Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University DATA CLASSIFICATION FOR CLASSIFIER.

Slides:



Advertisements
Similar presentations
Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.
Advertisements

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
Describing Quantitative Variables
Saeed Ebrahimijam Spring 2013 Faculty of Business and Economics Department of Banking and Finance Doğu Akdeniz Üniversitesi FINA417.
In/Out Traffic Proportion Based Analyses for Network Anomaly Detection By Zhang FengXiang
Chapter 5. Methods and Philosophy of Statistical Process Control
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Chapter 10 Quality Control McGraw-Hill/Irwin
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Software Quality Control Methods. Introduction Quality control methods have received a world wide surge of interest within the past couple of decades.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Introduction to Hypothesis Testing
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
MAE 552 Heuristic Optimization Instructor: John Eddy Lecture #16 3/1/02 Taguchi’s Orthogonal Arrays.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : August 1999 The Chinese University.
10/21/20031 Framework For Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papadopoulos Kavita Chada & Viji Avali CSCE 790.
Network Measurement Bandwidth Analysis. Why measure bandwidth? Network congestion has increased tremendously. Network congestion has increased tremendously.
Department Of Computer Engineering
Saeed Ebrahimijam SPRING Faculty of Business and Economics Department of Banking and Finance Doğu Akdeniz Üniversitesi FINA417.
Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.
Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University MATHEMATICAL ANALYSIS OF.
SoundSense: Scalable Sound Sensing for People-Centric Application on Mobile Phones Hon Lu, Wei Pan, Nocholas D. lane, Tanzeem Choudhury and Andrew T. Campbell.
Reading Report 14 Yin Chen 14 Apr 2004 Reference: Internet Service Performance: Data Analysis and Visualization, Cross-Industry Working Team, July, 2000.
NATIONAL INSTITUTE OF SCIENCE & TECHNOLOGY Presented by:Manoj Kumar Gantayat CS: Technical Seminar Presentation by MANOJ KUMAR GANTAYAT.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
09/07/2004Peer-to-Peer Systems in Mobile Ad-hoc Networks 1 Lookup Service for Peer-to-Peer Systems in Mobile Ad-hoc Networks M. Tech Project Presentation.
IIT Indore © Neminah Hubballi
STAT02 - Descriptive statistics (cont.) 1 Descriptive statistics (cont.) Lecturer: Smilen Dimitrov Applied statistics for testing and evaluation – MED4.
Fast Portscan Detection Using Sequential Hypothesis Testing Authors: Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan Publication: IEEE.
Results.
MAKING DECISIONS IN THE FACE OF VARIABILITY TWSSP Wednesday.
Distributed Denial of Service CRyptography Applications Bistro Presented by Lingxuan Hu April 15, 2004.
Dividing the Pizza An Advanced Traffic Billing System An Advanced Traffic Billing System Christopher Lawrence Burke The University of Queensland.
FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.
Source-End Defense System against DDoS attacks Fu-Yuan Lee, Shiuhpyng Shieh, Jui-Ting Shieh and Sheng Hsuan Wang Distributed System and Network Security.
Mitsubishi Research Institute, Inc Analyses on Distribution of Malicious Packets and Threats over the Internet August 27-31, 2007 APAN Network Research.
Detection Unknown Worms Using Randomness Check Computer and Communication Security Lab. Dept. of Computer Science and Engineering KOREA University Hyundo.
Firewall Technologies Prepared by: Dalia Al Dabbagh Manar Abd Al- Rhman University of Palestine
A performance evaluation approach openModeller: A Framework for species distribution Modelling.
© 2010 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Jeremy Kackley, James Jacobs, Paulus Wahjudi and Jean Gourd.
1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin In First Workshop on Hot Topics in Understanding Botnets,
Distributed Denial of Service Attacks
Systems Analysis and Design in a Changing World, Fourth Edition
CINBAD CERN/HP ProCurve Joint Project on Networking 26 May 2009 Ryszard Erazm Jurga - CERN Milosz Marian Hulboj - CERN.
TOWARDS A FLEXIBLE DATA PROCESSING AND REPORTING STRUCTURE FOR PACKET CAPTURE FILES V 3.0.
Cryptography and Network Security Sixth Edition by William Stallings.
Scaling Networks with Network Address Translation Scaling Networks with Network Address Translation Solutions for IPv4 Security and Scalability ECPI College.
CHAPTER 7 STATISTICAL PROCESS CONTROL. THE CONCEPT The application of statistical techniques to determine whether the output of a process conforms to.
1 Virtual Dark IP for Internet Threat Detection Akihiro Shimoda & Shigeki Goto Waseda University
Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Library Online Resource Analysis (LORA) System Introduction Electronic information resources and databases have become an essential part of library collections.
Role Of Network IDS in Network Perimeter Defense.
Active Learning for Network Intrusion Detection ACM CCS 2009 Nico Görnitz, Technische Universität Berlin Marius Kloft, Technische Universität Berlin Konrad.
Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering.
DOS Attacks Lyle YapDiangco COEN 150 5/21/04. Background DOS attacks have been around for decades Usually intentional and malicious Can cost a target.
1. ABSTRACT Information access through Internet provides intruders various ways of attacking a computer system. Establishment of a safe and strong network.
1 INTRODUCTION TO COMPUTER GRAPHICS. Computer Graphics The computer is an information processing machine. It is a tool for storing, manipulating and correlating.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
By: Samuel Oswald Hunter Supervisor: Mr Barry Irwin
The Devil and Packet Trace Anonymization
Villanova Technical Analysis Group
Roland Kwitt & Tobias Strohmeier
Identifying Slow HTTP DoS/DDoS Attacks against Web Servers DEPARTMENT ANDDepartment of Computer Science & Information SPECIALIZATIONTechnology, University.
Jonathan Griffin Andy Norman Jamie Twycross Matthew Williamson
Presentation transcript:

Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University DATA CLASSIFICATION FOR CLASSIFIER TRAINING TO AID IN NETWORK INCIDENT IDENTIFICATION

I NTRODUCTION Introduction Background Problem Statement Approach Results Conclusion Questions

B ACKGROUND Network Telescopes (aka Darknets) What are they ? Network telescopes are monitors that log traffic that is destined for a certain IP space on which no legitimate hosts belong. We can conclude that traffic received is either malicious in nature or due to incorrect configuration. Why ? Network telescopes provide a way of observing the anomalous traffic on the Internet. This is useful for researchers studying the trending of malicious activity on the Internet. Allowing for early warning systems to be devised to allow suitable reactions to current attacks/incidents. Who The majority of the research is conducted by CAIDA. Other research institutions include the Internet Motion Sensor, Team Crymu and an assortment of other universities. The majority of the research in network telescopes focuses on building scalable frameworks to allow for efficient querying of information from network telescopes, anomaly monitoring and Internet mapping

Existing body of research The majority of the research in network telescopes focuses on building scalable frameworks to allow for efficient querying of information from network telescope nodes, anomaly monitoring and internet mapping. Little focus is put

B ACKGROUND Simple Network Diagram of a Network Telescope Bradley Cowie Network Telescope Structure As there are no legitimate hosts on the IP space assigned to the network telescope. It can be assumed that all traffic received is either malicious, anomalous or due to incorrect configuration

Problem Statement Overall : To aid in the analysis of the traffic received by network telescope by constructing and evaluating a number of metrics. These metrics should aid in in the analysis and decision making process of identifying network incidents. Why ? Network telescopes provide a large quantity of information for analysts to consider. Especially if all the various divisions are considered such as the number of ports for UDP and TCP. It is quite possible that this can lead to information overload and poor decision making. For this particular talk : To consider a number of ways to identify network incidents in network telescope datasets Why ? In order to evaluate the usefulness of the metrics at identifying incidents we need to identify where incidents occur in our datasets.

Approaches Two main approaches are detailed : Automated approach : Identification through mathematical modelling Identification through deviations from normality Manual Approach Through observation

Automated Approach Identification through mathematical modelling : It has been established that for certain cases mathematical models describe the growth in infected hosts due to viral infections. It is conceivable that a system could be constructed to identify these sorts of models. Attempted System : A naive implementation to this technique was attempted by constructing a feed-forward network that had been optimized for shape identification. Said system was modified from a neural network that was designed to identify shapes.

Unique Hosts for Port 445

Automated Approach Results : Due to the complex nature of the traffic received said system failed to produce any results of significance. The highly fluxuating nature of the number of unique source IP’s is illustrated in the graph below. Conclusions : A more complex approach is required to identify growth types using network telescope data in an automated sense.

Identification through deviations from normality Overview : This approach attempts to define normal values for measures and then identify where these values are grossly exceeded. The definition of grossly exceeds is tricky. One approach to this is make use of bands that define the upper and lower limits that we expect a quantity. One way to approach this is to make use of Bollinger Bands. The upper band is defined as Moving Average + kσ with the lower band defined as Moving Average - kσ.

Bollinger bands for Port 445

Identification through deviations from normality Standard Bollinger bands unfortunately don’t seem to identify major incidents such as the outbreak of Conficker. Further there are far too many signals generated. Investigating each of these would be lengthy. We need to optimize the parameters (K and the length of the moving of average). This comes back to our original problem... Alternatively we can attempt to identify incidents by observation. This is an adhoc type process that involves considering a number of statistics and noticing anomalies by hand. These “incidents” are then verified by comparing them against CVE and the wildlist to see if such an incident occurred during that time frame. This work is still currently in progress...

Line graph of traffic observed (as counts) This graph shows the trend of packets counts received between January 2006 and September It illustrates how the nature of traffic received changed due to the spread of the Conficker virus (October 2008)

Ratio’s of total traffic (TCP) The ratio that each of the top 4 ports and other ports make up of the total traffic for the years is shown. Between 2008 and 2009 there is a shift from other ports making up the most traffic to port 445.

Manual Approach This follows the reverse of the methodology taken in the automated approach. Here the researcher attempt to find a list of know vulnerabilities/exploits/viruses in the datasets. A sample of this is identifying DDoS attacks. Often DDoS based attacks spoof IP address as the source IP’s to there attacks. Thus it is possible to observe these sorts of attacks when an attacker happens to spoof IP’s that belong to the network telescope. This causes ICMP type 11 messages to be returned to the network telescope. This work is still currently in progress...

Appearance of ICMP type 11 traffic Plot depicting the sudden appearance of ICMP Type 11 Traffic during the 17th and 18th of February It is suspected that this is DDoS backscatter.

Conclusion Some preliminary work has been completed to classify some incidents in our network telescope dataset. Further work is needed to create a well defined set of data points defining the occurrences of incidents in the data. Future work : Application of technical analysis indicators to the datasets Optimization of metrics using neural networks and GA’s

Questions and comments ?