Presentation is loading. Please wait.

Presentation is loading. Please wait.

Frequent Sequential Attack Patterns of Malware in Botnets Nur Rohman Rosyid.

Published bySilvester Adams Modified over 9 years ago

Similar presentations

Presentation on theme: "Frequent Sequential Attack Patterns of Malware in Botnets Nur Rohman Rosyid."— Presentation transcript:

1 Frequent Sequential Attack Patterns of Malware in Botnets Nur Rohman Rosyid

2 Kikuchi Laboratory Tokai University Outlines 1. Botnet attack 2. PrefixSpan method 3. Results and Analysis 4. Conclusion

3 Kikuchi Laboratory Tokai University Botnet

4 Honeypots Kikuchi Laboratory Tokai University  CCC DATA set 2009 consist of the access log of attack to 94 honeypots in 1 year (may 1, 2008 – April 30 2009).  This research observes one of honeypot runs on Windows XP+SP1

5 Kikuchi Laboratory Tokai University Coordinated attack TROJ_QHOST.WT BKDR_POEBOT.AHP PE_VIRUT.AV TSPY_ONLINEG.OPJ TSPY_KOLABC.CHTROJ_AGENT.AGSB

6 Sequential pattern  It is difficult to find sequential pattern of attacks in the access log of attacks manually. Kikuchi Laboratory Tokai University Sequence_idSequence 100 101 102 103 104

7 Objective  Discover the frequent sequential attack pattern on CCC DATA set 2009 Kikuchi Laboratory Tokai University

8 Method  PrefixSpan data mining algorithm 1 to discover the frequent sub-sequences as patterns in a sequence database.  Example: Given a sequence database and minimum support threshold 2 Kikuchi Laboratory Tokai University 1) J. Pei, et al., ``PrefixSpan: Mining Sequential Patterns by Prefix-Projected Growth'‘, in Proc. of The 17th Int'l Conf. on Data Engineering, pp.215-224, 2001. Sequence_idSequence 100 101 102 103 104

9 Method (count) Kikuchi Laboratory Tokai University Seq. Database Projected Database Sequential Patterns :5 :2 :4 :5 :5, :5, :5, :2, and :2

10 Method (count) Kikuchi Laboratory Tokai University Seq. Database Projected Database Sequential Patterns :5 :2 :4 :5 :5, :5, :5, :2, and :2

11 Method (count) Sequential Patterns :5, :5, :2, :4 :2 :4 :2 Kikuchi Laboratory Tokai University

12 Pre-Processing Data Kikuchi Laboratory Tokai University

13 sequential 2-Pattern of malware attack Kikuchi Laboratory Tokai University length serial

14 sequential 3-Pattern of malware attack Kikuchi Laboratory Tokai University

15 Distribution of attacks of duplicate 3-pattern Kikuchi Laboratory Tokai University

16 Distribution of attacks of non-duplicate 3-pattern Kikuchi Laboratory Tokai University (P3.4) TROJ_QHOST.WT, WORM_HAMWEQ.AP, BKDR_POEBOT.AHP (P3.29) TSPY_ONLINEG.OPJ, TROJ_QHOST.WT, BKDR_POEBOT.AHP (P3.30) BKDR_RBOT.CZO, WORM_HAMWEQ.AP, TROJ_QHOST.WT A (P3.21) PE_VIRUT.AV BKDR_SDBOT.BU BKDR_VANBOT.HI (P3.27) BKDR_SCRYPT.ZHB BKDR_SDBOT.BU BKDR_VANBOT.HI (P3.49) BKDR_SCRYPT.ZHB PE_VIRUT.AV BKDR_SDBOT.BU B (P3.7) PE_VIRUT.AV WORM_SWTYMLAI.CD TSPY_KOLABC.CH (P3.10) PE_VIRUT.AV TSPY_KOLABC.CH WORM_SWTYMLAI.CD c (P3.37) PE_VIRUT.AV TSPY_KOLABC.CH TROJ_AGENT.AGSB D 20 days25 days26 days8 days

17 Distribution of time interval of the 3-pattern Kikuchi Laboratory Tokai University Time interval is a time difference between the first and last malware infections in the same sequential pattern at the honeypot.

