challenges in experimenting
play

Challenges in Experimenting with Botnet Detection Systems Adam - PowerPoint PPT Presentation

Nov 12, 2023 •327 likes •767 views

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen University of Pennsylvania August 8th, 2011 CSET-2011 1 Alice has developed a new botnet detector!!! What should the evaluation show? Alice's

  1. Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen University of Pennsylvania August 8th, 2011 CSET-2011 1

  2. Alice has developed a new botnet detector!!! What should the evaluation show? Alice's Detector August 8th, 2011 CSET-2011 2

  3. Ideal Alice deploys her detector live on her local network Alice is provided with a list of hosts that are botnet infected Alice deploys her detector on various other networks Academic, Residential, Corporate, etc. Alice records traces of each deployment Improve detector in the lab Readily available to other researchers August 8th, 2011 CSET-2011 3

  4. Realities Production-ready deployment? Ground truth of botnet infections? Deployment on various networks? Record trace and replay experiment? Traces available to other researchers? August 8th, 2011 CSET-2011 4

  5. T aking a Step Back August 8th, 2011 CSET-2011 5

  6. Many Challenges Multiple Administrative Focus on Academic Domains Networks Network Heterogeneity Scale Multimorbidity Mixing Artifacts Privacy False Postives & Negatives Controlled Environments Artifact Overfitting Repeatability Botnet Overfitting Comparability Lack of Verification August 8th, 2011 CSET-2011 6

  7. privacy August 8th, 2011 CSET-2011 7

  8. We have to worry about privacy, but the botnet authors don't! August 8th, 2011 CSET-2011 8

  9. Can we do better together? August 8th, 2011 CSET-2011 9

  10. Discussion/T opics/Questions Experimental Ideals vs. Realities Not just botnet detectors ... Raw Materials of the Experiment Sharing and Obtaining Traces Botnet and Background Traces Can we do better via collaboration? August 8th, 2011 CSET-2011 10

  11. Presentation Outline Ideal vs. Reality Experimental Challenges Overlay Methodology Pitfalls Obtaining Traces Sharing Traces What can be done? August 8th, 2011 CSET-2011 11

  12. Alice has developed a new botnet detector!!! What should the evaluation show? Alice's Detector August 8th, 2011 CSET-2011 12

  13. Ideal vs. Reality Alice deploys her detector live on her Production-ready deployment? local network Alice is provided with list of hosts that are botnet infected Ground truth of botnet infections? Alice deploys her detector on other Deployment on various various networks networks? Corporate, Residential, Corporate, etc. Record trace and replay Alice records traces of each experiment? deployment Improve detector in the lab Readily available to other researchers Traces available to other researchers? August 8th, 2011 CSET-2011 13

  14. Evaluation Realities Performance Realistic Settings Network Heterogeneity Multiple Administrative Domains Modernity Comparability Lack of Ground T ruth & Repeatability Overfitting Privacy August 8th, 2011 CSET-2011 14

  15. Pitfalls Experimental Challenges Overlay Methodology Pitfalls Obtaining Traces Sharing Traces What can be done? August 8th, 2011 CSET-2011 15

  16. Overlay Methodology v v v Internet v v v v Anonymizer v Network Trace August 8th, 2011 CSET-2011 16

  17. Replay and Evaluate Network Trace Detected 2 Bots! v v v v v v v v v v Collected Background Independently Trace is Sensitive August 8th, 2011 CSET-2011 17

  18. Prevalence in the Literature [13] [49] [15] [36] [46] [47] Overlay [41] [23] [6] Methodology [7] [28] [25] [24] [14] Other [20] [14] [45] Methodology [36] [11] [5] * See paper for references. August 8th, 2011 CSET-2011 18

  19. Advantages of Overlay Methodology v v v v v v v v v v Ground Truth August 8th, 2011 CSET-2011 19

  20. Pitfalls Experimental Challenges Overlay Methodology Pitfalls Obtaining Traces Sharing Traces What can be done? August 8th, 2011 CSET-2011 20

  21. Obtaining Traces Realism Merging of Botnet and Background trace should be realistic August 8th, 2011 CSET-2011 21

  22. Collecting Botnet Traces v August 8th, 2011 CSET-2011 22

  23. Realistic Embedding Residential ISP ? SPAM! v v v v v v v v v v August 8th, 2011 CSET-2011 23

  24. Mixing Artifacts v v v v v v v v v v v v DHCP August 8th, 2011 CSET-2011 24

  25. Multimorbidity v v v v v v v v v v v v v v August 8th, 2011 CSET-2011 25

  26. Obtaining Traces Realism Merging of Botnet and Background trace should be realistic Representativeness Reflect diversity in network scenarios August 8th, 2011 CSET-2011 26

