Transcript View/Open
Traffic Analysis of Campus Network for Classification of Broadcast Data 47th Annual National Convention of Computer Society of India Presented By: Raman Singh [email protected] University Institute of Engineering and Technology Panjab University, Chandigarh Panjab University Campus Courtesy: Google Maps Experiment Setup Sub-network used for Capturing network traffic of three boys hostels of Panjab University-Campus Area Network (PU-CAN) Short PU-CAN Profile Managed campus network of Panjab University. Uses proxy server, firewall and all other precautions against security threats. Proxy Server: Squid Server Firewall: FireBox Hardware Firewall Router Make: Cisco Switches Make: D-Link Access Points Make: Senao, Belkin, D-Link,TP-Link Server Specifications HP Proliant ML Server ( Xeon Processor, 8 GB RAM, 250 GB Hard Disk) Operating System : Fedora 14 Data Capturing Tool : ◦ Tcpdump (www.tcpdump.org) ◦ Wireshark (www.wireshark.org) Microsoft Office Excel 7.0 Duration of Pilot Study : 22 days Methodology • Network Traffic Capture tcpdump • Conversion - pcap to csv Wireshark Microsoft Office - Excel • Manually Classification Methodology Broadcast data used for investigation Computers use broadcast for knowing name and IPs of other computers,ARP, DHCP, DNS etc. Unnecessary broadcast creates network congestion and degrades bandwidth availability Methodology After manual investigation of captured data, four classes are classified: Total Broadcast Data Genuine Broadcast Identified Malicious Broadcast Unidentified Suspected Broadcast Result Discussion Result Discussion Three Networks are discovered: Result Discussion Results Discussion Networks identified after study are: 1. Official 172.16.40.0/22 network (33.91%) 1. Network of miss-configured IPs 169.254.0.0 (3.84%) 2. Unauthorized network of series 192.168.11.0(8.90%) 3. Un-resolved IPs (53.33%) Results Discussion Need to minimize the remaining 66% (approx) suspected malicious data. For this purpose intelligent infrastructure may provide help to design the models. Two unauthorized network found which operates on official infrastructure, So Network traffic profiling is required to discover these types of unauthorized profiles. Some hosts also broadcasts with both IP addresses of IPv4 and IPv6, However official network supports only IPv4. We can say that normality of a network is matter of discussion. Conclusion and Countermeasures Malicious activities discussed are common but these goes un-noticed which makes it a serious issue. Most of firewalls and Intrusion Detection Systems consider these patterns normal due to which a lot of bandwidth goes for un-productive traffic. Various countermeasures suggested by researchers but main problem is to detect these patterns. Machine learning algorithms are required to be developed with relevance feedback from network administrator to find out exact threat for that particular network. Conclusion and Countermeasures Normality is matter of discussion. Interactive security countermeasures are required. Intelligent network infrastructure needs to be developed with integration of artificial intelligence and machine learning. References Abdun Naser Mahmood, Christopher Leckie and Parampalli Udaya, "An Efficient Clustering Scheme to Exploit Hierarchical Data in Network Traffic Analysis", IEEE Transactions On Knowledge and Data Engineering,Vol. 20, No. 6,June 2008, pp 752-767. Liu Yingqiu, Li Wei and Li Yunchun,"Network Traffic Classification Using K-means Clustering", Second International Multisymposium on Computer and Computational Sciences, Iowa City, IA, 13-15 Aug. 2007, pp 360 - 365. Kuai Xu, Zhi-Li Zhang, and Supratik Bhattacharyya, "Internet Traffic Behavior Profiling for Network Security Monitoring", IEEE/ACM Transactions On Networking, Vol. 16, No. 6, December 2008, pp 1241-1252. Daniele Apiletti, Elena Baralis, Tania Cerquitelli and Vincenzo D’Elia, "Characterizing network traffic by means of the NETMINE framework", Elsevier's Journal of Computer Networks, Volume 53, Issue 6, 23 April 2009, pp 774789. Hamid Farvaresh and Mohammad Mehdi Sepehri, "A data mining framework for detecting subscription fraud in telecommunication", Elsevier's Journal of Engineering Applications of Artificial Intelligence,Volume 24, Issue 1, February 2011, pp 182-194. Xin Li and Zhi-Hong Deng, "Mining frequent patterns from network flows for monitoring network", Elsevier's Journal of Expert Systems with Applications, Volume 37, Issue 12, December 2010, pp 8850-8860. P. Ravisankar,V. Ravi, G. Raghava Rao and I. Bose, "Detection of financial statement fraud and feature selection using data mining techniques", Elsevier's Journal of Decision Support Systems, Volume 50, Issue 2, January 2011, pp 491-500. Ming-Yang Su, "Using clustering to improve the KNN-based classifiers for online anomaly network traffic identification", Journal of Network and Computer Applications, Volume 34, Issue 2, March 2011, pp 722-730. Jeffrey Ermana, Anirban Mahantib, Martin Arlitta,c, Ira Cohenc and Carey Williamsona, "Offline/realtime traffic classification using semi-supervised learning", Elsevier's Journal of Performance Evaluation, Volume 64, Issues 9-12, October 2007, pp 1194-1213. References Francesco Palmieri and Ugo Fiore, "A nonlinear, recurrence-based approach to traffic classification", Elsevier's Journal of Computer Networks, Volume 53, Issue 6, 23 April 2009, pp 761-773. Li-Yen Chang and Hsiu-Wen Wang, "Analysis of traffic injury severity: An application of non-parametric classification tree techniques", Elsevier's Journal of Accident Analysis And Prevention,Volume 38, Issue 5, September 2006, pp 1019-1027. Jose Luis Garcia-Dorado, Jose Alberto Hernandez, Javier Aracil, Jorge E. Lopez de Vergara and Sergio LopezBuedo, "Characterization of the busy-hour traffic of IP networks based on their intrinsic features", Elsevier's Journal of Computer Networks, Volume 55, Issue 9, 23 June 2011, pp 2111-2125. Tao Qin , Xiaohong Guan, Wei Li Pinghui Wang and Qiuzhen Huang, "Monitoring abnormal network traffic based on blind source separation approach", Elsevier's Journal of Network and Computer Applications, Volume 34, Issue 5, September 2011, pp 1732-1742. W. Tavernier, D. Papadimitriou, D. Colle, M. Pickavet and P. Demeester, "Packet loss reduction during rerouting using network traffic analysis", Springer's Journal of Telecommunication Systems, Online First™, 23 August 2011,No.of pages 19. Fedora 14, "http://www.cyberciti.biz/tips/fedora-14-download-cd-dvd-iso.html", last seen on 1 July, 2012. Tcpdump, "http://www.tcpdump.org/\#latest-release", last seen on 4 July, 2012. Wireshark, "http://www.wireshark.org/download.html", last seen on 4 July, 2012. Won Kim n, Ok-RanJeong, Chulyun Kim and Jungmin So, “The dark side of the Internet : Attacks, costs and responses”, Elsevier’s Journal of Information Systems, Volume 36, Issue 3, May 2011, pp 675-705 THANK YOU