Presentation is loading. Please wait.

Presentation is loading. Please wait.

PCAV: Evaluation of Parallel Coordinates Attack Visualization

Published bySuharto Hermawan Modified over 5 years ago

Similar presentations

Presentation on theme: "PCAV: Evaluation of Parallel Coordinates Attack Visualization"— Presentation transcript:

1 PCAV: Evaluation of Parallel Coordinates Attack Visualization
Hyunsang Choi, Heejo Lee {realchs, Computer and Communication Security Laboratory Korea University, Korea Hello everyone. My name is choi hyun sang and I’m the member of computer communications and security laboratory of Korea university. The topic of my presentation is attack visualization on parallel coordinates. The presentation will take about 20 minutes and have questions after the presentation OK let’s start the presentation. Joint Workshop between Security Research Labs in Korea and Japan, Kyushu University, Kyushu, Japan, Feb 7 – Feb 9, 2006

2 Contents 1. Overview 2. Main Idea of PCAV 3. Visualization
4. Algorithm of PCAV 5. Evaluation

3 Introduction Propose anomaly-based real-time monitoring
Overview Main Idea Visualization Algorithm Evaluation PCAV (Parallel Coordinates Attack Visualization) Propose anomaly-based real-time monitoring system with visualization approach Anomaly detection Visualization approach Real-time monitoring Early detection So, the main purpose of this research is to detect the various types of internet attacks as soon as possible to response to the attack. Here, the internet attacks includes internet worn, Distributed denial of service attack and other scanning activities. We will propose a new real-time anomaly detection system by using visualization system.

4 Characteristics: Internet Attacks
Overview Main Idea Visualization Algorithm Evaluation <H.Kim et.al.,IEEE Networks 2004> Large scale Internet attacks Worm Source spoofed DDoS attack Scanning activities Important Characteristics One-to-many relationship In this slide you can see common characteristics of Internet attacks have that is one to many relations. In this picture, in figure a., this is an typical situation of ddos attack. An attacker tries to attack on a certain victim by using several masters that Command to the zombie agents, so called botnet. Zombies flow over the attack traffic to the victim. In this scenario, there are one destination (that is victim) And many sources (that is zombies) and figure b, this represents internet worm propagation. There are infected machines and internet worm in the infected machine operate self -propagation to many random destinations. So, there are one source that is infected machine and many destination that is random destination. Other scanning activities also has the one to many relations.

5 Selected Parameters What we visualize
Overview Main Idea Visualization Algorithm Evaluation What we visualize Selected 4 main parameters in TCP/IP header field IP header TCP header You can see the selected four parameters in this slide We found the important common characteristics of internet attacks in previous slide. So, we must decide that what we visulze. We selected some parameters in tcp/ip header fields to visuallize the characteristics. We take four parameter that is source ip destination ip and total length in ip header and destination port in tcp header. We considering the ttl and tcp flags which will apply to options.

6 Destination IP address
Flow instead of Packet Overview Main Idea Visualization Algorithm Evaluation Aggregated input data instead of raw traffic Source port Destination port ... Source IP address Destination IP address Data Header Packet Flow We use Flow for input data instead of packet because of system performance and compatibility with legacy routers. . Proto type of our system used Cisco Netflow version 5. Internet

7 Benefits of Visualization
Overview Main Idea Visualization Algorithm Evaluation Intuitive B Come up with new hypotheses Deal large noisy data easily A C Visualization higher degree of confidence The basic concept and benefits of visualization is described as follows. Visualization images can be obtained from raw data using computer graphics techniques and algorithms. From this image, valuable insights can be acquired. The main benefits of visualization is that we can deal with highly inhomogeneous And noisy data with a intuitive way. E D Faster

