-
PORTFILER: Port-Level Network Profiling for Self-Propagating Malware Detection
Authors:
Talha Ongun,
Oliver Spohngellert,
Benjamin Miller,
Simona Boboila,
Alina Oprea,
Tina Eliassi-Rad,
Jason Hiser,
Alastair Nottingham,
Jack Davidson,
Malathi Veeraraghavan
Abstract:
Recent self-propagating malware (SPM) campaigns compromised hundreds of thousands of victim machines on the Internet. It is challenging to detect these attacks in their early stages, as adversaries utilize common network services, use novel techniques, and can evade existing detection mechanisms. We propose PORTFILER (PORT-Level Network Traffic ProFILER), a new machine learning system applied to network traffic for detecting SPM attacks. PORTFILER extracts port-level features from the Zeek connection logs collected at a border of a monitored network, applies anomaly detection techniques to identify suspicious events, and ranks the alerts across ports for investigation by the Security Operations Center (SOC). We propose a novel ensemble methodology for aggregating individual models in PORTFILER that increases resilience against several evasion strategies compared to standard ML baselines. We extensively evaluate PORTFILER on traffic collected from two university networks, and show that it can detect SPM attacks with different patterns, such as WannaCry and Mirai, and performs well under evasion. Ranking across ports achieves precision over 0.94 with low false positive rates in the top ranked alerts. When deployed on the university networks, PORTFILER detected anomalous SPM-like activity on one of the campus networks, confirmed by the university SOC as malicious. PORTFILER also detected a Mirai attack recreated on the two university networks with higher precision and recall than deep-learning-based autoencoder methods.
Submitted 24 May, 2022; v1 submitted 27 December, 2021;
originally announced December 2021.
-
Report of the Third Global Experimentation for Future Internet (GEFI 2018) Workshop
Authors:
Mark Berman,
Timur Friedman,
Abhimanyu Gosain,
Kate Keahey,
Rick McGeer,
Ingrid Moerman,
Akihiro Nakao,
Lucas Nussbaum,
Kristin Rauschenbach,
Violet Syrotiuk,
Malathi Veeraraghavan,
Naoaki Yamanaka
Abstract:
The third Global Experimentation for Future Internet (GEFI 2018) workshop was held October 25-26, 2018 in Tokyo, Japan, hosted by the University of Tokyo. A total of forty-four participants attended, representing Belgium, Brazil, China, Denmark, France, Ireland, Japan, the Republic of Korea, and the United States. The workshop employed a mixed format of presentations and open group discussions to advance multi-national coordination and interoperation of research infrastructure for advanced networking and computer science research.
Major topic areas included: softwareization and virtualization of radios and networks; testbed support for networking experiments; EdgeNet; a federated testbed of elastic optical networks; and reproducibility in experimentation. Workshop goals included both the formulation of specific new research collaborations and strategies for coordination and interoperation of research testbeds.
Workshop outcomes include a variety of new and ongoing collaborative efforts, ranging from an agreement to pursue the development of optical "white boxes" in support of elastic optical testbeds to the identification of strategies for effective use of open-source software and hardware platforms in future research infrastructure.
Submitted 9 January, 2019;
originally announced January 2019.
-
High Speed Elephant Flow Detection Under Partial Information
Authors:
Jordi Ros-Giralt,
Alan Commike,
Sourav Maji,
Malathi Veeraraghavan
Abstract:
In this paper we introduce a new framework to detect elephant flows at very high speed rates and under uncertainty. The framework provides exact mathematical formulas to compute the detection likelihood and introduces a new flow reconstruction lemma under partial information. These theoretical results lead to the design of BubbleCache, a new elephant flow detection algorithm designed to operate near the optimal tradeoff between computational scalability and accuracy by dynamically tracking the traffic's natural cutoff sampling rate. We demonstrate on a real world 100 Gbps network that the BubbleCache algorithm helps reduce the computational cost by a factor of 1000 and the memory requirements by a factor of 100 while detecting the top flows on the network with very high probability.
Submitted 28 September, 2018; v1 submitted 6 January, 2017;
originally announced January 2017.
-
Implementation of PFC and RCM for RoCEv2 Simulation in OMNeT++
Authors:
Qian Liu,
Robert D. Russell,
Fabrice Mizero,
Malathi Veeraraghavan,
John Dennis,
Benjamin Jamroz
Abstract:
As traffic patterns and network topologies become more and more complicated in current enterprise data centers and TOP500 supercomputers, the probability of network congestion increases. If no countermeasures are taken, network congestion causes long communication delays and degrades network performance. A congestion control mechanism is often provided to reduce the consequences of congestion. However, it is usually difficult to configure and activate a congestion control mechanism in production clusters and supercomputers due to concerns that it may negatively impact jobs if the mechanism is not appropriately configured. Therefore, simulations for these situations are necessary to identify congestion points and sources, and more importantly, to determine optimal settings that can be utilized to reduce congestion in those complicated networks. In this paper, we use OMNeT++ to implement the IEEE 802.1Qbb Priority-based Flow Control (PFC) and RoCEv2 Congestion Management (RCM) in order to simulate clusters with RoCEv2 interconnects.
Submitted 11 September, 2015;
originally announced September 2015.