Analyses on Distribution of Malicious Packets and Threats over the Internet
Mitsubishi Research Institute, Inc. – APAN Network Research Workshop, August 27-31, 2007
Title slide: Analyses on Distribution of Malicious Packets and Threats over the Internet
APAN Network Research Workshop, August 27-31, 2007
Masaki Ishiguro *1), Shigeki Goto *2), Hironobu Suzuki *2), Ichiro Murase *1)
*1) Mitsubishi Research Institute, Inc   *2) Waseda University

Outline
1. Introduction
   – Goal and motivations
   – Background history
   – System overview
2. A threat evaluation method
   – Evaluation approach
   – Calculation method
3. Experiment results
   – MS SQL incident
   – Windows file share incident
4. Conclusion and future work

Our Goal and Motivations
Several Internet monitoring systems are already deployed. Ours is designed to:
– Find "new" threats without human analysts
– Run 24 hours a day, 7 days a week, because threats occur at any time and the system never sleeps
– Find threats in a huge amount of data
– Make the report accessible at any time from anywhere

Background History
– 1999: CLSCAN, a "pretty print" tool for the syslog of my router
– February 2001: the WCLSCAN concept appeared in the paper "Internet security analysis using packet filter log", SEA Software Symposium 2001, before the Internet Storm Center (March 2001)
– 2002: the WCLSCAN project was started as a wide-area version of CLSCAN
– 2003: the early version of WCLSCAN; a "threat calculation using Bayesian estimation" unit was added
– April 2004: alerts and information provided with 4 sensor boxes
– September 2005: official site; a threat evaluation method (today's topic)

Our Internet Monitoring System
System diagram: sensors capture malicious packets on the Internet and send encrypted data to the WCLSCAN data server, which stores them in a log DB (SQL). The analysis stage produces time-series access-frequency graphs, graph analysis, threat evaluation and threat-level graphs.
Sample sensor log lines (sensor name, month, day, time, destination port/protocol):
mn128,may,13,05:40:11,111/tcp
mn128,may,13,10:12:55,111/tcp
mn128,may,13,10:13:04,111/tcp
mn128,may,13,12:35:05,111/tcp
mn128,may,13,12:35:05,111/tcp,
mn128,may,13,20:25:27,111/tcp,
mn128,may,13,20:25:30,111/tcp,

Monitored Data
Each record contains:
– Date/time of the packet (year, month, day, time)
– Protocol type (TCP, UDP, ICMP)
– Source IP address
– Source port
– Destination IP address
– Destination port

Related Work
Existing approaches can be classified along two axes: macro-analysis (population-based) vs. micro-analysis (behavior-based), and temporal-feature analysis vs. spatial-feature analysis. Methods surveyed: Bayesian estimation [1], wavelet analysis, frequency deviation score, auto-correlation analysis, port correlations, graph analysis, frequent port and IP extraction, destination port sequence mining, destination entropy and source entropy [2], infection rate estimation by Kalman filter [3], anomaly component analysis.

Evolution of Threat Evaluation Approach
1. Statistical analysis of malicious packet counts
2. Unique source IP addresses (infected hosts)
3. Analysis of graph structure, which considers the vulnerability of destination ports as well as the increase in unique source addresses

Example of distribution of source IP addresses (figure: scatter plots of source address octets 1-3 and octets 2-4)

Relation between Threats and Vulnerability
The access graph is bipartite: source IP addresses on one side, destination ports (sensor IP × port) on the other, here for the sensor addresses xxx.xxx.xxx.220 and xxx.xxx.xxx.225. Threat levels are attached to sources and vulnerability to destination ports.
Relationship 1: the vulnerability of a destination port is higher if it receives packets from many different source addresses with higher threat levels.
Relationship 2: the threat level of a source address is higher if it sends more packets to vulnerable destination ports.

Threat Calculation Method
A threat vector (one entry per source address) and a vulnerability vector (one entry per destination port) are coupled through a weight matrix W built from the access graph: Relationship 1 maps the threat vector to the vulnerability vector and Relationship 2 maps the vulnerability vector back to the threat vector. Substituting one into the other gives eigenvalue equations in W (shown on the slide), whose solutions are the threat and vulnerability vectors.
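To make the Monitored Data, Relationship and Threat Calculation slides concrete, here is an added example that is not the authors' WCLSCAN code. It builds the source × (sensor IP, port) access graph from constructed records, applies Relationship 1 and Relationship 2 alternately as a power iteration (which converges to the dominant eigenvectors of W·Wᵀ and Wᵀ·W), and compares the result with the traditional packet count and unique-source measures. Everything the slides leave open is an assumption here: binary edge weights, L2 normalisation after each step, the CSV layout (taken from the Monitored Data field list; the page's own sample log lines carry no source address), and the placeholder addresses 192.0.2.220/.225 for the sensors and documentation-range source addresses.

```python
"""Access-graph threat evaluation: added example, not the WCLSCAN code.
Bipartite graph: source IPs on one side, (sensor IP, port/proto) nodes on
the other.  ASSUMED (not on the page): binary weights W[src][dst] = 1 if src
ever hit dst, L2 normalisation per step, and the CSV layout below built from
the 'Monitored Data' field list.  Addresses are documentation-range stand-ins.
"""
import math
from collections import defaultdict

# Constructed sample log: date,time,proto,src_ip,src_port,dst_ip(sensor),dst_port
# 198.51.100.10 hammers one port nobody else touches; two other hosts each
# probe 1433/tcp and 139/tcp on both sensors (a worm-like pattern).
SAMPLE_LOG = """\
2005-07-13,05:40:11,tcp,198.51.100.10,4123,192.0.2.220,111
2005-07-13,05:41:02,tcp,198.51.100.10,4124,192.0.2.220,111
2005-07-13,05:41:48,tcp,198.51.100.10,4125,192.0.2.220,111
2005-07-13,05:42:30,tcp,198.51.100.10,4126,192.0.2.220,111
2005-07-13,05:44:05,tcp,198.51.100.10,4128,192.0.2.220,1433
2005-07-13,06:10:01,tcp,203.0.113.5,1039,192.0.2.220,1433
2005-07-13,06:10:01,tcp,203.0.113.5,1040,192.0.2.220,139
2005-07-13,06:10:03,tcp,203.0.113.5,1041,192.0.2.225,1433
2005-07-13,06:10:03,tcp,203.0.113.5,1042,192.0.2.225,139
2005-07-13,06:12:44,tcp,203.0.113.77,2201,192.0.2.220,1433
2005-07-13,06:12:44,tcp,203.0.113.77,2202,192.0.2.220,139
2005-07-13,06:12:46,tcp,203.0.113.77,2203,192.0.2.225,1433
2005-07-13,06:12:46,tcp,203.0.113.77,2204,192.0.2.225,139
"""

def parse_log(text):
    """One (src_ip, (sensor_ip, 'port/proto')) edge per packet record."""
    edges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _d, _t, proto, src_ip, _sp, dst_ip, dst_port = line.split(",")
        edges.append((src_ip, (dst_ip, f"{dst_port}/{proto}")))
    return edges

def packet_counts(edges):
    """Traditional measure: malicious packets per source address."""
    counts = defaultdict(int)
    for src, _ in edges:
        counts[src] += 1
    return dict(counts)

def unique_sources(edges):
    """Second-generation measure: distinct sources per destination node."""
    seen = defaultdict(set)
    for src, dst in edges:
        seen[dst].add(src)
    return {dst: len(srcs) for dst, srcs in seen.items()}

def build_weight_matrix(edges):
    """Sparse W[src][dst]; binary weighting is this example's assumption."""
    W = defaultdict(dict)
    for src, dst in edges:
        W[src][dst] = 1.0
    return W

def _normalize(vec):
    norm = math.sqrt(sum(v * v for v in vec.values()))
    for k in vec:
        vec[k] /= norm

def evaluate_threats(W, iterations=100, tol=1e-9):
    """Power iteration on the two relationships: threat converges to the
    dominant eigenvector of W W^T, vulnerability to that of W^T W."""
    sources = list(W)
    dests = sorted({d for row in W.values() for d in row})
    threat = {s: 1.0 for s in sources}
    vuln = {d: 1.0 for d in dests}
    for _ in range(iterations):
        # Relationship 1: more (and more threatening) sources -> more vulnerable port
        new_vuln = {d: 0.0 for d in dests}
        for src, row in W.items():
            for dst, w in row.items():
                new_vuln[dst] += w * threat[src]
        _normalize(new_vuln)
        # Relationship 2: hitting more vulnerable ports -> more threatening source
        new_threat = {src: sum(w * new_vuln[dst] for dst, w in row.items())
                      for src, row in W.items()}
        _normalize(new_threat)
        delta = max(abs(new_threat[s] - threat[s]) for s in sources)
        threat, vuln = new_threat, new_vuln
        if delta < tol:
            break
    return threat, vuln

def rank(vec):
    """Keys of vec from highest to lowest score."""
    return sorted(vec, key=vec.get, reverse=True)

if __name__ == "__main__":
    edges = parse_log(SAMPLE_LOG)
    threat, vuln = evaluate_threats(build_weight_matrix(edges))
    print("by packet count :", rank(packet_counts(edges)))
    print("by graph threat :", rank(threat))
    top = rank(vuln)[0]
    print("most vulnerable :", top, "unique sources:", unique_sources(edges)[top])
```

On this input the packet-count ranking puts the single-port scanner 198.51.100.10 first, while the graph method ranks it last (about 0.32 of the other hosts' threat score) and marks 1433/tcp on the .220 sensor as the most vulnerable node, because it is the port shared by every source. Raw packet counts as edge weights would let one noisy source dominate the eigenvector, which is why the weighting is left as a choice here, matching the authors' listed future work on edge-weight optimisation.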

Experiment 1: Port 1433 incident (MS SQL), July 2005 (figure only)

Experiment 2: Port 139 incident (Windows file share), June 2005 (figure only)

Conclusion and Future Work
1. We proposed a new threat evaluation method based on the structure of the access graph, which is quite different from traditional methods based on the number of malicious packets.
2. We demonstrated examples in which our method responds better than the number of malicious packets.
Future work:
1. Optimization of the edge weights of the access graph
2. Optimization of the unit time of our graph analysis
3. Evaluation of the strengths and weaknesses of our method depending on the type of incident

WCLSCAN official site