Presentation is loading. Please wait.

Presentation is loading. Please wait.

Smarter Searching for a Network Packet Database William (Bill) Kenworthy School of Information Technology Murdoch University Perth, Western Australia.

Published byMoses Reason Modified over 10 years ago

Similar presentations

Presentation on theme: "Smarter Searching for a Network Packet Database William (Bill) Kenworthy School of Information Technology Murdoch University Perth, Western Australia."— Presentation transcript:

1 Smarter Searching for a Network Packet Database William (Bill) Kenworthy School of Information Technology Murdoch University Perth, Western Australia

2 Content This is a presentation is about an alternative way to search and/or classify data travelling over a network I will be describing the background, methodology and results of the research This research covers two seemingly disparate disciplines so as the conference has a communication focus there is some background on bioinformatics to set the scene This presentation is (almost) maths free! if you want the maths, see the paper :) 2

3 Motivation Test and validate alternate ways to view network data Better visualise the intrinsic relationships between packets of data based on structure rather than content As part of Investigating the possibilities inherent in mining data via structure based methods Searching using statistical ranking of possible answers 3

4 About Searching for information in high speed network traffic is difficult - but is basically a "solved" problem! What is still a problem though is searching for partial, obfuscated or spatially separated (in the data stream) search terms The work described here is a successful attempt to use characteristics more commonly associated with biological systems to identify areas of interest in a network data stream 4

5 Searching Traditional database search results are the result of exact (yes/no) matching based on some regular expression system e.g., [Bb]ank* Traditional database search results are the result of exact (yes/no) matching based on some regular expression system e.g., [Bb]ank* Instead, the algorithms I am recommending match on the low level structure of a sequence of characters character value and position/relationship in the stream character/term substitution results are ranked according to identity score and include false error rate data 5

6 Problem: dealing with raw bits on a network 6

7 What do we mean by "bioinformatics" algorithms There are useful parallels between the way data is structured in a stream of network data and a biological genome Target the structures within a data stream for searching Very sophisticated, statistically valid search algorithms were developed for use in searching biological data Results can be statistically correlated and ranked 7

8 What is constant? - Structure! The property of the algorithms developed for bioinformatics that we are using primarily targets structure: IP numbers will change in the header of an IP packet. BUT the position and placement of other tokens near the IP number does not (fixed size fields) This property extends to data fields Example: DNS data packets will have a similar signature with slight differences depending on the mutable data 8

9 Structure 00 => A 01 => C 10 => G 11 => T 9

10 Example plot of relationships 10

11 Methodology The software used was standard bioinformatics software with the input data modified to suit Most bioinformatics software has been implemented by large teams over many years – it is not practical for an individual to re-implement it for a different purpose :( The software used was standard bioinformatics software with the input data modified to suit Most bioinformatics software has been implemented by large teams over many years – it is not practical for an individual to re-implement it for a different purpose :( Solution - translate packetised network data into bioinformatics compatible data files via mapping ones and zeros to the DNA alphabet – basic data abstraction 11

12 What? What we are proposing is to intelligently identify network traffic in a way that uses relationships between structural elements embedded in the data rather than the literal content of the data Use this as a method to identify and classify network data into categories against which an event can be notified What we are proposing is to intelligently identify network traffic in a way that uses relationships between structural elements embedded in the data rather than the literal content of the data Use this as a method to identify and classify network data into categories against which an event can be notified We have created a database of known good and bad data samples which allows us to place network data in one of three possible categories: known good known bad unknown 12

13 Database Creation Created with isolated island networks using generic PC's with various operating systems database pollution was a problem "Good" samples were typical email, database, browsing "Bad" samples were from PC's intentionally infected with botnet, virus and worm examples Database is in the form of indexed motifs in a "BLAST" formatted flat file design 13

14 Process Processing flow is started by extracting a packet of data to user space (via the linux kernel netfilter nfqueue module) The packet (as a whole) is transcoded and searched against the database returned is a set of "motifs" with score and false error rate statistics for each motif matched in the database Event notification is based on a threshold basis according to an election process for the top rated N hits returned (hits are ranked in order of the identity score) 14

