Published by Myrtle Bond. Modified over 9 years ago.
Analyses on Distribution of Malicious Packets and Threats over the Internet
August 27-31, 2007, APAN Network Research Workshop
Masaki Ishiguro *1), Shigeki Goto *2), Hironobu Suzuki *2), Ichiro Murase *1)
*1) Mitsubishi Research Institute, Inc
*2) Waseda University
Outline
1. Introduction
– Goal and Motivations
– Background history
– System overview
2. A Threat evaluation method
– Evaluation approach
– Calculation method
3. Experiment Results
– MS SQL Incident
– Windows File share Incident
4. Conclusion and Future work
Our Goal and Motivations
Several Internet monitoring systems are already deployed. Ours aims to:
– Find “new” threats without human resources
– Handle threats that occur at any time: the system never sleeps, running 24 hours a day, 7 days a week
– Find threats in a huge amount of data
– Make the report accessible at any time from anywhere
http://www.wclscan.org
Background History
1999 CLSCAN
– “pretty print” tool for the syslog of my router
2001/2 WCLSCAN concept appeared
– In the paper “Internet security analysis using packet filter log”, SEA Software Symposium 2001
– Before the Internet Storm Center (2001/3)
2002 WCLSCAN project started
– Wide-area version of clscan
2003 Early version of WCLSCAN
– “threat calculation using Bayesian estimation” unit added to WCLSCAN
2004/4 Alerts and information provided with 4 sensor boxes
2005/9 Official site WWW.WCLSCAN.ORG
2007 A Threat Evaluation Method (today’s topic)
Our Internet Monitoring System
(System diagram) Sensor -> WCLSCAN Data Server: malicious packets observed by the sensor are sent over the Internet as encrypted data and stored in the Log DB (SQL); from there the server produces Time-Series Access Frequency Graphs, runs Graph Analysis and Threat Evaluation, and publishes Threat Level Graphs.
Sample log lines from a sensor:
mn128,may,13,05:40:11,111/tcp
mn128,may,13,10:12:55,111/tcp
mn128,may,13,10:13:04,111/tcp
mn128,may,13,12:35:05,111/tcp
mn128,may,13,12:35:05,111/tcp,
mn128,may,13,20:25:27,111/tcp,
mn128,may,13,20:25:30,111/tcp,
Monitored Data
– Date/Time of Packet (Year, Month, Day, Time)
– Protocol Type (TCP, UDP, ICMP)
– Source IP Address
– Source Port
– Destination IP Address
– Destination Port
Related Work
Related analyses are classified on two axes: Macro-Analysis (population-based) vs. Micro-Analysis (behavior-based), and Temporal Features Analysis vs. Spatial Features Analysis.
– Bayesian Estimation [1]
– Wavelet Analysis
– Frequency deviation score
– Auto-Correlation Analysis
– Port Correlations
– Graph Analysis
– Frequent Port and IP Extraction
– Destination port sequence mining
– Destination Entropy, Source Entropy [2]
– Infection Rate Estimation by Kalman Filter [3]
– Anomaly Component analysis
Evolution of Threat Evaluation Approach
– Statistical analysis of Malicious Packet Counts
– Unique Source IP Addresses (infected hosts)
– Analysis of Graph Structure
–– Consideration of the vulnerability of destination ports as well as the increase of unique source addresses
Example of distribution of source IP addresses
(Figure: scatter plots of observed source addresses by octet, one over Octet 1 / Octet 2 / Octet 3 and one over Octet 2 / Octet 3 / Octet 4)
Relation between Threats and Vulnerability
Relationship 1: The vulnerability of a destination port is higher if it receives packets from many different source addresses with higher threat levels.
Relationship 2: The threat level of a source address is higher if it sends more packets to vulnerable destination ports.
(Figure: bipartite access graph between Source IP Addresses (Threats) and Destination Ports (Vulnerability), where a destination is a pair of sensor IP address and port (IP’s × ports); sensor IP addresses xxx.xxx.xxx.220 and xxx.xxx.xxx.225)
Threat Calculation Method
– Threat Vector (source)
– Vulnerability Vector (dest.)
– Relationship 1 and Relationship 2 expressed as Eigenvalue Equations
– W: weight matrix
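The slide names only the ingredients (threat vector, vulnerability vector, the two relationships, a weight matrix W and an eigenvalue formulation), so the following is an added illustration of mine, not code from the paper or from WCLSCAN: it iterates Relationship 1 and Relationship 2 over a constructed source-by-port access graph until the two vectors converge, which is power iteration on W·Wᵀ and Wᵀ·W. The L2 normalisation, the stopping rule and the sample counts are assumptions.

```python
import math

# Constructed sample access graph (not real data): rows are source addresses,
# columns are destination ports, entries are malicious packet counts observed
# in one unit time. This plays the role of the slide's weight matrix W.
SOURCES = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
PORTS = ["1433/tcp", "139/tcp", "111/tcp"]
W = [
    [5.0, 0.0, 0.0],
    [3.0, 1.0, 0.0],
    [4.0, 0.0, 0.0],
    [0.0, 1.0, 1.0],
]


def _normalize(vec):
    """Scale a vector to unit L2 length (assumed normalisation step)."""
    norm = math.sqrt(sum(x * x for x in vec))
    return list(vec) if norm == 0 else [x / norm for x in vec]


def threat_vulnerability(W, iters=200, tol=1e-12):
    """Iterate the two relationships until the vectors stop changing.

    Relationship 1: vulnerability of port j = sum_i W[i][j] * threat_i
    Relationship 2: threat of source i      = sum_j W[i][j] * vulnerability_j
    With normalisation this converges to the principal eigenvectors of
    W W^T (threat) and W^T W (vulnerability), i.e. the eigenvalue equations.
    """
    n_src, n_dst = len(W), len(W[0])
    threat = _normalize([1.0] * n_src)
    vuln = _normalize([1.0] * n_dst)
    for _ in range(iters):
        new_vuln = _normalize([sum(W[i][j] * threat[i] for i in range(n_src))
                               for j in range(n_dst)])
        new_threat = _normalize([sum(W[i][j] * new_vuln[j] for j in range(n_dst))
                                 for i in range(n_src)])
        done = max(abs(a - b) for a, b in zip(new_threat, threat)) < tol
        threat, vuln = new_threat, new_vuln
        if done:
            break
    return threat, vuln


def ranked(names, scores):
    """Names paired with their scores, highest score first."""
    return sorted(zip(names, scores), key=lambda pair: -pair[1])
```

On this sample the port that many sources hit (1433/tcp) comes out most vulnerable and the sources concentrating on it come out most threatening, even though 10.0.0.4 sends packets to more distinct ports.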
Experiment 1: Port 1433 Incident (MS SQL), 2005/7
Experiment 2: Port 139 Incident (File Share), 2005/6
Conclusion and Future Works
1. We proposed a new threat evaluation method based on the structure of the access graph, which is quite different from traditional methods based on the number of malicious packets.
2. We demonstrated examples in which our method responds better than the number of malicious packets.
Future Works:
1. Optimization of the edge weights of the access graph
2. Optimization of the unit time of our graph analysis
3. Evaluation of the strengths and weaknesses of our method depending on the types of incidents
WCLSCAN OFFICIAL SITE: WWW.WCLSCAN.ORG