by
play

by Bisyron Wahyudi Muhammad Salahuddien Amount of malicious - PowerPoint PPT Presentation

Feb 13, 2024 •579 likes •1.05k views

by Bisyron Wahyudi Muhammad Salahuddien Amount of malicious traffic circulating on the Internet is increasing significantly. Increasing complexity and rapid change in hosts and networks technology suggests that there will be new

  1. by Bisyron Wahyudi Muhammad Salahuddien

  2.  Amount of malicious traffic circulating on the Internet is increasing significantly.  Increasing complexity and rapid change in hosts and networks technology suggests that there will be new vulnerabilities.  Attackers have interest in identifying networks and hosts to expose vulnerabilities :  Network scans  Worms  Trojans  Botnet

  3.  Complicated methods of attacks make difficult to identify the real attacks : It is not simple as filtering out the traffic from some sources  Security is implemented like an “add on” module for the Internet.

  4.  Understanding nature behavior of malicious sources and targeted ports is important to minimize the damage by build strong specific security rules and counter measures  Help the cyber security policy-making process, and to raise public awareness  Questions :  Do malicious sources generate the attacks uniformly ?  Is there any pattern specific i.e. recurrence event ?  Is there any correlation between the number of some attacks over specific time ?

  5.  Many systems and phenomena (events) are distributed according to a “power law”  When one quantity (say y) depends on another (say x) raised to some power, we say that y is described by a power law  A power law applies to a system when:  large is rare and  small is common

  6.  Collection of System logs from Networked Intrusion Detection System (IDS)  The NIDS contains 11 sensors installed in different core networks in Indonesian ISP (NAP)  Period : January, 2012 - September, 2012  Available fields : ▪ Event Message, Timestamp, Dest. IP, Source IP, Attacks Classification, Priority, Protocol, Dest. Port/ICMP code, Source Port/ICMP type, Sensors ID

  8.  Two quantities x and y are related by a power law if y is proportional to x (-c) for a constant c y =  .x (-c)  If x and y are related by a power law, then the graph of log(y) versus log(x) is a straight line log(y) = -c.log(x) + log(  )  The slope of the log-log plot is the power exponent c

  10.  Destination Port Distribution  Monitor destination port for intrusion attempts  Source IP’s Distribution  Look for trends in the source address associated with intrusions events  Group intrusions into port 1434, 1433, 53, and 445

  11.  Understanding the behavior of malicious sources over the time • Is there any correlation between the number of attacks over time ?  Time series analysis : Power spectrum analysis and Detrended Fluctuation Analysis (DFA)

  14. 0.6 0.2 0.4 0.8 1.2 0 1 61.235.46.146 194.146.106.106 222.214.216.180 202.155.87.34 116.66.200.18 122.117.233.118 60.12.200.23 124.81.80.67 218.201.192.202 114.57.34.31 124.81.210.230 223.255.225.80 218.56.33.60 114.57.34.199 202.169.52.242 118.97.58.166 76.169.138.246 Cumulative Distribution 222.186.13.90 114.59.80.61 60.190.137.138 113.212.116.37 223.255.230.65 223.255.230.74 61.176.192.150 180.214.233.33 223.255.230.68 124.81.254.147 117.102.101.183 223.255.230.29 223.255.230.6 110.5.96.126 103.10.66.70 116.0.151.161 223.255.230.5 202.155.61.80 24.73.139.84 223.255.229.16 223.255.231.21 202.155.64.147 108.18.196.16 223.255.231.18 174.55.200.166 Distribution Cumulative

  15. Cumulative Source IP Counter Distribution 61.235.46.146 1136787 0.127079841 124.239.195.131 497699 0.182716922 218.75.49.242 485758 0.237019134 211.141.86.248 315837 0.272326114 202.155.14.117 241850 0.29936219 119.235.24.210 214618 0.323354038 60.190.118.153 148839 0.339992544 61.128.110.96 145968 0.356310104 117.102.102.34 124868 0.370268924

  16.  Only a few sources are responsible for many generating malicious traffics  These sources attacks on ports 1434 (MS SQL-M), 53 (DNS), 445 (Microsoft DS), 1433(MS SQL-S)  Argument for a blacklist  Most of sources are generating 1 attack  It is not efficient to filtering out these type of sources

  17.  Understanding the behavior of malicious sources over the time • Is there any correlation between the number of attacks over time ?  Time series analysis : Power spectrum analysis and DFA

  18.  If we analyze the total time series from all sensors: there are no strong correlation between the number of attacks and time  Analyzing the time series from each sensor is preferred. The statistical properties for each sensor is not the same.

  19. 11/27/2012 19

  20. 11/27/2012 20

  21. 11/27/2012 21

  22. 11/27/2012 22

  23.  The number of attacks behavior over the time is random  The result of DFA seems to be divided into two region of different exponents of Power Law fluctuation.  There is a bending point, need more investigation.

