Survey on a PTP approach to provide trust in
network security for misbehavior detection
Neha Pathak
R. S. Apare
Student in Department of Information technology,
Smt.Kashibai Navale College of Engineering
Pune, India
Assistant Professor in Department of Information
Technology, Smt. Kashibai Navale College of Engineering
Pune, India
Neha.pathak59@gmail.com
ABSTRACT— Previous techniques used for analysis of
network security have focused on the action of host node.
Only some has been consider for the detection of malicious
node based on their association with the known malicious
nodes. This method is mostly used in graph analysis and is
known as community detection. This project proposes a
PTP methodology to propagate trust across network. It
also measures the trustworthiness of incoming connection
request. The proposed system gains the prior community
detection and graphical modeling issue with the use of
propagation threat probabilities across the network node.
Method used in this paper enhances previous work by
using constraints that remove the adverse effect of cyclic
propagation. To demonstrate the effectiveness of
probabilistic threat propagation botnet detection,
community detection and malicious web destination has
considered.
Keywords: botnet, blacklist, community detection, graph
algorithms, Network security.
I.
INTRODUCTION
Network Security is a special field of computer networking. It
secures a computer network infrastructure. In Network
security network administrator or system administrator handle
the network operation. They are also responsible for
implementations of the security policy for network
software and hardware. They protect a network and the
resources accessed from unauthorized access. So it secures the
network by protecting and overseeing the network operation.
Network inference is a topology which shows the wiring
diagram of the network. Community detection is an important
application in the field of network inference. It explores the
structure of static association between entities. Example of
community based system is email traffic between employees
of a company, vehicle traffic between physical locations.
In network security, it is critical for the defender to analysis
and detection of malicious node activity. Methods for
detecting unwanted network traffic can be categorized as
signature based intrusion detection system [9] or anomaly
based detection system [3]. Both of the system is based to
analyze the activity of the individual network node rather than
the interaction between nodes. Due to the increase of botnets a
newer detection technique have developed which view the
network host activity to detect the infective behavior of nodes.
The behaviors of multiple nodes can be aggregate to perform
ravi.apare@gmail.com
spatial anomaly [3] detection which considers the relationship
of a node with other nodes.
In many situations network defenders were able to identify
known malicious nodes, either the use of previous detection
methods in internal network or from blacklists in external
nodes [6]. Using these methods an analysis can be performed
to identify host communication with the known malicious
nodes on network traffic. Previous work has shown that
malicious activity is local in the network space and form
communities of maliciousness. By using locality of host that
communicate with each other or share common resources, it
can be leveraged for the detection of malicious nodes. For
example botnet try to leverage a common command and
control infrastructure while malicious web websites try to host
by service providers.
Method for the detection of malicious nodes on a network,
independent of their own activities, by leveraging the fact that
malicious activity tries to be localized. If a tip node of known
maliciousness or their collection is given then proposed
system perform graph analysis to compute the threat
probability of neighboring nodes. Method work iterative until
a Statistical probability of threat is not computed for each
node of a graph. In the probabilistic threat propagation (PTP)
the probability of a node being malicious is proportional to the
level of maliciousness of its neighbor nodes.
II.
RELATED WORK
Paper [1] presents method to detect malicious and infected
node in the monitored and external Internet. In this paper a
probabilistic threat propagation (PTP) method is used which
detect botnets and malicious web destination. A Method
present in this paper produces statistical probabilities rather
than rank ordered lists. An iterative propagation is used which
allows for asymmetric weighting factors. Paper apply threat
propagation to the application of detecting malicious web
domains and proactively expanding blacklists, strictly through
DNS resolutions. Now it’s not relying on registration
properties or URL analysis. The intuition behind PTP method
is to accurately calculate the thread level at each node and also
provenance of the threat also needs to be tracked. So the level
of threat at each node is equal to weighted sum of threat of
neighboring nodes. The level of threat discounted those nodes
received from the nodes of interest.
Paper [2] shows that by using a single peer to peer method if a
bot is detected in a network then it is possible to detect other
member of the same network. In a paper a simple method is
presented to identify member host from known peer nodes, of
an unstructured P2P botnet in a network. Method provides a
list of hosts ordered by a degree of certainty that belong to the
same P2P botnet as discovered node belong. Method
represents that peers of a P2P botnet communicate with other
peers to receive command and update. In spite of some
different bots may communicate with other peer bot. Paper
shows that for P2P botnets in unstructured topology where
bots randomly select peers for communication it is rarely high
probability that bots communicate with external bot during a
given time window. In other words there is a significant
probability a pair of bots within a network have a mutual
contact.
