PowerPoint PPT Presentation by Bisyron Wahyudi and Muhammad Salahuddien


SLIDE 1

by Bisyron Wahyudi and Muhammad Salahuddien

SLIDE 2

• The amount of malicious traffic circulating on the Internet is increasing significantly.
• Increasing complexity and rapid change in host and network technology suggest that there will be new vulnerabilities.
• Attackers have an interest in identifying networks and hosts to expose vulnerabilities:
  • Network scans
  • Worms
  • Trojans
  • Botnet
SLIDE 3

• Complicated attack methods make it difficult to identify the real attacks: it is not as simple as filtering out the traffic from some sources.
• Security is implemented like an “add-on” module for the Internet.
SLIDE 4

• Understanding the natural behavior of malicious sources and targeted ports is important to minimize damage by building strong, specific security rules and countermeasures.
• It helps the cyber security policy-making process and raises public awareness.
• Questions:
  • Do malicious sources generate the attacks uniformly?
  • Is there any specific pattern, i.e. a recurrence event?
  • Is there any correlation between the number of some attacks over a specific time?

SLIDE 5

• Many systems and phenomena (events) are distributed according to a “power law”.
• When one quantity (say y) depends on another (say x) raised to some power, we say that y is described by a power law.
• A power law applies to a system when:
  • large is rare and
  • small is common
SLIDE 6

• Collection of system logs from a Network Intrusion Detection System (NIDS)
• The NIDS contains 11 sensors installed in different core networks of Indonesian ISPs (NAP)
• Period: January 2012 - September 2012
  • Available fields:
    ▪ Event Message, Timestamp, Dest. IP, Source IP, Attacks Classification, Priority, Protocol, Dest. Port/ICMP code, Source Port/ICMP type, Sensors ID

SLIDE 7

SLIDE 8

• Two quantities x and y are related by a power law if y is proportional to x^(-c) for a constant c: y = α·x^(-c)
• If x and y are related by a power law, then the graph of log(y) versus log(x) is a straight line: log(y) = -c·log(x) + log(α)
• The slope of the log-log plot is the power exponent c

SLIDE 9

SLIDE 10

• Destination Port Distribution
  • Monitor destination ports for intrusion attempts
• Source IP Distribution
  • Look for trends in the source addresses associated with intrusion events
  • Group intrusions into ports 1434, 1433, 53, and 445
SLIDE 11

• Understanding the behavior of malicious sources over time
  • Is there any correlation between the number of attacks over time?
  • Time series analysis: Power spectrum analysis and Detrended Fluctuation Analysis (DFA)

SLIDE 12

SLIDE 13

SLIDE 14

[Figure: Cumulative Distribution of attacks by source IP address (bar chart)]

SLIDE 15

Source IP         Counter   Cumulative Distribution
61.235.46.146     1136787   0.127079841
124.239.195.131    497699   0.182716922
218.75.49.242      485758   0.237019134
211.141.86.248     315837   0.272326114
202.155.14.117     241850   0.29936219
119.235.24.210     214618   0.323354038
60.190.118.153     148839   0.339992544
61.128.110.96      145968   0.356310104
117.102.102.34     124868   0.370268924

SLIDE 16

• Only a few sources are responsible for generating most of the malicious traffic
  • These sources attack ports 1434 (MS SQL-M), 53 (DNS), 445 (Microsoft DS), 1433 (MS SQL-S)
• Argument for a blacklist
• Most sources generate only 1 attack
  • It is not efficient to filter out these types of sources
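The Counter / Cumulative Distribution tables of slides 15 and 16, together with the two numbers behind the blacklist argument (how many top-ranked sources cover a given share of events, and what fraction of sources fired only once), computed over a constructed sample of IDS records. This is an added example, not code from the presentation; the records use RFC 5737 documentation addresses rather than the authors' sensor data.

```python
from collections import Counter

# Constructed IDS records (source IP, destination port/protocol) using RFC 5737
# documentation addresses; not the presentation's sensor data.
SAMPLE_EVENTS = (
    [("192.0.2.10", "1434/udp")] * 60
    + [("198.51.100.7", "53/udp")] * 25
    + [("203.0.113.5", "445/tcp")] * 9
    + [("192.0.2.%d" % i, "1433/tcp") for i in range(20, 26)]  # six one-off sources
)

def rank_table(events, field):
    """Rank the values of one record field (0 = source IP, 1 = destination port) by
    event count and attach the cumulative share of all events, as in the slides'
    Counter / Cumulative Distribution tables."""
    counts = Counter(e[field] for e in events)
    total = sum(counts.values())
    rows, cum = [], 0
    for value, n in counts.most_common():
        cum += n
        rows.append((value, n, cum / total))
    return rows

def top_entries_covering(rows, share):
    """How many top-ranked entries account for at least `share` of all events
    (the blacklist argument: a few sources cover most of the traffic)."""
    for i, (_, _, cum) in enumerate(rows, 1):
        if cum >= share:
            return i
    return len(rows)

def singleton_share(rows):
    """Fraction of distinct entries seen exactly once (the sources a blacklist
    cannot efficiently filter)."""
    return sum(1 for _, n, _ in rows if n == 1) / len(rows)

def print_table(rows, label):
    """Print rows in the slides' three-column layout."""
    print(f"{label:<24} {'Counter':>8}  Cumulative Distribution")
    for value, n, cum in rows:
        print(f"{value:<24} {n:>8}  {cum:.9f}")
```

Calling `print_table(rank_table(SAMPLE_EVENTS, 0), "Source IP")` reproduces the slide 15 layout for the sample; replacing `SAMPLE_EVENTS` with (source IP, port) pairs parsed from real sensor logs is the only change needed.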

SLIDE 17

• Understanding the behavior of malicious sources over time
  • Is there any correlation between the number of attacks over time?
  • Time series analysis: Power spectrum analysis and DFA

SLIDE 18

• If we analyze the total time series from all sensors, there is no strong correlation between the number of attacks and time
• Analyzing the time series from each sensor is preferred: the statistical properties of each sensor are not the same

SLIDE 19

11/27/2012 19

SLIDE 20

SLIDE 21

SLIDE 22

SLIDE 23

• The behavior of the number of attacks over time is random
• The result of DFA seems to be divided into two regions with different Power Law fluctuation exponents
• There is a bending point; it needs more investigation
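An added example (not the authors' code) implementing the log-log slope fit of slide 8 and a linear-detrending DFA of the kind the slides apply to per-sensor attack-count series; `dfa_exponent` accepts an l-range so the two regions on either side of a bending point can be fitted separately. The demo series are constructed Gaussian noise and its running sum, not the sensor data.

```python
import itertools
import math
import random

def linfit(xs, ys):
    """Ordinary least-squares fit y = slope*x + intercept; returns (slope, intercept)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx, my - (sxy / sxx) * mx

def power_law_fit(xs, ys):
    """Fit y = a * x**c from the slope of log(y) against log(x) (slide 8); returns (c, a)."""
    c, log_a = linfit([math.log(x) for x in xs], [math.log(y) for y in ys])
    return c, math.exp(log_a)

def dfa(series, window_sizes):
    """Detrended Fluctuation Analysis (linear detrending): integrate the mean-removed
    series into a profile, cut it into windows of length l, subtract the best-fit line
    in each window and return (l, F(l)) with F the RMS residual."""
    mean = sum(series) / len(series)
    profile = list(itertools.accumulate(v - mean for v in series))
    points = []
    for l in window_sizes:
        nwin = len(profile) // l
        if nwin < 2:
            continue
        xs, sq = list(range(l)), 0.0
        for w in range(nwin):
            seg = profile[w * l:(w + 1) * l]
            slope, icpt = linfit(xs, seg)
            sq += sum((y - (slope * x + icpt)) ** 2 for x, y in zip(xs, seg))
        points.append((l, math.sqrt(sq / (nwin * l))))
    return points

def dfa_exponent(points, lmin=None, lmax=None):
    """Scaling exponent alpha = slope of log F(l) versus log l; restricting [lmin, lmax]
    lets the two regions on either side of a bending point be fitted separately."""
    sel = [(l, f) for l, f in points
           if (lmin is None or l >= lmin) and (lmax is None or l <= lmax)]
    return power_law_fit([l for l, _ in sel], [f for _, f in sel])[0]

# Constructed demo series (not the presentation's sensor data): Gaussian noise standing
# in for a mean-removed per-second count series (alpha ~ 0.5) and its running sum (~1.5).
rng = random.Random(2012)
WHITE = [rng.gauss(0.0, 1.0) for _ in range(4096)]
WALK = list(itertools.accumulate(WHITE))
WINDOWS = [16, 32, 64, 128, 256]
```

An uncorrelated series gives alpha near 0.5 and a strongly correlated one near 1.5; an exponent near unity, as the slides report for port 445, sits between the two and indicates long-range correlation in the attack counts.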

SLIDE 24

SLIDE 25

SLIDE 26

SLIDE 27

[Figure: Cumulative Distribution of attacks by destination port (bar chart)]

SLIDE 28

• Only a few ports are the target of most attacks
• Port 1434 (MS SQL-M), 53 (DNS), 1433 (MS SQL-S), 445 (microsoft-ds)

Destination Port        Counter   Cumulative Distribution
1434 (ms-sql-m)/udp     4129135   0.46774675
53 (domain)/udp         1900826   0.683071554
1433 (ms-sql-s)/tcp      891009   0.784004694
445 (microsoft-ds)/tcp   304656   0.818516003
3306/tcp                  98583   0.829683446
80 (http)/tcp             78690   0.838597417
80 (http)/udp             65922   0.846065035
34354/tcp                 62865   0.853186357
32115/udp                 46580   0.85846292

SLIDE 29

[Figure: Cumulative Distribution of attacks by IDS event message (bar chart)]

SLIDE 30

Event Message                                                         Counter   Cumulative Distribution
SQL probe response overflow attempt (1:2329)                          4436014   0.34605762
SQL heap-based overflow attempt (1:4990)                              2526867   0.543180888
SQL SA brute force login attempt TDS v7/8 (1:3543)                     884743   0.612200521
SQL version overflow attempt (1:2050)                                  878459   0.680729933
SQL Worm propagation attempt (1:2003)                                  696421   0.735058389
BOTNET-CNC Virut DNS request for C&C attempt (1:16302)                 609160   0.782579533
BOTNET-CNC Virut DNS request attempt (1:16304)                         554635   0.825847131
WEB-MISC Microsoft ASP.NET information disclosure attempt (3:17429)    413011   0.858066507
SPYWARE-PUT Torpig bot sinkhole server DNS lookup attempt (1:16693)    208301   0.874316263

SLIDE 31

• Exploit for the SQL Server 2000 Resolution Service buffer overflow
• The SQL Slammer or Sapphire worm used a classic buffer overflow in the Microsoft SQL Resolution Service that was provided with SQL Server 2000 and MSDE
• It used only a single UDP packet aimed at port 1434 to spread, making it fast and nearly unstoppable

SLIDE 32

SLIDE 33

SLIDE 34

SLIDE 35

• The behavior of attacks on port 1434 is random
• The result of DFA seems to be divided into two regions with different Power Law fluctuation exponents
• There is a bending point; further analysis is needed: are there any specific real activities (social, user behavior, etc.) related to these different exponents?

SLIDE 36

• Blocking adult sites' addresses (admin policy)
• Authors of viruses, Trojan horses and other malware may interfere with user DNS for a variety of reasons, including:
  • attempting to block access to remediation resources (such as system patches, AV updates, malware cleanup tools)
  • attempting to redirect users from legitimate sensitive sites (such as online banks and brokerages) to rogue web sites run by phishers
  • attempting to redirect users from legitimate sites to malware-tainted sites where the user can become (further) infected
  • attempting to redirect users to pay-per-view or pay-per-click websites in an effort to garner advertising revenues
  • attempting to resolve the target for spreading malware
SLIDE 37

SLIDE 38

SLIDE 39

SLIDE 40

• The behavior of attacks on port 53 is random
• The result of DFA seems to be divided into two regions with different Power Law fluctuation exponents
• There is a bending point; further analysis is needed: is there any specific real occasion (social, user behavior, etc.) related to these different exponents?
• Peaks appear several times at short time scales
  • Suggestion:
    ▪ DNS poisoning
    ▪ Network scans run by hosts infected by malware or hosts that are part of a botnet
SLIDE 41

• The Microsoft-DS service is used for resource sharing on Windows 2000, XP, 2003, and other Samba-based connections
• This is the port that is used to connect file shares, for example

SLIDE 42

[Figure: time series plot of y_t versus t (second)]

SLIDE 43

SLIDE 44

[Figure: log-log plot of F(l) versus l, with fitted exponent α = 0.74937]

SLIDE 45

• The data shows clear Power Law fluctuations
• The exponents of the fluctuation for attacks targeting port 445 are almost unity
• The attacks on port 445 seem to have correlation (possible recurrence event)
• This finding agrees with previous research done by Uli Harder, “Observing Internet Worm and Virus Attacks with a Small Network Telescope”

SLIDE 46

• Ravindo Tower 17th Floor
• Kebon Sirih Raya, Kav. 75
• Central Jakarta, 10340
• Phone +62 21 3192 5551
• Fax +62 21 3193 5556
• office@idsirtii.or.id ; www.idsirtii.or.id