Comparative Analysis of Behavioral Classification of Computer Networks and Early Warning System for Worm Detection

Similar documents
A Real-Time Network Traffic Based Worm Detection System for Enterprise Networks

Intelligent Worms: Searching for Preys

Second-generation (GenII) honeypots

Edge Configuration Series Reporting Overview

IDS / IPS. James E. Thiel S.W.A.T.

DDoS Protection Technology White Paper

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

Firewall Firewall August, 2003

Effective Worm Detection for Various Scan Techniques

Introduction of Intrusion Detection Systems

Security Toolsets for ISP Defense

Application Security Backgrounder

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Cisco IPS Tuning Overview

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Traffic Monitoring : Experience

Configuring the BIG-IP and Check Point VPN-1 /FireWall-1

Development of a Network Intrusion Detection System

Chapter 9 Firewalls and Intrusion Prevention Systems

Managing Latency in IPS Networks

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Introduction... Error! Bookmark not defined. Intrusion detection & prevention principles... Error! Bookmark not defined.

Networking for Caribbean Development

Intrusion Forecasting Framework for Early Warning System against Cyber Attack

Honeypot as the Intruder Detection System

Firewalls and Intrusion Detection

Connecting your Virtual Machine to the Internet. BT Cloud Compute. The power to build your own cloud solutions to serve your specific business needs

Chapter 4 Firewall Protection and Content Filtering

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

OLD DOMINION UNIVERSITY Router-Switch Best Practices. (last updated : )

Network Instruments white paper

Taxonomy of Intrusion Detection System

Banking Security using Honeypot

Chapter 4 Firewall Protection and Content Filtering

Multifaceted Approach to Understanding the Botnet Phenomenon

SPAM FILTER Service Data Sheet

Intelligent. Data Sheet

co Characterizing and Tracing Packet Floods Using Cisco R

Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Intrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com

HoneyBOT User Guide A Windows based honeypot solution

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

This Technical Support Note shows the different options available in the Firewall menu of the ADTRAN OS Web GUI.

Flashback: Internet design goals. Security Part Two: Attacks and Countermeasures. Security Vulnerabilities. Why did they leave it out?

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

How To Prevent DoS and DDoS Attacks using Cyberoam

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

Coimbatore-47, India. Keywords: intrusion detection,honeypots,networksecurity,monitoring

Intrusion Detection in AlienVault

Intrusion Detection. Tianen Liu. May 22, paper will look at different kinds of intrusion detection systems, different ways of

Internet Security Firewalls

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

NSC E

Applied Security Lab 2: Personal Firewall

UMHLABUYALINGANA MUNICIPALITY FIREWALL MANAGEMENT POLICY

Data Centers Protection from DoS attacks. Trends and solutions. Michael Soukonnik, Radware Ltd Riga. Baltic IT&T

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

GregSowell.com. Mikrotik Security

F-SECURE MESSAGING SECURITY GATEWAY

Network Threat Behavior Analysis Monitoring Guide. McAfee Network Security Platform 6.1

HONEYPOT SECURITY. February The Government of the Hong Kong Special Administrative Region

Tunisia s experience in building an ISAC. Haythem EL MIR Technical Manager NACS Head of the Incident Response Team cert-tcc

Malware Protection II White Paper Windows 7

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Verizon Firewall. 1 Introduction. 2 Firewall Home Page

SECURITY FLAWS IN INTERNET VOTING SYSTEM

Content-ID. Content-ID URLS THREATS DATA

Project 4: (E)DoS Attacks

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

CMS Operational Policy for Firewall Administration

BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Firewalls, Tunnels, and Network Intrusion Detection

WORKING WITH WINDOWS FIREWALL IN WINDOWS 7

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Multi-phase IRC Botnet and Botnet Behavior Detection Model

Firewalls & Intrusion Detection

About Firewall Protection

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

DDoS DETECTING. DDoS ATTACKS WITH INFRASTRUCTURE MONITORING. [ Executive Brief ] Your data isn t safe. And neither is your website or your business.

Securing the system using honeypot in cloud computing environment

Transcription:

