P2P Security Threats and Their Countermeasures
Chittaranjan Hota, PhD
Associate Professor, Dept. of Computer Science & Engineering
Birla Institute of Technology & Science-Pilani, Hyderabad Campus
Shameerpet, Hyderabad, AP, India
hota@hyderabad.bits-pilani.ac.in
3rd August 2013
Workshop on Cyber Security, Bharti School, IIT, Delhi
Air gap Myth
[Source: Privacy & Security, Eric Byres, Communications of the ACM, August 2013]
Genesis
P2P apps running on BITS campus detected…
Power of Internet
Source: Cisco VNI Global Forecast, 2011-2016
Source: Envisional: Internet bandwidth usage estimation report, 2011
Source: http://www.fbi.gov/scams-safety/peertopeer
Attack examples
Tiversa Inc., 2011
SC Magazine, March 2009
"lol is this your new profile pic?"
Times of India, Oct 2012
What is a P2P Network (BYOR)
[Diagram: peers A to H form a P2P overlay layer on top of the native IP layer; the underlying IP paths span autonomous systems AS1 to AS6.]
DC++
Torrents
Threads: 186,123, Posts: 2,383,449, Members: 546,944
Seeders: 56668, Leechers: 8246, Peers: 64914, Torrents: 19197
[Source: desitorrents.com, 31st July 2013 (3.00pm)]
P2P Traffic Control
Security Gap in P2P
[Diagram: Peer A, Peer B and a Malicious Peer C on the Internet; Peer X sits inside a protected network behind a firewall that leaves a TCP port open for the P2P application, which is the gap the slide points at.]
Effect of NATing on P2P
[Diagram: hosts with private IP addresses behind a NAT; the server and the P2P application on the Internet use public IP addresses.]
NAT Traversal
[Diagram: two private address spaces behind NATs reach each other across the Internet through a relay used by the application.]
Possible Attacks on P2P
[Diagram: a malicious peer at 192.168.100.40:4442 answers the queries "star" and "pop" from peers P1, P2 and P3 with QueryHits that point at 192.168.100.220:80 (the target), steps 1 to 3; each peer then sends GET /index.html HTTP/1.0 to that address.]
Possible Attacks on P2P
[Diagram: Alice and Bob exchanging files through a file sharing network.]
Possible Attacks on P2P: Poisoning
[Diagram: the file sharing network's index maps titles to locations; peers at 120.18.89.100, 46.100.80.23 and 234.8.98.20 are shown in the network.]
index
title | location
file1 | 120.18.89.100
file2 | 46.100.80.23
file3 | 234.8.98.20
file4 | 111.22.22.22
Possible Attacks on P2P
[Diagram: an attacker and a victim peer; the victim and the other peers hold genuine blocks.]
1. TCP connection
2. Fake bitmap
3. Block request
4. Fake block
5. Hash fail at the victim
Possible Attacks on P2P: Sybil
Possible Attacks on P2P
[Diagram: Tracker and Seeder.]
Free Rider
Testbed at BITS Hyderabad
[Diagram: campus network with the Internet uplink through a Firewall/Router into a Core Switch 6509, a Distribution Switch 4500 and an Access Switch 2500 (Ethernet). Connected segments: Info. Sec. Lab, Dist. Sys. Lab, Multimedia Lab and the Hostels Wing, plus Content Mgmt., Application Servers, a DB Cluster and an Intrusion Detection Sys. Roles: botnet traffic generation; data collection for P2P and web traffic; traffic anonymization (Anon tool); classifier and IDS for botnet detection.]
Privacy aware P2P Classifier

import java.util.TreeSet;

// Constructor of a bidirectional Conversation: one Flow per direction,
// keyed by the two endpoints' addresses and ports.
public Conversation(String sender, String receiver, int src, int dst, boolean tcp) {
    sender_ip = sender;
    receiver_ip = receiver;
    this.setSender(new Flow(sender, receiver, src, dst, tcp));
    this.setReceiver(new Flow(receiver, sender, dst, src, tcp));
    sndr_port = src;
    rcvr_port = dst;
    set = false;
    last = 0;      // timestamp of the last packet seen
    first = 0;     // timestamp of the first packet seen
    timestamps = new TreeSet<Long>();
}

// Per-packet feature counters for a conversation. The indexing below is
// consistent with a flag array ordered [CWR, ECE, URG, ACK, PSH, RST, SYN, FIN],
// so [4] is PSH and [5], [6], [7] are RST, SYN and FIN.
for (Packet p : plist) {
    if (p.isTcp() && !p.getTcp_flag()[7] && !p.getTcp_flag()[6]
            && !p.getTcp_flag()[5]) {
        ++nonsyn_count;   // TCP packet without FIN/SYN/RST: data phase
    } else if (!p.isTcp()) {
        ++nonsyn_count;   // every UDP packet counts as non-SYN as well
    }
    if (p.isTcp() && p.getTcp_flag()[4]) {
        ++psh_count;      // PSH flag set
    }
    ++count;
    hdr_size_total = hdr_size_total + p.getHdr_size();
    pkt_size_total = pkt_size_total + p.getPacket_size();
    pktsize.add(p.getPacket_size());
}
Categories | Application | Number of Flows
Web | mail, http, https, ftp | 23,014
p2p | BitTorrent, AntsP2P, Gnutella, Mute, eMule | 276,093
[Ref: 34]
Experimental Results

$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN}$
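The following is an added example, not code from the slides or from the BITS project: it reimplements in Python the per-packet counters of the Java Conversation loop above (bidirectional conversation keying, non-SYN and PSH counts, header and packet size totals, sorted timestamps) and the accuracy formula from the results slide. The packet records are constructed inline; no pcap parsing is involved.

```python
"""Conversation-level flow features and classifier accuracy.

Added example (not code from the slides). Packet records are constructed
below; the counters follow the Java Conversation loop on the slide.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float                              # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    tcp: bool                              # False means UDP
    flags: FrozenSet[str] = frozenset()    # subset of {"SYN","ACK","FIN","RST","PSH"}
    hdr_size: int = 0                      # IP + transport header bytes
    pkt_size: int = 0                      # total packet bytes


@dataclass
class Conversation:
    """Both directions of an endpoint pair, as in the Java Conversation class."""
    count: int = 0
    nonsyn_count: int = 0
    psh_count: int = 0
    hdr_size_total: int = 0
    pkt_size_total: int = 0
    pktsizes: List[int] = field(default_factory=list)
    timestamps: List[float] = field(default_factory=list)

    def add(self, p: Packet) -> None:
        # Same rule as the Java loop: a TCP packet without FIN/SYN/RST is a
        # "non-SYN" (data-phase) packet, and every UDP packet counts as one.
        if p.tcp:
            if not (p.flags & {"FIN", "SYN", "RST"}):
                self.nonsyn_count += 1
            if "PSH" in p.flags:
                self.psh_count += 1
        else:
            self.nonsyn_count += 1
        self.count += 1
        self.hdr_size_total += p.hdr_size
        self.pkt_size_total += p.pkt_size
        self.pktsizes.append(p.pkt_size)
        self.timestamps.append(p.ts)

    def features(self) -> Dict[str, float]:
        ts = sorted(self.timestamps)       # the TreeSet<Long> of the Java code
        duration = ts[-1] - ts[0] if len(ts) > 1 else 0.0
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        return {
            "count": self.count,
            "nonsyn_count": self.nonsyn_count,
            "psh_count": self.psh_count,
            "hdr_size_total": self.hdr_size_total,
            "pkt_size_total": self.pkt_size_total,
            "mean_pkt_size": self.pkt_size_total / self.count,
            "duration": duration,
            "mean_iat": sum(gaps) / len(gaps) if gaps else 0.0,
        }


ConvKey = Tuple[Tuple[str, int], Tuple[str, int], bool]


def conv_key(p: Packet) -> ConvKey:
    """Order the two endpoints so that both directions share one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (min(a, b), max(a, b), p.tcp)


def build_conversations(packets: List[Packet]) -> Dict[ConvKey, Conversation]:
    convs: Dict[ConvKey, Conversation] = defaultdict(Conversation)
    for p in packets:
        convs[conv_key(p)].add(p)
    return dict(convs)


def accuracy(tp: int, tn: int, fp: int, fn: int) -> float:
    """Accuracy = (TP + TN) / (TP + TN + FP + FN), as on the results slide."""
    total = tp + tn + fp + fn
    if total == 0:
        raise ValueError("no samples")
    return (tp + tn) / total


# Constructed sample: a short HTTP-like TCP exchange and a two-packet UDP
# exchange on port 6881. Addresses and sizes are made up for this example.
A, B, C = "10.0.0.5", "10.0.0.9", "203.0.113.7"
SAMPLE_PACKETS = [
    Packet(0.00, A, B, 51000, 80, True, frozenset({"SYN"}), 40, 60),
    Packet(0.01, B, A, 80, 51000, True, frozenset({"SYN", "ACK"}), 40, 60),
    Packet(0.02, A, B, 51000, 80, True, frozenset({"ACK"}), 32, 52),
    Packet(0.03, A, B, 51000, 80, True, frozenset({"PSH", "ACK"}), 32, 500),
    Packet(0.05, B, A, 80, 51000, True, frozenset({"PSH", "ACK"}), 32, 1400),
    Packet(0.06, A, B, 51000, 80, True, frozenset({"FIN", "ACK"}), 32, 52),
    Packet(0.07, B, A, 80, 51000, True, frozenset({"FIN", "ACK"}), 32, 52),
    Packet(0.10, A, C, 6881, 6881, False, frozenset(), 8, 120),
    Packet(0.30, C, A, 6881, 6881, False, frozenset(), 8, 300),
]


def sample_features() -> Dict[ConvKey, Dict[str, float]]:
    """Feature vectors for the constructed sample, keyed by conversation."""
    return {k: c.features() for k, c in build_conversations(SAMPLE_PACKETS).items()}


if __name__ == "__main__":
    for key, feats in sample_features().items():
        print(key, feats)
    # Slide figures: 25898 malicious samples classified correctly, 276 not;
    # taken here as TP and FN since the table lists no benign samples.
    print("accuracy = %.4f%%" % (100 * accuracy(25898, 0, 0, 276)))
```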
Identifying FrostWire traffic
Botnet Detection
P2P Botnet Traces
TRAINING DATA
Botnet name | What it does? | Size of data | Source of data
Kelihos-Hlux | Email spam, DoS, steal Bitcoin wallets | 5 MB | Generated on testbed + obtained from online sources [35]
Waledac | Email spam, password stealing | 25 MB | ISOT dataset [36]
ZeuS | Steals banking information by MITM key logging and form grabbing | 5 MB | Generated on testbed

TEST DATA
Botnet name | What it does? | Size of data | Source of data
ZeuS | Steals banking information by MITM key logging and form grabbing | 25 MB | ISOT dataset [36]
Storm | Email spam | 30 MB | ISOT dataset [36]
Conficker | Disables important system services and security products | 50 GB | Obtained from CAIDA [37]
Bayesian Regularized NN
• Bayesian Regularized Neural Network based Real-time Peer-to-Peer Botnet Detection, Pratik Narang, Sharat Chandra, Chittaranjan Hota, accepted in IEEE P2P 2013, Trento, Italy (Sept 2013)
• 23 features extracted from flows.
• Information Gain with ranking used to rank the features.
• Top 16 features chosen.

Output | Correct Classification | Incorrect Classification
Malicious samples | 25898 | 276
Percentage | 98.9455% | 1.0545%
Feature Selection
• 23 features extracted from flows
Large Botnet Traces
Botnet name | What it does? | Type of data/Size of data | Source of data
Sality | Infects executable files, attempts to disable security software. | Binary (.exe) file | Generated on testbed
Storm | Email spam | .pcap file / 4.8 GB | Obtained from Uni. of Georgia [34]
Waledac | Email spam, password stealing | .pcap file / 68 GB | Obtained from Uni. of Georgia [34]
ZeuS | Steals banking information by MITM key logging and form grabbing | .pcap file / 105 MB | Obtained from Uni. of Georgia [34] + generated on testbed
Experimental Results
Distributed Data collection and processing
[Diagram: the same campus testbed as above (Internet, Firewall/Router, Core Switch 6509, Distribution Switch 4500, Access Switch 2500, Info. Sec. Lab, Dist. Sys. Lab, Multimedia Lab, Hostels Wing, Content Mgmt., Application Servers, DB Cluster, Intrusion Detection Sys., Ethernet), now feeding a Hadoop name node and Hadoop data nodes. Roles: botnet traffic generation; data collection for P2P and web traffic; classifier and IDS for botnet detection; traffic anonymization (Anon tool).]
Hadoop setup running at BITS Hyd
References
1. http://news.netcraft.com/archives/2007/05/23/p2p_networks_hijacked_for_ddos_attacks.htm
2. S. Mcbride and G. A. Flower, Estimate of Film-piracy cost soars: Hollywood loss is put at $6.1b a year, The Wall Street Journal Europe, May 4, 2006.
3. Thomas Karagiannis, Andre Broido, Michalis Faloutsos, kc claffy, Transport Layer Identification of P2P Traffic, in Proc. 4th ACM SIGCOMM Conference on Internet Measurement, pp. 121-134, 2004.
4. Subhabrata Sen, Oliver Spatscheck, and Dongmei Wang, Accurate, Scalable In-Network Identification of P2P Traffic Using Application Signatures, WWW 2004, May 2004.
5. S. Sen and Jia Wang, Analyzing Peer-To-Peer Traffic Across Large Networks, IEEE/ACM Transactions on Networking, Vol. 12, No. 2, April 2004.
6. Thuy T. T. N. and G. Armitage, A Survey of Techniques for Internet Traffic Classification using Machine Learning, IEEE Communications Surveys & Tutorials, Vol. 10, No. 4, 2008.
7. Hassan Khan, S. A. Khayam, L. Golubchik, M. Rajarajan, and Michael Orr, Wirespeed, Privacy-Preserving P2P Traffic Detection on Commodity Switches, available online at www.xflowresearch.com
8. Intrusion detection system: http://en.wikipedia.org/wiki/Intrusion_detection_system
9. P. Garcia-Teodoro, J. Diaz-Verdejo, G. Macia-Fernandez, and E. Vazquez, Anomaly-based network intrusion detection: Techniques, systems and challenges, Computers and Security, Vol. 28, Issue 1-2, pp. 18-28, 2009.
10. Gupta R. and Somani A. K., Game theory as a tool to strategize as well as predict node's behavior in peer-to-peer networks, International Conf. on PDS, 2005, pp. 244-249.
11. Roberto G. Cascella, 2nd ENISA Workshop on Authentication Interoperability Languages held at the ENISA/EEMA European eIdentity conference, Paris, France, June 12-13, 2007.
12. C. Wang, Li Chen, H. Chen, and K. Zhou, Incentive Mechanism Based on Game Theory in P2P Networks, ITCS 2010, pp. 190-193.
13. Sarraute, C., et al., Simulation of Computer Network Attacks, CoreLabs, Core Security Technologies, 2010.
14. http://www.metasploit.com/
15. www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray
16. www.metasploit.com/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids
17. http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi
18. Quinlan, J. R., C4.5: Programs for Machine Learning, Morgan Kaufmann Publishers, 1993.
19. http://www.cs.waikato.ac.nz/ml/weka/
20. http://pytbull.sourceforge.net/
21. http://www.secdev.org/projects/scapy
22. Massicotte, F. and Labiche, Y., An analysis of signature overlaps in Intrusion Detection Systems, Dependable Systems & Networks (DSN) IEEE/IFIP 41st International Conference, pp. 109-120, 2011.
23. Cheng-Yuan Ho, Yuan-Cheng Lai, I-Wei Chen, Fu-Yu Wang, and Wei-Hsuan Tai, Statistical analysis of false positives and false negatives from real traffic with intrusion detection/prevention systems, IEEE Communications Magazine, pp. 146-154, 2012.
24. Sardar Ali, Hassan Khan, and Syed Ali Khayam, What is the Impact of P2P Traffic on Anomaly Detection?, Proceedings of the 13th International Symposium on Recent Advances in Intrusion Detection (RAID) 2010, pp. 1-7, 2010.
25. Jeffrey Erman, et al., Identifying and Discriminating Between Web and Peer-to-Peer Traffic in the Network Core, WWW 2007, ACM, pp. 883-892.
26. Genevieve B., et al., Estimating P2P traffic volume at USC, Technical Report, USC, June 2007.
27. Alok Madhukar and Carey W., A Longitudinal Study of P2P Traffic Classification, IEEE International Symposium on Modeling, Analysis, and Simulation, CA, 2006, pp. 179-188.
28. Hongwei C., et al., A SVM method for P2P traffic identification based on multiple traffic mode, Journal of Networks, Nov 2010, pp. 1381-1388.
29. K. Ilgun, et al., State transition analysis: A rule based intrusion detection approach, IEEE Transactions on Software Engineering, Vol. 21, 1995.
30. F. Jemili, et al., A framework for an adaptive intrusion detection system using Bayesian network, IEEE Intelligence and Security Informatics, May 2007, pp. 66-70.
31. Soysal, Murat, and Ece Guran Schmidt, "Machine learning algorithms for accurate flow-based network traffic classification: Evaluation and comparison," Performance Evaluation 67.6 (2010): 451-467.
32. Williams, Nigel, Sebastian Zander, and Grenville Armitage, "A preliminary performance comparison of five machine learning algorithms for practical IP traffic flow classification," ACM SIGCOMM Computer Communication Review 36.5 (2006): 5-16.
33. Berg, Peter Ekstrand, "Behavior-based Classification of Botnet Malware," Thesis Report 2011, Gjovik University College, Norway.
34. Rahbarinia, Babak, Roberto Perdisci, Andrea Lanzi, and Kang Li, "PeerRush: Mining for Unwanted P2P Traffic," DIMVA 2013.
35. www.contagiodump.blogspot.in
36. Saad, Sherif, et al., "Detecting P2P botnets through network behavior analysis and machine learning," Privacy, Security and Trust (PST), 2011 Ninth Annual International Conference on, IEEE, 2011.
37. CAIDA, UCSD, "Network Telescope: Three Days of Conficker," 21st Nov. 2008, Paul Hick, Emile Aben, Dan Andersen and kc claffy, http://www.caida.org/data/passive/telescope-3days-conficker_dataset.xml
38. Abbes, Tarek, Adel Bouhoula, and Michaël Rusinowitch, "Protocol analysis in intrusion detection using decision tree," Information Technology: Coding and Computing, 2004, Proceedings, ITCC 2004, International Conference on, Vol. 1, IEEE, 2004.
39. S. Chebrolu, A. Abraham, and J. P. Thomas, Feature deduction and ensemble design of intrusion detection systems, Computers & Security, 24(4):295-307, 2005.
40. A. H. Sung and S. Mukkamala, The feature selection and intrusion detection problems, in Advances in Computer Science - ASIAN 2004, Higher-Level Decision Making, pages 468-482, Springer, 2005.
41. McHugh, John, "Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory," ACM Transactions on Information and System Security 3.4 (2000): 262-294.
Thank You!
Questions
More Related Content

Similar to Hota iitd

Bot net detection by using ssl encryption
Bot net detection by using ssl encryptionBot net detection by using ssl encryption
Bot net detection by using ssl encryptionAcad
 
Literature survey on peer to peer botnets
Literature survey on peer to peer botnetsLiterature survey on peer to peer botnets
Literature survey on peer to peer botnetsAcad
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationssusercb4686
 
Internet Relay Chat Forensics
Internet Relay Chat ForensicsInternet Relay Chat Forensics
Internet Relay Chat ForensicsIJSRD
 
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-JM code group
 
Anomaly detection final
Anomaly detection finalAnomaly detection final
Anomaly detection finalAkshay Bansal
 
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...Codemotion
 
Fog Computing - DEV.BG 2018
Fog Computing - DEV.BG 2018Fog Computing - DEV.BG 2018
Fog Computing - DEV.BG 2018Trayan Iliev
 
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...Open Networking Perú (Opennetsoft)
 
DEF CON 27 - BRENT STONE - reverse enginerring 17 cars
DEF CON 27 - BRENT STONE - reverse enginerring 17 carsDEF CON 27 - BRENT STONE - reverse enginerring 17 cars
DEF CON 27 - BRENT STONE - reverse enginerring 17 carsFelipe Prado
 
IPv6 flood attack detection based on epsilon greedy optimized Q learning in s...
IPv6 flood attack detection based on epsilon greedy optimized Q learning in s...IPv6 flood attack detection based on epsilon greedy optimized Q learning in s...
IPv6 flood attack detection based on epsilon greedy optimized Q learning in s...IJECEIAES
 
Python for Big Data Analytics
Python for Big Data AnalyticsPython for Big Data Analytics
Python for Big Data AnalyticsEdureka!
 
Webinar: Mastering Python - An Excellent tool for Web Scraping and Data Anal...
Webinar:  Mastering Python - An Excellent tool for Web Scraping and Data Anal...Webinar:  Mastering Python - An Excellent tool for Web Scraping and Data Anal...
Webinar: Mastering Python - An Excellent tool for Web Scraping and Data Anal...Edureka!
 
EFFICIENT IDENTIFICATION AND REDUCTION OF MULTIPLE ATTACKS ADD VICTIMISATION ...
EFFICIENT IDENTIFICATION AND REDUCTION OF MULTIPLE ATTACKS ADD VICTIMISATION ...EFFICIENT IDENTIFICATION AND REDUCTION OF MULTIPLE ATTACKS ADD VICTIMISATION ...
EFFICIENT IDENTIFICATION AND REDUCTION OF MULTIPLE ATTACKS ADD VICTIMISATION ...IRJET Journal
 
Internet of Things (IoT) Security using stream cipher.ppt
Internet of Things (IoT)  Security using stream cipher.pptInternet of Things (IoT)  Security using stream cipher.ppt
Internet of Things (IoT) Security using stream cipher.pptAliSalman110
 

Similar to Hota iitd (20)

Bot net detection by using ssl encryption
Bot net detection by using ssl encryptionBot net detection by using ssl encryption
Bot net detection by using ssl encryption
 
Literature survey on peer to peer botnets
Literature survey on peer to peer botnetsLiterature survey on peer to peer botnets
Literature survey on peer to peer botnets
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Internet Relay Chat Forensics
Internet Relay Chat ForensicsInternet Relay Chat Forensics
Internet Relay Chat Forensics
 
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-
 
Anomaly detection final
Anomaly detection finalAnomaly detection final
Anomaly detection final
 
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...
The Secret Recipe for Automating Android Malware Analysis - Lorenzo Cavallaro...
 
Data Science for IoT
Data Science for IoTData Science for IoT
Data Science for IoT
 
Fog Computing - DEV.BG 2018
Fog Computing - DEV.BG 2018Fog Computing - DEV.BG 2018
Fog Computing - DEV.BG 2018
 
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...
 
2018 learning approach-digitaltrends
2018 learning approach-digitaltrends2018 learning approach-digitaltrends
2018 learning approach-digitaltrends
 
DEF CON 27 - BRENT STONE - reverse enginerring 17 cars
DEF CON 27 - BRENT STONE - reverse enginerring 17 carsDEF CON 27 - BRENT STONE - reverse enginerring 17 cars
DEF CON 27 - BRENT STONE - reverse enginerring 17 cars
 
IPv6 flood attack detection based on epsilon greedy optimized Q learning in s...
IPv6 flood attack detection based on epsilon greedy optimized Q learning in s...IPv6 flood attack detection based on epsilon greedy optimized Q learning in s...
IPv6 flood attack detection based on epsilon greedy optimized Q learning in s...
 
Python for Big Data Analytics
Python for Big Data AnalyticsPython for Big Data Analytics
Python for Big Data Analytics
 
Webinar: Mastering Python - An Excellent tool for Web Scraping and Data Anal...
Webinar:  Mastering Python - An Excellent tool for Web Scraping and Data Anal...Webinar:  Mastering Python - An Excellent tool for Web Scraping and Data Anal...
Webinar: Mastering Python - An Excellent tool for Web Scraping and Data Anal...
 
fogcomputing
fogcomputingfogcomputing
fogcomputing
 
EFFICIENT IDENTIFICATION AND REDUCTION OF MULTIPLE ATTACKS ADD VICTIMISATION ...
EFFICIENT IDENTIFICATION AND REDUCTION OF MULTIPLE ATTACKS ADD VICTIMISATION ...EFFICIENT IDENTIFICATION AND REDUCTION OF MULTIPLE ATTACKS ADD VICTIMISATION ...
EFFICIENT IDENTIFICATION AND REDUCTION OF MULTIPLE ATTACKS ADD VICTIMISATION ...
 
Internet of Things (IoT) Security using stream cipher.ppt
Internet of Things (IoT)  Security using stream cipher.pptInternet of Things (IoT)  Security using stream cipher.ppt
Internet of Things (IoT) Security using stream cipher.ppt
 
Microsoft Dryad
Microsoft DryadMicrosoft Dryad
Microsoft Dryad
 

More from Pratik Narang

Machine-learning Approaches for P2P Botnet Detection using Signal-processing...
Machine-learning Approaches for P2P Botnet Detection using Signal-processing...Machine-learning Approaches for P2P Botnet Detection using Signal-processing...
Machine-learning Approaches for P2P Botnet Detection using Signal-processing...Pratik Narang
 
PeerShark - Detecting Peer-to-Peer Botnets by Tracking Conversations
PeerShark - Detecting Peer-to-Peer Botnets by Tracking ConversationsPeerShark - Detecting Peer-to-Peer Botnets by Tracking Conversations
PeerShark - Detecting Peer-to-Peer Botnets by Tracking ConversationsPratik Narang
 
Abhishek presentation october 2013
Abhishek presentation october 2013Abhishek presentation october 2013
Abhishek presentation october 2013Pratik Narang
 
Feature selection for detection of peer to-peer botnet traffic
Feature selection for detection of peer to-peer botnet trafficFeature selection for detection of peer to-peer botnet traffic
Feature selection for detection of peer to-peer botnet trafficPratik Narang
 

More from Pratik Narang (7)

Hades_poster_Comad
Hades_poster_ComadHades_poster_Comad
Hades_poster_Comad
 
Hades
HadesHades
Hades
 
Machine-learning Approaches for P2P Botnet Detection using Signal-processing...
Machine-learning Approaches for P2P Botnet Detection using Signal-processing...Machine-learning Approaches for P2P Botnet Detection using Signal-processing...
Machine-learning Approaches for P2P Botnet Detection using Signal-processing...
 
PeerShark - Detecting Peer-to-Peer Botnets by Tracking Conversations
PeerShark - Detecting Peer-to-Peer Botnets by Tracking ConversationsPeerShark - Detecting Peer-to-Peer Botnets by Tracking Conversations
PeerShark - Detecting Peer-to-Peer Botnets by Tracking Conversations
 
Gokul seminar
Gokul seminarGokul seminar
Gokul seminar
 
Abhishek presentation october 2013
Abhishek presentation october 2013Abhishek presentation october 2013
Abhishek presentation october 2013
 
Feature selection for detection of peer to-peer botnet traffic
Feature selection for detection of peer to-peer botnet trafficFeature selection for detection of peer to-peer botnet traffic
Feature selection for detection of peer to-peer botnet traffic
 

Recently uploaded

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Hota iitd

  • 1. P2P Security Threats And Their Countermeasures. Chittaranjan Hota, PhD, Associate Professor, Dept. of Computer Science & Engineering, Birla Institute of Technology & Science-Pilani, Hyderabad Campus, Shameerpet, Hyderabad, AP, India. hota@hyderabad.bits-pilani.ac.in. 3rd August 2013, Workshop on Cyber Security, Bharti School, IIT, Delhi
  • 2. Air gap Myth [Source: Privacy & Security, Eric Byres, Communications of the ACM, August 2013]
  • 3. Genesis: P2P apps running on BITS campus detected…
  • 4. Power of Internet. Sources: Cisco VNI Global Forecast, 2011-2016; Envisional: Internet bandwidth usage estimation report, 2011
  • 6. Attack examples: Tiversa Inc., 2011; SC Magazine, March 2009; "lol is this your new profile pic?" (Times of India, Oct 2012)
  • 7. What is a P2P Network (BYOR). [Figure: peers A to H form a P2P overlay layer on top of the native IP layer, with the underlying hosts spread across AS1 to AS6]
  • 11. Torrents. Threads: 186,123; Posts: 2,383,449; Members: 546,944. Seeders: 56,668; Leechers: 8,246; Peers: 64,914; Torrents: 19,197. [Source: desitorrents.com, 31st July 2013 (3.00pm)]
  • 12. P2P Traffic Control
  • 13. Security Gap in P2P. [Figure: peers A and B and a malicious peer C on the Internet all reach peer X inside the protected network through the one TCP port the firewall leaves open for the P2P application; on that port the firewall passes C on the same terms as A and B]
  • 14. Effect of NATing on P2P. [Figure: a P2P application on a private IP address behind a NAT talking to a server on a public IP address across the Internet; the peer can open outbound connections but has no public address at which other peers can reach it]
  • 15. NAT Traversal. [Figure: two peers, each on a private IP address behind its own NAT, reach each other across the public Internet through an application relay]
  • 16. Possible Attacks on P2P. [Figure: peers P1, P2 and P3 send Query messages for "star" and "pop" (steps 1, 2, 3); a malicious peer at 192.168.100.40:4442 answers every query with a QueryHit ("star", 192.168.100.220:80; "pop", 192.168.100.220:80) that names the target 192.168.100.220:80 as the file's location, so each querying peer connects to the target and sends GET /index.html HTTP/1.0. A search is turned into a flood of download requests against a host that never joined the network]
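The QueryHit redirection on slide 16, simulated end to end as an added example (this is not code from the talk). A malicious servent answers every Query with a QueryHit whose IP:port names a third party; each searching peer opens an HTTP download connection to that host and retries when it fails. The addresses of the target and the malicious peer are the slide's; the honest servent, the three victims, the retry count, the "system port" list and the two countermeasures are assumptions made for the example. A downloader only sees what the hit claims, so both countermeasures work on the claimed endpoint alone: refuse hits that name a port no servent would listen on, or remember endpoints that have already failed to serve and never contact them again.

```python
"""QueryHit redirection (slide 16), simulated on constructed data."""
from collections import defaultdict
from dataclasses import dataclass

TARGET = ("192.168.100.220", 80)       # host named in the poisoned hits (from the slide)
MALICIOUS = ("192.168.100.40", 4442)   # the malicious servent (from the slide)
HONEST = ("192.168.100.10", 6346)      # assumed honest servent on the default Gnutella port
VICTIMS = [("192.168.100.101", 6346),  # assumed searching peers P1, P2, P3
           ("192.168.100.102", 6346),
           ("192.168.100.103", 6346)]
KEYWORDS = ["star", "pop"]             # the two queries shown on the slide
RETRIES = 2                            # assumed: retries a client makes after a failed download
GET = "GET /index.html HTTP/1.0"       # the request shown on the slide
PRIVILEGED_PORTS = {21, 22, 25, 53, 80, 443}   # assumed "no servent listens here" list


@dataclass(frozen=True)
class QueryHit:
    keyword: str
    filename: str
    host: str      # the only thing a downloader knows about where to fetch from
    port: int


def honest_answer(keyword):
    """A real servent reports only files it has and names its own address."""
    shared = ["starlight.mp3", "pop_hits.mp3"]
    return [QueryHit(keyword, f, *HONEST) for f in shared if keyword in f]


def malicious_answer(keyword):
    """The attacker 'matches' every keyword and names TARGET instead of itself."""
    return [QueryHit(keyword, keyword + ".mp3", *TARGET)]


class Network:
    """Counts HTTP requests per endpoint.  Only HONEST serves downloads;
    TARGET is an ordinary web server and answers the request with 404."""

    def __init__(self):
        self.requests = defaultdict(int)

    def http_get(self, endpoint, request):
        self.requests[endpoint] += 1
        return "HTTP/1.0 200 OK" if endpoint == HONEST else "HTTP/1.0 404 Not Found"


def follow_hits(net, mode):
    """Every victim searches for every keyword and tries to download every hit.

    mode: "naive"          - follow any hit and retry on failure (the slide's scenario)
          "port_filter"    - drop hits that name a system service port
          "negative_cache" - never contact an endpoint again once it has failed to serve
    """
    for _victim in VICTIMS:
        dead = set()                                     # negative cache, kept per client
        for kw in KEYWORDS:
            for hit in honest_answer(kw) + malicious_answer(kw):
                endpoint = (hit.host, hit.port)
                if mode == "port_filter" and hit.port in PRIVILEGED_PORTS:
                    continue                             # servents do not listen on 80/443/...
                if mode == "negative_cache" and endpoint in dead:
                    continue                             # already proved not to be a servent
                for _ in range(1 + RETRIES):
                    if net.http_get(endpoint, GET).startswith("HTTP/1.0 200"):
                        break
                else:
                    dead.add(endpoint)


def requests_at(endpoint, mode):
    """Number of HTTP requests `endpoint` receives when all victims run in `mode`."""
    net = Network()
    follow_hits(net, mode)
    return net.requests[endpoint]


if __name__ == "__main__":
    for mode in ("naive", "port_filter", "negative_cache"):
        print(f"{mode:15s} target={requests_at(TARGET, mode):3d} honest={requests_at(HONEST, mode):3d}")
```

With three victims, two keywords and two retries the naive client sends the target 18 requests for a search that should never have touched it; the port filter sends none and the negative cache cuts the flood to one failed attempt (plus its retries) per client. Neither filter changes what the honest servent receives.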
  • 17. Possible Attacks on P2P. [Figure: Alice and Bob exchanging a file over the file sharing network]
  • 18. Possible Attacks on P2P: Poisoning. The index that peers search maps titles to locations:
        index
        title   location
        file1   120.18.89.100
        file2   46.100.80.23
        file3   234.8.98.20
        file4   111.22.22.22
      The file sharing network itself contains the peers 120.18.89.100, 46.100.80.23 and 234.8.98.20. The entry for file4 points at 111.22.22.22, an address that belongs to none of them, so a search for file4 sends downloaders to whatever location the poisoner planted.
  • 19. Possible Attacks on P2P: fake block attack. 1. TCP connection from the attacker to the victim peer; 2. the attacker sends a fake bitmap (bitfield) claiming blocks it does not have; 3. the victim sends a block request; 4. the attacker returns a fake block; 5. hash fail: the victim already holds genuine blocks from other peers, and when it assembles the piece and checks its hash the forged block is exposed. The bandwidth spent on the fake block is wasted and the piece has to be fetched again.
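Step 5 of slide 19, the hash fail, is the defence, but on its own it only tells the victim that some block in the piece was forged. The added example below (not the talk's code) shows a BitTorrent-style downloader that verifies each assembled piece against the per-piece SHA-1 hashes a .torrent carries and, when a piece built from several peers fails, re-downloads it from each contributor alone so the forger can be identified and banned. The piece size, block size, swarm (one honest seed, one fake-block attacker) and the data itself are constructed for the example; this is one reasonable client policy, not a protocol rule.

```python
"""Fake block attack (slide 19) against a BitTorrent-style downloader, on constructed data."""
import hashlib
import random

PIECE_LEN = 32 * 1024   # assumed piece size (real torrents use 256 KiB and larger)
BLOCK_LEN = 16 * 1024   # the block (request) size BitTorrent clients use


def piece_hashes(data):
    """SHA-1 per piece, like the 'pieces' field of a .torrent info dictionary."""
    return [hashlib.sha1(data[i:i + PIECE_LEN]).digest() for i in range(0, len(data), PIECE_LEN)]


class HonestPeer:
    def __init__(self, data):
        self.data = data

    def bitfield(self, n_pieces):
        return [True] * n_pieces

    def block(self, piece, offset, length):
        start = piece * PIECE_LEN + offset
        return self.data[start:start + length]


class FakeBlockPeer:
    """Slide 19 attacker: a fake bitfield claiming every piece, garbage for every request."""

    def __init__(self, seed=1):
        self.rng = random.Random(seed)

    def bitfield(self, n_pieces):
        return [True] * n_pieces

    def block(self, piece, offset, length):
        return bytes(self.rng.getrandbits(8) for _ in range(length))


class Downloader:
    def __init__(self, hashes, peers):
        self.hashes = hashes          # expected SHA-1 per piece
        self.peers = dict(peers)      # name -> peer object
        self.pieces = {}              # verified pieces only
        self.banned = set()
        self.wasted = 0               # bytes downloaded that failed verification

    def _assemble(self, idx, names):
        """Fetch the blocks of piece idx round-robin from the named peers."""
        buf = bytearray()
        contributors = []
        for b in range(PIECE_LEN // BLOCK_LEN):
            name = names[b % len(names)]
            buf += self.peers[name].block(idx, b * BLOCK_LEN, BLOCK_LEN)
            if name not in contributors:
                contributors.append(name)
        return bytes(buf), contributors

    def _verify(self, idx, buf):
        """Hash check of a whole piece; a single forged block fails the whole piece."""
        if hashlib.sha1(buf).digest() == self.hashes[idx]:
            self.pieces[idx] = buf
            return True
        self.wasted += len(buf)
        return False

    def fetch_piece(self, idx):
        while idx not in self.pieces:
            names = [n for n, p in self.peers.items()
                     if n not in self.banned and p.bitfield(len(self.hashes))[idx]]
            if not names:
                raise RuntimeError(f"no unbanned peer offers piece {idx}")
            buf, contributors = self._assemble(idx, names)
            if self._verify(idx, buf):
                return
            # Hash fail: the forged block is exposed, but which peer sent it?  Re-download
            # the piece from each contributor alone; the one whose copy fails is the forger.
            for name in contributors:
                solo, _ = self._assemble(idx, [name])
                if not self._verify(idx, solo):
                    self.banned.add(name)

    def download_all(self):
        for idx in range(len(self.hashes)):
            self.fetch_piece(idx)
        return b"".join(self.pieces[i] for i in range(len(self.hashes)))


def run_demo(n_pieces=3):
    """Constructed swarm: one honest seed, one fake-block attacker, one downloader."""
    rng = random.Random(7)
    data = bytes(rng.getrandbits(8) for _ in range(n_pieces * PIECE_LEN))
    dl = Downloader(piece_hashes(data), {"honest": HonestPeer(data), "attacker": FakeBlockPeer()})
    result = dl.download_all()
    return {"ok": result == data, "banned": set(dl.banned),
            "wasted_bytes": dl.wasted, "useful_bytes": len(result)}


if __name__ == "__main__":
    print(run_demo())
```

In the run above the first piece is built half from each peer and fails; the solo re-fetch from the honest seed verifies, the solo re-fetch from the attacker fails and the attacker is banned, and the remaining pieces come from the seed alone. The cost of the attack is visible as the wasted bytes: two full pieces downloaded and thrown away before the forger was isolated.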
  • 20. Possible Attacks on P2P: Sybil. [Figure: a victim peer surrounded by Sybil identities]
  • 21. Possible Attacks on P2P: Free Rider. [Figure: tracker, seeder and free rider]
  • 22. Testbed at BITS Hyderabad. [Figure: Info. Sec. Lab, Dist. Sys. Lab, Multimedia Lab and Hostels Wing connected through Access Switch 2500, Distribution Switch 4500 and Core Switch 6509 to a Firewall/Router facing the Internet; Content Mgmt. and Application Servers, a DB Cluster and an Intrusion Detection Sys. on the Ethernet segment. Roles shown: botnet traffic generation; data collection for P2P and web traffic; traffic anonymization (Anon tool); classifier and IDS for botnet detection]
  • 23. Privacy aware P2P Classifier
    // A Conversation pairs the two directions of one exchange as a sender Flow and a receiver Flow
    public Conversation(String sender, String receiver, int src, int dst, boolean tcp) {
        sender_ip = sender;
        receiver_ip = receiver;
        this.setSender(new Flow(sender, receiver, src, dst, tcp));
        this.setReceiver(new Flow(receiver, sender, dst, src, tcp));
        sndr_port = src;
        rcvr_port = dst;
        set = false;
        last = 0;
        first = 0;
        timestamps = new TreeSet<Long>();
    }

    // Feature accumulation over the packets of a flow
    for (Packet p : plist) {
        if (p.isTcp() && !p.getTcp_flag()[7] && !p.getTcp_flag()[6] && !p.getTcp_flag()[5]) {
            ++nonsyn_count;   // TCP packet with flag bits 5, 6 and 7 all clear
        } else if (!p.isTcp()) {
            ++nonsyn_count;   // every non-TCP packet counts as non-SYN
        }
        if (p.isTcp() && p.getTcp_flag()[4]) {
            ++psh_count;      // TCP packet with flag bit 4 set
        }
        ++count;
        hdr_size_total = hdr_size_total + p.getHdr_size();
        pkt_size_total = pkt_size_total + p.getPacket_size();
        pktsize.add(p.getPacket_size());
    }

    Flows in the data set [Ref: 34]:
    Category   Applications                                  Number of flows
    Web        mail, http, https, ftp                        23,014
    p2p        BitTorrent, AntsP2P, Gnutella, Mute, eMule    276,093
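The Java fragment on slide 23 shows the two halves of the classifier's front end: grouping packets into direction-independent conversations and accumulating per-flow counters. The added example below (Python, not the talk's code) does the same over a handful of constructed packet records and adds the features the rest of the deck relies on (packet sizes, inter-arrival times, a small-packet ratio). The "privacy aware" part is taken to mean that addresses leave the capture host only as keyed pseudonyms; the HMAC key, the packets, the documentation-range addresses and the reading of nonsyn_count as "packets that are not TCP SYN packets" are assumptions of this example.

```python
"""Per-conversation flow features in the spirit of the slide's Conversation class, on constructed packets."""
import hashlib
import hmac
import statistics
from collections import defaultdict

# TCP flag bits as laid out in the header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

PSEUDONYM_KEY = b"rotate-per-capture"   # assumed secret; keyed so a dictionary of IPs cannot reverse it


def pseudonym(ip):
    """Keyed one-way pseudonym for an address, so features can be shared without the raw IP."""
    return hmac.new(PSEUDONYM_KEY, ip.encode(), hashlib.sha256).hexdigest()[:12]


def packet(ts, src, sport, dst, dport, proto, flags, hdr_size, pkt_size):
    return dict(ts=ts, src=src, sport=sport, dst=dst, dport=dport,
                proto=proto, flags=flags, hdr_size=hdr_size, pkt_size=pkt_size)


def conversation_key(p):
    """Direction-independent key: both flows of one exchange land in the same conversation."""
    lo, hi = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    return (pseudonym(lo[0]), lo[1], pseudonym(hi[0]), hi[1], p["proto"])


def extract_features(packets):
    conv = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["ts"]):
        conv[conversation_key(p)].append(p)
    feats = {}
    for key, plist in conv.items():
        ts = [p["ts"] for p in plist]
        sizes = [p["pkt_size"] for p in plist]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        feats[key] = {
            "count": len(plist),
            # assumption: nonsyn_count = packets that are not TCP SYN packets; non-TCP always counts
            "nonsyn_count": sum(1 for p in plist if p["proto"] != "tcp" or not p["flags"] & SYN),
            "psh_count": sum(1 for p in plist if p["proto"] == "tcp" and p["flags"] & PSH),
            "hdr_bytes": sum(p["hdr_size"] for p in plist),
            "pkt_bytes": sum(sizes),
            "mean_pkt_size": statistics.fmean(sizes),
            "duration": ts[-1] - ts[0],
            "mean_iat": statistics.fmean(gaps) if gaps else 0.0,
            "small_pkt_ratio": sum(s <= 100 for s in sizes) / len(sizes),
        }
    return feats


C, S = "192.0.2.10", "198.51.100.5"     # constructed HTTPS client and server
P, Q = "192.0.2.11", "203.0.113.9"      # constructed BitTorrent-style peers
SAMPLE_PACKETS = [
    # HTTPS: handshake, one request, two full-size response segments
    packet(0.000, C, 51000, S, 443, "tcp", SYN, 40, 60),
    packet(0.020, S, 443, C, 51000, "tcp", SYN | ACK, 40, 60),
    packet(0.021, C, 51000, S, 443, "tcp", ACK, 32, 52),
    packet(0.025, C, 51000, S, 443, "tcp", PSH | ACK, 32, 560),
    packet(0.060, S, 443, C, 51000, "tcp", PSH | ACK, 32, 1460),
    packet(0.061, S, 443, C, 51000, "tcp", ACK, 32, 1460),
    # BitTorrent-style: handshake, then a steady trickle of small messages both ways
    packet(0.000, P, 6881, Q, 51413, "tcp", SYN, 40, 60),
    packet(0.150, Q, 51413, P, 6881, "tcp", SYN | ACK, 40, 60),
    packet(0.151, P, 6881, Q, 51413, "tcp", ACK, 32, 52),
    packet(0.400, P, 6881, Q, 51413, "tcp", PSH | ACK, 32, 100),
    packet(0.650, Q, 51413, P, 6881, "tcp", PSH | ACK, 32, 100),
    packet(0.900, P, 6881, Q, 51413, "tcp", PSH | ACK, 32, 70),
    packet(1.150, Q, 51413, P, 6881, "tcp", PSH | ACK, 32, 70),
    packet(1.400, P, 6881, Q, 51413, "tcp", PSH | ACK, 32, 60),
    packet(1.650, Q, 51413, P, 6881, "tcp", PSH | ACK, 32, 60),
    packet(1.900, P, 6881, Q, 51413, "tcp", PSH | ACK, 32, 60),
    # DHT lookup over UDP between the same two hosts: a separate conversation
    packet(0.500, P, 6881, Q, 6881, "udp", 0, 8, 120),
    packet(0.520, Q, 6881, P, 6881, "udp", 0, 8, 300),
]


if __name__ == "__main__":
    for key, f in extract_features(SAMPLE_PACKETS).items():
        print(key[0], key[1], key[2], key[3], key[4], {k: round(v, 3) for k, v in f.items()})
```

On this input the HTTPS conversation shows a high mean packet size and half of its packets small, while the BitTorrent-style one is ten packets of at most 100 bytes with PSH set on almost all of them and a regular quarter-second inter-arrival gap; the UDP exchange between the same hosts is kept as its own conversation because the key includes the protocol and ports.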
  • 27. P2P Botnet Traces
    TRAINING DATA
    Botnet name    What it does                                                        Size of data   Source of data
    Kelihos-Hlux   Email spam, DoS, steals Bitcoin wallets                             5 MB           Generated on testbed + obtained from online sources [35]
    Waledac        Email spam, password stealing                                       25 MB          ISOT dataset [36]
    ZeuS           Steals banking information by MITM, key logging and form grabbing   5 MB           Generated on testbed
    TEST DATA
    ZeuS           Steals banking information by MITM, key logging and form grabbing   25 MB          ISOT dataset [36]
    Storm          Email spam                                                          30 MB          ISOT dataset [36]
    Conficker      Disables important system services and security products           50 GB          Obtained from CAIDA [37]
  • 28. Bayesian Regularized NN. Bayesian Regularized Neural Network based Real-time Peer-to-Peer Botnet Detection, Pratik Narang, Sharat Chandra, Chittaranjan Hota, accepted in IEEE P2P 2013, Trento, Italy (Sept 2013). 23 features extracted from flows; Information Gain with ranking used to rank the features; top 16 features chosen.
    Output              Correct classification   Incorrect classification
    Malicious samples   25,898                   276
    Percentage          98.9455%                 1.0545%
  • 29. Feature Selection: 23 features extracted from flows
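Slides 28 and 29 rank the 23 flow features by Information Gain and keep the top 16. The added example below (not the talk's code or data) carries that calculation through on a constructed set of ten labelled flows and four features: continuous features are binned first, because IG is defined over discrete values, and one feature is pure noise so the ranking has something to push to the bottom. The flows, bin edges and feature definitions are assumptions; the talk's 23-feature set is not reproduced.

```python
"""Information Gain ranking of flow features (slides 28-29), worked on constructed flows."""
import math
from collections import Counter, defaultdict


def entropy(labels):
    """H(Y) in bits over a list of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(values, labels):
    """IG = H(Y) - sum_v P(X=v) * H(Y | X=v), for one discrete feature column."""
    by_value = defaultdict(list)
    for v, y in zip(values, labels):
        by_value[v].append(y)
    n = len(labels)
    return entropy(labels) - sum(len(ys) / n * entropy(ys) for ys in by_value.values())


def discretize(x, edges):
    """Bin index of a continuous value against sorted edges (hand-chosen here)."""
    return sum(x >= e for e in edges)


# Constructed flows: five web, five P2P.  One P2P flow deliberately runs over port 80.
FLOWS = [
    {"label": "web", "mean_pkt_size": 900,  "psh_ratio": 0.30, "dst_port": 443,   "hour": "am"},
    {"label": "web", "mean_pkt_size": 1200, "psh_ratio": 0.40, "dst_port": 80,    "hour": "am"},
    {"label": "web", "mean_pkt_size": 700,  "psh_ratio": 0.35, "dst_port": 443,   "hour": "am"},
    {"label": "web", "mean_pkt_size": 1100, "psh_ratio": 0.45, "dst_port": 80,    "hour": "pm"},
    {"label": "web", "mean_pkt_size": 300,  "psh_ratio": 0.60, "dst_port": 443,   "hour": "pm"},
    {"label": "p2p", "mean_pkt_size": 80,   "psh_ratio": 0.70, "dst_port": 51413, "hour": "am"},
    {"label": "p2p", "mean_pkt_size": 120,  "psh_ratio": 0.80, "dst_port": 6881,  "hour": "am"},
    {"label": "p2p", "mean_pkt_size": 95,   "psh_ratio": 0.55, "dst_port": 6881,  "hour": "am"},
    {"label": "p2p", "mean_pkt_size": 400,  "psh_ratio": 0.40, "dst_port": 80,    "hour": "pm"},
    {"label": "p2p", "mean_pkt_size": 70,   "psh_ratio": 0.90, "dst_port": 4662,  "hour": "pm"},
]

# feature name -> function mapping a flow to a discrete value (assumed features and bin edges)
FEATURES = {
    "mean_pkt_size": lambda f: discretize(f["mean_pkt_size"], [200, 600]),
    "psh_ratio": lambda f: discretize(f["psh_ratio"], [0.5]),
    "dst_port_class": lambda f: "well_known" if f["dst_port"] < 1024 else "ephemeral",
    "hour": lambda f: f["hour"],              # deliberate noise feature
}


def rank_features(flows, features):
    """[(name, IG)] sorted best first; ties keep definition order."""
    labels = [f["label"] for f in flows]
    scores = [(name, information_gain([fn(f) for f in flows], labels))
              for name, fn in features.items()]
    return sorted(scores, key=lambda s: -s[1])


def select_top(ranked, k):
    """The slide's 'top 16 of 23' step, for any k."""
    return [name for name, _ in ranked[:k]]


if __name__ == "__main__":
    ranked = rank_features(FLOWS, FEATURES)
    for name, ig in ranked:
        print(f"{name:15s} IG = {ig:.4f}")
    print("selected:", select_top(ranked, 2))
```

The binned mean packet size separates the classes almost perfectly (IG 0.8 bits of the 1.0 available), the port class loses some of its value to the P2P flow hiding on port 80 (about 0.61), the PSH ratio carries a little information (about 0.28) and the time of day carries none, which is exactly what ranking is meant to expose before the classifier is trained.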
  • 30. Large Botnet Traces
    Botnet name   What it does                                                        Type / size of data   Source of data
    Sality        Infects executable files, attempts to disable security software      Binary (.exe) file    Generated on testbed
    Storm         Email spam                                                          .pcap file / 4.8 GB   Obtained from Uni. of Georgia [34]
    Waledac       Email spam, password stealing                                       .pcap file / 68 GB    Obtained from Uni. of Georgia [34]
    ZeuS          Steals banking information by MITM, key logging and form grabbing   .pcap file / 105 MB   Obtained from Uni. of Georgia [34] + generated on testbed
  • 32. Distributed Data collection and processing. [Figure: the BITS Hyderabad testbed of slide 22 (labs and hostels wing, access, distribution and core switches, firewall/router, application servers, DB cluster, intrusion detection system, botnet traffic generation, data collection for P2P and web traffic, traffic anonymization with the Anon tool, classifier and IDS for botnet detection) extended with a Hadoop name node and Hadoop data nodes]
  • 33. Hadoop setup running at BITS Hyd
  • 34. References
    1. http://news.netcraft.com/archives/2007/05/23/p2p_networks_hijacked_for_ddos_attacks.htm
    2. S. McBride and G. A. Flower, "Estimate of Film-piracy cost soars: Hollywood loss is put at $6.1b a year", The Wall Street Journal Europe, May 4th, 2006.
    3. T. Karagiannis, A. Broido, M. Faloutsos and kc claffy, "Transport Layer Identification of P2P Traffic", Proc. 4th ACM SIGCOMM Conference on Internet Measurement, pp. 121-134, 2004.
    4. S. Sen, O. Spatscheck and D. Wang, "Accurate, Scalable In-Network Identification of P2P Traffic Using Application Signatures", WWW 2004, May 2004.
    5. S. Sen and J. Wang, "Analyzing Peer-To-Peer Traffic Across Large Networks", IEEE/ACM Transactions on Networking, Vol. 12, No. 2, April 2004.
    6. T. T. T. Nguyen and G. Armitage, "A Survey of Techniques for Internet Traffic Classification using Machine Learning", IEEE Communications Surveys & Tutorials, Vol. 10, No. 4, 2008.
    7. H. Khan, S. A. Khayam, L. Golubchik, M. Rajarajan and M. Orr, "Wirespeed, Privacy-Preserving P2P Traffic Detection on Commodity Switches", available online at www.xflowresearch.com
    8. Intrusion detection system, http://en.wikipedia.org/wiki/Intrusion_detection_system
    9. P. Garcia-Teodoro, J. Diaz-Verdejo, G. Macia-Fernandez and E. Vazquez, "Anomaly-based network intrusion detection: Techniques, systems and challenges", Computers & Security, Vol. 28, Issues 1-2, pp. 18-28, 2009.
    10. R. Gupta and A. K. Somani, "Game theory as a tool to strategize as well as predict node's behavior in peer-to-peer networks", International Conf. on PDS, 2005, pp. 244-249.
    11. R. G. Cascella, 2nd ENISA Workshop on Authentication Interoperability Languages, held at the ENISA/EEMA European eIdentity Conference, Paris, France, June 12-13, 2007.
    12. C. Wang, L. Chen, H. Chen and K. Zhou, "Incentive Mechanism Based on Game Theory in P2P Networks", ITCS 2010, pp. 190-193.
    13. C. Sarraute et al., "Simulation of Computer Network Attacks", CoreLabs, Core Security Technologies, 2010.
    14. http://www.metasploit.com/
    15. www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray
    16. www.metasploit.com/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids
    17. http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi
    18. J. R. Quinlan, C4.5: Programs for Machine Learning, Morgan Kaufmann Publishers, 1993.
    19. http://www.cs.waikato.ac.nz/ml/weka/
    20. http://pytbull.sourceforge.net/
    21. http://www.secdev.org/projects/scapy
    22. F. Massicotte and Y. Labiche, "An analysis of signature overlaps in Intrusion Detection Systems", 41st IEEE/IFIP International Conference on Dependable Systems & Networks (DSN), pp. 109-120, 2011.
    23. C.-Y. Ho, Y.-C. Lai, I.-W. Chen, F.-Y. Wang and W.-H. Tai, "Statistical analysis of false positives and false negatives from real traffic with intrusion detection/prevention systems", IEEE Communications Magazine, pp. 146-154, 2012.
    24. S. Ali, H. Khan and S. A. Khayam, "What is the Impact of P2P Traffic on Anomaly Detection?", Proc. 13th International Symposium on Recent Advances in Intrusion Detection (RAID), pp. 1-7, 2010.
    25. J. Erman et al., "Identifying and Discriminating Between Web and Peer-to-Peer Traffic in the Network Core", WWW 2007, ACM, pp. 883-892.
    26. Genevieve B. et al., "Estimating P2P traffic volume at USC", Technical Report, USC, June 2007.
    27. A. Madhukar and Carey W., "A Longitudinal Study of P2P Traffic Classification", IEEE International Symposium on Modeling, Analysis, and Simulation, CA, 2006, pp. 179-188.
    28. Hongwei C. et al., "A SVM method for P2P traffic identification based on multiple traffic mode", Journal of Networks, Nov 2010, pp. 1381-1388.
    29. K. Ilgun et al., "State transition analysis: A rule based intrusion detection approach", IEEE Transactions on Software Engineering, Vol. 21, 1995.
    30. F. Jemili et al., "A framework for an adaptive intrusion detection system using Bayesian network", IEEE Intelligence and Security Informatics, May 2007, pp. 66-70.
    31. M. Soysal and E. G. Schmidt, "Machine learning algorithms for accurate flow-based network traffic classification: Evaluation and comparison", Performance Evaluation, Vol. 67, No. 6, 2010, pp. 451-467.
    32. N. Williams, S. Zander and G. Armitage, "A preliminary performance comparison of five machine learning algorithms for practical IP traffic flow classification", ACM SIGCOMM Computer Communication Review, Vol. 36, No. 5, 2006, pp. 5-16.
    33. P. E. Berg, "Behavior-based Classification of Botnet Malware", thesis report, Gjovik University College, Norway, 2011.
    34. B. Rahbarinia, R. Perdisci, A. Lanzi and K. Li, "PeerRush: Mining for Unwanted P2P Traffic", DIMVA 2013.
    35. www.contagiodump.blogspot.in
    36. S. Saad et al., "Detecting P2P botnets through network behavior analysis and machine learning", 9th Annual International Conference on Privacy, Security and Trust (PST), IEEE, 2011.
    37. P. Hick, E. Aben, D. Andersen and kc claffy, CAIDA UCSD Network Telescope "Three Days of Conficker" dataset, 21st Nov. 2008, http://www.caida.org/data/passive/telescope-3days-conficker_dataset.xml
    38. T. Abbes, A. Bouhoula and M. Rusinowitch, "Protocol analysis in intrusion detection using decision tree", Proc. International Conference on Information Technology: Coding and Computing (ITCC 2004), Vol. 1, IEEE, 2004.
    39. S. Chebrolu, A. Abraham and J. P. Thomas, "Feature deduction and ensemble design of intrusion detection systems", Computers & Security, Vol. 24, No. 4, pp. 295-307, 2005.
    40. A. H. Sung and S. Mukkamala, "The feature selection and intrusion detection problems", Advances in Computer Science - ASIAN 2004: Higher-Level Decision Making, pp. 468-482, Springer, 2005.
    41. J. McHugh, "Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory", ACM Transactions on Information and System Security, Vol. 3, No. 4, pp. 262-294, 2000.