  27. 0.2 0.4 0.6 0.8 1.2 0 1 1434 (ms-sql-m)/udp 6699/udp 1027/udp 1030 (iad1)/udp 35693/udp 18062/udp 12998/udp 10013/udp 64016/udp 1054/udp 1071/udp 9966/udp 8441/udp 1059 (nimreg)/udp 13663/udp 51120/udp 20973/udp 55818/udp Cumulative Distribution 47907/udp 47429/udp 10039/udp 18842/udp 38935/udp 1119/udp 1873/udp 1688/udp 20184/udp 60001/udp 1594/udp 59375/udp 10785/udp 1181/udp 54075/udp 10092/udp 10054/udp 27204/udp 18076/udp 1096/udp 18119/udp 5236 (padl2sim)/udp 1131/udp 1634/udp 1347 (bbn-mmc)/udp 22185/udp Distribution Cumulative

  28. Destination Port Counter Cumulative Distribution 1434 (ms-sql-m)/udp 4129135 0.46774675 53 (domain)/udp 1900826 0.683071554 1433 (ms-sql-s)/tcp 891009 0.784004694 445 (microsoft-ds)/tcp 304656 0.818516003 3306/tcp 98583 0.829683446 80 (http)/tcp 78690 0.838597417 80 (http)/udp 65922 0.846065035 34354/tcp 62865 0.853186357 32115/udp 46580 0.85846292  Only a few ports become target of most attacks  Port 1434 (MS SQL-M), 53 (DNS), 1433 (MS SQL- S), 445 (microsoft-ds)

  29. 0.2 0.4 0.6 0.8 1.2 0 1 SQL probe response overflow attempt … SQL heap-based overflow attempt (1:4990) SQL SA brute force login attempt TDS v7/8 … SQL version overflow attempt (1:2050) SQL Worm propagation attempt (1:2003) BOTNET-CNC Virut DNS request for C&C … BOTNET-CNC Virut DNS request attempt … WEB-MISC Microsoft ASP.NET information … SPYWARE-PUT Torpig bot sinkhole server … BOTNET-CNC Palevo bot DNS request … BOTNET-CNC Palevo bot DNS request for … BOTNET-CNC Trojan.Zeus P2P outbound … ATTACK-RESPONSES Invalid URL (1:1200) BOTNET-CNC Possible host infection - … WEB-PHP Wordpress timthumb.php theme … BOTNET-CNC Torpig bot sinkhole server … SQL sa brute force failed login unicode … Cumulative Distribution DOS Microsoft Windows NAT Helper DNS … POLICY failed mysql login attempt (1:13357) BOTNET-CNC Possible Zeus User-Agent - … MYSQL client authentication bypass … SPECIFIC-THREATS msblast attempt (1:9422) POLICY mysql login attempt from … SQL generic sql update injection attempt - … SHELLCODE x86 OS agnostic fnstenv geteip … MYSQL protocol 41 client authentication … POLICY failed Oracle Mysql login attempt … SQL ping attempt (1:2049) BACKDOOR trojan agent.aarm runtime … BACKDOOR only 1 rat runtime detection - … SPYWARE-PUT Adware download … BOTNET-CNC W32.Dofoil variant outbound … BAD-TRAFFIC BIND named 9 dynamic … POLICY Oracle Mysql login attempt from … WEB-MISC Microsoft ASP.NET information … WEB-CLIENT Portable Executable binary file … NETBIOS DCERPC NCACN-IP-TCP srvsvc … EXPLOIT IBM Tivoli Storage Manager … SQL generic sql insert injection atttempt - … SHELLCODE x86 OS agnostic xor dword … DOS MSDTC attempt (1:1408) SQL union select - possible sql injection … SQL MySQL/MariaDB client authentication … ATTACK-RESPONSES id check returned … Distribution Cumulative BACKDOOR c99shell.php command request … MYSQL Sun MySQL mysql_log … BOTNET-CNC Trojan- … SPECIFIC-THREATS korgo attempt (1:9420) SPECIFIC-THREATS RedKit Repeated …

  30. Cumulative Event Message Counter Distribution SQL probe response overflow attempt (1:2329) 4436014 0.34605762 SQL heap-based overflow attempt (1:4990) 2526867 0.543180888 SQL SA brute force login attempt TDS v7/8 (1:3543) 884743 0.612200521 SQL version overflow attempt (1:2050) 878459 0.680729933 SQL Worm propagation attempt (1:2003) 696421 0.735058389 BOTNET-CNC Virut DNS request for C&C attempt (1:16302) 609160 0.782579533 BOTNET-CNC Virut DNS request attempt (1:16304) 554635 0.825847131 WEB-MISC Microsoft ASP.NET information disclosure attempt (3:17429) 413011 0.858066507 SPYWARE-PUT Torpig bot sinkhole server DNS lookup attempt (1:16693) 208301 0.874316263

