
Honeynet-based Collaborative Defense using Improved Highly Predictive Blacklisting Algorithm

Xiaobo Ma, Jiahong Zhu, Zhiyu Wan, Jing Tao, Xiaohong Guan, Qinghua Zheng. Xi’an JiaoTong University.


Presentation Transcript


  1. Honeynet-based Collaborative Defense using Improved Highly Predictive Blacklisting Algorithm. Xiaobo Ma, Jiahong Zhu, Zhiyu Wan, Jing Tao, Xiaohong Guan, Qinghua Zheng; Xi’an JiaoTong University

  2. Outlines: Introduction, Overview, Algorithm, Experiment, Conclusion

  3. Outlines: Introduction, Overview, Algorithm, Experiment, Conclusion

  4. Introduction: Background
     • Internet attacks: complicated & changing
     • Traditional defense: passive & delayed
     • Completely proactive defense: impossible
     • Relatively proactive defense: less delay

  5. Introduction: Related work
     • GWOL (Global Worst Offender Listing)
     • LWOL (Local Worst Offender Listing)
     • HPB (Highly Predictive Blacklisting)
     • HPB’s central idea:
       – personalized blacklists for each contributor
       – log-sharing system
       – correlation between attackers and contributors

  6. Introduction: Motivation
     • Limitations of HPB:
       – dependent on data contributors
       – single metric of attacker’s severity
       – fixed size of blacklists
     • To solve the problems: HCDF (honeynet-based collaborative defense framework)

  7. Introduction: Central Idea
     • HCDF’s advantages:
       – honeynet
       – multiple metrics of attacker’s severity
       – varying size of blacklists
     • HCDF’s goal:
       – blacklists with high hit rate and defense rate
       – reduce time delay in defending against new attackers

  8. Outlines: Introduction, Overview, Algorithm, Experiment, Conclusion

  9. HCDF Overview: Schematic Diagram of HCDF, training process [diagram labels: Attack traffic, Honeynet (×3), Attack]

  10. HCDF Overview: IHPB algorithm process [diagram labels: Honeynet (×3), High similarity, IHPB, Blacklists]

  11. HCDF Overview: Defense (Testing) process [diagram labels: Honeynet (×3)]

  12. Outlines: Introduction, Overview, Algorithm, Experiment, Conclusion

  13. IHPB Algorithm: Data preparation. An attack event consists of: 1. attacker IP, 2. victim’s subnet address, 3. port, 4. duration, 5. total packet size

  14. IHPB Algorithm: Relevance Ranking. Attack event fields: 1. attacker IP, 2. victim’s subnet address, 3. port, 4. duration, 5. total packet size → Attacker-Victim Matrix

  15. IHPB Algorithm: Relevance Ranking. Fields 1. attacker IP and 2. victim’s subnet address → Attacker-Victim Matrix; $K = \mathrm{rank}_i\{[(I - \alpha W)^{-1} - I]\,B\}$

  16. IHPB Algorithm: Relevance Ranking. Fields 1. attacker IP and 2. victim’s subnet address; $K = \mathrm{rank}_i\{[(I - \alpha W)^{-1} - I]\,B\}$; K(i,j): the relevance rank of attacker a_j in subnet v_i

  17. IHPB Algorithm: Attacker Severity. Metrics of attacker’s severity, computed from the attack event fields (1. attacker IP, 2. victim’s subnet address, 3. port, 4. duration, 5. total packet size):
     • I(a): number of unique subnets
     • P(a): number of unique ports
     • T(a): average duration of all attacks
     • B(a): average packet size in all attacks
     • F(j): final severity of attacker a_j

  18. IHPB Algorithm: Subnet Vulnerability. Metrics of subnet vulnerability, computed from the attack event fields (1. attacker IP, 2. victim’s subnet address, 3. port, 4. duration, 5. total packet size):
     • I(v): number of unique attackers
     • P(v): number of unique ports
     • T(v): average duration of all attacks
     • B(v): average packet size in all attacks
     • G(i): final vulnerability of victim v_i

  19. IHPB Algorithm: Final Blacklist. Inputs: relevance ranking K(i,j), attacker severity F(j), subnet vulnerability G(i). Blacklisting:
     1. F(i,j) = K(i,j) – βF(j)
     2. larger G(i) → larger L(i) (L: length of blacklists)
     3. the L(i) attackers with the smallest F(i,j) form the final blacklist
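A worked instance of the IHPB pipeline of slides 13 to 19, added here as an example and not the authors' code: it builds the Attacker-Victim Matrix B, the relevance rank K(i,j), the severity F(j) and vulnerability G(i), and the final per-subnet blacklists from a constructed six-event honeynet log. Assumed where the slides are silent: W is the Jaccard similarity between subnets' attacker sets with a zero diagonal, F(j) and G(i) are max-normalised sums of the four metrics, L(i) is proportional to G(i), and α = β = 0.5 are arbitrary choices.

```python
# Constructed attack events (assumed sample data, not from the paper):
# (attacker, victim subnet, port, duration, total packet size)
EVENTS = [("a0", "v0", 22, 10, 1000), ("a0", "v1", 22, 20, 2000),
          ("a1", "v0", 80, 5, 500), ("a1", "v1", 443, 5, 500),
          ("a2", "v2", 22, 40, 8000), ("a3", "v1", 23, 2, 200)]
ATTACKERS = sorted({e[0] for e in EVENTS})
SUBNETS = sorted({e[1] for e in EVENTS})

def inverse(m):
    """Gauss-Jordan inverse of a small square matrix (kept numpy-free)."""
    n = len(m)
    a = [row[:] + [float(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(a[r][c]))   # partial pivoting
        a[c], a[p] = a[p], a[c]
        a[c] = [x / a[c][c] for x in a[c]]
        for r in (r for r in range(n) if r != c):
            a[r] = [x - a[r][c] * y for x, y in zip(a[r], a[c])]
    return [row[n:] for row in a]

def metrics(key, other):
    """Slides 17/18: I = unique counterparts, P = unique ports, T = mean duration,
    B = mean packet size; combined as a max-normalised sum (assumed combination)."""
    raw = {}
    for k in {e[key] for e in EVENTS}:
        ev = [e for e in EVENTS if e[key] == k]
        raw[k] = (len({e[other] for e in ev}), len({e[2] for e in ev}),
                  sum(e[3] for e in ev) / len(ev), sum(e[4] for e in ev) / len(ev))
    hi = [max(v[t] for v in raw.values()) for t in range(4)]
    return {k: sum(v[t] / hi[t] for t in range(4)) for k, v in raw.items()}

def relevance_rank(alpha=0.5):
    """Slides 15/16: K(i,j) = rank of attacker j for subnet i in [(I - aW)^-1 - I]B."""
    hit = {v: {e[0] for e in EVENTS if e[1] == v} for v in SUBNETS}
    B = [[float(a in hit[v]) for a in ATTACKERS] for v in SUBNETS]
    W = [[0.0 if u == v else len(hit[u] & hit[v]) / len(hit[u] | hit[v])  # assumed Jaccard
          for v in SUBNETS] for u in SUBNETS]
    n = len(SUBNETS)
    M = inverse([[(u == v) - alpha * W[u][v] for v in range(n)] for u in range(n)])
    R = [[sum((M[u][v] - (u == v)) * B[v][j] for v in range(n))
          for j in range(len(ATTACKERS))] for u in range(n)]
    # rank 1 = most relevant; ties broken by attacker index
    order = {v: sorted(range(len(ATTACKERS)), key=lambda j: (-R[i][j], j))
             for i, v in enumerate(SUBNETS)}
    return {v: {ATTACKERS[j]: r for r, j in enumerate(o, 1)} for v, o in order.items()}

def blacklists(beta=0.5, max_len=3):
    """Slide 19: F(i,j) = K(i,j) - beta*F(j); L(i) grows with G(i); keep the
    L(i) attackers with the smallest F(i,j) for each subnet."""
    K, F, G = relevance_rank(), metrics(0, 1), metrics(1, 0)
    gmax = max(G.values())
    return {v: sorted(ATTACKERS, key=lambda a: K[v][a] - beta * F[a])
               [:max(1, round(max_len * G[v] / gmax))] for v in SUBNETS}
```

Subnets v0 and v1 share two attackers, so relevance propagates between them and a3 (seen only by v1) is ranked ahead of a2 for v0; v2 shares nothing and its ranking falls back to severity alone.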

  20. Outlines: Introduction, Overview, Algorithm, Experiment, Conclusion

  21. Experiment and Evaluation: Evaluation Metrics. Defense Rate (DR), Hit Rate (HR), Collaborative Defense Rate (CDR), Collaborative Missing Rate (CMR)

  22. Experiment and Evaluation: Experiment Results [plot: Hit Rates of Four Blacklists; y-axis %, x-axis Time (hour)]

  23. Experiment and Evaluation: Experiment Results [plot: Defense Rate of Four Blacklists; y-axis %, x-axis Time (hour)]

  24. Experiment and Evaluation: Experiment Results [plot: CDRs of GWOL, HPB and IHPB; y-axis %, x-axis Time (hour)]

  25. Experiment and Evaluation: Experiment Results [plot: CMRs of GWOL, HPB and IHPB; y-axis %, x-axis Time (hour)]

  26. Outlines: Introduction, Overview, Algorithm, Experiment, Conclusion

  27. Conclusion & Future Work
     • Conclusions
       – Honeynets provide abundant and accurate attack data
       – The IHPB algorithm generates highly personalized and predictive blacklists
       – IHPB’s high collaborative defense rate and capability show the great application value of HCDF
     • Future Work
       – More algorithms in HCDF with shorter training time that generate dynamic blacklists in a more timely manner

  28. Thank you!