International Journal of Computer Applications (975 8887) Comparative Analysis of Behavioral Classification of Computer Networks and Early Warning System for Worm Detection Olabode O Department of Computer Science Federal University of Technology Akure,Nigeria Adebayo O.T Department of Computer Science Federal University of Technology Akure,Nigeria Iwasokun G.B Department of Computer Science Federal University of Technology Akure,Nigeria ABSTRACT The effort required for detecting worm that threaten the reliability and stability of network resources is in the process of advancing, demanding increasingly sophisticated resources. A worm is a self-propagating program that infects other hosts based on a known vulnerability in network hosts. The spread of active worms does not need any human interaction. There is a growing demand for effective techniques to detect the presence of worms and to reduce the worms spread. Worms have become a major threat to the Internet due to their ability to rapidly, compromise large numbers of computers. This work presents a comparative analysis of behavioural classification of networks (BCN) and early warning system (EWS) to determine which one performs better in computer worm detection. Keywords BCN,EWS, Response Time, Net Packet. INTRODUCTION Nowadays, excellent technology (i.e., anti-worms software packages) exists for detecting and eliminating known malicious codes. Typically, anti-worms software packages inspect each file that enters the system, looking for known signs (signatures) which uniquely identify an instance of known malicious codes. Nevertheless, anti-worms technology is based on prior explicit knowledge of worm code signatures and cannot be used for detecting unknown worm codes. Following the appearance of a new worm, a patch is provided by the operating system provider (if needed) and the antiworm vendors update their signature-base accordingly. This solution is not perfect since worms propagate very rapidly and by the time local anti-worm software tools have been updated, very expensive damage would have been inflicted by the worm. 2. RELATED WORKS In area of worm early detection techniques, [3] proposed a Kalman filter-based detection algorithm. This approach detects the trend of illegitimate scans to a large unused IP space. [6] proposed a victim counter-based detection algorithm that tracks the increased rate of new infected hosts. Worm alerts are output when anomaly events occur consecutively over a certain number of times. [2] proposed to use ICMP Destination Unreachable messages collected at border routers to infer worm activities. This approach is based on threshold-based anomaly detection. Researchers have also used honeypots to distract attackers, early warnings about new attack techniques and in-depth analysis of an adversary s strategies []. In [5] researchers used honeypots inside a university to detect infected machines behind a firewall. This augmented an existing IDS and sometimes provided earlier warnings of compromised machines. 3. Behavioral Classification Of Network (BCN) To Detect Unknown Computer Worm 3.. System Architecture Packets moving across and through the network forms traffic on the network, the activities of these packets and how it affects the network forms the basis on which the BCN works. The network monitor performs utility check on the network to determine the state and performance of the network and to alert any outbreak of computer worm. This is where the strength of BCN lies. The setup of the system architecture enables the measurement of some network parameters and saved the values in the database, as worm is propagated through the network, and for further identification of worm attack using instance based learning technique. 3.2 Database Design The database model design for this system is a data model that is capable of efficiently representing the data stored by the system. The Packets table store network packet captured, the Time of capture and every packets stored is given a unique number as id. The network_metric table store the network parameter values for the packets identified by Packet_ID related to the Packets table, each set of network parameter value is identified by a unique number called ID. 3.3 RESULT OUTPUT The values of the network parameters N p, are log or saved in the database at a particular time interval T for a given size of network S T. The average default values are obtained before it is subsequently subjected to different worm activities. T d is the time observed at the deviation ( ) from the normal average network parameter values for the particular network size S d. 3.4 SYSTEM APPLICATION Figure. and figure 2. show the interface of the application system designed to captured network traffic and parameter from the network. The application is executed on one of the

International Journal of Computer Applications (975 8887) systems that forms the VM ware team while the worm-scanactivities is ongoing on the net due to the execution of NWS on the same machine or another. The controls and menu in the application system is disabled when it is started, to enable the control click on the FILE menu and select the ENABLE option. The EXIT option terminates the application. To keep record of all network parameter at specific time interval select the Save Activities option from Activity menu. The Network Summary control found in the group of activity control; display the list of available network interface in the system (operating system level) for creating a network connection. The names of the interfaces are displayed on the activity analysis panel, while the characteristics of each interface are displayed in the Network Packet Flow panel. The Response Time control determines the network response time to particular host before the activity of the worm on the network. The response time is displayed on the activity analysis panel. Throughput control determines the throughput of the network before the worm activity on the network. The host the request is sent to and the average throughput is displayed on the activity analysis panel, while the packet sent and reply information is displayed on the Network Packet Flow panel. To display the network packet traffic and other parameter of the network, use the Net Packet control, the packet traffic is given a number and it s displayed on Network Packet Flow panel and the details (such as source/destination IP, checksum, protocol version, hop limit, etc. ) of each shown in activity analysis panel. Figure. shows the interface of the system application on startup with all the menus and controls disabled. Figure 2. is a screen shot of the system interface showing the network traffic captured in network packet flow panel and the list of available network interface. The activities of the network captured by the system application is logged in a file called activities.buk located in a folder created called log in the windows my document folder. The log file (activities.buk) can be viewed with any text editor (such as notepad, notepad++, WordPad). 4. WORM EARLY WARNING SYSTEM (EWS) Internet-worm early warning (EWS) system is deployed at the main gateway of enterprise network at the gateway or a monitor station [3]. The basic idea is to sample the internet scan activities by monitoring a portion of the IPv4 address space behind the gateway. The system detects potential worm outbreak by analyzing the pattern of increase in external scan sources and comparing their similarity. It captures the common signature from those sources in order to assist human analysis or automatically reconfigure a filtering device to block them. Let A be the monitored address space, which is separated from the rest of the Internet by a gateway. The primary task of WEW is to profile all external scan sources from the Internet. To do so, a naive approach is to keep track of all inbound TCP SYN packets [3]. If the number of SYN packets from an external host exceeds a threshold value within a period of time, the host is thought to be scanning. Monitor outbound TCP RESET packets, which indicate failed inbound connection attempts, where the worm scans for and then infects certain types of web servers. A connection attempt fails if the destination host does not exist or the destination port is not open. Specifically, if a SYN packet is sent to an existing host with the destination port closed, a TCP RESET packet will be returned; if a SYN packet is sent to a non-existing host, an ICMP hostunreachable packet is returned. Consequently, most random connections made by a worm scan will fail, which also implies that the scan rate can be roughly measured by the rate of failed connections. A normal user does not persistently cause connection failures to different destination addresses at a high rate. Therefore, by monitoring TCP RESET and ICMP host-unreachable packets, we can set worm scan sources apart from normal users. Assume the monitored address space A is densely populated. Outbound TCP RESET packets will be the main form of response to failed inbound connections. Examining RESET packets alone at the gateway will suffice the detection of external worm scan sources. Specifically, when WEW detects the number of RESET packets to an external host exceeds a threshold value within a period of time, it reports the host as a likely scan source [4] 5. SYSTEM EVALUATION OF BEHAVIORAL CLASSIFICATION OF NETWORK BCN AND WORM EARLY WARNING SYSTEM (EWS). EWS is capable of issuing a warning at an average of 25seconds for an infected system on the network, from the result in table 2 and table 3,BCN is capable of issuing a warning at an average of sec. The table below shows the outcome, using equation. for both systems at different network size. 6. CONCLUSION Anti-worms software packages exist for detecting and eliminating known malicious codes but cannot be used for detecting unknown worm codes. Our BCN is capable of issuing a warning at an average of seconds for an infected system on the network. It takes longer time for EWS to detect worm than BCN. 2

