anomaly detection algorithms for malware traffic analysis
play

Anomaly Detection Algorithms for Malware Traffic Analysis using - PowerPoint PPT Presentation

Dec 05, 2022 •135 likes •391 views

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr. Patrick McDaniel Berkay Celik Fall 2015 Introduction Motivation Related Work Data Approach Experimental Results Comparison

  1. Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr. Patrick McDaniel Berkay Celik Fall 2015

  2. ‣ Introduction ‣ Motivation ‣ Related Work ‣ Data ‣ Approach ‣ Experimental Results ‣ Comparison with Previous Work ‣ Conclusion and Discussion ‣ References 2 Page

  3. Malware Infection Image credit: http://www.vblaze.com / 3 Page

  4. Malware/Legitimate Communication Packet Packet Do features extracted from packet headers discriminate legitimate applications from malware traffic ? How many packets should be aggregated for feature • extraction? Which feature subset should be used for detection? • 4 Page

  5. Goal: To analyze and detect the network-level behavior of malware traffic after blending into the normal traffic: ‣ Focus on detecting malware heartbeat traffic ‣ Features should be tamper resistant (i.e., not easy to fool such as port numbers or flags in packet headers) ‣ Malware traffic is rare, evaluation of anomaly detection algorithms 5 Page

  6. Related Work Current state of the art • Systems based on known signatures: Well studied, a drawback of these systems is not detecting unknown malware traffic • Payload inspection: Vulnerable to privacy issues, payload encryption and limitations in processing high- speed (multigigabit) networks • Feature representation: Drawbacks in selecting “tamper - proof” features such as using port numbers, payload information, protocol specific information and unrealistic malware traffic features when modelling the traffic • Supervised classification algorithms: The requirement of targeted anomalous samples is a disadvantage of these approaches 6 Page

  7. Dataset Malware Traffic Legitimate Traffic, 3513X13 instances 7753 x13 (as a total 16 different instances malware families) ‣ Legitimate Traffic features traces of a small scale organization network recorded at University of Twente with around 35 employees and over Image credit: http://www.vblaze.com/ 100 students 7 Page

  8. Feature space (13 features, all continuous): Flow duration: Difference between last packet time and first • packet time Count of Payload (+): The count of all the packets with at • least a byte of data payload Min data size (+): Minimum payload size observed • Mean of bytes (-): Data bytes divided by the total number of • packets Initial Data Length (*): The total number of bytes sent in initial • window RTT samples (*): Total number of RTT samples found in total • packets Median and Variance of bytes (+): Median and variance of • total packet bytes IP ratio(*): Ratio between the maximum packet size and • minimum packet size Goodput(*): Total number of frame bytes divided flow • duration 8 Page

  9. Feature selection: These papers are the guidelines for the feature selection process: Wei Li, Marco Canini, Andrew W Moore, and Raffaele Bolla. • Efficient application identification and the temporal and spatial stability of classification schema, Computer Networks, 2009 A. Moore, D. Zuev, and M. Crogan. Discriminators for use in • flow based classification . Queen Mary and Westfield College, Department of Computer Science, 2005 Terry Nelms, Roberto Perdisci, and Mustaque Ahamad. • Execscent: Mining for new C&C domains in live networks with adaptive control protocol templates. In USENIX Security ,2013 9 Page

  10. Approach Steps to achieve the goal Overview of Framework 10 Page

  11. Approach Steps to achieve the goal One-class support vector machine (OCSVM) • The distance to the kth nearest neighbor (k-NN) • K-means clustering by finding the distance from data to the • nearest cluster centre Least squares anomaly detection (LSAD) based on the least • squares probabilistic classifier Image from official Scikit-learn, One-class SVM 11 Page

  12. Approach Evaluation Metrics • AUC (Area Under Curve) • ROC curve when necessary • Further experiments for analysis of malware traffic Steps to achieve the goal • Confusion matrix • False positive and false negative counts • Interpretation of PCA and K-means clustering 12 Page

  13. Experimental Setup: • Hyper parameters are set using the subset of the training set • Stratified k-fold cross validation (k is selected depending on the malware traffic Steps to achieve the goal size) or random sampling is applied depending on the number of malware instances • A paired t-test with significance level 0.05 to report the differences of each algorithms' AUC values 13 Page

  14. Experimental Results Steps to achieve the goal 14 Page

  15. Experimental Results: Steps to achieve the goal (More details of ROC curve for each fold is given in report) • Avg. ROC plots the percentage of correctly classified malicious samples (true positive rate) against the percentage of legitimate samples falsely classified as malicious (false positive rate) 15 Page

  16. Experimental Results: Steps to achieve the goal Kaiten vs Neris malware (More details of ROC curve for each fold is given in report) • ROC plots with cross validation the percentage of correctly classified malicious samples (true positive rate) against the percentage of legitimate samples falsely classified as malicious (false positive rate) 16 Page

  17. Lessons Learned from initial results: • No single algorithm performs better than others • Detection Results decrease with the recent evolution of malware families e.g., Zeus V1 Steps to achieve the goal to Zeus V2 • Recent malware traffic gets stealthy, and evades the detection (disguising traffic) 17 Page

