
Masayuki Ohrui, Hiroaki Kikuchi, Tokai University Masato Terada, Hitachi Ltd.


1 Masayuki Ohrui, Hiroaki Kikuchi, Tokai University Masato Terada, Hitachi Ltd.

2 Generation of Malware
1. Single
2. Variants (A, B, C)
3. Botnet (PE, WORM, WOTR): Coordinated Attack

3 Sample of Coordinated Attack
Time     Source IP Address  Malware Name
0:02:11  124.86.***.111     PE_VIRUT.AV
0:03:48  67.215.*.206       TROJ_BUZUS.AGB
0:03:48  72.10.***.195      WORM_SWTYMLAI.CD
Rule: PE_VIRUT.AV, TROJ_BUZUS.AGB, WORM_SWTYMLAI.CD (the three downloads observed together)

4 Objectives
- Discovery of botnet coordinated attacks. E.g. Botnet A: PE + TROJ + WORM; Botnet B: BKDR + TSPY + WORM
- Application to efficient malware detection.

5 Our Approach: Honeypot (figure: Sunday, Honeypot 1 downloads PE, TROJ and WORM samples)

6 Our Approach: Honeypot (figure: Monday, Honeypot 1 downloads PE, WORM and TROJ samples)

7 Difficulty of Discovering
- Coordinated patterns: 2^6 = 64
- One week: 7 days
- Number of investigations: 64 × 7 = 448
Downloads per day (column alignment of the sparse rows was lost in extraction):
Week  PE1  PE2  TROJ1  TROJ2  WORM1  WORM2
Sun   3 2 1
Mon   1 2 2 1 3 3
Tue   2 2 1 2
Wed   5 3 2 1
Thu   1 1 4 3
Fri   2 2 3
Sat   3 1 1 5 3
(figure annotations: ← 800T, ← 2M, ← 400M)

8 Our Approach: Data Mining
- Using association analysis ('Apriori').
- Extracting association rules of the form X → Y, e.g. 'PE → WORM, TROJ'.
- With a minimum support and a minimum confidence, the many useless rules that would otherwise have to be examined are pruned away.

9 Principle of Algorithm 'Apriori'
- Given minimum values, prune useless rules. (figure: Minimum Supp 0.8, Minimum Conf 0.6 → Effective Rules)

10 Extraction of Association Rules
X(PE1) → Y(TROJ1 & WORM1), counted over the weekly table of slide 7:
- Supp = |X∩Y| / |N| = 4/7 days (60 %)
- Conf = |X∩Y| / |X| = 4/5 days (80 %)
where |N| = 7, |X| = 5, |X∩Y| = 4.
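The rule extraction described on slides 8 to 10, worked through as an added example (not code from the authors): a small Apriori over constructed per-day download transactions, using the slide 3 malware names, that reports supp = |X∩Y|/|N| and conf = |X∩Y|/|X| for every rule passing the thresholds. The sample days are made up, not taken from the CCC DATAset.

```python
from itertools import combinations

# Constructed sample (not from the CCC DATAset): one transaction per day holding the
# malware families one honeypot downloaded that day; names follow slide 3.
DAILY_DOWNLOADS = [
    {"PE_VIRUT.AV", "TROJ_BUZUS.AGB", "WORM_SWTYMLAI.CD"},                    # Sun
    {"PE_VIRUT.AV", "TROJ_BUZUS.AGB", "WORM_SWTYMLAI.CD"},                    # Mon
    {"PE_VIRUT.AV", "TROJ_BUZUS.AGB", "WORM_SWTYMLAI.CD", "BKDR_POEBOT.GN"},  # Tue
    {"PE_VIRUT.AV", "WORM_SWTYMLAI.CD"},                                      # Wed
    {"PE_VIRUT.AV", "TROJ_BUZUS.AGB", "WORM_SWTYMLAI.CD"},                    # Thu
    {"TROJ_BUZUS.AGB", "WORM_SWTYMLAI.CD"},                                   # Fri
    {"BKDR_POEBOT.GN"},                                                       # Sat
]


def frequent_itemsets(transactions, min_supp):
    """Apriori level-wise search. Returns {itemset: number of days containing it}.
    A k-itemset is counted only if every (k-1)-subset was itself frequent; that
    pruning is what avoids examining all 2^m candidate patterns."""
    n = len(transactions)
    count = lambda items: sum(items <= t for t in transactions)
    level = {frozenset([i]) for t in transactions for i in t}
    frequent = {}
    while level:
        level = {s for s in level if count(s) / n >= min_supp}
        frequent.update((s, count(s)) for s in level)
        candidates = {a | b for a in level for b in level if len(a | b) == len(a) + 1}
        level = {c for c in candidates
                 if all(frozenset(sub) in frequent for sub in combinations(c, len(c) - 1))}
    return frequent


def association_rules(transactions, min_supp, min_conf):
    """Rules X => Y as {(X, Y): (supp, conf)}. count(X ∪ Y) is the |X∩Y| of slide 10
    (days on which both sides were seen) and count(X) is |X|."""
    n = len(transactions)
    freq = frequent_itemsets(transactions, min_supp)
    rules = {}
    for items, c_xy in freq.items():
        for k in range(1, len(items)):
            for x in combinations(sorted(items), k):
                x = frozenset(x)
                conf = c_xy / freq[x]          # integer counts: no rounding surprises
                if conf >= min_conf:
                    rules[(x, items - x)] = (c_xy / n, conf)
    return rules


if __name__ == "__main__":
    found = association_rules(DAILY_DOWNLOADS, min_supp=0.10, min_conf=0.80)
    for (x, y), (supp, conf) in sorted(found.items(), key=lambda r: -r[1][0]):
        print(f"{', '.join(sorted(x))} => {', '.join(sorted(y))}  supp={supp:.0%} conf={conf:.0%}")
```

With the thresholds of Exp1 (10 % / 80 %) the sample reproduces the slide 10 figures for PE_VIRUT.AV ⇒ TROJ_BUZUS.AGB, WORM_SWTYMLAI.CD (supp 4/7, conf 4/5), while PE_VIRUT.AV ⇒ BKDR_POEBOT.GN is dropped at conf 1/5.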

11 CCC DATAset 2009
- The CCC DATAset has observed malware traffic at the Japanese tier-1 backbone under the Cyber Clean Center (CCC).
- The malware downloading logs: 94 honeypots, 1 year (May 1, 2008 – April 30, 2009)
- The captured packets data: 1 honeypot, 2 days (March 13 & 14, 2009)

12 Questions
1. How accurately does the Apriori algorithm detect all coordinated attacks?
2. How commonly were coordinated attacks observed?
3. How long were coordinated attacks performed?

13 Experimental Data (figure: timeline of the honeypot IDs Honey001 ~ 094 from 2008/05 to 2009/04)
- The captured packets data (2009/03/13 & 14): Experiment 1 & 2, Association Rules of Malware / DL Servers
- The malware downloading logs, 1 year (365 days): Experiment 3, Dependency on Honeypot; Experiment 4, Lifecycle of Rules of Malware

14 Exp1: Association Rules of Malware
- Minimum Supp: 10%, Minimum Conf: 80%
- The pattern found manually (slide 3) can be extracted automatically!
No.  Antecedent                         Consequent          Supp  Conf
1    TROJ_BUZUS.AGB                  ⇒  WORM_SWTYMLAI.CD    41.4  100
2    WORM_SWTYMLAI.CD                ⇒  TROJ_BUZUS.AGB      46.6  88.9
3    TROJ_BUZUS.AGB, BKDR_POEBOT.GN  ⇒  WORM_SWTYMLAI.CD    10.3  100
4    WORM_SWTYMLAI.CD, BKDR_POEBOT.GN ⇒ TROJ_BUZUS.AGB      10.3  100
5    PE_VIRUT.AV, TROJ_BUZUS.AGB     ⇒  WORM_SWTYMLAI.CD    29.3  100
6    PE_VIRUT.AV, WORM_SWTYMLAI.CD   ⇒  TROJ_BUZUS.AGB      29.3  100

15 Exp2: Association Rules of DL Servers
- Minimum Supp: 10%, Minimum Conf: 50%
No.  Antecedent         Consequent          Supp  Conf  Corresponding MW
1    114.145.51.166  ⇒  122.18.195.123      41.4  100   PE ⇒ PE
2    122.18.195.123  ⇒  114.145.51.166      46.6  88.9  PE ⇒ PE
3    67.215.1.206    ⇒  72.10.165.195       10.3  100   TROJ ⇒ WORM
4    72.10.166.195   ⇒  67.215.1.206        10.3  100   WORM ⇒ TROJ
The rules are NOT useful.

16 Exp3: Dependency on Honeypot 200 rules observed by a single honeypot. 2 common rules observed by 36 honeypots.

17 Exp3: Dependency on Honeypot 200 rules observed by a single honeypot. 2 common rules observed by 36 honeypots. The widely observed rules are likely to be coordinated attacks!

18 Exp4: Lifecycle of Rules of Malware

19 Lifecycle of coordinated attacks: 26.3 days

20 Conclusions
- We have proposed an automated method to detect the association rules of malware for coordinated attacks.
- We have shown that our proposed method can extract all coordinated attacks correctly.
- We have shown the strong correlation between PE, TROJ and WORM in our experiment.
- The widely observed rules are likely to be coordinated attacks.
- The duration of coordinated attacks is very short.


22 Experiment 3: Dependency on Honeypot
- Num. of slots: 3 and over, Minimum Conf: 80%
No.  Antecedent                          Consequent          Honeypots
1    TROJ_BUZUS.AGB                   ⇒  WORM_SWTYMLAI.CD    36
2    WORM_SWTYMLAI.CD                 ⇒  TROJ_BUZUS.AGB      36
3    TROJ_BUZUS.AGB, BKDR_VANBOT.GN   ⇒  WORM_SWTYMLAI.CD    12
4    WORM_SWTYMLAI.CD, BKDR_VANBOT.GN ⇒  TROJ_BUZUS.AGB      12
5    TROJ_DLOADR.CBK                  ⇒  UNKNOWN             8
6    WORM_SWTYMLAI.CD, PE_VIRUT.AV    ⇒  TROJ_BUZUS.AGB      7
7    TROJ_BUZUS.AGB, PE_VIRUT.AV      ⇒  WORM_SWTYMLAI.CD    7

23 Experiment 4: Lifecycle of Rules of Malware
- Num. of slots: 3 and over, Minimum Conf: 80%
MW    Antecedent                        Consequent
PE    PE_VIRUT.AV, WORM_SWTYMLAI.CD  ⇒  TSPY_KOLABC.CH
TROJ  TROJ_BUZUS.AGB                 ⇒  WORM_SWTYMLAI.CD
WORM  TSPY_KOLABC.CH                 ⇒  WORM_SWTYMLAI.CD
Not TROJ but TSPY appeared!
