Research Direction. Advisor: Frank, Yeong-Sung Lin. Presented by Jia-Ling Pan, 2010/10/21, NTUIM OPLAB.

Presentation transcript:


Agenda
◦ Introduction
◦ Problem Description

Introduction

Worm attacks
Definition
◦ "A network worm is a piece of malicious code that propagates over a network without human assistance and can actively initiate attacks independently or depending on file sharing." ─ [1]
◦ [1] Kienzle DM and Elder MC, "Recent worms: a survey and trends", Proceedings of the 2003 ACM workshop on Rapid malcode, October 2003.

Worm characteristics
◦ Information collection: collect information about the local or target network.
◦ Probing: scan and detect the vulnerabilities of the specified host, and determine which approach should be taken to attack and penetrate.
◦ Communication: communicate between the worm and the hacker, or among worms.
◦ Attack: make use of the holes found by scanning to create a propagation path.
◦ Self-propagating: create copies of the worm and transfer these copies among different hosts.

Decentralized Information Sharing
Cooperative attack detection and countermeasures using decentralized information sharing: epidemic algorithms are used to share attack information and achieve quasi-global knowledge about attack behaviors.
◦ [2] Guangsen Zhang and Manish Parashar, "Cooperative detection and protection against network attacks using decentralized information sharing", Cluster Computing, Volume 13, Number 1, Pages 67-86.

Decentralized Information Sharing
The mechanism should be easy to deploy, robust, and highly resilient to failures. Gossip-based mechanisms are potentially effective solutions that meet these requirements: dissemination of information in a network is treated like the spread of a rumor, or of an infectious disease, in a society.

Decentralized Information Sharing
If all the nodes in this distributed framework had common knowledge about network attack behaviors, then network attacks could be detected perfectly. However, achieving common knowledge requires completely synchronized and reliable communication, which is not feasible in a practical distributed system.

Decentralized Information Sharing
In a distributed, decentralized attack detection system, each detection node has only a partial view of the system. By using an asynchronous, resilient communication mechanism to share local knowledge, the system can achieve quasi-global knowledge. With this knowledge, every detection node acquires sufficient information about attacks, and as a result the attacks can be detected effectively.

Decentralized Information Sharing
◦ AS level
◦ Overlay network
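The gossip-based sharing described on the preceding slides, as an added example that is not code from the deck or from [2]: a push-style epidemic spread of a worm profile over an AS-level detection overlay, with failed nodes that neither receive nor forward. The overlay uses the node letters from the scenario slides, but its edges, the profile value and the fanout are assumptions.

```python
import random

# Constructed AS-level overlay using the node letters from the scenario
# slides; the edges are an assumption, the slides do not give the topology.
OVERLAY = {
    "A": ["B", "C"], "B": ["A", "D", "E"], "C": ["A", "F"],
    "D": ["B", "G"], "E": ["B", "H"], "F": ["C", "I"],
    "G": ["D", "J"], "H": ["E", "J"], "I": ["F", "J"],
    "J": ["G", "H", "I"],
}


def gossip_profile(overlay, origin, profile, failed=frozenset(),
                   fanout=1, max_rounds=100, seed=0):
    """Push-style gossip of a worm profile over the detection overlay.

    Every round, each node that already holds the profile forwards it to
    `fanout` randomly chosen live neighbours. Failed nodes neither receive
    nor forward, which is the resilience requirement from the slides.
    Each node only ever sees its own neighbours (a partial view), yet the
    profile reaches every reachable live node: quasi-global knowledge.
    Returns (rounds_taken, set of nodes holding the profile); the round
    count is random, so a fixed seed keeps a run repeatable.
    """
    rng = random.Random(seed)
    live = {n for n in overlay if n not in failed}
    holders = {origin} if origin in live else set()
    rounds = 0
    while holders and holders != live and rounds < max_rounds:
        rounds += 1
        new_holders = set()
        for n in sorted(holders):  # sorted keeps the RNG draws deterministic
            targets = [m for m in overlay[n] if m in live]
            for m in rng.sample(targets, min(fanout, len(targets))):
                new_holders.add(m)
        holders |= new_holders
    return rounds, holders


if __name__ == "__main__":
    rounds, holders = gossip_profile(OVERLAY, "A", "type1-worm-profile")
    print(f"{len(holders)} nodes hold the profile after {rounds} rounds")
    rounds, holders = gossip_profile(OVERLAY, "A", "type1-worm-profile",
                                     failed={"B", "C"})
    print(f"origin cut off: {sorted(holders)} after {rounds} rounds")
```

If the origin's neighbours all fail, the loop runs to `max_rounds` with only the origin informed, which is the partition case the slides' resilience requirement is meant to survive by other means (more links, more fanout).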

Unknown worm behavioral detection
Detect unknown worm activity on individual computers while minimizing the set of features that must be collected from the monitored computer. Although all worms differ, the aim is to find common characteristics whose presence makes it possible to detect an unknown worm.
◦ [3] R. Moskovitch, Y. Elovici, and L. Rokach, "Detection of unknown computer worms based on behavioral classification of the host", Computational Statistics & Data Analysis, Volume 52, Issue 9, May.

Worm origin identification
Present the design of a Network Forensic Alliance (NFA), which allows multiple administrative domains (ADs) to jointly locate the origin of epidemic spreading attacks. It can find the origin and the initial propagation paths of a worm attack, either within an intranet or on the Internet as a whole, by performing post-mortem analysis on the traffic records logged by the networks.
◦ [5] Yinglian Xie, Sekar V., Reiter M.K. and Hui Zhang, "Forensic Analysis for Epidemic Attacks in Federated Networks", Proceedings of the IEEE International Conference on Network Protocols, November.

Problem Description

Problem Description
◦ Attacker attributes
◦ Defender attributes
◦ Attack-defense scenarios

Attacker attributes
Objective
◦ Use worms to obtain a clearer map of the network topology or of vulnerabilities, and eventually compromise core nodes.
Budget
◦ Node compromising
◦ Worm injection

Attacker attributes
Attack mechanisms
◦ Node compromising
▪ Next hop selection criteria:
▪ Link degree: high link degree ─ information seeking
▪ Link utilization: low link utilization ─ stealth strategy
◦ Worm injection
▪ Candidate selection criteria:
▪ Link traffic: high link traffic ─ high rate worm injection; low link traffic ─ low rate worm injection

Defender attributes
Objective
◦ Protect core nodes
Budget
◦ General defense resources (e.g. firewall, IDS)
◦ Worm profile distribution mechanisms
◦ Worm source identification methods

Defender attributes
Defense mechanisms
◦ Node protection
◦ Unknown worm detection & profile distribution
◦ Worm origin identification

Scenarios (figures on slides 19 to 29: a network of AS nodes A to J with firewalls and core AS nodes; legend: Type1 worm, Type2 worm; the defender performs profile generation throughout)
◦ Slide 19: initial topology; profile generation.
◦ Slide 20: Attacker A and Attacker B; node compromise.
◦ Slide 21: Attacker A; node compromise, then worm injection.
◦ Slide 22: Attacker A; worm propagation.
◦ Slide 23: Attacker A; profile generation.
◦ Slide 24: Attacker A; node compromise.
◦ Slide 25: Attacker A; defender detects unknown worm behavior, distributes the profile, and identifies the worm origin.
◦ Slide 26: Attacker A; worm injection.
◦ Slide 27: Attacker A; worm propagation.
◦ Slide 28: Attacker A; detect unknown worm behavior, profile distribution, worm origin identification.
◦ Slide 29: Attacker A; profile generation.

Thanks for listening.