PEER TO PEER BOTNET DETECTION FOR CYBER-SECURITY (DEFENSIVE OPERATION): A DATA MINING APPROACH. Masud, M. M. (1), Gao, J. (2), Khan, L. (1), Han, J. (2), Thuraisingham, B. (1)

Presentation transcript:

PEER TO PEER BOTNET DETECTION FOR CYBER-SECURITY (DEFENSIVE OPERATION): A DATA MINING APPROACH
Masud, M. M. (1), Gao, J. (2), Khan, L. (1), Han, J. (2), Thuraisingham, B. (1)
(1) University of Texas at Dallas
(2) University of Illinois at Urbana-Champaign

Background
Botnet
◦ Network of compromised machines
◦ Under the control of a botmaster
Taxonomy:
◦ C&C: centralized, distributed, etc.
◦ Protocol: IRC, HTTP, P2P, etc.
◦ Rallying mechanism: hard-coded IP, dynamic DNS, etc.
Network traffic monitoring

What To Monitor?
Monitor payload or header?
Problems with payload monitoring
◦ Privacy
◦ Unavailability
◦ Encryption/obfuscation
Information extracted from the header (features)
◦ New connection rate
◦ Packet size
◦ Upload/download bandwidth
◦ ARP request & ICMP echo reply rate
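The feature list above is the whole input to the detector, so it is worth seeing how it is computed from header fields alone. The following is an added example, not code from the paper or its authors: it takes constructed packet-header records (no payload) and derives the four feature groups the slide names for one monitored host over a time window. The `Pkt` record layout, the `info` field encoding, the ten-second window and the sample addresses are my assumptions; the paper does not specify its record format.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    """One packet header record: only fields a header parser yields, no payload."""
    ts: float        # capture time in seconds
    src: str         # source address (for ARP, the sender's IP)
    dst: str
    proto: str       # "tcp", "udp", "icmp" or "arp"
    size: int        # bytes on the wire
    info: str = ""   # tcp flags ("S", "SA", ...), arp "request"/"reply",
                     # icmp "echo-request"/"echo-reply"
    dport: int = 0   # tcp/udp destination port


def header_features(packets, host, window_s):
    """Per-host features from header fields over a window of window_s seconds.

    new_conn_rate   : distinct (dst, dport) TCP SYNs sent by host, per second
    mean_pkt_size   : mean wire size of packets to/from host
    upload_bps      : bytes sent by host per second
    download_bps    : bytes received by host per second
    arp_req_rate    : ARP requests sent by host, per second
    icmp_reply_rate : ICMP echo replies received by host, per second
    """
    seen, new_conn, up, down, arp_req, icmp_reply = set(), 0, 0, 0, 0, 0
    sizes = []
    for p in packets:
        if host not in (p.src, p.dst):
            continue                      # other hosts' traffic is ignored
        sizes.append(p.size)
        outbound = p.src == host
        if outbound:
            up += p.size
        else:
            down += p.size
        if outbound and p.proto == "tcp" and p.info == "S":
            key = (p.dst, p.dport)        # a retransmitted SYN is not a new connection
            if key not in seen:
                seen.add(key)
                new_conn += 1
        elif outbound and p.proto == "arp" and p.info == "request":
            arp_req += 1
        elif not outbound and p.proto == "icmp" and p.info == "echo-reply":
            icmp_reply += 1
    return {
        "new_conn_rate": new_conn / window_s,
        "mean_pkt_size": sum(sizes) / len(sizes) if sizes else 0.0,
        "upload_bps": up / window_s,
        "download_bps": down / window_s,
        "arp_req_rate": arp_req / window_s,
        "icmp_reply_rate": icmp_reply / window_s,
    }


FEATURE_ORDER = ["new_conn_rate", "mean_pkt_size", "upload_bps",
                 "download_bps", "arp_req_rate", "icmp_reply_rate"]


def feature_vector(packets, host, window_s):
    """Fixed-order list, the form a stream classifier would consume."""
    f = header_features(packets, host, window_s)
    return [f[k] for k in FEATURE_ORDER]


# Constructed sample: a 10-second window of header records around host 10.0.0.5.
SAMPLE = [
    Pkt(0.1, "10.0.0.5", "10.0.0.9", "tcp", 60, "S", 80),
    Pkt(0.2, "10.0.0.9", "10.0.0.5", "tcp", 60, "SA", 0),
    Pkt(1.0, "10.0.0.5", "10.0.0.9", "tcp", 60, "S", 80),      # SYN retransmit
    Pkt(2.0, "10.0.0.5", "10.0.0.12", "tcp", 60, "S", 443),
    Pkt(3.0, "10.0.0.5", "10.0.0.12", "udp", 500, "", 53),
    Pkt(4.0, "10.0.0.5", "10.0.0.255", "arp", 42, "request"),
    Pkt(5.0, "10.0.0.5", "10.0.0.255", "arp", 42, "request"),
    Pkt(6.0, "10.0.0.5", "10.0.0.12", "icmp", 98, "echo-request"),
    Pkt(6.1, "10.0.0.12", "10.0.0.5", "icmp", 98, "echo-reply"),
    Pkt(7.0, "10.0.0.1", "10.0.0.2", "udp", 100, "", 123),     # not our host
]

if __name__ == "__main__":
    for k, v in header_features(SAMPLE, "10.0.0.5", 10.0).items():
        print(f"{k:16s} {v:.2f}")
```

Every quantity above comes from link, network and transport headers, which is what lets the approach sidestep the privacy, availability and encryption problems the slide lists for payload inspection; the cost is that the detector only ever sees traffic shape, so the features must be computed per host and per window consistently between training and deployment.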

Mapping to Stream Data Mining
Stream data: any continuous flow of data.
◦ For example: network traffic / sensor data.
Properties of stream data: two important properties, infinite length and concept drift.
Stream data classification: cannot be done with conventional classification algorithms.
We propose a multi-chunk multi-level ensemble approach to solve these problems,
◦ which significantly reduces error over the single-chunk single-level ensemble approaches.

Stream Data Classification: The Single-Chunk Single-Level Ensemble (SCE) Approach
Divide the data stream into equal sized chunks
◦ Train a classifier from each data chunk
◦ Keep the best K such classifiers as the ensemble
◦ Select the best K classifiers from {c_1, …, c_k} ∪ {c_{k+1}}
[Figure: chunks D_1, D_2, D_3, …, D_k, D_{k+1}, each training a classifier c_1, c_2, c_3, …, c_k, c_{k+1}]

Our Approach: Multi-Chunk Multi-Level Ensemble (MCE)
◦ Train v classifiers from r consecutive data chunks, create an ensemble from them, and keep the best K such ensembles
◦ Two-level ensemble hierarchy:
  ▪ Top level (A): ensemble of K middle-level ensembles A_i
  ▪ Middle level (A_i): ensemble of v bottom-level classifiers A_i(j)
[Figure: top-level ensemble A over middle-level ensembles A_1, …, A_K; each A_i over bottom-level classifiers A_i(1), …, A_i(v)]

Middle-level Ensemble Construction
[Figure only; not captured in the transcript]

Top Level Ensemble Updating
Let D_n be the most recent labeled data chunk
Let A be the top-level ensemble
Construct a middle-level ensemble A'
◦ using r consecutive data chunks: D = {D_{n-r+1}, …, D_n}
Obtain the error of A' on D by testing each classifier A'(j) on its corresponding test data d_j
Obtain the error of each middle-level ensemble A_1, …, A_K on the latest chunk D_n
A ← the K lowest-error middle-level ensembles in A ∪ {A'}
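To make the SCE baseline and the MCE update rule above concrete, here is an added example that implements both over a constructed drifting stream; it is my code, not the authors' implementation, and it simplifies in ways worth naming. The base learner is a nearest-centroid classifier (assumed; the paper uses decision trees), labels are 0/1, and for the middle-level construction I assume the standard v-fold split: the r chunks are pooled into D, partitioned into v parts d_1, …, d_v, and A'(j) is trained on D minus d_j and tested on d_j, which is the held-out test the slide refers to. The SCE selection scores every candidate on the latest chunk D_n, as in the single-chunk slide. Parameters K, r, v, the chunk size and the drift rate are my choices.

```python
import random
from statistics import mean


class Centroid:
    """Nearest-centroid base learner (a stand-in for the decision trees the
    slides use; chosen because it needs no library). Labels are 0 or 1."""
    def fit(self, X, y):
        self.c = {}
        for label in (0, 1):
            pts = [x for x, l in zip(X, y) if l == label]
            if pts:
                self.c[label] = tuple(mean(col) for col in zip(*pts))
        return self

    def predict(self, x):
        return min(self.c, key=lambda l: sum((a - b) ** 2 for a, b in zip(x, self.c[l])))


class Vote:
    """Majority vote of member models; used for middle- and top-level ensembles."""
    def __init__(self, members):
        self.members = members

    def predict(self, x):
        return 1 if 2 * sum(m.predict(x) for m in self.members) > len(self.members) else 0


def error(model, X, y):
    return sum(model.predict(x) != t for x, t in zip(X, y)) / len(y)


class SCE:
    """Single-chunk single-level: one classifier per chunk, keep the best K."""
    def __init__(self, K):
        self.K, self.members = K, []

    def update(self, Xn, yn):
        cand = self.members + [Centroid().fit(Xn, yn)]
        cand.sort(key=lambda m: error(m, Xn, yn))   # every candidate scored on D_n
        self.members = cand[:self.K]

    def predict(self, x):
        return Vote(self.members).predict(x)


class MCE:
    """Multi-chunk multi-level: a middle ensemble of v classifiers is built from
    the last r chunks; the top level keeps the K lowest-error middle ensembles."""
    def __init__(self, K, r, v):
        self.K, self.r, self.v = K, r, v
        self.A, self.recent = [], []            # top-level ensemble, last r chunks

    def build_middle(self, D):
        # Assumed v-fold split: A'(j) is trained on D minus d_j and tested on d_j.
        parts = [D[j::self.v] for j in range(self.v)]
        members, fold_err = [], []
        for j, test in enumerate(parts):
            train = [p for k, part in enumerate(parts) if k != j for p in part]
            clf = Centroid().fit([x for x, _ in train], [t for _, t in train])
            members.append(clf)
            fold_err.append(error(clf, [x for x, _ in test], [t for _, t in test]))
        return Vote(members), mean(fold_err)     # error of A' on D

    def update(self, Xn, yn):
        self.recent = (self.recent + [list(zip(Xn, yn))])[-self.r:]
        D = [p for chunk in self.recent for p in chunk]
        A_new, err_new = self.build_middle(D)
        # Existing middle ensembles are scored on the latest chunk D_n.
        scored = [(error(Ai, Xn, yn), Ai) for Ai in self.A] + [(err_new, A_new)]
        scored.sort(key=lambda s: s[0])
        self.A = [Ai for _, Ai in scored[:self.K]]

    def predict(self, x):
        return Vote(self.A).predict(x)


def make_chunk(rng, t, n=60, drift=0.3):
    """Constructed drifting stream: both class means slide right by `drift` per chunk."""
    pts = [((rng.gauss(drift * t, 1), rng.gauss(0, 1)), 0) for _ in range(n // 2)]
    pts += [((rng.gauss(3 + drift * t, 1), rng.gauss(3, 1)), 1) for _ in range(n // 2)]
    rng.shuffle(pts)
    return [x for x, _ in pts], [lab for _, lab in pts]


def run_simulation(chunks=12, K=3, r=2, v=3, seed=1):
    """Prequential run: each chunk is tested on the current ensembles, then used to update."""
    rng = random.Random(seed)
    sce, mce = SCE(K), MCE(K, r, v)
    sce_err, mce_err = [], []
    for t in range(chunks):
        X, y = make_chunk(rng, t)
        if t > 0:
            sce_err.append(error(sce, X, y))
            mce_err.append(error(mce, X, y))
        sce.update(X, y)
        mce.update(X, y)
    return {"sce_error": mean(sce_err), "mce_error": mean(mce_err),
            "sce_members": len(sce.members), "mce_members": len(mce.A)}


if __name__ == "__main__":
    print(run_simulation())
```

The two update rules differ only in what a candidate is and how it is scored: SCE scores single classifiers on D_n, while MCE scores the fresh middle ensemble on held-out folds of the pooled window and the older ones on D_n, which is why the top level can retire an ensemble whose chunks predate a drift. The synthetic stream here is constructed and deliberately easy; the paper's own comparison is on its synthetic and botnet data sets.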

Error Reduction Analysis
Proof: [equations not captured in the transcript]

Error Reduction Analysis (continued)
Proof: [equations not captured in the transcript]

Evaluation
Results on synthetic data [figure]
Results on botnet data [figure]

Offensive Operation
Masud, M. M., Mohan, V., Khan, L., Hamlen, K., and Thuraisingham, B.

Overview
Goal
◦ To hack/attack another person's computer and steal sensitive information
◦ Without being detected
Idea
◦ Propagate malware (worm/spyware, etc.) through the network
◦ Apply obfuscation so that malware detectors fail to detect the malware
Assumption
◦ The attacker has the malware detector (a valid assumption because anti-virus software is public)

Strategy
Steps:
◦ Extract the model from the malware detector
◦ Obfuscate the malware to evade the model
◦ There has been some work on automatic model extraction from malware detectors, such as: Christodorescu and Jha. Testing Malware Detectors. In Proc. ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2004).
[Figure: Malware detector → Model extraction → Model → Malware analysis → Obfuscation/refinement]

Example
Suppose the malware detector is a data mining based malicious code detector such as [a].
◦ Assume that the model is a decision tree as follows:
[Figure: decision tree testing whether the sample has pattern pt_1, then pattern pt_2, with "has" / "does not have" branches]
◦ Given this model,
  ▪ if malware x has pattern pt_1 then it will be detected as benign → must insert the pattern pt_1 into the malware (insertion)
  ▪ if malware x has neither pt_1 nor pt_2 then it will be detected as benign → must remove pt_2 from the malware (assuming it does not have pt_1) (removal)
[a] Masud, M. M., Khan, L. & Thuraisingham, B. A Scalable Multi-level Feature Extraction Technique to Detect Malicious Executables. Information Systems Frontiers, 10:33-35.