l ow r ate f low l evel p eriodicity d etection
play

L OW -R ATE , F LOW -L EVEL P ERIODICITY D ETECTION Genevieve - PowerPoint PPT Presentation

Sep 05, 2022 •152 likes •538 views

University of Southern California: ISI L OW -R ATE , F LOW -L EVEL P ERIODICITY D ETECTION Genevieve Bartlett 1 , John Heidemann 1 , Christos Papapdopoulos 2 1 USC/Information Sciences Institute Marina del Rey, CA 2 Colorado State University, Ft.

  1. University of Southern California: ISI L OW -R ATE , F LOW -L EVEL P ERIODICITY D ETECTION Genevieve Bartlett 1 , John Heidemann 1 , Christos Papapdopoulos 2 1 USC/Information Sciences Institute Marina del Rey, CA 2 Colorado State University, Ft. Collins, CO

  2. M OTIVATION It’s 10pm, do you know what your computer’s doing??  Automatic computer initiated communication  More complex systems = more computer initiated communication 1

  3. L OW -R ATE AND P ERIODIC C ONNECTIONS  Subset of computer initiated: periodic connections  Find periodic series in aggregate traffic with signal processing  Flow-level  Event = connection start  Our methods could apply to many other events  Low-Rate: 2s to several hours (Days? Weeks?) 2

  4. A PPLIES TO M ANY A PPLICATIONS  Many applications are low-rate periodic:  User services (30-120 mins)  WeatherEye  MacOS Dashboard apps  Clock applet in Gnome (Linux)  RSS News Feeds (30-60mins)  Web Counters (5-30mins)  http refresh  Peer-to-Peer (~20-30 mins)  Adware (minutes to hours)  Spyware  Botnet Command & Control 3

  5. C ONTRIBUTIONS  Low-rate periodicity as a phenomenon of interest  Low-rate periodicity prevalent in real- world traffic  Novel method for detection  Demonstration of applications  Self-surveillance (GI paper)  Pre-filtering for detection triage 4

  6. C ONTRIBUTIONS  Low-rate periodicity as a phenomenon of interest  Low-rate periodicity prevalent in real- world traffic  Novel method for detection  Demonstration of applications  Self-surveillance (GI paper)  Pre-filtering for detection triage 5

  7. C ONTRIBUTIONS  Low-rate periodicity as a phenomenon of interest  Low-rate periodicity prevalent in real- world traffic  Novel method for detection  Demonstration of applications  Self-surveillance (GI paper)  Pre-filtering for detection triage 6

  8. A RE P ERIODIC A PPLICATIONS P REVALENT ?  Pick an interesting application  Malware!  How do we confirm periodic malware exists at USC?  No payload  Blacklisted sites  Aggregate traffic (groups of ~20)  Determine which groups show periodic communication 7

  9. H OW P REVALENT IS P ERIODIC C OMMUNICATION ? Nearly a third show periodic behavior! ∴ We can find 1/3 blacklisted servers on our network looking at periodic behavior as a first pass. 8

  10. C ONTRIBUTIONS  Low-rate periodicity as a phenomenon of interest  Low-rate periodicity prevalent in real- world traffic  Novel method for detection  Demonstration of applications  Self-surveillance (GI paper)  Pre-filtering for detection triage 9

  11. T YPICAL A PPROACH TO F INDING P ERIODIC E VENTS Network events > time series > FFT >analysis FFT Time Frequency 10

  12. W HAT A RE W E L OOKING F OR ?  Given network data:  Is there a periodic event?  If so, what is the period?  Location in time: Start/Stop of events Events Time 11

  13. G OALS AND D ESIGN Preserve time information wavelets Simple representation Haar wavelet basis: and implementation differencing/averaging match for sharp changes Low-rate periods Coarse time bins ~1min+ Large range of Iterative filter-bank frequencies Full decomposition 12

  14. M ULTIRESOLUTION A NALYSIS : S INGLE P ATH Different paths give different frequency splits. Can focus in on a frequency range, if we know which we want a priori. 13

  15. M ULTIRESOLUTION A NALYSIS : F ULL  Full decomposition  We examine multiple frequency ranges  Level of decomp determined by length and sample rate of original data 14

  16. V ISUALIZATION Original Time Series Level of decomp cv 15

  17. V ISUALIZATION Level of decomp 16

  18. V ISUALIZATION High time Res. Level of decomp High freq. Res. 17

  19. V ISUALIZATION (30min)Longer periods Shorter periods (2s) High time Res. Level of decomp High freq. Res. 18

  20. V ISUALIZATION (30min)Longer periods Shorter periods (2s) High time Res. Level of decomp High freq. Res. 19

  21. A RTIFICIAL E XAMPLE : 8 S P ERIOD (30min)Longer periods Shorter periods (2s) High time Res. Level of decomp High freq. Res. base harmonics 20

