    Securing Enterprise Networks with Statistical Node Behavior Profiling

    The substantial proliferation of the Internet has made it the most critical infrastructure in today's world. However, it is still vulnerable to various kinds of attacks and malware and poses a number of great security challenges. Furthermore, we have also witnessed in the past decade that there is always a fast self-evolution of attacks and malware (e.g. from worms to botnets) against every success in network security. Network security thereby remains a hot topic in both research and industry and requires continuous and great attention. In this research, we consider two fundamental areas in network security, malware detection and background traffic modeling, from a new viewpoint of node behavior profiling under enterprise network environments. Our main objectives are to extend and enhance the current research in these two areas. In particular, central to our research is the node behavior profiling approach, which groups the behaviors of different nodes by jointly considering temporal and spatial correlations. We also present an extensive study on botnets, which are believed to be the largest threat to the Internet. To better understand botnets, we propose a botnet framework and predict a new P2P botnet that is much stronger and stealthier than the current ones. We then propose anomaly-based malware detection approaches built directly on the insights (statistical characteristics) from the node behavior study and apply them to P2P botnet detection. Further, by considering the worst-case attack model, where the botmaster knows all the parameter values used in detection, we propose a fast and optimized anomaly detection approach by formulating the detection problem as an optimization problem. In addition, we propose a novel traffic modeling structure using behavior profiles for NIDS evaluations. It is efficient and takes node heterogeneity into account in traffic modeling. It is also compatible with most current modeling schemes and helpful in generating more realistic background traffic. Last but not least, we evaluate the proposed approaches using real user traces from enterprise networks and achieve encouraging results. Our contributions in this research include: 1) a new node behavior profiling approach to study normal node behavior; 2) a framework for botnets; 3) a new P2P botnet and performance comparisons with other P2P botnets; 4) two anomaly detection approaches based on node behavior profiles; 5) a fast and optimized anomaly detection approach under the worst-case attack model; 6) a new traffic modeling structure; and 7) simulations and evaluations of the above approaches under real user data from enterprise networks. To the best of our knowledge, we are the first to propose the botnet framework, consider the worst-case attack model and propose a corresponding fast and optimized solution in botnet-related research. We are also the first to propose efficient solutions in traffic modeling without the assumption of node homogeneity.

    Implementation of realistic scenarios for ground truth purposes

    Master's thesis in Electronic and Telecommunications Engineering. Security in telecommunication networks is a topic that has long caused concern to all network users (institutions, enterprises and others). New threats, or mutations of existing ones, appear at a very fast rate, and the available solutions do not seem sufficient for a positive detection of these threats. The solutions used today to fight these threats require real-time analysis of the network traffic or have to be trained beforehand. Most of the time, this training has to be supervised by a human being who, depending on their experience, can create a security breach in the system without knowing it. New techniques have been proposed to detect many security attacks or threats more efficiently. However, these techniques need to be tested in order to validate their correct functioning and, to do that, network traffic flows that can be used without compromising the users' confidentiality and that obey pre-established criteria are needed. This dissertation intends to establish a set of trustworthy data, as extensive as possible, from a set of realistic network scenarios. Network emulation techniques are used in a controlled environment, building different network topologies with different services and traffic patterns. Another main objective of this work is to make all the obtained data available to the scientific community in order to create a uniform database that will allow the performance evaluation of new anomaly detection methodologies proposed in the future.

    Realistic Internet Traffic Simulation Through Mixture Modeling And A Case Study

    Internet background traffic modeling and simulation is the main challenge when constructing a test environment for network intrusion detection experiments. However, a realistic simulation of network traffic through analytical models is difficult, because the classic distributions are usually ineffective when applied to traffic-related random variables. A modeling and simulation approach using heavy-tailed mixture distributions is introduced in this paper. In the case study, this approach is used to build analytical models for random variables of several major Internet applications (FTP, HTTP, SMTP, POP3, SSH) of a campus network. Several statistical features of an NS2 simulation are compared against those of the traffic traces being simulated. The comparison indicates that the simulation is statistically similar to the real traffic.

    Contribution to Internet Traffic Demand Estimation Methodologies through the Characterization of User Profiles

    This doctoral thesis proposes a methodology for estimating Internet traffic demand based on the characterization of Internet user profiles, with the aim of analyzing the performance and dimensioning of an access network. An exhaustive state-of-the-art analysis is carried out, organized in three parts. The first part concerns the characterization of Internet users. It includes a study of knowledge-extraction methodologies based on data-mining techniques, and an analysis of theoretical models and previous studies of Internet users. The second part includes an analysis of theoretical models for characterizing the traffic sources of Internet applications, as well as a comparative study of ON/OFF traffic models for a set of representative Internet applications. The last part includes a study of the most relevant access network architectures and proposes a generic access network architecture model. This thesis defines a methodological framework based on Knowledge Discovery Processes (KDPs) with which to extract, identify and characterize Internet users from statistical information sources. This methodology has been applied to residential users in Spain, identifying a clear distinction between Non-Users (47%) and Internet Users (53%). Within the Internet users, 4 user profiles have been extracted: Sporadic (16%), Instrumental (10%), Social (14%) and Advanced (13%). This methodology has also been applied to previous years in order to forecast the evolution of the typology of Internet users in Spain. Next, a traffic demand estimation method based on the identified Internet user profiles is proposed, with the aim of analyzing the performance of the underlying access network. This methodology is based on 3 models: access network, network traffic, and user and application profiles. Finally, the thesis presents a simulation model and tool that implement the demand estimation method described above. The simulation model and tool have been validated against an analytical model using a simplified scenario based on homogeneous ON/OFF traffic sources. Using the developed simulation tool, the demand estimation methodology is applied to two use cases, corresponding to two identical access network scenarios that differ only in the characterization of their users. In the first use case, the access network is characterized by the residential Internet user profiles identified for the year 2012, and in the second use case, the forecast evolution of Internet user profiles for the year 2017 is used. The thesis concludes with a comparison of the access network performance for both use cases, based on the analysis of the Grade of Service (GoS) of both scenarios.