Download Panoptes: Detecting Malware Activity in Home Networks Sarthak Grover, Nick Feamster Problem Panoptes

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts
no text concepts found
Transcript 
Panoptes: Detecting Malware Activity in Home Networks
Sarthak Grover, Nick Feamster
School of Computer Science, Georgia Tech
Problem
Panoptes
Scalable and efficient Bloom-filter based malware traffic detection system.
Monitor customer traffic passing through a gateway device in real-time.
Compare DNS queries against extensive blacklist compiled from third party expert
sources.
On detection of malicious traffic
Log access information: time, duration, compromised devices' ID, port
numbers, bytes transferred and malware website(s) accessed.
Notify the owner of (home) network about device information.
Gateway
Device 1
Device 2
Device x
Check and
download
new filter
every 12h
Implementation
Outsource security and home
network management to a trusted
and skilled third party.
Passively monitor traffic inside the
home, behind the NAT
Monitor suspicious traffic
exchanged with each device
Allows for identifying
individual devices
4
./bloom
malware_domains
sudo ./bloompassive.bin eth0
dig <domains>
NO
Anonymize
domain
Upload
trace to
server
every 30s
Future Work
malwarewebsite.com
4
3 2
DATA
1
Internet
BISmark
Client
curl
server:filter.bin
Panoptes
-lookup
(domain)
1
DATA
Ubuntu 13.04
Panoptes-add
(new_malware_
domain)
3
3
NO
Any new
malware
domain?
YES
4 response
query 1
Demonstration
dp4.gtnoise.net
 Real-time
 Scalable
 Not device specific
DNS resolver
DNS
Server
YES
Query third
party blacklist
sources
 DNS traffic
lookup against
blacklist
for each domain
in A-Record and
C-Name table
Server
Server
Approach
for each packet
trace(timestamp,
IP_header,
device_ID,
domain)
Gateway
(client)
…
Hosts on home networks can be
compromised.
Users don’t always install anti-virus.
Some devices do not have antivirus.
ISPs can only detect that a
compromise has occurred inside the
home, not which specific device has
been compromised.
System Overview
Server
 Download recent malware domain list
 Create bloom-filter at server [gtnoise.net]
https://github.com/shahifaqeer/bismark-passive
https://github.com/shahifaqeer/bloom_filter
Client





Download filter.bin if new
Start bismark-passive with Panoptes
Generate traffic using dig command or browser
Log traces into /tmp/bismark-uploads/
Upload log to server for detailed analysis
 Take action on suspicious traffic
[Comcast SAZO]. ISP alert to trigger
VPN at gateway to redirect traffic for
device showing suspicious activity,
followed by deep packet inspection
of malicious traffic.
 Early detection and malware
prediction. Analysis of DNS traces at
server to predict malicious traffic for
user.
Contact: [email protected]
Related documents
Cyber attack! Could you run services without IT for a week?
Cyber attack! Could you run services without IT for a week?
Open ended challenge rationale
Open ended challenge rationale
Read More - Wauchula State Bank
Read More - Wauchula State Bank
Do you know someone may be watching you?
Do you know someone may be watching you?
File
File
the Presentation
the Presentation
slides - University of Cambridge Computer Laboratory
slides - University of Cambridge Computer Laboratory
Emsisoft Internet Security
Emsisoft Internet Security
Threats – dangers on the web - Youth of Europe connect to a "Right
Threats – dangers on the web - Youth of Europe connect to a "Right
Slides - owasp
Slides - owasp
Math vs. Malware
Math vs. Malware
TNS03%20Introduction%20to%20Network%20Security
TNS03%20Introduction%20to%20Network%20Security
Summary of Trustworthiness Research at IU
Summary of Trustworthiness Research at IU
advised
advised
Dan A CSC 345 Term Paper
Dan A CSC 345 Term Paper
ppt
ppt
RedSocks Malicious Threat Detection
RedSocks Malicious Threat Detection
Professional Malware is a Pandemic
Professional Malware is a Pandemic
Remote Domain Security Awareness Training
Remote Domain Security Awareness Training
MALWARE ALERT: PROTECT YOUR BUSINESS AND RAISE
MALWARE ALERT: PROTECT YOUR BUSINESS AND RAISE
All Your iFRAMEs Point to Us
All Your iFRAMEs Point to Us
Advanced Malware Detection
Advanced Malware Detection