Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University DATA CLASSIFICATION FOR CLASSIFIER.

Published byRandolph Hutchinson Modified over 8 years ago

Similar presentations

Presentation on theme: "Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University DATA CLASSIFICATION FOR CLASSIFIER."— Presentation transcript:

1 Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University DATA CLASSIFICATION FOR CLASSIFIER TRAINING TO AID IN NETWORK INCIDENT IDENTIFICATION

2 I NTRODUCTION Introduction Background Problem Statement Approach Results Conclusion Questions

3 B ACKGROUND Network Telescopes (aka Darknets) What are they ? Network telescopes are monitors that log traffic that is destined for a certain IP space on which no legitimate hosts belong. We can conclude that traffic received is either malicious in nature or due to incorrect configuration. Why ? Network telescopes provide a way of observing the anomalous traffic on the Internet. This is useful for researchers studying the trending of malicious activity on the Internet. Allowing for early warning systems to be devised to allow suitable reactions to current attacks/incidents. Who The majority of the research is conducted by CAIDA. Other research institutions include the Internet Motion Sensor, Team Crymu and an assortment of other universities. The majority of the research in network telescopes focuses on building scalable frameworks to allow for efficient querying of information from network telescopes, anomaly monitoring and Internet mapping

4 Existing body of research The majority of the research in network telescopes focuses on building scalable frameworks to allow for efficient querying of information from network telescope nodes, anomaly monitoring and internet mapping. Little focus is put

5 B ACKGROUND Simple Network Diagram of a Network Telescope Bradley Cowie Network Telescope Structure As there are no legitimate hosts on the IP space assigned to the network telescope. It can be assumed that all traffic received is either malicious, anomalous or due to incorrect configuration

6 Problem Statement Overall : To aid in the analysis of the traffic received by network telescope by constructing and evaluating a number of metrics. These metrics should aid in in the analysis and decision making process of identifying network incidents. Why ? Network telescopes provide a large quantity of information for analysts to consider. Especially if all the various divisions are considered such as the number of ports for UDP and TCP. It is quite possible that this can lead to information overload and poor decision making. For this particular talk : To consider a number of ways to identify network incidents in network telescope datasets Why ? In order to evaluate the usefulness of the metrics at identifying incidents we need to identify where incidents occur in our datasets.

7 Approaches Two main approaches are detailed : Automated approach : Identification through mathematical modelling Identification through deviations from normality Manual Approach Through observation

8 Automated Approach Identification through mathematical modelling : It has been established that for certain cases mathematical models describe the growth in infected hosts due to viral infections. It is conceivable that a system could be constructed to identify these sorts of models. Attempted System : A naive implementation to this technique was attempted by constructing a feed-forward network that had been optimized for shape identification. Said system was modified from a neural network that was designed to identify shapes.

9 Unique Hosts for Port 445

10 Automated Approach Results : Due to the complex nature of the traffic received said system failed to produce any results of significance. The highly fluxuating nature of the number of unique source IP’s is illustrated in the graph below. Conclusions : A more complex approach is required to identify growth types using network telescope data in an automated sense.

11 Identification through deviations from normality Overview : This approach attempts to define normal values for measures and then identify where these values are grossly exceeded. The definition of grossly exceeds is tricky. One approach to this is make use of bands that define the upper and lower limits that we expect a quantity. One way to approach this is to make use of Bollinger Bands. The upper band is defined as Moving Average + kσ with the lower band defined as Moving Average - kσ.

12 Bollinger bands for Port 445

13 Identification through deviations from normality Standard Bollinger bands unfortunately don’t seem to identify major incidents such as the outbreak of Conficker. Further there are far too many signals generated. Investigating each of these would be lengthy. We need to optimize the parameters (K and the length of the moving of average). This comes back to our original problem... Alternatively we can attempt to identify incidents by observation. This is an adhoc type process that involves considering a number of statistics and noticing anomalies by hand. These “incidents” are then verified by comparing them against CVE and the wildlist to see if such an incident occurred during that time frame. This work is still currently in progress...