  27. Focus on Academic Networks v v v v v v v v v v Corporate Business State University August 8th, 2011 CSET-2011 27

  28. Prevalence in the Literature At Least One Academic Traces Other Trace [13] [49] [15] [28] [25] [24] Overlay [36] [46] [47] [14] Methodology [41] [23] [6] [7] Other [20] [14] [45] [36] [11] [5] Methodology * See paper for references. August 8th, 2011 CSET-2011 28

  29. Scale v v v v v v v v v v v v vv v v vv v v v v v v v v v v v v v v v vv v v v v v v v v v v v v v v vv v v v v v v v v v vv v v v v v v v v v vv v vv v v v vv v v v v v v v v v v v v v v v v v v v v vv v v v vv v v v v v v v v vv v v v vv v v v v v v v v v v v v v v v vv v v v v v v v v v v v v v v v vv v v v v v v v v v vv v v v v v v v v v v v v v vv v v vv v v v v v v v v vv v v vv v v vv v v v v v v v v v v v v v v v v v v v v v vv vv vv v v v v v v v v v v v v vv vv August 8th, 2011 CSET-2011 29

  30. Obtaining Traces Realism Merging of Botnet and Background trace should be realistic Representativeness Reflect diversity in network scenarios Performance False postives and negatives August 8th, 2011 CSET-2011 30

  31. Lack of Verification v v v v v v v v v August 8th, 2011 CSET-2011 31

  32. Example From the Literature T aMD “ ” We suspect that the reason not every bot in the botnet was detected is due to the randomness in our choice of selected internal hosts to which the malware traffic was assigned, such that a selected internal host that was also contacting other suspicious subnets (not relevant to the botnet) is likely to bias the dimension reduction and clustering algorithm. August 8th, 2011 CSET-2011 32

  33. privacy August 8th, 2011 CSET-2011 33

  34. Sharing Traces v v v v v v v v v v Is the experiment independently repeatable? Can we do apples to apples comparison? August 8th, 2011 CSET-2011 34

  35. What can be done? Experimental Challenges Overlay Methodology Pitfalls Obtaining Traces Sharing Traces What can be done? August 8th, 2011 CSET-2011 35

  36. Observations Much of these challenges stem from difficulties in sharing and obtaining realistic data sets. Similar to problems faced by researchers studying large scale distributed systems ---> PlanetLab August 8th, 2011 CSET-2011 36

  37. Can we do better together? A PlanetLab for Botnet Detection? August 8th, 2011 CSET-2011 37

  38. Strawman Distributed Evaluation PlanetLab-like nodes on participating networks Cannot communicate network traces outside of network Researchers Deploy Detector Code on Nodes Reports are reviewed and declassified by sys-admins Researcher can test and debug on local node Incentives Sys-Admins gain access to bleeding edge detectors, for FREE! Researchers gain insight into usefulness of reports or “ground truth” August 8th, 2011 CSET-2011 38

  39. Address Challenges Performance Realistic Settings Network Heterogeneity Lack of Ground Truth Multiple Administrative Domains Modernity Comparability & Repeatability Overfitting Privacy August 8th, 2011 CSET-2011 39

  40. Huge Deployment Challenges Privacy Accountability August 8th, 2011 CSET-2011 40

  41. Conclusions T aking a step back Overlay Methodology Literature Review And, its pitfalls Ideal is hard Can we do better Ideal vs. Reality together? Privacy! PlanetLab for Sharing and Obtaining realistic traces Botnet detectors? August 8th, 2011 CSET-2011 41

  42. Backup August 8th, 2011 CSET-2011 42

Recommend

Experimenting on the World Wide Web Ulf-Dietrich Reips University of Tbingen, Germany Contact:

Experimenting on the World Wide Web Ulf-Dietrich Reips University of Tbingen, Germany Contact:

Reips, U.-D. (1996, October). Experimenting in the World Wide Web. Paper presented at the 1996 Society for Computers in Psychology conference, Chicago. Current e-mail address: ureips@genpsy.unizh.ch Experimenting on the World Wide Web

602 views • 22 slides
Pushing the boundaries of the SEP experimenting with new modes of research evaluation in the

Pushing the boundaries of the SEP experimenting with new modes of research evaluation in the

Pushing the boundaries of the SEP experimenting with new modes of research evaluation in the Dutch academic landscape Dr. Thed van Leeuwen Centre for Science and Technology Studies (CWTS), Leiden University Annual NARMA Meeting Lillestrom ,

528 views • 37 slides
Experimenting Smarter not Harder zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA - Taguchi

Experimenting Smarter not Harder zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA - Taguchi

I zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Experimenting Smarter not Harder zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA - Taguchi Methods Stella Q"vmd BAE SYSTEMS ISMOR 1 1 1 The Problem Developed

127 views • 10 slides
Experimenting with Flexible D2D Communications in Current and Future LTE networks: A D2D Radio

Experimenting with Flexible D2D Communications in Current and Future LTE networks: A D2D Radio

Experimenting with Flexible D2D Communications in Current and Future LTE networks: A D2D Radio Technology Primer & Software Modem Implementation May, 18 th , 2017, Oulu-Finland Presented by: Dr. Antonis Gotsis, Feron Technologies P.C.