International Journal of Computer Applications (975 8887) Figure : Application for the system with disabled controls Figure 2: Network Work Simulator(Simulating code red worm) 3

International Journal of Computer Applications (975 8887) Figure 3: Application for the system with enabled controls Table : Normal value for network parameter NETWORK PARAMETER (METRIC) AVG. VALUE NETWORK.42 LATENCY THROUGHPUT.2 BANDWIDTH RESPONSE TIME.25 NETWORK UTILIZATION PACKET LOSS RELIABILITY Table 2: Network parameter value for BCN Metrics Latency Throughput Response Time Time(sec) Network Utilization Packet Loss.42..26 5.8.8 2.4.2.26 5.25.87 Reliability 4

International Journal of Computer Applications (975 8887) 3.42.2.26 5.33.8 4.45.25.26 5.32.86 5.4.23.29 5.63.86 6.5.25.29 5.6.83 7.94 2.63.39 2.78.4 8.94 2.53.44 2.44.4 9.94 2.63.43 2.33.4.94 2.63.43 2.77.4.9.8.7.6.5.4.3.2. 2 3 4 5 6 7 8 9 2 3 4 5 6 7 8 9 Figure 4: Latency 3 2.5 2.5.5 2 3 4 5 6 7 8 9 Figure 5: Response time 5

International Journal of Computer Applications (975 8887).6.4.2.8.6.4.2 2 3 4 5 6 7 8 9 Figure 6: Throughput 7 6 5 4 3 2 2 3 4 5 6 7 8 9 Figure 7 :Network utilization 25 2 5 5 2 3 4 5 6 7 8 9 Figure 8: Packet loss 6

Network size WEW (sec) (average alarm warning) BCN (sec) (average alarm warning) International Journal of Computer Applications (975 8887).8.6.4.2 2 3 4 5 6 7 8 9 Figure 9 :Reliability Table 3. Comparing alarm warning of both systems for worm attack ID 3 83.38 63.33 2 5 38.97 5.56 3 7 94.55 47.78 4 9 25.4 9. 5 2 333.52 253.33 6 5 46.9 36.67 7 2 555.87 422.22 6 5 4 3 2 Series WEW Series2 BCN 3 5 2 7 3 9 4 2 5 5 6 2 7 Figure. graph from table 3. (worm alarm warning for both system for different network size) 7

International Journal of Computer Applications (975 8887) 7. REFERENCES [] Addison W and Lance S 23Honeypots: Tracking Hackers. [2] Berk V.H., Gray R.S., and Bakos G. 23.Using sensor networks and data fusion for early detection of active worms. In Proceedings of the SPIE AeroSense,23. [3] Chen Z, Gao L, and Kwiat K 23 Modeling the spread of active worms. In Proceedings of the IEEE INFOCOM 23, March 23. [4] Shigang Chen, Sanjay Ranka 24 Detecting Internet Worms at Early Stage [5] John L, Richard L, Henry O, Didier C, and Brian C.23. The use of honeynets to detect exploited systems across large enterprise networks. In Proceedings of the 23 IEEE Workshop on Information Assurance. [6] Wu J, Vangala S, Gao L, and Kwiat K 24. An efficient architecture and algorithm for detecting worms with various scan techniques. In Proceedings of the th Annual Network and Distributed System Security Symposium (NDSS 4), February 24. [7] Zou C.C., Towsley D.,Gong W and Cai S 23. Routing worm: A fast, selective attack worm based on ip address information. Technical Report TR-3-CSE-6, Umass ECE Dept., November 23. 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information