Ch. 7 Malicious Software
Homework
- HW_Ch6, due on 3/11 (Wed): Review questions 6.2, 6.6, 6.7, 6.9; Problems 6.6, 6.7, 6.8
- HW_Ch7, due on 3/18 (Wed): Review questions 7.2, 7.3, 7.4, 7.5, 7.6; Problems 7.1, 7.2, 7.3, 7.6

Malware
- "Male-ware"? Partially true: malicious software exploits system vulnerabilities
- Program fragments that need a host program
  » e.g. viruses, logic bombs, and backdoors
- Independent, self-contained programs run by the OS
  » e.g. worms, bots
- Actively replicating or not
- A sophisticated threat to computer systems

Malware Terminology
- Backdoor (trapdoor): secret maintenance hooks; privileged/unauthorized access
- Logic bomb: embedded code with a trigger condition
- Trojan horse: hidden code that opens access or damages data; the trojaned compiler
- Mobile code: Java applet, ActiveX, JavaScript, VBScript
- Virus: executes to infect other code
- Worm: replicates itself to other hosts
- Exploits: code for a certain vulnerability
- Auto-rooter kit: used to break into other machines remotely
- Spammer and flooder programs
- Keyloggers, spyware, adware
- Rootkit: set of hacker tools to gain root-level access
- Zombie, bot: program activated to attack others
- Multiple-threat malware: combines several infection methods
  » Nimda: e-mail, Windows file shares, web servers, web clients
Viruses
- A piece of software that infects other programs, modifying them to include a copy of the virus so that it executes secretly when the host program is run
- Spread by contact: floppy, e-mail, share, web, etc.
- Specific to an operating system and hardware, taking advantage of their details and weaknesses
- A typical virus goes through four phases:
  » Dormant
  » Propagation: places a copy of itself into other programs
  » Triggering: activated by system events
  » Execution: benign or harmful

Virus Structure
- Components:
  » Infection mechanism: enables replication
  » Trigger: the event that makes the payload activate
  » Payload: what it does, malicious or benign
- Prepended / postpended / embedded into a program
- When the infected program is invoked, it executes the virus code, then the original program code
- We can block the initial infection or the propagation
  » Blocking the initial infection is difficult: the virus is unknown at first
- With access control on PCs, fewer virus bursts have been seen recently
Sample Virus Structure

    program V :=
    {goto main;
     ;
     subroutine infect-executable :=
       {loop:
        file := get-random-executable-file;
        if (first-line-of-file == ) then goto loop
        else prepend V to file;
       }
     subroutine do-damage :=
       {whatever damage is to be done}
     subroutine trigger-pulled :=
       {return true if some condition holds}
    main: main-program :=
       {infect-executable;
        if trigger-pulled then do-damage;
        goto next;}
    next:
    }

Compression Virus

    program CV :=
    {goto main;
     ;
     subroutine infect-executable :=
       {loop: file := get-random-executable-file;
        if (first-line-of-file = ) then goto loop;
        (1) compress file;
        (2) prepend CV to file;
       }
    main: main-program :=
       {if ask-permission then infect-executable;
        (3) uncompress rest-of-file;
        (4) run uncompressed file;}
    }
Virus Classification
- Classified by the target it infects and the method it uses to conceal itself
- Based on target:
  » Boot sector
  » File infector: OS or shell programs
  » Macro virus: files interpreted by an application
- Based on concealment:
  » Encrypted virus: encrypted with a random key
  » Stealth virus
  » Polymorphic virus: mutates at every infection
  » Metamorphic virus: mutates at every infection, rewriting itself completely each iteration; may change behavior

Macro Virus
- Became very common in the mid-1990s since it is platform independent, infects documents, and is easily spread
- Exploits the macro capability of office apps: an executable program embedded in an office document, often in a form of the macro language Basic
- New releases of office apps include protection
- Macro viruses are recognized by many anti-virus programs
- Run scripts in a sandbox to see what happens
- No longer the predominant threat
E-mail Viruses
- A more recent development, e.g. Melissa
  » Exploits an MS Word macro in an attached document
  » If the attachment is opened, the macro is activated
  » Sends e-mail to everyone on the user's address list and does local damage
- Then saw versions triggered by merely reading the e-mail, hence much faster propagation: in hours instead of months
- Much harder to fight

Virus Countermeasures
- Prevention: the ideal solution, but difficult (how do you stop the flu virus? There are over 200 known ones)
- Realistically we need:
  » Detection: detect and understand the virus
  » Identification: where it is in an infected program
  » Removal: restore files to their original state
- If we can detect but cannot identify or remove, we must discard and replace the infected program
Anti-Virus Evolution
- Virus and anti-virus technology have both evolved
- Early viruses were simple code, easily removed
- As viruses become more complex, so must the countermeasures
- Four generations:
  » First: specific signature scanners
  » Second: not specific signatures, but heuristics (fragments of code; integrity checks with secret keys)
  » Third: memory-resident programs that identify actions using activity traps (no need for signatures or code-fragment heuristics)
  » Fourth: combination packages (scanner, activity traps, access control)

Advanced Anti-virus: Generic Decryption
- Runs executable files through a GD scanner
- Since a polymorphic virus needs to decrypt itself, we can detect that event using:
  » a CPU emulator to interpret instructions (not a real run, so no real damage)
  » a virus scanner to check for known virus signatures
  » an emulation control module to manage the process
- Lets the virus decrypt itself in the interpreter while periodically scanning for virus signatures
- Issue: interpreting and scanning take time; tradeoff between chance of detection and time delay
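The first two anti-virus generations above can be shown side by side in a few lines. The following is an added example, not code from the lecture: a first-generation scanner that looks for fixed byte signatures, and a second-generation integrity checker that keeps an HMAC of each program under a secret key. The signature bytes, file names and the "infection" (prepending bytes to a scratch file) are constructed for the example; no real virus code is involved. The point it demonstrates is that a keyed checksum flags a modified program even when no signature matches it, which a plain hash could not do safely because a virus could simply recompute the hash.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed byte patterns standing in for the code fragments a
# first-generation scanner would look for (hypothetical values, not
# real virus signatures).
SIGNATURES = {
    "demo-marker-a": b"DEMO_VIRUS_MARKER_A",
    "demo-marker-b": b"\x90\x90\xcc\xcc\x90\x90",
}

ORIGINAL = b"original program bytes"  # constructed stand-in for a clean program


def scan_for_signatures(data: bytes) -> list:
    """First generation: report which known signatures occur in the data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def keyed_checksum(data: bytes, key: bytes) -> str:
    """Second generation: HMAC-SHA256 over the file contents. A virus that
    modifies the file cannot recompute a matching value without the key,
    unlike a plain hash, which it could simply update."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class IntegrityDatabase:
    """Baseline of keyed checksums recorded while the programs are known clean."""

    def __init__(self, key: bytes):
        self.key = key
        self.baseline = {}  # path -> hex digest

    def record(self, path: str) -> None:
        with open(path, "rb") as f:
            self.baseline[path] = keyed_checksum(f.read(), self.key)

    def check(self, path: str) -> dict:
        """Combine both generations: signature hits plus integrity status."""
        with open(path, "rb") as f:
            data = f.read()
        expected = self.baseline.get(path)
        current = keyed_checksum(data, self.key)
        return {
            "signatures": scan_for_signatures(data),
            "known": expected is not None,
            "modified": expected is not None
            and not hmac.compare_digest(expected, current),
        }


def write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Baseline a clean scratch file, then alter it twice: once by prepending
    a known marker, once by prepending bytes no signature covers."""
    db = IntegrityDatabase(os.urandom(32))
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "program.bin")
        write(path, ORIGINAL)
        db.record(path)
        clean = db.check(path)
        write(path, SIGNATURES["demo-marker-a"] + ORIGINAL)   # known marker prepended
        known = db.check(path)
        write(path, b"NOT_IN_ANY_SIGNATURE_LIST" + ORIGINAL)  # unknown code prepended
        unknown = db.check(path)
    return {"clean": clean, "known": known, "unknown": unknown}
```

The `unknown` result is the interesting one: the scanner returns no signature, yet `modified` is true, which is exactly the case the second generation was introduced for. The key must itself be stored where the checked programs cannot read it, otherwise the attacker can recompute the baseline.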
Digital Immune System
- Goal: fast response to viruses spread via (1) e-mail and (2) mobile programs
- Developed by IBM and refined by Symantec
- (1) find suspicious code; (2) send it to the analysis machine; (3) emulate it in a safe environment and generate a prescription P; (4), (5), and (6) distribute P; (7) send P to other subscribers to stop the spread

Behavior-Blocking Software
- Blocks malicious actions before they spread, in real time, without signatures or heuristics
- Monitors: attempts to modify files, disks, programs or system settings; scripting in e-mail/IM; initiating communications
Worms
- An actively replicating program that propagates over the network using e-mail, remote execution, or remote login
- Has phases like a virus: dormant, propagation, triggering, execution
- Differs in the propagation phase: searches for other systems, connects to one, copies itself to it and runs
- May disguise itself as a system process
- Concept seen in Brunner's "Shockwave Rider"; implemented by Xerox Palo Alto labs in the 1980s to search for idle systems on which to run programs

Morris Worm
- One of the best-known worms, released by Robert Morris in 1988
- Various attacks on UNIX systems:
  » Cracking the password file to use login/password pairs to log on to other systems
  » Exploiting a bug in the finger protocol
  » Exploiting a bug in sendmail
- If successful, it had remote shell access and sent a bootstrap program to copy the worm over
Worm Propagation Model
- Why phases? How should we deal with it?

Recent Worm Attacks
- Code Red, July 2001: exploited an MS IIS bug; probes random IP addresses; launches a DDoS attack; consumes significant network capacity when active; 360,000 servers in 14 hours
- Code Red II: variant that includes a backdoor
- SQL Slammer, Jan 2003: attacks MS SQL Server; compact and very rapid spread, in 10 minutes
- Mydoom: mass-mailing worm that appeared in 2004; installed a remote-access backdoor on infected systems; 1000 e-mails per minute, 100M infected messages in 36 hours
- Search worms: use DNS or Google to spread
- P2P-based worms: the Storm worm
- Worms for smartphones: MMS
Worm Technology
- Multiplatform: Windows, UNIX
- Multi-exploit: web servers, browsers, e-mail, file sharing, IM, and other network apps
- Ultrafast spreading: prepare a hit-list
- Polymorphic: each instance is generated on the fly
- Metamorphic: changes appearance and behavior patterns
- Transport vehicles for large-scale attacks
- Zero-day exploit: unknown before the worm is launched

Worm Countermeasures
- Overlap with anti-virus techniques: once a worm is on a system, A/V can detect it
- Worms also cause significant network activity
- No existing technique satisfies all requirements:
  » Generality: to various kinds of worms
  » Timeliness: to respond quickly
  » Resiliency: to evasion
  » Minimal denial-of-service cost: do not overload the protected system
  » Transparency: do not require changes to existing systems
  » Global and local coverage: deal with both external and internal spread
Worm Defense Approaches
- Signature-based worm scan filtering: generate a worm scanning signature (Autograph, Polygraph, Earlybird); slow to respond to polymorphic worms
- Filter-based worm containment: examine worm content signatures at hosts (Vigilante, Shield)
- Payload-classification-based worm containment: examine packets in the network, looking for control and data flow structure
- Threshold random walk scan detection: detects scanners quickly
- Rate limiting: limit the number of connections in a period; not effective against slow worms
- Rate halting: block outgoing traffic when it exceeds a threshold; a proper recovery scheme is needed

Host-based Proactive Worm Containment (PWC)
- The PWC agent at a host monitors outgoing scan activity and detects a surge: (1) issue an alert; (2) block outgoing connections; (3) alert the manager; (4) start relaxation analysis
- The PWC manager propagates the alert to other hosts
- Hosts act on an alert by blocking outgoing ports and starting relaxation analysis
- Relaxation analysis: check whether the number of outgoing connections in a window exceeds the threshold; if so, keep blocking until the number of connections in a window is below the threshold
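The PWC agent/manager loop and the relaxation analysis are simple enough to simulate end to end. The block below is an added example written for this page, not code from the PWC authors or from the lecture: it models one agent per host with a sliding window of outgoing connection timestamps, the four steps (alert, block, notify manager, relax), the manager fanning the alert out to the other hosts, and a constructed scenario in which one host behaves normally and another starts a fast scan. The window of 5 seconds and threshold of 10 connections are constructed parameters, as are the host and address names.

```python
from collections import deque


class PWCManager:
    """Receives alerts from agents and propagates them to every other host."""

    def __init__(self):
        self.agents = {}
        self.alerts = []  # (time, source host)

    def register(self, agent):
        self.agents[agent.name] = agent

    def alert(self, now, source):
        self.alerts.append((now, source))
        for name, agent in self.agents.items():
            if name != source:
                agent.receive_alert(now, source)


class PWCAgent:
    """Host agent: counts outgoing connection attempts in a sliding window,
    blocks when the count exceeds the threshold, alerts the manager, and runs
    relaxation analysis to lift the block once the rate is below threshold."""

    def __init__(self, name, window, threshold, manager):
        self.name = name
        self.window = window        # seconds
        self.threshold = threshold  # connections per window
        self.manager = manager
        self.events = deque()       # timestamps of recent attempts
        self.blocked = False
        self.log = []               # (time, action, detail)
        manager.register(self)

    def _prune(self, now):
        while self.events and now - self.events[0] > self.window:
            self.events.popleft()

    def outgoing_connection(self, now, dst):
        """Return True if the attempt is allowed, False if it is blocked.
        Attempts are counted even while blocked, so a host that keeps
        scanning keeps its block alive through relaxation analysis."""
        self._prune(now)
        self.events.append(now)
        if self.blocked:
            self.log.append((now, "dropped", dst))
            return False
        if len(self.events) > self.threshold:
            self.blocked = True  # (1) alert, (2) block outgoing, (3) tell manager
            self.log.append((now, "alert", "%d attempts in %.0fs" % (len(self.events), self.window)))
            self.manager.alert(now, self.name)
            return False
        return True

    def receive_alert(self, now, source):
        """Act on another host's alert: block and start relaxation analysis."""
        self.blocked = True
        self.log.append((now, "blocked-by-manager", source))

    def relax(self, now):
        """(4) Relaxation analysis: unblock when the count in the current
        window is below the threshold. Returns the blocked state afterwards."""
        self._prune(now)
        if self.blocked and len(self.events) < self.threshold:
            self.blocked = False
            self.log.append((now, "unblocked", ""))
        return self.blocked


def simulate():
    """Constructed scenario: host-a behaves normally, host-b starts a scan."""
    mgr = PWCManager()
    a = PWCAgent("host-a", window=5.0, threshold=10, manager=mgr)
    b = PWCAgent("host-b", window=5.0, threshold=10, manager=mgr)
    # host-a: one connection every 2 s for 40 s, never more than 3 per window
    a_allowed = sum(a.outgoing_connection(i * 2.0, "10.0.0.%d" % (i + 1)) for i in range(20))
    # host-b: 50 connections in half a second, the 11th trips the agent
    b_allowed = sum(b.outgoing_connection(40.0 + i * 0.01, "10.0.1.%d" % (i + 1)) for i in range(50))
    return {
        "host_a_allowed": a_allowed,
        "host_b_allowed": b_allowed,
        "host_b_dropped": 50 - b_allowed,
        "manager_alerts": len(mgr.alerts),
        # host-a was blocked by the propagated alert, not by its own traffic
        "host_a_blocked_by_manager": a.outgoing_connection(41.0, "10.0.0.99") is False,
        # host-b still has 50 attempts in its window, so it stays blocked
        "host_b_still_blocked": b.relax(41.0),
        # ten seconds later both windows are empty and relaxation lifts the blocks
        "host_a_relaxed": a.relax(50.0) is False,
        "host_b_relaxed_later": b.relax(50.0) is False,
    }
```

Two properties of the scheme are visible in the scenario: the innocent host pays a denial-of-service cost (its legitimate connection at t=41 is dropped) until its own relaxation analysis clears it, and a scanning host that merely pauses will be unblocked by the same analysis, which is why the slide insists on a proper recovery scheme.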
Network Based Worm Defense
- Ingress and egress monitors
- Sensors deployed to capture worms, e.g. honeypots
- Alerts sent to a correlation server
- Analysis in a protected environment (sandbox): test the suspicious code against applications and find the vulnerability
- Generate a patch and update the hosts

Rootkits
- A set of programs installed for admin access; makes malicious and stealthy changes to the host OS
- May hide its existence by subverting the reporting mechanisms for processes, files, registry entries, etc.
- Types:
  » Persistent: activates at system boot
  » Memory-based: no persistent code on the system
  » User mode: intercepts calls to APIs (application program interfaces) and modifies the returned results
  » Kernel mode: intercepts native API calls in kernel mode
- Installed by a user via a trojan, or by an intruder already on the system
- A range of countermeasures is needed
  » RootkitRevealer: compares the results obtained through the API with results obtained without going through the API
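The RootkitRevealer idea on the slide, comparing an API-level view with a view obtained some other way, is often called cross-view detection. The block below is an added example, not RootkitRevealer's own code and not from the lecture: a generic cross-view comparison, a filter that suppresses objects that appear or vanish between the two enumerations of a round (the usual source of false positives), and, as an illustration for Linux, two process views, one from the `ps` tool and one from listing `/proc` directly. The `demo()` function uses constructed PID snapshots so it runs anywhere; `live_check()` is the same logic applied to a real Linux host.

```python
import os
import subprocess


def cross_view_diff(api_view, raw_view):
    """Objects visible in the raw (low-level) view but missing from the
    API view are hiding from the interface that a user-mode rootkit hooks."""
    return set(raw_view) - set(api_view)


def stable_hidden(snapshot_pairs):
    """Keep only objects hidden in every (api_view, raw_view) pair, so a
    process that started or exited between the two enumerations of one
    round does not show up as a false positive."""
    hidden = None
    for api_view, raw_view in snapshot_pairs:
        diff = cross_view_diff(api_view, raw_view)
        hidden = diff if hidden is None else hidden & diff
    return sorted(hidden or set())


def pids_via_proc():
    """Raw view on Linux: enumerate /proc directly."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pids_via_ps():
    """Tool view: whatever the ps command reports."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split() if tok.isdigit()}


def live_check(rounds=3):
    """Compare the two process views several times on a live Linux host.
    Any PID returned deserves a closer look; an empty list proves nothing
    about a kernel-mode rootkit that lies to both views."""
    return stable_hidden([(pids_via_ps(), pids_via_proc()) for _ in range(rounds)])


def demo():
    """Constructed snapshots: PID 4242 never appears in the API view (hidden),
    PID 999 is missing once because it exited mid-enumeration (transient)."""
    raw = {1, 100, 999, 4242, 5000}
    api_rounds = [
        {1, 100, 999, 5000},
        {1, 100, 5000},
        {1, 100, 999, 5000},
    ]
    return stable_hidden([(api, raw) for api in api_rounds])
```

The caveat in `live_check()` matters for the rootkit types listed above: cross-view detection catches user-mode hooking of the API, but a kernel-mode rootkit that filters the `/proc` listing as well leaves nothing for the two views to disagree about.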
Rootkit System Table Modification
- Modify the system call table
- Modify the system call table target
- Redirect the system call table

Bots and Botnets
- Bot, zombie, drone: an infected system controlled remotely by an attacker
- Botnet: a set of bots controlled by an attacker
- Uses of a botnet: DoS, spam, identity theft, keylogging, spreading malware, etc.
- Bot characteristics:
  » Remote control facility: via Internet Relay Chat (IRC), HTTP, DNS, Google, blogs, etc.
  » Spreading mechanism: attack software, vulnerability scanning
  » Scanning strategy: random, hit-list, topological, local subnet
- Various countermeasures are applicable: destroy the botnet during its formation; take out the control center
Spamming Botnets

    Name       Est. bot #          Spam capacity
    Conficker  9,000,[missing]     [missing] billion/day
    Kraken     495,000             9 billion/day
    Srizbi     450,[missing]       [missing] billion/day
    Bobax      85,000              9 billion/day
    Rustock    150,[missing]       [missing] billion/day
    Cutwail    125,[missing]       [missing] billion/day

Most Commonly Used Bot Families (2006)
(some slides modified from Usman Jafarey's talk)

Agobot (aka Forbot, Phatbot, Urxbot, Rxbot, Rbot)
- Most sophisticated; open source; 20,000 lines of C/C++ code
- IRC-based command/control; Windows/Linux
- Large collection of target exploits: remote buffer overflows
- Key features:
  » Password-protected IRC client control interface
  » Remotely update and remove the installed bot
  » Execute programs and commands
  » Port scanner used to find and infect other hosts
  » DDoS attacks used to take down networks
  » Packet sniffer, keylogger, polymorphic code, rootkit installer
  » Information harvesting: e-mail addresses, software product keys, passwords
  » SMTP client: spam, spreading copies of itself
  » HTTP client: click fraud, DDoS attacks
SDBot
- Simpler than Agobot: 2,000 lines of C code
- Non-malicious at base; utilitarian IRC-based command/control
- Easily extended for malicious purposes: scanning, DoS attacks, sniffers, information harvesting, encryption

SpyBot
- Under 3,000 lines of C code
- Possibly evolved from SDBot
  » Similar command/control engine
  » No attempt to hide its malicious purposes

GT Bot
- Functions based on mIRC scripting capabilities
- A HideWindow program hides the bot on the local system
- Features
  » Port scanning, DoS attacks, exploits for RPC and NetBIOS
Botnet Basics
- Variance in codebase size, structure, complexity, and implementation
- Convergence in the set of functions: a possibility for defense systems effective across bot families
- Bot families are extensible; Agobot is likely to become dominant
- A new area, very little is known; much research is going on

Botnet Control
- All of the above use IRC for command/control
- Disrupt IRC to disable the bots: sniff IRC traffic for commands; shut down channels used by botnets
- IRC operators play a central role in stopping botnet traffic; automated traffic identification is required
- Future botnets may move away from IRC
  » New directions: HTTP, P2P, DNS, search engines, blogs, news forums
  » Move to P2P communication: the Storm worm, detected in early 2007, is probably the largest botnet, 10M and up!
- Traffic fingerprinting is still useful for identification
Bot Host Control
- Fortify the system against other malicious attacks
- Disable anti-virus software
- Harvest sensitive information: PayPal, software keys, etc.
- Economic incentives for botnets
- Stresses the need to patch/protect systems prior to attack
- Stronger protection boundaries are required across applications in OSes

Propagation
- Horizontal scans: a single port across an address range
- Vertical scans: a single IP across a range of ports
- Current scanning techniques are simple; fingerprinting can identify scans
- Future methods: flash, more stealthy
- Source code examination; propagation models
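The horizontal/vertical distinction on the slide maps directly onto a detector over connection records. The block below is an added example, not code from the lecture or from any bot: it groups flows by source, flags a source as a horizontal scanner when one destination port reaches too many distinct hosts and as a vertical scanner when one host receives connections on too many distinct ports, and adds the simple fingerprint the slide alludes to, namely whether the targets were visited in strictly sequential order. The flow records, addresses and thresholds are constructed.

```python
import ipaddress
import random
from collections import defaultdict


def _sequential(values):
    """Fingerprint: True when the distinct targets were visited in strictly
    increasing steps of one, the signature of a naive sweeping scanner."""
    seen = list(dict.fromkeys(values))  # distinct values, first-seen order
    return len(seen) > 1 and all(b - a == 1 for a, b in zip(seen, seen[1:]))


def classify_scans(flows, host_threshold=8, port_threshold=8):
    """flows: iterable of (src, dst, dst_port) in the order they were seen.
    Returns one finding per (source, scan type, target set) over threshold."""
    by_port = defaultdict(lambda: defaultdict(list))  # src -> port -> [dst, ...]
    by_host = defaultdict(lambda: defaultdict(list))  # src -> dst -> [port, ...]
    for src, dst, port in flows:
        by_port[src][port].append(dst)
        by_host[src][dst].append(port)
    findings = []
    for src in by_port:
        for port, dsts in by_port[src].items():
            hosts = set(dsts)
            if len(hosts) >= host_threshold:   # one port, many hosts
                findings.append({
                    "src": src, "type": "horizontal", "port": port,
                    "hosts": len(hosts),
                    "sequential": _sequential(int(ipaddress.ip_address(d)) for d in dsts),
                })
        for dst, ports in by_host[src].items():
            distinct = set(ports)
            if len(distinct) >= port_threshold:  # one host, many ports
                findings.append({
                    "src": src, "type": "vertical", "target": dst,
                    "ports": len(distinct),
                    "sequential": _sequential(ports),
                })
    return sorted(findings, key=lambda f: (f["src"], f["type"]))


def sample_flows():
    """Constructed flow records (not from the slides)."""
    flows = [("10.0.0.5", "10.0.1.%d" % i, 445) for i in range(1, 13)]  # sweep of one port
    ports = list(range(20, 40))
    random.Random(7).shuffle(ports)                                        # randomized order
    flows += [("10.0.0.7", "10.0.2.9", p) for p in ports]                 # one host, many ports
    flows += [("10.0.0.9", "10.0.3.1", 80), ("10.0.0.9", "10.0.3.2", 443),
              ("10.0.0.9", "10.0.3.1", 22)]                                # ordinary client traffic
    return flows
```

Thresholds this low are only for the constructed data; on a real network the counts are taken per time window, and the `sequential` flag is a weak fingerprint that the slide's "future, more stealthy" scanners defeat by randomizing their order, as the vertical scanner in the sample already does.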
Exploits and Attacks
- Agobot: has the most elaborate set; several scanners, various flooding mechanisms for DDoS
- SDBot: none in the standard version; UDP/ICMP packet modules usable for flooding; variants include DDoS
- SpyBot: NetBIOS attacks; UDP/TCP/ICMP SYN floods, similar to SDBot; variants include more
- GTBot: RPC-DCOM exploits; ICMP floods; variants include UDP/TCP SYN floods

Countermeasures
- Required for protection: host-based anti-virus, network intrusion detection, prevention signature sets
- Future threats: more bots capable of launching multiple exploits
- Current damage: DDoS highlights the danger of large botnets; large-scale spamming campaigns show the long-term damage; increased ID theft
Code Delivery
- Shell encoders for distribution: malware packaged in a single script
- Agobot separates exploits from delivery: exploit the vulnerability (remote buffer overflow), open a shell on the host, then upload the binary via HTTP or FTP
- The encoder can be used across multiple exploits, which streamlines the codebase
- NIDS/NIPS need knowledge of shell codes and must perform simple decoding
- NIDS incorporate follow-up connection detection to prevent the exploit/delivery separation

Obfuscation
- Hides details of network transmissions; only slightly provided by encoding
- Same key used in encoding --> signature matching still works
- Polymorphism: generate random encodings, evades signature matching
- Agobot
  » POLY_TYPE_XOR
  » POLY_TYPE_SWAP (swap consecutive bytes)
  » POLY_TYPE_ROR (rotate right)
  » POLY_TYPE_ROL (rotate left)
- NIDS/anti-virus eventually need to develop protection against polymorphism
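The two slides above make a pair of claims a sensor author can check: with a fixed key, a signature written on the encoded bytes still matches; with a per-instance random key it does not, so the NIDS has to decode before matching. The block below is an added example, not Agobot code and not from the lecture: it implements the inverse of each listed POLY_TYPE, tries every single-layer decoding a sensor would try, and reports which one exposes a known signature. Treating XOR as a one-byte key and ROR/ROL as a per-byte rotation by `key` bits is an assumption made here; the slide only names the types. The signature and payload bytes are constructed.

```python
def rol8(b, n):
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b, n):
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def transform(data, poly_type, key=0, decode=False):
    """Apply (decode=False) or undo (decode=True) one encoding layer. The
    names are the POLY_TYPE_* values on the slide; byte-level semantics are
    an assumption for this example."""
    if poly_type == "XOR":          # self-inverse
        return bytes(b ^ (key & 0xFF) for b in data)
    if poly_type == "SWAP":         # self-inverse; a trailing odd byte is untouched
        out = bytearray(data)
        for i in range(0, len(out) - 1, 2):
            out[i], out[i + 1] = out[i + 1], out[i]
        return bytes(out)
    if poly_type == "ROR":          # undone by rotating left the same amount
        return bytes((rol8 if decode else ror8)(b, key) for b in data)
    if poly_type == "ROL":
        return bytes((ror8 if decode else rol8)(b, key) for b in data)
    raise ValueError("unknown poly type %r" % poly_type)


def candidates():
    """Every single-layer decoding a sensor tries when the key is unknown.
    ROL by n is the same as ROR by 8-n, so only ROR is enumerated."""
    yield ("SWAP", 0)
    for k in range(1, 256):
        yield ("XOR", k)
    for n in range(1, 8):
        yield ("ROR", n)


def find_encoded(data, signature):
    """Return the (poly_type, key) pairs under which `signature` appears once
    `data` is decoded. ("NONE", 0) means it matched without decoding."""
    hits = []
    if signature in data:
        hits.append(("NONE", 0))
    for poly_type, key in candidates():
        if signature in transform(data, poly_type, key, decode=True):
            hits.append((poly_type, key))
    return hits


SIGNATURE = b"DEMO-SIGNATURE-STRING"                       # constructed
PAYLOAD = b"header bytes " + SIGNATURE + b" trailer bytes"  # constructed


def demo():
    """Two instances encoded with different XOR keys: a signature written
    for the first encoded form misses the second; decoding finds both."""
    inst1 = transform(PAYLOAD, "XOR", 0x5A)
    inst2 = transform(PAYLOAD, "XOR", 0x3C)
    fixed_key_sig = transform(SIGNATURE, "XOR", 0x5A)  # signature on encoded bytes
    return {
        "fixed_sig_hits_inst1": fixed_key_sig in inst1,
        "fixed_sig_hits_inst2": fixed_key_sig in inst2,
        "decoded_inst1": find_encoded(inst1, SIGNATURE),
        "decoded_inst2": find_encoded(inst2, SIGNATURE),
    }
```

The search is 270 decodings per packet here, cheap enough for a sensor, but it only handles one layer; stacking transforms or using multi-byte keys multiplies the search space, which is why the slide concludes that signature matching alone eventually loses to polymorphism and the Generic Decryption approach (emulate until the code decodes itself) is needed.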
Deception
- Detection evasion once installed, a.k.a. rootkits
- Agobot: debugger tests; VMware tests; anti-virus process termination; pointing DNS for anti-virus to localhost
- Shows the merging between botnets, trojans, etc.
- Honeynet monitors must be aware of VM attacks
- Better tools are needed for dynamic malware analysis, and improved rootkit detection/anti-virus as deception improves

The Zombie Roundup Paper
- Dramatic Escalation
- Rise of Zombies
- We discuss
- Botnet example
- Botnet history and structure
- Botnet: bad and big
  » Some botnets have over 1 million bots; some are cut into smaller ones to sell separately
  » 60,000 bots per day in 2007 and 2008 [Symantec]
  » One estimate: one out of four home PCs are bots
  » Difficult to measure, trace, and take down
- Botnet measurements: operators
- Botnet measurements: honeypots
- Detect and stop botnets
- Prevent infection
- Detecting communication
- Detecting future bot communication
- Advanced detection
- Detecting behaviour
- Disrupting botnets
- Paper summary
Integrated Approach to Network Security Lee Klarich Senior Vice President, Product Management March 2013 Real data from actual networks 2 2012, Palo Alto Networks. Confidential and Proprietary. 2008: HTTP,
More informationDetection of Hidden Software Functionality
Detection of Hidden Software Functionality Jostein Jensen Master of Science in Communication Technology Submission date: June 2007 Supervisor: Svein Johan Knapskog, ITEM Co-supervisor: Maria B. Line, SINTEF
More informationAttacks from the Inside
Attacks from the Inside Eddy Willems, G Data Righard J. Zwienenberg, Norman Attacks from the Inside. Agenda - Social Networking / Engineering - Where are the threats coming from - Infection vectors - The
More informationHackers: Detection and Prevention
Computer Networks & Computer Security SE 4C03 Project Report Hackers: Detection and Prevention Due Date: March 29 th, 2005 Modified: March 28 th, 2005 Student Name: Arnold Sebastian Professor: Dr. Kartik
More informationIDS 4.0 Roadshow. Module 1- IDS Technology Overview. 2003, Cisco Systems, Inc. All rights reserved. IDS Roadshow
IDS 4.0 Roadshow Module 1- IDS Technology Overview Agenda Network Security Network Security Policy Management Protocols The Security Wheel IDS Terminology IDS Technology HIDS and NIDS IDS Communication
More informationShellshock. Oz Elisyan & Maxim Zavodchik
Shellshock By Oz Elisyan & Maxim Zavodchik INTRODUCTION Once a high profile vulnerability is released to the public, there will be a lot of people who will use the opportunity to take advantage on vulnerable
More informationLectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003
Lectures 9 Advanced Operating Systems Fundamental Security Computer Systems Administration TE2003 Lecture overview At the end of lecture 9 students can identify, describe and discuss: Main factors while
More informationComputer Networks & Computer Security
Computer Networks & Computer Security Software Engineering 4C03 Project Report Hackers: Detection and Prevention Prof.: Dr. Kartik Krishnan Due Date: March 29 th, 2004 Modified: April 7 th, 2004 Std Name:
More informationCSE331: Introduction to Networks and Security. Lecture 17 Fall 2006
CSE331: Introduction to Networks and Security Lecture 17 Fall 2006 Announcements Project 2 is due next Weds. Homework 2 has been assigned: It's due on Monday, November 6th. CSE331 Fall 2004 2 Summary:
More informationBotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation
BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke Lee USENIX Security Symposium (Security 07) Presented by Nawanol
More informationHost-based Intrusion Prevention System (HIPS)
Host-based Intrusion Prevention System (HIPS) White Paper Document Version ( esnhips 14.0.0.1) Creation Date: 6 th Feb, 2013 Host-based Intrusion Prevention System (HIPS) Few years back, it was relatively
More informationDetailed Description about course module wise:
Detailed Description about course module wise: Module 1: Basics of Networking and Major Protocols 1.1 Networks and its Types. 1.2 Network Topologies 1.3 Major Protocols and their Functions 1.4 OSI Reference
More informationComputer Viruses: How to Avoid Infection
Viruses From viruses to worms to Trojan Horses, the catchall term virus describes a threat that's been around almost as long as computers. These rogue programs exist for the simple reason to cause you
More informationDenial of Service Attacks
2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,
More information24/7 Visibility into Advanced Malware on Networks and Endpoints
WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction
More informationPROACTIVE PROTECTION MADE EASY
PROACTIVE PROTECTION AUTHOR: ANDREW NIKISHIN KASPERSKY LAB Heuristic Analyzer Policy-Based Security Intrusion Prevention System (IPS) Protection against Buffer Overruns Behaviour Blockers Different Approaches
More informationCSE534 Fundamentals of Computer Networking
CSE534 Fundamentals of Computer Networking Malware and bots Nick Nikiforakis nick@cs.stonybrook.edu Malware Malware, short for malicious software, is software designed to gain access to confidential information,
More informationMalware: Malicious Code
Malware: Malicious Code UIC 594/Kent Law: Computer and Network Privacy and Security: Ethical, Legal, and Technical Considerations 2007, 2008 Robert H. Sloan Malicious code: Viruses Most famous type of
More informationWildFire Overview. WildFire Administrator s Guide 1. Copyright 2007-2015 Palo Alto Networks
WildFire Overview WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing and signature-based detection and blocking of malware. WildFire extends the capabilities
More informationDDoS Attacks & Defenses
DDoS Attacks & Defenses DDOS(1/2) Distributed Denial of Service (DDoS) attacks form a significant security threat making networked systems unavailable by flooding with useless traffic using large numbers
More informationGetting Ahead of Malware
IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,
More informationComprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)
Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware
More informationSECURING APACHE : DOS & DDOS ATTACKS - II
SECURING APACHE : DOS & DDOS ATTACKS - II How DDoS attacks are performed A DDoS attack has to be carefully prepared by the attackers. They first recruit the zombie army, by looking for vulnerable machines,
More informationDetecting Bots with Automatically Generated Network Signatures
Detecting Bots with Automatically Generated Network Signatures Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel, Engin Kirda,, {pw,tho}@seclab.tuwien.ac.at Institute Eurecom,
More informationMalicious Network Traffic Analysis
Malicious Network Traffic Analysis Uncover system intrusions by identifying malicious network activity. There are a tremendous amount of network based attacks to be aware of on the internet today and the
More informationDetecting P2P-Controlled Bots on the Host
Detecting P2P-Controlled Bots on the Host Antti Nummipuro Helsinki University of Technology anummipu # cc.hut.fi Abstract Storm Worm is a trojan that uses a Peer-to-Peer (P2P) protocol as a command and
More informationWEBTHREATS. Constantly Evolving Web Threats Require Revolutionary Security. Securing Your Web World
Securing Your Web World WEBTHREATS Constantly Evolving Web Threats Require Revolutionary Security ANTI-SPYWARE ANTI-SPAM WEB REPUTATION ANTI-PHISHING WEB FILTERING Web Threats Are Serious Business Your
More informationAbout Botnet, and the influence that Botnet gives to broadband ISP
About net, and the influence that net gives to broadband ISP Masaru AKAI BB Technology / SBB-SIRT Agenda Who are we? What is net? About Telecom-ISAC-Japan Analyzing code How does net work? BB Technology
More informationChapter 14 Computer Threats
Contents: Chapter 14 Computer Threats 1 Introduction(Viruses,Bombs,Worms) 2 Categories of Viruses 3 Types of Viruses 4 Characteristics of Viruses 5 Computer Security i. Antivirus Software ii. Password,
More informationEvolution of attacks and Intrusion Detection
Evolution of attacks and Intrusion Detection AFSecurity seminar 11 April 2012 By: Stian Jahr Agenda Introductions What is IDS What is IDS in mnemoic How attacks have changed by time and how has it changed
More information1949 Self-reproducing cellular automata. 1959 Core Wars
114 Virus timeline When did viruses, Trojans and worms begin to pose a threat? Most histories of viruses start with the Brain virus, written in 1986. That was just the first virus for a Microsoft PC, though.
More informationSymantec Advanced Threat Protection: Network
Symantec Advanced Threat Protection: Network DR150218C April 2015 Miercom www.miercom.com Contents 1.0 Executive Summary... 3 2.0 Overview... 4 2.1 Products Tested... 4 2.2. Malware Samples... 5 3.0 How
More informationWORMS HALMSTAD UNIVERSITY. Network Security. Network Design and Computer Management. Project Title:
HALMSTAD UNIVERSITY Network Design and Computer Management Course Title: Network Security Project Title: WORMS Project members: - Tchape Philippe 841122-T099 - Jose Enrique Charpentier 830112-9154 Lecturer:
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 21
CIS 551 / TCOM 401 Computer and Network Security Spring 2006 Lecture 21 Outline for Today (and Next Time) Containing worms and viruses Detecting viruses and worms Intrusion detection in general Defenses
More informationProtect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure
More informationRunning code securely An overview of threats and countermeasures
Running code securely An overview of threats and countermeasures Almut Herzog Overview over protective technology for end users anti-virus software anti-spyware personal firewall backup encryption ssl
More informationIntroduction The Case Study Technical Background The Underground Economy The Economic Model Discussion
Internet Security Seminar 2013 Introduction The Case Study Technical Background The Underground Economy The Economic Model Discussion An overview of the paper In-depth analysis of fake Antivirus companies
More informationBotnet Tracking: Tools, Techniques, and Lessons Learned Dr. Jose Nazario
Botnet Tracking: Tools, Techniques, and Lessons Learned Dr. Jose Nazario About Arbor Networks Founded in 2000 ~150 employees worldwide Peakflow product lines Peakflow SP for service providers Peakflow
More informationLASTLINE WHITEPAPER. In-Depth Analysis of Malware
LASTLINE WHITEPAPER In-Depth Analysis of Malware Abstract Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse).
More information[CEH]: Ethical Hacking and Countermeasures
[CEH]: Ethical Hacking and Countermeasures Length Audience(s) Delivery Method : 5 days : This course will significantly benefit security officers, auditors, security professionals, site administrators,
More information