
Research Direction

Research Direction. Advisor: Frank Yeong-Sung Lin. Presented by Jia-Ling Pan.



  1. Research Direction Advisor: Frank Yeong-Sung Lin Presented by Jia-Ling Pan NTUIM OPLAB

  2. Agenda • Introduction • Problem Description

  3. Introduction

  4. Worm attacks • Definition • “A network worm is a piece of malicious code that propagates over a network without human assistance and can initiate actively attack independently or depending on file-sharing.” [1] • [1] Kienzle DM and Elder MC, “Recent worms: a survey and trends”, Proceedings of the 2003 ACM Workshop on Rapid Malcode, October 2003.

  5. Worm characteristics • Information collection: • Collects information about the local or target network. • Probing: • Scans and detects the vulnerabilities of the specified host, and determines which approach should be taken to attack and penetrate. • Communication: • Communicates between worm and hacker, or among worms. • Attack: • Makes use of the holes found by scanning to create a propagation path. • Self-propagating: • Produces copies of the worm and transfers these copies among different hosts.

  6. Decentralized Information Sharing • Cooperative attack detection and countermeasures using decentralized information sharing. • Use of epidemic algorithms to share attack information and achieve quasi-global knowledge about attack behaviors. • [2] Guangsen Zhang and Manish Parashar, “Cooperative detection and protection against network attacks using decentralized information sharing”, Cluster Computing, Volume 13, Number 1, Pages 67-86, 2010.

  7. Decentralized Information Sharing • The mechanism should be easy to deploy, robust, and highly resilient to failures. • Gossip-based mechanisms provide potentially effective solutions that meet these requirements. • Dissemination of information in a network is treated as similar to the spread of a rumor, or of an infectious disease, in a society.

  8. Decentralized Information Sharing • If all the nodes in this distributed framework had common knowledge about the network attack behaviors, then network attacks could be perfectly detected. • However, achieving common knowledge requires completely synchronized and reliable communication, which is not feasible in a practical distributed system.

  9. Decentralized Information Sharing • In a distributed, decentralized attack detection system, each detection node only has a partial view of the system. • Using an asynchronous, resilient communication mechanism to share local knowledge, the system can achieve quasi-global knowledge. • With this knowledge, every detection node can acquire sufficient information about attacks, and as a result the attacks can be detected effectively.

  10. Decentralized Information Sharing • AS level • Overlay network
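The gossip-based sharing of slides 6 to 10 can be made concrete with a small push-gossip simulation. This is an added example, not code from the presentation or from reference [2]: the overlay graph is a constructed ring lattice with random chords standing in for the AS-level overlay, each informed detection node forwards an attack profile to a few random peers per round, and crashed nodes neither receive nor relay, so one can watch partial local views converge to quasi-global knowledge despite failures.

```python
import random

def build_overlay(n, k, extra_links, seed=0):
    """Constructed AS-level overlay: every node links to its k nearest ring
    neighbours, plus `extra_links` random long-range chords (assumption)."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for d in range(1, k // 2 + 1):
            j = (i + d) % n
            adj[i].add(j)
            adj[j].add(i)
    while extra_links > 0:
        a, b = rng.sample(range(n), 2)
        if b not in adj[a]:
            adj[a].add(b)
            adj[b].add(a)
            extra_links -= 1
    return {i: sorted(v) for i, v in adj.items()}

def gossip_round(graph, informed, failed, fanout, rng):
    """One push round: each node that already holds the attack profile
    forwards it to `fanout` random neighbours; failed nodes ignore it."""
    newly = set()
    for node in informed:
        peers = graph[node]
        for peer in rng.sample(peers, min(fanout, len(peers))):
            if peer not in informed and peer not in failed:
                newly.add(peer)
    return informed | newly

def simulate_gossip(graph, source, fanout=2, failed=frozenset(),
                    max_rounds=50, seed=0):
    """Return, per round, how many live nodes hold the profile.  Knowledge is
    only partial early on and becomes quasi-global after O(log n) rounds."""
    rng = random.Random(seed)
    informed = {source}
    live = len(graph) - len(failed)
    history = [len(informed)]
    for _ in range(max_rounds):
        informed = gossip_round(graph, informed, failed, fanout, rng)
        history.append(len(informed))
        if len(informed) == live:      # every reachable live node informed
            break
    return history

if __name__ == "__main__":
    overlay = build_overlay(64, 4, 16)
    print("rounds to full coverage:", len(simulate_gossip(overlay, 0)) - 1)
    print("with 3 crashed nodes:", simulate_gossip(overlay, 0, failed={1, 2, 3})[-1])
```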

  11. Unknown worm behavioral detection • Detecting unknown worm activity in individual computers while minimizing the required set of features collected from the monitored computer. • While all the worms are different, the goal is to find common characteristics whose presence makes it possible to detect an unknown worm. • [3] R. Moskovitch, Y. Elovici, and L. Rokach, “Detection of unknown computer worms based on behavioral classification of the host”, Computational Statistics & Data Analysis, Volume 52, Issue 9, Pages 4544-4566, May 2008.

  12. Worm origin identification • Presents the design of a Network Forensic Alliance (NFA), which allows multiple administrative domains (ADs) to jointly locate the origin of epidemic spreading attacks. • Can find the origin and the initial propagation paths of a worm attack, either within an intranet or on the Internet as a whole, by performing post-mortem analysis on the traffic records logged by the networks. • [5] Yinglian Xie, V. Sekar, M.K. Reiter and Hui Zhang, “Forensic Analysis for Epidemic Attacks in Federated Networks”, Proceedings of the 14th IEEE International Conference on Network Protocols (ICNP 2006), November 2006.
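The post-mortem analysis of slide 12 can be illustrated by backtracking the worm's first-contact tree through merged flow logs. This is an added example, not code from the presentation or from reference [5]: the per-AD logs and host names are constructed, each record is a flow that matched the worm profile, and the infector of a host is taken to be the earliest sender of such a flow that was itself already infected at that time (a simplifying assumption); hosts with no infector are the candidate origins.

```python
# Constructed per-AD logs of flows matching the worm profile: (time, src, dst).
# In a Network Forensic Alliance the ADs would pool these for joint analysis.
AD_LOGS = {
    "AD-1": [(10, "A", "B"), (12, "A", "D"), (15, "B", "C"), (9, "H", "A")],
    "AD-2": [(18, "D", "E"), (20, "C", "F"), (21, "E", "B"), (25, "F", "G")],
}
# Hosts the detection step (slide 11) flagged as infected; constructed.
INFECTED = {"A", "B", "C", "D", "E", "F", "G", "H"}

def merge_logs(ad_logs):
    """Pool every AD's records and order them by time (post-mortem view)."""
    return sorted(rec for recs in ad_logs.values() for rec in recs)

def reconstruct_propagation(records, infected):
    """Return (origins, parent): parent[dst] is the host that first reached
    dst with a worm-profile flow while itself infected.  Flows from hosts
    that are not infected (e.g. false positives) cannot be infection edges."""
    infected_at = {}   # host -> time of its first inbound worm flow
    parent = {}
    for t, src, dst in sorted(records):
        if src not in infected or dst not in infected or dst in infected_at:
            continue
        # src must already be infected at time t, or have no known infector
        # (then it is an origin candidate and its outbound flows count).
        if src not in infected_at or infected_at[src] < t:
            infected_at[dst] = t
            parent[dst] = src
    origins = sorted(h for h in infected if h not in parent)
    return origins, parent

def propagation_path(parent, host):
    """Walk parent pointers back from `host` to its origin."""
    path = [host]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path[::-1]

if __name__ == "__main__":
    origins, parent = reconstruct_propagation(merge_logs(AD_LOGS), INFECTED)
    print("origins:", origins)
    print("path to G:", " -> ".join(propagation_path(parent, "G")))
```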

  13. Problem Description

  14. Problem Description • Attacker attributes • Defender attributes • Attack-defense scenarios

  15. Attacker attributes • Objective • Using worms to get a clearer map of network topology information or vulnerability, and eventually compromise core nodes. • Budget • Node compromising • Worm injection

  16. Attacker attributes • Attack mechanisms • Node compromising • Next hop selection criteria: • Link degree • High link degree: information seeking • Link utilization • Low link utilization: stealth strategy • Worm injection • Candidate selection criteria: • Link traffic • High link traffic: high-rate worm injection • Low link traffic: low-rate worm injection

  17. Defender attributes • Objective • Protect core nodes • Budget • General defense resources (e.g. firewall, IDS) • Worm profile distribution mechanisms • Worm source identification methods

  18. Defender attributes • Defense mechanisms • Node protection • Unknown worm detection & profile distribution • Worm origin identification

  19-29. Scenarios (diagram slides; only the labels survive) • Topology: AS nodes A through J, a core AS node, a firewall, a profile-generation node, and an external attacker attached at A. • Sequence shown across the slides: the attacker compromises nodes (node compromise) and injects Type1 and Type2 worms (worm injection); the worms propagate across the AS nodes (worm propagation); a node detects unknown worm behavior and the profile-generation node builds a worm profile; the profile is distributed to the other AS nodes (profile distribution); the defenders run worm origin identification, after which the attacker injects and propagates again and the cycle repeats.

  30. Thanks for your listening
