After many research efforts, Network Intrusion Detection Systems still have much room for improvement. This paper proposes a novel method for automatic and timely analysis of traffic generated by large networks, which is able to identify malicious external hosts even if their activities do not raise any alert by existing defensive systems. Our proposal focuses on periodic communications, since our experimental evaluation shows that they are more related to malicious activities, and it can be easily integrated with other detection systems. We highlight that periodic network activities can occur at very different intervals ranging from seconds to hours, hence a timely analysis of long time-windows of the traffic generated by large organizations is a challenging task in itself. Existing work is primarily focused on identifying botnets, whereas the method proposed in this paper has a broader target and aims to detect external hosts that are likely involved in any malicious operation. Since malware-related network activities can be considered as rare events in the overall traffic, the output of the proposed method is a manageable graylist of external hosts that are characterized by a considerably higher likelihood of being malicious compared to the entire set of external hosts contacted by the monitored large network. A thorough evaluation on a real large network traffic demonstrates the effectiveness of our proposal, which is capable of automatically selecting only dozens of suspicious hosts from hundreds of thousands, thus allowing security operators to focus their analyses on few likely malicious targets.
Identifying malicious hosts involved in periodic communications / Apruzzese, Giovanni; Marchetti, Mirco; Colajanni, Michele; GAMBIGLIANI ZOCCOLI, Gabriele; Guido, Alessandro. - 2017-(2017), pp. 1-8. ((Intervento presentato al convegno 16th IEEE International Symposium on Network Computing and Applications, NCA 2017 tenutosi a Cambridge, MA, USA nel October 30th, 2017.
Data di pubblicazione: | 2017 |
Data di prima pubblicazione: | ott-2017 |
Titolo: | Identifying malicious hosts involved in periodic communications |
Autore/i: | Apruzzese, Giovanni; Marchetti, Mirco; Colajanni, Michele; GAMBIGLIANI ZOCCOLI, Gabriele; Guido, Alessandro |
Autore/i UNIMORE: | |
Digital Object Identifier (DOI): | http://dx.doi.org/10.1109/NCA.2017.8171326 |
Codice identificativo Scopus: | 2-s2.0-85046449249 |
Codice identificativo ISI: | WOS:000426971900002 |
Nome del convegno: | 16th IEEE International Symposium on Network Computing and Applications, NCA 2017 |
Luogo del convegno: | Cambridge, MA, USA |
Data del convegno: | October 30th, 2017 |
Volume: | 2017- |
Pagina iniziale: | 1 |
Pagina finale: | 8 |
Citazione: | Identifying malicious hosts involved in periodic communications / Apruzzese, Giovanni; Marchetti, Mirco; Colajanni, Michele; GAMBIGLIANI ZOCCOLI, Gabriele; Guido, Alessandro. - 2017-(2017), pp. 1-8. ((Intervento presentato al convegno 16th IEEE International Symposium on Network Computing and Applications, NCA 2017 tenutosi a Cambridge, MA, USA nel October 30th, 2017. |
Tipologia | Relazione in Atti di Convegno |
File in questo prodotto:
File | Descrizione | Tipologia | |
---|---|---|---|
main.pdf | Articolo principale | Post-print dell'autore (bozza post referaggio) | Open Access Visualizza/Apri |

I documenti presenti in Iris Unimore sono rilasciati con licenza Creative Commons Attribuzione - Non commerciale - Non opere derivate 3.0 Italia, salvo diversa indicazione.
In caso di violazione di copyright, contattare Supporto Iris