challenges in experimenting
play

Challenges in Experimenting with Botnet Detection Systems Adam - PowerPoint PPT Presentation

Nov 12, 2023 •327 likes •767 views

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen University of Pennsylvania August 8th, 2011 CSET-2011 1 Alice has developed a new botnet detector!!! What should the evaluation show? Alice's

  1. Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen University of Pennsylvania August 8th, 2011 CSET-2011 1

  2. Alice has developed a new botnet detector!!! What should the evaluation show? Alice's Detector August 8th, 2011 CSET-2011 2

  3. Ideal Alice deploys her detector live on her local network Alice is provided with a list of hosts that are botnet infected Alice deploys her detector on various other networks Academic, Residential, Corporate, etc. Alice records traces of each deployment Improve detector in the lab Readily available to other researchers August 8th, 2011 CSET-2011 3

  4. Realities Production-ready deployment? Ground truth of botnet infections? Deployment on various networks? Record trace and replay experiment? Traces available to other researchers? August 8th, 2011 CSET-2011 4

  5. T aking a Step Back August 8th, 2011 CSET-2011 5

  6. Many Challenges Multiple Administrative Focus on Academic Domains Networks Network Heterogeneity Scale Multimorbidity Mixing Artifacts Privacy False Postives & Negatives Controlled Environments Artifact Overfitting Repeatability Botnet Overfitting Comparability Lack of Verification August 8th, 2011 CSET-2011 6

  7. privacy August 8th, 2011 CSET-2011 7

  8. We have to worry about privacy, but the botnet authors don't! August 8th, 2011 CSET-2011 8

  9. Can we do better together? August 8th, 2011 CSET-2011 9

  10. Discussion/T opics/Questions Experimental Ideals vs. Realities Not just botnet detectors ... Raw Materials of the Experiment Sharing and Obtaining Traces Botnet and Background Traces Can we do better via collaboration? August 8th, 2011 CSET-2011 10

  11. Presentation Outline Ideal vs. Reality Experimental Challenges Overlay Methodology Pitfalls Obtaining Traces Sharing Traces What can be done? August 8th, 2011 CSET-2011 11

  12. Alice has developed a new botnet detector!!! What should the evaluation show? Alice's Detector August 8th, 2011 CSET-2011 12

  13. Ideal vs. Reality Alice deploys her detector live on her Production-ready deployment? local network Alice is provided with list of hosts that are botnet infected Ground truth of botnet infections? Alice deploys her detector on other Deployment on various various networks networks? Corporate, Residential, Corporate, etc. Record trace and replay Alice records traces of each experiment? deployment Improve detector in the lab Readily available to other researchers Traces available to other researchers? August 8th, 2011 CSET-2011 13

  14. Evaluation Realities Performance Realistic Settings Network Heterogeneity Multiple Administrative Domains Modernity Comparability Lack of Ground T ruth & Repeatability Overfitting Privacy August 8th, 2011 CSET-2011 14

  15. Pitfalls Experimental Challenges Overlay Methodology Pitfalls Obtaining Traces Sharing Traces What can be done? August 8th, 2011 CSET-2011 15

  16. Overlay Methodology v v v Internet v v v v Anonymizer v Network Trace August 8th, 2011 CSET-2011 16

  17. Replay and Evaluate Network Trace Detected 2 Bots! v v v v v v v v v v Collected Background Independently Trace is Sensitive August 8th, 2011 CSET-2011 17

  18. Prevalence in the Literature [13] [49] [15] [36] [46] [47] Overlay [41] [23] [6] Methodology [7] [28] [25] [24] [14] Other [20] [14] [45] Methodology [36] [11] [5] * See paper for references. August 8th, 2011 CSET-2011 18

  19. Advantages of Overlay Methodology v v v v v v v v v v Ground Truth August 8th, 2011 CSET-2011 19

  20. Pitfalls Experimental Challenges Overlay Methodology Pitfalls Obtaining Traces Sharing Traces What can be done? August 8th, 2011 CSET-2011 20

  21. Obtaining Traces Realism Merging of Botnet and Background trace should be realistic August 8th, 2011 CSET-2011 21

  22. Collecting Botnet Traces v August 8th, 2011 CSET-2011 22

  23. Realistic Embedding Residential ISP ? SPAM! v v v v v v v v v v August 8th, 2011 CSET-2011 23

  24. Mixing Artifacts v v v v v v v v v v v v DHCP August 8th, 2011 CSET-2011 24

  25. Multimorbidity v v v v v v v v v v v v v v August 8th, 2011 CSET-2011 25

  26. Obtaining Traces Realism Merging of Botnet and Background trace should be realistic Representativeness Reflect diversity in network scenarios August 8th, 2011 CSET-2011 26

