Abstract
Traditional firewalls, Intrusion Detection Systems(IDS) and analytics tools extensively use the “flow” connection concept, consisting of 5-tuples of source and destination IP, ports and protocol type, for classification and management of network activities. By analysing flows, information can be obtained from TCP/IP fields and packet content, to give an
understanding of the content being transferred within a single connection. As networks have evolved to incorporate more connections and greater bandwidth, from “always on” IoT devices to application to operating system analytics, so too have malicious network threats, whose communication methods have increased in sophistication. As a result, the concept of the 5 tuple flow in isolation is unable to detect such threats and malicious behaviours. This is due to a greater length of time and data being needed in order to understand the behaviour of the network traffic, which cannot be accomplished by observing a single connection.
To alleviate this issue, this paper proposes the use of additional, 2 tuple and single tuple flow types to associate multiple 5 tuple communications, with generated metadata used to profile individual connnection behaviour. This proposed approach enables advanced linking of different connections and behaviours, developing a clearer picture as to what network activities have been taking place over a prolonged period of time. To demonstrate the capability of this approach, an expert system rule set has been developed, using the ZeuS source code as reference to simultaneously utilise 5, 2 and single tuple flows to detect the presence of a multi-peered ZeuS botnet, which would not be possible using a standard IDS system observing 5 tuple flow types only. Finally, as the solution is rule based, this implementation can operate in real time and does not require the post-processing and analytics that other other research based solutions require. This paper aims to demonstrate possible applications for next generation firewalls and methods to acquire additional information from network traffic.
understanding of the content being transferred within a single connection. As networks have evolved to incorporate more connections and greater bandwidth, from “always on” IoT devices to application to operating system analytics, so too have malicious network threats, whose communication methods have increased in sophistication. As a result, the concept of the 5 tuple flow in isolation is unable to detect such threats and malicious behaviours. This is due to a greater length of time and data being needed in order to understand the behaviour of the network traffic, which cannot be accomplished by observing a single connection.
To alleviate this issue, this paper proposes the use of additional, 2 tuple and single tuple flow types to associate multiple 5 tuple communications, with generated metadata used to profile individual connnection behaviour. This proposed approach enables advanced linking of different connections and behaviours, developing a clearer picture as to what network activities have been taking place over a prolonged period of time. To demonstrate the capability of this approach, an expert system rule set has been developed, using the ZeuS source code as reference to simultaneously utilise 5, 2 and single tuple flows to detect the presence of a multi-peered ZeuS botnet, which would not be possible using a standard IDS system observing 5 tuple flow types only. Finally, as the solution is rule based, this implementation can operate in real time and does not require the post-processing and analytics that other other research based solutions require. This paper aims to demonstrate possible applications for next generation firewalls and methods to acquire additional information from network traffic.
| Original language | English |
|---|---|
| Title of host publication | 16th Annual Conference on Privacy, Security and Trust |
| Subtitle of host publication | August 28-30, 2018, Belfast, Northern Ireland, United Kingdom |
| Publisher | IEEE |
| Number of pages | 5 |
| DOIs | |
| Publication status | Early online date - 01 Nov 2018 |
| Event | Privacy, Security and Trust 2018 - Belfast, United Kingdom Duration: 28 Aug 2018 → 30 Aug 2018 |
Conference
| Conference | Privacy, Security and Trust 2018 |
|---|---|
| Abbreviated title | PST 2018 |
| Country | United Kingdom |
| City | Belfast |
| Period | 28/08/2018 → 30/08/2018 |
Keywords
- 5-tuple flow tables, Zeus botnet, Network Behavioural detection, Next generation firewall