  31.  Exploit for the SQL Server 2000 resolution service buffer overflow  The SQL Slammer or Sapphire worm used a classic Buffer Overflow in the Microsoft SQL Resolution Service that was provided with SQL Server 2000 and MSDE  It used only a single UDP packet aimed at port 1434 to spread, causing it to be fast and nearly unstoppable

  32. 11/27/2012 32

  33. 11/27/2012 33

  34. 11/27/2012 34

  35.  The attacks behavior on port 1434 is random  The result of DFA seems to be divided into two region of different exponents of Power Law fluctuation  There is a bending point – further analysis needed, is there any specific real activities (social, user behavior, etc.) related to this different exponents

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Network Security Model Header attacks Protocol Attacks

597 views • 25 slides
CSSE132 Introduc0on to Computer Systems 18 : Alignment,

CSSE132 Introduc0on to Computer Systems 18 : Alignment,

Adapted from Carnegie Mellon 15-213 CSSE132 Introduc0on to Computer Systems 18 : Alignment, Pointers, Bounds April 9, 2013 1 Today Structures Alignment

605 views • 43 slides
Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen

Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen

Code-Red: a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeff Brown November, 2002 IMW {dmoore, cshannon} @ caida.org www.caida.org Outline What is the Code-Red worm? Detection Host

495 views • 35 slides
Trojan Horses Seemingly useful program that contains code that does harmful things When

Trojan Horses Seemingly useful program that contains code that does harmful things When

Trojan Horses Seemingly useful program that contains code that does harmful things When you run it, the Greeks creep out and slaughter your system Lecture 12 Page 1 CS 236 Online Basic Trojan Horses A program you pick up somewhere

581 views • 23 slides
Machine-Level Programming V: Advanced Topics 15-213:

Machine-Level Programming V: Advanced Topics 15-213:

Carnegie Mellon Machine-Level Programming V: Advanced Topics 15-213: Introduc0on to Computer Systems 8 th Lecture, Sep. 16, 2010 Instructors: Randy Bryant &

738 views • 53 slides
Four Grand Challenges in Trustworthy Computing Why Grand Challenges? Inspire creative

Four Grand Challenges in Trustworthy Computing Why Grand Challenges? Inspire creative

Four Grand Challenges in Trustworthy Computing Why Grand Challenges? Inspire creative thinking Encourage thinking beyond the incremental Some important problems require multiple approaches over long periods of time Big

677 views • 52 slides
Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background

Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background

Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background singers: Jay and Fabian 1 Agenda Questions and Critique of Timezones paper Extensions Network Monitoring (recap) Post-Mortem Analysis

666 views • 40 slides
Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 24 Example 1: the Morris worm (1988) first

695 views • 24 slides
Software and Web Security deel 1 deel 1 sws1 About this course: people Erik Poll P t

Software and Web Security deel 1 deel 1 sws1 About this course: people Erik Poll P t

1 Software and Web Security deel 1 deel 1 sws1 About this course: people Erik Poll P t Peter Schwabe S h b Pol van Aubel Ko Stoffelen Ko Stoffelen sws1 2 About this course: topics & goals g Standard

943 views • 48 slides
CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking & Loading, continued Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references & buffer overflow K&R:

775 views • 43 slides
Stack Buffer Overflows Deian Stefan Some slides adopted from Kirill Levchenko and Stefan Savage

Stack Buffer Overflows Deian Stefan Some slides adopted from Kirill Levchenko and Stefan Savage

CSE 127: Computer Security Stack Buffer Overflows Deian Stefan Some slides adopted from Kirill Levchenko and Stefan Savage When is a program secure? When it does exactly what it should? Not more Not less But how do we know what

1.42k views • 119 slides
WEIRDS Status Update Murray Kucherawy <superuser@gmail.com> The

WEIRDS Status Update Murray Kucherawy <superuser@gmail.com> The

WEIRDS Status Update Murray Kucherawy <superuser@gmail.com> The Story So Far WHOIS is a rudimentary protocol that originated in the early days of

268 views • 5 slides
Hyperconverged Infrastructure Internet as a global system Seamless integration of compute,

Hyperconverged Infrastructure Internet as a global system Seamless integration of compute,

Hyperconverged Infrastructure Internet as a global system Seamless integration of compute, network and storage Performance vs. Layering New technologies New Applications CSci8211: Introduction 1 Subjects

682 views • 50 slides
M 3 AAWG @ LACNIC Update: Developing an Anti-Abuse Community Jesse Sowell, PhD Special Advisor to

M 3 AAWG @ LACNIC Update: Developing an Anti-Abuse Community Jesse Sowell, PhD Special Advisor to

