
Research Direction. Advisor: Frank, Yeong-Sung Lin. Presented by Jia-Ling Pan, 2010/10/21, NTUIM OPLAB.




2 Agenda
◦ Introduction
◦ Problem Description

3 Introduction

4 Worm attacks
Definition
◦ "A network worm is a piece of malicious code that propagates over a network without human assistance and can initiate actively attack independently or depending on file-sharing." [1]
◦ [1] Kienzle DM and Elder MC, "Recent worms: a survey and trends", Proceedings of the 2003 ACM workshop on Rapid malcode, October 2003.

5 Worm characteristics
Information collection:
◦ Collect information about the local or target network.
Probing:
◦ Scan and detect the vulnerabilities of the specified host, and determine which approach should be taken to attack and penetrate.
Communication:
◦ Communicate between worm and hacker, or among worms.
Attack:
◦ Make use of the holes found by the scanning step to create a propagation path.
Self-propagating:
◦ Create copies of the worm and transfer these copies among different hosts.

6 Decentralized Information Sharing
Cooperative attack detection and countermeasures using decentralized information sharing.
Use of epidemic algorithms to share attack information and achieve quasi-global knowledge about attack behaviors.
◦ [2] Guangsen Zhang and Manish Parashar, "Cooperative detection and protection against network attacks using decentralized information sharing", Cluster Computing, Volume 13, Number 1, Pages 67-86, 2010.

7 Decentralized Information Sharing
The mechanism should be easy to deploy, robust, and highly resilient to failures.
Gossip-based mechanisms provide potentially effective solutions that meet these requirements.
Consider dissemination of information in a network to be similar to the spread of a rumor, or of an infectious disease, in a society.

8 Decentralized Information Sharing
If all the nodes in this distributed framework have common knowledge about the network attack behaviors, then network attacks can be perfectly detected.
However, achieving common knowledge requires completely synchronized and reliable communication, which is not feasible in a practical distributed system.

9 Decentralized Information Sharing
In a distributed, decentralized attack detection system, each detection node has only a partial view of the system.
Using an asynchronous, resilient communication mechanism to share local knowledge, the system can achieve quasi-global knowledge.
With this knowledge, every detection node can acquire sufficient information about attacks, and as a result the attacks can be detected effectively.

10 Decentralized Information Sharing
◦ AS level
◦ Overlay network
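The following simulation is an added example, not code from the presentation or from the cited paper [2]. It shows the quasi-global knowledge argument of slides 7 to 10 in working form: detection nodes on a constructed ring-plus-shortcuts overlay each know only their own peer list, one node learns an attack profile, and push-style gossip spreads it round by round. Nodes in the `failed` set are assumed unreachable; a BFS over live nodes gives the ground truth the gossip result is compared against. The overlay shape, node counts and the `fanout` parameter are all assumptions made for the example.

```python
import random
from collections import defaultdict, deque


def build_overlay(n, extra_links, seed=0):
    """Constructed overlay of n detection nodes: a ring plus `extra_links`
    random shortcut links. Each node only knows its own peer set, i.e. a
    partial view of the system, which is all a gossip protocol needs."""
    rng = random.Random(seed)
    peers = defaultdict(set)
    for i in range(n):
        j = (i + 1) % n
        peers[i].add(j)
        peers[j].add(i)
    for _ in range(extra_links):
        a, b = rng.sample(range(n), 2)
        peers[a].add(b)
        peers[b].add(a)
    return peers


def gossip_rounds(peers, origin, fanout=2, failed=frozenset(), max_rounds=100, seed=0):
    """Push-style epidemic dissemination of one attack profile.

    Each round, every node that holds the profile forwards it to up to
    `fanout` randomly chosen live peers; nodes in `failed` neither receive
    nor forward. The loop stops after a round that informs nobody new.
    Returns (rounds_run, set_of_informed_nodes)."""
    rng = random.Random(seed)
    informed = {origin}
    rounds = 0
    while rounds < max_rounds:
        rounds += 1
        new = set()
        for node in informed:
            live = sorted(p for p in peers[node] if p not in failed)
            for p in rng.sample(live, min(fanout, len(live))):
                if p not in informed:
                    new.add(p)
        if not new:
            break
        informed |= new
    return rounds, informed


def reachable(peers, origin, failed=frozenset()):
    """Ground truth: every node connected to origin through live nodes."""
    seen, queue = {origin}, deque([origin])
    while queue:
        node = queue.popleft()
        for p in peers[node]:
            if p not in failed and p not in seen:
                seen.add(p)
                queue.append(p)
    return seen


def coverage(peers, informed, failed=frozenset()):
    """Fraction of live nodes that ended up holding the profile."""
    live = set(peers) - set(failed)
    return len(informed & live) / len(live)


if __name__ == "__main__":
    net = build_overlay(40, 20)
    for failed in (frozenset(), frozenset({5, 17, 23, 31})):
        r, got = gossip_rounds(net, origin=0, fanout=2, failed=failed)
        print(f"failed={sorted(failed)} rounds={r} "
              f"coverage={coverage(net, got, failed):.2f} "
              f"matches_reachable={got == reachable(net, 0, failed)}")
```

Two things worth noticing when running it: no node ever needs a global membership list, and removing a handful of nodes still leaves every live node that is connected to the origin informed, which is the resilience property the slides ask for. Stopping after one quiet round is a simplification; with small `fanout` a quiet round can occur before full coverage, so real deployments run a fixed number of rounds instead. With `fanout` at least the maximum degree the protocol degenerates into deterministic flooding and the round count equals the origin's eccentricity plus one.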

11 Unknown worm behavioral detection
Detecting unknown worm activity in individual computers while minimizing the required set of features collected from the monitored computer.
While all the worms are different, we wanted to find common characteristics by the presence of which it would be possible to detect an unknown worm.
◦ [3] R. Moskovitch, Y. Elovici, and L. Rokach, "Detection of unknown computer worms based on behavioral classification of the host", Computational Statistics & Data Analysis, Volume 52, Issue 9, Pages 4544-4566, May 2008.

12 Worm origin identification
Present the design of a Network Forensic Alliance (NFA), to allow multiple administrative domains (ADs) to jointly locate the origin of epidemic spreading attacks.
Can find the origin and the initial propagation paths of a worm attack, either within an intranet or on the Internet as a whole, by performing post-mortem analysis on the traffic records logged by the networks.
◦ [5] Yinglian Xie, Sekar V., Reiter M.K. and Hui Zhang, "Forensic Analysis for Epidemic Attacks in Federated Networks", Proceedings of the 2006 14th IEEE International Conference on Network Protocols, November 2006.
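As an added example of the post-mortem analysis described on slide 12 (example code, not the NFA design from [5] nor anything from the presentation), the block below merges constructed flow records from two administrative domains into one timeline and then applies a simplified, deterministic causality rule: an infected host that sent to another infected host before anyone infected sent to it is an origin candidate, and replaying the timeline from that origin yields the initial propagation tree. The log format, the host names, the timestamps and the set of confirmed-infected hosts are all constructed for the example.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "t src dst ad")

# Constructed traffic records contributed by two administrative domains.
# One line per flow: <logging AD> <timestamp> <source host> <destination host>
SAMPLE_LOG = """
# AD1 records
AD1 100 a2 a3
AD1 105 a1 a2
AD1 110 a3 b1
AD1 120 a2 b2
# AD2 records
AD2 112 b2 a1
AD2 125 b1 b2
AD2 130 b2 a1
"""

# Hosts the behavioural detectors later confirmed as infected (constructed).
INFECTED = frozenset({"a2", "a3", "b1", "b2"})


def parse_flows(lines):
    """Parse the per-AD records and merge them into a single time-ordered list."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ad, t, src, dst = line.split()
        flows.append(Flow(int(t), src, dst, ad))
    return sorted(flows)


def find_origins(flows, infected):
    """Origin candidates: infected hosts whose first flow towards another
    infected host predates every flow they received from an infected host,
    so nobody in the merged logs could have infected them first."""
    first_out, first_in = {}, {}
    for f in flows:  # time-ordered, so the first sighting is the earliest
        if f.src in infected and f.dst in infected:
            first_out.setdefault(f.src, f.t)
            first_in.setdefault(f.dst, f.t)
    return sorted(h for h in infected
                  if h in first_out
                  and first_in.get(h, float("inf")) > first_out[h])


def propagation_tree(flows, infected, origin):
    """Replay the merged timeline from the origin. The first flow from an
    already-infected host to a confirmed-infected host that is not yet
    infected is taken as the infecting contact.
    Returns [(infector, victim, time), ...] in infection order."""
    infected_at = {origin: float("-inf")}
    edges = []
    for f in flows:
        if f.src in infected_at and f.dst in infected and f.dst not in infected_at:
            infected_at[f.dst] = f.t
            edges.append((f.src, f.dst, f.t))
    return edges


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG.splitlines())
    origins = find_origins(flows, INFECTED)
    print("origin candidates:", origins)
    for o in origins:
        for infector, victim, t in propagation_tree(flows, INFECTED, o):
            print(f"  t={t}: {infector} -> {victim}")
```

The benign flows from `a1` and to `a1` are there on purpose: because `a1` is not in the confirmed-infected set they are ignored, which is what keeps `a2` from being mistaken for a secondary victim. The rule is only as good as the records behind it: if an AD withholds its logs, or a host was infected before the logged window, that host shows up as a spurious origin. The cited paper addresses this uncertainty statistically; this example does not.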

13 Problem Description

14 Problem Description
◦ Attacker attributes
◦ Defender attributes
◦ Attack-defense scenarios

15 Attacker attributes
Objective
◦ Use worms to get a clearer map of network topology information or vulnerabilities, and eventually compromise core nodes.
Budget
◦ Node compromising
◦ Worm injection

16 Attacker attributes
Attack mechanisms
◦ Node compromising
  - Next hop selection criteria:
    - Link degree: high link degree (information seeking)
    - Link utilization: low link utilization (stealth strategy)
◦ Worm injection
  - Candidate selection criteria:
    - Link traffic: high link traffic (high rate worm injection); low link traffic (low rate worm injection)

17 Defender attributes
Objective
◦ Protect core nodes
Budget
◦ General defense resources (e.g. firewall, IDS)
◦ Worm profile distribution mechanisms
◦ Worm source identification methods

18 Defender attributes
Defense mechanisms
◦ Node protection
◦ Unknown worm detection & profile distribution
◦ Worm origin identification

19-29 Scenarios (figure slides; only the legend and labels survive)
Legend: Firewall, AS node, Core AS node, Type1 worm, Type2 worm; AS nodes A to J; attackers A and B.
Sequence shown across the slides:
◦ 19: initial topology, profile generation
◦ 20: attackers A and B, node compromise
◦ 21: worm injection
◦ 22: worm propagation
◦ 23: profile generation
◦ 24: node compromise
◦ 25: detect unknown worm behavior, profile distribution, worm origin identification
◦ 26: worm injection
◦ 27: worm propagation
◦ 28: detect unknown worm behavior, profile distribution, worm origin identification
◦ 29: profile generation

30 Thanks for listening

