1 Virtual Dark IP for Internet Threat Detection Akihiro Shimoda & Shigeki Goto Waseda University
2 Black Hole (image: sprott.physics.wisc.edu/pickover/embed.jpg)

3 Dark IP: an IP address which is neither assigned nor used. It is actually allocated to a machine which does not respond to any incoming packets. (Figure: incoming packets reach the Dark IP; no response is sent.)

4 Dark IP Sensor: a sensor box (Dark IP) sits behind a firewall that accepts all incoming packets and blocks all outgoing packets. Anomaly packets from an attacker are logged on the PC, and no response is sent.

5 Example: Observation System with Physical Sensors. Distributed sensors on the Internet sit behind a firewall and send log data to a database and analysis server, which produces Web, image, sound and statistics data as well as alert information.

6 Packets captured by Dark IP
 Port scanning or host scanning
 Backscatter packets of DDoS (Distributed DoS)
 Various configuration mistakes

7 Backscatter of DDoS: attackers send DDoS packets whose destination is the TARGET (IP address X.X.X.X) and whose source IP address is spoofed. The TARGET's replies (backscatter packets) carry source TARGET and destination the spoofed IP address, so they arrive at other hosts/servers on the Internet, including Dark IP addresses.

8 Virtual Sensors: normal hosts and normal servers have mutual (two-way) communications. Unused IP space offers no service, so traffic from attackers to it is one-way access only. Such addresses act as Virtual Sensors, observed through Netflow packets rather than physical sensor boxes.

9 Pros and Cons
Pros
 No need for physical sensors
 Analyze thousands of Virtual Sensors simultaneously
 Covers a wide variety of traffic on a target router
Cons
 Target router should have the Netflow function
 Accuracy degraded due to Netflow sampling
 Some errors in locating Virtual Dark IP

10 Netflow v5 record (exported by the router for a flow from Host A to Host B)
Start Time: 2006/3/10 12:31:15   End Time: 2006/3/10 12:31:18
SrcIP: X.X.X.X   DstIP: Y.Y.Y.Y
SrcMask: /24   DstMask: /24
Protocol: 6   SrcPort: 23221   DstPort: 20
TOS: 80   SrcAS: 1000   DstAS: 2000
Flags: 10   SrcIF: Fa 1/0   DstIF: Fa 0/0
Packets: 1200   KBytes: 6400
Figure: Host A (IP X.X.X.X /24, AS 1000, via Fa 1/0) to Host B (IP Y.Y.Y.Y /24, port 20, AS 2000, via Fa 0/0); the router exports the Netflow v5 record.

11 Flow Capture and Analysis Process: the Netflow router exports flows to Flow-tools, which stores them in a Netflow database. The Virtual Sensor Detection Algorithm reads flow attributes from the database, produces virtual sensor candidates and then the confirmed virtual sensors. The Anomaly Packets Collector gathers the packets sent to those virtual sensors and produces the results output.

12 Locating Virtual Sensors — Algorithm: Virtual Sensor Candidates are checked against a Senders List (cache); a candidate address that is not seen there, or is not communicating, becomes a Virtual Sensor.

13 Parameters – Life Time

14 Parameters – Limit timer
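As an added worked example (not the authors' code), the locating algorithm of slides 11 to 14 run over a constructed Netflow-style export: addresses inside the monitored prefix that receive one-way access and never appear as senders become Virtual Sensors, and flows to them are collected as anomaly packets. The prefix, the addresses, the field names and the meaning given to Life Time and Limit timer are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Flow:
    start: int   # flow start time in seconds (constructed clock)
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int

# Constructed Netflow-style export for a monitored prefix (placeholder addresses).
FLOWS = [
    Flow(0,   "10.0.0.5",     "198.51.100.7", 6,  40001, 80,    5),  # live host talks out
    Flow(0,   "10.0.0.7",     "198.51.100.7", 6,  40002, 80,    3),
    Flow(1,   "198.51.100.7", "10.0.0.5",     6,  80,    40001, 4),  # mutual communication
    Flow(2,   "203.0.113.9",  "10.0.0.200",   6,  2001,  135,   1),  # one-way access
    Flow(3,   "203.0.113.9",  "10.0.0.201",   6,  2002,  135,   1),
    Flow(5,   "203.0.113.9",  "10.0.0.5",     6,  2003,  135,   1),  # scan also hits live host
    Flow(350, "203.0.113.9",  "10.0.0.7",     6,  2004,  445,   1),  # 10.0.0.7 silent > life_time
    Flow(400, "10.0.0.201",   "198.51.100.7", 17, 5000,  53,    1),  # candidate speaks: not dark
]

def locate_virtual_sensors(flows, prefix, life_time, limit_timer):
    """Return (virtual_sensors, pending_candidates, anomaly_flows).

    life_time:   seconds an address stays in the senders cache after it last sent.
    limit_timer: seconds a candidate must stay silent before it is promoted.
    (Both parameter meanings are assumptions for this example.)"""
    net = ipaddress.ip_network(prefix)
    inside = lambda ip: ipaddress.ip_address(ip) in net
    senders = {}     # Senders List cache: addr -> last time seen as a source
    candidates = {}  # addr -> first time seen as a one-way destination
    flows = sorted(flows, key=lambda f: f.start)
    for f in flows:
        if inside(f.src):
            senders[f.src] = f.start
            candidates.pop(f.src, None)       # it communicates, so it is not dark
        if inside(f.dst) and f.dst not in candidates:
            last = senders.get(f.dst)
            if last is None or f.start - last > life_time:   # not seen or stale
                candidates[f.dst] = f.start
    end = flows[-1].start
    sensors = sorted(a for a, t in candidates.items() if end - t >= limit_timer)
    pending = sorted(a for a in candidates if a not in sensors)
    anomaly = [f for f in flows if f.dst in sensors]  # Anomaly Packets Collector
    return sensors, pending, anomaly
```

With life_time 300 s and limit_timer 60 s, 10.0.0.200 is promoted, 10.0.0.7 stays a pending candidate because its limit timer has not expired, and 10.0.0.201 is dropped once it sends.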

15 Experiment — Configuration: a malicious host and a worm-infected host in a wide area network send anomaly packets and scanning packets through an intermediate router (the target of flow observation) into the autonomous system APAN-JP.

16 Comparison – Port 135/tcp

17 Comparison – Port 135/tcp

18 Comparison – Port 445/tcp

19 Comparison – Port 1026/udp

20 Comparison – Port 22/tcp

21 Comparison – Port 80/tcp

22 Conclusion
Virtual Dark IP
 New method for flow-based analysis
 No need for physical sensors
 Verified a certain similarity between Virtual Sensors and Physical Sensors
 Real comparison is planned: sensors at the same place and the same time

23 Thank you!

24 Extra Slides