 0) and p_11 (emits 1); the second-order automaton has states 00, 01, 10 and 11 with transitions p_000/0, p_001/1, p_100/0, p_011/1, p_111/1 and p_110/0, and so on for higher orders.]
Slide 6
A sample scenario: time covert channel
[Figure: a Web Server sends packets to a Receiver separated by inter-packet delays Δt1, Δt2, Δt3, Δt4, Δt5, Δt6; CABALS observes the stream with a three-state k-gram model and flags the server as "Compromised!"]
CABALS models the behavior of the inter-packet times. Observed behavior: the sequence of inter-packet delays, summarized by its 1-order and 2-order statistics.
Defense/Attack Dualism [V. Crespi et al., "Attacking and Defending Covert Channels and Behavioral Models", 2011]:
- The Trojan learns higher-order models of the traffic to hide covert communication behind higher-order statistics.
- CABALS complexifies the traffic at specific orders to detect anomalies and discover covert communications.
Slide 7
Analyzing Network Behavior
[Figure: panels comparing First Order Statistics (K = 1) and Second Order Statistics (K = 2) for Normal Behavior versus Behavior Under Covert Communication.]
Slide 8
CABALS Infrastructure and Functionalities
Existing functionalities:
- Monitors and logs live network traffic (the type of connections can be customized)
- Trains a Hidden Markov Model (HMM) using the Baum-Welch algorithm (other algorithms being added)
- Trains k-grams, for arbitrary k
- Computes properties of the learned models (e.g. KL-distance, likelihood of an observed behavior to be classified, etc.)
- Complexifying module (in progress)
Current implementation: a collection of command-line tools written in Java, using the JPCAP library (a GUI is being developed).
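The k-gram statistics of slide 5, the covert timing-channel scenario of slide 6 and the KL-distance functionality listed above, worked through as an added Python example (not CABALS code, which is Java). It quantizes inter-packet delays into a binary alphabet, computes k-order statistics and the k-gram automaton's transition probabilities, and scores a constructed covert trace against a constructed baseline at orders K = 1 and K = 2; the delay values, threshold and smoothing constant are assumptions of this example.

```python
from collections import Counter, defaultdict
from math import log


def symbolize(delays, threshold):
    """Quantize inter-packet delays into a binary alphabet: 0 = short gap, 1 = long gap."""
    return [0 if d < threshold else 1 for d in delays]


def kgram_stats(seq, k):
    """k-order statistics: relative frequency of every k-gram occurring in seq."""
    grams = [tuple(seq[i:i + k]) for i in range(len(seq) - k + 1)]
    counts = Counter(grams)
    return {g: c / len(grams) for g, c in counts.items()}


def kgram_automaton(seq, k):
    """Transition probabilities of the k-gram automaton: P(next | previous k-1 symbols)."""
    ctx_counts = defaultdict(Counter)
    for i in range(len(seq) - k + 1):
        ctx, nxt = tuple(seq[i:i + k - 1]), seq[i + k - 1]
        ctx_counts[ctx][nxt] += 1
    return {ctx: {s: n / sum(c.values()) for s, n in c.items()}
            for ctx, c in ctx_counts.items()}


def kl_distance(p, q, eps=1e-6):
    """KL(p || q) over the union of both supports; eps (assumed) avoids log(0) for unseen k-grams."""
    support = set(p) | set(q)
    return sum(p.get(g, eps) * log(p.get(g, eps) / q.get(g, eps)) for g in support)


def detect(baseline_delays, observed_delays, k, threshold=0.03):
    """KL-distance of the observed trace's k-order statistics from the baseline model at order k."""
    p = kgram_stats(symbolize(baseline_delays, threshold), k)
    q = kgram_stats(symbolize(observed_delays, threshold), k)
    return kl_distance(p, q)


# Constructed sample traffic (seconds between packets), not captured data.
NORMAL_DELAYS = [0.01, 0.01, 0.05, 0.05] * 50
# Covert trace built to match the baseline's first-order statistics (half short,
# half long gaps) while its second-order statistics differ: the channel hides
# behind order 1 and is exposed at order 2, as on slide 7.
COVERT_DELAYS = [0.01, 0.05] * 100

if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"K = {k}: KL-distance = {detect(NORMAL_DELAYS, COVERT_DELAYS, k):.4f}")
```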
Slide 9
References
1. V. Crespi, G. Cybenko, and A. Giani. Attacking and Defending Covert Channels and Behavioral Models. ArXiv e-prints, April 2011.
2. Alberto Dainotti, Antonio Pescapé, Pierluigi Salvo Rossi, Francesco Palmieri, and Giorgio Ventre. Internet traffic modeling by means of Hidden Markov Models. Computer Networks, 52(14):2645–2662, 2008.
3. James Giles and Bruce Hajek. An Information-Theoretic and Game-Theoretic Study of Timing Channels. IEEE Transactions on Information Theory, 48(9):2455–2477, September 2002.
4. Lawrence E. Rabiner. A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition. In Proceedings of the IEEE, 1989.
5. Dawn Xiaodong Song et al. Timing Analysis of Keystrokes and Timing Attacks on SSH. In USENIX Security Symposium, 2001.