DoWitcher: Effective Worm Detection and Containment in the Internet Core. S. Ranjan et al., INFOCOM 2007. Presented by: Sailesh Kumar.

2 - Sailesh Kumar - 10/15/2015 - Worm Detection
- Two well-known approaches
  - Content filtering
    - Parse the packet payload and match it against known signatures
    - On-line => quick detection
    - Effective for known threats
    - Problem: effective only for known threats, and it parses the entire data stream, which is not efficient
  - Anomaly detection
    - Examine the distribution of layer-4 features
    - The presence of a worm disturbs the normal statistical characteristics
    - Detect such changes by Principal Component Analysis or Residual State Analysis
    - Off-line => slow detection
    - Problem: off-line algorithms are slow
    - The paper claims that such methods are robust, which may not be true!

3 - DoWitcher
- DoWitcher is a hybrid of these two approaches
- Objective
  - Avoid parsing the payload of all flows
  - Perform anomaly detection on-line
- Solution
  - First examine layer-4 traffic features to identify an anomaly
  - Generate a flow filter mask that identifies the anomalous flows
  - Create a payload signature from these anomalous flows
  - Perform payload inspection of the anomalous flows only

4 - DoWitcher Architecture
- Multiple DLAs are deployed in the network. Each DLA:
  - Performs flow reconstruction
  - Extracts the key features
  - Sends this information to the GLA
- The GLA:
  - Extracts histograms of the key features and computes their entropies
  - Groups all entropies into a single PMER metric
  - Profiles normal traffic and generates an alert in case of deviation
  - Composes a policy rule (flow filter) for the worm activity
  - Sends the policy to the DLAs, which then begin complete payload extraction for the matching flows

5 - DoWitcher Architecture: Features
- Extract the following features
  - Source ip_address
  - Source port
  - Destination ip_address
  - Destination port
  - Flow_size
- Attack
  - Scanning: the distribution of source_ip will be skewed towards the scanning hosts' IPs
  - Scanning: generally the destination port is also skewed
    - Sapphire worm: destination port 1434
    - Code Red worm: destination port 80
    - Welchia worm: destination port 135
  - The flow_size histogram also gets skewed towards the flow size used by the worm

6 - Per Feature Entropy Computation
- Use entropy to detect changes in a feature histogram
  - Monitor feature X of a set of flows A
  - $M_X(x)$ is the frequency distribution of feature X, i.e. the number of times we see an element $x \in X$
    - In time window i: $M_X^i(x) = \{x_i\}$
  - Empirical probability distribution: $P_X^i(x) = \{p_X^i(x) \mid p_X^i(x) = x_i / m_X\}$, where $m_X = \sum_x x_i$
  - Information entropy: $H_X^i = -\sum_{x} p_X^i(x) \log p_X^i(x)$
    - Low entropy indicates high probability in a few elements (concentrated usage of some port, high traffic from some source)
    - High entropy indicates more uniform usage (random scan of destination IPs, variable source port)
    - $H_X^i$ lies between 0 and $\log N_X$, where $N_X$ is the maximum number of distinct values of X
  - Normalize $H_X^i$ by $\log N_X$; the result is called Relative Uncertainty (RU): $RU_X^i = H_X^i / \log N_X$

7 - PMER Computation
- During a worm outbreak, the Relative Uncertainties of at least two of the five features diverge [5].
- Use PMER (Pair-wise Marginal Entropy Ratio)
  - F denotes the set of features (|F| = 5)
  - (X, Y) denotes a pair of different features
  - Instantaneous ratio between two marginal RUs: $R_{XY}^i = RU_X^i / RU_Y^i$
  - Average of $R_{XY}$ over the last $N_S$ time windows: $\bar{R}_{XY}^i = \frac{1}{N_S} \sum_{k=i-N_S}^{i-1} R_{XY}^k$
- PMER is the maximum over all feature pairs (X, Y) of the ratio between the instantaneous ratio of the marginal RUs ($H_X$, $H_Y$) and its average computed over the last $N_S$ time windows: $PMER^i = \max_{(X,Y)} R_{XY}^i / \bar{R}_{XY}^i$
  - It is the maximum divergence from normal behaviour over all feature pairs

8 - Profiling
- When to alert
  - Requires profiling normal traffic first
  - Learn for $T_W$ samples: wait for W windows, then compute $R_W$
  - Begin operation: keep computing $R_{W+1}$, $R_{W+2}$, ...
  - Maintain a running average of the ratios
  - Report an anomaly if the current ratios diverge too far from the running average (i.e. the PMER is large)

9 - Flow Filter Mask Generation
- On an alert, what to do?
  - Which flows are misbehaving?
  - Which features are anomalous?
- The $R^i$ that triggered the alert tells us which two features are involved
  - Of the two, consider only the feature whose RU has decreased
    - That feature's histogram is now concentrated around a few elements
    - How to identify these elements?
    - Apply the relative-entropy technique to the feature's histogram
    - Isolate the k dominant elements of the anomalous feature, e.g. k source IP addresses
- Once the k dominant elements of the anomalous feature are identified
  - Identify the k dominant elements of the other features ?????
  - Intersect these and generate the filter
  - ?????
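Slides 6 to 9 describe the detection pipeline in words. What follows is an added example, not code from the paper or from the presentation, that runs that pipeline end to end on constructed flow records: Relative Uncertainty per feature, the ordered-pair ratios R_XY, PMER scored against a profile learned from earlier windows, and a flow filter mask built from the dominant elements of the concentrated features. The bound N_X, the learning and history lengths, the alert threshold of 2.0, the top-k/mass rule used in place of the slide's relative-entropy step, and the traffic itself are all assumptions made for the example.

```python
import math
import random
from collections import Counter, deque
from itertools import permutations

FEATURES = ("src_ip", "src_port", "dst_ip", "dst_port", "flow_size")
N_MAX = 65536  # assumed bound N_X on distinct values of every feature (hypothetical)
EPS = 1e-9     # keeps R_XY finite when a feature collapses to one value (RU = 0)

def relative_uncertainty(values):
    """RU = H / log N_X, with H the Shannon entropy of the empirical histogram."""
    counts = Counter(values)
    m = sum(counts.values())
    h = -sum(c / m * math.log(c / m) for c in counts.values())
    return h / math.log(N_MAX)

def window_rus(flows):
    return {f: relative_uncertainty([fl[f] for fl in flows]) for f in FEATURES}

def pair_ratios(rus):
    """Instantaneous R_XY = RU_X / RU_Y for every ordered pair of distinct features."""
    return {(x, y): (rus[x] + EPS) / (rus[y] + EPS) for x, y in permutations(FEATURES, 2)}

def dominant_elements(flows, feature, k=3, mass=0.75):
    """Up to k most frequent values that together carry >= `mass` of the histogram
    (simplified stand-in for the relative-entropy isolation named on slide 9)."""
    counts = Counter(fl[feature] for fl in flows)
    total, chosen, acc = sum(counts.values()), set(), 0.0
    for value, c in counts.most_common(k):
        chosen.add(value)
        acc += c / total
        if acc >= mass:
            break
    return chosen

class PMERDetector:
    """Learns R_XY over `learn_windows` windows, then scores each window by PMER."""
    def __init__(self, learn_windows=5, history=10, threshold=2.0):
        self.learn_windows, self.threshold = learn_windows, threshold
        self.ru_hist = deque(maxlen=history)     # per-feature RUs of the last N_S windows
        self.ratio_hist = deque(maxlen=history)  # R_XY dictionaries of the last N_S windows

    def _avg(self, hist, key):
        return sum(h[key] for h in hist) / len(hist)

    def observe(self, flows):
        """Returns (pmer, mask): pmer is None while learning; mask is None unless alerting."""
        rus = window_rus(flows)
        ratios = pair_ratios(rus)
        if len(self.ratio_hist) < self.learn_windows:
            self.ru_hist.append(rus)
            self.ratio_hist.append(ratios)
            return None, None
        pair, pmer = max(((p, r / self._avg(self.ratio_hist, p)) for p, r in ratios.items()),
                         key=lambda t: t[1])
        if pmer > self.threshold:  # the anomalous window is kept out of the profile
            return pmer, self.flow_filter(flows, rus, pair)
        self.ru_hist.append(rus)
        self.ratio_hist.append(ratios)
        return pmer, None

    def flow_filter(self, flows, rus, pair):
        """Dominant elements of the pair's feature whose RU fell, intersected with the
        dominant elements of every other feature that also concentrated."""
        feature = min(pair, key=lambda f: rus[f] - self._avg(self.ru_hist, f))
        mask = {feature: dominant_elements(flows, feature)}
        matched = [fl for fl in flows if fl[feature] in mask[feature]]
        for other in FEATURES:
            if other in mask or rus[other] >= self._avg(self.ru_hist, other):
                continue
            mask[other] = dominant_elements(matched, other)
            matched = [fl for fl in matched if fl[other] in mask[other]]
        return mask

def normal_window(rng, n=200):
    """Constructed background traffic, not trace data."""
    return [{"src_ip": f"10.0.0.{rng.randint(1, 50)}", "src_port": rng.randint(1024, 65535),
             "dst_ip": f"10.1.0.{rng.randint(1, 50)}", "dst_port": rng.choice((22, 25, 53, 80, 443)),
             "flow_size": rng.randint(100, 1500)} for _ in range(n)]

def worm_window(rng, n_worm=800):
    """Background plus constructed scan flows: three sources, random targets, port 1434, one size."""
    return normal_window(rng) + [
        {"src_ip": f"192.0.2.{rng.randint(1, 3)}", "src_port": rng.randint(1024, 65535),
         "dst_ip": f"10.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{rng.randint(1, 254)}",
         "dst_port": 1434, "flow_size": 404} for _ in range(n_worm)]

def run_demo(seed=1):
    """Five learning windows, five scored normal windows, then one window with the scan."""
    rng, det, normal_pmers = random.Random(seed), PMERDetector(), []
    for _ in range(10):
        pmer, _ = det.observe(normal_window(rng))
        if pmer is not None:
            normal_pmers.append(pmer)
    worm_pmer, mask = det.observe(worm_window(rng))
    return normal_pmers, worm_pmer, mask
```

Two design points worth noting. First, ratios are computed over ordered pairs, so a drop in R_XY shows up as a rise in R_YX and PMER catches divergence in either direction without a separate inverse test. Second, a window that raises an alert is not folded into the running average; if it were, a sustained outbreak would become the new baseline within N_S windows and the detector would go quiet. In the scan window the RU of flow_size, dst_port and src_ip falls while dst_ip and src_port rise, so the mask that comes out names the fixed flow size, port 1434 and the three scanning sources, which is exactly the information a DLA needs to pull payloads.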

10 - Signature Generation
- Flow filters are deployed around the network
- Automatic signature generation
  - Identify two flows that match the flow filter
  - Extract their payloads
  - Find their Longest Common Subsequence (LCS)
    - e.g. "computer" and "housetent" have the LCS "oute"
    - The signature may be o.*u.*te
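The LCS step above, as an added example that is not the paper's code: it computes the LCS of two payloads, merges characters that are adjacent in both payloads into literal tokens, joins the tokens with `.*` to get the signature form the slide shows, and adds the specificity check a practitioner would want before deploying such a signature. It runs on the slide's own strings and on a constructed pair of HTTP-style requests; the merge rule, the regex form and the minimum literal length are assumptions, and the requests are made up, not captured traffic.

```python
import re

def lcs_pairs(a, b):
    """Index pairs (i, j) of one longest common subsequence of a and b (O(len(a)*len(b)) DP)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    pairs, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            pairs.append((i, j))
            i, j = i + 1, j + 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return pairs

def lcs_tokens(a, b):
    """Merge LCS characters that are adjacent in *both* payloads into literal tokens."""
    tokens = []  # entries: [text, last_i, last_j]
    for i, j in lcs_pairs(a, b):
        if tokens and i == tokens[-1][1] + 1 and j == tokens[-1][2] + 1:
            tokens[-1] = [tokens[-1][0] + a[i], i, j]
        else:
            tokens.append([a[i], i, j])
    return [t[0] for t in tokens]

def signature(tokens):
    """Tokens joined by '.*', each escaped so payload bytes cannot inject regex syntax."""
    return ".*".join(re.escape(t) for t in tokens)

def matches(sig, payload):
    return re.search(sig, payload, re.DOTALL) is not None

def literal_length(tokens):
    """Total literal content of the signature; below a minimum it is too weak to deploy."""
    return sum(len(t) for t in tokens)

MIN_LITERAL = 8  # assumed deployment threshold (hypothetical)

# Slide example: "computer" / "housetent" gives tokens o, u, te and signature o.*u.*te
SLIDE_TOKENS = lcs_tokens("computer", "housetent")

# Constructed pair: two requests sharing a path and an encoded tail, differing only
# in filler between them (made up for the example, not captured traffic).
REQ_A = "GET /default.ida?" + "X" * 8 + "%u9090%u6858 HTTP/1.0"
REQ_B = "GET /default.ida?" + "Y" * 13 + "%u9090%u6858 HTTP/1.0"
REQ_TOKENS = lcs_tokens(REQ_A, REQ_B)
```

The slide's own example also shows the caveat: `o.*u.*te` carries four literal characters and is matched by benign text such as `GET /route HTTP/1.0`, so a signature generated from two flows needs a minimum literal length (and, in practice, more than two samples) before it is pushed to the filters. The constructed request pair yields two long tokens, one for the shared path and one for the shared encoded tail, and the resulting signature rejects an ordinary request for `/index.html`.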

11 - Experiments
- Very limited

12 - Questions?