    A Network-Aware Distributed Membership Protocol for Collaborative Defense

    To counteract current trends in network malware, distributed solutions have been developed that harness the power of collaborative end-host sensors. While these systems greatly increase the ability to defend against attack, this comes at the cost of complexity due to the coordination of distributed hosts across the dynamic network. Many previous solutions for distributed membership maintenance are agnostic to network conditions and have high overhead, making them less than ideal in the dynamic enterprise environment. In this work, we propose a network-aware, distributed membership protocol, CLUSTER, which improves the performance of the overlay system by biasing neighbor selection towards beneficial nodes based on multiple system metrics and network social patterns (of devices and their users). We provide an extensible method for aggregating and comparing multiple, possibly unrelated metrics. We demonstrate the effectiveness and utility of our protocol through simulation using real-world data and topologies. As part of our results, we highlight our analysis of node churn statistics, offering a new distribution to accurately model enterprise churn.

    Detecting Botnets with Tight Command and Control

    Systems are attempting to detect botnets by examining traffic content for IRC commands or by setting up honeynets. Our approach for detecting botnets is to examine flow characteristics such as bandwidth, duration, and packet timing, looking for evidence of botnet command and control activity. We have constructed an architecture that first eliminates traffic that is unlikely to be a part of a botnet, classifies the remaining traffic into a group that is likely to be part of a botnet, then correlates the likely traffic to find common communications patterns that would suggest the activity of a botnet. Our results show that botnet evidence can be extracted from a traffic trace containing almost 9 million flows.

    Using Machine Learning Techniques to Identify Botnet Traffic

    To date, techniques to counter cyber-attacks have predominantly been reactive; they focus on monitoring network traffic, detecting anomalies and cyber-attack traffic patterns, and, a posteriori, combating the cyber-attacks and mitigating their effects. Contrary to such approaches, we advocate proactively detecting and identifying botnets prior to their being used as part of a cyber-attack [12]. In this paper, we present our work on using machine learning-based classification techniques to identify the command and control (C2) traffic of IRC-based botnets: compromised hosts that are collectively commanded using Internet Relay Chat (IRC). We split this task into two stages: (I) distinguishing between IRC and non-IRC traffic, and (II) distinguishing between botnet and real IRC traffic. For Stage I, we compare the performance of J48, naive Bayes, and Bayesian network classifiers, identify the features that achieve good overall classification accuracy, and determine the classification sensitivity to the training set size. While sensitive to the training data and the attributes used to characterize communication flows, machine learning-based classifiers show promise in identifying IRC traffic. Using classification in Stage II is trickier, since accurately labeling IRC traffic as botnet and non-botnet is challenging. We are currently exploring labeling flows as suspicious and non-suspicious based on telltales of hosts being compromised.

    Adaptive dynamic radio open-source intelligent team (ADROIT): Cognitively-controlled collaboration among SDR nodes

    The ADROIT project is building an open-source software-defined data radio, intended to be controlled by cognitive applications. The goal is to create a system that enables teams of radios, where each radio both has its own cognitive controls and the ability to collaborate with other radios, to create cognitive radio teams. The desire to create cognitive radio teams, and the goal of having an open-source system, requires a rich and carefully architected system that provides great flexibility (enabling cognitive applications to change the radio's behavior) and also has a clear structure (both so that others may add or enhance the software, and also so that the system can be clearly modeled for cognitive applications). What follows is a summary of the ADROIT system and the key architectural features intended to enable cognitive radio teams.