CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

Transcription

1 CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION MATIJA STEVANOVIC PhD Student JENS MYRUP PEDERSEN Associate Professor Department of Electronic Systems Aalborg University, Denmark {mst,

2 AGENDA BOTNETS TRAFFIC CLASSIFICATION FOR BOTNET DETECTION METHOD RESULTS FUTURE WORK CONCLUSION AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 2 OF

3 BOTNETS WHAT IS BOTNET? Botnets - networks of computers compromised with sophisticated malicious software that provides remote control mechanisms to an attacker. Distributed platform for implementing a wide range of malicious and illegal activities. One of the biggest threats to Internet security today. Modern botnets: High number of compromised machines. Highly distributed botnet infrastructure. Sophisticated Command and Control (C&C) communication strategies. Highly developed resilience techniques. Diverse malicious and illegal activities. The growing business. AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 3 OF

4 TRAFFIC CLASSIFICATION FOR BOTNET DETECTION NETWORK TRAFFIC CLASSIFICATION Botnets are characterized by network activity, that is often seen as their identifying trait. Network traffic classification is widely used for identifying network traffic patterns. The approaches based on traffic classification promise efficient detection of botnet traffic patterns independent from content of the packet payload, and specific knowledge about botnet traffic patterns. Existing methods: Different point of traffic monitoring. Targeting different heuristics of botnet traffic. Targeting different phases of C&C life cycle. Based on different machine learning algorithms. Evaluated using diverse traffic datasets. AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 4 OF

5 METHOD PAPER CONTRIBUTIONS The goal of the paper is to evaluate different strategies of traffic classification for botnet detection. We develop three traffic classification methods that target three protocols: TCP UDP DNS Targeting botnets at local network. The methods are evaluated using one of the most comprehensive botnet data sets. We analyze if botnet traffic can be identified in less time and expense. Examine can the proposed detection method be used within future on-line detection systems. AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 5 OF

6 METHOD BASIC PRINCIPLES TCP, UDP and DNS the main carriers of botnet traffic activity. A separate classifier for each of the protocols is developed. Following standard scheme of using supervised MLAs. Two main components. Relying on existing botnet traffic. Generalizing the knowledge about the malicious traffic. AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 6 OF

7 METHOD BASIC PRINCIPLES Time window operation. Random Forests classifier used for implementation of all three classifiers: A capable ensemble classifier. Consisting of 10 trees. log n features on each node, n number of features. AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 7 OF

8 TCP / UDP TRAFFIC ANALYSIS PRINCIPLES OF TCP/UDP TRAFFIC ANALYSIS Traffic analyzed from the perspective of transport layer conversations: Covering traffic on both TCP and UDP. Two-way conversations. Conversations defined as traffic on specific 5-tuple: (IP address A, port A, IP address B, port B, protocol identifier) where A and B are conversation endpoints. For every conversation a number of traffic features have been extracted. AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 8 OF

9 TCP / UDP TRAFFIC ANALYSIS TRAFFIC REPRESENTATION Features designed to capture malicious TCP/UDP traffic: Basic conversation features. Time-based features. Bidirectional features. TCP specific features. Simplistic set of features. Host identifiers such as IP addresses are not used as features. UDP conversation that carry DNS traffic are excluded. AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 9 OF

10 DNS TRAFFIC ANALYSIS PRINCIPLES OF DNS TRAFFIC ANALYSIS DNS is analyzed from perspective of queries/responses for a particular FQDN (Fully Qualified Domain Name). For each queried FQDN a following sets of features have been extracted: FQDNs-based features Query-based features Response-based features Geographical location features AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 10 OF

11 EVALUATION PRINCIPLES OF EVALUATION An extensive malicious and non-malicious data set: Traffic traces from local networks. Traces from 40 botnet samples. Traces from diverse non-malicious applications. Results for 10-fold cross validation evaluation scheme. AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 11 OF

12 RESULTS TCP TRAFFIC ANALYSIS Performances for malicious traffic: Precision > Recall > 0.98 Influence of the number of packets per conversation. AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 12 OF

13 RESULTS UDP TRAFFIC ANALYSIS Performances for malicious traffic: Precision > 0.99 Recall > 0.97 No influence of the number of packets per conversation. AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 13 OF

14 RESULTS DNS TRAFFIC ANALYSIS Performances for malicious traffic: Precision > Recall > AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 14 OF

15 FUTURE WORK AN ONLINE MULTI-LEVEL BOTNET DETECTOR Adding Post-processing entity. Correlation of findings of the three classifiers. Open issues: Limiting number of false positives. AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 15 OF

16 CONCLUSION TAKE HOME MESSAGES The results of evaluation indicate the possibility of obtaining: High accuracy of botnet traffic classification for all three classification methods. Time efficient operation of the classification methods. The presented methods promise a possibility of being implemented within future on-line detection system. The future work will be devoted to developing a methods for correlating findings from the three levels of traffic analysis. AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 16 OF

17 THANK YOU