- Title
- Classification of network information flow analysis (CONIFA) to detect new application versions
- Creator
- Azab, Ahmad
- Date
- 2015
- Type
- Text; Thesis; PhD
- Identifier
- http://researchonline.federation.edu.au/vital/access/HandleResolver/1959.17/97576
- Identifier
- vital:10237
- Identifier
- http://library.federation.edu.au/record=b2676969
- Abstract
Monitoring network traffic to identify applications or services is vital for internet service providers, network engineers and law enforcement agencies. Identifying applications enables network traffic to be prioritized and sophisticated plans for network infrastructure to be developed, and it facilitates the work of law enforcement agencies. Voice over IP (VoIP) and malware services are important to classify because legitimate users and cybercriminals respectively rely on them. This dissertation addresses the detection of these services, represented by Skype voice call traffic and Zeus command and control (C&C) traffic. Three major approaches have been used to fulfil the classification goal: port-based classification, deep packet inspection, and the use of statistical features in conjunction with machine learning algorithms. The latter addressed many of the limitations of the first two, but it still has limitations of its own. In particular, the machine learning approach has not deeply discussed detecting a new version of an application when the classifier is analysed and built on an old version. Yet the statistical feature values are not all the same across versions of Skype voice calls and Zeus C&C traffic, because different Skype versions use different codecs and different Zeus versions are produced by different malware builders. While some approaches other than machine learning have tackled the detection of different versions, none of them retains all the characteristics of the machine learning approach: online classification, support for various transport and application protocols, and no need to access the traffic of different devices, inspect packet content or monitor the traffic of different phases.
This research study aims to tackle this gap by proposing a novel framework called Classification of Network Information Flow Analysis (CONIFA). CONIFA detects untrained versions of a targeted application (Skype voice calls and Zeus C&C traffic) with a low detection time by analysing and building the classifier on a single, different version in a systematic and well-defined way, while providing online classification, supporting various transport and application protocols, and requiring no access to the traffic of different devices, to packet content, or to the traffic of different phases. CONIFA is not limited to a specific application and could be extended to other types of application. It builds its classifiers using cost-sensitive algorithms and several feature combinations, unlike the existing machine learning approach, which uses cost-insensitive algorithms and a single feature combination. The first phase outputs two classifiers, a lenient one and a strict one, which the next phase uses to detect untrained versions of the targeted application and to reduce the error rate. CONIFA's results for detecting an untrained version of Skype voice calls and of Zeus C&C traffic showed better detection performance than the previous approach. While the previous approach could not reliably detect new versions of VoIP, CONIFA consistently detected a previously unseen version. For botnet detection, the previous approach was effective at the network level, but CONIFA outperformed it in detecting a new version of a known piece of malware.
- Doctor of Philosophy
- Publisher
- Federation University Australia
- Rights
- Copyright (c) Ahmad Azab
- Rights
- Open Access
- Rights
- This metadata is freely available under a CC0 license
- Subject
- Network information flow analysis; CONIFA; Application versions
- Full Text
- Thesis Supervisor
- Stranieri, Andrew
File | Description | Size | Format
---|---|---|---
SOURCE1 | Australian Digital Thesis | 3 MB | Adobe Acrobat PDF