  22. A RTIFICIAL E XAMPLE : 8 S P ERIOD (30min)Longer periods Shorter periods (2s) High time Res. Level of decomp High freq. Res. base harmonics 21

  23. V ISUALIZATION : R EAL - WORLD E XAMPLE BitTorrent client communicating with tracker (hours)Longer periods Shorter periods (128s) High time Res. Level of decomp High freq. Res. 300s update with BitTorrent Tracker 22

  24. A UTOMATIC D ETECTION  Detection of period  Empirically derived threshold on energy  Threshold dependent on frequency range and decomposition level  Too few decompositions, not focused on frequency range  Too many decompositions, energy spreads out  Detection of when a change occurs  Start and stop of a periodic series of events  Move backwards on levels of decomposition to get more time resolution  Details in techreport 23

  25. C ONTRIBUTIONS  Low-rate periodicity as a phenomenon of interest  Low-rate periodicity prevalent in real- world traffic  Novel method for detection  Demonstration of applications  Self-surveillance (GI paper)  Pre-filtering for detection triage 24

  26. A PPLICATIONS  Self-surveillance  Desktop user  Changes indicate problems: stop in OS updates, addition of adware etc.  Pre-filtering  Target apps with low-rate periodic com.  Reduce set of hosts to investigate  Eg. Target BitTorrent trackers 25

  27. S ELF -S URVEILLANCE D EMONSTRATION  Detect start or stop of periodic communication  Here we look at unwanted communication: installation of a keylogger  Applies to stop of wanted periodic communication too!  Detect install of Keyboard Guardian on Windows  Set to report every 3 hours  3 day monitoring  1st day, no keylogger  2nd day, install keylogger 26

  28. N UMERICAL D ETECTION OF E VENT Automatic Detection Identifies presence (at harmonic) Correctly identifies installation time (within a 9 hour window). 27

  29. V ISUAL D ETECTION OF C HANGE Before After Report every 3 hours (every 10,800s) harmonics 28

  30. S UMMARY OF S ELF -S URVEILLANCE  Automatic detection  Identifies a periodic series of events  Identifies changes in events and when those changes occur  Demonstrated  Keylogger: Addition of a bad series of periodic communication  OS updates: Removal of a good series of periodic communication (techreport) 29

  31. S ENSITIVITY TO N OISE  Signal-to-Noise ratio  1 signal connection:10-20 unrelated connections  Easily achievable with periods of user inactivity  Watch for a long enough window 30

  32. S UMMARY  Variety of applications show periodic behavior  New wavelet based approach to finding periodic behavior in aggregate traffic  Demonstrated use for self-surveillance  Techreport & GI paper:  http://www.isi.edu/~bartlett/pubs/ Bartlett09a.html  http://www.isi.edu/~bartlett/pubs/ Bartlett11a.pdf 31

  33. E XTRAS 32

  34. H OW TO Q UANTIFY S ENSITIVITY ?  Why?  Know when we work and when we won’t  Quantify sensitivity to noise  Fixed amount of background traffic  Vary frequency  Study base frequency energy  With background / No background 33

  35. S ENSITIVITY TO N OISE Need SNR of at least ~0.05-0.1 1 periodic connection for every 10-20 non-periodic connections 34

  36. I S E VASION P OSSIBLE ?  Yes: Jitter  How much jitter is enough?  Experiment: vary jitter, study detection  Artificial signal  Jitter varies by Gaussian random 35

  37. E VALUATING J ITTER FOR E VASION Greater than 15% hides signal. Not disruptive to operation: 1 hr period ± 10 mins 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter 8-2: Communit unity D Det etection Jilles Vreeken IRDM 15/16 3 Dec 2015 IRDM

Chapter 8-2: Communit unity D Det etection Jilles Vreeken IRDM 15/16 3 Dec 2015 IRDM

Chapter 8-2: Communit unity D Det etection Jilles Vreeken IRDM 15/16 3 Dec 2015 IRDM Chapter 8, overview The basics 1. Properties of Graphs 2. Frequent Subgraphs 3. Graph Clustering 4. Youll find this covered in: Aggarwal,

1.07k views • 60 slides
AKING L L ITER ACY E E FFO TS TO TO THE HE N N EX EXT L L EV EL : : ERAC FFORTS EVEL T HE HE L

AKING L L ITER ACY E E FFO TS TO TO THE HE N N EX EXT L L EV EL : : ERAC FFORTS EVEL T HE HE L

T AK AKING L L ITER ACY E E FFO TS TO TO THE HE N N EX EXT L L EV EL : : ERAC FFORTS EVEL T HE HE L EC ECTIO A A PPROAC ACH FO FOR E E NHAN ED I I MPAC ACT HANCED Kelly Kulsrud, EdM Nonie K. Lesaux, PhD lectioapproach.com Todays Na%onal