  27. Focus on Academic Networks v v v v v v v v v v Corporate Business State University August 8th, 2011 CSET-2011 27

  28. Prevalence in the Literature At Least One Academic Traces Other Trace [13] [49] [15] [28] [25] [24] Overlay [36] [46] [47] [14] Methodology [41] [23] [6] [7] Other [20] [14] [45] [36] [11] [5] Methodology * See paper for references. August 8th, 2011 CSET-2011 28

  29. Scale v v v v v v v v v v v v vv v v vv v v v v v v v v v v v v v v v vv v v v v v v v v v v v v v v vv v v v v v v v v v vv v v v v v v v v v vv v vv v v v vv v v v v v v v v v v v v v v v v v v v v vv v v v vv v v v v v v v v vv v v v vv v v v v v v v v v v v v v v v vv v v v v v v v v v v v v v v v vv v v v v v v v v v vv v v v v v v v v v v v v v vv v v vv v v v v v v v v vv v v vv v v vv v v v v v v v v v v v v v v v v v v v v v vv vv vv v v v v v v v v v v v v vv vv August 8th, 2011 CSET-2011 29

  30. Obtaining Traces Realism Merging of Botnet and Background trace should be realistic Representativeness Reflect diversity in network scenarios Performance False postives and negatives August 8th, 2011 CSET-2011 30

  31. Lack of Verification v v v v v v v v v August 8th, 2011 CSET-2011 31

  32. Example From the Literature T aMD “ ” We suspect that the reason not every bot in the botnet was detected is due to the randomness in our choice of selected internal hosts to which the malware traffic was assigned, such that a selected internal host that was also contacting other suspicious subnets (not relevant to the botnet) is likely to bias the dimension reduction and clustering algorithm. August 8th, 2011 CSET-2011 32

  33. privacy August 8th, 2011 CSET-2011 33

  34. Sharing Traces v v v v v v v v v v Is the experiment independently repeatable? Can we do apples to apples comparison? August 8th, 2011 CSET-2011 34

  35. What can be done? Experimental Challenges Overlay Methodology Pitfalls Obtaining Traces Sharing Traces What can be done? August 8th, 2011 CSET-2011 35

  36. Observations Much of these challenges stem from difficulties in sharing and obtaining realistic data sets. Similar to problems faced by researchers studying large scale distributed systems ---> PlanetLab August 8th, 2011 CSET-2011 36

  37. Can we do better together? A PlanetLab for Botnet Detection? August 8th, 2011 CSET-2011 37

  38. Strawman Distributed Evaluation PlanetLab-like nodes on participating networks Cannot communicate network traces outside of network Researchers Deploy Detector Code on Nodes Reports are reviewed and declassified by sys-admins Researcher can test and debug on local node Incentives Sys-Admins gain access to bleeding edge detectors, for FREE! Researchers gain insight into usefulness of reports or “ground truth” August 8th, 2011 CSET-2011 38

  39. Address Challenges Performance Realistic Settings Network Heterogeneity Lack of Ground Truth Multiple Administrative Domains Modernity Comparability & Repeatability Overfitting Privacy August 8th, 2011 CSET-2011 39

  40. Huge Deployment Challenges Privacy Accountability August 8th, 2011 CSET-2011 40

  41. Conclusions T aking a step back Overlay Methodology Literature Review And, its pitfalls Ideal is hard Can we do better Ideal vs. Reality together? Privacy! PlanetLab for Sharing and Obtaining realistic traces Botnet detectors? August 8th, 2011 CSET-2011 41

  42. Backup August 8th, 2011 CSET-2011 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Experimenting on the World Wide Web Ulf-Dietrich Reips University of Tbingen, Germany Contact:

Experimenting on the World Wide Web Ulf-Dietrich Reips University of Tbingen, Germany Contact:

Reips, U.-D. (1996, October). Experimenting in the World Wide Web. Paper presented at the 1996 Society for Computers in Psychology conference, Chicago. Current e-mail address: ureips@genpsy.unizh.ch Experimenting on the World Wide Web

601 views • 22 slides
Pushing the boundaries of the SEP experimenting with new modes of research evaluation in the

Pushing the boundaries of the SEP experimenting with new modes of research evaluation in the

Pushing the boundaries of the SEP experimenting with new modes of research evaluation in the Dutch academic landscape Dr. Thed van Leeuwen Centre for Science and Technology Studies (CWTS), Leiden University Annual NARMA Meeting Lillestrom ,

528 views • 37 slides
Experimenting Smarter not Harder zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA - Taguchi

Experimenting Smarter not Harder zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA - Taguchi

I zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Experimenting Smarter not Harder zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA - Taguchi Methods Stella Q"vmd BAE SYSTEMS ISMOR 1 1 1 The Problem Developed

127 views • 10 slides
Experimenting with Flexible D2D Communications in Current and Future LTE networks: A D2D Radio

Experimenting with Flexible D2D Communications in Current and Future LTE networks: A D2D Radio

Experimenting with Flexible D2D Communications in Current and Future LTE networks: A D2D Radio Technology Primer & Software Modem Implementation May, 18 th , 2017, Oulu-Finland Presented by: Dr. Antonis Gotsis, Feron Technologies P.C.