14 Line graph of traffic observed (as counts) This graph shows the trend of packets counts received between January 2006 and September 2009. It illustrates how the nature of traffic received changed due to the spread of the Conficker virus (October 2008)

15 Ratio’s of total traffic (TCP) The ratio that each of the top 4 ports and other ports make up of the total traffic for the years 2005-2009 is shown. Between 2008 and 2009 there is a shift from other ports making up the most traffic to port 445.

16 Manual Approach This follows the reverse of the methodology taken in the automated approach. Here the researcher attempt to find a list of know vulnerabilities/exploits/viruses in the datasets. A sample of this is identifying DDoS attacks. Often DDoS based attacks spoof IP address as the source IP’s to there attacks. Thus it is possible to observe these sorts of attacks when an attacker happens to spoof IP’s that belong to the network telescope. This causes ICMP type 11 messages to be returned to the network telescope. This work is still currently in progress...

17 Appearance of ICMP type 11 traffic Plot depicting the sudden appearance of ICMP Type 11 Traffic during the 17th and 18th of February 2008. It is suspected that this is DDoS backscatter.

18 Conclusion Some preliminary work has been completed to classify some incidents in our network telescope dataset. Further work is needed to create a well defined set of data points defining the occurrences of incidents in the data. Future work : Application of technical analysis indicators to the datasets Optimization of metrics using neural networks and GA’s

19 Questions and comments ?

Download ppt "Bradley Cowie Supervised by Barry Irwin Security and Networks Research Group Department of Computer Science Rhodes University DATA CLASSIFICATION FOR CLASSIFIER."

Similar presentations

Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.

Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,

Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
Describing Quantitative Variables

Describing Quantitative Variables
Saeed Ebrahimijam Spring 2013 Faculty of Business and Economics Department of Banking and Finance Doğu Akdeniz Üniversitesi FINA417.

Saeed Ebrahimijam Spring 2013 Faculty of Business and Economics Department of Banking and Finance Doğu Akdeniz Üniversitesi FINA417.
In/Out Traffic Proportion Based Analyses for Network Anomaly Detection By Zhang FengXiang 2006-07-17.

In/Out Traffic Proportion Based Analyses for Network Anomaly Detection By Zhang FengXiang
Chapter 5. Methods and Philosophy of Statistical Process Control

Chapter 5. Methods and Philosophy of Statistical Process Control
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.

By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Chapter 10 Quality Control McGraw-Hill/Irwin

Chapter 10 Quality Control McGraw-Hill/Irwin
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Software Quality Control Methods. Introduction Quality control methods have received a world wide surge of interest within the past couple of decades.

Software Quality Control Methods. Introduction Quality control methods have received a world wide surge of interest within the past couple of decades.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Introduction to Hypothesis Testing

Introduction to Hypothesis Testing
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
MAE 552 Heuristic Optimization Instructor: John Eddy Lecture #16 3/1/02 Taguchi’s Orthogonal Arrays.

MAE 552 Heuristic Optimization Instructor: John Eddy Lecture #16 3/1/02 Taguchi’s Orthogonal Arrays.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : 97077200 7 August 1999 The Chinese University.

Security Issues on Distributed Systems 7 August, 1999 S 1 Prepared by : Lorrien K. Y. Lau Student I.D. : August 1999 The Chinese University.
10/21/20031 Framework For Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papadopoulos Kavita Chada & Viji Avali CSCE 790.

10/21/20031 Framework For Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papadopoulos Kavita Chada & Viji Avali CSCE 790.
Network Measurement Bandwidth Analysis. Why measure bandwidth? Network congestion has increased tremendously. Network congestion has increased tremendously.

Network Measurement Bandwidth Analysis. Why measure bandwidth? Network congestion has increased tremendously. Network congestion has increased tremendously.

Similar presentations

Ads by Google