Detecting Coordinated Attacks with Traffic Analysis

Nikita Borisov

Nikita Borisov - University of Illinois at Urbana-Champaign

Nov 10, 2010

Coordinated attacks, such as botnets, present a major threat to today's computing infrastructures. They are able to evade traditional detection techniques by using zero-day and polymorphic exploits, partitioning misbehavior across many hosts, and encrypting communications. I will discuss our work, which aims to identify the coordinated activity itself by analyzing patterns of network communication and inferring what it can from the available side information.

First, I will discuss the detection of linked network flows that relay traffic across compromised computers, called stepping stones. We use statistical techniques to locate timing correlation between flows, aided by active perturbation of network delays to insert a specialized pattern, called a watermark. I will show that the use of watermarks provides superior detection performance over passive correlation and present two watermark designs: RAINBOW, a low-overhead watermark for enterprise-level stepping stone detection, and SWIRL, a scalable design that can be used in the wide area.
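The idea of a timing watermark can be made concrete with a small simulation. The block below is an added example written for this page, not code from the talk or the RAINBOW/SWIRL designs: a detector records the inter-packet delays (IPDs) of a flow entering a relay, delays the forwarded packets so that selected IPDs shift by a secret +/- pattern, and later tests whether another flow carries that pattern. The constants, the constructed traffic, and the symbol-per-alternate-IPD layout are all assumptions of the example.

```python
"""Constructed illustration of timing-watermark stepping-stone detection.

Generic IPD watermark for illustration only (not RAINBOW or SWIRL):
all parameters, names and traffic below are constructed for the example.
"""
import random

WATERMARK_LEN = 64          # number of IPDs that carry a watermark symbol
AMPLITUDE = 0.010           # watermark shift per symbol, seconds (10 ms)
BASE_HOLD = 2 * AMPLITUDE   # minimum hold on every forwarded packet, so a
                            # negative shift never sends before arrival
JITTER_SD = 0.004           # relay/network jitter on forwarded packets (s)


def make_flow(rng, n_packets, lo=0.040, hi=0.060):
    """Constructed packet arrival times with uniform IPDs in [lo, hi] seconds."""
    t, times = 0.0, []
    for _ in range(n_packets):
        t += rng.uniform(lo, hi)
        times.append(t)
    return times


def ipds(times):
    """Inter-packet delays of a timestamp sequence."""
    return [b - a for a, b in zip(times, times[1:])]


def watermark_pattern(secret, length):
    """Secret +1/-1 symbol pattern shared by embedder and detector."""
    rng = random.Random(secret)
    return [rng.choice((-1, 1)) for _ in range(length)]


def relay(times, pattern, rng):
    """Forward packets with watermark delays, FIFO ordering and jitter.

    Symbol i is carried by IPD 2*i: packet 2*i+1 is held for
    BASE_HOLD + pattern[i]*AMPLITUDE, its neighbours for BASE_HOLD only,
    so neighbouring symbols do not interfere with each other.
    """
    out, last = [], -1.0
    for k, t in enumerate(times):
        delay = BASE_HOLD
        if k % 2 == 1 and k // 2 < len(pattern):
            delay += pattern[k // 2] * AMPLITUDE
        # jitter may be negative but a packet is never sent before it arrived,
        # and FIFO forwarding means it cannot overtake the previous packet
        send = max(last, t + max(delay + rng.gauss(0.0, JITTER_SD), 0.0))
        out.append(send)
        last = send
    return out


def detect(in_times, out_times, pattern, threshold=AMPLITUDE / 2):
    """Correlate the outgoing-minus-recorded IPD shifts with the pattern.

    For a relayed flow each term is AMPLITUDE plus jitter noise; for an
    unrelated flow (or the wrong secret) the signed terms average to ~0.
    Returns (statistic in seconds, decision).
    """
    d_in, d_out = ipds(in_times), ipds(out_times)
    n = min(len(pattern), len(d_in) // 2, len(d_out) // 2)
    stat = sum(pattern[i] * (d_out[2 * i] - d_in[2 * i]) for i in range(n)) / n
    return stat, stat > threshold


def causal(in_times, out_times):
    """True if every packet leaves the relay no earlier than it arrived."""
    return all(o >= i for i, o in zip(in_times, out_times))


def run_example():
    """Relayed flow vs. an unrelated flow vs. the wrong secret (constructed data)."""
    traffic, noise = random.Random(1), random.Random(2)
    pattern = watermark_pattern("shared-secret", WATERMARK_LEN)
    inbound = make_flow(traffic, 200)
    outbound = relay(inbound, pattern, noise)       # genuine stepping stone
    unrelated = make_flow(traffic, 200)             # independent flow, same profile
    return {
        "relayed": detect(inbound, outbound, pattern),
        "unrelated": detect(inbound, unrelated, pattern),
        "wrong_key": detect(inbound, outbound, watermark_pattern("other", WATERMARK_LEN)),
        "causal": causal(inbound, outbound),
    }


if __name__ == "__main__":
    for name, result in run_example().items():
        print(f"{name:10s} {result}")
```

The detector needs the recorded inbound IPDs and the secret pattern; without the secret the signed sum averages out, which is what makes an active watermark harder to spoof or erase than a passive timing correlation.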

I will then discuss our work on using community detection to locate groups of computers organized into a structured peer-to-peer topology. Our tool, BotGrep, finds tightly connected components in communication graphs using several graph-theoretic metrics and heuristics. It is designed to scale to very large data sets, allowing large core ISPs to detect previously unknown peer-to-peer botnets.
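To show what "tightly connected components in a communication graph" looks like in practice, here is an added example (not BotGrep's own algorithm or code) that plants a structured peer-to-peer overlay among ordinary client/server traffic and recovers it with two simple graph-theoretic steps: k-core peeling to find a dense core, then pruning nodes whose edges mostly leave the candidate set, measured by conductance. The graph, host names, and thresholds are constructed for the example.

```python
"""Constructed illustration of finding a dense peer-to-peer component.

Two generic graph metrics (k-core, inside-edge ratio / conductance) are used
for illustration; they are not the metrics BotGrep itself uses.
"""
import random


def add_edge(adj, a, b):
    """Undirected edge; communication graphs here ignore direction."""
    if a != b:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)


def build_graph(rng, n_bots=30, n_hosts=200, n_servers=5, peers=8):
    """Constructed graph: a P2P overlay (each bot links to `peers` other bots)
    hidden among hosts that mostly talk to a few popular servers."""
    adj = {}
    bots = [f"bot{i}" for i in range(n_bots)]
    hosts = [f"host{i}" for i in range(n_hosts)]
    servers = [f"srv{i}" for i in range(n_servers)]
    for v in bots + hosts + servers:
        adj.setdefault(v, set())
    for b in bots:
        for p in rng.sample([x for x in bots if x != b], peers):
            add_edge(adj, b, p)
        add_edge(adj, b, rng.choice(servers))   # bots also use ordinary services
    for h in hosts:
        add_edge(adj, h, rng.choice(servers))
        add_edge(adj, h, rng.choice(hosts))     # occasional host-to-host traffic
    return adj, set(bots)


def k_core(adj, k):
    """Nodes of the largest subgraph in which every node has degree >= k
    (iterative peeling of low-degree nodes)."""
    alive = set(adj)
    deg = {v: len(adj[v]) for v in adj}
    changed = True
    while changed:
        changed = False
        for v in list(alive):
            if deg[v] < k:
                alive.remove(v)
                for u in adj[v]:
                    if u in alive:
                        deg[u] -= 1
                changed = True
    return alive


def conductance(adj, group):
    """Edges leaving the group divided by the group's total degree (0 = isolated)."""
    cut = sum(1 for v in group for u in adj[v] if u not in group)
    vol = sum(len(adj[v]) for v in group)
    return cut / vol if vol else 1.0


def prune_hubs(adj, group, min_inside=0.5):
    """Drop nodes with fewer than `min_inside` of their edges inside the group.
    Popular servers survive k-core peeling because several bots talk to them,
    but almost all of their traffic is with outside hosts."""
    group = set(group)
    changed = True
    while changed:
        changed = False
        for v in list(group):
            inside = sum(1 for u in adj[v] if u in group)
            if inside < min_inside * len(adj[v]):
                group.remove(v)
                changed = True
    return group


def find_p2p_group(adj, k=5):
    """Dense core, then hub pruning; returns (core, refined group, conductance)."""
    core = k_core(adj, k)
    refined = prune_hubs(adj, core)
    return core, refined, conductance(adj, refined)


if __name__ == "__main__":
    graph, planted = build_graph(random.Random(7))
    core, found, phi = find_p2p_group(graph)
    print(f"5-core size {len(core)}, refined group {len(found)}, "
          f"conductance {phi:.3f}, matches planted set: {found == planted}")
```

The k-core step alone tends to pull in popular servers (every bot also contacts one), which is why a second metric measuring how much of a node's traffic stays inside the candidate set is needed before reporting the component.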

About the Speaker

Nikita Borisov is an assistant professor at the University of Illinois at Urbana-Champaign. His research interests are network security and online privacy. He is the co-designer of the "off-the-record" (OTR) instant messaging protocol and was responsible for the first public analysis of 802.11 security. He is also the recipient of the NSF CAREER award in 2010. Prof. Borisov received his PhD from the University of California, Berkeley in 2005 and a BMath from the University of Waterloo in 1998.

