Intrusion Detection Mechanisms for Peer-to-Peer Networks – Pratik Narang
BITS Pilani, Hyderabad Campus

Page 1: Title slide

Page 2: Acknowledgements

Dr. Chittaranjan Hota (BITS – Pilani, Hyderabad)
Dr. V.N. Venkatakrishnan (University of Illinois at Chicago)
Dr. Nasir Memon (New York University, Abu Dhabi)

Supported by

Page 3: Introduction

What are P2P networks?

What's a bot?

What are botnets?

What are Peer-to-Peer based botnets?

Page 4: Peer-to-Peer networks

are distributed systems consisting of interconnected nodes

are able to self-organize into network topologies

are built for the purpose of sharing resources such as content, CPU cycles, storage and bandwidth

Well-known applications: BitTorrent, Skype, eMule, SETI@home

Page 5: Peer-to-Peer networks

(Figure: the P2P overlay layer, in which peers A to H are linked directly to one another, sits on top of the native IP layer, where the same hosts are spread across autonomous systems AS1 to AS6.)

Page 6: Generic P2P architecture

(Figure: layered block diagram.) Blocks shown: Capability & Configuration; Peer Role Selection; Operating System; NAT/Firewall Traversal; Routing and Forwarding; Neighbor Discovery; Join/Leave; Bootstrap; Overlay Messaging API; Content Storage; Search API.

Page 7: P2P: uses & misuses

(Figure: logos of P2P applications, including GNUnet and DC++.)

Page 8: Traditional Botnets

(Figure: a Bot-Master controlling the bots.)

Page 9: Peer-to-Peer Botnets

(Figure.) Source: www.lightcyber.com

Page 10: Dataset

Botnet  | What it does                                                      | Type / size of data | Source of data
Sality  | Infects executable files, attempts to disable security software   | Binary (.exe) file  | Generated on testbed
Storm   | Email spam                                                        | .pcap file / 4.8 GB | Obtained from Univ. of Georgia
Waledac | Email spam, password stealing                                     | .pcap file / 1.1 GB | Obtained from Univ. of Georgia
ZeuS    | Steals banking information by MITM, key logging and form grabbing | .pcap file / 1 GB   | Obtained from Univ. of Georgia and CVUT Prague, plus generated on testbed
Nugache | Email spam                                                        | .pcap file / 58 MB  | Obtained from University of Texas at Dallas

Also in the dataset: multiple P2P applications, web traffic, etc.

Page 11: P2P apps v/s P2P bots

Applications:
• A human user: 'bursty' traffic
• High volume of data transfers seen
• Small inter-arrival time of packets seen in apps

Botnets:
• Automated / scripted commands
• Low in volume, high in duration
• Large inter-arrival time of packets seen in stealthy bots

*Both randomize ports, and use TCP as well as UDP

Page 12: (figure only)

Page 13: Approach

1. Gather five-tuple flows from network traffic. Flows: IP1, IP1-port, IP2, IP2-port, protocol.
2. Cluster flows based on bi-directional features: protocol, packets per sec (f/w), packets per sec (b/w), avg. payload size (f/w), and avg. payload size (b/w).
3. Create two-tuple conversations within each cluster. Conversations: IP1, IP2.
4. For each tuple, extract 4 features:
   – the duration of the conversation
   – the number of packets exchanged in the conversation
   – the volume of the conversation (no. of bytes)
   – the median value of the inter-arrival time of packets in the conversation
5. Differentiate between and categorize P2P apps & bots with these features.

Page 14: Architecture

(Figure: block diagram of the PeerShark pipeline.) P2P traffic enters the Packet Filtering Module, which passes valid packets on and discards packets with corrupted or missing headers. The Flow Creation Module makes flows from the valid packets (parameter: FLOWGAP). The Flow Clustering Module groups them into clusters of flows, and the Conversation Generation Module builds conversations within those clusters (parameter: TIMEGAP). The Machine Learning based modules then classify each conversation as benign or malicious.
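The pipeline of the Approach and Architecture slides, and the app-versus-bot contrast of the "P2P apps v/s P2P bots" slide, as an added Python illustration (this is not the PeerShark code the authors published). Constructed packets, not captured traffic, are turned into 5-tuple flows, bucketed into clusters on the five bidirectional flow features, merged into 2-tuple conversations, and reduced to the four conversation features. Three things are assumptions made here because the slides do not state them: FLOWGAP and TIMEGAP are treated as idle timeouts that close a flow and a conversation respectively; the clustering algorithm is not named, so a log-scale bucketing of the feature vector stands in for it; and flow duration is floored at one second so that a one-packet flow does not divide by zero.

```python
"""Packets -> 5-tuple flows -> flow features -> clusters -> 2-tuple conversations
-> 4 conversation features. Added illustration of the slides' pipeline, not the
authors' PeerShark code. The packets below are constructed, not captured."""
import math
from collections import defaultdict
from statistics import mean, median

# Constructed packets: (time_s, src_ip, src_port, dst_ip, dst_port, proto, payload_bytes).
# 10.0.0.1 <-> 10.0.0.2: bursty BitTorrent-like exchange on two source ports, 1400 B data / 60 B acks.
# 10.0.0.3 <-> 10.0.0.4: sparse 40 B UDP keep-alives, one every 60 s, alternating direction.
PACKETS = []
for port, base in ((50000, 0.0), (50001, 1.0)):
    for i in range(4):
        PACKETS.append((base + 0.10 * i, "10.0.0.1", port, "10.0.0.2", 6881, "TCP", 1400))
        PACKETS.append((base + 0.10 * i + 0.05, "10.0.0.2", 6881, "10.0.0.1", port, "TCP", 60))
for i in range(5):
    src, dst = ("10.0.0.3", "10.0.0.4") if i % 2 == 0 else ("10.0.0.4", "10.0.0.3")
    PACKETS.append((60.0 * i, src, 40000, dst, 40000, "UDP", 40))

FLOWGAP = 30.0   # assumption: idle seconds after which a 5-tuple flow is closed
TIMEGAP = 300.0  # assumption: idle seconds after which a 2-tuple conversation is closed


def build_flows(packets, flowgap=FLOWGAP):
    """Group packets into 5-tuple flows (direction-agnostic key), closing a flow after
    flowgap idle seconds. 'forward' = same direction as the flow's first packet."""
    flows, open_flows = [], {}
    for t, sip, sport, dip, dport, proto, size in sorted(packets):
        key = (proto,) + tuple(sorted([(sip, sport), (dip, dport)]))
        cur = open_flows.get(key)
        if cur is None or t - cur["last"] > flowgap:
            cur = {"proto": proto, "initiator": sip, "ips": tuple(sorted([sip, dip])),
                   "first": t, "last": t, "pkts": []}
            open_flows[key] = cur
            flows.append(cur)
        cur["pkts"].append((t, sip == cur["initiator"], size))
        cur["last"] = t
    return flows


def flow_features(flow):
    """The slide's bidirectional flow features: protocol, pkts/s fwd, pkts/s bwd,
    avg payload fwd, avg payload bwd. Duration is floored at 1 s (choice made here)."""
    dur = max(flow["last"] - flow["first"], 1.0)
    fwd = [s for _, f, s in flow["pkts"] if f]
    bwd = [s for _, f, s in flow["pkts"] if not f]
    return (flow["proto"], len(fwd) / dur, len(bwd) / dur,
            mean(fwd) if fwd else 0.0, mean(bwd) if bwd else 0.0)


def cluster_flows(flows):
    """Stand-in for the slide's clustering step (algorithm not named there): bucket each
    flow by its log2-quantised feature vector, so flows with similar rates and sizes share a cluster."""
    clusters = defaultdict(list)
    for fl in flows:
        proto, *nums = flow_features(fl)
        clusters[(proto,) + tuple(round(math.log2(1 + x)) for x in nums)].append(fl)
    return clusters


def build_conversations(clusters, timegap=TIMEGAP):
    """Within each cluster, merge flows of the same (IP1, IP2) pair into a conversation,
    starting a new one when the pair has been idle for more than timegap seconds."""
    convs = []
    for cl in clusters.values():
        open_convs = {}
        for fl in sorted(cl, key=lambda f: f["first"]):
            cur = open_convs.get(fl["ips"])
            if cur is None or fl["first"] - cur["last"] > timegap:
                cur = {"ips": fl["ips"], "first": fl["first"], "last": fl["last"], "pkts": []}
                open_convs[fl["ips"]] = cur
                convs.append(cur)
            cur["pkts"].extend(fl["pkts"])
            cur["last"] = max(cur["last"], fl["last"])
    return convs


def conversation_features(conv):
    """The four conversation features: duration, packet count, volume in bytes, median inter-arrival time."""
    times = sorted(t for t, _, _ in conv["pkts"])
    iats = [b - a for a, b in zip(times, times[1:])]
    return {"ips": conv["ips"], "duration": times[-1] - times[0], "packets": len(times),
            "bytes": sum(s for _, _, s in conv["pkts"]), "median_iat": median(iats) if iats else 0.0}


def peershark_features(packets=PACKETS):
    """Run the whole pipeline and return one feature dict per conversation, sorted by IP pair."""
    convs = build_conversations(cluster_flows(build_flows(packets)))
    return sorted((conversation_features(c) for c in convs), key=lambda f: (f["ips"], f["duration"]))


if __name__ == "__main__":
    for feats in peershark_features():
        print(feats)
</ ```

Run on the constructed packets, the keep-alive pair comes out as one long, low-volume conversation with a 60 s median inter-arrival time even though FLOWGAP split it into five single-packet flows, while the download pair is a short, high-volume conversation with a 0.05 s median: exactly the separation the "apps v/s bots" slide relies on.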

Page 15: Data crunching (figure only)

Page 16: Results

(Figures: performance of classifiers on test data; performance of classifiers on unseen P2P botnets.)

Publications:

PeerShark: Detecting P2P Botnets by Tracking Conversations. Presented at IEEE Security & Privacy Workshops (co-located with the 35th IEEE Symposium on Security & Privacy), San Jose, USA, May 2014. (Pratik Narang, Subhajit Ray, Chittaranjan Hota and V.N. Venkatakrishnan)

PeerShark: Flow-clustering and Conversation-generation for Malicious P2P traffic Identification. The EURASIP Journal on Information Security 2014, 2014:15. (Pratik Narang, Chittaranjan Hota and V.N. Venkatakrishnan)

Page 17: Other tracks

Page 18: Signal-processing Techniques for P2P Botnet Detection

Approach & Contributions: To uncover hidden patterns in the communications between bots, we convert the time-domain network communication of peers to the frequency domain.

We extract 2-tuple conversations from network traffic and treat each conversation as a signal.

We extract several 'signal-processing' based features using Fourier transforms and Shannon's entropy theory.

We calculate: FFT(inter-arrival_time), FFT(payload_sizes), Compression-ratio(payload_sizes)
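The feature extraction this slide lists, as an added Python illustration (not the authors' code from the DEBS'14 paper): a conversation's inter-arrival times and payload sizes are each treated as a signal, the strongest non-DC bin of their spectrum and its share of the spectral energy are read off a plain DFT (an FFT yields identical numbers), and the payload-size sequence is summarised by Shannon entropy and by a zlib compression ratio. The two conversations are constructed, not captured; which specific spectral statistics the authors fed to their classifier is not stated on the slide, so the "dominant bin and its share" used here is an assumption.

```python
"""Signal-processing features for one 2-tuple conversation: added illustration of the
approach on the slide, not the authors' code. Inter-arrival times (IATs) and payload
sizes are treated as signals. Both conversations below are constructed, not captured."""
import math
import zlib
from collections import Counter

# Bot-like: a request/reply pair every minute -> IATs alternate 0.5 s / 59.5 s, every payload 40 B.
BOT_IATS = [0.5, 59.5] * 8
BOT_SIZES = [40] * 16
# App-like: a human-driven download -> irregular timing and mixed payload sizes.
APP_IATS = [0.05, 0.03, 0.9, 0.05, 0.2, 0.01, 0.4, 0.05, 1.3, 0.02, 0.05, 0.07, 0.6, 0.01, 0.05, 0.3]
APP_SIZES = [1448, 52, 917, 1448, 52, 1448, 1230, 52, 1448, 640, 52, 1448, 1448, 52, 333, 1448]


def dft_magnitudes(x):
    """|X[k]| for k = 0..n//2 of a real signal. Plain O(n^2) DFT so no numpy is needed;
    an FFT returns the same magnitudes, only faster."""
    n = len(x)
    mags = []
    for k in range(n // 2 + 1):
        re = sum(v * math.cos(2 * math.pi * k * i / n) for i, v in enumerate(x))
        im = -sum(v * math.sin(2 * math.pi * k * i / n) for i, v in enumerate(x))
        mags.append(math.hypot(re, im))
    return mags


def dominant_frequency(x):
    """Strongest non-DC bin of the mean-removed signal and its share of the non-DC energy.
    A periodic keep-alive concentrates its energy in one bin (share near 1.0); human-driven
    traffic spreads it across bins. A flat signal has no energy at all (share 0.0)."""
    if len(x) < 2:
        return 0, 0.0
    avg = sum(x) / len(x)
    mags = dft_magnitudes([v - avg for v in x])
    k = max(range(1, len(mags)), key=mags.__getitem__)
    total = sum(mags[1:]) or 1.0
    return k, mags[k] / total


def shannon_entropy(values):
    """Entropy in bits of the empirical distribution of the values (0 when every packet has the same size)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def compression_ratio(values):
    """zlib-compressed length over raw length of the value sequence, used as an entropy proxy:
    repetitive sequences compress well (low ratio), varied ones do not."""
    raw = ",".join(str(v) for v in values).encode()
    return len(zlib.compress(raw, 9)) / len(raw)


def signal_features(iats, sizes):
    """The slide's feature set: FFT of IATs, FFT of payload sizes, compression ratio and entropy of sizes."""
    iat_bin, iat_share = dominant_frequency(iats)
    size_bin, size_share = dominant_frequency(sizes)
    return {
        "iat_dominant_bin": iat_bin, "iat_dominant_share": iat_share,
        "size_dominant_bin": size_bin, "size_dominant_share": size_share,
        "size_entropy_bits": shannon_entropy(sizes),
        "size_compression_ratio": compression_ratio(sizes),
    }


if __name__ == "__main__":
    print("bot", signal_features(BOT_IATS, BOT_SIZES))
    print("app", signal_features(APP_IATS, APP_SIZES))
```

For the constructed bot conversation the alternating 0.5 s / 59.5 s timing puts all of the IAT energy in the Nyquist bin (k = 8 for 16 samples) and the constant 40-byte payloads give zero entropy and a low compression ratio; the download's irregular timing and mixed sizes spread the spectrum, raise the entropy above one bit and compress poorly. Those contrasts are what a classifier built on these features would learn.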

Page 19: Signal-processing Techniques for P2P Botnet Detection

(Figure: block diagram.) The Packet Validation and Filtering Module passes valid packets on and discards the rest; the Conversation Creation Module builds conversations from them; the Feature Set Extraction Module produces both signal-processing based features and network-behavior based features; the Machine Learning based modules label each conversation as malicious or benign, and P2P botnets are identified from the malicious conversations.

Machine-learning Approaches for P2P Botnet Detection using Signal-processing Techniques. The 8th ACM International Conference on Distributed Event-Based Systems (DEBS' 14), ACM SIGMOD/SIGSOFT, Mumbai, India, pp. 338-341, May 2014. (Pratik Narang, Vansh Khurana and Chittaranjan Hota)

Page 20: Host-based approach using Hadoop

(Figure: deployment on the campus network, with a Hadoop name node and data nodes.)

1. Data collection (from the Distributed Systems Lab and the Student Hostels)
2. Parse packets with Tshark
3. Push data to HDFS
4. Host-based features extracted with Hive
5. Feature set evaluated against models built with Mahout
P2P bots detected → trigger firewall rules

Hades: A Hadoop-based Framework for Detection of Peer-to-Peer Botnets. The 20th International Conference on Management of Data (COMAD) 2014, Hyderabad, Dec 2014. (Pratik Narang, Abhishek Thakur and Chittaranjan Hota)

Page 21: Code and feedback

Code: www.github.com/pratiknarang

Feedback: [email protected]