Increasingly system software and user applications are becoming automated and thus many of inter machine communications are not user action driven. Some of these automated communications like OS updates, database synchronization will not pose security threats, while others can have malicious behavior. Automated communications pose a threat to the security of systems if initiated by unwanted programs like keyloggers and Botnets. As these applications are programmed to contact a peer host regularly, most of these communications are periodic in nature. In this chapter we describe a method for detecting periodic communications by analyzing network flows for security monitoring. In particular we use a clustering technique to identify periodic communications between hosts. We experiment with both simulated and real world data to evaluate the efficacy of method.
Top1. Introduction
The global Internet landscape is changing due to growing number users, increasing network bandwidth, intelligent applications and increasing number of mobile user base. Each of these dimensions bring a kind of challenge to the networking community. Accommodating and serving diverse user base with varied demands is a challenge in itself. While the network bandwidth is increasing there are always bandwidth hungry applications which are ready to consume it. For example peer to peer applications may consume lot of bandwidth. Providing a fair access share to all the applications is a problem many ISPs are striving to address. To address and understand all these issues network traffic is monitored and modeled. In this chapter we study a problem which is an implication of intelligent applications in the network.
As applications and machines are becoming intelligent increasingly intermachine communications are getting automated. There are range of applications from system software to user applications which exhibit automated communications. System software like operating system update managers are programmed to contact peer server periodically searching for updates. On the other hand user applications like database system may be taking backup of data every few hours. Internet routers often exchange hello messages to maintain and update update routing tables. While these applications are useful there are other malicious applications like keyloggers which collect user keystrokes and export the collected data periodically to a remote server. A Botnet application or spyware running as a background application may be initiating periodic communications with a peer host. A P2P botnet application running in a host constantly search for peer nodes and anticipate commands from the master under which it is operating. Both useful and malicious applications results into intermachine communication which are not user action driven. Since these communications are not user action driven, a system administrator may be interested in monitoring all the interactions of a host has with the peers and find what is being exchanged and nature of such interactions.
Automated communications can be due to applications which are banned from being used in many organizations like peer to peer applications (Bartlett, 2010) or a port scanning attempt (Treurniet, 2011). A significant portion of these automated communications show periodicity or regularity in their communication (Gates, 2006; Bartlett, 2009). Detection of periodic communications can help identifying these applications whether malicious or otherwise. There are several works in the literature for detecting applications which exhibit regularity in communication. Techniques like Botnet Detection (Qiao, Yang, He, Tang & Zeng, 2013; Yin, Song, Egele, Kruegel & Kirda, 2007; Felix, Joseph & Ghorbani, 2012; Feily, Shahrestani & Ramadass, 2009), Port Scanning Detection (Ertoz et al., 2004; Gates 2006), Anomaly Detection (Kim, Kong, Hong, Chung & Hong, 2004; Xu, Zhang & Bhattacharyya, 2008; Treurniet, 2011; Ertoz et al., 2004; Chandola & Kumar, 2007; Rahbarinia, Perdisci, Lanzi & Li, 2014), Key logger Detection (Ortolani, Giuffrida & Crispo, 2010; Zhu et al., 2011), Peer-to-Peer Application Detection (Iliofotou et al., 2011; Plonka & Barford, 2011; Jaber, Cascella & Barakat, 2012; Sperotto et al., 2010) etc. belong to this category. However there are very few works reported in the literature which are generic and identify common behavior patterns across the spectrum of applications. Identifying periodic communications is important for system security as a range of malicious applications also show periodicity.
In this chapter we describe a technique for identifying periodic communications between hosts by analyzing network flows. We make following specific contributions in this chapter.