The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Nikita Borisov - University of Illinois at Urbana-Champaign

Students: Spring 2024, unless noted otherwise, sessions will be virtual on Zoom.

Detecting Coordinated Attacks with Traffic Analysis

Nov 10, 2010

PDF Slides PDF
Download: Video Icon MP4 Video Size: 439.5MB  
Watch on Youtube Watch on YouTube


Coordinated attacks, such as botnets, present a major threat to today's computing infrastructures. They are able to evade traditional detection techniques by using zero-day and polymorphic exploits, partitioning misbehavior, and encrypting communications. I will discuss our work that aims to identify coordinated activity itself by analyzing the patterns of network communication and inferring information via the available side information.

First, I will discuss the detection of linked network flows that relay traffic across compromised computers, called stepping stones. We use statistical techniques to locate timing correlation between flows, aided by active perturbation of network delays to insert a specialized pattern, called a watermark. I will show that the use of watermarks provides superior detection performance over passive correlation and present two watermark designs: RAINBOW, a low-overhead watermark for enterprise-level stepping stone detection, and SWIRL, a scalable design that can be used in the wide area.

I will then discuss our work on using community detection to locate groups of computers organized into a structured peer-to-peer topology. Our tool, BotGrep, finds tightly connected components in communication graphs using several graph-theoretic metrics and heuristics. It is designed to scale to very large data sets, allowing large core ISPs to detect previously unknown peer-to-peer botnets.

About the Speaker

Nikita Borisov
Nikita Borisov is an assistant professor at the University of Illinois at Urbana-Champaign. His research interests are network security and online privacy. He is the co-designer of the ``off-the-record'' (OTR) instant messaging protocol and was responsible for the first public analysis of 802.11 security. He is also the recipient of the NSF CAREER award in 2010. Prof. Borisov received his PhD from the University of California, Berkeley in 2005 and a BMath from the University of Waterloo in 1998.

Ways to Watch


Watch Now!

Over 500 videos of our weekly seminar and symposia keynotes are available on our YouTube Channel. Also check out Spaf's YouTube Channel. Subscribe today!