CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION




CYBER SCIENCE 2015
AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION
MATIJA STEVANOVIC, PhD Student
JENS MYRUP PEDERSEN, Associate Professor
Department of Electronic Systems, Aalborg University, Denmark
e-mail: {mst, jens}@es.aau.dk

AGENDA
- Botnets
- Traffic classification for botnet detection
- Method
- Results
- Future work
- Conclusion
AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION 2 OF 17 09.06.2015

BOTNETS: WHAT IS A BOTNET?
Botnets are networks of computers compromised with sophisticated malicious software that provides remote control mechanisms to an attacker.
- A distributed platform for implementing a wide range of malicious and illegal activities.
- One of the biggest threats to Internet security today.
Modern botnets:
- High number of compromised machines.
- Highly distributed botnet infrastructure.
- Sophisticated Command and Control (C&C) communication strategies.
- Highly developed resilience techniques.
- Diverse malicious and illegal activities.
- A growing business.

TRAFFIC CLASSIFICATION FOR BOTNET DETECTION: NETWORK TRAFFIC CLASSIFICATION
- Botnets are characterized by their network activity, which is often seen as their identifying trait.
- Network traffic classification is widely used for identifying network traffic patterns.
- Approaches based on traffic classification promise efficient detection of botnet traffic patterns, independent of the packet payload content and of specific prior knowledge about botnet traffic patterns.
Existing methods differ in:
- The point at which traffic is monitored.
- The heuristics of botnet traffic they target.
- The phases of the C&C life cycle they target.
- The machine learning algorithms they are based on.
- The traffic datasets used for evaluation.

METHOD: PAPER CONTRIBUTIONS
- The goal of the paper is to evaluate different strategies of traffic classification for botnet detection.
- We develop three traffic classification methods that target three protocols: TCP, UDP and DNS.
- The methods target botnets at the local network level.
- The methods are evaluated using one of the most comprehensive botnet data sets.
- We analyze whether botnet traffic can be identified in less time and at lower expense.
- We examine whether the proposed detection methods can be used within future on-line detection systems.

METHOD: BASIC PRINCIPLES
- TCP, UDP and DNS are the main carriers of botnet traffic activity.
- A separate classifier is developed for each of the three protocols.
- Each classifier follows the standard scheme of supervised machine learning algorithms (MLAs).
- Two main components: relying on existing botnet traffic, and generalizing the knowledge about malicious traffic.

METHOD: BASIC PRINCIPLES (CONTINUED)
- Time window operation.
- A Random Forests classifier is used to implement all three classifiers:
  - A capable ensemble classifier.
  - Consisting of 10 trees.
  - log2(n) + 1 features considered at each node, where n is the total number of features.

TCP / UDP TRAFFIC ANALYSIS: PRINCIPLES OF TCP/UDP TRAFFIC ANALYSIS
Traffic is analyzed from the perspective of transport layer conversations:
- Covering traffic on both TCP and UDP.
- Two-way conversations.
- A conversation is defined as the traffic on a specific 5-tuple: (IP address A, port A, IP address B, port B, protocol identifier), where A and B are the conversation endpoints.
- For every conversation a number of traffic features are extracted.

TCP / UDP TRAFFIC ANALYSIS: TRAFFIC REPRESENTATION
Features designed to capture malicious TCP/UDP traffic:
- Basic conversation features.
- Time-based features.
- Bidirectional features.
- TCP-specific features.
A simple set of features:
- Host identifiers such as IP addresses are not used as features.
- UDP conversations that carry DNS traffic are excluded.
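Added example (not from the paper or the authors' code) of the conversation grouping and feature extraction described on the two slides above: packets are folded into two-way 5-tuple conversations, DNS-over-UDP conversations are dropped, and a feature vector without IP addresses is built per conversation. The packet records are constructed, and the concrete features and the TCP flag encoding are assumptions, since the slides only name the feature categories.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample packets (not captured data): (time_s, src_ip, src_port, dst_ip, dst_port, proto, bytes, tcp_flags)
PACKETS = [
    (0.00, "10.0.0.5", 51000, "203.0.113.9", 443, "tcp", 60, "S"),
    (0.05, "203.0.113.9", 443, "10.0.0.5", 51000, "tcp", 60, "SA"),
    (0.10, "10.0.0.5", 51000, "203.0.113.9", 443, "tcp", 517, "PA"),
    (0.30, "203.0.113.9", 443, "10.0.0.5", 51000, "tcp", 1400, "PA"),
    (0.00, "10.0.0.5", 40000, "10.0.0.1", 53, "udp", 70, ""),  # DNS over UDP
    (0.02, "10.0.0.1", 53, "10.0.0.5", 40000, "udp", 120, ""),
    (1.00, "10.0.0.5", 6000, "198.51.100.7", 6000, "udp", 90, ""),
    (3.00, "198.51.100.7", 6000, "10.0.0.5", 6000, "udp", 90, ""),
]

def conversation_key(pkt):
    """Canonical two-way 5-tuple: the smaller (ip, port) endpoint becomes A."""
    _, sip, sport, dip, dport, proto, _, _ = pkt
    a, b = sorted([(sip, sport), (dip, dport)])
    return (a[0], a[1], b[0], b[1], proto)

def group_conversations(packets):
    """Group packets by conversation; DNS over UDP is left to the DNS classifier."""
    convs = defaultdict(list)
    for p in sorted(packets, key=lambda p: p[0]):
        key = conversation_key(p)
        if key[4] == "udp" and 53 in (key[1], key[3]):
            continue
        convs[key].append(p)
    return convs

def extract_features(key, pkts):
    """Per-conversation features; IP addresses are deliberately not included."""
    times, sizes = [p[0] for p in pkts], [p[6] for p in pkts]
    a_to_b = [p for p in pkts if (p[1], p[2]) == (key[0], key[1])]
    gaps = [t2 - t1 for t1, t2 in zip(times, times[1:])]
    feats = {
        "n_packets": len(pkts), "total_bytes": sum(sizes),     # basic
        "duration": times[-1] - times[0],                       # time-based
        "mean_gap": mean(gaps) if gaps else 0.0,
        "frac_a_to_b": len(a_to_b) / len(pkts),                 # bidirectional
        "bytes_a_to_b": sum(p[6] for p in a_to_b) / sum(sizes),
    }
    if key[4] == "tcp":                                         # TCP specific
        feats["syn"] = sum("S" in p[7] for p in pkts)
        feats["psh"] = sum("P" in p[7] for p in pkts)
    return feats

def build_dataset(packets):
    return {k: extract_features(k, v) for k, v in group_conversations(packets).items()}
```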

DNS TRAFFIC ANALYSIS: PRINCIPLES OF DNS TRAFFIC ANALYSIS
DNS is analyzed from the perspective of queries/responses for a particular FQDN (Fully Qualified Domain Name).
For each queried FQDN the following sets of features are extracted:
- FQDN-based features
- Query-based features
- Response-based features
- Geographical location features

EVALUATION: PRINCIPLES OF EVALUATION
An extensive malicious and non-malicious data set:
- Traffic traces from local networks.
- Traces from 40 botnet samples.
- Traces from diverse non-malicious applications.
Results are reported for a 10-fold cross validation evaluation scheme.

RESULTS: TCP TRAFFIC ANALYSIS
Performance on malicious traffic:
- Precision > 0.975
- Recall > 0.98
- The number of packets per conversation influences performance.

RESULTS: UDP TRAFFIC ANALYSIS
Performance on malicious traffic:
- Precision > 0.99
- Recall > 0.97
- The number of packets per conversation has no influence on performance.

RESULTS: DNS TRAFFIC ANALYSIS
Performance on malicious traffic:
- Precision > 0.987
- Recall > 0.983

FUTURE WORK: AN ONLINE MULTI-LEVEL BOTNET DETECTOR
- Adding a post-processing entity.
- Correlating the findings of the three classifiers.
Open issues:
- Limiting the number of false positives.

CONCLUSION: TAKE HOME MESSAGES
The results of the evaluation indicate the possibility of obtaining:
- High accuracy of botnet traffic classification for all three classification methods.
- Time-efficient operation of the classification methods.
The presented methods promise a possibility of being implemented within future on-line detection systems.
Future work will be devoted to developing methods for correlating findings from the three levels of traffic analysis.

THANK YOU