1.15k views • 25 slides
An Lightweight Infrastructure to Support Experimenting with Heterogeneous Transformations An

An Lightweight Infrastructure to Support Experimenting with Heterogeneous Transformations An

An Lightweight Infrastructure to Support Experimenting with Heterogeneous Transformations An Application of .NET Wolfgang Lohmann, Gnter Riedewald, Thomas Zhlke University of Rostock, Germany 31.5.2006 .Net Technologies 2006 1 Outline

541 views • 33 slides
Outline Introduction Variation Among Batches Variation Within Batches Experimenting

Outline Introduction Variation Among Batches Variation Within Batches Experimenting

Dennis R. Buckmaster Purdue University Agricultural & Biological Engineering Outline Introduction Variation Among Batches Variation Within Batches Experimenting on the farm How Example analysis Summary 1 Goals of

583 views • 22 slides
Experimenting Cognitive Radio Communication on FIT/CorteXlab Tanguy Risset and the FIT Team:

Experimenting Cognitive Radio Communication on FIT/CorteXlab Tanguy Risset and the FIT Team:

FIT/CorteXlab Experiment examples Links with R2Lab Conclusion Experimenting Cognitive Radio Communication on FIT/CorteXlab Tanguy Risset and the FIT Team: Leonardo Cardoso, Jean-Marie Gorce, Guillaume Villemaud, Florin Hutu, Matthieu Imbert,

512 views • 36 slides
Simulation for Experimenting HPC Systems Martin Quinson (Nancy University, France) et Al. Nancy,

Simulation for Experimenting HPC Systems Martin Quinson (Nancy University, France) et Al. Nancy,

Simulation for Experimenting HPC Systems Martin Quinson (Nancy University, France) et Al. Nancy, June 3 2010 Scientific Computation Applications Physics Nobel Price 1996 Classical Approaches in science and engineering Georges Smoot 1.

716 views • 53 slides
Experimenting along the road to 5G Adding adaptability to access networks Prof Luiz DaSilva

Experimenting along the road to 5G Adding adaptability to access networks Prof Luiz DaSilva

FUTEBOL Federated Union of Telecommunications Research Facilities for an EU-Brazil Open Laboratory Experimenting along the road to 5G Adding adaptability to access networks Prof Luiz DaSilva Trinity College Dublin WRNP Campos do Jordo, 7-8

557 views • 18 slides
Bioinformatics Vocabulary Processing, analyzing, experimenting with data Where does the

Bioinformatics Vocabulary Processing, analyzing, experimenting with data Where does the

Bioinformatics Vocabulary Processing, analyzing, experimenting with data Where does the data come from? How do we get it? What does it mean? What do we do with it? From nucleotide to protein to gene Identification is

452 views • 24 slides
Experimenting with quinoa: the Indian experience By: Atul Bhargava, Sudhir Shukla and Deepak Ohri

Experimenting with quinoa: the Indian experience By: Atul Bhargava, Sudhir Shukla and Deepak Ohri

International Quinoa Conference 2016: Quinoa for Future Food and Nutrition Security in Marginal Environments Dubai, 6-8 December 2016 www.quinoaconference.com Experimenting with quinoa: the Indian experience By: Atul Bhargava, Sudhir Shukla and

336 views • 30 slides
Samba, Quo Vadis? Experimenting with languages the Cool Kids use Kai Blin Samba Team SambaXP

Samba, Quo Vadis? Experimenting with languages the Cool Kids use Kai Blin Samba Team SambaXP

Samba, Quo Vadis? Experimenting with languages the Cool Kids use Kai Blin Samba Team SambaXP 2017 2017-05-03 Intro M.Sc. in Computational Biology Ph.D. in Microbiology Samba Team member 2/45 Overview Programming

776 views • 45 slides
Experimenting with Matrix federation over Yggdrasil Bachelor Semester Project Timothe Floure

Experimenting with Matrix federation over Yggdrasil Bachelor Semester Project Timothe Floure

Experimenting with Matrix federation over Yggdrasil Bachelor Semester Project Timothe Floure Responsible / Prof. Bryan Ford Supervisor / Cristina Basescu EPFL / DEDIS 2020-01-13 Timothe Floure (EPFL / DEDIS) Matrix over Yggdrasil

586 views • 20 slides
BISHOPS DAY in the Region MESSAGE CELEBRATIONS CHALLENGES CHALLENGES Trust CHALLENGES

BISHOPS DAY in the Region MESSAGE CELEBRATIONS CHALLENGES CHALLENGES Trust CHALLENGES

BISHOPS DAY in the Region MESSAGE CELEBRATIONS CHALLENGES CHALLENGES Trust CHALLENGES Urban Ministries CHALLENGES FINDING SHAPE for a CHANGING CHURCH CHALLENGES for GREATER NEW JERSEY 560 congregations 90,697 members

579 views • 15 slides
these paintings, as I feel this effects the overall experience of looking at them. I briefly

these paintings, as I feel this effects the overall experience of looking at them. I briefly

Exhibition 1 For the first exhibition of the Autumn term I was experimenting with different approaches to painting. Some paintings are more abstract than others. This would then help me decide which approach to take for future work/exhibitions.

