Detecting Coordinated Attacks with Traffic Analysis
Nikita Borisov - University of Illinois at Urbana-Champaign
Nov 10, 2010
PDF (8.6MB)
MP4 Video (439.5MB)
Abstract
Coordinated attacks, such as botnets, present a major threat to today's computing infrastructures. They are able to evade traditional detection techniques by using zero-day and polymorphic exploits, partitioning misbehavior, and encrypting communications. I will discuss our work that aims to identify the coordinated activity itself by analyzing the patterns of network communication and inferring information from whatever side information is available.
First, I will discuss the detection of linked network flows that relay traffic across compromised computers, called stepping stones. We use statistical techniques to locate timing correlation between flows, aided by active perturbation of network delays to insert a specialized pattern, called a watermark. I will show that the use of watermarks provides superior detection performance over passive correlation and present two watermark designs: RAINBOW, a low-overhead watermark for enterprise-level stepping stone detection, and SWIRL, a scalable design that can be used in the wide area.
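To make the passive-versus-active contrast concrete, here is an added toy model (not code from the talk, and not the RAINBOW or SWIRL design): an ingress monitor records a flow's inter-packet delays (IPDs), stretches or shrinks each IPD by a secret +-amp pattern, and a stepping stone then relays the flow with heavy random IPD jitter. The packet counts, delay ranges and jitter amplitude are constructed assumptions chosen so that plain Pearson correlation of the IPD sequences is weak while the watermark correlator still separates the linked flow from an unrelated one.

```python
import random

# Constructed model of stepping-stone detection via inter-packet delay (IPD) timing.
# Simplified illustration of a timing watermark; not the RAINBOW or SWIRL design.
N_PACKETS = 1000
AMP = 0.02      # watermark: each IPD is stretched or shrunk by 20 ms (assumed)
JITTER = 0.08   # relay/network perturbs every IPD by up to +-80 ms (assumed)

def make_flow(rng, n=N_PACKETS):
    """IPDs of a flow with little natural timing variation: 90-110 ms each."""
    return [rng.uniform(0.09, 0.11) for _ in range(n)]

def embed_watermark(ipds, bits, amp=AMP):
    """Ingress side delays packets so IPD i grows by +amp (bit 1) or shrinks by -amp (bit 0)."""
    return [d + (amp if b else -amp) for d, b in zip(ipds, bits)]

def relay(ipds, rng, jitter=JITTER):
    """Stepping stone forwards the flow; processing and network delay add IPD noise."""
    return [d + rng.uniform(-jitter, jitter) for d in ipds]

def pearson(xs, ys):
    """Passive correlation: similarity of two raw IPD sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5

def watermark_score(seen, recorded, bits, amp=AMP):
    """Active detection: correlate observed IPD shifts with the known +-amp pattern.
    About 1.0 when `seen` is the watermarked flow after relaying, about 0.0 otherwise."""
    signs = [1 if b else -1 for b in bits]
    shifts = [s - r for s, r in zip(seen, recorded)]
    return sum(sh * sg for sh, sg in zip(shifts, signs)) / (len(bits) * amp)

def run_demo(seed=7):
    rng = random.Random(seed)
    inbound = make_flow(rng)                               # recorded at the ingress
    bits = [rng.random() < 0.5 for _ in inbound]           # secret watermark pattern
    outbound = relay(embed_watermark(inbound, bits), rng)  # same session, after the relay
    unrelated = relay(make_flow(rng), rng)                 # some other outbound flow
    return {
        "passive_linked": pearson(inbound, outbound),
        "passive_unrelated": pearson(inbound, unrelated),
        "watermark_linked": watermark_score(outbound, inbound, bits),
        "watermark_unrelated": watermark_score(unrelated, inbound, bits),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:20s} {value:+.3f}")
```

The watermark correlator averages the jitter out over all packets while the known pattern adds coherently, which is why it keeps working where the passive statistic does not.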
I will then discuss our work on using community detection to locate groups of computers organized into a structured peer-to-peer topology. Our tool, BotGrep, finds tightly connected components in communication graphs using several graph-theoretic metrics and heuristics. It is designed to scale to very large data sets, allowing large core ISPs to detect previously unknown peer-to-peer botnets.
About the Speaker
Nikita Borisov is an assistant professor at the University of Illinois at Urbana-Champaign. His research interests are network security and online privacy. He is the co-designer of the "off-the-record" (OTR) instant messaging protocol and was responsible for the first public analysis of 802.11 security. He is also the recipient of the NSF CAREER award in 2010. Prof. Borisov received his PhD from the University of California, Berkeley in 2005 and a BMath from the University of Waterloo in 1998.
Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52, West Lafayette Campus.
© 1999-2013 Purdue University. All rights reserved.
Use/Reuse Guidelines
CERIAS Seminar materials are intended for educational, non-commercial use only and any or all commercial use is prohibited. Any use must attribute "The CERIAS Seminar at Purdue University." Opinions expressed in the recordings are not necessarily representative of the views of CERIAS or of Purdue University.