In this Paper [3] a Botnet Sniffer method is given to detect
botnet C&C problem. A proposed approach uses network
based anomaly detection to identify botnet C&C channels in a
local area network without the knowledge of signature or
C&C server addresses. This detection approach can identify
both the C&C servers and infected hosts or bots in the
network. This approach is based on the observation of the preprogrammed activities related to C&C. a bots within the same
botnet will likely show the spatial-temporal correlation and
similarity.
Paper [4] presents conditional random fields method to build
probabilistic models to segment and label sequence data.
Methods provide several advantages over Markov models [5]
and stochastic grammars for such tasks. Conditional random
fields also avoid a limitation of label biased problem present
in maximum entropy Markov models (MEMMs) and other
Markov models using directed graphical models. Paper used
iterative estimation algorithms for conditional random fields.
In paper [6] a novel approach is present to detect activity
based communities by propagating membership in between
the neighboring nodes. To show utility of a method a local
implementation is used. These local implementations are
checked for community detection by given starting node and
then apply it to on two varied data set. There are two methods
were used for membership propagation: Static membership
and dynamic membership. Static membership utilizes
information of tip node into a community which demonstrates
the improvement over baseline method. In Dynamic
membership propagation method nodes membership
probability vary over time.
In this Paper [7] a method is used which constructs the
blacklists for large scale security log sharing infrastructure.
Method Used in this paper uses Page ranking scheme. The
ranking scheme measures how closely related an attack source
is to a contributor. This is using the attacker’s history and the
contributor’s recent log production patterns. This method
works in three stages. First stage which is called prefiltering
stage where the security alerts supplied by sensors across the
Internet are preprocessed. This removes known noises in the
alert collection. The preprocessed data are then fed into two
parallel engines. One rank is used for each contributor, the
attack sources according to their relevance to that contributor.
The second stage scores the sources using a severity that
measures their maliciousness. The relevance ranking and the
severity score are combined at the last stage to generate a final
blacklist for each contributor.
In Paper [8] an Intrusion Detection System is presented for a
network. According to paper the problem of IDS can be
addressed by scanning and harvesting attack. A harvesting
attack is exploitation where an attacker initiates
communications with multiple hosts to control and reconfigure
them. While in a scanning attack, the attacker’s
communication with multiple hosts is an attempt to determine
what services they are running. In this paper an alternative
method is used to evaluate IDS focus to frustrate the attacker
goals. In order to do this, model captures the attacker’s payoff
over an observable attack space. The observable attack spaces
represent a set of Attacks an attacker can conduct. An
observable attack spaces can be defined the number of
addresses to which they (nodes) communicate in a sample
period. After evaluation of OAS a payoff function is applied to
this detection surface.
This paper [9] presents a method called EMBER (Extreme
Malicious Behavior view ER). Which analysis and display a
malicious activity at the city level. This system uses a metric
called Standardized Incidence Rate (SIR) which is the number
of host’s show malicious behavior per 100,000 present hosts.
These metrics were relies on available data that (1) Maps IP
addresses to geographic locations (2) Provides current city
populations and (3) Provides computer usage penetration
rates.
In this Paper [10] a Snort system is presented which is used to
detect Network Intrusion Detection in small and large network
system. This tool can be deploying to monitor small TCP/IP
networks and detect suspicious network traffic an attacks
present in network. It can also provide administrators to
enough data to make decisions on the action of suspicious
activity. Snort is a cost efficient tool.
In this Paper [11] a Probabilistic Misbehavior Detection
Scheme (iTrust) were presented which could reduce the
detection overhead effectively. Method firstly introduced data
forwarding evidences for general misbehavior detection. The
proposed framework is not only detect various misbehaviors
But also a compatible to other routing protocols. Secondly it
introduced a probabilistic misbehavior detection scheme by
adopting the Inspection Game. This game theoretical analysis
demonstrates that the cost of misbehavior detection could be
significantly reduced without compromising performance.
Paper also discussed how to correlate a user’s trust level to the
detection probability. Thirdly it uses extensive analysis to
demonstrate the effectiveness and the efficiency of the iTrust.
In this Paper to represent data Security the RSA algorithm and
Hash function were used for User Authentication.
TABLE I
ANALYSIS OF EXISTING SYSTEMS
Sr. No.
Paper Name
1.
Probabilistic Threat
Propagation
for Network Security
Friends of an enemy:
Identifying local members of
peer-to-peer botnets using
mutual contacts
BotSniffer: Detecting Botnet
Command and Control
Channels in Network Traffic
Conditional random fields:
Probabilistic models for
segmenting and labeling
sequence data
Detecting activity-based
communities using dynamic
membership
Propagation
Highly Predictive
Blacklisting
On the Limits of PayloadOblivious
Network Attack Detection
EMBER: A global
perspective on extreme
malicious behavior
Snort:light weight intrusion
Detection for network
A Probabilistic Misbehavior
Detection Scheme toward
Efficient Trust Establishment
in Delay-Tolerant Networks
2
3.
