Monitoring and analysis of network traffic for information security

Network traffic monitoring and analysis has several practical implications. It can be used for malicious or legitimate purposes and aimed at improving the quality of communications, enhancing the security of a system or extracting information via side channels. Such analysis can even cope with the use of encryption and obfuscation and extract meaningful information from huge amounts of Internet traffic.

First, this thesis explores its use to investigate the leakage of information from Skype, a widely used and encrypted VoIP application. VoIP has experienced tremendous growth over the last few years and is now widely used among the public and for business purposes. The security of such VoIP systems is often assumed, creating a false sense of privacy. Experiments have shown that isolated phonemes can be classified and given sentences can be identified. By using the DTW algorithm, frequently used in speech processing, an accuracy of 60% can be reached. The results can be further improved by choosing specific training data, reaching an accuracy of 83% under specific conditions. Since the initial results are speaker dependent, an approach involving the Kalman filter is proposed to extract the kernel of all training signals.

Second, the use of traffic monitoring and analysis for network security is investigated to detect hosts infected with the ZeuS botnet, a recent infamous trojan that steals banking information and one of the most prominent cyber threats to date. Cyber threats are becoming ever more sophisticated, persistent and difficult to detect. As highlighted by recent success stories of malware such as the ZeuS botnet, current defence solutions are not enough to thwart these threats. Therefore, it is of paramount importance to be able to detect and mitigate these kinds of malware. This work proposes a detailed analysis of the network communications that occur between a bot and its master as part of the command and control traffic. This research identifies six key attributes which provide a reliable way of detecting hosts infected by the ZeuS botnet. These discoveries are then used in combination with different machine learning algorithms in order to prove their validity. Finally, the use of IBM QRadar, a commercial SIEM product, to detect ZeuS-infected hosts is investigated.

Identifier: oai:union.ndltd.org:bl.uk/oai:ethos.bl.uk:601445
Date: January 2013
Creators: Dupasquier, Benoit
Publisher: Queen's University Belfast
Source Sets: Ethos UK
Detected Language: English
Type: Electronic Thesis or Dissertation