  18. Understanding source of false negatives and false positives: Number of legitimate HTTP(S) flows classified as malware Steps to achieve the goal Number of malware flows classified as legitimate HTTP(S) • Mean Values, std is in range +/- 0.53 for all families • Port numbers as a ground truth labels • C4.5 algorithm for classification 18 Page

  19. Detailed Analysis: Steps to achieve the goal Confusion Matrix after cross validation Base Classifier (majority class) vs. C4.5 algorithm (More details are given in report) 19 Page

  20. Network Behavior of Malware Families: Steps to achieve the goal Log scale plot of incoming and outgoing ratio of packet bytes • Most similar HTTP traffic observed between malware and legitimate traces, from constant packet ratio to varying packet ratio 20 Page

  21. Analysis of Feature Space of Malware (Code Reuse): Steps to achieve the goal Feature Projection to two Dimensional Space using PCA and K-means Clustering • Tbot and Kaiten are close to each other, and form a single cluster. However, Agabot is not as close as the other malware families. Zeus V1, ZeusGameover, ZeusPonyloader, ZeusV2 and Sality form in similar feature range, and most of their instances are assigned to the same clusters 21 Page

  22. Recent papers: • Looks for the multiple source of information i.e., features extracted from not only packets, but also IP addresses, DNS features, HTTP requests etc. ‣ T. Nelms, R. Perdisci, and M. Ahamad. Execscent: Mining for new C&C domains in live networks with adaptive control protocol templates. In Proc. USENIX Security Symposium , 2013 • Focusing on before infection phase, we assume that hosts Steps to achieve the goal are already infected and generates traffic. More challenging... ‣ L. Invernizzi, S.-J. Lee, S. Miskovic, M. Mellia, R. Torres, C. Kruegel, S. Saha, and G. Vigna. Nazca: Detecting malware distribution in largescale networks. In Proc. Network and Distributed System Security Symposium (NDSS) , 2014 • Detection Accuracy is mostly high due to the use of tamper proof features ‣ Port numbers, flags and payload is used 22 Page

  23. Conclusion/Discussion • Presented a framework that evaluates the detection performance of malware heartbeat traffic after blending into legitimate applications • Our framework effectively discriminates most of the C&C heartbeat traffic from legitimate traffic by only using tamper resistant features of transport layer protocol Steps to achieve the goal • We observe substantial decrease in detection with the recent malware families ‣ Malware traffic is disguised in HTTP traffic to conduct an evasion attack • Code reuse is common practice in malware families • Provide a discussion of importance of using tamper resistant feature space, and multiple source of information to alleviate the false negatives by improving the underlying feature space 23 Page

  24. Key Papers Feature Selection: Wei Li, Marco Canini, Andrew W Moore, and Raffaele Bolla. Efficient application identification and the temporal and spatial stability of classification schema, Computer Networks, 2009 Methodology and Insights: F.Kocak, D. J. Miller, and G. Kesidis. Detecting anomalous latent Steps to achieve the goal classes in a batch of network traffic flows. In Proc. Information Sciences and Systems (CISS), 2014 Anomaly Detection Algorithms: V. Chandola, A. Banerjee, and V. Kumar. Anomaly detection: A survey. In ACM Computing Surveys, 2009. State of the art paper in this research area: Gu, R. Perdisci, J. Zhang, W. Lee, et al. Botminer: Clustering analysis of network traffic for protocol-and structure-independent botnet detection. In Proc. USENIX Security Symposium, 2008 24 Page

  25. QUESTIONS Anomaly Detection Algorithms for Malware Traffic Analysis using 25 Tamper Resistant Features

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
On Entropy in Network Traffic Anomaly Detection Jayro Santiago-Paz, Deni Torres-Roman.

On Entropy in Network Traffic Anomaly Detection Jayro Santiago-Paz, Deni Torres-Roman.

Introduction Feature Extraction Entropy Calculation Anomaly detection Classification Open Issues On Entropy in Network Traffic Anomaly Detection Jayro Santiago-Paz, Deni Torres-Roman. Cinvestav, Campus Guadalajara, Mexico November 2015

690 views • 24 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar, David Andersen, Hyong Kim, Hui Zhang Carnegie Mellon University Entropy-based Anomaly Detection Goal: detect abnormal behavior scan activity,

447 views • 34 slides
Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best

Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best

Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1 , Augustin Soule 2 , Jennifer Rexford 1 , Christophe Diot 2 1 Princeton University, 2 Thomson Research Outline Context

598 views • 15 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon,

Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon,

Traffic Measurement Analysis & Robust Methods Modeling Anomaly Detection Traffic Classification Conclusion + Internet Traffic: Analysis, Modeling with real-world aspects Pierre B ORGNAT CNRS ENS Lyon, Laboratoire de Physique (UMR

716 views • 60 slides
Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Anomaly Detection Motivation Developing an anomaly detection system Anomaly detection vs. supervised learning Choosing what features

