Peer Based Tracking using Multi-Tuple Indexing for Network Traffic Analysis and Malware Detection

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

Abstract

Traditional firewalls, Intrusion Detection Systems (IDS) and analytics tools extensively use the "flow" connection concept, consisting of the 5-tuple of source and destination IP address, source and destination port and protocol type, for classification and management of network activities. By analysing flows, information can be obtained from TCP/IP header fields and packet content to give an understanding of the content being transferred within a single connection. As networks have evolved to incorporate more connections and greater bandwidth, from "always on" IoT devices to application and operating system analytics, so too have malicious network threats, whose communication methods have increased in sophistication. As a result, the 5-tuple flow in isolation is unable to detect such threats and malicious behaviours, because a greater length of time and more data are needed to understand the behaviour of the network traffic than can be obtained by observing a single connection.
To alleviate this issue, this paper proposes the use of additional 2-tuple and single-tuple flow types to associate multiple 5-tuple communications, with generated metadata used to profile individual connection behaviour. This approach enables linking of different connections and behaviours, developing a clearer picture of what network activities have taken place over a prolonged period of time. To demonstrate the capability of this approach, an expert system rule set has been developed, using the ZeuS source code as reference, that simultaneously utilises 5-, 2- and single-tuple flows to detect the presence of a multi-peered ZeuS botnet, which would not be possible using a standard IDS observing 5-tuple flows only. Finally, as the solution is rule based, the implementation can operate in real time and does not require the post-processing and analytics that other research-based solutions require. This paper aims to demonstrate possible applications for next generation firewalls and methods to acquire additional information from network traffic.
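The following is an added illustration of the multi-tuple indexing idea described above; it is example code written for this page, not the authors' implementation. Each observed packet is recorded under its 5-tuple flow and, at the same time, under the 2-tuple (host pair) and 1-tuple (host) it belongs to, so that a rule can count distinct peers of a host and inspect the shape of each pairwise exchange. The `is_p2p_shaped` predicate, the `min_peers` threshold and the sample traffic are assumptions constructed for the example; they are not the paper's ZeuS-derived rule set.

```python
"""Multi-tuple flow indexing: every packet is recorded under a 5-tuple flow
key and, at the same time, under the 2-tuple (host pair) and 1-tuple (host)
it belongs to, so that rules can reason across connections instead of
inside a single one.

Example code written for this page; it is not the paper's implementation.
The traffic, the flow-shape predicate and the peer threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowStats:
    """Metadata kept per 5-tuple flow. 'fwd' is the direction of the first
    packet seen for the flow, 'rev' the reply direction."""
    first_ts: float
    last_ts: float = 0.0
    fwd_pkts: int = 0
    rev_pkts: int = 0
    bytes: int = 0


class MultiTupleIndex:
    """Three indexes updated together for each observed packet."""

    def __init__(self):
        self.five = {}                  # (src, sport, dst, dport, proto) -> FlowStats
        self.two = defaultdict(set)     # frozenset({hostA, hostB}) -> 5-tuple keys
        self.one = defaultdict(set)     # host -> peer hosts

    def observe(self, ts, src, sport, dst, dport, proto, size):
        key = (src, sport, dst, dport, proto)
        rev = (dst, dport, src, sport, proto)
        if rev in self.five:            # reply packet of an already-tracked flow
            key = rev
            st = self.five[key]
            st.rev_pkts += 1
        else:
            st = self.five.setdefault(key, FlowStats(first_ts=ts))
            st.fwd_pkts += 1
        st.bytes += size
        st.last_ts = ts
        # 2-tuple: all connections between this pair of hosts, any port/proto
        self.two[frozenset((src, dst))].add(key)
        # 1-tuple: every host this host has exchanged packets with
        self.one[src].add(dst)
        self.one[dst].add(src)


def is_p2p_shaped(key, st):
    """Per-flow predicate (an assumption for this example, not a ZeuS
    signature): UDP on unprivileged ports at both ends, answered by the peer."""
    _, sport, _, dport, proto = key
    return (proto == "udp" and sport > 1024 and dport > 1024
            and st.fwd_pkts > 0 and st.rev_pkts > 0)


def peer_mesh_hosts(index, min_peers=3):
    """Cross-connection rule: flag a host that has p2p-shaped exchanges with
    at least min_peers distinct peers. Each flow is unremarkable on its own;
    only the 1-tuple/2-tuple view reveals the mesh."""
    flagged = set()
    for host, peers in index.one.items():
        p2p_peers = [
            p for p in peers
            if any(is_p2p_shaped(k, index.five[k])
                   for k in index.two[frozenset((host, p))])
        ]
        if len(p2p_peers) >= min_peers:
            flagged.add(host)
    return flagged


def sample_packets():
    """Constructed packets (ts, src, sport, dst, dport, proto, bytes), not a
    real capture. 10.0.0.5 swaps one short UDP exchange with each of four
    peers; 10.0.0.7 only does a DNS lookup and an HTTP request."""
    peers = ["203.0.113.10", "198.51.100.20", "192.0.2.30", "203.0.113.40"]
    pkts = []
    for i, peer in enumerate(peers):
        t = float(i)
        pkts.append((t, "10.0.0.5", 10000 + i, peer, 20000 + i, "udp", 120))
        pkts.append((t + 0.1, peer, 20000 + i, "10.0.0.5", 10000 + i, "udp", 96))
    pkts += [
        (5.0, "10.0.0.7", 50123, "10.0.0.1", 53, "udp", 60),
        (5.1, "10.0.0.1", 53, "10.0.0.7", 50123, "udp", 120),
        (5.2, "10.0.0.7", 50124, "198.51.100.80", 80, "tcp", 600),
        (5.3, "198.51.100.80", 80, "10.0.0.7", 50124, "tcp", 1400),
    ]
    return pkts


def build_index(packets=None):
    idx = MultiTupleIndex()
    for pkt in packets or sample_packets():
        idx.observe(*pkt)
    return idx


if __name__ == "__main__":
    idx = build_index()
    print("5-tuple flows:", len(idx.five))
    print("flagged hosts:", peer_mesh_hosts(idx))
```

Seen through the 5-tuple index alone, 10.0.0.5 produces four two-packet UDP flows that look no different from the DNS exchange of 10.0.0.7; it is the 1-tuple peer set, checked against per-pair flow metadata, that separates the two hosts. A real deployment would also age out entries from all three indexes, since the 2-tuple and 1-tuple tables grow with every host pair ever seen.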
Language: English
Title of host publication: 16th Annual Conference on Privacy, Security and Trust
Subtitle of host publication: August 28-30, 2018, Belfast, Northern Ireland, United Kingdom
Publisher: IEEE
Number of pages: 5
DOI: 10.1109/PST.2018.8514165
Publication status: Early online date - 01 Nov 2018
Event: Privacy, Security and Trust 2018 - Belfast, United Kingdom
Duration: 28 Aug 2018 - 30 Aug 2018

Conference

Conference: Privacy, Security and Trust 2018
Abbreviated title: PST 2018
Country: United Kingdom
City: Belfast
Period: 28/08/2018 - 30/08/2018

Keywords

  • 5-tuple flow tables, Zeus botnet, Network Behavioural detection, Next generation firewall

Cite this

Hagan, M., Kang, B., McLaughlin, K., & Sezer, S. (2018). Peer Based Tracking using Multi-Tuple Indexing for Network Traffic Analysis and Malware Detection. In 16th Annual Conference on Privacy, Security and Trust: August 28-30, 2018, Belfast, Northern Ireland, United Kingdom IEEE . https://doi.org/10.1109/PST.2018.8514165
@inproceedings{23588367be0e4576bbfe0a2c2acd2cec,
title = "Peer Based Tracking using Multi-Tuple Indexing for Network Traffic Analysis and Malware Detection",
keywords = "5-tuple flow tables, Zeus botnet, Network Behavioural detection, Next generation firewall",
author = "Matthew Hagan and BooJoong Kang and Kieran McLaughlin and Sakir Sezer",
year = "2018",
month = "11",
day = "1",
doi = "10.1109/PST.2018.8514165",
language = "English",
booktitle = "16th Annual Conference on Privacy, Security and Trust",
publisher = "IEEE",
}