M 3 AAWG @ LACNIC Update: Developing an Anti-Abuse Community Jesse Sowell, PhD Special Advisor to M 3 AAWG Cybersecurity Fellow at Stanford Center for International Security and Cooperation 27 September 2016 LACNIC 26, San Jose, Costa Rica

398 views • 23 slides
ABSTRACT zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA quality of service

ABSTRACT zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA quality of service

ABSTRACT zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA quality of service zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA QoS that they require. zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA they receive the end-to-end

657 views • 7 slides
ELEC / COMP 177 Fall 2012 Some slides from Kurose

ELEC / COMP 177 Fall 2012 Some slides from Kurose

ELEC / COMP 177 Fall 2012 Some slides from Kurose and Ross, Computer Networking , 5 th Edition Tuesday, December 11 th 8am-11am Short

897 views • 78 slides
rvores e rvores Binrias Siang Wun Song - Universidade de So Paulo - IME/USP MAC 5710 -

rvores e rvores Binrias Siang Wun Song - Universidade de So Paulo - IME/USP MAC 5710 -

rvores e rvores Binrias Siang Wun Song - Universidade de So Paulo - IME/USP MAC 5710 - Estruturas de Dados - 2008 Siang Wun Song - Universidade de So Paulo - IME/USP rvores e rvores Binrias Referncia bibliogrfica Os slides

794 views • 37 slides
Recursos Humanos I Administrao de Salrios Planos de Benefcios Sociais

Recursos Humanos I Administrao de Salrios Planos de Benefcios Sociais

Recursos Humanos I Administrao de Salrios Planos de Benefcios Sociais Administrao de Salrios Recursos Naturais + Dinheiro Acumulado + Trabalho = Riqueza ou Capital Processo Produtivo = Participao conjunta de

732 views • 38 slides
Control de flujo en TCP Tema 5.- Nivel de transporte en Internet Dr. Daniel Morat Redes de

Control de flujo en TCP Tema 5.- Nivel de transporte en Internet Dr. Daniel Morat Redes de

Clase 20 Control de flujo en TCP Tema 5.- Nivel de transporte en Internet Dr. Daniel Morat Redes de Ordenadores Ingeniero Tcnico de Telecomunicacin Especialidad en Sonido e Imagen, 3 curso Temario 1.- Introduccin 2.- Nivel de

847 views • 26 slides
Introduction to Generalized Stochastic Petri Nets Gianfranco Balbo Dipartimento di Informatica

Introduction to Generalized Stochastic Petri Nets Gianfranco Balbo Dipartimento di Informatica

31/05/2007 7-th International School on Formal Methods for the Design of Computer, Communication and Software Systems: Performance Evaluation Introduction to Generalized Stochastic Petri Nets Gianfranco Balbo Dipartimento di Informatica

1.3k views • 83 slides
Sistemas de Accionamento Electromecnico Comando e proteco de motores Introduo

Sistemas de Accionamento Electromecnico Comando e proteco de motores Introduo

Sistemas de Accionamento Electromecnico Comando e proteco de motores Introduo SISTEMAS de ACCIONAMENTO ELECTROMECNICO, Sistemas capazes de converter energia elctrica Sistemas capazes de converter energia elctrica em energia

782 views • 19 slides
State of the Art / Motivation Many LMS: Blackboard, Luvit, WebCT, Lotus Learning Space,

State of the Art / Motivation Many LMS: Blackboard, Luvit, WebCT, Lotus Learning Space,

ADRIAN: : ADRIAN E E- -Learning Content Production Learning Content Production (creating online exams) (creating online exams) Jos Carlos Ramalho Giovani R. Librelotto Pedro R. Henriques Department of Informatics University of Minho

540 views • 10 slides
A contrastive Approach to Multi-word Term Extraction from Domain-specific Corpora Francesca

A contrastive Approach to Multi-word Term Extraction from Domain-specific Corpora Francesca

A contrastive Approach to Multi-word Term Extraction from Domain-specific Corpora Francesca Bonin, Felice Dell' Orletta, Giulia Venturi and Simonetta Montemagni LREC Malta 2010 Outline Introduction and aims Multiword extraction

505 views • 19 slides
Analisi dei dati ed estrazione di conoscenza Mastering Data Mining Fosca Giannotti Pisa KDD

Analisi dei dati ed estrazione di conoscenza Mastering Data Mining Fosca Giannotti Pisa KDD

Analisi dei dati ed estrazione di conoscenza Mastering Data Mining Fosca Giannotti Pisa KDD Lab, ISTI-CNR & Univ. Pisa http:/ / www-kdd.isti.cnr.it/ DI PARTI MENTO DI I NFORMATI CA - Universit di Pisa anno accadem ico 2 0 0 5 / 2 0 0 6

432 views • 41 slides

More recommend