Intrusion Detection Mechanisms for Peer-to-Peer Networks – Pratik Narang, BITS Pilani Hyderabad Campus

Acknowledgements
Dr. Chittaranjan Hota (BITS – Pilani, Hyderabad)
Dr. V.N. Venkatakrishnan (University of Illinois at Chicago)
Dr. Nasir Memon (New York University, Abu Dhabi)
Supported by

Introduction
What are P2P networks? What is a bot? What are botnets? What are Peer-to-Peer based botnets?

Peer-to-Peer networks
Peer-to-Peer networks are distributed systems consisting of interconnected nodes. They are able to self-organize into network topologies and are built with the purpose of sharing resources such as content, CPU cycles, storage and bandwidth.
Famous applications: BitTorrent, Skype, eMule, SETI@home.
[Figure: a P2P overlay layer of peers A to H on top of the native IP layer, where the same peers are spread across autonomous systems AS1 to AS6]

Generic P2P architecture
[Figure: components of a generic P2P architecture: Search API, Overlay Messaging API, Peer Role Selection, Capability & Configuration, Routing and Forwarding, Neighbor Discovery, Join/Leave, Bootstrap, NAT/Firewall Traversal, Operating System, Content Storage]

P2P: uses & misuses
[Figure: Traditional Botnets (Bot-Master) vs. Peer-to-Peer Botnets. Source: www.lightcyber.com]

Dataset
Botnet | What it does | Type / size of data | Source of data
Sality | Infects executable files, attempts to disable security software | Binary (.exe) file | Generated on testbed
Storm | Email spam | .pcap file / 4.8 GB | Obtained from Univ. of Georgia
Waledac | Email spam, password stealing | .pcap file / 1.1 GB | Obtained from Univ. of Georgia
ZeuS | Steals banking information by MITM, key logging and form grabbing | .pcap file / 1 GB | Obtained from Univ. of Georgia and CVUT Prague, plus generated on testbed
Nugache | Email spam | .pcap file / 58 MB | Obtained from University of Texas at Dallas
Benign traffic: multiple P2P applications, web traffic, etc.
P2P apps v/s P2P bots
• Applications: a human user, 'bursty' traffic
  • High volume of data transfers seen
  • Small inter-arrival time of packets seen in apps
• Botnets: automated / scripted commands
  • Low in volume, high in duration
  • Large inter-arrival time of packets seen in stealthy bots
* Both randomize ports and use TCP as well as UDP

Approach
• Gather five-tuple flows from network traffic. Flows: IP1, IP1-port, IP2, IP2-port, protocol.
• Cluster flows based on bi-directional features. For each tuple, extract 4 features: Protocol, Packets per sec (f/w), Packets per sec (b/w), Avg. Payload size (f/w), and Avg. Payload size (b/w).
• Create two-tuple conversations within each cluster. Conversations: IP1, IP2. For each conversation:
  – The duration of the conversation
  – The number of packets exchanged in the conversation
  – The volume of the conversation (no. of bytes)
  – The median value of the inter-arrival time of packets in the conversation
• Differentiate between and categorize P2P apps & bots with these features.

Architecture
[Figure: P2P traffic enters the Packet Filtering Module (valid packets are kept; discarded packets are those with corrupted or missing headers); the Flow Creation Module (parameter FLOWGAP) makes flows from valid packets; the Flow Clustering Module produces clusters of flows; the Conversation Generation Module (parameter TIMEGAP) builds conversations; Machine Learning based modules classify conversations as benign or malicious]

Results
[Figures: Performance of classifiers on test data; Performance of classifiers on unseen P2P botnets]

Publications
PeerShark: Detecting P2P Botnets by Tracking Conversations. Presented at IEEE Security & Privacy Workshops (co-located with the 35th IEEE Symposium on Security & Privacy), San Jose, USA, May 2014. (Pratik Narang, Subhajit Ray, Chittaranjan Hota and V.N. Venkatakrishnan)
PeerShark: Flow-clustering and Conversation-generation for Malicious P2P traffic Identification. The EURASIP Journal on Information Security 2014, 2014:15. (Pratik Narang, Chittaranjan Hota and V.N. Venkatakrishnan)

Other tracks

Signal-processing Techniques for P2P Botnet Detection
Approach & Contributions:
• To uncover hidden patterns between the communications of bots, we convert the time-domain network communication of peers to the frequency domain.
• We extract 2-tuple conversations from network traffic and treat those conversations as a signal.
• We extract several 'signal-processing' based features using Fourier Transforms and Shannon's Entropy theory. We calculate: FFT(inter-arrival_time), FFT(payload_sizes), Compression-ratio(payload_sizes).
[Figure: the Packet Validation and Filtering Module keeps valid packets and discards the rest; the Conversation Creation Module builds conversations; the Feature Set Extraction Module produces signal-processing based and network-behavior based features; Machine Learning based modules label each conversation as malicious or benign, and P2P botnets are identified]
Machine-learning Approaches for P2P Botnet Detection using Signal-processing Techniques. The 8th ACM International Conference on Distributed Event-Based Systems (DEBS' 14), ACM SIGMOD/SIGSOFT, Mumbai, India, pp. 338-341, May 2014. (Pratik Narang, Vansh Khurana and Chittaranjan Hota)

Host-based approach using Hadoop
[Figure: traffic from the Distributed Systems Lab and the Student Hostels feeds a Hadoop cluster (Name node, Data nodes); detections trigger firewall rules]
1. Data collection …
2. Parse packets with Tshark
3. Push data to HDFS
4. Host-based features extracted with Hive
5. Feature set evaluated against models built with Mahout; P2P bots detected
Hades: A Hadoop-based Framework for Detection of Peer-to-Peer Botnets. The 20th International Conference on Management of Data (COMAD) 2014, Hyderabad, Dec 2014. (Pratik Narang, Abhishek Thakur and Chittaranjan Hota)

Code: www.github.com/pratiknarang
Feedback: [email protected]
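The flow and conversation features of the PeerShark approach above, as an added example that is not the project's own code: five-tuple flows are cut on a silence longer than FLOWGAP, each flow gets the forward/backward packets-per-second and average-payload features, and every flow between the same two IPs is merged into a 2-tuple conversation with its duration, packet count, byte volume and median inter-arrival time. The packet records and the FLOWGAP value are assumed, and the flow-clustering step is omitted, so conversations are formed directly from the IP pair.

```python
from collections import defaultdict
from statistics import median

# Constructed packet records, not captured traffic: (time_s, src_ip, src_port, dst_ip, dst_port, proto, payload_bytes)
PACKETS = [
    (0.0, "10.0.0.5", 40001, "203.0.113.7", 6881, "TCP", 68),        # app-like: bursty, bulky transfer
    (0.2, "203.0.113.7", 6881, "10.0.0.5", 40001, "TCP", 1400),
    (0.4, "203.0.113.7", 6881, "10.0.0.5", 40001, "TCP", 1400),
    (0.6, "10.0.0.5", 40001, "203.0.113.7", 6881, "TCP", 68),
    (0.0, "10.0.0.9", 51000, "198.51.100.3", 4444, "UDP", 40),       # bot-like: sparse, tiny, long-lived
    (1800.0, "10.0.0.9", 51000, "198.51.100.3", 4444, "UDP", 40),
    (1800.3, "198.51.100.3", 4444, "10.0.0.9", 51000, "UDP", 40),
    (3600.0, "10.0.0.9", 51000, "198.51.100.3", 4444, "UDP", 40),
    (3600.3, "198.51.100.3", 4444, "10.0.0.9", 51000, "UDP", 40),
]
FLOWGAP = 300.0  # seconds of silence that ends a flow (assumed value; the slides give none)

def build_flows(packets, flowgap=FLOWGAP):
    """Group packets into bidirectional 5-tuple flows; a silence longer than flowgap starts a new flow."""
    flows, open_flow = [], {}
    for p in sorted(packets, key=lambda p: p[0]):
        a, b = (p[1], p[2]), (p[3], p[4])
        key = (min(a, b), max(a, b), p[5])  # direction-agnostic 5-tuple
        cur = open_flow.get(key)
        if cur is None or p[0] - cur[-1][0] > flowgap:
            cur = open_flow[key] = []
            flows.append((key, cur))
        cur.append(p)
    return flows

def flow_features(key, pkts):
    """Per-flow clustering features: packets/sec and avg payload, forward (first packet's direction) and backward."""
    fwd_src = (pkts[0][1], pkts[0][2])
    dur = max(pkts[-1][0] - pkts[0][0], 1e-3)  # single-packet flows would otherwise divide by zero
    fwd = [p[6] for p in pkts if (p[1], p[2]) == fwd_src]
    bwd = [p[6] for p in pkts if (p[1], p[2]) != fwd_src]
    avg = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return {"proto": key[2], "pps_fwd": len(fwd) / dur, "pps_bwd": len(bwd) / dur,
            "payload_fwd": avg(fwd), "payload_bwd": avg(bwd)}

def conversations(flows):
    """Merge all flows between the same two IPs into one 2-tuple conversation and compute its 4 features."""
    convs = defaultdict(list)
    for (a, b, _proto), pkts in flows:
        convs[(min(a[0], b[0]), max(a[0], b[0]))].extend(pkts)
    out = {}
    for ips, pkts in convs.items():
        ts = sorted(p[0] for p in pkts)
        gaps = [t2 - t1 for t1, t2 in zip(ts, ts[1:])]
        out[ips] = {"duration": ts[-1] - ts[0], "packets": len(pkts), "bytes": sum(p[6] for p in pkts),
                    "median_iat": median(gaps) if gaps else 0.0}
    return out
```

On these records the bot-like pair yields a long, low-volume conversation with a median inter-arrival time of 900 s, while the app-like pair is short, bulky and has a median gap of 0.2 s, which is exactly the contrast the slides use to separate apps from stealthy bots.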
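The signal-processing features of the second track, as an added example that is not the original project's code: the inter-arrival times of a conversation are treated as a signal, a plain DFT gives its power spectrum and Shannon entropy, and zlib gives the compression ratio of the payload-size sequence. The two conversations are constructed, and the normalisation and thresholds are assumptions of this example.

```python
import cmath
import math
import zlib

def power_spectrum(signal):
    """One-sided power spectrum by the DFT definition (fine for short conversations); the DC bin is dropped."""
    n = len(signal)
    mean = sum(signal) / n
    centred = [x - mean for x in signal]
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(centred))) ** 2
            for k in range(1, n // 2 + 1)]

def spectral_entropy(signal):
    """Shannon entropy of the normalised power spectrum: 0 for a single periodicity, 1 for a flat spectrum."""
    ps = power_spectrum(signal)
    total = sum(ps)
    if len(ps) < 2 or total < 1e-12:
        return 0.0  # too short, or a constant signal with no spectral content at all
    probs = [v / total for v in ps if v > 0]
    return -sum(q * math.log2(q) for q in probs) / math.log2(len(ps))

def compression_ratio(payload_sizes):
    """Compressed/raw length of the payload-size sequence (2 bytes per size); low means repetitive."""
    raw = b"".join(s.to_bytes(2, "big") for s in payload_sizes)
    return len(zlib.compress(raw, 9)) / len(raw)

def signal_features(inter_arrivals, payload_sizes):
    """The signal-processing features of one 2-tuple conversation."""
    return {"spectral_entropy": spectral_entropy(inter_arrivals),
            "compression_ratio": compression_ratio(payload_sizes)}

# Constructed conversations, not captured traffic.
BOT_IAT = [5.0, 55.0] * 8      # scripted: short reply then long wait, strictly periodic
BOT_SIZES = [40] * 16          # fixed-size keep-alives
HUMAN_IAT = [0.1, 3.7, 0.2, 12.0, 0.05, 0.9, 45.0, 0.3, 2.2, 0.1, 7.5, 0.4, 0.1, 20.0, 1.3, 0.2]
HUMAN_SIZES = [68, 1400, 512, 1400, 90, 1400, 340, 1400, 77, 1212, 1400, 505, 1400, 131, 1400, 998]
```

The periodic conversation puts all of its spectral power in one bin and compresses well, whereas the human-driven one has a broad spectrum and a payload-size sequence that zlib cannot shrink.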