BITS Pilani, Hyderabad Campus
Intrusion Detection Mechanisms for Peer-to-Peer Networks – Pratik Narang
Acknowledgements
Dr. Chittaranjan Hota (BITS Pilani, Hyderabad)
Dr. V.N. Venkatakrishnan (University of Illinois at Chicago)
Dr. Nasir Memon (New York University, Abu Dhabi)
Supported by
Introduction
What are P2P networks?
What's a bot?
What are botnets?
What are Peer-to-Peer based botnets?
Peer-to-Peer networks
• are distributed systems consisting of interconnected nodes
• are able to self-organize into network topologies
• are built for the purpose of sharing resources such as content, CPU cycles, storage and bandwidth
Famous applications: BitTorrent, Skype, eMule, SETI@home
Peer-to-Peer networks
Figure: a P2P overlay layer of peers A to H built on top of the native IP layer, whose routers span autonomous systems AS1 to AS6; overlay neighbours (e.g. F–H, G–A, E–C) need not be neighbours at the IP layer.
Generic P2P architecture
Figure: layered view of a generic P2P node. Components: Capability & Configuration, Peer Role Selection, Operating System, NAT/Firewall Traversal, Routing and Forwarding, Neighbor Discovery, Join/Leave, Bootstrap, Overlay Messaging API, Content Storage, Search API. Example implementations: GNUnet, DC++.
P2P: uses & misuses
Figure: traditional botnets, in which every bot reports to a central Bot-Master, contrasted with Peer-to-Peer botnets, in which command and control is spread across the bots themselves. Source: www.lightcyber.com
Dataset
Botnet | What it does | Type / Size of data | Source of data
Sality | Infects executable files, attempts to disable security software | Binary (.exe) file | Generated on testbed
Storm | Email spam | .pcap file / 4.8 GB | Obtained from Univ. of Georgia
Waledac | Email spam, password stealing | .pcap file / 1.1 GB | Obtained from Univ. of Georgia
ZeuS | Steals banking information by MITM key logging and form grabbing | .pcap file / 1 GB | Obtained from Univ. of Georgia and CVUT Prague + generated on testbed
Nugache | Email spam | .pcap file / 58 MB | Obtained from University of Texas at Dallas
Plus benign traffic from multiple P2P applications, web traffic, etc.
P2P apps v/s P2P bots
Applications:
• A human user – 'bursty' traffic
• High volume of data transfers seen
• Small inter-arrival time of packets seen in apps
Botnets:
• Automated / scripted commands
• Low in volume, high in duration
• Large inter-arrival time of packets seen in stealthy bots
*Both randomize ports, use TCP as well as UDP
Approach
1. Gather five-tuple flows from network traffic. Flows: IP1, IP1-port, IP2, IP2-port, protocol.
2. Cluster flows based on bi-directional features: protocol, packets per sec (f/w), packets per sec (b/w), avg. payload size (f/w), and avg. payload size (b/w).
3. Create two-tuple conversations within each cluster. Conversations: IP1, IP2.
4. For each tuple, extract 4 features: the duration of the conversation; the number of packets exchanged in the conversation; the volume of the conversation (no. of bytes); the median value of the inter-arrival time of packets in the conversation.
5. Differentiate between and categorize P2P apps & bots with these features.
Architecture
Figure: PeerShark pipeline. P2P traffic enters the Packet Filtering Module, which passes on valid packets and discards packets with corrupted or missing headers. The Flow Creation Module builds flows from the valid packets (parameter: FLOWGAP). The Flow Clustering Module groups them into clusters of flows. The Conversation Generation Module creates conversations within each cluster (parameter: TIMEGAP). Machine Learning based modules classify each conversation as benign or malicious.
Data crunching
Results
Figure: performance of classifiers on test data.
Figure: performance of classifiers on unseen P2P botnets.
PeerShark: Detecting P2P Botnets by Tracking Conversations. Presented at IEEE Security & Privacy Workshops (co-located with the 35th IEEE Symposium on Security & Privacy), San Jose, USA, May 2014. (Pratik Narang, Subhajit Ray, Chittaranjan Hota and V.N. Venkatakrishnan).
PeerShark: Flow-clustering and Conversation-generation for Malicious P2P traffic Identification. The EURASIP Journal on Information Security 2014, 2014:15. (Pratik Narang, Chittaranjan Hota and V.N. Venkatakrishnan)
Other tracks
Signal-processing Techniques for P2P Botnet Detection
Approach & Contributions: To uncover hidden patterns between the communications of bots, we convert the time-domain network communication of peers to the frequency-domain.
We extract 2-tuple conversations from network traffic and treat those conversations as a signal.
We extract several 'signal-processing' based features using Fourier Transforms and Shannon's Entropy theory.
We calculate: FFT(inter-arrival_time), FFT(payload_sizes), Compression-ratio(payload_sizes)
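The three quantities just listed, computed over a conversation's packet timestamps and payload sizes, as an added example. It is not the paper's code: the two conversations are constructed (a beacon-like one and a file-transfer-like one), the DFT is a naive O(n^2) implementation so that the block needs nothing beyond the standard library, and the `dc_fraction` summary of the spectrum is an added feature used here to make the point that a regular beacon concentrates its energy in one bin.

```python
"""Added example: FFT, entropy and compression-ratio features of one conversation.
Not the paper's code; conversations are constructed and dc_fraction is an added summary."""
import cmath
import math
import zlib
from collections import Counter

# Constructed conversations (not captured traffic): packet timestamps (s) and payload sizes (bytes)
BOT_TIMESTAMPS = [60.0 * i for i in range(16)]   # beacon-like: one packet every 60 s
BOT_PAYLOADS = [40] * 16
APP_TIMESTAMPS = [0.0, 0.05, 0.4, 0.41, 1.9, 2.0, 2.3, 5.5, 5.52, 6.1, 9.0, 9.3, 9.31, 12.0, 12.8, 13.1]
APP_PAYLOADS = [300, 1400, 1400, 120, 900, 1400, 64, 1400, 1400, 200, 1400, 800, 64, 1400, 512, 1400]


def inter_arrival_times(timestamps):
    """The time-domain signal the slides call inter-arrival_time."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def dft_magnitudes(signal):
    """Normalised magnitude spectrum |X_k|/n of a real sequence. Naive O(n^2) DFT,
    fine for a conversation of a few hundred packets; use numpy.fft.fft at scale."""
    n = len(signal)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * t / n) for t, x in enumerate(signal))) / n
            for k in range(n)]


def dc_fraction(signal):
    """Share of spectral energy in the DC bin: 1.0 for a perfectly regular signal
    (all values equal), lower the more the values vary. Added summary feature."""
    mags = dft_magnitudes(signal)
    energy = sum(m * m for m in mags)
    return mags[0] ** 2 / energy if energy > 0 else 1.0   # all-zero signal: treat as regular


def shannon_entropy(values):
    """Entropy in bits of the empirical distribution of the values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def compression_ratio(values):
    """zlib-compressed size over raw size of the value sequence; a repetitive
    payload-size sequence compresses far better than a varied one."""
    raw = ",".join(str(v) for v in values).encode()
    return len(zlib.compress(raw)) / len(raw)


def signal_features(timestamps, payloads):
    """Feature vector for one 2-tuple conversation."""
    iat = inter_arrival_times(timestamps)
    return {
        "iat_dc_fraction": dc_fraction(iat),
        "payload_dc_fraction": dc_fraction(payloads),
        "payload_entropy": shannon_entropy(payloads),
        "payload_compression_ratio": compression_ratio(payloads),
    }


if __name__ == "__main__":
    print("bot:", signal_features(BOT_TIMESTAMPS, BOT_PAYLOADS))
    print("app:", signal_features(APP_TIMESTAMPS, APP_PAYLOADS))
```

For the beacon-like conversation the inter-arrival spectrum is all DC (fraction 1.0), payload entropy is 0 bits and the payload sequence compresses to a fraction of its size; the file-transfer-like conversation spreads its energy over many bins (DC fraction about 0.39), has 2.375 bits of payload-size entropy and compresses poorly. Those gaps are what a classifier trained on these features separates.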
Figure: signal-processing pipeline. Packet Validation and Filtering Module (valid packets pass, discarded packets dropped) → Conversation Creation Module → Feature Set Extraction Module, producing the extracted features (signal-processing based features and network-behavior based features) → Machine Learning based modules, which label each conversation as malicious or benign; P2P botnets identified.
Machine-learning Approaches for P2P Botnet Detection using Signal-processing Techniques. The 8th ACM International Conference on Distributed Event-Based Systems (DEBS’ 14), ACM SIGMOD/SIGSOFT, Mumbai, India, pp. 338-341, May 2014. (Pratik Narang, Vansh Khurana and Chittaranjan Hota)
Host-based approach using Hadoop
Figure: Hades pipeline, with traffic captured from the Distributed Systems Lab and the Student Hostels, a Hadoop name node and data nodes, and detected P2P bots fed back to trigger firewall rules.
1. Data collection
2. Parse packets with Tshark
3. Push data to HDFS
4. Host-based features extracted with Hive
5. Feature set evaluated against models built with Mahout
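The per-host aggregation that steps 2 to 4 perform, shown here as an added example in plain Python over constructed tshark output rather than Hive over HDFS, so the reader can see what a "host-based feature" is before it reaches Mahout. This is not the Hades code: the CSV rows are made up (the tshark field names in the comment are real), and the feature set is an assumption, since the slides do not list which host-based features Hades extracts.

```python
"""Added example: host-based feature extraction over tshark-style CSV rows.
Not the Hades code; rows are constructed and the feature set is assumed."""
import csv
import io
from collections import defaultdict

# Constructed rows in the shape produced by:
#   tshark -r capture.pcap -T fields -E separator=, \
#          -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto -e frame.len
# (the field names exist in tshark; the values below are made up)
TSHARK_CSV = """\
1400000000.000,10.1.1.10,10.1.1.20,6,74
1400000000.050,10.1.1.20,10.1.1.10,6,1514
1400000000.100,10.1.1.10,10.1.1.30,6,74
1400000000.150,10.1.1.10,10.1.1.40,17,92
1400000060.000,10.1.1.50,10.1.1.60,17,82
1400000120.000,10.1.1.50,10.1.1.70,17,82
1400000180.000,10.1.1.50,10.1.1.80,17,82
1400000240.000,10.1.1.50,10.1.1.90,17,82
"""
UDP = 17  # IP protocol number


def parse_tshark_csv(text):
    """Step 2 equivalent: (time_s, src, dst, proto, frame_len) per packet."""
    return [(float(ts), src, dst, int(proto), int(length))
            for ts, src, dst, proto, length in csv.reader(io.StringIO(text))]


def host_features(rows):
    """Step 4 equivalent: per source host, packets sent, bytes sent, distinct peers,
    UDP share and mean gap between its outgoing packets (assumed feature set)."""
    per_host = defaultdict(list)
    for row in sorted(rows):               # by timestamp, then source
        per_host[row[1]].append(row)
    feats = {}
    for host, pk in per_host.items():
        gaps = [b[0] - a[0] for a, b in zip(pk, pk[1:])]
        feats[host] = {
            "packets": len(pk),
            "bytes": sum(r[4] for r in pk),
            "peers": len({r[2] for r in pk}),
            "udp_fraction": sum(1 for r in pk if r[3] == UDP) / len(pk),
            "mean_gap": sum(gaps) / len(gaps) if gaps else 0.0,
        }
    return feats


if __name__ == "__main__":
    for host, f in host_features(parse_tshark_csv(TSHARK_CSV)).items():
        print(host, f)
```

Host 10.1.1.10 comes out as a short burst to three peers with mixed TCP/UDP, while 10.1.1.50 contacts four distinct peers over UDP exactly once a minute, the kind of per-host profile the Mahout models are then asked to score. In the real pipeline the same aggregation is a GROUP BY over the HDFS table in Hive, which is what lets it scale to campus-wide captures.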
Hades: A Hadoop-based Framework for Detection of Peer-to-Peer Botnets. The 20th International Conference on Management of Data (COMAD) 2014, Hyderabad, Dec 2014. (Pratik Narang, Abhishek Thakur and Chittaranjan Hota)
Code: www.github.com/pratiknarang
Feedback: [email protected]