BotCop: An Online Botnet Traffic Classifier
2009 Seventh Annual Communications Networks and Services Research Conference

Wei Lu, Mahbod Tavallaee, Goaletsa Rammidi and Ali A. Ghorbani
Faculty of Computer Science, University of New Brunswick, Fredericton, NB E3B 5A3, Canada
{wlu, m.tavallaee, g.rammidi, ghorbani}@unb.ca

Abstract

A botnet is a network of compromised computers infected with malicious code that can be controlled remotely under a common command and control (C&C) channel. As one of the most serious security threats to the Internet, a botnet can not only be implemented with existing network applications (e.g. IRC, HTTP, or Peer-to-Peer) but can also be constructed by unknown or creative applications, which makes botnet detection a challenging problem. In this paper, we propose a new online botnet traffic classification system, called BotCop, in which the network traffic is fully classified into different application communities by using payload signatures and a novel decision tree model; then, on each obtained application community, the temporal-frequent characteristic of flows is studied and analyzed to differentiate the malicious communication traffic created by bots from normal traffic generated by human beings. We evaluate our approach with about 30 million flows collected over one day on a large-scale WiFi ISP network, and the results show that the proposed approach successfully detects an IRC botnet from about 30 million flows with a high detection rate and a low false alarm rate.

1. Introduction

Over the past few years botnets have differentiated themselves as the main source of malicious activities such as distributed denial-of-service (DDoS) attacks, phishing, spamming, keylogging, click fraud, identity theft and information exfiltration. Similar to other malicious software, botnets use a self-propagating application to infect vulnerable hosts. They, however, take advantage of a command and control (C&C) channel through which they can be updated and directed.
According to the command and control (C&C) model, botnets are divided into two groups: centralized (e.g., IRC and HTTP) and distributed (e.g., P2P). Centralized botnets employ two mechanisms to receive commands from the server, namely push and pull. In the push mechanism, bots are connected to the C&C server (e.g., an IRC server) and wait for commands from the botmaster. In contrast, in the pull mechanism, the botmaster places the commands in a file on the C&C server (e.g., an HTTP server), and the bots frequently connect to the server to read the latest commands. While in the centralized structure all bots receive the commands from a specific server, in the distributed structure the command files are shared over P2P networks by the botmaster, and bots use specific search keys to find the published command files. In reality, detecting and blocking such an IRC botnet is not a difficult task, since the whole botnet can be put down by blacklisting the IRC server. To overcome this issue, botnets have evolved by allowing more flexibility in the applied protocols, and now they are even transforming from the centralized structure into the advanced distributed strategy to remove the weakness of having a single point of failure. Compared to the traditional centralized C&C model, the distributed (Peer-to-Peer) botnet is much harder to detect and destroy because the bots' communication does not heavily depend on a few selected servers, and thus shutting down a single or even a couple of bots does not necessarily lead to the complete destruction of the whole botnet. Early research on detecting botnets is mainly based on honeypots [1,2,3]. Setting up and installing honeypots on the Internet is very helpful to capture malware and understand the basic behavior of botnets, and, as a result, makes it possible to create bot binaries or botnet signatures. However, this analysis is always based on existing botnets and provides no solution for new botnets.
To overcome this issue, new methods have been proposed to automatically detect botnets. These approaches can be categorized into two major groups: (1) passive anomaly analysis [e.g. 4,5]; and (2) traffic classification [e.g. 6]. Botnet detection based on passive anomaly analysis is usually independent of the traffic content and has the potential to find different types of botnets (e.g., HTTP, IRC and P2P). This approach is, however, limited to a specific botnet structure (e.g. centralized only). In contrast, traffic classification focuses on classifying network traffic into the corresponding applications, and then distinguishing between normal and malicious activities. The biggest challenge of this approach is the classification of traffic into appropriate application groups.

Authorized licensed use limited to: National Taiwan University. Downloaded on December 30, 2009 at 08:4 from IEEE Xplore. Restrictions apply.
Addressing the aforementioned challenges, we propose a hierarchical framework for next generation botnet detection, which consists of two levels: (1) in the higher level, all unknown network traffic is labeled and classified into different network application communities, such as the P2P community, HTTP Web community, Chat community, DataTransfer community, Online Games community, Mail Communication community, Multimedia (streaming and VoIP) community and Remote Access community; (2) in the lower level, focusing on each application community, we investigate and apply the temporal-frequent characteristics of network flows to differentiate malicious botnet behavior from normal application traffic. The major contributions of this paper include: (1) we propose a novel application discovery approach for automatically classifying network applications on a large-scale WiFi ISP network; and (2) we develop a generic algorithm to discriminate general botnet behavior from normal network traffic on a specific application community, which is based on the n-gram (frequent characteristic) of flow payload over a time period (temporal characteristic). The rest of the paper is organized as follows. Section 2 introduces related work, in which we discuss some typical literature on the current botnet detection communities. The proposed online traffic classification method is discussed in Section 3. Section 4 presents the temporal-frequent characteristic and then explains our botnet detection approach. Section 5 is the experimental evaluation of our detection model with a mixture of around 30 million flows collected on a large-scale WiFi ISP network and a botnet traffic trace collected on a honeynet deployed on the public Internet. Finally, in Section 6 we make some concluding remarks and discuss future work.

2. Related work

Previous attempts to detect botnets are mainly based on honeypots, passive anomaly analysis and traffic classification.
In order to get a full understanding of botnet behavior, honeypots are widely installed and set up on the Internet to capture malware and consequently track and analyze the bots [1,2,3]. A typical example is the Nepenthes honeypot, which is commonly used to collect shell code or bot binaries by mimicking a reply that can be generated by a vulnerable service. Rajab et al. in [1] deployed Nepenthes to collect malware in their unused IP address space. A honeynet consisting of VMware virtual machines running Windows XP is used to capture any exploits that may be missed by Nepenthes. Once all binaries are collected, they use greybox testing, which runs the collected binary on a clean image of a Windows XP virtual machine while logging all traffic, to try to get details of how a compromised host will join that particular botnet in the wild. During this testing, network fingerprints are created to capture network information like DNS requests, destination IP addresses, contacted ports and presence of default scanning behavior. IRC-related features are also extracted by running an IRC server in the testing hosts; any attempted connections are logged and an IRC fingerprint consisting of PASS, NICK, USER, MODE and JOIN values is created. Botnets are then tracked by joining a modified IRC tracker to the actual IRC server and observing it, and also by DNS cache probing. Although the honeypot based approach is quite helpful in creating bot binaries and bot signatures, it is always limited to existing botnets and provides no solution for new bots. To overcome this shortcoming, two botnet detection approaches have been proposed recently, namely traffic classification and passive anomaly analysis. A typical work of traffic classification based botnet detection using machine learning algorithms is illustrated in [6], in which Strayer et al.
propose an approach for detecting botnets by examining flow characteristics such as bandwidth, duration, and packet timing in order to look for evidence of botnet command and control activities. They propose an architecture that first eliminates traffic that is unlikely to be part of a botnet, then classifies the remaining traffic into a group that is likely to be part of a botnet, and finally correlates the likely traffic to find common communication patterns that would suggest the activity of a botnet. Typical approaches of passive anomaly based botnet detection are discussed in [4,5]. In [4], Karasaridis et al. study network flows and detect IRC botnet controllers in four steps, of which the most important one is to identify hosts with suspicious behavior and isolate flow records to/from those hosts. In [5], Gu et al. investigate the spatial-temporal correlation and similarity in network traffic and implement a prototype system, BotSniffer, to detect botnets. All the above mentioned botnet detection techniques are either limited to specific C&C protocols or limited to specific botnet structures.

3. Traffic classification

Early common techniques for identifying network applications rely on the association of a particular port with a particular protocol. Such a port number based traffic classification approach has been proved to be ineffective due to: (1) the constant emergence of new peer-to-peer networking applications for which IANA does not define the corresponding port numbers [7], (2) the dynamic port number assignment of some applications (e.g. FTP for data transfer), and (3) the encapsulation of different
services into the same application (e.g. chat or streaming can be encapsulated into the same HTTP protocol). Recent studies on network traffic application classification include "applying machine learning algorithms for clustering and classifying traffic flows based on a set of statistical features" [8,9], "modeling payload content signatures for traffic application classification" [10,11] and "identifying traffic based on heuristics derived from analysis of communication patterns of hosts" [12,13]. Although existing traffic classification mechanisms generate a number of good ideas, they are far from complete yet due to the limited number of applications they can identify and the rough application scopes (e.g. BLINC in [13] attempts to identify general P2P traffic instead of the specific underlying P2P applications like eDonkey or BitTorrent). Moreover, comparing all the above mentioned methods is difficult because of the lack of sharable datasets and appropriate metrics [14]. Addressing these limitations, we propose in this paper a hybrid mechanism for classifying flow applications on the fly, in which we first model and generate signatures for more than 470 applications according to the port numbers and protocol specifications of these applications, and then, concentrating on unknown flows that cannot be identified by signatures, we investigate their temporal-frequent characteristics in order to assign them to the already labeled applications, based on a decision tree trained on the corresponding temporal-frequent characteristics of known flows. Next we discuss the online traffic classification system in more detail.

3.1. Signatures based classifier

The payload signature based classifier investigates the characteristics of bit strings in the packet payload. For most applications, the initial protocol handshake steps are usually different and thus can be used for classification.
Moreover, the protocol signatures can be modeled either from public documents like RFCs or through empirical analysis that derives the distinct bit strings on both TCP and UDP traffic. The signatures based classifier is deployed on Fred-eZone, a free wireless fidelity (WiFi) network service provider operated by the City of Fredericton [15]. Table 1 lists the general workload dimensions for the Fred-eZone network capacity. From Table 1, we see, for example, that the number of unique source IP addresses (SrcIP) appearing over one day is about 1,055 thousand and the total number of packets is about 944 million. All the flows are bi-directional, and we remove all unidirectional flows before applying the classifier. Table 2 lists the classification results over one hour of traffic collected on Fred-eZone. From Table 2, we see that about 249,000 flows can be identified by the application payload signatures and about 125,000 flows cannot be identified. A general result is that about 40% of flows cannot be classified by the current payload signatures based classification method. In the next section we build a module that works in parallel with the signatures based application detection engine. The new module focuses only on those applications that the signature-based detector could not identify and that appear to the signatures-based classifier as unknown.

Table 1. Workload of Fred-eZone WiFi network over 1 day

SrcIP | DstIP | Flows | Packets | Bytes
1055K | 228K | 30783K | 994M | 500G

Table 2. Classification results with one hour traffic on Fred-eZone

Known Applications: Flows 249K | SrcIPs 102K | DstIPs 202K | App. 182
Unknown Applications: Flows 125K | SrcIPs 100K | DstIPs 1055K

3.2. Decision tree based classifier

N-gram byte distribution has proven its efficiency in detecting network anomalies. Wang et al.
examine the 1-gram byte distribution of the packet payload, represent each packet as a 256-dimensional vector describing the occurrence frequency of each of the 256 ASCII characters in the payload, and then construct the normal packet profile by calculating the statistical average and deviation of normal packets for a specific application service (e.g. HTTP) [16]. Anomalies are alerted once the Mahalanobis distance of the testing data from the normal profiles exceeds a predefined threshold. Gu et al. improve this approach and apply it to detecting malware infection in their recent work [17]. Differently from previous n-gram based approaches for network intrusion detection, we extend in this paper the n-gram frequency into the temporal domain and generate a set of 256-dimensional vectors representing the temporal-frequent characteristics of the ASCII binary bytes in the payload over a predefined time interval. By observing and analyzing the known network traffic applications, labeled by the signatures based classifier, over a long period on a large-scale WiFi ISP network, we found that the n-gram (n = 1 in particular) over a one second time interval for both source flow payload and destination flow payload is a strong enough feature to differentiate traffic applications. As an example, Figures 1 to 5 illustrate this novel temporal-frequent metric for the applications BitTorrent (P2P), Gnutella (P2P), LimeWire (P2P), HTTPWeb (WEB) and SecureWeb (WEB), respectively. The X axis in all five figures is the ASCII characters from 0 to 255 on the source flow payload. The Y axis stands for the
frequency value of each ASCII character appearing over a predefined time interval (i.e. 1 second).

Figure 1. Temporal-frequent metric for source flow payload of BitTorrent application.

By comparing Figures 1 to 3 with Figures 4 and 5, we see that the temporal-frequent metrics of flow payload are very different for P2P and WEB applications. At a more fine-grained level, we see that the temporal-frequent metrics of flow payload for the applications BitTorrent, Gnutella and LimeWire are different as well, by comparing Figures 1 to 3. Similar results also apply to differentiating the two applications (i.e. HTTPWeb and SecureWeb) in the same application group (i.e. WEB). We denote the 256-dimensional 1-gram byte distribution as a vector <t^i_1, t^i_2, ..., t^i_256>, where t^i_j stands for the frequency of the j-th ASCII character on the flow payload over the time window t_i (j = 1, 2, ..., 256; i = 0, 1, 2, ...), i.e. the temporal-frequent metric of the flow payload. Given n historical known flows for each specific application, we define an n × 256 application profiling matrix, p_app, illustrated as follows:

Figure 2. Temporal-frequent metric for source flow payload of Gnutella application.

$$
p_{app} =
\begin{bmatrix}
t^1_1 & t^1_2 & \cdots & t^1_{256} \\
t^2_1 & t^2_2 & \cdots & t^2_{256} \\
\vdots & \vdots & \ddots & \vdots \\
t^n_1 & t^n_2 & \cdots & t^n_{256}
\end{bmatrix}
$$

Figure 3. Temporal-frequent metric for source flow payload of LimeWire application.

Figure 4. Temporal-frequent metric for source flow payload of HTTPWeb application.

Figure 5. Temporal-frequent metric for source flow payload of SecureWeb application.

We create over 470 application profiling matrices for all the applications in the signature base. Unknown flows that cannot be identified by the signatures based classifier can therefore be labeled by the application profiling matrices: even though no signature in the signature base matches an unknown flow with payload, its temporal-frequent characteristics can always be modeled and thus used for unknown traffic classification.
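The temporal-frequent metric and the profiling matrix p_app described above, as an added Python example that is not part of the paper or of the BotCop system: it computes the 256-dimensional 1-gram byte distribution of one flow direction per one-second window, stacks the vectors of the known flows of one application into a profiling matrix, and labels an unknown flow by the closest profile. The sample flows are constructed, normalising the byte counts by window length is this example's own choice (the paper only speaks of the frequency of each character), the nearest-centroid rule stands in for the C4.5 decision tree the paper trains on the same matrices, and the names byte_frequency_vector, temporal_frequent_metric, profiling_matrix and nearest_application are hypothetical.

```python
from collections import defaultdict
import math

ALPHABET = 256  # one dimension per byte value 0..255


def byte_frequency_vector(payload):
    """1-gram byte distribution of one payload chunk: the fraction of bytes
    equal to each value 0..255.  Normalising by chunk length is this
    example's choice; the paper only speaks of the frequency of each
    ASCII character."""
    vec = [0.0] * ALPHABET
    if not payload:
        return vec
    for b in payload:
        vec[b] += 1.0
    n = float(len(payload))
    return [v / n for v in vec]


def temporal_frequent_metric(packets, window=1.0):
    """Group the (timestamp, payload) packets of one flow direction into
    consecutive windows of `window` seconds (the paper uses 1 second) and
    return one 256-dimensional vector per window, ordered by window index
    t_i (i = 0, 1, 2, ...).  Windows without packets are skipped."""
    if not packets:
        return []
    t0 = min(ts for ts, _ in packets)
    buckets = defaultdict(bytearray)
    for ts, payload in packets:
        buckets[int((ts - t0) // window)].extend(payload)
    return [byte_frequency_vector(bytes(buckets[i])) for i in sorted(buckets)]


def profiling_matrix(flows, window=1.0):
    """Stack the per-window vectors of the known flows of one application
    into the paper's p_app matrix (one row per 256-dimensional vector)."""
    rows = []
    for packets in flows:
        rows.extend(temporal_frequent_metric(packets, window))
    return rows


def centroid(rows):
    """Column-wise mean of a profiling matrix."""
    n = float(len(rows))
    return [sum(r[j] for r in rows) / n for j in range(ALPHABET)]


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest_application(vec, profiles):
    """Label an unknown-flow vector with the application whose profiling
    matrix has the closest centroid.  This nearest-centroid rule is a
    stand-in for the paper's C4.5 decision tree, not the paper's classifier."""
    return min(profiles, key=lambda app: euclidean(vec, centroid(profiles[app])))


# --- constructed sample flows (not captured traffic) ---------------------
HTTP_FLOWS = [
    [(0.00, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
     (0.35, b"GET /style.css HTTP/1.1\r\nHost: example.test\r\n\r\n")],
    [(5.10, b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 9\r\n\r\nuser=demo")],
]


def pseudo_binary(seed, length=400):
    """Deterministic byte string with a near-uniform byte distribution,
    standing in for the opaque payload of a P2P protocol."""
    return bytes((i * 37 + seed) % 256 for i in range(length))


P2P_FLOWS = [
    [(1.00, pseudo_binary(11)), (1.40, pseudo_binary(23))],
    [(9.00, pseudo_binary(5))],
]

# one profiling matrix per application, as the paper builds for 470 apps
PROFILES = {
    "HTTPWeb": profiling_matrix(HTTP_FLOWS),
    "P2P": profiling_matrix(P2P_FLOWS),
}

if __name__ == "__main__":
    unknown = temporal_frequent_metric(
        [(0.0, b"GET /img/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n")])[0]
    print(nearest_application(unknown, PROFILES))
```

The per-window vector is the same object whether it feeds the traffic classifier or, in Section 4, the clustering step; only the consumer changes. With real traffic the rows of a profiling matrix come from thousands of flows, so the 1000 × 256 matrices the paper trains on are just this construction at scale.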
The decision tree technique is a good candidate for unknown traffic classification in this case due to its low computational complexity and its training capability on large datasets. A typical decision tree is represented in the form of a tree structure (e.g. Figure 6), in which each node is either a leaf node or a decision node. A leaf node indicates the value of the target class, such as Application = Gnutella in Figure 6, and a decision node specifies a test to be carried out on a single attribute value, with one branch and sub-tree for each possible outcome of the test, for instance the decision on attribute 5 with a branch test in Figure 6. A decision tree classifies an example by starting at the root of the tree and moving through it until a leaf node is reached, which provides the classification of the instance. Suppose Figure 6 is the decision tree for application classification trained on the 256-dimensional
attribute vector <t_1, t_2, ..., t_256>; an unknown flow with a new 256-dimensional vector is compared starting from the root node to see whether the attribute tested there is bigger than 0.1 or not; if it is not bigger than 0.1, attribute 5 is selected to see whether it is bigger than 0.3 or not, and if it is bigger than 0.3 the unknown flow is labeled as the Gnutella application. The training of the decision tree for obtaining a decision model is based on the historical 470 application profiling matrices, and each application profiling matrix includes at least 1,000 instances (i.e. the size of the matrix is 1000 × 256). The decision tree algorithm we apply is C4.5, proposed by Quinlan [18], since it is well known and has been frequently used over the years.

Figure 6. A typical decision tree for traffic classification (decision nodes test single attributes against thresholds such as 0.1, 0.3 and 0.45; leaf nodes are App=Gnutella, App=BitTorrent, App=SecureWeb, App=LimeWire and App=HTTPWeb).

Figure 7. Average byte frequency over ASCIIs for normal IRC flows.

4. Botnet detection

The temporal-frequent characteristic based on the n-gram over a time period can not only be applied to train the decision tree model for traffic classification, but can also discriminate the malicious traffic of bots from the normal traffic created by human beings. The temporal feature is important in botnet detection due to two empirical observations of botnet behavior: (1) the response time of bots is usually immediate and accurate once they receive commands from the botmaster, while normal human behavior might perform an action with various possibilities after a reasonable thinking time, and (2) bots basically have preprogrammed activities based on the botmaster's commands, and thus all bots might be synchronized with each other. These two observations have been confirmed by a preliminary experiment conducted in [19]. As an example, Figures 7 and 8 illustrate the average byte frequency over the normal IRC flows and the IRC botnet flows, respectively.

By comparing Figures 7 and 8, we see that the average byte frequency over a specific time period for normal IRC traffic is much smaller than the average byte frequency over a specific time period for botnet IRC traffic.

Figure 8. Average byte frequency over ASCIIs for botnet IRC flows.

After obtaining the n-gram (n = 1 in this case) features for flows over a time window, we then apply an agglomerative hierarchical clustering algorithm to cluster the data objects with these features. We do not construct normal profiles, because normal traffic is sensitive to the practical networking environment and a high false positive rate might be generated when deploying the training model in a new environment. In contrast, agglomerative hierarchical clustering is unsupervised and does not define a threshold that needs to be tuned in different cases. In our approach, the final number of clusters is set to 2. Given a set of N data objects F = {F_i | i = 1, 2, ..., N}, where F_i = <t^i_1, t^i_2, ..., t^i_256>, the detection approach is described in Algorithm 1. In practice, labeling clusters is always a challenging problem when applying unsupervised algorithms for intrusion detection. Previous intrusive cluster labeling methods are based on two assumptions: (1) there are two clusters only, one is normal and the other is intrusive, and
(2) the number of instances in the normal cluster is much bigger than the number of instances in the intrusive cluster [20], and thus the cluster with the smaller number of instances is usually labeled as the intrusive cluster. We apply the same labeling strategy in this paper.

Algorithm 1. Implementation of botnet detection approach

Function BotDel(F) returns botnet cluster
Inputs: collection of data objects F_i = <t^i_1, t^i_2, ..., t^i_256>, i = 1, 2, ..., N
Initialization: initialize the number of clusters k (i.e. k = N) by assigning each data instance to a cluster so that each cluster contains only one data instance
Repeat:
    k ← k − 1
    find the closest pair of clusters and then merge them into a single cluster
    compute the distance between the new cluster and each of the old clusters
Until: k = 2
Calculate the number of instances in each cluster, g_1, ..., g_m (m ≤ k)
If g_b = min(g_1, g_2, ..., g_m) then cluster b is labeled as the botnet cluster
Return the botnet cluster b with g_b.

5. Experimental evaluation

We implement a prototype system for the approach and then evaluate it on a large-scale WiFi ISP network over one day. The botnet traffic is collected on a honeypot deployed on a real network and aggregated into 243 flows. The time interval for flow aggregation is 1 second. When evaluating the prototype system, we randomly insert and replay the botnet traffic flows into the normal daily traffic. Since our approach is a two-stage process (i.e. unknown traffic classification first and botnet detection on application communities next), the evaluation is accordingly divided into two parts: (1) performance testing for unknown traffic classification, where, besides the capability of our approach to classify the unknown IRC traffic, we also concentrate on the classification accuracy for other unknown applications (e.g. new P2P), since we expect the algorithm could be extended to detect any newly appeared decentralized botnet; (2) performance evaluation of the system in discriminating malicious IRC botnet traffic from normal human IRC traffic.
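Algorithm 1 above, as an added Python example that is not part of the paper or of its prototype: bot_del performs agglomerative clustering of per-window 1-gram count vectors until two clusters remain and labels the smaller cluster as the botnet cluster, and evaluate reports correctly detected bot flows and false alarms in the manner of Table 9. The one-second IRC payload windows are constructed, raw byte counts are used so that the volume difference between bot and human IRC traffic shown in Figures 7 and 8 is preserved, single linkage is this example's choice of inter-cluster distance (the paper does not state one), and the names count_vector, bot_del and evaluate are hypothetical.

```python
import math


def count_vector(payload):
    """Per-window 1-gram byte counts (the paper's frequency of each ASCII
    character).  Counts are not normalised, so a window carrying many bot
    messages has a much larger vector than a window with one human line."""
    vec = [0] * 256
    for b in payload:
        vec[b] += 1
    return vec


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def bot_del(F, k_final=2, distance=euclidean):
    """BotDel from Algorithm 1: start with one cluster per instance (k = N),
    repeatedly merge the closest pair of clusters until k = k_final, then
    label the cluster with the fewest instances as the botnet cluster.
    Single linkage (minimum instance distance) is this example's choice.
    Returns (botnet_cluster, all_clusters) as lists of instance indices."""
    n = len(F)
    clusters = [[i] for i in range(n)]
    # pairwise instance distances, computed once
    d = [[distance(F[i], F[j]) for j in range(n)] for i in range(n)]

    def cluster_distance(a, b):
        return min(d[i][j] for i in a for j in b)

    while len(clusters) > k_final:
        best = None
        for x in range(len(clusters)):
            for y in range(x + 1, len(clusters)):
                dist = cluster_distance(clusters[x], clusters[y])
                if best is None or dist < best[0]:
                    best = (dist, x, y)
        _, x, y = best
        clusters[x] = clusters[x] + clusters[y]  # merge the closest pair
        del clusters[y]                          # k <- k - 1
    sizes = [len(c) for c in clusters]
    b = sizes.index(min(sizes))                  # g_b = min(g_1, ..., g_m)
    return clusters[b], clusters


def evaluate(botnet_cluster, true_bot_indices):
    """Table 9 style summary: (correctly detected bot flows, false alarms)."""
    predicted = set(botnet_cluster)
    return len(predicted & true_bot_indices), len(predicted - true_bot_indices)


# --- constructed one-second windows of IRC payload (not captured traffic) ---
NORMAL_IRC = [
    b"PRIVMSG #lounge :hi all",
    b"PRIVMSG #lounge :anyone around?",
    b"JOIN #music",
    b"PRIVMSG #music :nice track",
    b"PRIVMSG #lounge :brb",
    b"PART #music",
    b"PRIVMSG #lounge :lol",
    b"PRIVMSG #lounge :see you tomorrow",
]
# three bots answering the same command in lockstep inside one window
BOT_IRC = [b"PRIVMSG #c :ack " * 20 + bytes([48 + i]) for i in range(3)]

FEATURES = [count_vector(p) for p in NORMAL_IRC + BOT_IRC]
TRUE_BOTS = set(range(len(NORMAL_IRC), len(NORMAL_IRC) + len(BOT_IRC)))

if __name__ == "__main__":
    bots, clusters = bot_del(FEATURES)
    print("cluster sizes:", [len(c) for c in clusters])
    print("detected, false alarms:", evaluate(bots, TRUE_BOTS))
```

The naive pair search is cubic in the number of windows, which is fine for one application community at a time but not for the 30 million flows of the whole day; the paper's design of clustering only inside an application community is what keeps N small. The smallest-cluster labeling rule inherits the assumption stated above: if bots ever outnumber human flows in a community, the rule labels the wrong cluster.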
5.1. Evaluation on traffic classification

The data set of traffic traces used in the experimental evaluation is collected over three consecutive days on a large-scale WiFi ISP network, on which we achieve a 60% classification rate over 100 million flows. The workload of the Fred-eZone network is illustrated in Table 1. In order to create the training dataset for learning the decision tree based classifier, 11 typical applications belonging to 8 typical application groups are modeled from known labeled flows, as illustrated in Table 3. The size of the input data for training the decision tree is 1000 × 256. In order to validate the decision tree model we conduct a real-time classification evaluation in which the traffic traces collected over 2 days are used for training and the real-time traffic flows collected on the 3rd day are used for testing.

Table 3. Applications in training dataset (size of matrix: 1000 × 256 for each application)

Application ID | Application Name | Application Group
2006 | BitTorrent | P2P
 | Gnutella | P2P
 | LimeWire | P2P
 | HTTPWeb | WEB
 | SecureWeb | WEB
 | POP | MAIL
 | SMTP | MAIL
 | FTP | DataTransfer
 | MSN | CHAT
 | SSH | RemoteAccess
 | WindowsMediaPlayer | Streaming

During the online evaluation, the decision tree based classifier is deployed on a large-scale WiFi ISP network and works in parallel with the signature based classifier. More than 90,000 flows are collected over the testing day on the network and are forced to be identified as unknown; their real labels are illustrated in Table 4. Tables 5 and 6 describe the detailed classification accuracy for each specific application using the source flow based classifier and the destination flow based classifier, respectively. The general classification accuracy is illustrated in Table 7 for both classifiers. The online evaluation results show that the decision tree classifier based on destination flows achieves a 92.6% classification accuracy, which is higher than the 89.4% accuracy obtained by the source flow based classifier.
All unknown flows are identified as specific applications and no unclassified flows occur, due to the deterministic mechanism of the decision tree structure.

5.2. Evaluation on botnet detection

During the evaluation of botnet detection, the proposed approach is evaluated with one day of traffic. Table 8 shows the flow distribution for the application community with bot flows and the total number of flows after the traffic classification step. As illustrated in Table 8, the total number of flows is 32,693K and the number of flows
labeled by the payload signature based classifier is 20,596K. The remaining unknown flows number 12,097K, among which 243 unknown flows are classified into the known IRC community (i.e. they actually represent the IRC C&C bot flows). Since we know that all these unknown flows actually belong to IRC, our approach obtains 100% accuracy for classifying these malicious bot C&C flows into their own application community. Next, we evaluate the capability of our approach for discriminating the bot generated traffic from normal traffic in the same application community. In Table 9 we show the detection results in terms of the number of correctly detected bot C&C flows and the number of falsely detected bot flows over the actual number of bot flows and normal flows in the specific community. From Table 8, we see that the total number of flows we collect for one day is over 30 million and the total number of known flows which can be labeled by the payload signatures is over 20 million. The number of IRC C&C flows is a very small part of the total flows. Our traffic classification approach classifies the unknown (malicious) IRC flows into the IRC application community with a 100% classification rate in the evaluation. All the IRC C&C flows are differentiated from the normal traffic with a low false alarm rate, i.e. only 4 false alarms in the evaluation.

Table 4. Distribution of "unknown" application flows

Applications | Number of Flows
BitTorrent | 
FTP | 224
Gnutella | 509
HTTPWeb | 626
LimeWire | 4
MSN | 4049
POP | 26
SecureWeb | 2886
SMTP | 522
SSH | 297
WindowsMediaPlayer | 722

Table 6. Classification results with destination flow based decision tree classifier (columns: Applications, Number of Unknown, Number of Labeled; rows: BitTorrent, FTP, Gnutella, HTTPWeb, LimeWire, MSN, POP, SecureWeb, SMTP, SSH, WindowsMediaPlayer; cell values not recovered)

Table 7. General classification accuracy for both classifiers (for each of the source flow based and destination flow based decision tree classifiers: Total, Number of Identified, Classification Accuracy (%); the accuracies are 89.4% and 92.6% respectively, as stated in the text)

Table 8. Description of application community

Total | Known
32693K | 20596K

Table 9.
Detection performance (columns: Communities, Normal IRC, Bot C&C, Number of detected Bot C&C, Number of Falsely Identified Bot C&C; one row for the IRC community, of which only the entries 264 and "{2 normal}" survive)

Table 5. Classification results with source flow based decision tree classifier (columns: Applications, Number of Unknown, Number of Labeled; rows: BitTorrent, FTP, Gnutella, HTTPWeb, LimeWire, MSN, POP, SecureWeb, SMTP, SSH, WindowsMediaPlayer; cell values not recovered)

6. Conclusions

In this paper, we present a novel generic botnet traffic classification framework, in which unknown applications on the current network are first classified into different application communities, such as the Chat (or more specifically IRC) community, P2P community and Web community, to name a few, and then, focusing on each application community, a novel temporal-frequent characteristic is applied to discriminate network traffic by bots from normal network traffic by human beings. Since botnets usually exploit existing application protocols, our approach can be extended to find different types of
botnets and has the potential to find new botnets when exploring specifically the traffic in the "unknown" community. In particular, we evaluate our framework on the IRC chat community, and the evaluation results show that our approach obtains a very high detection rate (approaching 100% for the IRC bot) with a low false alarm rate when detecting IRC botnet traffic. In the immediate future, we will evaluate our approach on the P2P community and measure its performance on P2P based botnets.

Acknowledgement

The authors graciously acknowledge the funding from the Atlantic Canada Opportunity Agency (ACOA) through the Atlantic Innovation Fund (AIF) to Dr. Ali Ghorbani.

References

[1] M.A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A multifaceted approach to understanding the botnet phenomenon," In Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, pp. 41-52.
[2] V. Yegneswaran, P. Barford, and V. Paxson, "Using honeynets for internet situational awareness," In Proceedings of the 4th Workshop on Hot Topics in Networks, College Park, MD.
[3] F. Freiling, T. Holz, and G. Wicherski, "Botnet tracking: exploring a root-cause methodology to prevent Denial of Service attacks," In Proceedings of the 10th European Symposium on Research in Computer Security (ESORICS 05).
[4] A. Karasaridis, B. Rexroad, and D. Hoeflin, "Wide-scale botnet detection and characterization," In Proceedings of the 1st Conference on 1st Workshop on Hot Topics in Understanding Botnets, Cambridge, MA.
[5] G.F. Gu, J.J. Zhang, and W.K. Lee, "BotSniffer: detecting botnet command and control channels in network traffic," In Proceedings of the 15th Annual Network and Distributed System Security Symposium, San Diego, CA, February.
[6] T. Strayer, D. Lapsley, R. Walsh, and C. Livadas, "Botnet detection based on network behavior," Botnet Detection: Countering the Largest Security Threat, in Series: Advances in Information Security, Vol. 36, W.K. Lee, C. Wang, D.
Dagon (Eds.), Springer.
[7] IANA port numbers, available and retrieved in Dec.
[8] J. Erman, A. Mahanti, M. Arlitt, I. Cohen, and C. Williamson, "Offline/realtime traffic classification using semi-supervised learning," Performance Evaluation, Vol. 64, No. 9-12, 1194-1213.
[9] L. Bernaille, R. Teixeira, I. Akodkenou, A. Soule, and K. Salamatian, "Traffic classification on the fly," ACM SIGCOMM Computer Communication Review, Vol. 36, Issue 2, 23-26, 2006.
[10] L. Bernaille and R. Teixeira, "Early recognition of encrypted applications," In Proceedings of the Passive and Active Measurement Conference (PAM 2007), Louvain-la-Neuve, Belgium, 165-175.
[11] S. Sen and J. Wang, "Analyzing peer-to-peer traffic across large networks," In Proceedings of the ACM SIGCOMM Internet Measurement Workshop, Marseilles, France.
[12] A. Moore and K. Papagiannaki, "Toward the accurate identification of network applications," In Proceedings of the 6th Passive and Active Measurement Workshop (PAM 2005).
[13] T. Karagiannis, K. Papagiannaki, and M. Faloutsos, "BLINC: multilevel traffic classification in the dark," In Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, Philadelphia, Pennsylvania.
[14] L. Salgarelli, F. Gringoli, and T. Karagiannis, "Comparing traffic classifiers," ACM SIGCOMM Computer Communication Review, Volume 37, Issue 3, 65-68.
[15] Fred-eZone WiFi ISP, available and retrieved in December 2008.
[16] K. Wang and S. Stolfo, "Anomalous payload-based network intrusion detection," In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, France.
[17] G.F. Gu, P. Porras, V. Yegneswaran, M. Fong, and W.K. Lee, "BotHunter: detecting malware infection through IDS-driven dialog correlation," In Proceedings of the 16th USENIX Security Symposium, Boston, MA.
[18] J.R. Quinlan, C4.5: Programs for Machine Learning. Morgan Kaufmann Publishers, 1993.
[19] M. Akiyama, T. Kawamoto, M. Shimamura, T. Yokoyama, Y.
Kadobayashi, and S. Yamaguchi, "A proposal o metrics or botnet detection based on its cooperative behavior," In Proceedings o the 2007 International Symposium on Applications and the Internet Workshops, pp , [20] E. Eskin, "Anomaly detection over noisy data using learned probability distributions," In Proceedings o 7 th International Conerence on Machine Learning, pp , Palo Alto, Authorized licensed use limited to: National Taiwan University. Downloaded on December 30, 2009 at 08:4 rom IEEE Xplore. Restrictions apply.