Network security is an important task of network management. One threat to network security is malware (malicious software), such as Code Red (2001), Mydoom (2004), Koobface (2008) and “Here you are” (2011). Modelling their propagation dynamics is essential for predicting their potential damage and developing countermeasures.
Our group has published a series of high-quality papers on modelling the propagation of malware. Accurate and realistic propagation models are a prerequisite for any convincing research into defence strategies against modern malware. We have divided the research on malware modelling into three stages: 1) modelling; 2) defence strategy; 3) locating the origin. Stage 2 concerns where to defend, when to defend and how many nodes in the network need to be defended; our recent research has focused on this stage. In the future we will also investigate methods to locate the origins of malware propagation. This problem has long been important but difficult to solve, and there are currently no techniques that effectively trace the origins. That is why the FBI has not caught any of the worm authors who created the most dangerous malware and caused great damage to the world.
Classified by propagation mechanism, current research covers propagation modelling of scanning worms (which scan the Internet for vulnerabilities and infect the victims they find) and topological worms (which infect victims found in the local information of compromised computers). The Code Red worm is a typical scanning worm, while the Koobface worm, which spreads on Facebook, is a typical topological worm. Classified by propagation medium, current research also covers propagation modelling on IP networks, online social networks, email networks and mobile networks.
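The two propagation mechanisms above behave very differently, and a small simulation makes the contrast concrete. The following Python is an added example, not code from the group or from any of its papers: it uses the textbook random-scanning epidemic equation dI/dt = (s/A)·I·(N − I) for scanning worms and a stochastic spread over a contact graph for topological worms. The population size, address space, scan rate and graph shape are all constructed for the illustration.

```python
"""Toy propagation models for scanning and topological worms (added example).

Scanning worms (Code Red style): dI/dt = (s/A) * I * (N - I), where s is the
scan rate per infected host, A the scanned address space and N the number of
vulnerable hosts. Topological worms (Koobface style): each infected node tries
every susceptible neighbour once per step with probability p_infect.
All parameters are constructed for illustration, not measured values.
"""
import random
from typing import Dict, List, Optional, Set


def simulate_scanning(n_vulnerable: int, address_space: int, scan_rate: float,
                      initial_infected: float, steps: int, dt: float = 1.0) -> List[float]:
    """Euler-integrate the random-scanning model; returns I(t) for each step."""
    beta = scan_rate / address_space          # chance one scan hits a given host
    infected = float(initial_infected)
    history = [infected]
    for _ in range(steps):
        infected += dt * beta * infected * (n_vulnerable - infected)
        infected = min(infected, float(n_vulnerable))   # cannot exceed population
        history.append(infected)
    return history


def time_to_fraction(history: List[float], fraction: float, population: int) -> Optional[int]:
    """First step at which at least `fraction` of the population is infected."""
    threshold = fraction * population
    for step, infected in enumerate(history):
        if infected >= threshold:
            return step
    return None


def path_graph(n_nodes: int, n_isolated: int = 0) -> Dict[int, List[int]]:
    """Constructed contact graph: a chain of n_nodes plus n_isolated loners."""
    graph: Dict[int, List[int]] = {i: [] for i in range(n_nodes + n_isolated)}
    for i in range(n_nodes - 1):
        graph[i].append(i + 1)
        graph[i + 1].append(i)
    return graph


def simulate_topological(graph: Dict[int, List[int]], seeds: Set[int], p_infect: float,
                         steps: int, seed: int = 0) -> List[int]:
    """Spread along graph edges only; returns the infected count per step."""
    rng = random.Random(seed)
    infected = set(seeds)
    history = [len(infected)]
    for _ in range(steps):
        newly: Set[int] = set()
        for node in infected:
            for neighbour in graph[node]:
                if neighbour in infected or neighbour in newly:
                    continue
                if rng.random() < p_infect:
                    newly.add(neighbour)
        infected |= newly                      # unreachable nodes stay clean forever
        history.append(len(infected))
    return history


if __name__ == "__main__":
    # 10,000 vulnerable hosts in a 2^24 address space, 100 scans per step each
    scan = simulate_scanning(10_000, 1 << 24, 100.0, 1, 400)
    print("scanning worm: half of hosts infected at step", time_to_fraction(scan, 0.5, 10_000))
    topo = simulate_topological(path_graph(10, n_isolated=2), {0}, 1.0, 20)
    print("topological worm on a 10-node chain + 2 isolated hosts:", topo[-1], "infected")
```

The scanning model needs no topology at all, which is why its growth depends only on the scan rate and the density of vulnerable hosts in the address space, whereas the topological run never reaches the two isolated nodes no matter how long it runs. That difference is what makes the choice of model the first decision in any propagation study.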
IP traceback is the task of finding the origin of an IP packet on the Internet without relying on the source IP address field. Because of the trusting nature of the IP protocol, the source address of a packet is not authenticated, so it can be falsified (IP address spoofing). Spoofed IP packets can be used in a range of attacks. The problem of finding the true source of a packet is called the IP traceback problem. IP traceback is a critical capability for identifying the sources of attacks and instituting protection measures for the Internet. Most existing approaches to this problem have been tailored toward DDoS attack detection.
We propose a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM), which gives a defence system the ability to find the real sources of attacking packets that traverse the network. While a number of other traceback schemes exist, FDPM provides innovative features for tracing the source of IP packets and achieves better tracing capability than the others. In particular, FDPM adopts a flexible mark length strategy to make it compatible with different network environments; it also adaptively changes its marking rate according to the load of the participating router through a flexible flow-based marking scheme. Evaluations on both simulation and a real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process, adds little additional load to routers and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism enables the system to achieve a satisfactory traceback result even when the router is heavily loaded. The motivation for this traceback system comes from DDoS defence. It has been used not only to trace DDoS attacking packets but also to enhance the filtering of attacking traffic, and it has wide applications in other security systems.
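To show what deterministic packet marking involves on each side, here is an added Python sketch; it is not FDPM's encoding or the group's code, and it assumes its own layout: an edge router writes one 8-bit fragment of its 32-bit address, a 2-bit fragment index and a 6-bit digest into a 16-bit mark on a fraction of forwarded packets, the victim groups marks by digest and reassembles the ingress address, and the marking rate falls as the router's load rises (a stand-in for an adaptive rate). Router addresses, load values and the digest function are constructed for the example.

```python
"""Simplified deterministic packet marking traceback (added example, not FDPM)."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MarkLayout:
    frag_bits: int = 8       # address bits carried per marked packet
    index_bits: int = 2      # position of the fragment in the address
    digest_bits: int = 6     # ties fragments of one router together

    @property
    def n_frags(self) -> int:
        return 32 // self.frag_bits


def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def digest(ip: int, layout: MarkLayout) -> int:
    """Fold the address down to digest_bits (a plain xor fold, not a MAC)."""
    h = ip ^ (ip >> 16)
    h ^= h >> 8
    return h & ((1 << layout.digest_bits) - 1)


def pack_mark(dg: int, idx: int, frag: int, layout: MarkLayout) -> int:
    return (dg << (layout.index_bits + layout.frag_bits)) | (idx << layout.frag_bits) | frag


def unpack_mark(mark: int, layout: MarkLayout) -> Tuple[int, int, int]:
    frag = mark & ((1 << layout.frag_bits) - 1)
    idx = (mark >> layout.frag_bits) & ((1 << layout.index_bits) - 1)
    return mark >> (layout.index_bits + layout.frag_bits), idx, frag


def mark_packet(router_ip: int, layout: MarkLayout, load: float,
                rng: random.Random) -> Optional[int]:
    """Edge router: return a mark for this packet, or None to forward it unmarked."""
    rate = max(0.1, 1.0 - load)         # assumed adaptive rate: fewer marks under load
    if rng.random() >= rate:
        return None
    idx = rng.randrange(layout.n_frags)
    frag = (router_ip >> (idx * layout.frag_bits)) & ((1 << layout.frag_bits) - 1)
    return pack_mark(digest(router_ip, layout), idx, frag, layout)


class Reconstructor:
    """Victim side: collect fragments per digest and rebuild full addresses."""

    def __init__(self, layout: MarkLayout) -> None:
        self.layout = layout
        self.frags: Dict[int, Dict[int, int]] = {}

    def observe(self, mark: Optional[int]) -> None:
        if mark is None:
            return
        dg, idx, frag = unpack_mark(mark, self.layout)
        # Two routers sharing a digest overwrite each other's fragments here; the
        # digest check in sources() rejects most mixtures, and the ones it misses
        # are exactly the false positives a real scheme must keep low.
        self.frags.setdefault(dg, {})[idx] = frag

    def sources(self) -> List[int]:
        found = []
        for dg, parts in self.frags.items():
            if len(parts) < self.layout.n_frags:
                continue                          # still waiting for a fragment
            ip = 0
            for idx, frag in parts.items():
                ip |= frag << (idx * self.layout.frag_bits)
            if digest(ip, self.layout) == dg:
                found.append(ip)
        return found


def run_traceback(router_ips: List[int], layout: MarkLayout, packets_per_router: int,
                  load: float, seed: int) -> Tuple[List[int], int]:
    """Several ingress routers forward traffic to one victim; returns (sources, sent)."""
    rng, victim, sent = random.Random(seed), Reconstructor(layout), 0
    for _ in range(packets_per_router):
        for ip in router_ips:
            victim.observe(mark_packet(ip, layout, load, rng))
            sent += 1
    return victim.sources(), sent


def packets_needed(router_ip: int, layout: MarkLayout, load: float, seed: int,
                   cap: int = 10_000) -> Tuple[int, Optional[int]]:
    """Count packets until the victim can name this router (or give up at cap)."""
    rng, victim = random.Random(seed), Reconstructor(layout)
    for count in range(1, cap + 1):
        victim.observe(mark_packet(router_ip, layout, load, rng))
        if router_ip in victim.sources():
            return count, router_ip
    return cap, None
```

Running `packets_needed` at several load values shows the trade-off the text describes: with four fragments and a full marking rate the victim typically needs only a handful of packets, and at high load the count grows roughly in proportion to the reduced marking rate, which is why a router under overload still needs a floor on how often it marks.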
Traffic classification is the process of classifying network traffic into a set of categories according to the applications that generate it. It is the basis of numerous network activities, from security monitoring to intrusion detection, and from Quality of Service to Lawful Interception.
There are three main approaches in this field: port-number based, payload based and statistical-characteristics based. Because of the ineffectiveness and privacy issues of the first two, which inspect each packet's header or payload, the research community has focused on the statistical-features based approach in recent years. This approach collects statistical features from a group of packets, and has been shown to be effective and efficient. Most importantly, it can benefit from work in machine learning. Nevertheless, some problems remain unsolved in the statistical-characteristics based technique, for example how to achieve high accuracy with a given amount of training data.
Our main research is therefore focused on statistical-characteristics based traffic classification using machine learning algorithms.
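The following added Python example (not the group's classifier or data) shows the statistical-features pipeline end to end: per-flow features are computed from packet timestamps and sizes only, without touching any payload, and a nearest-centroid classifier on z-scored features is trained and evaluated. The two application classes ("voip" and "web"), their packet-size and inter-arrival distributions and the small-packet threshold are all constructed for the illustration and are not drawn from real captures.

```python
"""Flow-feature traffic classification with a nearest-centroid model (added example)."""
import math
import random
from typing import Dict, List, Tuple

Packet = Tuple[float, int]          # (timestamp in seconds, size in bytes); no payload
SMALL_PACKET = 300                  # assumed threshold for the "small packet" feature


def flow_features(packets: List[Packet]) -> List[float]:
    """Statistical features of one flow: count, mean/std size, mean gap, small-packet share."""
    sizes = [s for _, s in packets]
    times = [t for t, _ in packets]
    gaps = [b - a for a, b in zip(times, times[1:])] or [0.0]
    n = len(sizes)
    mean_size = sum(sizes) / n
    std_size = math.sqrt(sum((s - mean_size) ** 2 for s in sizes) / n)
    mean_gap = sum(gaps) / len(gaps)
    small_frac = sum(1 for s in sizes if s < SMALL_PACKET) / n
    return [float(n), mean_size, std_size, mean_gap, small_frac]


def synth_flow(kind: str, rng: random.Random) -> List[Packet]:
    """Constructed traffic with class-specific size and timing profiles (not real captures)."""
    if kind == "voip":      # many small, evenly spaced packets
        n, size_mu, size_sd, gap_mu = rng.randint(150, 250), 160, 10, 0.02
    elif kind == "web":     # few large, bursty packets
        n, size_mu, size_sd, gap_mu = rng.randint(8, 25), 1100, 300, 0.3
    else:
        raise ValueError(kind)
    t, packets = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1.0 / gap_mu)
        packets.append((t, max(40, int(rng.gauss(size_mu, size_sd)))))
    return packets


class NearestCentroidClassifier:
    """Z-score each feature on the training set, then pick the closest class centroid."""

    def __init__(self) -> None:
        self.mu: List[float] = []
        self.sd: List[float] = []
        self.centroids: Dict[str, List[float]] = {}

    def _scale(self, f: List[float]) -> List[float]:
        return [(x - m) / s for x, m, s in zip(f, self.mu, self.sd)]

    def fit(self, samples: List[Tuple[List[float], str]]) -> None:
        dims = len(samples[0][0])
        cols = [[f[d] for f, _ in samples] for d in range(dims)]
        self.mu = [sum(c) / len(c) for c in cols]
        # a constant feature gets sd 1.0 so scaling never divides by zero
        self.sd = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
                   for c, m in zip(cols, self.mu)]
        by_label: Dict[str, List[List[float]]] = {}
        for f, label in samples:
            by_label.setdefault(label, []).append(self._scale(f))
        self.centroids = {label: [sum(v[d] for v in vecs) / len(vecs) for d in range(dims)]
                          for label, vecs in by_label.items()}

    def predict(self, f: List[float]) -> str:
        z = self._scale(f)
        return min(self.centroids,
                   key=lambda lab: sum((a - b) ** 2 for a, b in zip(z, self.centroids[lab])))


def build_classifier(seed: int, per_class: int) -> NearestCentroidClassifier:
    rng = random.Random(seed)
    samples = [(flow_features(synth_flow(kind, rng)), kind)
               for kind in ("voip", "web") for _ in range(per_class)]
    clf = NearestCentroidClassifier()
    clf.fit(samples)
    return clf


def train_and_evaluate(train_seed: int, test_seed: int, per_class: int) -> float:
    """Accuracy on held-out constructed flows generated with a different seed."""
    clf = build_classifier(train_seed, per_class)
    rng = random.Random(test_seed)
    correct = total = 0
    for kind in ("voip", "web"):
        for _ in range(per_class):
            correct += clf.predict(flow_features(synth_flow(kind, rng))) == kind
            total += 1
    return correct / total
```

The point worth noticing is how little the classifier needs: five numbers per flow, none of which reveal content, which is what sidesteps the privacy problem of payload inspection. The open question the text raises, accuracy against the size of the training set, can be explored directly by lowering `per_class` in `train_and_evaluate` and watching where accuracy starts to fall.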
We have received funding from the Australian government, universities, and our industry partners. The ARC projects that we have received in the last five years are listed as follows.
Wanlei Zhou and Yang Xiang
ARC Discovery Project DP140103649, 2014-2016.
Yang Xiang, Wanlei Zhou, Vijay Varadharajan, and Jonathan Oliver
ARC Linkage Project LP120200266, 2012-2015.
Bernard F. Rolfe, Peter D. Hodgson, Maria Forsyth, Yong Xiang, Matthew C. Doolan, and Michael P. Pereira
ARC Linkage Projects LP120100239, 2012-2014.
Yong Xiang and Yue Rong
ARC Discovery Projects DP110102076, 2011-2013.
Wanlei Zhou and Yang Xiang
ARC Linkage Project LP100100208, 2010-2012.
Wanlei Zhou and Robin Doss
ARC Linkage Project LP100100816, 2010-2012.
Yang Xiang, Wanlei Zhou, and Yong Xiang
ARC Discovery Project DP1095498, 2010-2012.
Yong Xiang and Hieu Trinh
ARC Discovery Project DP0773446, 2007-2009.
Wanlei Zhou and Yang Xiang
Accurate and efficient network traffic classification based on our latest research outcomes.