After many research efforts, Network Intrusion Detection Systems still have much room for improvement. This paper proposes a novel method for automatic and timely analysis of traffic generated by large networks, which is able to identify malicious external hosts even if their activities do not raise any alert by existing defensive systems. Our proposal focuses on periodic communications, since our experimental evaluation shows that they are more related to malicious activities, and it can be easily integrated with other detection systems. We highlight that periodic network activities can occur at very different intervals ranging from seconds to hours, hence a timely analysis of long time-windows of the traffic generated by large organizations is a challenging task in itself. Existing work is primarily focused on identifying botnets, whereas the method proposed in this paper has a broader target and aims to detect external hosts that are likely involved in any malicious operation. Since malware-related network activities can be considered as rare events in the overall traffic, the output of the proposed method is a manageable graylist of external hosts that are characterized by a considerably higher likelihood of being malicious compared to the entire set of external hosts contacted by the monitored large network. A thorough evaluation on a real large network traffic demonstrates the effectiveness of our proposal, which is capable of automatically selecting only dozens of suspicious hosts from hundreds of thousands, thus allowing security operators to focus their analyses on few likely malicious targets.

Identifying malicious hosts involved in periodic communications / Apruzzese, Giovanni; Marchetti, Mirco; Colajanni, Michele; GAMBIGLIANI ZOCCOLI, Gabriele; Guido, Alessandro. - 2017-:(2017), pp. 11-18. (Intervento presentato al convegno 16th IEEE International Symposium on Network Computing and Applications, NCA 2017 tenutosi a Cambridge, MA, USA nel October 30th, 2017) [10.1109/NCA.2017.8171326].

Identifying malicious hosts involved in periodic communications

Giovanni Apruzzese;Mirco Marchetti;Michele Colajanni
;
Gabriele Gambigliani Zoccoli;Alessandro Guido
2017

Abstract

After many research efforts, Network Intrusion Detection Systems still have much room for improvement. This paper proposes a novel method for automatic and timely analysis of traffic generated by large networks, which is able to identify malicious external hosts even if their activities do not raise any alert by existing defensive systems. Our proposal focuses on periodic communications, since our experimental evaluation shows that they are more related to malicious activities, and it can be easily integrated with other detection systems. We highlight that periodic network activities can occur at very different intervals ranging from seconds to hours, hence a timely analysis of long time-windows of the traffic generated by large organizations is a challenging task in itself. Existing work is primarily focused on identifying botnets, whereas the method proposed in this paper has a broader target and aims to detect external hosts that are likely involved in any malicious operation. Since malware-related network activities can be considered as rare events in the overall traffic, the output of the proposed method is a manageable graylist of external hosts that are characterized by a considerably higher likelihood of being malicious compared to the entire set of external hosts contacted by the monitored large network. A thorough evaluation on a real large network traffic demonstrates the effectiveness of our proposal, which is capable of automatically selecting only dozens of suspicious hosts from hundreds of thousands, thus allowing security operators to focus their analyses on few likely malicious targets.
2017
ott-2017
16th IEEE International Symposium on Network Computing and Applications, NCA 2017
Cambridge, MA, USA
October 30th, 2017
2017-
11
18
Apruzzese, Giovanni; Marchetti, Mirco; Colajanni, Michele; GAMBIGLIANI ZOCCOLI, Gabriele; Guido, Alessandro
Identifying malicious hosts involved in periodic communications / Apruzzese, Giovanni; Marchetti, Mirco; Colajanni, Michele; GAMBIGLIANI ZOCCOLI, Gabriele; Guido, Alessandro. - 2017-:(2017), pp. 11-18. (Intervento presentato al convegno 16th IEEE International Symposium on Network Computing and Applications, NCA 2017 tenutosi a Cambridge, MA, USA nel October 30th, 2017) [10.1109/NCA.2017.8171326].
File in questo prodotto:
File Dimensione Formato  
main.pdf

Open access

Descrizione: Articolo principale
Tipologia: Versione dell'autore revisionata e accettata per la pubblicazione
Dimensione 1.67 MB
Formato Adobe PDF
1.67 MB Adobe PDF Visualizza/Apri
Pubblicazioni consigliate

Licenza Creative Commons
I metadati presenti in IRIS UNIMORE sono rilasciati con licenza Creative Commons CC0 1.0 Universal, mentre i file delle pubblicazioni sono rilasciati con licenza Attribuzione 4.0 Internazionale (CC BY 4.0), salvo diversa indicazione.
In caso di violazione di copyright, contattare Supporto Iris

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11380/1149183
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 16
  • ???jsp.display-item.citation.isi??? 10
social impact