514 views • 34 slides
Practical Anomaly Detection based on Classifying Frequent Traffic Patterns Ignasi Paredes-Oliva 1

Practical Anomaly Detection based on Classifying Frequent Traffic Patterns Ignasi Paredes-Oliva 1

Practical Anomaly Detection based on Classifying Frequent Traffic Patterns Ignasi Paredes-Oliva 1 Ismael Castell-Uroz 1 Pere Barlet-Ros 1 Xenofontas Dimitropoulos 2 Josep Sol-Pareta 1 1 UPC BarcelonaTech, Spain

616 views • 36 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

905 views • 74 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

984 views • 72 slides
Metadata format for benchmarking anomaly detection algorithms Youki Kadobayashi NICT / NAIST

Metadata format for benchmarking anomaly detection algorithms Youki Kadobayashi NICT / NAIST

Metadata format for benchmarking anomaly detection algorithms Youki Kadobayashi NICT / NAIST youki-k <at> is.naist.jp 10 th CAIDA-WIDE workshop / 1 st CAIDA-WIDE-CASFI workshop August 2008 Anomaly detection algorithms:

444 views • 10 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
<Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection

<Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection

Data Council Singapre 2019 Autoencoder Forest for Anomaly Detection from IoT Time Series <Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection Autoencoder for anomaly detection Autoencoder

540 views • 27 slides
Temporal Privacy in Wireless Sensor Networks Temporal Privacy in Wireless Sensor Networks

Temporal Privacy in Wireless Sensor Networks Temporal Privacy in Wireless Sensor Networks

Temporal Privacy in Wireless Sensor Networks Temporal Privacy in Wireless Sensor Networks Pandurang Kamat, Wenyuan Xu, Wade Trappe and Yanyong Zhang WINLAB Rutgers University 1 Temporal Privacy in Sensor Networks Temporal Privacy in Sensor

280 views • 14 slides
Deduplicated Storage Danny Harnik, Moshik Hershcovitch, Yosef Shatsky, Amir Epstein, Ronen Kat

Deduplicated Storage Danny Harnik, Moshik Hershcovitch, Yosef Shatsky, Amir Epstein, Ronen Kat

IBM Research - Haifa Sketching Volume Capacities in Deduplicated Storage Danny Harnik, Moshik Hershcovitch, Yosef Shatsky, Amir Epstein, Ronen Kat Previous Works on Estimating Data Reduction Plenty of previous works on data reduction

352 views • 17 slides
Introduction to Temporal Logic Mads Dam Theoretical Computer Science KTH, 2015 About the Course

Introduction to Temporal Logic Mads Dam Theoretical Computer Science KTH, 2015 About the Course

Introduction to Temporal Logic Mads Dam Theoretical Computer Science KTH, 2015 About the Course Lecturers Content Examination Lecture material Registration What is TL About? Formalised properties of time-varying systems

1.04k views • 41 slides
Temporal Temporal Radiance Caching Radiance Caching Pascal Gautron R&D Engineer Thomson

Temporal Temporal Radiance Caching Radiance Caching Pascal Gautron R&D Engineer Thomson

Practical Global Illumination With Irradiance Caching August 2008 (SIGRAPH 2008 Class) Temporal Temporal Radiance Caching Radiance Caching Pascal Gautron R&D Engineer Thomson Corporate Research France P. Gautron Practical Global

578 views • 33 slides
CS6480: Model Checking and TLC Robbert van Renesse Cornell University What is formal

CS6480: Model Checking and TLC Robbert van Renesse Cornell University What is formal

CS6480: Model Checking and TLC Robbert van Renesse Cornell University What is formal verification? Does so&ware correctly implement a specifica3on? Does so&ware have desired proper3es (safety, liveness, other)? Is a par3cular

1.25k views • 47 slides
Hands, objects, and videotape: recognizing object interactions from streaming wearable cameras

Hands, objects, and videotape: recognizing object interactions from streaming wearable cameras

Hands, objects, and videotape: recognizing object interactions from streaming wearable cameras Deva Ramanan UC Irvine Students doing the work Greg Rogez Hamed Pirsiavash Mohsen Hejrati Post-doc, looking to Former student, now Current

974 views • 70 slides
CSE 158 Lecture 16 Web Mining and Recommender Systems T emporal data mining This week

CSE 158 Lecture 16 Web Mining and Recommender Systems T emporal data mining This week

CSE 158 Lecture 16 Web Mining and Recommender Systems T emporal data mining This week Temporal models This week well look back on some of the topics already covered in this class, and see how they can be adapted to make use of temporal

531 views • 40 slides
Analysis of Peer Review data from WoS Data part 3: temporal analyses Temporal distributions

Analysis of Peer Review data from WoS Data part 3: temporal analyses Temporal distributions

Peer Review from WoS V. Batagelj, A. Ferligoj Analysis of Peer Review data from WoS Data part 3: temporal analyses Temporal distributions Temporal networks Vladimir Batagelj and Anu ska Ferligoj Results Conclusions University of

543 views • 32 slides

More recommend