18 Kikuchi Laboratory Tokai University Sequential attack pattern based on source IP address and timestamp Pattern based on IP Address IP pattern codeIP Pattern A1S1 A2S1 S2 A3S1S2S1 A4S1S2 A5S1S2S3 Pattern based on Timestamp Time pattern codeTime pattern E1T1 E2T1 T2 E3T1T2 E4T1T2T3

19 Kikuchi Laboratory Tokai University Sequential attack pattern by source IP address and timestamp (count) A4E1 : 10% A4E4 : 90% A5E4 : 20% A5E5 : 80% TROJ_QHOST.WT BKDR_POEBOT.AHP PE_VIRUT.AV TSPY_ONLINEG.OPJ TSPY_KOLABC.CHTROJ_AGENT.AGSB

20 Confidence of sequential attack pattern  How strong the n-pattern coordinated attack, if (n-1)-pattern, a subsequence of n-pattern occur  where n is the length of pattern and m is the length of subsequence of n-pattern www.themegallery.com Company Name for n > 1 and m = (n-1), Conf(n-pattern) = Supp(n-pattern) Supp(m-pattern)

21 Confidence of 3-pattern Kikuchi Laboratory Tokai University

22 Conclusion Kikuchi Laboratory Tokai University  PrefixSpan method sufficiently discover all sequential attack patterns.  Coordinated attacks are performed by multiple sequential attack patterns within certain short time interval.  The sequential pattern of coordinated attack tends to change all the time.  This result gives several behaviors useful for alerting threats of botnets attacks.

23

Download ppt "Frequent Sequential Attack Patterns of Malware in Botnets Nur Rohman Rosyid."

Similar presentations

PREFIXSPAN ALGORITHM Mining Sequential Patterns Efficiently by Prefix- Projected Pattern Growth al113301m@student.etf.rs.

PREFIXSPAN ALGORITHM Mining Sequential Patterns Efficiently by Prefix- Projected Pattern Growth
Rule Discovery from Time Series Presented by: Murali K. Kadimi.

Rule Discovery from Time Series Presented by: Murali K. Kadimi.
Sequential Patterns & Process Mining Current State of Research Edgar de Graaf LIACS.

Sequential Patterns & Process Mining Current State of Research Edgar de Graaf LIACS.
Zhou Zhao, Da Yan and Wilfred Ng

Zhou Zhao, Da Yan and Wilfred Ng
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Edi Winarko, John F. Roddick

Edi Winarko, John F. Roddick
Rakesh Agrawal Ramakrishnan Srikant

Rakesh Agrawal Ramakrishnan Srikant
Our New Progress on Frequent/Sequential Pattern Mining We develop new frequent/sequential pattern mining methods Performance study on both synthetic and.

Our New Progress on Frequent/Sequential Pattern Mining We develop new frequent/sequential pattern mining methods Performance study on both synthetic and.
Multi-dimensional Sequential Pattern Mining

Multi-dimensional Sequential Pattern Mining
Sequential Pattern Mining

Sequential Pattern Mining
Temporal Pattern Matching of Moving Objects for Location-Based Service GDM Ronald Treur14 October 2003.

Temporal Pattern Matching of Moving Objects for Location-Based Service GDM Ronald Treur14 October 2003.
Temporal Data Mining Claudio Bettini, X.Sean Wang and Sushil Jajodia Presented by Zhuang Liu.

Temporal Data Mining Claudio Bettini, X.Sean Wang and Sushil Jajodia Presented by Zhuang Liu.
Association Rule Mining (Some material adapted from: Mining Sequential Patterns by Karuna Pande Joshi)‏

Association Rule Mining (Some material adapted from: Mining Sequential Patterns by Karuna Pande Joshi)‏
2/8/00CSE 711 data mining: Apriori Algorithm by S. Cha 1 CSE 711 Seminar on Data Mining: Apriori Algorithm By Sung-Hyuk Cha.

2/8/00CSE 711 data mining: Apriori Algorithm by S. Cha 1 CSE 711 Seminar on Data Mining: Apriori Algorithm By Sung-Hyuk Cha.
School of Computer Science and Information Systems

School of Computer Science and Information Systems
Mining Association Rules between Sets of Items in Large Databases presented by Zhuang Wang.

Mining Association Rules between Sets of Items in Large Databases presented by Zhuang Wang.
A Short Introduction to Sequential Data Mining

A Short Introduction to Sequential Data Mining
Alert Correlation for Extracting Attack Strategies Authors: B. Zhu and A. A. Ghorbani Source: IJNS review paper Reporter: Chun-Ta Li ( 李俊達 )

Alert Correlation for Extracting Attack Strategies Authors: B. Zhu and A. A. Ghorbani Source: IJNS review paper Reporter: Chun-Ta Li ( 李俊達 )
What Is Sequential Pattern Mining?

What Is Sequential Pattern Mining?
Association Rules. 2 Customer buying habits by finding associations and correlations between the different items that customers place in their “shopping.

Association Rules. 2 Customer buying habits by finding associations and correlations between the different items that customers place in their “shopping.

Similar presentations

Ads by Google