BITS Pilani Hyderabad Campus Intrusion Detection Mechanisms for Peer-to-Peer Networks – Pratik Narang.


1 BITS Pilani Hyderabad Campus Intrusion Detection Mechanisms for Peer-to-Peer Networks – Pratik Narang

2 Acknowledgements
 Dr. Chittaranjan Hota (BITS – Pilani, Hyderabad)
 Dr. V.N. Venkatakrishnan (University of Illinois at Chicago)
 Dr. Nasir Memon (New York University, Abu Dhabi)
 Supported by

3 Introduction
 What are P2P networks?
 What’s a bot?
 What are botnets?
 What are Peer-to-Peer based botnets?

4 Peer-to-Peer networks
 are distributed systems consisting of interconnected nodes
 are able to self-organize into network topologies
 are built with the purpose of sharing resources such as content, CPU cycles, storage and bandwidth
 Famous applications:
 – BitTorrent
 – Skype
 – eMule
 – SETI@home

5 Peer-to-Peer networks [figure: peers A–H forming a P2P overlay layer on top of the native IP layer, spread across AS 1 – AS 6]

6 Generic P2P architecture [figure: components – Capability & Configuration, Peer Role Selection, Operating System, NAT/Firewall Traversal, Routing and Forwarding, Neighbor Discovery, Join/Leave, Bootstrap, Overlay Messaging API, Content Storage, Search API]

7 P2P: uses & misuses

8 Traditional Botnets [figure: Bot-Master]

9 Peer-to-Peer Botnets Source: www.lightcyber.com

10 Dataset
Botnet  | What it does?                                                       | Type / Size of data   | Source of data
Sality  | Infects executable files, attempts to disable security software.    | Binary (.exe) file    | Generated on testbed
Storm   | Email spam                                                          | .pcap file / 4.8 GB   | Obtained from Univ. of Georgia
Waledac | Email spam, password stealing                                       | .pcap file / 1.1 GB   | Obtained from Univ. of Georgia
ZeuS    | Steals banking information by MITM, key logging and form grabbing   | .pcap file / 1 GB     | Obtained from Univ. of Georgia and CVUT Prague + Generated on testbed
Nugache | Email spam                                                          | .pcap file / 58 MB    | Obtained from University of Texas at Dallas
Plus traffic from multiple P2P applications, web traffic, etc.

11 P2P apps v/s P2P bots
 Applications:
 – A human user – ‘bursty’ traffic
 – High volume of data transfers seen
 – Small inter-arrival time of packets seen in apps
 Botnets:
 – Automated / scripted commands
 – Low in volume, high in duration
 – Large inter-arrival time of packets seen in stealthy bots
* Both randomize ports, use TCP as well as UDP

12

13 Approach
 Gather five-tuple flows from network traffic
 – Flows: IP1, IP1-port, IP2, IP2-port, protocol
 Cluster flows based on bi-directional features
 – Protocol, Packets per sec (f/w), Packets per sec (b/w), Avg. Payload size (f/w), and Avg. Payload size (b/w)
 Create two-tuple conversations within each cluster
 – Conversations: IP1, IP2
 For each tuple, extract 4 features:
 – The duration of the conversation
 – The number of packets exchanged in the conversation
 – The volume of the conversation (no. of bytes)
 – The Median value of the inter-arrival time of packets in the conversation
 Differentiate between and categorize P2P apps & bots with these features
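The flow-to-conversation pipeline of this slide as an added Python example; it is not the PeerShark code (the author's code is linked on the last slide). It skips the flow-clustering step, and the packet records, IPs and ports are constructed stand-ins for a pcap.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records standing in for a pcap (not real traffic):
# (time_s, src_ip, src_port, dst_ip, dst_port, proto, payload_bytes)
PACKETS = [
    (0.0,   "10.0.0.5", 40001, "10.0.0.9", 6881,  "TCP", 200),   # P2P app: bursty,
    (0.5,   "10.0.0.9", 6881,  "10.0.0.5", 40001, "TCP", 1400),  # high volume,
    (0.6,   "10.0.0.5", 40002, "10.0.0.9", 6882,  "UDP", 120),   # small gaps
    (1.1,   "10.0.0.9", 6882,  "10.0.0.5", 40002, "UDP", 1400),
    (0.0,   "10.0.0.7", 51000, "10.0.0.9", 7788,  "TCP", 60),    # stealthy bot: few bytes,
    (300.0, "10.0.0.9", 7788,  "10.0.0.7", 51000, "TCP", 60),    # long duration,
    (600.0, "10.0.0.7", 51000, "10.0.0.9", 7788,  "TCP", 60),    # large gaps
]

def flow_key(pkt):
    """Direction-independent five-tuple so both halves of a flow share one key."""
    _, sip, sport, dip, dport, proto, _ = pkt
    lo, hi = sorted([(sip, sport), (dip, dport)])
    return (lo[0], lo[1], hi[0], hi[1], proto)

def build_flows(packets):
    """Group packets into bidirectional five-tuple flows."""
    flows = defaultdict(list)
    for pkt in packets:
        flows[flow_key(pkt)].append(pkt)
    return flows

def build_conversations(flows):
    """Merge all flows between the same two IPs into one two-tuple conversation."""
    convs = defaultdict(list)
    for key, pkts in flows.items():
        convs[tuple(sorted((key[0], key[2])))].extend(pkts)
    return convs

def conversation_features(pkts):
    """The slide's four features: duration, packet count, byte volume, median IAT."""
    times = sorted(p[0] for p in pkts)
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {"duration": times[-1] - times[0], "packets": len(pkts),
            "volume": sum(p[6] for p in pkts),
            "median_iat": median(gaps) if gaps else 0.0}

def extract_all(packets):
    """Feature vector per IP pair (the clustering step of the slide is omitted)."""
    convs = build_conversations(build_flows(packets))
    return {pair: conversation_features(pkts) for pair, pkts in convs.items()}

if __name__ == "__main__":
    for pair, feats in extract_all(PACKETS).items():
        print(pair, feats)
```

On the constructed input the app pair comes out short, heavy and tightly spaced, while the bot pair is long, light and widely spaced, which is exactly the separation the previous slide describes.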

14 Architecture

15 Data crunching

16 Results
[figure: Performance of classifiers on test data]
[figure: Performance of classifiers on unseen P2P botnets]
PeerShark: Detecting P2P Botnets by Tracking Conversations. Presented at IEEE Security & Privacy Workshops (co-located with the 35th IEEE Symposium on Security & Privacy), San Jose, USA, May 2014. (Pratik Narang, Subhajit Ray, Chittaranjan Hota and V.N. Venkatakrishnan)
PeerShark: Flow-clustering and Conversation-generation for Malicious P2P traffic Identification. The EURASIP Journal on Information Security 2014, 2014:15. (Pratik Narang, Chittaranjan Hota and V.N. Venkatakrishnan)

17 Other tracks

18 Signal-processing Techniques for P2P Botnet Detection
 Approach & Contributions:
 – To uncover hidden patterns between the communications of bots, we convert the time-domain network communication of peers to the frequency-domain.
 – We extract 2-tuple conversations from network traffic and treat those conversations as a signal.
 – We extract several ‘signal-processing’ based features using Fourier Transforms and Shannon's Entropy theory.
 We calculate:
 – FFT(inter-arrival_time)
 – FFT(payload_sizes)
 – Compression-ratio(payload_sizes)
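An added Python example of the three quantities listed on this slide, computed over one conversation's packet series; it is not the paper's code, and the exact features the paper derives from the spectra are not stated here, so the DC-energy fraction and compression ratio below are this example's own choices. The inter-arrival times and payload sizes are constructed.

```python
import cmath
import struct
import zlib

# Constructed per-conversation series (not real traffic): inter-arrival times in
# seconds and payload sizes in bytes, 16 packets each.
BOT_IAT = [300.0] * 16                      # fixed beacon interval
BOT_SIZES = [60] * 16                       # identical small command packets
APP_IAT = [0.5, 0.1, 0.5, 2.0, 0.05, 0.3, 1.2, 0.08, 0.6, 3.5, 0.2, 0.1, 0.9, 0.05, 1.7, 0.4]
APP_SIZES = [200, 1400, 120, 1400, 800, 64, 1300, 512, 1400, 90, 1000, 1400, 700, 150, 1400, 300]

def dft_magnitudes(samples):
    """Naive O(n^2) DFT without numpy: magnitude of every frequency bin, DC first."""
    n = len(samples)
    return [abs(sum(x * cmath.exp(-2j * cmath.pi * k * t / n)
                    for t, x in enumerate(samples))) for k in range(n)]

def dc_energy_fraction(samples):
    """Share of spectral energy in the DC bin (by Parseval this is mean(x)^2 / mean(x^2)).
    1.0 for a perfectly regular series; it drops as the series becomes irregular."""
    mags = dft_magnitudes(samples)
    total = sum(m * m for m in mags)
    return mags[0] ** 2 / total if total else 0.0

def compression_ratio(sizes):
    """zlib-compressed length over raw length of the payload-size sequence (uint16).
    Repetitive fixed-size protocol messages compress far better than mixed transfers."""
    raw = struct.pack(f"<{len(sizes)}H", *sizes)
    return len(zlib.compress(raw, 9)) / len(raw)

def signal_features(iats, sizes):
    """Feature vector for one conversation: FFT-derived regularity of the inter-arrival
    and payload-size series plus the compression ratio of the payload sizes."""
    return {"iat_dc_fraction": dc_energy_fraction(iats),
            "size_dc_fraction": dc_energy_fraction(sizes),
            "size_compression_ratio": compression_ratio(sizes)}

if __name__ == "__main__":
    print("bot", signal_features(BOT_IAT, BOT_SIZES))
    print("app", signal_features(APP_IAT, APP_SIZES))
```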

19 Signal-processing Techniques for P2P Botnet Detection [figure: Packet Validation and Filtering Module (valid packets kept, discarded packets dropped) → Conversation Creation Module → Feature Set Extraction Module (network-behavior based features, signal-processing based features) → extracted features → Machine Learning based modules → malicious conversation / benign conversation → P2P botnets identified]
Machine-learning Approaches for P2P Botnet Detection using Signal-processing Techniques. The 8th ACM International Conference on Distributed Event-Based Systems (DEBS’ 14), ACM SIGMOD/SIGSOFT, Mumbai, India, pp. 338-341, May 2014. (Pratik Narang, Vansh Khurana and Chittaranjan Hota)

20 Host-based approach using Hadoop [figure: traffic from the Distributed Systems Lab and Student Hostels; name node and data nodes; P2P bots detected trigger firewall rules]
 1. Data collection
 2. Parse packets with Tshark
 3. Push data to HDFS
 4. Host-based features extracted with Hive
 5. Feature set evaluated against models built with Mahout
Hades: A Hadoop-based Framework for Detection of Peer-to-Peer Botnets. The 20th International Conference on Management of Data (COMAD) 2014, Hyderabad, Dec 2014. (Pratik Narang, Abhishek Thakur and Chittaranjan Hota)

21 Code: www.github.com/pratiknarang Feedback: pratiknarang@outlook.com