15 Implementation The test design has proven less than reliable under higher packet rates mainly due to inefficient design Next step is to implement the reference design as a Snort IDS module and link to Snorts event notification process where the well designed data handling processes will alleviate the problems mentioned above 15

16 The Future These techniques have wide applicability to search problems where data is structured but mutable And for something completely different :) Using a similar process for detecting collusion between student assignments based on detecting structural similarities in software coding styles Create database of motifs based on code … search! 16

17 Existing work? Considering the advantages I have found, very little work has been undertaken in using these algorithms IBM proposed An Intrusion-Detection System Based on the Teiresias Pattern-Discovery Algorithm in 1999 IBM has proposed using the Teiresias algorithm for SPAM filtering in 2004. Commentators thought it was interesting but little further activity... 17

18 Conclusions It works :) Known/Unknown sorting might be a unique niche application Ability to statistically rank similarity is a useful tool opening up access to alternate ways to view search results 18

19 Questions? William (Bill) Kenworthy W.Kenworthy@murdoch.edu.au Thank you! 19

Download ppt "Smarter Searching for a Network Packet Database William (Bill) Kenworthy School of Information Technology Murdoch University Perth, Western Australia."

Similar presentations

Towards Data Mining Without Information on Knowledge Structure

Towards Data Mining Without Information on Knowledge Structure
Chungnam National University DataBase System Lab. 2014 1 4 2014 1 4 2014 1 4 2014 1 4 2014 1 4 2014 1 4 2014.

Chungnam National University DataBase System Lab
Software Requirements

Software Requirements
Computer Networks TCP/IP Protocol Suite.

Computer Networks TCP/IP Protocol Suite.
Art Foundations Exam 1.What are the Elements of Art? List & write a COMPLETE definition; you may supplement your written definition with Illustrations.

Art Foundations Exam 1.What are the Elements of Art? List & write a COMPLETE definition; you may supplement your written definition with Illustrations.
Chapter 6 Writing a Program

Chapter 6 Writing a Program
Building a Knowledge Management System as a Life Cycle

Building a Knowledge Management System as a Life Cycle
Growing Every Child! The following slides are examples of questions your child will use in the classroom throughout the year. The questions progress from.

Growing Every Child! The following slides are examples of questions your child will use in the classroom throughout the year. The questions progress from.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Network Security Highlights Nick Feamster Georgia Tech.

Network Security Highlights Nick Feamster Georgia Tech.
OMV Ontology Metadata Vocabulary April 10, 2008 Peter Haase.

OMV Ontology Metadata Vocabulary April 10, 2008 Peter Haase.
Credit hours: 4 Contact hours: 50 (30 Theory, 20 Lab) Prerequisite: TB143 Introduction to Personal Computers.

Credit hours: 4 Contact hours: 50 (30 Theory, 20 Lab) Prerequisite: TB143 Introduction to Personal Computers.
Designing Services for Grid-based Knowledge Discovery A. Congiusta, A. Pugliese, Domenico Talia, P. Trunfio DEIS University of Calabria ITALY

Designing Services for Grid-based Knowledge Discovery A. Congiusta, A. Pugliese, Domenico Talia, P. Trunfio DEIS University of Calabria ITALY
Cyber Defence Data Exchange and Collaboration Infrastructure (CDXI)

Cyber Defence Data Exchange and Collaboration Infrastructure (CDXI)
0 - 0.

0 - 0.
Addition Facts 1 - 20.

Addition Facts
Limitations of the relational model 1. 2 Overview application areas for which the relational model is inadequate - reasons drawbacks of relational DBMSs.

Limitations of the relational model 1. 2 Overview application areas for which the relational model is inadequate - reasons drawbacks of relational DBMSs.
1 9 Moving to Design Lecture 4. 2 9 Analysis Objectives to Design Objectives Figure 9-2.

1 9 Moving to Design Lecture Analysis Objectives to Design Objectives Figure 9-2.
1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.

1 Data Link Protocols By Erik Reeber. 2 Goals Use SPIN to model-check successively more complex protocols Using the protocols in Tannenbaums 3 rd Edition.

Similar presentations

Ads by Google