234 views • 11 slides
OBJECTIVES Introduction to Network 14 BSI Team Discuss focus facility selection Share

OBJECTIVES Introduction to Network 14 BSI Team Discuss focus facility selection Share

I NFECTION D ETECTION April 12, 2016 ORIENTATION WEBINAR JASON T. SIMMINGTON, MHS OBJECTIVES Introduction to Network 14 BSI Team Discuss focus facility selection Share goals of I NFECTION D ETECTION Explain project components

1.22k views • 54 slides
DEV EVEL ELOPMENT PMENTS S BET ETWEEN EEN 194 945 5 AND 1970. 70. A. DESCRIBE THE WARREN

DEV EVEL ELOPMENT PMENTS S BET ETWEEN EEN 194 945 5 AND 1970. 70. A. DESCRIBE THE WARREN

SSUSH SUSH23 23 THE E STUDENT UDENT WIL ILL L DES ESCRIBE CRIBE AND ASSESS SESS THE E IM IMPACT CT OF POLI LITIC TICAL AL DEV EVEL ELOPMENT PMENTS S BET ETWEEN EEN 194 945 5 AND 1970. 70. A. DESCRIBE THE WARREN COURT AND

547 views • 17 slides
EL ELEV EVATED TED BL BLOOD OOD LEA EAD D LEV EVEL ELS S AMO MONG NG BUR URMES MESE

EL ELEV EVATED TED BL BLOOD OOD LEA EAD D LEV EVEL ELS S AMO MONG NG BUR URMES MESE

EL ELEV EVATED TED BL BLOOD OOD LEA EAD D LEV EVEL ELS S AMO MONG NG BUR URMES MESE CHI HILDREN DREN IN IN FOR ORT T WAYNE NE, , IN IN: : ENVI VIRONMENT ONMENTAL AL RISK SK FACTORS ORS *A A CO COMPAR ARISON ISON

730 views • 26 slides
Direct ection n fo for d dev evel elopment ent o of nea f near infr nfrared ed-dy dyes

Direct ection n fo for d dev evel elopment ent o of nea f near infr nfrared ed-dy dyes

Direct ection n fo for d dev evel elopment ent o of nea f near infr nfrared ed-dy dyes s for or dye ye-se sensit sitiz ized d so sola lar c cells lls from rom the he view ew p point nt of el f elect ectron i n inj

456 views • 42 slides
Budget et D Dev evel elopmen ent P Proces ess Driven by the FPS Strategic Plan

Budget et D Dev evel elopmen ent P Proces ess Driven by the FPS Strategic Plan

Framingham Public Schools Where every child can and will reach high levels of achievement FY20 Budget - Joint Finance Subcommittees March 1 8, 201 9 Budget et D Dev evel elopmen ent P Proces ess Driven by the FPS Strategic Plan

109 views • 9 slides
Dev evel elopm pment nt of of Nov ovel el B Biothe otherap apeu eutics for for the

Dev evel elopm pment nt of of Nov ovel el B Biothe otherap apeu eutics for for the

Dev evel elopm pment nt of of Nov ovel el B Biothe otherap apeu eutics for for the Treatm the eatmen ent of of Tauopat auopathies Panor anoram ama Res esea earch, h, I Inc nc . Innov novat ative NeuroTec echno hnologi

378 views • 18 slides
2020 Lev evel el 1 Tutorials Chapter er 2 Residential acreage parcels of more than one acre

2020 Lev evel el 1 Tutorials Chapter er 2 Residential acreage parcels of more than one acre

Departmen ent of Local Gov overnmen nment Finance Cost Approa oach Part B 2020 Lev evel el 1 Tutorials Chapter er 2 Residential acreage parcels of more than one acre and not used for agricultural purposes are valued using the

789 views • 56 slides
Fa arm le evel e econo omics s and NZ ni itroge en leac ching g poli cy: be est fri iends

Fa arm le evel e econo omics s and NZ ni itroge en leac ching g poli cy: be est fri iends

Fa arm le evel e econo omics s and NZ ni itroge en leac ching g poli cy: be est fri iends s or un nhapp py ma arriag ge? Gra aeme Do oole 1,2 1 Cen ntre for Environ nmental E Econom ics and P Policy, Univer rsity of W Western

400 views • 39 slides
New ew Direct ections for Cur urricul ulum um Development nt & Facu culty Dev evel

New ew Direct ections for Cur urricul ulum um Development nt & Facu culty Dev evel

