PORTFILER: Port-Level Network Profiling for Self-Propagating Malware Detection

Recent self-propagating malware (SPM) campaigns have compromised hundreds of thousands of victim machines on the Internet. Detecting these attacks in their early stages is challenging: adversaries abuse common network services, use novel techniques, and can evade existing detection mechanisms. We propose PORTFILER (PORT-Level Network Traffic ProFILER), a new machine learning system applied to network traffic for detecting SPM attacks. PORTFILER extracts port-level features from Zeek connection logs collected at the border of a monitored network, applies anomaly detection techniques to identify suspicious events, and ranks the resulting alerts across ports for investigation by the Security Operations Center (SOC). We propose a novel ensemble methodology for aggregating the individual models in PORTFILER that increases resilience against several evasion strategies compared to standard ML baselines. We extensively evaluate PORTFILER on traffic collected from two university networks and show that it detects SPM attacks with different patterns, such as WannaCry and Mirai, and performs well under evasion. Ranking across ports achieves precision above 0.94 and false positive rates below 8 × 10⁻⁴ within the top 100 ranked alerts. When deployed on the university networks, PORTFILER detected anomalous SPM-like activity on one of the campus networks, which the university SOC confirmed as malicious. PORTFILER also detected a Mirai attack recreated on the two university networks with higher precision and recall than deep-learning-based autoencoder methods.
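The pipeline sketched in the abstract (per-port features from Zeek conn.log at the border, a per-port anomaly score, a cross-port ranking) can be made concrete with the following added example. It is not PORTFILER's code and does not reproduce the paper's feature set, models or ensemble: the four features, the 60-second window, the monitored 10.0.0.0/8 range, the standard-deviation floors and the "largest standardized deviation" scoring rule are all illustrative assumptions, and the conn.log it parses is constructed inline to mimic a quiet baseline followed by an SMB-scanning burst on TCP/445.

```python
# Added example (not PORTFILER's code): a minimal port-level profiler over Zeek
# conn.log. Features, window size, floors and the scoring rule are assumptions.
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

MONITORED_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: the campus range
# Zeek conn_state values with no completed handshake or an aborted/rejected one.
FAILED_STATES = {"S0", "REJ", "RSTO", "RSTOS0", "RSTR", "RSTRH", "SH", "SHR", "OTH"}
FEATURES = ("conns", "distinct_src", "distinct_dst", "failed_frac")
# Floors on the baseline std so a port with constant history cannot yield infinite z.
STD_FLOOR = {"conns": 1.0, "distinct_src": 1.0, "distinct_dst": 1.0, "failed_frac": 0.05}


def parse_conn_log(text):
    """Parse Zeek conn.log (TSV) into dicts keyed by the names in its #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def port_features(records, window_sec=60):
    """Aggregate inbound (external -> monitored) connections per (window, dst port).
    Windows in which a known port saw no traffic are filled with zero features."""
    acc = defaultdict(lambda: {"conns": 0, "src": set(), "dst": set(), "failed": 0})
    windows = set()
    for r in records:
        src, dst = ipaddress.ip_address(r["id.orig_h"]), ipaddress.ip_address(r["id.resp_h"])
        win = int(float(r["ts"]) // window_sec)
        windows.add(win)
        if src in MONITORED_NET or dst not in MONITORED_NET:
            continue                                  # outbound / transit: ignored here
        b = acc[(win, int(r["id.resp_p"]))]
        b["conns"] += 1
        b["src"].add(r["id.orig_h"])
        b["dst"].add(r["id.resp_h"])
        b["failed"] += r["conn_state"] in FAILED_STATES
    ports = {p for (_, p) in acc}
    feats = {}
    for win in windows:
        for p in ports:
            b = acc.get((win, p))
            if b is None:
                feats[(win, p)] = dict.fromkeys(FEATURES, 0.0)
            else:
                feats[(win, p)] = {"conns": b["conns"], "distinct_src": len(b["src"]),
                                   "distinct_dst": len(b["dst"]),
                                   "failed_frac": b["failed"] / b["conns"]}
    return feats


def fit_baselines(feats, train_windows):
    """Per-port (mean, floored std) of each feature over the training windows."""
    base = {}
    for p in {p for (_, p) in feats}:
        base[p] = {}
        for f in FEATURES:
            vals = [feats[(w, p)][f] for w in train_windows if (w, p) in feats]
            base[p][f] = (mean(vals), max(pstdev(vals), STD_FLOOR[f]))
    return base


def rank_ports(feats, base, window):
    """Score each port in `window` by its largest standardized deviation from its own
    baseline, so scores are comparable across ports; return (port, score, feature)
    sorted highest first. Negative deviations (a port going quiet) are not alerted."""
    ranked = []
    for p, b in base.items():
        x = feats.get((window, p), dict.fromkeys(FEATURES, 0.0))
        zs = {f: (x[f] - b[f][0]) / b[f][1] for f in FEATURES}
        top = max(zs, key=zs.get)
        ranked.append((p, round(zs[top], 2), top))
    return sorted(ranked, key=lambda t: -t[1])


def build_sample_log():
    """Constructed conn.log: five quiet minutes on TCP/22 and TCP/445, then a sixth
    minute in which 40 external hosts probe 445 across the /8 and get no reply (S0)."""
    hdr = "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state"
    rows = []
    for m in range(5):                                # baseline windows 0..4
        for i in range(3):
            rows.append((60 * m + 5 * i, f"198.51.100.{i + 1}", 22, f"10.0.0.{i + 1}", "SF"))
            rows.append((60 * m + 5 * i + 2, "203.0.113.7", 445, "10.0.1.5", "SF"))
    for i in range(40):                               # attack window 5
        rows.append((300 + i, f"192.0.2.{i + 1}", 445, f"10.0.{i // 4}.{i % 4 + 10}", "S0"))
    lines = [hdr] + [f"{ts:.6f}\tC{n}\t{s}\t{40000 + n}\t{d}\t{p}\ttcp\t{st}"
                     for n, (ts, s, p, d, st) in enumerate(rows)]
    return "\n".join(lines)


if __name__ == "__main__":
    feats = port_features(parse_conn_log(build_sample_log()))
    base = fit_baselines(feats, range(5))             # train on windows 0..4
    for port, score, feature in rank_ports(feats, base, 5):
        print(f"port {port:>5}  score {score:>6}  driven by {feature}")
```

Standardizing each port against its own history is what makes a single ranked list across ports meaningful: a jump from 1 to 40 distinct sources on TCP/445 outranks ordinary variation on a busy port, which is the property the abstract's cross-port ranking relies on.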
