Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Panoptes: Detecting Malware Activity in Home Networks Sarthak Grover, Nick Feamster School of Computer Science, Georgia Tech Problem Panoptes Scalable and efficient Bloom-filter based malware traffic detection system. Monitor customer traffic passing through a gateway device in real-time. Compare DNS queries against extensive blacklist compiled from third party expert sources. On detection of malicious traffic Log access information: time, duration, compromised devices' ID, port numbers, bytes transferred and malware website(s) accessed. Notify the owner of (home) network about device information. Gateway Device 1 Device 2 Device x Check and download new filter every 12h Implementation Outsource security and home network management to a trusted and skilled third party. Passively monitor traffic inside the home, behind the NAT Monitor suspicious traffic exchanged with each device Allows for identifying individual devices 4 ./bloom malware_domains sudo ./bloompassive.bin eth0 dig <domains> NO Anonymize domain Upload trace to server every 30s Future Work malwarewebsite.com 4 3 2 DATA 1 Internet BISmark Client curl server:filter.bin Panoptes -lookup (domain) 1 DATA Ubuntu 13.04 Panoptes-add (new_malware_ domain) 3 3 NO Any new malware domain? YES 4 response query 1 Demonstration dp4.gtnoise.net Real-time Scalable Not device specific DNS resolver DNS Server YES Query third party blacklist sources DNS traffic lookup against blacklist for each domain in A-Record and C-Name table Server Server Approach for each packet trace(timestamp, IP_header, device_ID, domain) Gateway (client) … Hosts on home networks can be compromised. Users don’t always install anti-virus. Some devices do not have antivirus. ISPs can only detect that a compromise has occurred inside the home, not which specific device has been compromised. System Overview Server Download recent malware domain list Create bloom-filter at server [gtnoise.net] https://github.com/shahifaqeer/bismark-passive https://github.com/shahifaqeer/bloom_filter Client Download filter.bin if new Start bismark-passive with Panoptes Generate traffic using dig command or browser Log traces into /tmp/bismark-uploads/ Upload log to server for detailed analysis Take action on suspicious traffic [Comcast SAZO]. ISP alert to trigger VPN at gateway to redirect traffic for device showing suspicious activity, followed by deep packet inspection of malicious traffic. Early detection and malware prediction. Analysis of DNS traces at server to predict malicious traffic for user. Contact: [email protected]