Anomaly-based botnet detection for 10 Gb/s networks

Current network data rates have made it increasingly difficult for cyber security specialists to protect the information stored on private systems. Greater throughput not only allows for higher productivity, but also creates a “larger” security hole that may allow numerous malicious applications (e.g. bots) to enter a private network. Software-based intrusion detection/prevention systems are not fast enough for the massive amounts of traffic found on 1 Gb/s and 10 Gb/s networks to be fully effective. Consequently, businesses accept more risk and are forced to make a conscious trade-off between threat and performance. A solution that can handle a much broader view of large-scale, high-speed systems will allow us to increase maximum throughput and network productivity. This paper describes a novel method of solving this problem by joining a pre-existing signature-based intrusion prevention system with an anomaly-based botnet detection algorithm in a hybrid hardware/software implementation. Our contributions include the addition of an anomaly detection engine to a pre-existing signature detection engine in hardware. This hybrid system is capable of processing full-duplex 10 Gb/s traffic in real-time with no packet loss. The behavior-based algorithm and user interface are customizable. This research has also led to improvements of the vendor supplied signal and programming interface specifications which we have made readily available

A Feasibility Study on the Application of the ScriptGenE Framework as an Anomaly Detection System in Industrial Control Systems

Recent events such as Stuxnet and the Shamoon Aramco have brought to light how vulnerable industrial control systems (ICSs) are to cyber attacks. Modern society relies heavily on critical infrastructure, including the electric power grid, water treatment facilities, and nuclear energy plants. Malicious attempts to disrupt, destroy and disable such systems can have devastating effects on a populations way of life, possibly leading to loss of life. The need to implement security controls in the ICS environment is more vital than ever. ICSs were not originally designed with network security in mind. Today, intrusion detection systems are employed to detect attacks that penetrate the ICS network. This research proposes the use of a novel algorithm known as the ScriptGenE framework as an anomaly-based intrusion detection system. The anomaly detection system (ADS) is implemented between an engineering workstation and programmable logic controller to monitor traffic and alert the operator to anomalous behavior. The ADS achieves true positive rates of 0.9011 and 1.00 with false positive rates of 0 and 0.054. This research demonstrates the viability of using the ScriptGenE framework as an anomaly detection system in a simulated ICS environment

SENATUS: An Approach to Joint Traffic Anomaly Detection and Root Cause Analysis

In this paper, we propose a novel approach, called SENATUS, for joint traffic anomaly detection and root-cause analysis. Inspired from the concept of a senate, the key idea of the proposed approach is divided into three stages: election, voting and decision. At the election stage, a small number of \nop{traffic flow sets (termed as senator flows)}senator flows are chosen\nop{, which are used} to represent approximately the total (usually huge) set of traffic flows. In the voting stage, anomaly detection is applied on the senator flows and the detected anomalies are correlated to identify the most possible anomalous time bins. Finally in the decision stage, a machine learning technique is applied to the senator flows of each anomalous time bin to find the root cause of the anomalies. We evaluate SENATUS using traffic traces collected from the Pan European network, GEANT, and compare against another approach which detects anomalies using lossless compression of traffic histograms. We show the effectiveness of SENATUS in diagnosing anomaly types: network scans and DoS/DDoS attacks

MALICIOUS TRAFFIC DETECTION IN DNS INFRASTRUCTURE USING DECISION TREE ALGORITHM

Domain Name System (DNS) is an essential component in internet infrastructure to direct domains to IP addresses or conversely. Despite its important role in delivering internet services, attackers often use DNS as a bridge to breach a system. A DNS traffic analysis system is needed for early detection of attacks. However, the available security tools still have many shortcomings, for example broken authentication, sensitive data exposure, injection, etc. This research uses DNS analysis to develop anomaly-based techniques to detect malicious traffic on the DNS infrastructure. To do this, We look for network features that characterize DNS traffic. Features obtained will then be processed using the Decision Tree algorithm to classifyincoming DNS traffic. We experimented with 2.291.024 data traffic data matches the characteristics of BotNet and normal traffic. By dividing the data into 80% training and 20% testing data, our experimental results showed high detection aacuracy (96.36%) indicating the robustness of our method

Machine Learning DDoS Detection for Consumer Internet of Things Devices

An increasing number of Internet of Things (IoT) devices are connecting to the Internet, yet many of these devices are fundamentally insecure, exposing the Internet to a variety of attacks. Botnets such as Mirai have used insecure consumer IoT devices to conduct distributed denial of service (DDoS) attacks on critical Internet infrastructure. This motivates the development of new techniques to automatically detect consumer IoT attack traffic. In this paper, we demonstrate that using IoT-specific network behaviors (e.g. limited number of endpoints and regular time intervals between packets) to inform feature selection can result in high accuracy DDoS detection in IoT network traffic with a variety of machine learning algorithms, including neural networks. These results indicate that home gateway routers or other network middleboxes could automatically detect local IoT device sources of DDoS attacks using low-cost machine learning algorithms and traffic data that is flow-based and protocol-agnostic.Comment: 7 pages, 3 figures, 3 tables, appears in the 2018 Workshop on Deep Learning and Security (DLS '18