OVERVIEW
■ Scope and objective
■ Introduction
■ Literature Review – Botnets and Related Work
■ Methodologies – Autoencoders and Main stages
■ Empirical Evaluation
■ Discussion and Results
■ Conclusion
■ References
SCOPE AND OBJECTIVE
INTRODUCTION
WHAT ARE BOTNETS?
■ A logical connection of Internet-connected devices
■ E.g. computers, smartphones, IoT devices
■ Each device's security has been breached and control ceded to a third party
BOTNET INFECTIONS
BOTNET ARCHITECTURE
BOTNETS - OPERATIONAL STEPS
■ Propagation
■ Infection
■ C&C Communication
■ Execution of Attacks
RELATED WORK – BOTNET DETECTION METHODS
■ Detection approaches
Host-based
Network-based
■ Heterogeneity tolerance
■ Open world
■ Efficiency
METHODOLOGY
Deep autoencoders: for each device, train on its benign traffic
New data: the device's autoencoder is applied to new data from that IoT device
Anomalies: anomalies are detected; the device is possibly infected or compromised
AUTOENCODERS
■ Unsupervised ANN
■ Learns to compress and encode data
■ Learns to reconstruct the data from the coded representation, as close as possible to the original input
■ Reduces data dimensionality – ignores noise in the data
■ Components:
Encoder
Bottleneck
Decoder
Reconstruction loss
■ Back-propagation – minimizes the reconstruction loss
AUTOENCODERS FOR ANOMALY DETECTION
■ Requires correlated input data
■ The encoding depends on the correlations between features
■ Train an autoencoder on a data set
Pass an image from that data set – reconstruction error is low
Pass a random image/anomaly – reconstruction error is high
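The following is an added example, not code from the slides or from the N-BaIoT paper, that shows the pieces listed above working together: a 3-1-3 linear autoencoder (encoder, one-unit bottleneck, decoder) trained by back-propagation on constructed benign data whose three features are correlated, a detection threshold set from the reconstruction error of held-out benign samples, and the much larger error produced by an input of similar magnitude that breaks the correlation. The data generator, the network size, the threshold rule (mean plus three standard deviations of the held-out error) and the anomaly vector are all assumptions made for the example.

```python
import random


def make_benign(n, rng, noise=0.05):
    """Constructed benign samples: three correlated features (t, 2t, -t)
    plus small Gaussian noise, standing in for correlated traffic statistics."""
    data = []
    for _ in range(n):
        t = rng.uniform(-1.0, 1.0)
        data.append([t,
                     2.0 * t + noise * rng.gauss(0.0, 1.0),
                     -t + noise * rng.gauss(0.0, 1.0)])
    return data


class LinearAutoencoder:
    """Encoder (dim -> 1), a one-unit bottleneck and decoder (1 -> dim), all linear."""

    def __init__(self, dim, rng):
        self.w_enc = [rng.uniform(-0.1, 0.1) for _ in range(dim)]
        self.w_dec = [rng.uniform(-0.1, 0.1) for _ in range(dim)]

    def encode(self, x):
        return sum(w * xi for w, xi in zip(self.w_enc, x))      # bottleneck code

    def reconstruct(self, x):
        h = self.encode(x)
        return [w * h for w in self.w_dec]

    def error(self, x):
        """Reconstruction loss: squared error between input and reconstruction."""
        return sum((r - xi) ** 2 for r, xi in zip(self.reconstruct(x), x))

    def train(self, data, epochs=500, lr=0.05):
        """Full-batch gradient descent on the reconstruction loss (back-propagation)."""
        n, dim = len(data), len(self.w_enc)
        for _ in range(epochs):
            g_enc, g_dec = [0.0] * dim, [0.0] * dim
            for x in data:
                h = self.encode(x)
                d_out = [2.0 * (w * h - xi) for w, xi in zip(self.w_dec, x)]  # dL/d(reconstruction)
                d_h = sum(w * d for w, d in zip(self.w_dec, d_out))           # dL/d(code) via decoder
                for i in range(dim):
                    g_dec[i] += d_out[i] * h
                    g_enc[i] += d_h * x[i]
            for i in range(dim):
                self.w_dec[i] -= lr * g_dec[i] / n
                self.w_enc[i] -= lr * g_enc[i] / n


def fit_detector(train, calib, rng, k=3.0):
    """Train on benign data, then set the threshold from held-out benign errors
    (mean + k standard deviations; this rule is the example's own choice)."""
    ae = LinearAutoencoder(len(train[0]), rng)
    ae.train(train)
    errs = [ae.error(x) for x in calib]
    mean = sum(errs) / len(errs)
    std = (sum((e - mean) ** 2 for e in errs) / len(errs)) ** 0.5
    return ae, mean + k * std


def is_anomalous(ae, threshold, x):
    return ae.error(x) > threshold


def run_example():
    rng = random.Random(7)
    benign = make_benign(80, rng)
    ae, threshold = fit_detector(benign[:64], benign[64:], rng)
    on_manifold = [0.3, 0.6, -0.3]   # obeys the learned correlation (t, 2t, -t)
    anomaly = [0.5, -1.0, 0.5]       # similar magnitude, correlation broken
    return {
        "threshold": threshold,
        "benign_error": ae.error(on_manifold),
        "benign_flagged": is_anomalous(ae, threshold, on_manifold),
        "anomaly_error": ae.error(anomaly),
        "anomaly_flagged": is_anomalous(ae, threshold, anomaly),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

The one-unit bottleneck can only pass the direction shared by the three correlated features, so any input off that direction cannot be rebuilt and its error lands far above the threshold; this is why the method needs correlated inputs and why, in the slides' setting, one model is trained per device on that device's own benign traffic.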
PROPOSED DETECTION METHOD
■ Data collection:
Capture raw traffic data in pcap format, using port mirroring on the switch
Collected immediately following the device's installation
■ Feature extraction:
Each arriving packet yields a behavioral snapshot of the hosts and protocols involved
Obtain the packet's context by extracting 115 traffic statistics over several temporal windows
Extract the same set of 23 features from each of five time windows: the most recent 100 ms, 500 ms, 1.5 s, 10 s and 1 min (5 × 23 = 115 statistics)
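An added example, not the paper's or the slides' own code, of how per-packet statistics over the five windows can be maintained incrementally without storing packets. It assumes exponentially decayed counters whose half-life equals the window length, tracks only the weight, mean and standard deviation of packet size for a single stream key, and runs on a constructed packet trace; the real 23-feature set and its host/channel/socket aggregations are not reproduced.

```python
import math
from collections import defaultdict

# The five temporal windows from the slides (most recent 100 ms ... 1 min).
WINDOWS_MS = (100, 500, 1500, 10_000, 60_000)


class DampedStats:
    """Incremental weight / mean / std of a value stream with exponential time
    decay, so old packets fade out instead of being dropped at a hard edge.
    Assumption (not from the slides): a sample's weight halves after one window."""

    def __init__(self, half_life_ms):
        self.lam = math.log(2.0) / half_life_ms
        self.last_t = None
        self.w = 0.0    # decayed count
        self.ls = 0.0   # decayed linear sum
        self.ss = 0.0   # decayed sum of squares

    def update(self, t_ms, x):
        if self.last_t is not None:
            d = math.exp(-self.lam * (t_ms - self.last_t))
            self.w, self.ls, self.ss = self.w * d, self.ls * d, self.ss * d
        self.last_t = t_ms
        self.w += 1.0
        self.ls += x
        self.ss += x * x

    def features(self):
        if self.w == 0.0:
            return (0.0, 0.0, 0.0)
        mean = self.ls / self.w
        var = max(self.ss / self.w - mean * mean, 0.0)   # clamp float round-off
        return (self.w, mean, math.sqrt(var))


class FeatureExtractor:
    """One DampedStats per (stream key, window). For each packet it emits
    weight/mean/std of packet size in every window: 3 x 5 = 15 features here."""

    def __init__(self, windows_ms=WINDOWS_MS):
        self.stats = defaultdict(lambda: [DampedStats(w) for w in windows_ms])

    def process(self, key, t_ms, size):
        vec = []
        for s in self.stats[key]:
            s.update(t_ms, size)
            vec.extend(s.features())
        return vec


def run_example():
    """Constructed trace: one IoT host sends 20 packets of 60 bytes 10 ms apart,
    then a single 1500-byte packet. Returns the feature vector after the steady
    burst and the vector after the large packet (layout: w, mean, std per window)."""
    fx = FeatureExtractor()
    key = "src=192.0.2.10"          # constructed stream key
    vec = None
    for i in range(20):
        vec = fx.process(key, t_ms=10 * i, size=60)
    steady = vec
    after_spike = fx.process(key, t_ms=200, size=1500)
    return steady, after_spike


if __name__ == "__main__":
    steady, after_spike = run_example()
    print("steady:", [round(v, 2) for v in steady])
    print("after spike:", [round(v, 2) for v in after_spike])
```

The point of the multiple windows shows up in the numbers: the 100 ms window retains far fewer packets (lower weight) than the 1 min window, and a single oversized packet moves the short window's standard deviation much more than the long one's, which is the kind of contrast the autoencoder can learn from.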
■ Continuous monitoring:
Apply the optimized model to the feature vectors extracted from continuously observed packets, marking each as benign or anomalous
Take a majority vote over a sequence of ws* consecutive marked instances to decide whether the stream is benign or anomalous
Issue an alert when an anomalous stream is detected
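An added example, not from the slides or the paper, of the windowed majority vote over per-packet verdicts. It runs on a constructed verdict stream with two isolated false positives and one sustained attack; the stream layout and the window sizes tried are assumptions, and the detector that produces the verdicts is not part of this block.

```python
from collections import deque


def stream_alerts(marks, ws):
    """Continuous monitoring step: `marks` is the per-packet verdict sequence
    from the anomaly detector (True = anomalous) in arrival order. The last ws
    verdicts are majority-voted; an alert is issued at the index where the
    stream first turns anomalous (one alert per anomalous run).
    Returns the list of alert indices."""
    window = deque(maxlen=ws)
    alerts = []
    stream_anomalous = False
    for i, mark in enumerate(marks):
        window.append(bool(mark))
        if len(window) < ws:
            continue                       # not enough history to vote yet
        majority = sum(window) * 2 > ws    # strict majority of the window
        if majority and not stream_anomalous:
            alerts.append(i)
        stream_anomalous = majority
    return alerts


def constructed_marks():
    """Constructed verdict stream: 60 packets, two isolated false positives
    (indices 7 and 30) and a real attack starting at index 50."""
    marks = [False] * 60
    marks[7] = marks[30] = True
    for i in range(50, 60):
        marks[i] = True
    return marks


if __name__ == "__main__":
    for ws in (1, 5):
        print(f"ws={ws}: alerts at {stream_alerts(constructed_marks(), ws)}")
```

With ws = 1 every isolated false positive becomes an alert; with ws = 5 the two stray verdicts are outvoted and the only alert fires a couple of packets into the real attack, which is the trade-off between false alarms and detection delay that the choice of ws* controls.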
EMPIRICAL EVALUATION
■ Lab setup – replicate an organizational data flow
■ Collect traffic data from 9 IoT devices
■ Botnets deployed: Mirai and BASHLITE
BASHLITE – set up a C&C server
■ Attacks executed
BASHLITE attacks
1) Scan: scanning the network for vulnerable devices
2) Junk: sending spam data
3) UDP: UDP flooding
4) TCP: TCP flooding
5) COMBO: sending spam data and opening a connection to a specified IP address and port
Mirai attacks
1) Scan: automatic scanning for vulnerable devices
2) Ack: ACK flooding
3) Syn: SYN flooding
4) UDP: UDP flooding
5) UDP plain: UDP flooding with fewer options, optimized for higher PPS
RESULTS AND DISCUSSION
CONCLUSION
■ The autoencoders for most IoT devices in the test set obtained a zero FPR
■ The difficulty of capturing normal traffic behavior varies among IoT devices and may be correlated with
the device's capabilities
the network communications it normally produces
■ A solid predictability score can be leveraged by large organizations
REFERENCES
■ N-BaIoT: Network-based Detection of IoT Botnet Attacks Using Deep Autoencoders
Yair Meidan, Michael Bohadana, Yael Mathov, Yisroel Mirsky, Dominik Breitenbacher, Asaf Shabtai, and Yuval Elovici
IEEE Pervasive Computing, vol. 17, no. 3, July-September 2018
■ Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection
Yisroel Mirsky, Tomer Doitshman, Yuval Elovici, and Asaf Shabtai, Ben-Gurion University of the Negev
arXiv:1802.09089v2 [cs.CR], 27 May 2018
THANK YOU
■ Any questions?