Intrusion Detection Mechanisms
for Peer-to-Peer Networks
– Pratik Narang
BITS Pilani
Hyderabad Campus
Acknowledgements
• Dr. Chittaranjan Hota (BITS – Pilani, Hyderabad)
• Dr. V.N. Venkatakrishnan (University of Illinois at Chicago)
• Dr. Nasir Memon (New York University, Abu Dhabi)

Supported by
Introduction
• What are P2P networks?
• What's a bot?
• What are botnets?
• What are Peer-to-Peer based botnets?
Peer-to-Peer networks
• are distributed systems consisting of interconnected nodes
• are able to self-organize into network topologies
• are built with the purpose of sharing resources such as content, CPU cycles, storage and bandwidth
Famous applications: BitTorrent, Skype, eMule, SETI@home
Peer-to-Peer networks
[Figure: the P2P overlay layer, in which peers A–H are linked directly to one another, drawn above the native IP layer, in which the same peers are spread across autonomous systems AS1–AS6. Links between overlay neighbours do not follow the IP-layer topology.]
Generic P2P architecture
[Figure: building blocks of a P2P node, shown top to bottom]
• Search API; Overlay Messaging API
• Peer Role Selection; Capability & Configuration
• Routing and Forwarding; Neighbor Discovery; Join/Leave; Bootstrap
• NAT/Firewall Traversal
• Operating System; Content Storage
P2P: uses & misuses
[Figure: traditional botnets, in which every bot reports to a central Bot-Master, contrasted with Peer-to-Peer botnets, in which command and control is spread across the bots themselves. Source: www.lightcyber.com]
Dataset

Botnet  | What it does                                                      | Type / size of data | Source of data
Sality  | Infects executable files, attempts to disable security software.  | Binary (.exe) file  | Generated on testbed
Storm   | Email spam                                                        | .pcap file / 4.8 GB | Obtained from Univ. of Georgia
Waledac | Email spam, password stealing                                     | .pcap file / 1.1 GB | Obtained from Univ. of Georgia
ZeuS    | Steals banking information by MITM, key logging and form grabbing | .pcap file / 1 GB   | Obtained from Univ. of Georgia and CVUT Prague, plus generated on testbed
Nugache | Email spam                                                        | .pcap file / 58 MB  | Obtained from University of Texas at Dallas

...and multiple P2P applications, web traffic, etc.
P2P apps v/s P2P bots

Applications:
• A human user – ‘bursty’ traffic
• High volume of data transfers seen
• Small inter-arrival time of packets seen in apps

Botnets:
• Automated / scripted commands
• Low in volume, high in duration
• Large inter-arrival time of packets seen in stealthy bots

*Both randomize ports, use TCP as well as UDP
Approach
• Gather five-tuple flows from network traffic
  – Flows: IP1, IP1-port, IP2, IP2-port, protocol
• Cluster flows based on bi-directional features
  – Protocol, Packets per sec (f/w), Packets per sec (b/w), Avg. Payload size (f/w), and Avg. Payload size (b/w)
• Create two-tuple conversations within each cluster
  – Conversations: IP1, IP2
• For each two-tuple conversation, extract 4 features:
  – The duration of the conversation
  – The number of packets exchanged in the conversation
  – The volume of the conversation (no. of bytes)
  – The median value of the inter-arrival time of packets in the conversation
• Differentiate between and categorize P2P apps & bots with these features
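The flow-to-conversation pipeline above, as an added example (this is not PeerShark's own code). It builds five-tuple flows from constructed packet records, computes the bi-directional flow features named on the slide, merges flows into two-tuple (IP1, IP2) conversations and derives the four conversation features. The clustering step, which PeerShark performs with a machine-learning module, is stood in for by grouping flows on protocol; that, the one-second floor on flow lifetime when computing packets per second, and the optional `timegap` split (named after the TIMEGAP parameter of the architecture) are this example's assumptions.

```python
"""Flow, cluster and conversation features in the style of the Approach slide.

Added example, not PeerShark's code.  Packet records are constructed inline.
The real pipeline clusters flows on the bi-directional features with a
machine-learning module; here `cluster_of` simply groups by protocol so the
conversation step can be shown end to end (an assumption, not the paper's).
"""
from collections import defaultdict
from statistics import median

# Constructed packets: (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, payload_bytes)
PACKETS = [
    (0.0,   "10.0.0.1", 40001, "10.0.0.2", 6881,  "TCP", 100),   # app-like: dense, chatty
    (0.5,   "10.0.0.2", 6881,  "10.0.0.1", 40001, "TCP", 300),
    (1.0,   "10.0.0.1", 40001, "10.0.0.2", 6881,  "TCP", 100),
    (1.5,   "10.0.0.1", 40002, "10.0.0.2", 6882,  "TCP", 50),    # second flow, same IP pair
    (2.0,   "10.0.0.2", 6882,  "10.0.0.1", 40002, "TCP", 50),
    (0.0,   "10.0.0.3", 5000,  "10.0.0.4", 5000,  "UDP", 20),    # bot-like: sparse, long-lived
    (60.0,  "10.0.0.4", 5000,  "10.0.0.3", 5000,  "UDP", 20),
    (120.0, "10.0.0.3", 5000,  "10.0.0.4", 5000,  "UDP", 20),
]


def build_flows(packets, timegap=float("inf")):
    """Group packets into bidirectional five-tuple flows.

    The key is (proto, endpoint_a, endpoint_b) with the two (ip, port)
    endpoints in sorted order, so both directions of a connection land in
    one flow.  A packet that arrives more than `timegap` seconds after the
    previous packet of its key starts a new flow instance (modelled on the
    TIMEGAP parameter of the architecture slide; an assumption here).
    """
    flows = []
    current = {}  # key -> index of the open flow instance for that key
    for ts, src, sport, dst, dport, proto, nbytes in sorted(packets, key=lambda p: p[0]):
        a, b = (src, sport), (dst, dport)
        key = (proto,) + tuple(sorted([a, b]))
        idx = current.get(key)
        if idx is None or ts - flows[idx]["last"] > timegap:
            flows.append({"key": key, "fwd": [], "bwd": [], "last": ts})
            idx = current[key] = len(flows) - 1
        direction = "fwd" if a == key[1] else "bwd"   # forward = sent by the lower endpoint
        flows[idx][direction].append((ts, nbytes))
        flows[idx]["last"] = ts
    return flows


def flow_features(flow):
    """Bi-directional flow features used for clustering.

    Packets per second is measured over the flow's lifetime; flows shorter
    than one second are normalised to a one-second window (an assumption).
    """
    stamps = [t for t, _ in flow["fwd"] + flow["bwd"]]
    lifetime = max(max(stamps) - min(stamps), 1.0)

    def avg_payload(pkts):
        return sum(n for _, n in pkts) / len(pkts) if pkts else 0.0

    return {
        "proto": flow["key"][0],
        "pps_fwd": len(flow["fwd"]) / lifetime,
        "pps_bwd": len(flow["bwd"]) / lifetime,
        "avg_payload_fwd": avg_payload(flow["fwd"]),
        "avg_payload_bwd": avg_payload(flow["bwd"]),
    }


def build_conversations(flows, cluster_of=lambda f: f["key"][0]):
    """Merge flows that fall in the same cluster and join the same IP pair
    into two-tuple (IP1, IP2) conversations, regardless of ports."""
    convs = defaultdict(list)
    for f in flows:
        ip1, ip2 = sorted([f["key"][1][0], f["key"][2][0]])
        convs[(cluster_of(f), ip1, ip2)].extend(f["fwd"] + f["bwd"])
    return {k: sorted(v) for k, v in convs.items()}


def conversation_features(pkts):
    """The four conversation features of the slide: duration, number of
    packets, volume in bytes and median packet inter-arrival time."""
    stamps = [t for t, _ in pkts]
    iats = [b - a for a, b in zip(stamps, stamps[1:])]
    return {
        "duration": stamps[-1] - stamps[0],
        "packets": len(pkts),
        "volume": sum(n for _, n in pkts),
        "median_iat": median(iats) if iats else 0.0,
    }


def analyse(packets, timegap=float("inf")):
    """Packets -> flows -> conversations -> per-conversation feature dicts."""
    convs = build_conversations(build_flows(packets, timegap))
    return {k: conversation_features(v) for k, v in convs.items()}


if __name__ == "__main__":
    for key, feats in analyse(PACKETS).items():
        print(key, feats)
```

On the constructed input the TCP pair yields a short, dense conversation (5 packets in 2 s, median inter-arrival 0.5 s) and the UDP pair a sparse, long one (3 packets over 120 s, median inter-arrival 60 s), which is exactly the contrast the "P2P apps v/s P2P bots" slide describes; note that both TCP flows between 10.0.0.1 and 10.0.0.2 collapse into one conversation even though they use different ports.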
Architecture
[Figure: PeerShark pipeline. P2P traffic enters the Packet Filtering Module, which discards packets with corrupted or missing headers and passes valid packets to the Flow Creation Module (parameter: TIMEGAP). Flows made from valid packets go to the Flow Clustering Module; its clusters of flows feed the Conversation Generation Module (parameter: FLOWGAP). The resulting conversations are labelled by the machine-learning based modules as benign or malicious.]
Data crunching
Results
[Figure: performance of classifiers on test data]
[Figure: performance of classifiers on unseen P2P botnets]

Publications:
• PeerShark: Detecting P2P Botnets by Tracking Conversations. Presented at IEEE Security & Privacy Workshops (co-located with the 35th IEEE Symposium on Security & Privacy), San Jose, USA, May 2014. (Pratik Narang, Subhajit Ray, Chittaranjan Hota and V.N. Venkatakrishnan)
• PeerShark: Flow-clustering and Conversation-generation for Malicious P2P traffic Identification. The EURASIP Journal on Information Security 2014, 2014:15. (Pratik Narang, Chittaranjan Hota and V.N. Venkatakrishnan)
Other tracks
Signal-processing Techniques for P2P Botnet Detection

Approach & Contributions:
• To uncover hidden patterns between the communications of bots, we convert the time-domain network communication of peers to the frequency-domain.
• We extract 2-tuple conversations from network traffic and treat those conversations as a signal.
• We extract several ‘signal-processing’ based features using Fourier Transforms and Shannon's Entropy theory.
• We calculate:
  – FFT(inter-arrival_time)
  – FFT(payload_sizes)
  – Compression-ratio(payload_sizes)

Signal-processing Techniques for P2P Botnet Detection
[Figure: pipeline of the signal-processing approach. The Packet Validation and Filtering Module discards invalid packets and passes valid packets to the Conversation Creation Module. The Feature Set Extraction Module computes both network-behaviour based features and signal-processing based features; the machine-learning based modules then label each conversation as benign or malicious, and P2P botnets are identified.]
Machine-learning Approaches for P2P Botnet Detection using Signal-processing Techniques. The 8th ACM International Conference on Distributed Event-Based Systems (DEBS ’14), ACM SIGMOD/SIGSOFT, Mumbai, India, pp. 338-341, May 2014. (Pratik Narang, Vansh Khurana and Chittaranjan Hota)
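The three quantities listed under "Approach & Contributions" for this track, FFT of inter-arrival times, FFT of payload sizes and the compression ratio of payload sizes, as an added example; this is not the paper's implementation. A conversation is reduced to two signals (the inter-arrival-time sequence and the payload-size sequence), each is transformed with a plain discrete Fourier transform so the code runs without numpy, and the payload-size sequence is additionally compressed with zlib and scored with Shannon entropy. The two conversations, the 16-bit packing of sizes before compression, and the summary statistics drawn from the spectrum (DC energy share and strongest non-DC bin) are this example's own choices, not features the paper specifies.

```python
"""Signal-processing features of a two-tuple conversation.

Added example, not the paper's implementation.  It treats the sequence of
packet inter-arrival times and the sequence of payload sizes as signals and
computes: the FFT (a plain DFT here, so no numpy is needed) of each, the
zlib compression ratio of the payload-size sequence, and the Shannon
entropy of payload sizes.  Both conversations below are constructed.
"""
import cmath
import math
import struct
import zlib
from collections import Counter

# Constructed: a scripted bot beaconing every 30 s with a fixed-size packet.
BOT_CONV = [(30.0 * i, 64) for i in range(64)]
# Constructed: a human-driven P2P session, bursty with varied payload sizes.
APP_CONV = [(0.0, 1400), (0.1, 90), (0.15, 1400), (0.9, 300), (5.0, 1400),
            (5.02, 1400), (5.5, 1200), (12.0, 60), (12.3, 1400), (20.0, 700),
            (20.1, 1400), (20.15, 1400), (33.0, 200), (33.4, 1400),
            (33.5, 1400), (40.0, 80)]


def inter_arrival_times(conv):
    stamps = [t for t, _ in conv]
    return [b - a for a, b in zip(stamps, stamps[1:])]


def dft_magnitudes(x):
    """|X[k]| for k = 0..n-1; O(n^2) but adequate for one conversation."""
    n = len(x)
    return [abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)))
            for k in range(n)]


def dc_share(x):
    """Fraction of the signal's energy in the DC bin: 1.0 for a perfectly
    regular (constant) signal, lower the more the values vary."""
    mags = dft_magnitudes(x)
    total = sum(m * m for m in mags)
    return mags[0] ** 2 / total if total else 0.0


def dominant_frequency(x):
    """Strongest non-DC bin (1..n/2) of the mean-removed signal and its share
    of the non-DC energy; (0, 0.0) if the signal has no variation at all."""
    mean = sum(x) / len(x)
    mags = dft_magnitudes([v - mean for v in x])
    half = mags[1:len(mags) // 2 + 1]
    energy = sum(m * m for m in half)
    if energy == 0:
        return 0, 0.0
    k = max(range(len(half)), key=lambda i: half[i])
    return k + 1, half[k] ** 2 / energy


def compression_ratio(sizes):
    """zlib output size over input size for the payload sizes packed as
    16-bit values (an assumption); repetitive scripted traffic compresses
    far better than human-driven traffic."""
    raw = b"".join(struct.pack(">H", min(s, 0xFFFF)) for s in sizes)
    return len(zlib.compress(raw, 9)) / len(raw)


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def signal_features(conv):
    """All signal-processing features for one conversation."""
    iat = inter_arrival_times(conv)
    sizes = [s for _, s in conv]
    iat_bin, iat_peak = dominant_frequency(iat)
    size_bin, size_peak = dominant_frequency(sizes)
    return {
        "iat_dc_share": dc_share(iat),
        "iat_peak_bin": iat_bin,
        "iat_peak_share": iat_peak,
        "size_dc_share": dc_share(sizes),
        "size_peak_bin": size_bin,
        "size_peak_share": size_peak,
        "size_compression_ratio": compression_ratio(sizes),
        "size_entropy": shannon_entropy(sizes),
    }


if __name__ == "__main__":
    for name, conv in (("bot", BOT_CONV), ("app", APP_CONV)):
        print(name, signal_features(conv))
```

The beaconing bot puts essentially all of its inter-arrival energy in the DC bin, has zero payload-size entropy and a payload-size sequence that zlib shrinks to a fraction of its length; the bursty session spreads its energy across the spectrum, has about 2.2 bits of payload-size entropy and barely compresses. A real classifier would consume the raw spectrum or such summaries as feature vectors alongside the network-behaviour features of the earlier track.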
Host-based approach using Hadoop
[Figure: Hades pipeline, with traffic collected from the Distributed Systems Lab and the Student Hostels and processed on a Hadoop cluster of one name node and several data nodes]
1. Data collection
2. Parse packets with Tshark
3. Push data to HDFS
4. Host-based features extracted with Hive
5. Feature set evaluated against models built with Mahout
→ P2P bots detected; trigger firewall rules

Hades: A Hadoop-based Framework for Detection of Peer-to-Peer Botnets. The 20th International Conference on Management of Data (COMAD) 2014, Hyderabad, Dec 2014. (Pratik Narang, Abhishek Thakur and Chittaranjan Hota)
Code: www.github.com/pratiknarang
Feedback: [email protected]