8 Fig. 7. Rescaled attack graphs
Parallel Coordinates Overview Main Idea Visualization Algorithm Evaluation How we draw flows on parallel coordinates Input flow: Source address < > Destination address < > Destination port <80> Average packet length <1240> 65000 1500 1240 80 This demo represents how to visualize the data on parallel coordinates. There are now four coordinates and bottom is minimum and top is maximum value. When an input flow are coming each values are pointed on each coordinates and it is connected by line. One line means one flow data. c. Host scan d. Port scan Fig. 7. Rescaled attack graphs

9 Attack Graphs from Real Traffic
Overview Main Idea Visualization Algorithm Evaluation 1. Worm Graph - Slammer 2. DDoS attack 3. Hostscan 4. Portscan You can see four sample types of graph here with visualizing each internet attacks from real traffic data. The first graph is that internet worm. There are one infected machine and many random destination. Worm usually uses one destination port so called vulnerability and Has same packet length. Second graph is ddos attack graph. There are one victim who is under attack and many distributed zombie attack machines. DDoS also uses one Destination port and have minimum packet length.

10 Attack Signatures Overview Main Idea Visualization Algorithm Evaluation Graphical signatures and divergences and packet length of implied attack Several internet attacks are distinguishable by it’s graph pattern. The patterns are shown at the table and their coordinates divergences are represented. We can call the graph patterns as a signature. A signature discriminates each internet attacks.

11 PCAV System Design 4 main modules Database Sensor Analyzer Visualizer
Overview Main Idea Visualization Algorithm Evaluation 4 main modules Sensor Analyzer Visualizer Database Database Store flow information – text, image Remarkably compressed (1/2000) Replay flows This is the overview of the PCAV system. A sensor aggregates the network traffic data to the flow data. Sensor can be an Cisco router or software such as nprobe. Sensor generates flow data then analyzer analyze the flow data and if they includes internet attack then it records to the database and passes to the visualizer. Visualizer draw a graphs of all flows and attack flows by using parallel coordinates.

12 Application PCAV 2.0 demo clip
Overview Main Idea Visualization Algorithm Evaluation PCAV 2.0 demo clip This is a proto type of PCAV application demo. Top of the left graphs are parallel coordinates of all input flows and bottom of that graph is attack graph. The system provides rescale mode and rescale mode uses relative maximum and minimum value of input data instead of its absolute value.

13 Algorithm Main algorithm of analyze module
Overview Main Idea Visualization Algorithm Evaluation Main algorithm of analyze module Here you can see the main algorithm of analyzer. If one flow is coming then Flow ID generator make Flow ID which generated from three hash tables. Source IP address, destination IP address and destination port number are inserted each hash table and if the value is new one then return 0 if it is not then return 1. With the Flow ID and average packet length we can distinguish each flow and insert the flow to the each attack queue. If the size of attack queue exceeds certain threshold then Analyzer infers that attack is occurred.

14 Evaluation 1Gbps backbone traffic
Overview Main Idea Visualization Algorithm Evaluation 1Gbps backbone traffic Windows XP (flow generator), 2003 server (PCAV) Pentium-4 PC, 1Gbyte memory (about 100MB memory use) Here you can see the main algorithm of analyzer. If one flow is coming then Flow ID generator make Flow ID which generated from three hash tables. Source IP address, destination IP address and destination port number are inserted each hash table and if the value is new one then return 0 if it is not then return 1. With the Flow ID and average packet length we can distinguish each flow and insert the flow to the each attack queue. If the size of attack queue exceeds certain threshold then Analyzer infers that attack is occurred.

15 Stress Test PCAV process 10Gbps traffic with 98% accuracy.
Overview Main Idea Visualization Algorithm Evaluation Here you can see the main algorithm of analyzer. If one flow is coming then Flow ID generator make Flow ID which generated from three hash tables. Source IP address, destination IP address and destination port number are inserted each hash table and if the value is new one then return 0 if it is not then return 1. With the Flow ID and average packet length we can distinguish each flow and insert the flow to the each attack queue. If the size of attack queue exceeds certain threshold then Analyzer infers that attack is occurred. PCAV process 10Gbps traffic with 98% accuracy. (Gigabit network exports about 10,000 flows/s)

16 Multiple Attack Overview Main Idea Visualization Algorithm Evaluation Here you can see the main algorithm of analyzer. If one flow is coming then Flow ID generator make Flow ID which generated from three hash tables. Source IP address, destination IP address and destination port number are inserted each hash table and if the value is new one then return 0 if it is not then return 1. With the Flow ID and average packet length we can distinguish each flow and insert the flow to the each attack queue. If the size of attack queue exceeds certain threshold then Analyzer infers that attack is occurred.

