Review Study on Techniques for Network worm Signatures Automation
Mohammed Anbar (1), Sureswaran Ramadass (2), Selvakumar Manickam (3), Syazwina Binti Alias (4), Alhamza Alalousi (5), and Mohammed Elhalabi (6)

(1, 2, 3, 4, 6) National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia, {anbar,sures,selva,syazwina}@nav6.org
(5) School of Computer and Communication Engineering, Universiti Malaysia Perlis, Perlis, Malaysia, g @studentmail.unimap.edu.my

Abstract

A network worm signature is a specific string that exists in the packet payload. Signature-based IDSs such as Snort [16] compare this string with the signatures held in their database: if a match is found, the worm is detected; otherwise the network worm goes undetected. This paper presents a review study of network worm signature automation techniques. It first defines the network worm and worm signatures, then discusses the severity of the presence of network worms in a network, followed by the worm propagation and activation schemes. Finally, it explores the current techniques for automating signatures for network worms.

Keywords: Network worm, Worm signature, Intrusion Detection System (IDS)

1. Introduction

A network worm is self-propagating, self-duplicating malicious code that spreads without human intervention across computer networks and attacks vulnerable hosts and services. Network worms are typically classified by two attributes: the method used to spread and the technique used to exploit vulnerabilities. Network worms have destructive effects on network topology, resources and services [1-7]. Many researchers have therefore been drawn to propose techniques for automating network worm signatures.
According to Li, Salour & Su [8], the life cycle of a network worm after its release typically includes four phases: target finding or scanning, network worm transferring, network worm activation, and infection. The network worm is active on the network during target finding and transferring, and can be detected there by network-based intrusion detection systems (NIDSs). The activities in the last two phases (activation and infection) are limited to local machines and are harder for NIDSs to detect, because the worm's activity is focused on individual computers rather than on the network as a whole. In contrast, the activities in the first two phases (scanning and transferring) are easier to detect because they are centred on the network, for example the abnormal traffic generated by scanning. Figure 1 shows the typical location of a NIDS in the network.

Figure 1. The typical location of NIDS in the network

Advances in Information Sciences and Service Sciences (AISS), Volume 5, Number 17, December
Similar to a computer virus or other malicious code, a network worm has a signature that an IDS can use in the detection phase. Automated signature generation for new attacks is extremely difficult for three reasons. First, to create an attack signature, attack traffic must be identified and isolated from legitimate traffic; automatic identification of new worms is critical, since it is the foundation of the other defence measures. Second, the generated signature must be general enough to capture all attack traffic of a certain type while at the same time specific enough to avoid overlapping with the content of normal traffic, in order to reduce false positives. This problem has so far been handled in an ad hoc way based on human judgement. Third, the defence system must be flexible enough to deal with polymorphism in the attack traffic; otherwise, worms may be programmed to deliberately modify themselves each time they replicate and thus fool the defence system [9]. The packets used to transfer malicious code from the sender to the destination have specific patterns and noticeable behaviours. After the malicious code infects the destination host, the new host acts in the same manner as the host that infected it.

2. The severity of worms

The severity of network worms depends on the propagation process, in which network scanning is initiated to determine the vulnerability of hosts and services. Network scanning degrades network performance and consumes bandwidth and resources (CPU and memory) by keeping network machines busy with the requests received from, and the responses returned to, the scanning machine. Once a network worm infects a network, it automatically begins to propagate, causing great destruction throughout the network through congestion: it creates unnecessary traffic that serves only network worm propagation. Figure 2 shows the worm propagation process.

Figure 2. Worm propagation

3. Network Worm Propagation Schemes

As reported by Weaver et al. [5], there are three network worm propagation schemes: (1) self-carried, (2) embedded, and (3) second channel. Self-carried network worms actively transmit themselves to the target host (the worm is fully transmitted to the target during the initial connection). Second-channel network worms need a second communication channel: the worm communicates with the victim machine over the original channel, then the victim machine connects back to the infecting machine over another channel to download the worm payload. The embedded propagation scheme is very stealthy; the worm appends its payload to, or replaces, legitimate traffic in order to hide itself. No anomalous events are triggered, so it is hard for anomaly-based detection systems to detect. In addition to the three propagation schemes discussed, botnets have been utilized to propagate network worms, spam and spyware, and to launch distributed denial-of-service (DDoS) attacks [8]. A botnet is a group of compromised hosts under the control of a botmaster. The communication channel the botmaster uses to issue commands can be implemented using different protocols such as HTTP or peer-to-peer (P2P) protocols; however, the majority of botnets use the Internet Relay Chat (IRC) protocol for this purpose [14].

4. Network Worm Activation Schemes

Network worm activation means running the network worm under a certain condition or schedule. Weaver et al. [15] classified network worm activation as follows:
1. Human activated: this type of activation requires human intervention to execute the network worm.
2. Activated by a specific activity performed by the user (such as opening a CD or bin drive).
3. Activated by a scheduled process: the network worm is activated by a legitimate automated process that has not been properly secured, such as a legitimate program that automatically updates itself from an infected web server.
4. Self-activated: this kind of network worm can activate without human intervention and is considered the most dangerous; this paper focuses on detecting this kind of network worm.

5. Techniques for automating network worm signatures

Snort [16] is an open source network-based intrusion detection system (NIDS) that can perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching and content matching. Snort can be configured in three main modes: sniffer, packet logger and network intrusion detection. In sniffer mode, the program reads network packets and displays them on the console. In packet logger mode, the program logs packets to disk [16].
In intrusion detection mode, Snort can detect different types of malicious code, including network worms. For network worms, Snort acts as a Signature Based Network Worm Detection (SBWD) system: it detects the presence of a network worm from its signature by checking the incoming packet payload and system log files against the network worm signatures already stored in the IDS database, and raises an alert when a match is found [16].

Kreibich & Crowcroft [17] developed Honeycomb, which aims to generate signatures for malicious network traffic automatically, using pattern-detection techniques and packet header similarity tests on traffic captured from honeypots. Traffic reaching the honeypot is logged to a file that holds the IP, TCP and UDP headers as well as the payload data. After protocol analysis, Honeycomb analyses the reassembled flow content: it applies the longest common substring (LCS) algorithm to binary strings built out of the exchanged messages, in two different ways, horizontal detection and vertical detection. The contents of the signature pool are periodically reported to an output module that implements the actual logging of the signature records. At the moment, there are modules that convert the signature records into Bro [18] or pseudo-Snort format, and a module that dumps the signature strings to a file. Figure 3 shows the Honeycomb architecture.
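The horizontal LCS step described above, as an added illustration that is not Honeycomb's own code: pairs of flows to the same honeypot port are compared with a longest-common-substring routine, substrings above a length threshold enter a signature pool, and each pooled signature is rendered as a pseudo-Snort rule. The flows are constructed and the sid values are placeholders.

```python
"""Honeycomb-style signature extraction: longest common substring (LCS) over
flows captured at a honeypot, in the horizontal direction (same position in
different flows). Added illustration, not Honeycomb's own code; the flows are
constructed and the Snort sid is a placeholder in the local range."""
from itertools import combinations

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Dynamic-programming LCS over two byte strings, O(len(a) * len(b))."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def horizontal_detection(flows, min_len):
    """Compare every pair of flows that hit the same honeypot port and keep
    common substrings of at least min_len bytes: {port: set(signatures)}."""
    by_port = {}
    for port, payload in flows:
        by_port.setdefault(port, []).append(payload)
    pool = {}
    for port, payloads in by_port.items():
        for x, y in combinations(payloads, 2):
            lcs = longest_common_substring(x, y)
            if len(lcs) >= min_len:
                pool.setdefault(port, set()).add(lcs)
    return pool

def snort_content(sig: bytes) -> str:
    """Render bytes as a Snort content: string; non-printable bytes and the
    characters Snort treats specially inside content go in |hex| runs."""
    out, hexrun = [], []
    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{b:02x}" for b in hexrun) + "|")
            hexrun.clear()
    for b in sig:
        if 0x20 <= b < 0x7f and chr(b) not in '|";\\':
            flush()
            out.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(out)

def to_pseudo_snort(port: int, sig: bytes, sid: int) -> str:
    """One pseudo-Snort rule per pooled signature (sid is a placeholder)."""
    return (f'alert tcp any any -> any {port} (msg:"Honeycomb LCS signature"; '
            f'content:"{snort_content(sig)}"; sid:{sid}; rev:1;)')

# Constructed honeypot flows: one benign request and two copies of a fake
# worm request that differ only in the Host header.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.0\r\nHost: h1\r\n\r\n"),
    (80, b"POST /upload HTTP/1.0\r\nHost: h2\r\n\r\n[[CONSTRUCTED-WORM-BODY-0x41]]"),
    (80, b"POST /upload HTTP/1.0\r\nHost: h3\r\n\r\n[[CONSTRUCTED-WORM-BODY-0x41]]"),
]

if __name__ == "__main__":
    # With min_len=20 only the shared worm body survives; at min_len=10 the
    # protocol boilerplate common to the benign and worm flows
    # (" HTTP/1.0\r\nHost: h") enters the pool too, which is the specificity
    # problem described in the introduction.
    for port, sigs in horizontal_detection(SAMPLE_FLOWS, min_len=20).items():
        for n, sig in enumerate(sorted(sigs), start=1000001):
            print(to_pseudo_snort(port, sig, n))
```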
Figure 3. Honeycomb architecture (Kreibich & Crowcroft, 2004).

Autograph, proposed by Kim & Karp [19], is a distributed system for automatically generating network worm signatures for Bro [18] and Snort [16]. Autograph aims to generate signatures automatically for unknown network worms that propagate over TCP transport. It generates signatures by analysing the prevalence of portions of flow payloads, and thus uses no knowledge of protocol semantics above the TCP level. It is designed to produce signatures that exhibit high sensitivity (high true positives) and high specificity (low false positives). Unlike Honeycomb, Autograph's inputs are packet traces from a demilitarized zone (DMZ) that include benign traffic. Suspicious flows are partitioned into content blocks by COPP, an algorithm based on Rabin fingerprints that searches for repeated byte sequences; content blocks that match enough suspicious flows become signatures. Like Honeycomb, Autograph generates signatures consisting of a single, contiguous substring of a network worm's payload to match all worm instances. These signatures, unfortunately, fail to match all polymorphic network worm instances with low false positives and low false negatives.

Earlybird is a system proposed by Singh et al. [20] for generating signatures to detect network worms, based on the assumption that network worms must generate significant traffic to propagate. This traffic contains a common substring that is transferred from the source (attacker) to the destinations. On this assumption the authors argue that identifying this traffic pattern is sufficient for detecting network worms, and propose content sifting to identify it, which works as follows: (A) for each network packet, the content is extracted and all substrings processed, and (B) each substring is indexed into a log table that increments a count field for that substring each time it is found.
In effect, this table implements a histogram of all observed substrings. To maintain a count of unique source and destination addresses, each table entry also keeps two lists of IP addresses that are searched, and potentially updated, each time a substring count is incremented. Sorting this table on the substring count and the size of the address lists produces the set of likely network worm traffic. Earlybird, like Honeycomb and Autograph, generates signatures consisting of a single, contiguous substring of a network worm's payload to match all worm instances; these signatures likewise fail to match all polymorphic network worm instances with low false positives and low false negatives.

A double-honeynet is another system that aims to detect new network worms automatically. The proposed system consists of two honeynets, Honeynet 1 and Honeynet 2. A gate translator deployed at the edge router between the local network and the Internet detects unwanted inbound connections and forwards them to Honeynet 1; once Honeynet 1 is compromised, the network worm will attempt to make outbound connections. Each honeynet is associated with an internal translator, implemented in a router, that separates the honeynet from the rest of the network. Internal Translator 1 intercepts all outbound connections from Honeynet 1 and redirects them to Honeynet 2. Honeynet 2 captures the packets that make outbound connections, so the double-honeynet forwards only packets that make outbound connections. If Honeynet 2 captures enough instances of network worm payloads, Internal Translator 2 automatically forwards them to the signature generator, which receives the packet payloads captured by the double-honeynet and generates signatures. These packets are checked by the protocol classifier, which classifies packets by protocol (TCP/UDP) and port number. The known-network-worms filter then filters out known network worm samples and passes the remaining samples (unknown network worms) to the Signature Generation Algorithms component, which extracts all the distinct tokens in the samples and clusters them according to their similarity. The set of tokens in each cluster is used as the signature for that cluster, so the total number of signatures equals the total number of clusters [21]. Figure 4 shows the double-honeynet system architecture. Table 1 summarizes the techniques for automating network worm signatures.

Figure 4. Double Honeynet system architecture

Table 1: A summary of techniques for automating network worm signatures.

Approach: Honeycomb (Kreibich & Crowcroft, 2004)
Description: Aims to generate signatures for malicious network traffic automatically; uses pattern-detection techniques and packet header similarity tests on traffic captured from honeypots.
Disadvantage: Fails to match all polymorphic network worm instances.

Approach: Autograph (Kim & Karp, 2004)
Description: Aims to automatically generate signatures for unknown network worms that propagate using TCP transport; generates signatures by analysing the prevalence of portions of flow payloads, and thus uses no knowledge of protocol semantics above the TCP level.
Disadvantage: Fails to match all polymorphic network worm instances.

Approach: Earlybird (Singh, Estan, Varghese, & Savage, 2004)
Description: Generates signatures to detect network worms based on the assumption that network worms must generate significant traffic to propagate; this traffic contains a common substring that is transferred from the source (attacker) to the destinations.
Disadvantage: Fails to match all polymorphic network worm instances.
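Earlybird's content sifting as described in Section 5, as an added example that is not Earlybird's code: fixed-length windows of each packet payload are counted in a table that also tracks source and destination dispersion, the table is sorted by count and dispersion, and the surviving windows are chained back into the single contiguous signature. Earlybird fingerprints the windows; here the raw bytes are used as keys for clarity. The trace is constructed, and the second trace, in which every copy of the worm body is rewritten with a different per-copy key, shows the drawback listed in Table 1: no single substring is prevalent across the copies.

```python
"""Earlybird-style content sifting over a constructed packet trace.
Added illustration, not Earlybird's code: fixed-length substrings of each
payload are counted in a table that also tracks source/destination address
lists; raw byte windows are used as table keys instead of fingerprints."""
from collections import defaultdict

BETA = 8  # window length in bytes (constructed choice)

class SiftTable:
    """Histogram of observed substrings plus per-substring address lists."""
    def __init__(self, beta=BETA):
        self.beta = beta
        self.count = defaultdict(int)
        self.srcs = defaultdict(set)
        self.dsts = defaultdict(set)

    def observe(self, src, dst, payload):
        seen = set()  # count each distinct window once per packet
        for i in range(len(payload) - self.beta + 1):
            w = payload[i:i + self.beta]
            if w in seen:
                continue
            seen.add(w)
            self.count[w] += 1
            self.srcs[w].add(src)
            self.dsts[w].add(dst)

    def candidates(self, min_count, min_srcs, min_dsts):
        """Rows (window, count, #srcs, #dsts) passing the prevalence and
        dispersion thresholds, sorted by count then dispersion."""
        rows = [(w, c, len(self.srcs[w]), len(self.dsts[w]))
                for w, c in self.count.items()
                if c >= min_count and len(self.srcs[w]) >= min_srcs
                and len(self.dsts[w]) >= min_dsts]
        rows.sort(key=lambda r: (r[1], r[2] + r[3]), reverse=True)
        return rows

def merge_windows(windows):
    """Chain windows that overlap by beta-1 bytes back into the longest
    contiguous invariant: the single-substring signature."""
    ws = set(windows)
    by_prefix = {w[:-1]: w for w in ws}
    suffixes = {w[1:] for w in ws}
    best = b""
    for start in ws:
        if start[:-1] in suffixes:
            continue  # not the head of a chain
        cur, used = start, {start}
        while True:
            nxt = by_prefix.get(cur[-(len(start) - 1):])
            if nxt is None or nxt in used:
                break
            used.add(nxt)
            cur += nxt[-1:]
        if len(cur) > len(best):
            best = cur
    return best

# Constructed trace: five copies of a fake worm body from three sources to
# five destinations, plus three benign requests from one client to one server.
WORM_PAYLOAD = b"[CONSTRUCTED-INVARIANT-WORM-BODY]\r\n"
WORM_PACKETS = [("10.0.0.1", "192.0.2.10"), ("10.0.0.2", "192.0.2.11"),
                ("10.0.0.3", "192.0.2.12"), ("10.0.0.1", "192.0.2.13"),
                ("10.0.0.2", "192.0.2.14")]
BENIGN_PACKETS = [
    ("10.0.0.9", "192.0.2.1", b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.0.9", "192.0.2.1", b"GET /style.css HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.0.9", "192.0.2.1", b"GET /logo.png HTTP/1.1\r\nHost: www\r\n\r\n"),
]

def invariant_worm_trace():
    return [(s, d, WORM_PAYLOAD) for s, d in WORM_PACKETS] + BENIGN_PACKETS

def polymorphic_worm_trace():
    """Each copy rewrites the body with a different per-copy XOR key, so no
    8-byte window repeats across copies (toy variation, constructed)."""
    trace = [(s, d, bytes(b ^ k for b in WORM_PAYLOAD))
             for k, (s, d) in enumerate(WORM_PACKETS, start=1)]
    return trace + BENIGN_PACKETS

def sift_trace(packets, min_count=4, min_srcs=2, min_dsts=2):
    table = SiftTable()
    for src, dst, payload in packets:
        table.observe(src, dst, payload)
    return table.candidates(min_count, min_srcs, min_dsts)

if __name__ == "__main__":
    rows = sift_trace(invariant_worm_trace())
    print(len(rows), "windows flagged; signature:",
          merge_windows([r[0] for r in rows]))
    print(len(sift_trace(polymorphic_worm_trace())),
          "windows flagged for the polymorphic copies")
```

The benign requests share their HTTP boilerplate but come from one source to one destination, so the dispersion thresholds drop them; the rewritten copies share nothing eight bytes long, so the table yields no candidate at all.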
6. Conclusion

This paper has highlighted the severity of the presence of network worms in a network. The existing approaches for worm signature automation were then explored and the advantages and drawbacks of each approach highlighted. The existing approaches used to generate network worm signatures unfortunately fail to match all polymorphic network worm instances, because the signature of a polymorphic network worm keeps changing every time it is sent from source to destination, while the proposed approaches are based on generating a static signature for the detected worm [22].

7. Acknowledgment

This research is supported by the National Advanced IPv6 Centre of Excellence (NAv6), Universiti Sains Malaysia (USM).

8. References

[1] S. Staniford, V. Paxson, and N. Weaver, "How to Own the Internet in Your Spare Time," in USENIX Security Symposium, 2002, pp.
[2] D. Moore, C. Shannon, G. M. Voelker, and S. Savage, "Internet quarantine: Requirements for containing self-propagating code," in INFOCOM, Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies, 2003, pp.
[3] S. Chen and Y. Tang, "Slowing down internet worms," in Proceedings of the 24th International Conference on Distributed Computing Systems, 2004, pp.
[4] C. Kruegel and G. Vigna, "Anomaly detection of web-based attacks," in Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003, pp.
[5] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "Inside the Slammer worm," IEEE Security & Privacy, vol. 1, pp.
[6] C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, "StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks," in Proceedings of the 7th USENIX Security Symposium, 1998, pp.
[7] M. W. Eichin and J. A. Rochlis, "With microscope and tweezers: An analysis of the Internet virus of November 1988," in Proceedings of the 1989 IEEE Symposium on Security and Privacy, 1989, pp.
[8] P. Li, M. Salour, and X. Su, "A survey of internet worm detection and containment," IEEE Communications Surveys & Tutorials, vol. 10, pp.
[9] Y. Tang and S. Chen, "Defending against internet worms: A signature-based approach," in INFOCOM, Annual Joint Conference of the IEEE Computer and Communications Societies, 2005, pp.
[10] C. C. Zou, W. Gong, and D. Towsley, "Code Red worm propagation modeling and analysis," in Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002, pp.
[11] Z. Chen, L. Gao, and K. Kwiat, "Modeling the spread of active worms," in INFOCOM, Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies, 2003, pp.
[12] D. Moore and C. Shannon, "Code-Red: a case study on the spread and victims of an Internet worm," in Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement, 2002, pp.
[13] J. O. Kephart and S. R. White, "Directed-graph epidemiological models of computer viruses," in Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy, 1991, pp.
[14] G. Gu, R. Perdisci, J. Zhang, and W. Lee, "BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection," 2008, pp.
[15] N. Weaver, V. Paxson, S. Staniford, and R. Cunningham, "A taxonomy of computer worms," in Proceedings of the 2003 ACM Workshop on Rapid Malcode, 2003, pp.
[16] Snort, "A free lightweight network intrusion detection system for UNIX and Windows."
[17] C. Kreibich and J. Crowcroft, "Honeycomb: creating intrusion detection signatures using honeypots," ACM SIGCOMM Computer Communication Review, vol. 34, pp.
[18] V. Paxson, "Bro: a system for detecting network intruders in real-time," Computer Networks, vol. 31, pp.
[19] H. Kim and B. Karp, "Autograph: Toward automated, distributed worm signature detection," in USENIX Security Symposium, 2004, p. 19.
[20] S. Singh, C. Estan, G. Varghese, and S. Savage, "The EarlyBird system for real-time detection of unknown worms," Citeseer, 2003.
[21] M. Mohammed, H. Chan, and N. Ventura, "Honeycyber: Automated signature generation for zero-day polymorphic worms," in Military Communications Conference, MILCOM, IEEE, 2008, pp.
[22] S. Stafford and J. Li, "Behavior-based worm detectors compared," in Recent Advances in Intrusion Detection, 2010, pp.
More informationThe Effect of Infection Time on Internet Worm Propagation
The Effect of Infection Time on Internet Worm Propagation Erika Rice The Effect of Infection Time oninternet Worm Propagation p 1 Background Worms are self propagating programs that spread over a network,
More informationIntrusion Detections Systems
Intrusion Detections Systems 2009-03-04 Secure Computer Systems Poia Samoudi Asli Davor Sutic Contents Intrusion Detections Systems... 1 Contents... 2 Abstract... 2 Introduction... 3 IDS importance...
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security
Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network
More informationIntrusion Detection System using Virtual Honeypots
Intrusion Detection System using Virtual Honeypots Prof. Smita Jawale (Department of Computer Engineering, VCET) Rishi Mehta, Vivek Mahalingam, Niyoshi Mehta (Department of Computer Engineering, VCET,
More informationChapter 15. Firewalls, IDS and IPS
Chapter 15 Firewalls, IDS and IPS Basic Firewall Operation The firewall is a border firewall. It sits at the boundary between the corporate site and the external Internet. A firewall examines each packet
More informationINTRUSION DETECTION SYSTEMS and Network Security
INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS
More informationFuzzy Network Profiling for Intrusion Detection
Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University
More informationNetwork Incident Report
To submit copies of this form via facsimile, please FAX to 202-406-9233. Network Incident Report United States Secret Service Financial Crimes Division Electronic Crimes Branch Telephone: 202-406-5850
More informationHow To Detect Denial Of Service Attack On A Network With A Network Traffic Characterization Scheme
Efficient Detection for DOS Attacks by Multivariate Correlation Analysis and Trace Back Method for Prevention Thivya. T 1, Karthika.M 2 Student, Department of computer science and engineering, Dhanalakshmi
More informationDetecting UDP attacks using packet symmetry with only flow data
University of Twente Department of Electrical Engineering, Mathematics an Computer Science Chair for Design and Analysis of Communication Systems Detecting UDP attacks using packet symmetry with only flow
More informationHow To Protect Your Firewall From Attack From A Malicious Computer Or Network Device
Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet
More informationArchitecture Overview
Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and
More informationNetwork Defense Tools
Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall
More informationRole of Anomaly IDS in Network
Role of Anomaly IDS in Network SumathyMurugan 1, Dr.M.Sundara Rajan 2 1 Asst. Prof, Department of Computer Science, Thiruthangal Nadar College, Chennai -51. 2 Asst. Prof, Department of Computer Science,
More informationDDoS Protection Technology White Paper
DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of
More informationIntrusion Detection System
Intrusion Detection System Time Machine Dynamic Application Detection 1 NIDS: two generic problems Attack identified But what happened in the past??? Application identification Only by port number! Yet
More informationThe Effects of Filtering Malicious Traffic. under DoS Attacks
The Effects of Filtering Malicious Traffic Chinawat Wongvivitkul IT Security Department Gosoft (Thailand), CP Tower 1 313 Silom Road, Bangkok 10500 Thailand chinawatwon@ gosoft.co.th under DoS Attacks
More informationInternet Worms, Firewalls, and Intrusion Detection Systems
Internet Worms, Firewalls, and Intrusion Detection Systems Brad Karp UCL Computer Science CS 3035/GZ01 12 th December 2013 Outline Internet worms Self-propagating, possibly malicious code spread over Internet
More informationApplication Security Backgrounder
Essential Intrusion Prevention System (IPS) & DoS Protection Knowledge for IT Managers October 2006 North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International
More informationCisco IPS Tuning Overview
Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More informationFirewalls, IDS and IPS
Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not
More informationFirewalls, Tunnels, and Network Intrusion Detection. Firewalls
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More informationInternet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering
Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls
More informationCS 356 Lecture 16 Denial of Service. Spring 2013
CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter
More informationProject Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1
Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology Project Proposal 1 Project Proposal 2 Abstract Honeypot systems are readily used by organizations large and
More informationA Review of Anomaly Detection Techniques in Network Intrusion Detection System
A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In
More informationHoneycomb Creating Intrusion Detection Systems
Honeycomb Creating Intrusion Detection Signatures Using Honeypots Christian Kreibich, Jon Crowcroft University of Cambridge Computer Laboratory JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom firstname.lastname
More informationJK0 015 CompTIA E2C Security+ (2008 Edition) Exam
JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router
More informationIntroduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.
Contents Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined. Technical OverView... Error! Bookmark not defined. Network Intrusion Detection
More informationNETWORK SECURITY (W/LAB) Course Syllabus
6111 E. Skelly Drive P. O. Box 477200 Tulsa, OK 74147-7200 NETWORK SECURITY (W/LAB) Course Syllabus Course Number: NTWK-0008 OHLAP Credit: Yes OCAS Code: 8131 Course Length: 130 Hours Career Cluster: Information
More informationFirewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)
s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware
More informationFIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall
More informationINTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad
INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad OUTLINE Security incident Attack scenario Intrusion detection system Issues and challenges Conclusion
More informationTaxonomy of Hybrid Honeypots
2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore Taxonomy of Hybrid Honeypots Hamid Mohammadzadeh.e.n 1, Masood Mansoori 2 and Roza
More informationA Novel Packet Marketing Method in DDoS Attack Detection
SCI-PUBLICATIONS Author Manuscript American Journal of Applied Sciences 4 (10): 741-745, 2007 ISSN 1546-9239 2007 Science Publications A Novel Packet Marketing Method in DDoS Attack Detection 1 Changhyun
More informationAn Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks
2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh
More informationA TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS
ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, JUNE 2010, ISSUE: 02 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS S.Seetha 1 and P.Raviraj 2 Department of
More informationFirewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA
Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..
More informationAnalyzing Intrusion Detection System Evasions Through Honeynets
Analyzing Intrusion Detection System Evasions Through Honeynets J.S Bhatia 1, Rakesh Sehgal 2, Simardeep Kaur 3, Siddharth Popli 4 and Nishant Taneja 5 1 Centre for Development of Advanced Computing 2,
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2006 Lecture 21
CIS 551 / TCOM 401 Computer and Network Security Spring 2006 Lecture 21 Outline for Today (and Next Time) Containing worms and viruses Detecting viruses and worms Intrusion detection in general Defenses
More informationTHE ROLE OF IDS & ADS IN NETWORK SECURITY
THE ROLE OF IDS & ADS IN NETWORK SECURITY The Role of IDS & ADS in Network Security When it comes to security, most networks today are like an egg: hard on the outside, gooey in the middle. Once a hacker
More informationHow To Prevent Hacker Attacks With Network Behavior Analysis
E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal
More informationComparing Two Models of Distributed Denial of Service (DDoS) Defences
Comparing Two Models of Distributed Denial of Service (DDoS) Defences Siriwat Karndacharuk Computer Science Department The University of Auckland Email: skar018@ec.auckland.ac.nz Abstract A Controller-Agent
More informationRadware s Behavioral Server Cracking Protection
Radware s Behavioral Server Cracking Protection A DefensePro Whitepaper By Renaud Bidou Senior Security Specialist,Radware October 2007 www.radware.com Page - 2 - Table of Contents Abstract...3 Information
More informationInternational Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849
WINDOWS-BASED APPLICATION AWARE NETWORK INTERCEPTOR Ms. Shalvi Dave [1], Mr. Jimit Mahadevia [2], Prof. Bhushan Trivedi [3] [1] Asst.Prof., MCA Department, IITE, Ahmedabad, INDIA [2] Chief Architect, Elitecore
More informationSecurity Engineering Part III Network Security. Intruders, Malware, Firewalls, and IDSs
Security Engineering Part III Network Security Intruders, Malware, Firewalls, and IDSs Juan E. Tapiador jestevez@inf.uc3m.es Department of Computer Science, UC3M Security Engineering 4th year BSc in Computer
More informationFlashback: Internet design goals. Security Part Two: Attacks and Countermeasures. Security Vulnerabilities. Why did they leave it out?
Flashback: Internet design goals Security Part Two: Attacks and Countermeasures 1. Interconnection 2. Failure resilience 3. Multiple types of service 4. Variety of networks 5. Management of resources 6.
More information