Jan Jusko
Cisco Systems, Inc.
Publication
Featured research published by Jan Jusko.
Proceedings of the 1st International Workshop on Agents and CyberSecurity | 2014
Jan Jusko; Martin Rehak; Tomas Pevny
Connection graphs are often used for network traffic classification and P2P network analysis. With the appearance of Software Defined Networks (SDN), a novel approach to proactive distributed network management based on the multiagent paradigm, there is a need to develop specialized graph representations. Once transmitted between elements of an SDN network, they provide answers to specific queries while protecting other information about the graph. In this paper we propose one such graph representation based on Bloom Filters and show that it provides a considerable reduction of required memory and strong privacy while keeping a low false positive rate that does not have a negative impact on its intended use.
IEEE Intelligent Systems | 2016
Jan Jusko; Martin Rehak; Jan Stiborek; Jan Kohout; Tomas Pevny
Malware authors and operators typically collaborate to achieve the optimal profit. They also frequently change their behavior and resources to avoid detection. The authors propose a social similarity metric that exploits these relationships to improve the effectiveness and stability of the threat propagation algorithm typically used to discover malicious collaboration. Furthermore, they propose behavioral modeling as a way to group similarly behaving servers, enabling extension of the ground truth that's so expensive to obtain in the field of network security. The authors also show that seeding the threat propagation algorithm from a set of coherently behaving servers (instead of from a single known malicious server identified by threat intelligence) makes the algorithm far more effective and significantly more robust, without compromising the precision of findings.
Networks | 2014
Jan Jusko; Martin Rehak
In this paper we present a unified solution to identify peer-to-peer (P2P) communities operating in the network. We propose an algorithm that is able to progressively discover nodes cooperating in a P2P network and to identify that P2P network. Starting from a single known node, we can easily identify other nodes in the P2P network, through the analysis of widely available and standardized IPFIX (NetFlow) data. Instead of relying on the analysis of content characteristics or packet properties, we monitor connections of known nodes in the network and then progressively discover other nodes through the analysis of their mutual contacts. We show that our method is able to discover cooperating nodes in many P2P networks and present the real computational requirements of the algorithm on a large network. The use of standardized input data allows for easy deployment onto real networks.
International Conference on Security and Privacy in Communication Systems | 2012
Jan Jusko; Martin Rehak
In this paper we present an algorithm that is able to progressively discover nodes cooperating in a P2P network. Starting from a single known node, we can easily identify other nodes in the peer-to-peer network, through the analysis of widely available and standardized IPFIX (NetFlow) data. Instead of relying on the analysis of content characteristics or packet properties, we monitor connections of known nodes in the network and then progressively discover other nodes through the analysis of their mutual contacts. We show that our method is able to discover all cooperating nodes in many P2P networks. The use of standardized input data allows for easy deployment onto real networks. Moreover, because this approach requires only short processing times, it scales very well in larger and higher speed networks.
International Conference on Wireless Communications and Mobile Computing | 2012
Jan Jusko; Martin Rehak
In this paper we present an algorithm that is able to progressively discover nodes of a Skype overlay P2P network. Starting from a single, known Skype node, we can easily identify other Skype nodes in the network, through the analysis of widely available and standardized IPFIX (NetFlow) data. Instead of relying on the analysis of content characteristics or packet properties, we monitor connections of known Skype nodes in the network and then progressively discover other nodes through the analysis of their mutual contacts. We show that our results are comparable to the methods using more complex data analytics. The use of standardized input data allows for easy deployment onto real networks. Moreover, because this approach requires only short processing times, it scales very well in larger and higher speed networks.
Trans. Computational Collective Intelligence | 2014
Jan Stiborek; Martin Grill; Martin Rehak; Karel Bartos; Jan Jusko
We present a self-adaptation mechanism for a network intrusion detection system based on the use of game-theoretical formalism. The key innovation of our method is a secure runtime definition and solution of the game and real-time use of game solutions for immediate system reconfiguration. Our approach is suited for realistic environments where we typically lack any ground truth information regarding traffic legitimacy/maliciousness and where a significant portion of system inputs may be shaped by the attacker in order to render the system ineffective. Therefore, we rely on the concept of challenge insertion: we inject a small sample of simulated attacks into the unknown traffic and use the system response to these attacks to define the game structure and utility functions. This approach is also advantageous from the security perspective, as the manipulation of the adaptive process by the attacker is far more difficult.
Traffic Monitoring and Analysis | 2012
Jan Jusko; Martin Rehak
In this paper we present an algorithm that is able to progressively discover nodes of a Skype overlay P2P network, most notably super nodes in the network core. Starting from a single, known Skype node, we can easily identify other Skype nodes in the network, through the analysis of widely available and standardized IPFIX (NetFlow) data. Instead of relying on the analysis of content characteristics or packet properties of the flow itself, we monitor connections of known Skype nodes in the network and then progressively discover the other nodes through the analysis of their mutual contacts.
Practical Applications of Agents and Multi-Agent Systems | 2012
Jan Stiborek; Martin Grill; Martin Rehak; Karel Bartos; Jan Jusko
We present a self-adaptation mechanism for a Network Intrusion Detection System which uses a game-theoretical mechanism to increase system robustness against targeted attacks on IDS adaptation. This system has been used to ensure the robustness of commercially provided software used by clients throughout the world. It is particularly important to prevent the long-term persistence of advanced attackers operating in the compromised networks by relying on the game-theoretical mechanism to ensure the long-term diversity of the detection boundary.
Archive | 2016
Jan Kohout; Jan Jusko; Tomas Pevny; Martin Rehak
Archive | 2014
Ivan Nikolaev; Martin Grill; Jan Jusko