17 False Positive Test False positive Hostscan, DDoS
Overview Main Idea Visualization Algorithm Evaluation False positive Hostscan, DDoS P2P, web traffic (flash crowd, web crawling), game, chatting (MSN), DNS, mail, streaming, etc Length filtering effect (flag) Threshold setting Here you can see the main algorithm of analyzer. If one flow is coming then Flow ID generator make Flow ID which generated from three hash tables. Source IP address, destination IP address and destination port number are inserted each hash table and if the value is new one then return 0 if it is not then return 1. With the Flow ID and average packet length we can distinguish each flow and insert the flow to the each attack queue. If the size of attack queue exceeds certain threshold then Analyzer infers that attack is occurred.

18 False Negative Test False negative Assumption
Overview Main Idea Visualization Algorithm Evaluation False negative Assumption Little increased but ignorable Worm can not be detected without length filtering. Threshold setting Here you can see the main algorithm of analyzer. If one flow is coming then Flow ID generator make Flow ID which generated from three hash tables. Source IP address, destination IP address and destination port number are inserted each hash table and if the value is new one then return 0 if it is not then return 1. With the Flow ID and average packet length we can distinguish each flow and insert the flow to the each attack queue. If the size of attack queue exceeds certain threshold then Analyzer infers that attack is occurred.

19 Summary 1 Main Purpose 2 Effectiveness 3 Future Work Early detection
Real-time monitoring 2 Effectiveness Detect and draw a particular pattern of graph for each attack 3 Future Work Auto-threshold configuration Enhance sampling process

20 Thanks. Tel: +82-2-3290-3208 Fax: +82-2-953-0771
Dept. of Computer Science and Engineering Korea University. Anam-Dong SeoungBuk-Gu, Seoul, KOREA

Download ppt "PCAV: Evaluation of Parallel Coordinates Attack Visualization"

Similar presentations

Abstract There is significant need to improve existing techniques for clustering multivariate network traffic flow record and quickly infer underlying.

Abstract There is significant need to improve existing techniques for clustering multivariate network traffic flow record and quickly infer underlying.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.

Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.

Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts

Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts
1 Towards Anomaly/Intrusion Detection and Mitigation on High-Speed Networks Yan Gao, Zhichun Li, Yan Chen Northwestern Lab for Internet and Security Technology.

1 Towards Anomaly/Intrusion Detection and Mitigation on High-Speed Networks Yan Gao, Zhichun Li, Yan Chen Northwestern Lab for Internet and Security Technology.
Diffusion Mechanisms for Active Queue Management Department of Electrical and Computer Engineering University of Delaware May 19th / 2004 Rafael Nunez.

Diffusion Mechanisms for Active Queue Management Department of Electrical and Computer Engineering University of Delaware May 19th / 2004 Rafael Nunez.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
George Varghese (based on Cristi Estan’s work) University of California, San Diego May 2011 Internet traffic measurement: from packets to insight.

George Varghese (based on Cristi Estan’s work) University of California, San Diego May 2011 Internet traffic measurement: from packets to insight.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
Denial of Service A Brief Overview. Denial of Service Significance of DoS in Internet Security Low-Rate DoS Attacks – Timing and detection – Defense High-Rate,

Denial of Service A Brief Overview. Denial of Service Significance of DoS in Internet Security Low-Rate DoS Attacks – Timing and detection – Defense High-Rate,
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.

Similar presentations

Ads by Google