181 views • 14 slides
Challenges & Opportunities for the Challenges & Opportunities for the Pharmaceutical

Challenges & Opportunities for the Challenges & Opportunities for the Pharmaceutical

Challenges & Opportunities for the Challenges & Opportunities for the Pharmaceutical Industry Dr Gino Martini FRPharmS EIPG President Why do I enjoy being an Industrial Pharmacist? Something happened here Sir Alexander Fleming & his

647 views • 46 slides
Compilers and computer architecture: Just-in-time compilation Martin Berger 1 December 2019 1

Compilers and computer architecture: Just-in-time compilation Martin Berger 1 December 2019 1

Compilers and computer architecture: Just-in-time compilation Martin Berger 1 December 2019 1 Email: M.F.Berger@sussex.ac.uk , Office hours: Wed 12-13 in Chi-2R312 1 / 1 Recall the function of compilers 2 / 1 Welcome to the cutting edge

778 views • 50 slides
IBM project Objective Bring IBM Power Systems back into the Top5 list Push

IBM project Objective Bring IBM Power Systems back into the Top5 list Push

MareNostrum Building and running the system Sergi Girona Lisbon, August 29th, 2005 Operations Head History: Three Rivers Project IBM project Objective Bring IBM Power Systems back into the Top5 list Push forward Linux

489 views • 24 slides
Bitcoin & Blockchain applied cryptography problems Adam Back <adam@blockstream.com>

Bitcoin & Blockchain applied cryptography problems Adam Back <adam@blockstream.com>

Bitcoin & Blockchain applied cryptography problems Adam Back <adam@blockstream.com> Cryptography adoption criteria Conservative security assumptions Or graceful security degradation Reasonably compact serialisation

1.18k views • 22 slides
Winter GLIF Tech 2012 Wrap-Up Baton Rouge, 25-26 January 2012 Day 1 Time Subject 13.30 -

Winter GLIF Tech 2012 Wrap-Up Baton Rouge, 25-26 January 2012 Day 1 Time Subject 13.30 -

Winter GLIF Tech 2012 Wrap-Up Baton Rouge, 25-26 January 2012 Day 1 Time Subject 13.30 - 13.45 Welcome, agenda overview - Lars Fischer (NORDUnet) 13.45 - 13.50 Tech WG administration, announcements - Lars Fischer (NORDUnet) 13.50 - 14.20

269 views • 10 slides
Enter a new world of web development where everything is serverless Whats possible and how

Enter a new world of web development where everything is serverless Whats possible and how

Enter a new world of web development where everything is serverless Whats possible and how will infrastructure be shaped in the future WAQ 18 Bastian Widmer - @dasrecht | @amazeeio Bonjour WAQ18! Bonjour WAQ18! Pardon my Franais - or

731 views • 55 slides
Infrastructure Cybersecurity Introduction to Concepts, Language, Policy About me Jack

Infrastructure Cybersecurity Introduction to Concepts, Language, Policy About me Jack

Understanding Critical Infrastructure Cybersecurity Introduction to Concepts, Language, Policy About me Jack Whitsitt | http://twitter.com/sintixerr | jack@energysec.org Broad Background Lived in a little hacker compound as a

850 views • 47 slides
Armageddon Redux The changing face of the Infocalypse DISCLAIMER The views expressed in

Armageddon Redux The changing face of the Infocalypse DISCLAIMER The views expressed in

Armageddon Redux The changing face of the Infocalypse DISCLAIMER The views expressed in this talk are my own and not approved by or representative of my employer or this conference. WHOIS @headhntr http://twitter.com/headhntr

914 views • 57 slides
Virtual Parent Meetings: Return-to-School Leslie Nichols, Superintendent August 5, 6, & 7,

Virtual Parent Meetings: Return-to-School Leslie Nichols, Superintendent August 5, 6, & 7,

Virtual Parent Meetings: Return-to-School Leslie Nichols, Superintendent August 5, 6, & 7, 2020 Schedule of Zoom Meetings Wednesday, August 5, 9:00am Wednesday, August 5, 5:30pm Thursday, August 6, 12:30pm Friday, August

298 views • 13 slides

More recommend