1.15k views • 25 slides
An Lightweight Infrastructure to Support Experimenting with Heterogeneous Transformations An

An Lightweight Infrastructure to Support Experimenting with Heterogeneous Transformations An

An Lightweight Infrastructure to Support Experimenting with Heterogeneous Transformations An Application of .NET Wolfgang Lohmann, Gnter Riedewald, Thomas Zhlke University of Rostock, Germany 31.5.2006 .Net Technologies 2006 1 Outline

541 views • 33 slides
Outline Introduction Variation Among Batches Variation Within Batches Experimenting

Outline Introduction Variation Among Batches Variation Within Batches Experimenting

Dennis R. Buckmaster Purdue University Agricultural & Biological Engineering Outline Introduction Variation Among Batches Variation Within Batches Experimenting on the farm How Example analysis Summary 1 Goals of

583 views • 22 slides
Experimenting Cognitive Radio Communication on FIT/CorteXlab Tanguy Risset and the FIT Team:

Experimenting Cognitive Radio Communication on FIT/CorteXlab Tanguy Risset and the FIT Team:

FIT/CorteXlab Experiment examples Links with R2Lab Conclusion Experimenting Cognitive Radio Communication on FIT/CorteXlab Tanguy Risset and the FIT Team: Leonardo Cardoso, Jean-Marie Gorce, Guillaume Villemaud, Florin Hutu, Matthieu Imbert,

512 views • 36 slides
Simulation for Experimenting HPC Systems Martin Quinson (Nancy University, France) et Al. Nancy,

Simulation for Experimenting HPC Systems Martin Quinson (Nancy University, France) et Al. Nancy,

Simulation for Experimenting HPC Systems Martin Quinson (Nancy University, France) et Al. Nancy, June 3 2010 Scientific Computation Applications Physics Nobel Price 1996 Classical Approaches in science and engineering Georges Smoot 1.

716 views • 53 slides
Experimenting along the road to 5G Adding adaptability to access networks Prof Luiz DaSilva

Experimenting along the road to 5G Adding adaptability to access networks Prof Luiz DaSilva

FUTEBOL Federated Union of Telecommunications Research Facilities for an EU-Brazil Open Laboratory Experimenting along the road to 5G Adding adaptability to access networks Prof Luiz DaSilva Trinity College Dublin WRNP Campos do Jordo, 7-8

557 views • 18 slides
Bioinformatics Vocabulary Processing, analyzing, experimenting with data Where does the

Bioinformatics Vocabulary Processing, analyzing, experimenting with data Where does the

Bioinformatics Vocabulary Processing, analyzing, experimenting with data Where does the data come from? How do we get it? What does it mean? What do we do with it? From nucleotide to protein to gene Identification is

452 views • 24 slides
Experimenting with quinoa: the Indian experience By: Atul Bhargava, Sudhir Shukla and Deepak Ohri

Experimenting with quinoa: the Indian experience By: Atul Bhargava, Sudhir Shukla and Deepak Ohri

International Quinoa Conference 2016: Quinoa for Future Food and Nutrition Security in Marginal Environments Dubai, 6-8 December 2016 www.quinoaconference.com Experimenting with quinoa: the Indian experience By: Atul Bhargava, Sudhir Shukla and

336 views • 30 slides
Samba, Quo Vadis? Experimenting with languages the Cool Kids use Kai Blin Samba Team SambaXP

Samba, Quo Vadis? Experimenting with languages the Cool Kids use Kai Blin Samba Team SambaXP

Samba, Quo Vadis? Experimenting with languages the Cool Kids use Kai Blin Samba Team SambaXP 2017 2017-05-03 Intro M.Sc. in Computational Biology Ph.D. in Microbiology Samba Team member 2/45 Overview Programming

776 views • 45 slides
Experimenting with Matrix federation over Yggdrasil Bachelor Semester Project Timothe Floure

Experimenting with Matrix federation over Yggdrasil Bachelor Semester Project Timothe Floure

