An Analysis on Distribution of Malicious Packets and Threats over the Internet
Masaki Ishiguro, Mitsubishi Research Institute, 3-6 Otemachi 2-Chome, Chiyoda-ku, Tokyo, Japan
Shigeki Goto, Waseda University, Okubo, Shinjuku-ku, Tokyo, Japan
Ichiro Murase, Mitsubishi Research Institute, 3-6 Otemachi 2-Chome, Chiyoda-ku, Tokyo, Japan
Hironobu Suzuki, Waseda University, Okubo, Shinjuku-ku, Tokyo, Japan

ABSTRACT
Internet worms pose great threats to computer systems connected to the Internet. Malicious packets sent by Internet worms or port-scan activities can be captured by monitoring ports at IP addresses where no network service is provided. We present an analysis of the distribution of malicious packets over the Internet and an evaluation of Internet threats. Several methods have been proposed for detecting threats over the Internet based on monitoring malicious packets. Most of these methods apply statistical methods to time-series frequencies of malicious packets. We propose a method for evaluating threats on the Internet based on the graph defined by the sources and destinations of monitored malicious packets. In order to evaluate threats, we formulate two relationships between the threat of worms and the vulnerability of ports of network services, and apply an eigenvalue problem to derive threat levels of network ports. We applied our method to working examples monitored during periods of worm outbreaks to show the effectiveness of our method.

Categories and Subject Descriptors
C.2.3 [Computer-Communication Networks]: Network Operations, Network Monitoring

General Terms
Measurement

Keywords
Internet Monitoring, Computer Worms, Internet Threat, Malicious Packets

1. INTRODUCTION
In recent years, threats caused by Internet worms have been increasing. Malicious packets sent by activities such as Internet worm infections, DDoS attacks, or port scans can be monitored on the Internet.
Internet monitoring systems monitor these malicious packets to detect threats over the Internet. While Intrusion Detection Systems (IDS) monitor within the local network to detect intrusions or misuse, Internet monitoring systems monitor several IP addresses outside the local network in the Internet. Several threat detection methods have been proposed, based either on statistical methods applied to time-series frequencies of malicious packets or on the extraction of characteristic access patterns. In this paper, we present an analysis of the distribution of source addresses of malicious packets and then present a threat evaluation method based on the spatial structure of the graph formed by the sources and destinations of monitored packets in the Internet. In order to quantify the level of threat in the Internet, we apply an eigenvalue problem to the graph of malicious packets, based on Google's PageRank method [7]. The remainder of this paper is organized as follows: We describe related work in Section 2. Then we present the Internet monitoring system in Section 3. In Section 4, we present an analysis of the distribution of malicious packets. Then we propose a threat evaluation method and present experimental results in Sections 5 and 6. Finally we summarize our results and future work in Section 7.

2. RELATED WORK
Internet monitoring systems for threat detection are classified into two categories: the first monitors every packet without making any response, which is called passive monitoring, while the other monitors packets and sends back some response packets, to some extent, in order to observe the actions of senders, which is called active monitoring. The former includes the CAIDA telescope [6], the Internet Storm Center [11], the Internet Motion Sensor [14], ISDAS of JPCERT/CC [4], WCLSCAN [3], and DShield [1]. The latter includes the work by Princeton University [8] and the honeypots [9] of the Honeynet Project.
Most threat detection methods are based on statistical analysis of time-series frequencies of monitored packets for individual network ports. Thottan proposed an auto-regression model method which computationally learns and predicts changes of time-series frequencies of packets and applies a statistical test to detect threats in the Internet [13]. Ishiguro proposed a detection method based on Bayesian estimation of the deviation between time-series frequencies and their trends [3]. Zou proposed a method for detecting the evolution of Internet worm activities based on a virus infection model from epidemics and a Kalman filter [15]. Telecom-ISAC/Japan is working on extracting characteristic access patterns based on the correlation of source and destination information of monitored packets. In the area of active monitoring, there is work evaluating the likelihood of Internet worm infection by monitoring the failure or success of TCP connections [12]. Kompella proposed using the number of differences between monitored FIN packets and SYN packets [5]. All of them focus on the number of packets monitored instead of the structure of the graph formed by monitored packets. This paper proposes a new method which takes the structure of the graph into account.

3. INTERNET MONITORING SYSTEM
Our threat evaluation method uses packet information such as access time, packet source, and packet destination monitored by a passive Internet monitoring system. We define packets monitored at IP addresses where no network service is given to be malicious packets, because no legitimate packet would come to such an IP address for normal network services. These malicious packets include worm infection activities, DDoS backscatter, port scans, etc. The data to be analyzed by our threat evaluation method are summarized in Table 1.

Table 1: Monitoring data
  Packet access time (date, time)
  Protocol type (TCP, UDP, ICMP)
  Source IP address
  Source port number
  Destination IP address
  Destination port number
Figure 1 shows the structure of our Internet monitoring system.

Figure 1: Internet monitoring system (diagram: malicious port accesses from the Internet reach the sensors; encrypted data go to the log data server; the threat detector/visualizer reads from it)

The system consists of multiple sensors, a log data server, and a threat detector/visualizer. Sensors are deployed at several IP addresses and capture arriving packets. Information on packets captured at the sensors is transferred to the log data server via a secure channel. The threat detector/visualizer analyzes the monitored packet data and detects threats in the Internet.

4. DISTRIBUTION OF MALICIOUS PACKETS
There are several types of infection strategies of Internet worms. Rajab showed that local-preference infection strategies, which scan local IP addresses (i.e. the /16 network) with higher probability, are more efficient than uniform-random IP address scanning strategies [10]. We present an analysis of the distribution of source IP addresses of malicious packets to capture the characteristics of worm infection activities.

4.1 Distance Distribution of Source Addresses
We measured the ratio of packets for every distance between sources and destinations. Figure 2 shows the complementary distribution of packets for each type of protocol for data from April 2005. The vertical axis shows the ratio of packets and the horizontal axis shows the distance between source and destination IP address in bits. The distance is calculated as the number of consecutive upper bits on which the source and destination addresses are the same. The longer the run of identical upper bits between source and destination addresses, the closer the source from which the packet was sent.

Figure 2: Packet ratio by bit distance (protocols); axes: ratio of packets vs. IP address distance in bits; plots: TCP, UDP, ICMP, No DoS Backscatter, Random

The plots labeled TCP, UDP, and ICMP are the complementary distributions for the packets of each protocol.
No DoS Backscatter is the complementary distribution of packets whose source ports are not well-known ports. Packets from well-known ports are considered to be backscatter of DoS attacks, since they are usually monitored when responses to DoS attack packets that were sent to well-known services with spoofed source IP addresses are returned. The plot labeled Random is
a theoretical complementary distribution for packets which are sent uniform-randomly from every source address. The plots of TCP, UDP, and ICMP show that the complementary distributions of source addresses are biased toward close distances between sources and destinations, since the plots are positioned higher than Random. This means the sources of monitored packets are biased toward close distance compared with the uniform-random distribution. We observed the same tendency for data of other periods. We investigated the tendency of these three types of distribution for various periods and sensors and found that the distributions are stable throughout the different periods for each sensor and differ from sensor to sensor (see Figures 5 and 6). An increase in the number of source addresses of monitored packets may indicate the spreading of worms. Therefore we may be able to evaluate a threat by calculating the increase in the distribution of source addresses, using for example information entropy. We extend this idea to the distribution of destination addresses as well as source addresses to evaluate threats in the Internet in the following section. Figure 3 shows the complementary distributions for each type of destination port for the same period of data as before. The plot labeled Random is the same as before. The other three plots show the complementary distributions for destination ports 135/TCP, 445/TCP, and 1433/TCP. This graph also shows that the sources of these packets are biased toward close distance compared with the uniform-random distribution.

Figure 3: Packet ratio by bit distance (ports); axes: ratio of packets vs. IP address distance in bits; plots: port 135/TCP, port 445/TCP, port 1433/TCP, Random

Figure 4: Distribution in 1st, 2nd octet space (axes: octet 1, octet 2; Sensor 2 marked)

The bias of the distribution can be explained by the local-preference infection strategies of worms such as CodeRed, Nimda, and Sasser, as explained in [2].
4.2 Spatial Distribution of Source Addresses
We present the spatial distribution of source addresses of malicious packets in Figures 4 to 6 for one month of data, April 2006. In order to capture the spatial distribution of source addresses, we select two octets of the IP address for each graph, i.e. {1st octet, 2nd octet}, {2nd octet, 3rd octet}, and {3rd octet, 4th octet} for Figures 4 to 6 respectively. Then we map the number of packets to the position in the two-dimensional space determined by the two selected octets and represent it by gray-scale density. Figures 4 to 6 represent respectively the overall Internet space, the /8 network space, and the /16 network space which contains a target sensor. Each dot in Figures 4 to 6 represents respectively a /16 network, a /24 network, and a single IP address. We use only TCP packets since the source addresses of TCP packets are usually not spoofed.

Figure 5: Distribution in 2nd, 3rd octet space (axes: octet 2, octet 3; Sensor 2 marked)
Figure 6: Distribution in 3rd, 4th octet space (axes: octet 3, octet 4; Sensor 2 marked)

Figure 7: Time-series access frequencies by ports (count per hour from 5/19 to 5/23; plots for the top five destination ports, among them 1433, 21 and 80)

5. THREAT EVALUATION
We present a threat evaluation method which takes advantage of the structure of the graph of monitored packets. First we compare the traditional method for threat detection with our graph method, and then we describe the way to calculate threat in the Internet.

5.1 Relation between Threats and Vulnerabilities
In this paper, we consider an Internet worm which is highly contagious to be a threat in the Internet. Highly contagious worms effectively search for hosts with vulnerable ports, and this kind of vulnerable host exists in greater numbers than other kinds in the Internet. We propose a method for evaluating the threat that a port of a host is exposed to in the Internet by those contagious worms. Most malicious packets monitored by an Internet monitoring system are those from worms. We evaluate threats in the Internet based on the access graph formed by the sources and destinations of malicious packets. Traditional threat detection systems are based on time-series frequencies of malicious packets. Figure 7 shows time-series frequencies of monitored packets for each port (top five ports). The horizontal axis indicates time and the vertical axis indicates the frequency of packets (access frequency). Threat detection methods based on time-series frequencies of packets do not make use of the spatial structure of the access relations between sources and destinations of packets. Figure 8 shows the access graph formed by the source-destination relations of the same packet data.
The left-hand side of the graph indicates source IP addresses, which are renumbered for convenience, and the right-hand side of the graph indicates the destination ports of the packets.

Figure 8: Access graph between sources and destinations (left: source IP addresses (renumbered); right: destination port numbers)

The data in this example were obtained during the period when the SPIDA worm was active. As seen in Figure 8, there are many access packets from many source addresses to port 1433 (MS SQL), port 21 (ftp), and port 80 (http). In order to evaluate threat based on this access graph, we consider two kinds of relationship: one is that the more vulnerable a port is, the more access packets it receives from highly contagious worms. The other is that the more contagious a worm is, the more it accesses vulnerable ports. These relationships can be restated as follows:

Relationship 1: The vulnerability of a destination port is high if it gets accesses from many different source addresses with high threat level.

We can assume that the source IP addresses of most TCP accesses from worms are not spoofed, because a worm has to create a connection to the target host. Therefore, we use only TCP packets for the analysis.
Relationship 2: The threat level of a source address is high if it sends more packets to vulnerable destination ports.

We show how to evaluate threats in the Internet based on these relationships by using simple examples. Figure 9 shows the relationship between sources and destinations of monitored packets. Arrows from left to right indicate the existence of an access from a left node to a right node.

Figure 9: Relation between destination d and several sources (access sources s1, s2, s3 on the left, with edges to access destination d on the right)

Figure 10: Relation between source s4 and several destinations d (access source s4 on the left, with edges to access destinations d4, d5, d6 on the right)

First, we define the vulnerability of a destination based on Relationship 1. We assume all source nodes are assigned a tentative threat level. The vulnerability of the destination d in the figure is defined by a weighted sum of the threat of the source nodes connected by edges. The weight of edges is defined in Section 5.2. Next, in Figure 10, we define the threat level of a source based on Relationship 2. We assume destination nodes are assigned a tentative vulnerability. The threat of the source node s4 in the figure is defined by a weighted sum of the vulnerability of the destination nodes connected by edges, in the same way. In the former relationship, the threat levels of source nodes are assumed to be given in order to define the vulnerability of destination nodes. In the latter relationship, the vulnerability of destination nodes is assumed to be given in order to define the threat of source nodes. Starting from arbitrary initial values of threat and vulnerability and applying the above two relations alternately, the convergent values indicate the threats and vulnerabilities of the source and destination nodes.

5.2 Calculation Method
We apply the eigen equation method to the access graph described in the previous section in order to evaluate threats in the Internet. Figure 11 shows the access graph formed by the relationship between sources and destinations of monitored packets.
Source nodes represent IP addresses and destination nodes represent port numbers. Arrows represent accesses from source to destination of monitored packets. Monitored packets come from outside, the Internet, to the sensors.

Figure 11: A graph of malicious packets (sources in the Internet on the left, destinations on the sensors on the right)

Since the sets of source and destination nodes do not overlap, the access graph is a bipartite graph. We define a vector t to be the tuple of threat levels of source nodes i, and a vector v to be the tuple of threat levels of destination nodes, as follows:

$t = (t_1, t_2, \ldots, t_n)$   (1)

$v = (v_1, v_2, \ldots, v_m)$   (2)

We call t the source threat vector and v the destination threat vector. First, the threat level $v_j$ of destination j is defined as a weighted sum of the threat levels $t_i$ of sources i, based on Relationship 1
in Section 5.1 (Equation 3):

$v_1 = c_1 (w_{1,1} t_1 + w_{2,1} t_2 + \cdots + w_{n,1} t_n)$
$\vdots$
$v_m = c_1 (w_{1,m} t_1 + w_{2,m} t_2 + \cdots + w_{n,m} t_n)$   (3)

The coefficient $c_1$ is fixed by solving an eigen equation, as described later. The weight $w_{i,j}$ is assigned to the edge connecting source i to destination j depending on how much an access from source i affects destination j. Since accesses from different sources suggest a more contagious worm than repeated accesses from the same source, we define $w_{i,j}$ as follows: we consider two consecutive observation terms, the former term and the latter term. If any access from source i to destination j exists in the latter term and no access exists in the former term, the weight is defined as 1. Otherwise the weight is defined as 0. Next, the threat level $t_i$ of source i is defined as a weighted sum of the threat levels $v_j$ of destinations j, based on Relationship 2 in Section 5.1 (Equation 4):

$t_1 = c_2 (w_{1,1} v_1 + w_{1,2} v_2 + \cdots + w_{1,m} v_m)$
$\vdots$
$t_n = c_2 (w_{n,1} v_1 + w_{n,2} v_2 + \cdots + w_{n,m} v_m)$   (4)

The coefficient $c_2$ is fixed by solving an eigen equation, as described later. Equation 3 defines the relationship to calculate the destination threat vector v from the source threat vector t. On the other hand, Equation 4 defines the relationship to calculate the source threat vector t from the destination threat vector v, in the inverse direction. Starting from arbitrary initial vectors v and t and applying the above two equations alternately, we obtain convergent threat vectors v and t. These convergent vectors can be calculated by solving an eigen equation. We define the access matrix W composed of the weights $w_{i,j}$ of the graph edges from source i to destination j in Equation 5:

$W = \begin{pmatrix} w_{1,1} & w_{1,2} & \cdots & w_{1,m} \\ w_{2,1} & w_{2,2} & \cdots & w_{2,m} \\ \vdots & \vdots & \ddots & \vdots \\ w_{n,1} & w_{n,2} & \cdots & w_{n,m} \end{pmatrix}$   (5)

Equations 3 and 4 are expressed using the access matrix W as follows:

$v = c_1 \, {}^{t}W \, t$   (6)

$t = c_2 \, W \, v$   (7)

where ${}^{t}W$ is the transpose of W; W is an $n \times m$ matrix and ${}^{t}W$ is $m \times n$. By transforming the above equations, we obtain the following eigenvalue equations:

$v = c_1 c_2 \, {}^{t}W W \, v$   (8)

$t = c_1 c_2 \, W \, {}^{t}W \, t$   (9)

Equation 8 shows that the destination threat vector v is an eigenvector of the square matrix ${}^{t}W W$ of size $m \times m$, with the eigenvalue corresponding to $c_1 c_2$. Equation 9 shows that the source threat vector t is an eigenvector of the square matrix $W \, {}^{t}W$ of size $n \times n$, with the eigenvalue corresponding to $c_1 c_2$. According to the Perron-Frobenius theorem, if every element of ${}^{t}W W$ and $W \, {}^{t}W$ is positive, all elements of the dominant eigenvector for the largest eigenvalue are positive. Therefore, in this case, the source and destination threat vectors can be obtained uniquely. In the Internet, since we can assume that a very small amount of random noise packets is monitored at all IP addresses, we can add a small quantity δ to all elements of the access matrix W. Therefore, all elements of the eigenvectors obtained by solving eigen equation 8 are positive.

6. EXPERIMENTS
We evaluate our method by applying it to working examples obtained by the Internet threat monitoring system. Since it is difficult to tell the threat in the Internet directly, we assume the periods when critical warnings were issued to be periods of high threat.

6.1 MS SQL Incident
The target data for evaluation were obtained in the period when JPCERT/CC Alert JPCERT-AT-6 was issued regarding the MS SQL vulnerability on port 1433. This incident occurred from July 9th to July 13th, 2005. We apply our method to these 5 days of monitored data 4 times, as described in Figure 12. We use a pair of 1-day data sets every time: one day for the former period and the other day for the latter period. Using the 2-day data every time, we can calculate the access matrix defined in Section 5.2. Table 2 shows the top ten list of port threats for each day. The port column gives the port number. The count column gives the number of accesses during the period. The threat column gives the threat level evaluated by our method. In Table 2, the threat level of the incident port (i.e. port 1433) increases as .32, .3, .233, .33 from July 10 to July 13.
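A worked implementation of the calculation in Section 5.2, applied the way Section 6.1 describes it (one day as the former term, the next day as the latter term), added here as an example; it is not the paper's code. It builds the access matrix W with the 1/0 new-source weights, adds the small δ, alternates Equations 6 and 7 until the vectors converge (which yields the dominant eigenvectors of W^T W and W W^T of Equations 8 and 9), and ranks ports by threat next to the plain access count. The two-day packet sample, the source labels s1..s9 and δ = 0.001 are constructed assumptions.

```python
import math
from collections import Counter

# Constructed two-day sample (not the paper's data): (source, destination port)
# for each TCP access.  Sources s1-s3 keep hammering port 445 on both days;
# on the latter day new sources s5-s9 appear, most of them probing 1433 and
# two of them also probing 135.
FORMER = [("s1", 445), ("s2", 445), ("s3", 445), ("s4", 1433)]
LATTER = (
    [("s1", 445)] * 10 + [("s2", 445)] * 10 + [("s3", 445)] * 10 + [("s5", 445)]
    + [("s4", 1433)] * 5
    + [("s6", 1433), ("s7", 1433), ("s8", 1433), ("s9", 1433)]
    + [("s6", 135), ("s7", 135)]
)


def build_access_matrix(former, latter, delta=1e-3):
    """Equation 5.  w[i][j] = 1 if source i accessed port j in the latter term
    but not in the former term, else 0; delta (an assumed small value) is added
    to every entry so that W^T W and W W^T are positive matrices, which is the
    Perron-Frobenius condition the paper relies on."""
    sources = sorted({s for s, _ in former} | {s for s, _ in latter})
    ports = sorted({p for _, p in former} | {p for _, p in latter})
    former_edges, latter_edges = set(former), set(latter)
    W = [[delta + (1.0 if (s, p) in latter_edges and (s, p) not in former_edges else 0.0)
          for p in ports] for s in sources]
    return W, sources, ports


def _unit(vec):
    norm = math.sqrt(sum(x * x for x in vec))
    return [x / norm for x in vec]


def _mat_vec(W, v):          # W v
    return [sum(w_ij * v_j for w_ij, v_j in zip(row, v)) for row in W]


def _mat_t_vec(W, t):        # W^T t
    return [sum(W[i][j] * t[i] for i in range(len(W))) for j in range(len(W[0]))]


def threat_vectors(W, iters=1000, tol=1e-12):
    """Alternate Equation 7 (t = c2 W v) and Equation 6 (v = c1 W^T t), with
    c1 and c2 chosen at each step so the vectors have unit length.  This is
    power iteration, so v converges to the dominant eigenvector of W^T W
    (Eq. 8) and t to that of W W^T (Eq. 9).  Returns (t, v, lam) where lam is
    the dominant eigenvalue of W^T W; the normalising product c1*c2 is 1/lam."""
    v = _unit([1.0] * len(W[0]))
    t = _unit([1.0] * len(W))
    for _ in range(iters):
        t = _unit(_mat_vec(W, v))
        v_next = _unit(_mat_t_vec(W, t))
        converged = max(abs(a - b) for a, b in zip(v, v_next)) < tol
        v = v_next
        if converged:
            break
    lam = math.sqrt(sum(x * x for x in _mat_t_vec(W, _mat_vec(W, v))))
    return t, v, lam


def evaluate(former, latter, delta=1e-3):
    """Threat level per port (the 'threat' column of Table 2) and per source,
    plus the ranking by threat next to the ranking by access count."""
    W, sources, ports = build_access_matrix(former, latter, delta)
    t, v, lam = threat_vectors(W)
    counts = Counter(p for _, p in latter)
    port_threat = dict(zip(ports, v))
    return {
        "port_threat": port_threat,
        "source_threat": dict(zip(sources, t)),
        "eigenvalue": lam,
        "rank_by_threat": sorted(ports, key=lambda p: -port_threat[p]),
        "rank_by_count": sorted(ports, key=lambda p: -counts[p]),
    }


if __name__ == "__main__":
    result = evaluate(FORMER, LATTER)
    counts = Counter(p for _, p in LATTER)
    print("port  count  threat")
    for port in result["rank_by_threat"]:
        print(f"{port:5d} {counts[port]:6d} {result['port_threat'][port]:7.3f}")
    print("rank by count :", result["rank_by_count"])
    print("rank by threat:", result["rank_by_threat"])
```

Port 445 has by far the highest count but only one new source, so it ranks last by threat, while 1433, probed by four new sources that also touch 135, ranks first; this is the count-versus-threat divergence the experiments in Section 6 report.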
Figure 12: Data usage for the experiment (data period: 1st to 5th day; the 1st to 4th evaluations use the 1st/2nd, 2nd/3rd, 3rd/4th and 4th/5th days as the former and latter halves)

Table 2: Top list of threat levels for the port 1433 incident (columns port, count, threat for each of July 10, July 11, July 12 and July 13)

The rank of port 1433 increases accordingly as 5th, 4th, 3rd, 2nd during this period. Figure 13 shows the time-series change of threat level for the top 5 ports. On July 13th, the threat level of port 1433 exceeds that of port 445, even though its access count is smaller than that of port 445. On the contrary, if we look at the count columns, the rank increases as 4th, 4th, 3rd, 3rd, which is slow compared with our threat level. In Table 2, port 2345 (Amitis.B backdoor) earlier in the period, port 9898 (Win32.Dabber.B worm) on July 12, and port 2745 (Agobot bot worm that uses the Bagle worm backdoor) on July 13 show high threat levels even though their access counts are small compared with other ports. This result cannot be derived by a threat detection method based on access count. From these experiments, we can say that our method responds well to the critical incident compared with the access count in the period of the incident outbreak.

Figure 13: Time-series threat levels for the port 1433 incident (threat index vs. date, 7/10 to 7/13; plots for ports 135, 1433, 445, 2745 and one more port)

6.2 Windows File Share Incident
The next data for the experiment were obtained in the period when IPA (Information Technology Promotion Agency, Japan) issued an alert on a Windows file share vulnerability on port 139. The period of this incident started on June 8, 2005 and ended on June 12. In this experiment, we applied our method in the same way as in the previous experiment, that is, for each 2-day data set. Table 3 shows the top ports with the highest threat levels.
In this experiment, the threat of the vulnerable port 139 increases as .29, .55, .8, .6 and its rank increases as 2th, 33th, 4th, 3rd. Figure 14 shows the time-series threat levels of the top 5 ports. This experiment also shows a relatively high increase in the threat of the vulnerable port compared with other ports.

7. CONCLUSION
We presented an analysis of the distribution of source addresses of malicious packets. An increase in the number of source addresses may indicate worm spreading, and we suggested that the change of distribution may be used for detecting threats.
Table 3: Top list of threat levels for the port 139 incident (columns port, count, threat for each of June 9, June 10, June 11 and June 12)

Figure 14: Time-series threat levels for the port 139 incident (threat index vs. date, 6/9 to 6/12; plots for ports 135, 445, 139 and two more ports)

Extending the concept of the distribution of source addresses of malicious packets, we proposed a threat evaluation method based on the graph formed by the relation between sources and destinations of monitored malicious packets. Traditional threat detection methods are based on time-series frequencies of packets. Our method differs from the traditional methods in that it makes use of the spatial structure of the graph to quantify the level of threats. We applied an eigenvalue problem to evaluate threats in the Internet. By applying our method to working examples observed by the Internet monitoring system, we showed that the threat level calculated by our method responds better to critical incidents than the frequencies of packets do. As future work, the strengths and weaknesses of our method for several types of incident should be clarified.

8. REFERENCES
[1] DShield.org. Distributed intrusion detection system.
[2] M. Ishiguro, M. Ito, Y. Toda, and H. Suzuki. Characteristics of malicious packets by port monitoring on the Internet (in Japanese). In Computer Security Symposium 2005, 2005.
[3] M. Ishiguro, H. Suzuki, I. Murase, and H. Ohno. Internet threat detection system using Bayesian estimation. In 16th Annual FIRST Conference on Computer Security Incident Handling, 2004.
[4] JPCERT/CC. Internet Scan Data Acquisition System (ISDAS).
[5] R. R. Kompella, S. Singh, and G. Varghese. On scalable attack detection in the network. In 4th ACM SIGCOMM Conference on Internet Measurement, pages 187-200, 2004.
[6] D. Moore, C. Shannon, G. M. Voelker, and S. Savage. Network telescopes: Technical report. Technical report, CAIDA, 2004.
[7] L. Page, S. Brin, R. Motwani, and T. Winograd. The PageRank citation ranking: Bringing order to the web.
Technical report, Stanford Digital Library Technologies Project, 1998.
[8] R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of Internet background radiation. In Proceedings of the ACM Internet Measurement Conference, 2004.
[9] The Honeynet Project. Tools for honeynets.
[10] M. A. Rajab, F. Monrose, and A. Terzis. On the effectiveness of distributed worm monitoring. In 14th USENIX Security Symposium, 2005.
[11] SANS Institute. Internet Storm Center.
[12] S. Schechter, J. Jung, and A. W. Berger. Fast detection of scanning worm infections. In 7th International Symposium on Recent Advances in Intrusion Detection, 2004.
[13] M. Thottan and C. Ji. Anomaly detection in IP networks. IEEE Transactions on Signal Processing, 51(8), August 2003.
[14] University of Michigan. Internet Motion Sensor (IMS).
[15] C. C. Zou, L. Gao, W. Gong, and D. Towsley. Monitoring and early warning for Internet worms. In the 10th ACM Conference on Computer and Communications Security, pages 190-199, 2003.
Network Monitoring On Large Networks Yao Chuan Han (TWCERT/CC) james@cert.org.tw 1 Introduction Related Studies Overview SNMP-based Monitoring Tools Packet-Sniffing Monitoring Tools Flow-based Monitoring
More informationDual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor
International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) International Journal of Engineering, Business and Enterprise
More informationNetwork TrafficBehaviorAnalysisby Decomposition into Control and Data Planes
Network TrafficBehaviorAnalysisby Decomposition into Control and Data Planes Basil AsSadhan, Hyong Kim, José M. F. Moura, Xiaohui Wang Carnegie Mellon University Electrical and Computer Engineering Department
More informationFirewalls and Intrusion Detection
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
More informationThe Evolution of Information Security at Wayne State University
The Evolution of Information Security at Wayne State University Nathan W. Labadie ab0781@wayne.edu Sr. Systems Security Specialist Wayne State University A Bit of Background Covers mid-2000 to present.
More informationSecond-generation (GenII) honeypots
Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they
More informationNSC 93-2213-E-110-045
NSC93-2213-E-110-045 2004 8 1 2005 731 94 830 Introduction 1 Nowadays the Internet has become an important part of people s daily life. People receive emails, surf the web sites, and chat with friends
More informationOne-way Traffic Monitoring with iatmon
One-way Traffic Monitoring with iatmon Nevil Brownlee CAIDA, UC San Diego, and The University of Auckland, New Zealand, nevil@auckland.ac.nz Abstract. During the last decade, unsolicited one-way Internet
More informationHow To Protect Your Network From Attack From A Hacker On A University Server
Network Security: A New Perspective NIKSUN Inc. Security: State of the Industry Case Study: Hacker University Questions Dave Supinski VP of Regional Sales Supinski@niksun.com Cell Phone 215-292-4473 www.niksun.com
More informationThis document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons
This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons Attribution-ShareAlike 4.0 International license. As a provider
More information1. Firewall Configuration
1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets
More informationCharacteristics of Network Traffic Flow Anomalies
Characteristics of Network Traffic Flow Anomalies Paul Barford and David Plonka I. INTRODUCTION One of the primary tasks of network administrators is monitoring routers and switches for anomalous traffic
More informationNetwork Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík
Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior
More informationDetecting UDP attacks using packet symmetry with only flow data
University of Twente Department of Electrical Engineering, Mathematics an Computer Science Chair for Design and Analysis of Communication Systems Detecting UDP attacks using packet symmetry with only flow
More informationDenial of Service attacks: analysis and countermeasures. Marek Ostaszewski
Denial of Service attacks: analysis and countermeasures Marek Ostaszewski DoS - Introduction Denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended
More informationSolution of Exercise Sheet 5
Foundations of Cybersecurity (Winter 15/16) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Protocols = {????} Client Server IP Address =???? IP Address =????
More informationIDS / IPS. James E. Thiel S.W.A.T.
IDS / IPS An introduction to intrusion detection and intrusion prevention systems James E. Thiel January 14, 2005 S.W.A.T. Drexel University Overview Intrusion Detection Purpose Types Detection Methods
More informationMalice Aforethought [D]DoS on Today's Internet
Malice Aforethought [D]DoS on Today's Internet Henry Duwe and Sam Mussmann http://bit.ly/cs538-ddos What is DoS? "A denial of service (DoS) attack aims to deny access by legitimate users to shared services
More informationInferring Internet Denial-of
Inferring Internet Denial-of of-service Activity Geoffrey M. Voelker University of California, San Diego Joint work with David Moore (CAIDA/UCSD) and Stefan Savage (UCSD) Simple Question We were interested
More informationStateful Firewalls. Hank and Foo
Stateful Firewalls Hank and Foo 1 Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation
More informationAggregating Distributed Sensor Data for Network Intrusion Detection
Aggregating Distributed Sensor Data for Network Intrusion Detection JOHN C. McEACHEN, CHENG KAH WAI, and VONDA L. OLSAVSKY Department of Electrical and Computer Engineering Naval Postgraduate School Monterey,
More informationA Case Study in Testing a Network Security Algorithm
A Case Study in Testing a Network Security Algorithm Dr. Carrie E. Gates CA Labs, CA Islandia, NY 11749 carrie.gates@ca.com ABSTRACT Several difficulties arise when testing network security algorithms.
More informationDDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR
Journal homepage: www.mjret.in DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Maharudra V. Phalke, Atul D. Khude,Ganesh T. Bodkhe, Sudam A. Chole Information Technology, PVPIT Bhavdhan Pune,India maharudra90@gmail.com,
More informationΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science
ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users
More informationEvolution of attacks and Intrusion Detection
Evolution of attacks and Intrusion Detection AFSecurity seminar 11 April 2012 By: Stian Jahr Agenda Introductions What is IDS What is IDS in mnemoic How attacks have changed by time and how has it changed
More informationAn Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks
2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh
More informationA Brief History of Scanning
A Brief History of Scanning Mark Allman ICSI Berkeley, CA, USA mallman@icir.org Vern Paxson ICSI & LBNL Berkeley, CA, USA vern@icir.org Jeff Terrell UNC-Chapel Hill Chapel Hill, NC, USA jsterrel@unc.edu
More informationEffective Worm Detection for Various Scan Techniques
Effective Worm Detection for Various Scan Techniques Jianhong Xia, Sarma Vangala, Jiang Wu and Lixin Gao Department of Electrical and Computer Engineering University of Massachusetts at Amherst Amherst,
More informationChapter 8 Security Pt 2
Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,
More informationKeywords Attack model, DDoS, Host Scan, Port Scan
Volume 4, Issue 6, June 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com DDOS Detection
More information6WRUP:DWFK. Policies for Dedicated IIS Web Servers Group. V2.1 policy module to restrict ALL network access
OKENA 71 Second Ave., 3 rd Floor Waltham, MA 02451 Phone 781 209 3200 Fax 781 209 3199 6WRUP:DWFK Policies for Dedicated IIS Web Servers Group The policies shipped with StormWatch address both application-specific
More informationInternet Management and Measurements Measurements
Internet Management and Measurements Measurements Ramin Sadre, Aiko Pras Design and Analysis of Communication Systems Group University of Twente, 2010 Measurements What is being measured? Why do you measure?
More informationInternet Worm Classification and Detection using Data Mining Techniques
IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661,p-ISSN: 2278-8727, Volume 17, Issue 3, Ver. 1 (May Jun. 2015), PP 76-81 www.iosrjournals.org Internet Worm Classification and Detection
More informationMonitoring and Analysis of Internet Traffic Targeting Unused Address Spaces
Monitoring and Analysis of Internet Traffic Targeting Unused Address Spaces by Ejaz Ahmed Bachelor of Science in Engineering (University of Eng. & Tech., Pakistan) 2000 Master of Information Science (University
More informationSeminar Computer Security
Seminar Computer Security DoS/DDoS attacks and botnets Hannes Korte Overview Introduction What is a Denial of Service attack? The distributed version The attacker's motivation Basics Bots and botnets Example
More informationTraffic Anomaly Detection and Characterization in the Tunisian National University Network
Traffic Anomaly Detection and Characterization in the Tunisian National University Network Khadija RAMAH 1, Hichem AYARI 2, Farouk KAMOUN 3 2,3 CRISTAL laboratory École Nationale des Sciences de l Informatique
More informationApplication Security Backgrounder
Essential Intrusion Prevention System (IPS) & DoS Protection Knowledge for IT Managers October 2006 North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International
More informationMalicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software
CEN 448 Security and Internet Protocols Chapter 19 Malicious Software Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa
More informationIntrusion Detection System Based Network Using SNORT Signatures And WINPCAP
Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of
More informationMulti-phase IRC Botnet and Botnet Behavior Detection Model
Multi-phase IRC otnet and otnet ehavior Detection Model Aymen Hasan Rashid Al Awadi Information Technology Research Development Center, University of Kufa, Najaf, Iraq School of Computer Sciences Universiti
More informationA Real-Time Network Traffic Based Worm Detection System for Enterprise Networks
A Real-Time Network Traffic Based Worm Detection System for Enterprise Networks Long-Quan Zhao 1, Seong-Chul Hong 1, Hong-Taek Ju 2 and James Won-Ki Hong 1 1 Dept. of Computer Science and Engineering,
More informationA TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS
ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, JUNE 2010, ISSUE: 02 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS S.Seetha 1 and P.Raviraj 2 Department of
More informationCONFIGURING TCP/IP ADDRESSING AND SECURITY
1 Chapter 11 CONFIGURING TCP/IP ADDRESSING AND SECURITY Chapter 11: CONFIGURING TCP/IP ADDRESSING AND SECURITY 2 OVERVIEW Understand IP addressing Manage IP subnetting and subnet masks Understand IP security
More informationJPCERT/CC Internet Threat Monitoring Report [October 1, 2014 - December 31, 2014]
JPCERT-IA-2015-01 Issued: 2015/01/27 JPCERT/CC Internet Threat Monitoring Report [October 1, 2014 - December 31, 2014] 1 Overview JPCERT/CC has placed multiple sensors across the Internet for monitoring
More informationCSE331: Introduction to Networks and Security. Lecture 15 Fall 2006
CSE331: Introduction to Networks and Security Lecture 15 Fall 2006 Worm Research Sources "Inside the Slammer Worm" Moore, Paxson, Savage, Shannon, Staniford, and Weaver "How to 0wn the Internet in Your
More informationRouting Worm: A Fast, Selective Attack Worm based on IP Address Information
Routing Worm: A Fast, Selective Attack Worm based on IP Address Information Cliff C. Zou, Don Towsley, Weibo Gong, Songlin Cai Department of Electrical & Computer Engineering Department of Computer Science
More informationA Critical Investigation of Botnet
Global Journal of Computer Science and Technology Network, Web & Security Volume 13 Issue 9 Version 1.0 Year 2013 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals
More informationExtending Black Domain Name List by Using Co-occurrence Relation between DNS queries
Extending Black Domain Name List by Using Co-occurrence Relation between DNS queries Kazumichi Sato 1 keisuke Ishibashi 1 Tsuyoshi Toyono 2 Nobuhisa Miyake 1 1 NTT Information Sharing Platform Laboratories,
More informationCSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls
CSE 4482 Computer Security Management: Assessment and Forensics Protection Mechanisms: Firewalls Instructor: N. Vlajic, Fall 2013 Required reading: Management of Information Security (MIS), by Whitman
More informationPlugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help
Plugging Network Security Holes using NetFlow Loopholes in todays network security solutions and how NetFlow can help About ManageEngine Network Servers & Applications Desktop ServiceDesk Windows Infrastructure
More informationFIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others
FIREWALLS FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN flooding: attacker
More informationSecurity vulnerabilities in the Internet and possible solutions
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
More information6WRUP:DWFK. Policies for Dedicated SQL Servers Group
OKENA 71 Second Ave., 3 rd Floor Waltham, MA 02451 Phone 781 209 3200 Fax 781 209 3199 6WRUP:DWFK Policies for Dedicated SQL Servers Group The sample policies shipped with StormWatch address both application-specific
More informationDDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT
DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad
More informationStochastic Protocol Modeling for Anomaly-Based Network Intrusion Detection
2003 IEEE International Workshop on Information Assurance March 24th, 2003 Darmstadt, Germany Stochastic Protocol Modeling for Anomaly-Based Network Intrusion Detection Juan M. Estévez-Tapiador (tapiador@ugr.es)
More informationHotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware
Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware Evan Cooke, Z. Morley Mao, Farnam Jahanian Department of Electrical Engineering and Computer Science University of Michigan {emcooke,
More informationSurvey on DDoS Attack Detection and Prevention in Cloud
Survey on DDoS Detection and Prevention in Cloud Patel Ankita Fenil Khatiwala Computer Department, Uka Tarsadia University, Bardoli, Surat, Gujrat Abstract: Cloud is becoming a dominant computing platform
More informationIntrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool
Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Mukta Garg Assistant Professor, Advanced Educational Institutions, Palwal Abstract Today s society
More informationThe Internet Motion Sensor: A Distributed Blackhole Monitoring System
The Internet Motion Sensor: A Distributed Blackhole Monitoring System Michael Bailey, * Evan Cooke, * Farnam Jahanian, * Jose Nazario, David Watson * * Electrical Engineering and Computer Science Department
More informationA Brief History of Scanning
A Brief History of Scanning Mark Allman, Vern Paxson, Jeff Terrell International Computer Science Institute, Lawrence Berkeley National Laboratory (LBNL), University of North Carolina at Chapel-Hill ABSTRACT
More informationSurvey on DDoS Attack in Cloud Environment
Available online at www.ijiere.com International Journal of Innovative and Emerging Research in Engineering e-issn: 2394-3343 p-issn: 2394-5494 Survey on DDoS in Cloud Environment Kirtesh Agrawal and Nikita
More informationOn Entropy in Network Traffic Anomaly Detection
On Entropy in Network Traffic Anomaly Detection Jayro Santiago-Paz, Deni Torres-Roman. Cinvestav, Campus Guadalajara, Mexico November 2015 Jayro Santiago-Paz, Deni Torres-Roman. 1/19 On Entropy in Network
More informationModule II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University
Module II. Internet Security Chapter 7 Intrusion Detection Web Security: Theory & Applications School of Software, Sun Yat-sen University Outline 7.1 Threats to Computer System 7.2 Process of Intrusions
More informationProtecting the Infrastructure: Symantec Web Gateway
Protecting the Infrastructure: Symantec Web Gateway 1 Why Symantec for Web Security? Flexibility and Choice Best in class hosted service, appliance, and virtual appliance (upcoming) deployment options
More information2010 Carnegie Mellon University. Malware and Malicious Traffic
Malware and Malicious Traffic What We Will Cover Introduction Your Network Fundamentals of networks, flow, and protocols Malicious traffic External Events & Trends Malware Networks in the Broad Working
More informationSHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper
SHARE THIS WHITEPAPER Top Selection Criteria for an Anti-DDoS Solution Whitepaper Table of Contents Top Selection Criteria for an Anti-DDoS Solution...3 DDoS Attack Coverage...3 Mitigation Technology...4
More informationA Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds
International Journal of Research Studies in Science, Engineering and Technology Volume 1, Issue 9, December 2014, PP 139-143 ISSN 2349-4751 (Print) & ISSN 2349-476X (Online) A Novel Distributed Denial
More informationAgenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka
Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques
More informationLiterature Review: Network Telescope Dashboard and Telescope Data Aggregation
Literature Review: Network Telescope Dashboard and Telescope Data Aggregation Samuel Oswald Hunter 20 June 2010 1 Introduction The purpose of this chapter is to convey to the reader a basic understanding
More informationA Hybrid Honeypot Architecture for Scalable Network Monitoring
A Hybrid Honeypot Architecture for Scalable Network Monitoring Michael Bailey, Evan Cooke, David Watson, Farnam Jahanian University of Michigan {mibailey, emcooke, dwatson, farnam}@eecs.umich.edu Niels
More informationComparison of Firewall, Intrusion Prevention and Antivirus Technologies
White Paper Comparison of Firewall, Intrusion Prevention and Antivirus Technologies How each protects the network Juan Pablo Pereira Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda
More information