Peer Based Tracking Using Multi-Tuple Indexing for Network Traffic Analysis and Malware Detection

Title: Peer Based Tracking Using Multi-Tuple Indexing for Network Traffic Analysis and Malware Detection
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Hagan, Matthew, Kang, BooJoong, McLaughlin, Kieran, Sezer, Sakir
Conference Name: 2018 16th Annual Conference on Privacy, Security and Trust (PST)
Date Published: August
Keywords: 5-tuple flow tables, Botnet, command and control systems, computer network security, data streaming, expert system rule set, expert systems, flow connection concept, generated metadata, human factors, Indexes, Internet of Things, Intrusion Detection Systems, invasive software, IoT devices, IP networks, malicious behaviours, malicious network threats, Malware, malware detection, meta data, multipeered ZeuS botnet, multiple 5 tuple communications, multituple indexing, network analytics tools, Network Behavioural detection, network traffic analysis, network traffic behaviour, Next generation firewall, next generation firewalls, packet content, peer based tracking, Peer-to-peer computing, privacy, Protocols, pubcrawl, Scalability, single tuple flow types, standard IDS systems, Standards, TCP/IP fields, telecommunication traffic, traditional firewalls, transport protocols, video streaming, Zeus botnet

Abstract: Traditional firewalls, Intrusion Detection Systems (IDS) and network analytics tools extensively use the 'flow' connection concept, consisting of five 'tuples' (source and destination IP, source and destination port, and protocol type), for classification and management of network activities. By analysing flows, information can be obtained from TCP/IP fields and packet content to give an understanding of what is being transferred within a single connection. As networks have evolved to incorporate more connections and greater bandwidth, particularly from "always on" IoT devices and video and data streaming, so too have malicious network threats, whose communication methods have increased in sophistication. As a result, the 5-tuple flow in isolation is unable to detect such threats and malicious behaviours. This is because understanding the network traffic behaviour requires more time and more data than can be obtained by observing a single connection. To alleviate this issue, this paper proposes the use of additional two-tuple and single-tuple flow types to associate multiple 5-tuple communications, with generated metadata used to profile individual connection behaviour. This proposed approach enables advanced linking of different connections and behaviours, developing a clearer picture of what network activities have been taking place over a prolonged period of time. To demonstrate the capability of this approach, an expert system rule set has been developed to detect the presence of a multi-peered ZeuS botnet, which communicates by making multiple connections with multiple hosts and is thus undetectable to standard IDS systems observing 5-tuple flow types in isolation. Finally, as the solution is rule based, this implementation operates in real time and, unlike other research solutions, does not require post-processing and analytics.
This paper aims to demonstrate possible applications for next generation firewalls and methods to acquire additional information from network traffic.
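The abstract describes indexing each connection under its 5-tuple, a 2-tuple (source IP, destination IP) and a 1-tuple (source IP), then rolling per-connection metadata up into peer-pair and per-host profiles that a rule set can evaluate in real time. The following Python sketch is an added illustration of that indexing idea; it is not the authors' code, not their ZeuS rule set, and the sample packets, the `multi_peer_suspect` rule and its thresholds are constructed for this example only.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowRecord:
    """Metadata accumulated for one 5-tuple flow as packets are observed."""
    packets: int = 0
    bytes: int = 0
    first_ts: float = 0.0
    last_ts: float = 0.0


class MultiTupleIndex:
    """Indexes every packet under its 5-tuple, its 2-tuple (src IP, dst IP) and
    its 1-tuple (src IP), so per-connection metadata can be rolled up into
    peer-pair and per-host profiles (illustrative design, not the paper's)."""

    def __init__(self):
        self.five = {}                   # 5-tuple -> FlowRecord
        self.two = defaultdict(set)      # (src_ip, dst_ip) -> set of 5-tuples
        self.one = defaultdict(set)      # src_ip -> set of peer dst_ips

    def observe(self, ts, src_ip, dst_ip, src_port, dst_port, proto, length):
        """Update all three indexes from a single packet header."""
        key = (src_ip, dst_ip, src_port, dst_port, proto)
        rec = self.five.get(key)
        if rec is None:
            rec = FlowRecord(first_ts=ts, last_ts=ts)
            self.five[key] = rec
        rec.packets += 1
        rec.bytes += length
        rec.last_ts = ts
        self.two[(src_ip, dst_ip)].add(key)
        self.one[src_ip].add(dst_ip)

    def peer_profile(self, src_ip, dst_ip):
        """2-tuple view: all flows between one pair of hosts."""
        keys = self.two.get((src_ip, dst_ip), set())
        recs = [self.five[k] for k in keys]
        return {
            "flows": len(recs),
            "bytes": sum(r.bytes for r in recs),
            "dst_ports": sorted({k[3] for k in keys}),
        }

    def host_profile(self, src_ip):
        """1-tuple view: how one host behaves across all of its peers."""
        peers = self.one.get(src_ip, set())
        pairs = [self.peer_profile(src_ip, p) for p in peers]
        flows = sum(p["flows"] for p in pairs)
        total = sum(p["bytes"] for p in pairs)
        return {
            "peers": len(peers),
            "flows": flows,
            "bytes": total,
            "avg_bytes_per_flow": total / flows if flows else 0.0,
        }


def multi_peer_suspect(profile, min_peers=5, max_avg_bytes=600):
    """Hypothetical rule (not the paper's): flag a host that holds many small
    flows to many distinct peers. Thresholds are illustrative constants."""
    return profile["peers"] >= min_peers and profile["avg_bytes_per_flow"] <= max_avg_bytes


def build_sample():
    """Constructed packet headers: (ts, src_ip, dst_ip, sport, dport, proto, len)."""
    pkts, ts = [], 0.0
    # Constructed: 10.0.0.5 exchanges 3 small packets with each of 8 peers.
    for i in range(8):
        for _ in range(3):
            ts += 0.5
            pkts.append((ts, "10.0.0.5", f"203.0.113.{10 + i}", 40000 + i, 2100 + i, "tcp", 120))
    # Constructed: 10.0.0.7 makes two ordinary, data-heavy HTTPS connections.
    for i in range(2):
        for _ in range(10):
            ts += 0.5
            pkts.append((ts, "10.0.0.7", f"198.51.100.{20 + i}", 50000 + i, 443, "tcp", 1400))
    return pkts


def analyse(packets):
    """Feed packets through the index and return a per-host profile map."""
    idx = MultiTupleIndex()
    for pkt in packets:
        idx.observe(*pkt)
    return {host: idx.host_profile(host) for host in idx.one}


if __name__ == "__main__":
    for host, prof in analyse(build_sample()).items():
        print(host, prof, "SUSPECT" if multi_peer_suspect(prof) else "ok")
```

Each 5-tuple on its own looks like an unremarkable short TCP session; only the 1-tuple roll-up shows that one host is fanning out to many peers with very little data per connection, which is the kind of cross-connection picture the abstract argues a single-flow view cannot give.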

Citation Key: hagan_peer_2018