
Analyses on Distribution of Malicious Packets and Threats over the Internet

August 27-31, 2007, APAN Network Research Workshop. Masaki Ishiguro *1), Shigeki Goto *2), Hironobu Suzuki *2), Ichiro Murase *1). *1) Mitsubishi Research Institute, Inc. *2) Waseda University.





Presentation Transcript


  1. Analyses on Distribution of Malicious Packets and Threats over the Internet. August 27-31, 2007, APAN Network Research Workshop. Masaki Ishiguro *1), Shigeki Goto *2), Hironobu Suzuki *2), Ichiro Murase *1). *1) Mitsubishi Research Institute, Inc. *2) Waseda University

  2. Outline
     • Introduction
       • Goal and Motivations
       • Background history
       • System overview
     • A Threat evaluation method
       • Evaluation approach
       • Calculation method
     • Experiment Results
       • MS SQL Incident
       • Windows File share Incident
     • Conclusion and Future work

  3. Our Goal and Motivations
     • Several Internet monitoring systems are deployed.
     • Find “new” threats without human intervention
     • Threats occur at any time; the system never sleeps, running 24 hours a day, 7 days a week
     • Find threats in a huge amount of data
     • Access the report at any time from anywhere: http://www.wclscan.org

  4. Background History
     • 1999: CLSCAN
       • “pretty print” tool for the syslog of my router
     • 2001/2: the WCLSCAN concept appeared
       • In the paper “Internet security analysis using packet filter log”, SEA Software Symposium 2001
       • Before the Internet Storm Center (2001/3)
     • 2002: the WCLSCAN project was started
       • Wide-area version of CLSCAN
     • 2003: the early version of WCLSCAN
       • A “threat calculation using Bayesian estimation” unit was added to WCLSCAN
     • 2004/4: alerts and information provided with 4 sensor boxes
     • 2005/9: official site WWW.WCLSCAN.ORG
     • 2007: Threat Evaluation Methods (today’s topic)

  5. Our Internet Monitoring System
     (figure: sensors send encrypted data over the Internet to the WCLSCAN Data Server (Log DB, SQL); the server runs time-series access frequency, malicious packet, graph analysis and threat evaluation components and outputs threat levels and graphs)
     Sample sensor records (sensor, month, day, time, port/protocol):
     mn128,may,13,05:40:11,111/tcp
     mn128,may,13,10:12:55,111/tcp
     mn128,may,13,10:13:04,111/tcp
     mn128,may,13,12:35:05,111/tcp
     mn128,may,13,12:35:05,111/tcp
     mn128,may,13,20:25:27,111/tcp
     mn128,may,13,20:25:27,111/tcp
     mn128,may,13,20:25:30,111/tcp

  6. Monitored Data (figure: per-port traffic graphs, e.g. ftp and dns)

  7. Related Work (table: rows are Macro-Analysis (population-based) and Micro-Analysis (behavior-based); columns are Spatial Features Analysis and Temporal Features Analysis)
     • Macro-Analysis, spatial features: Bayesian Estimation [1], Port Correlations, Source Entropy [2], Destination Entropy
     • Macro-Analysis, temporal features: Wavelet Analysis, Frequency deviation score, Auto-Correlation Analysis, Infection Rate Estimation by Kalman Filter [3]
     • Micro-Analysis, spatial features: Graph Analysis, Frequent Port and IP Extraction
     • Micro-Analysis, temporal features: Anomaly Component analysis, Destination port sequence mining

  8. Evolution of Threat Evaluation Approach
     • Statistical analysis of malicious packet counts
     • Unique source IP addresses (infected hosts)
     • Analysis of graph structure
     • Consideration of the vulnerability of destination ports as well as the increase of unique source addresses

  9. Example of distribution of source IP addresses (figure: scatter plots of source-address octets, octet 1 vs. octet 2, octet 2 vs. octet 3 and octet 3 vs. octet 4)

  10. Relation between Threats and Vulnerability
     • Relationship 1: The vulnerability of a destination port is higher if it receives packets from many different source addresses with higher threat levels.
     • Relationship 2: The threat level of a source address is high if it sends more packets to vulnerable destination ports.
     (figure: bipartite access graph from source IP addresses (threats) to destination ports (vulnerability), where a destination is a sensor IP × port; sensor IP addresses xxx.xxx.xxx.220 and xxx.xxx.xxx.225)

  11. Threat Calculation Method
     • Threat Vector (source)
     • Vulnerability Vector (dest.)
     • W: weight matrix
     • Relationship 1 and Relationship 2 give the Eigenvalue Equations (slide shows the equations)
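As an added example, not code from the slides or from the WCLSCAN project, the two relationships of slide 10 solved as the eigenvalue system of slide 11 by HITS-style power iteration; it assumes edge weights equal to packet counts (the slides leave edge weighting as future work) and a constructed log in a hypothetical "src_ip,sensor,port/proto" form.

```python
"""Added example (not from the slides): slide-10 relationships as the
slide-11 eigenvalue system, solved by power iteration.
  v = W^T t  (Relationship 1: vulnerability of a destination)
  t = W v    (Relationship 2: threat level of a source)
Assumption: W[src][dst] = packets src sent to dst (sensor, port).
The log below is constructed, in a hypothetical src,sensor,port form."""
import math
from collections import defaultdict

CONSTRUCTED_LOG = """\
10.0.0.1,mn128,1433/tcp
10.0.0.1,mn129,1433/tcp
10.0.0.2,mn128,1433/tcp
10.0.0.2,mn129,1433/tcp
10.0.0.3,mn128,1433/tcp
10.0.0.3,mn128,1433/tcp
10.0.0.3,mn128,1433/tcp
10.0.0.4,mn128,111/tcp
"""

def build_weights(log_text):
    """Access graph as {src: {(sensor, port): packet_count}}."""
    w = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if line.strip():
            src, sensor, port = line.split(",")
            w[src][(sensor, port)] += 1
    return w

def _unit(vec):
    """L2-normalise so the iteration converges to an eigenvector."""
    norm = math.sqrt(sum(x * x for x in vec.values())) or 1.0
    return {k: x / norm for k, x in vec.items()}

def threat_and_vulnerability(w, iterations=50):
    """Returns (threat per source, vulnerability per destination);
    these converge to principal eigenvectors of W W^T and W^T W."""
    dsts = {d for edges in w.values() for d in edges}
    t = {s: 1.0 for s in w}
    for _ in range(iterations):
        v = {d: 0.0 for d in dsts}
        for s, edges in w.items():            # Relationship 1: v = W^T t
            for d, cnt in edges.items():
                v[d] += cnt * t[s]
        v = _unit(v)
        t = _unit({s: sum(cnt * v[d] for d, cnt in e.items())  # Relationship 2
                   for s, e in w.items()})
    return t, v

def ranked(vec):
    """Keys ordered from highest to lowest score."""
    return sorted(vec, key=vec.__getitem__, reverse=True)
```

Here 10.0.0.3 (three packets to the most-targeted port) ranks first by threat and (mn128, 1433/tcp) first by vulnerability, while the isolated 10.0.0.4 scan of port 111 decays toward zero.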

  12. Experiment 1: Port 1433 Incident (MS SQL) • 2005/7 (figure: time-series of threat level vs. malicious packet count)

  13. Experiment 2: Port 139 Incident (File Share) • 2005/6 (figure: time-series of threat level vs. malicious packet count)

  14. Conclusion and Future Works
     • We proposed a new threat evaluation method based on the structure of the access graph, which is quite different from traditional methods based on the number of malicious packets.
     • We demonstrated examples in which our method responds better than the number of malicious packets.
     Future Works:
     • Optimization of the edge weights of the access graph
     • Optimization of the unit time of our graph analysis
     • Evaluation of the strengths and weaknesses of our method depending on the type of incident

  15. WCLSCAN OFFICIAL SITE WWW.WCLSCAN.ORG