Experimenting with Matrix federation over Yggdrasil Bachelor Semester Project Timothe Floure Responsible / Prof. Bryan Ford Supervisor / Cristina Basescu EPFL / DEDIS 2020-01-13 Timothe Floure (EPFL / DEDIS) Matrix over Yggdrasil

586 views • 20 slides
BISHOPS DAY in the Region MESSAGE CELEBRATIONS CHALLENGES CHALLENGES Trust CHALLENGES

BISHOPS DAY in the Region MESSAGE CELEBRATIONS CHALLENGES CHALLENGES Trust CHALLENGES

BISHOPS DAY in the Region MESSAGE CELEBRATIONS CHALLENGES CHALLENGES Trust CHALLENGES Urban Ministries CHALLENGES FINDING SHAPE for a CHANGING CHURCH CHALLENGES for GREATER NEW JERSEY 560 congregations 90,697 members

579 views • 15 slides
these paintings, as I feel this effects the overall experience of looking at them. I briefly

these paintings, as I feel this effects the overall experience of looking at them. I briefly

Exhibition 1 For the first exhibition of the Autumn term I was experimenting with different approaches to painting. Some paintings are more abstract than others. This would then help me decide which approach to take for future work/exhibitions.

181 views • 14 slides
Challenges & Opportunities for the Challenges & Opportunities for the Pharmaceutical

Challenges & Opportunities for the Challenges & Opportunities for the Pharmaceutical

Challenges & Opportunities for the Challenges & Opportunities for the Pharmaceutical Industry Dr Gino Martini FRPharmS EIPG President Why do I enjoy being an Industrial Pharmacist? Something happened here Sir Alexander Fleming & his

647 views • 46 slides
The technical and mathematical challenges What are the goals that set the challenges? We want

The technical and mathematical challenges What are the goals that set the challenges? We want

The technical and mathematical challenges What are the goals that set the challenges? We want maps that can yield an atomic model with a known accuracy, and we want to visualize conformational variability. We want tomograms of cells in which we

813 views • 37 slides
Innovations in Poverty Policy Herbert M.

Innovations in Poverty Policy Herbert M.

Innovations in Poverty Policy Herbert M. Singer Conference Series ' taubcenter.org.il Experimenting Basic Income (BI) in Finland

512 views • 19 slides
! ! ! Challenges ! From Microcredit to Microfinance ! ! ! ! Challenges ! Consistency -

! ! ! Challenges ! From Microcredit to Microfinance ! ! ! ! Challenges ! Consistency -

! Mutuelle ! ! de microfinance (Qubec) ! ! ! ! Challenges ! From Microcredit to Microfinance ! ! ! ! Challenges ! Consistency - Mission, vision ! Innovation ! Growth and profitability ! Governance ! Access ! Transition !

573 views • 15 slides
Challenges facing all Additional challenges providers for new providers

Challenges facing all Additional challenges providers for new providers

Challenges facing all Additional challenges providers for new providers Delivering Apprenticeship Standards Systems Data End Point Assessment Claims Reports 20% off the job training Audit

809 views • 41 slides
Computational, Statistical, and Mathematical Challenges in Astronomy The Challenges The

Computational, Statistical, and Mathematical Challenges in Astronomy The Challenges The

Christopher J. Miller Asst. Professor, Astronomy Computational, Statistical, and Mathematical Challenges in Astronomy The Challenges The Demand for Higher Precision Science The Hubble Constant The Challenges The Demand for Higher

504 views • 27 slides
Challenges and Opportunities Challenges and Opportunities Presented at the FANRPAN HASSP

Challenges and Opportunities Challenges and Opportunities Presented at the FANRPAN HASSP

Domestication of the Harmonised Seed Security Project (HASSP) through the Food, Agriculture and Natural R Resources Policy Analysis Network(FANRPAN) P li A l i N t k(FANRPAN) Challenges and Opportunities Challenges and Opportunities

676 views • 53 slides
Big Da Big Data ta Challenges Challenges in Delivering Health Coaching Interventions to the

Big Da Big Data ta Challenges Challenges in Delivering Health Coaching Interventions to the

Big Da Big Data ta Challenges Challenges in Delivering Health Coaching Interventions to the Home Holly Jimison, PhD, FACMI Consortium on Technology for Proactive Care College of Computer & Information Science & School of Nursing

551 views • 37 slides
The Need Advances and Challenges Related to The Need, Advances and Challenges Related to

The Need Advances and Challenges Related to The Need, Advances and Challenges Related to

The Need Advances and Challenges Related to The Need, Advances and Challenges Related to Wireless Body Area Network Communications Technology Richard Kramer and Jin Phyo (JP) Rhee Oregon State University What is a hero? What is a hero?

457 views • 41 slides

More recommend