4
5.
6.
7.
8.
9.
10.
III.
Algorithm Used
Attack Type Addressed
Detection
technique
Statistical
probabilities
Malicious and infected
node
Probabilistic threat
propagation
Low
Iterative algorithm
Bot net
Mutual Contacts
Low
Statistical
algorithm
Botnet C&C
Anomaly based
detection
Very low
Iterative parameter
estimation
algorithm
Label bias problem
Conditional
random field
probabilities
Static membership
and dynamic
membership
propagation
Relevance page
ranking
Activity based
Community detection
Temporal analysis
Page ranking
Observable attack
space
Blacklist
Communication in
internet community
Intrusion Detection
System
Not Specified
Malicious misbehavior
Intrusion Detection
EMBER and
visualization
technique
Snort
_
No
Misbehavior of nodes
iTrust system
low
_
Signature Based
analysis
Probabilistic
approach
CONCLUSION
Probabilistic Threat Propagation is an iterative approach
for graph analytic. It determines malicious node in an
observed network by statistical probability. It is difficult
to find threat origin to avoid node threat levels being
increased uniquely depend on their network presence.
PTP outputs approximations of true statistical
probabilities that are easily interpretable by an analyst.
PTP can use in network security for botnet detection and
prediction of malicious domains.
ACKNOWLEDGMENT
I am extremely thankful to my Project guide Prof. R. S.
Apare for suggesting the topic for literature survey and
providing all the assistance needed to complete the
work. He inspired me greatly to work in this area.
False
positive rate
_
Approaches
Consider
association of
node with others
node
Yes
No
Yes
_
Yes
_
Payoff function
_
_
High
No
Yes
_
REFERENCES
[1] Kevin M. Carter, Nwokedi Idika, and William W. Streilein
“Probabilistic Threat Propagation for Network Security”,
IEEE Transactions on Information Forensics and Security,
Sep 2014.
[2] B. Coskun, S. Dietrich, and N. Memon, “Friends of an
enemy: Identifying local members of peer-to-peer botnets
using mutual contacts,” in Proc. 26th Annu. Comput. Security
Appl. Conf., Dec. 2010.
[3]G. Gu, J. Zhang, and W. Lee, “BotSniffer: Detecting botnet
command and control channels in network traffic,” in Proc.
15th Annu. Network. Distributed. System. Security. (NDSS),
Feb. 2008.
[4] J. D. Lafferty, A. McCallum, and F. C. N. Pereira,
“Conditional random fields: Probabilistic models for
segmenting and labeling sequence data,” in Proc. 8th Int.
Conf. Mach. Learn. (ICML), 2001.
[5] S. Philips, E. Kao, M. Yee, and C. Anderson, “Detecting
activity-based communities using dynamic membership
propagation,” in Proc. IEEE Int. Conf. Acoust., Speech Signal
Process., Mar. 2012.
[6] J. Zhang, P. Porras, and J. Ullrich, “Highly predictive
blacklisting,” in Proc. 17th Conf. Security Symp., 2008
[7] M. P. Collins and M. K. Reiter, “On the limits of payloadoblivious network attack detection,” in Proc. 11th Int. Symp.
Recent Adv. Intrusion Detection (RAID), 2008.
[8] T. Yu, R. Lippmann, J. Riordan, and S. Boyer, “EMBER:
A global perspective on extreme malicious behavior,” in Proc.
7th Int. Symp. Vis. Cyber Security, 2010.
[9] M. Roesch, “SNORT—Lightweight intrusion detection for
networks,” in Proc. 13th LISA Conf., 1999.
[10] Haojin Zhu, Suguo Du, Zhaoyu Gao, Mianxiong Dong
and Zhenfu Cao, “A Probabilistic Misbehavior Detection
Scheme toward Efficient Trust Establishment in DelayTolerant Networks” , IEEE Transactions on Parallel and
Distributed Systems, vol. 25, no. 1, JANUARY 2014
[11] K. M. Carter, N. Idika, and W. W. Streilein,
“Probabilistic threat propagation for malicious activity
detection,” in Proc. IEEE Int. Conf. Acoust., Speech Signal
Process., May 2013.
[12] S. Brin and L. Page, “The anatomy of a large-scale hyper
textual web search engine,” in Proc. 7th Int. Conf. World Wide
Web (WWW), Brisbane, Australia, 1998.