New ew Direct ections for Cur urricul ulum um Development nt & Facu culty Dev evel elopmen ent through a Consortium Approach Jess Gerrior Ira a Feldman an SCC Director of SCC Founder & Learning & Practice Managing

441 views • 15 slides
DA DAY-NR NRLM LM Sust staina inable ble Dev evel elopment opment Goa oals s DAY-

DA DAY-NR NRLM LM Sust staina inable ble Dev evel elopment opment Goa oals s DAY-

DA DAY-NR NRLM LM Sust staina inable ble Dev evel elopment opment Goa oals s DAY- NRLM OVERVIEW Centre- piece of Government of Indias rural poverty alleviation strategy - Based on ground tested best practices in Bihar and the

1.26k views • 36 slides
North E Evel eleigh open pen spa pace a and com community u uses (C (Clothi hing S Stor

North E Evel eleigh open pen spa pace a and com community u uses (C (Clothi hing S Stor

Central to Eveleigh Urban Transformation and Transport Program North E Evel eleigh open pen spa pace a and com community u uses (C (Clothi hing S Stor ore) w wor orkshop 31 M 1 March 20 2016 00 M 00 Month 20 2012 Welc elcom

1.17k views • 73 slides
Finding the good in EVEL: An evaluation of English Votes for English Laws in the House of

Finding the good in EVEL: An evaluation of English Votes for English Laws in the House of

Finding the good in EVEL: An evaluation of English Votes for English Laws in the House of Commons Daniel Gover and Michael Kenny Mile End Institute Queen Mary University of London 28 November 2016, Houses of Parliament Research project

792 views • 16 slides
Evel Evelyne Can Canter errann nne Flavoractiv Structuring Sensory Practices for Excellence

Evel Evelyne Can Canter errann nne Flavoractiv Structuring Sensory Practices for Excellence

Evel Evelyne Can Canter errann nne Flavoractiv Structuring Sensory Practices for Excellence in Gin Quality & Innovation Gin a widely consumed distilled beverage Neutral Juniper Spirits Berries Variety of Botanicals (e.g.,

219 views • 21 slides
Toolkit Rec ecovery Ho Housi using Dev evel elopm pmen ent T Toolkit BUDGET T TOOL

Toolkit Rec ecovery Ho Housi using Dev evel elopm pmen ent T Toolkit BUDGET T TOOL

Community Capital Assistance Project Toolkit Rec ecovery Ho Housi using Dev evel elopm pmen ent T Toolkit BUDGET T TOOL OL This Excel Spread sheet will allow you to enter all of your accrued/expected development and

413 views • 20 slides
02 - Introduction to Security With material from Dave Levin, Mike Hicks Ad: Joe Bonneau

02 - Introduction to Security With material from Dave Levin, Mike Hicks Ad: Joe Bonneau

02 - Introduction to Security With material from Dave Levin, Mike Hicks Ad: Joe Bonneau tomorrow Comments on the reading Defining security properties Threat modeling Defensive strategies Intro to encryption Defining

907 views • 52 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE

Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE

A RIZONA S TATE U NIVERSITY Malware Forensics Sukwha Kyung The Center for Cybersecurity and Digital Forensics A RIZONA S TATE U NIVERSITY Common Types of Attacks Phishing Malware SQLi XSS MITM DoS Brute-force &

858 views • 55 slides
Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit

Threats to Mobile Devices Possible attack threats to mobile devices Network exploit Hackers takes advantage of vulnerability or flaw of users web browser on mobile device in WiFi communication to attack victims. Hackers send

464 views • 30 slides
Digital signing Digital signing an upcomming service for all apache projects Target of project:

Digital signing Digital signing an upcomming service for all apache projects Target of project:

Digital signing Digital signing an upcomming service for all apache projects Target of project: Use symantec as provider Infra-root as Enterprise Service Provider PMC as Software Publishers Provide signing for microsoft jani

359 views • 8 slides
Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad

Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad

Kharon dataset: Android malware under a microscope Nicolas Kiss Jean-Franois Lalande Mourad Leslous Valrie Viet Triem Tong The LASER Workshop 2016 Learning from Authoritative Security Experiment Results May 26th 2016 N. Kiss & J.-F.

367 views • 18 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides
Good Morning! INT1004 Computers for Business Ulrich Werner Multimedia: Text plus Why

Good Morning! INT1004 Computers for Business Ulrich Werner Multimedia: Text plus Why

Good Morning! INT1004 Computers for Business Ulrich Werner Multimedia: Text plus Why putting a focus on text? Multimedia: Text plus Discovering Computers Technology in a World of Computers, Mobile Devices, and the Internet Chapter

1.16k views • 81 slides

More recommend