Honeynet-based Collaborative Defense using Improved Highly Predictive Blacklisting Algorithm
Xi’an JiaoTong University
Xiaobo Ma, Jiahong Zhu, Zhiyu Wan, Jing Tao, Xiaohong Guan, Qinghua Zheng
Outlines
– Introduction
– Overview
– Algorithm
– Experiment
– Conclusion
Introduction: Background
Internet attacks: complicated & changing
Traditional defense: passive & delayed
Completely proactive defense: impossible
Relatively proactive defense: less delay
Introduction: Related work
GWOL (Global Worst Offender Listing)
LWOL (Local Worst Offender Listing)
HPB (Highly Predictive Blacklisting)
HPB's central idea:
– personalized blacklists for each contributor
– log-sharing system
– correlation between attackers and contributors
Introduction: Motivation
Limitations of HPB:
– dependent on data contributors
– single metric of attacker's severity
– fixed size of blacklists
To solve these problems: HCDF (honeynet-based collaborative defense framework)
Introduction: Central Idea
HCDF's advantages:
– honeynet
– multiple metrics of attacker's severity
– varying size of blacklists
HCDF's goal:
– blacklists with high hit rate and defense rate
– reduced time delay in defending against new attackers
HCDF Overview
[Figure: Schematic diagram of HCDF. Labels: attack, attack traffic, training process]
[Figure: IHPB algorithm process. Labels: IHPB, high similarity, blacklists]
[Figure: Defense (testing) process]
IHPB Algorithm: Data preparation
An attack event consists of:
1. attacker IP
2. victim's subnet address
3. port
4. duration
5. total packet size
IHPB Algorithm: Relevance Ranking
Fields used: attacker IP and victim's subnet address of each attack event.
Attacker-Victim Matrix (◎ = attacker attacked the subnet):
      v1  v2  v3  v4
a1        ◎       ◎
a2    ◎           ◎
a3        ◎   ◎   ◎
a4    ◎       ◎
IHPB Algorithm: Relevance Ranking
Fields used: attacker IP and victim's subnet address.

$K = \operatorname{rank}_i\{[(I - \alpha W)^{-1} - I]\,B\}$

B: Attacker-Victim Matrix (1 = attacker a_j attacked subnet v_i)
B     v1  v2  v3  v4
a1     0   1   0   1
a2     1   0   0   1
a3     0   1   1   1
a4     1   0   1   0

W: subnet similarity matrix (symmetric, 1 on the diagonal)
W     v1   v2   v3   v4
v1     1    0  1/4  1/6
v2     0    1  1/4  1/3
v3   1/4  1/4    1  1/6
v4   1/6  1/3  1/6    1
IHPB Algorithm: Relevance Ranking
K(i,j): the relevance rank of attacker a_j in subnet v_i (ranks are taken within each subnet; rank 1 = most relevant)
K     v1  v2  v3  v4
a1     2   1   3   1
a2     4   3   4   2
a3     1   2   1   3
a4     3   4   2   4
IHPB Algorithm: Attacker Severity
Metrics of attacker's severity, computed from all five event fields (attacker IP, victim's subnet address, port, duration, total packet size):
F(j): final severity of attacker a_j
I(a): number of unique subnets attacked
P(a): number of unique ports attacked
T(a): average duration of all attacks
B(a): average packet size in all attacks
IHPB Algorithm: Subnet Vulnerability
Metrics of subnet vulnerability, computed from all five event fields (attacker IP, victim's subnet address, port, duration, total packet size):
G(i): final vulnerability of victim subnet v_i
P(v): number of unique ports attacked
T(v): average duration of all attacks
B(v): average packet size in all attacks
I(v): number of unique attackers
IHPB Algorithm: Final Blacklist
Inputs:
– Relevance ranking K(i,j)
– Attacker severity F(j)
– Subnet vulnerability G(i)
Blacklisting:
1. Combined score: $F(i,j) = K(i,j) - \beta F(j)$
2. The larger G(i), the larger the blacklist length L(i) of subnet v_i (L: length of blacklists)
3. The L(i) attackers with the smallest F(i,j) form the final blacklist of subnet v_i
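The following Python program is an added worked example, not code from the slides or from the authors' HCDF implementation. It assembles the IHPB pipeline described on the Relevance Ranking, Attacker Severity, Subnet Vulnerability and Final Blacklist slides from constructed attack events: it builds the attacker-victim matrix B, derives a subnet similarity matrix W, evaluates K = rank_i{[(I − αW)^{-1} − I]B} exactly with fractions, computes the severity F(j) and vulnerability G(i) metrics, and selects each subnet's blacklist by the smallest F(i,j) = K(i,j) − βF(j). Everything the slides leave unstated is an assumption made here: W is taken as 1 on the diagonal and |shared attackers| / (|A_i| · |A_k|) off it (for the slide's B this reproduces the slide's W exactly); α = 1/2 and β = 2; the four severity and vulnerability metrics are each normalized by their maximum and averaged with equal weights; the blacklist length is L(i) = round(G(i)/max G · max_len), at least 1. The sample events are constructed, and because α is not given on the slides, the computed ranks need not match the slide's illustrative K table.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample events: (attacker, victim subnet, port, duration in s, total bytes).
# The attacker/subnet pairs reproduce the slide's attacker-victim matrix B; the
# ports, durations and packet sizes are made up for illustration.
EVENTS = [
    ("a1", "v2", 22, 30, 4000), ("a1", "v4", 22, 20, 3000),
    ("a2", "v1", 445, 5, 900), ("a2", "v4", 445, 7, 1200),
    ("a3", "v2", 80, 60, 9000), ("a3", "v3", 443, 90, 12000), ("a3", "v4", 80, 45, 8000),
    ("a4", "v1", 3389, 10, 1500), ("a4", "v3", 3389, 12, 1600),
]

def attacker_victim_matrix(events):
    """B[a][v] = 1 if attacker a hit subnet v (rows = attackers, columns = subnets)."""
    attackers = sorted({e[0] for e in events})
    subnets = sorted({e[1] for e in events})
    hits = {(e[0], e[1]) for e in events}
    return attackers, subnets, [[int((a, v) in hits) for v in subnets] for a in attackers]

def subnet_similarity(B):
    """Assumed W: 1 on the diagonal, |shared attackers| / (|A_i| * |A_k|) off it.
    For the slide's B this reproduces the slide's W exactly."""
    n = len(B[0])
    col = [{a for a in range(len(B)) if B[a][v]} for v in range(n)]  # attackers per subnet
    return [[Fraction(1) if i == k else Fraction(len(col[i] & col[k]), len(col[i]) * len(col[k]))
             for k in range(n)] for i in range(n)]

def inverse(A):
    """Exact Gauss-Jordan inverse over Fractions, so no numpy is needed."""
    n = len(A)
    M = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(A)]
    for c in range(n):
        p = next(r for r in range(c, n) if M[r][c] != 0)   # first usable pivot row
        M[c], M[p] = M[p], M[c]
        piv = M[c][c]
        M[c] = [x / piv for x in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                f = M[r][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M]

def relevance_ranks(B, W, alpha=Fraction(1, 2)):
    """K[a][v]: rank of attacker a for subnet v (1 = most relevant), taken within each
    subnet column of the score matrix B * [(I - alpha*W)^-1 - I]."""
    n = len(W)
    M = inverse([[Fraction(int(i == k)) - alpha * W[i][k] for k in range(n)] for i in range(n)])
    for i in range(n):
        M[i][i] -= 1                                      # the "- I" term
    S = [[sum(B[a][k] * M[k][v] for k in range(n)) for v in range(n)] for a in range(len(B))]
    K = [[0] * n for _ in B]
    for v in range(n):
        for rank, a in enumerate(sorted(range(len(B)), key=lambda a: (-S[a][v], a)), 1):
            K[a][v] = rank
    return K

def metric_scores(events, key, other):
    """Assumed combination of the four metrics: each divided by its maximum, then averaged.
    key=0 gives attacker severity F(j) (I = unique subnets); key=1 gives subnet
    vulnerability G(i) (I = unique attackers). P, T, B = unique ports, mean duration, mean size."""
    by = defaultdict(list)
    for e in events:
        by[e[key]].append(e)
    raw = {k: {"I": len({e[other] for e in rows}), "P": len({e[2] for e in rows}),
               "T": sum(e[3] for e in rows) / len(rows), "B": sum(e[4] for e in rows) / len(rows)}
           for k, rows in by.items()}
    top = {m: max(r[m] for r in raw.values()) for m in "IPTB"}
    return {k: sum(r[m] / top[m] for m in "IPTB") / 4 for k, r in raw.items()}

def build_blacklists(events, alpha=Fraction(1, 2), beta=2.0, max_len=3):
    """Per-subnet blacklist: length L(i) grows with G(i) (assumed round(G(i)/max G * max_len),
    at least 1); entries are the L(i) attackers with the smallest F(i,j) = K(i,j) - beta*F(j)."""
    attackers, subnets, B = attacker_victim_matrix(events)
    K = relevance_ranks(B, subnet_similarity(B), alpha)
    F = metric_scores(events, 0, 1)
    G = metric_scores(events, 1, 0)
    gmax = max(G.values())
    lists = {}
    for i, v in enumerate(subnets):
        length = max(1, round(G[v] / gmax * max_len))
        ordered = sorted(attackers, key=lambda a: K[attackers.index(a)][i] - beta * F[a])
        lists[v] = ordered[:length]
    return lists

if __name__ == "__main__":
    attackers, subnets, B = attacker_victim_matrix(EVENTS)
    W = subnet_similarity(B)
    print("W:", [[str(x) for x in row] for row in W])
    print("K:", dict(zip(attackers, relevance_ranks(B, W))))
    print("blacklists:", build_blacklists(EVENTS))
```

Running the script prints the reconstructed W (which equals the slide's table), the per-subnet ranks K, and one blacklist per subnet whose length varies with G(i). Fractions are used so that the matrix inverse is exact and the ranking does not depend on floating-point rounding.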
Experiment and Evaluation: Evaluation Metrics
– Defense Rate (DR)
– Hit Rate (HR)
– Collaborative Defense Rate (CDR)
– Collaborative Missing Rate (CMR)
Experiment and Evaluation: Experiment Results
[Figure: Hit Rates of Four Blacklists (IHPB, HPB, LWOL, GWOL); x-axis: time (hour), 0 to 10; y-axis: %, 0 to 60]
[Figure: Defense Rate of Four Blacklists (GWOL, LWOL, IHPB, HPB); x-axis: time (hour), 0 to 9; y-axis: %, 0 to 25]
[Figure: CDRs of GWOL, HPB and IHPB; x-axis: time (hour), 0 to 10; y-axis: %, 0 to 30]
[Figure: CMRs of GWOL, HPB and IHPB; x-axis: time (hour), 0 to 10; y-axis: %, 0 to 25]
Conclusion & Future Work
Conclusions:
– Honeynets provide abundant and accurate attack data
– The IHPB algorithm generates highly personalized and predictive blacklists
– IHPB's high collaborative defense rate and capability show the great application value of HCDF
Future Work:
– More algorithms in HCDF with shorter training time that generate dynamic blacklists in a more timely manner
Thank you!