network security chapter 5 intruders & malicious software slides by h. johnson & s. malladi-...
TRANSCRIPT
Network SecurityNetwork Security
Chapter 5Chapter 5Intruders & Malicious Intruders & Malicious Software Software
Slides by H. Johnson & S. Malladi- Modified & Translated by Sukchatri P.
Outline
•Intruders▫Intrusion Detection Techniques
Statistical Anomaly Rule Based Detection
•Password management▫Password Protection▫Password Selection Strategies
•Recommended Reading and WEB Sites
14/12/2010
2
University of Phayao
Intruders•Three classes of intruders (hackers or
crackers):▫Masquerader- unauthorized individual who
exploits legitimate user’s account (outsider)▫Misfeasor- legitimate user, who misuses his or
her privileges (insider)▫Clandestine user- individual who seizes
supervisory control and uses it to evade auditing or access controls (insider or outsider)
14/12/2010
3
University of Phayao
Intruders
•Clearly a growing publicized problem▫from “Wily Hacker” in 1986/87▫to clearly escalating CERT stats
•May seem benign, but still cost resources•May use compromised system to launch
other attacks
14/12/2010
4
University of Phayao
Intrusion Detection•If intrusion is detected quickly, intruder
can be identified and ejected from system before damage is done
•An effective detection system acts as a deterrent, to prevent intrusions
•Detection enables the collection of information to strengthen the system.
14/12/2010
5
University of Phayao
Intrusion Detection• The goal of an intrusion detection system (IDS) is to
detect that bad things are happening…▫ …just as they start happening (hope so)▫ How is this different from a firewall?
• Successful attack is usually (but not always) associated with an access control violation▫ A buffer overflow has been exploited, and now attack code is
being executed inside a legitimate program▫ Outsider gained access to a protected resource▫ A program or file has been modified▫ System is not behaving “as it should”
14/12/2010
6
University of Phayao
Intrusion Detection Techniques•Objective of intruder is to gain access to the
system or to increase range of privlileges•System maintains a file that associates a
password with each authorized user.•Password file can be protected with:
▫One-way encryption▫Access Control
14/12/2010
7
University of Phayao
Intrusion Techniques
•Aim to increase privileges on system•Basic attack methodology
▫target acquisition and information gathering ▫initial access ▫privilege escalation ▫covering tracks
•Key goal often is to acquire passwords•Then exercise access rights
14/12/2010
8
University of Phayao
Intrusion Techniques• Techniques for guessing passwords:
• Try default passwords.• Try all short words, 1 to 3 characters long.• Try all the words in an electronic
dictionary(60,000).• Collect information about the user’s hobbies,
family names, birthday, etc.• Try user’s phone number, social security
number, street address, etc.• Try all license plate numbers (MUP103).• Use a Trojan horse• Tap the line between a remote user and the
host system.
Prevention: Enforce good password selection (Ij4Gf4Se%f#)
14/12/2010
9
University of Phayao
Profiles of Behavior of Intruders and Authorized Users
14/12/2010
10
University of Phayao
Intrusion Detection•Based on assumption that behavior of
intruder differs from legitimate user•Statistical anomaly detection
▫threshold detection (frequency of events)▫profile based (change in activity of user)
•Rule based detection▫anomaly detection (rules detect deviation in
behavior pattern)▫penetration identification(searches for suspicious
behavior)
14/12/2010
11
University of Phayao
Intrusion Detection•Statistical anomaly attempts to define
normal or expected behavior and are effective against masqueraders.
•Rule based approaches attempt to define proper behavior and are effective against misfeasors
•Combination of both are generally used
14/12/2010
12
University of Phayao
Tools for Intrusion Detection•Statistical Anomaly Detection primarily through
the analysis of audit records using the following metrics:▫Counter: eg. number of login attempts, password failures▫Gauge: value of user connections,applications, messages▫ Interval timer: length of time between events (eg. logins)▫Resource Utilization: quantity of resources consumed (eg.
pages printed, time consumed by program execution)
14/12/2010
13
University of Phayao
Tools for Intrusion Detection•Audit Records - software that collects
information on user activity:▫Subject: action initiators (user or process)▫Action: operation performed▫Object: action receptors ( files, programs,
etc.)▫Exception Condition▫Resource usage▫Time stamp
14/12/2010
14
University of Phayao
Other Measures Used for Intrusion Other Measures Used for Intrusion DetectionDetection
•Login frequency by day and time.•Frequency of login at different locations.•Time since last login.•Password failures at login.•Execution frequency.•Execution denials.•Read, write, create, delete frequency.•Failure count for read, write, create and
delete.
14/12/2010
15
University of Phayao
Statistical TestsStatistical Tests•Mean and Standard Deviation- average
behavior and its variability•Multivariate Model- correlation between two
or more variables•Markov Process- establishes transition
probabilities between two or more states•Time Series - focuses on time intervals•Operational Model- judgement of what is
abnormal ( See table p. 303)
14/12/2010
16
University of Phayao
Rule Based DetectionRule Based Detection•Observe events and apply set of rules as to
whether or not they are suspicious, for example:▫Users should not read other user’s files▫Users must not write other’s files▫Users who login after hours usually use files they
used earlier in the day▫Users generally use system commands to open
devices▫Users should not be logged in more than once to
same system▫Users should not make copies of system programs
14/12/2010
17
University of Phayao
The Stages of a Network The Stages of a Network IntrusionIntrusion1. Scan the network to:
• locate which IP addresses are in use, • what operating system is in use, • what TCP or UDP ports are “open” (being listened to by Servers).
2. Run “Exploit” scripts against open ports3. Get access to Shell program which is “suid” (has “root”
privileges).4. Download from Hacker Web site special versions of
systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.
18
14/12/2010
18
University of Phayao
Where are IDS employed?Where are IDS employed?•Host-based intrusion detection
▫Monitor activity on a single host▫Advantage: better visibility into behavior of
individual applications running on the host•Network-based intrusion detection (NIDS)
▫Often placed on a router or firewall▫Monitor traffic, examine packet headers and
payloads▫Advantage: single NIDS can protect many hosts
and look for global patterns
14/12/2010
19
University of Phayao
Distributed Intrusion DetectionDistributed Intrusion Detection•Major issues in design:
▫Need to deal with different audit record formats
▫One of more nodes in network will serve as collection points for data, which must then be transmitted securely
▫Centralized or decentralized architecture can be used
•Requires coordination and cooperation
14/12/2010
20
University of Phayao
Distributed Intrusion Detection Distributed Intrusion Detection SystemSystem•Developed at Univ. of California-Davis:•Host Agent module: collects data on
security events in hosts and transmits to central manager
•LAN monitor agent module: analyzes LAN traffic and reports to central manager
•Central manager module: receives reports and correlates them to detect intrusion
14/12/2010
21
University of Phayao
Distributed Intrusion DetectionDistributed Intrusion Detection
Developed at University of California at Davis
14/12/2010
22
University of Phayao
Distributed Intrusion DetectionDistributed Intrusion Detection14/12/2010
23
University of Phayao
RootKitRootKit• Rootkit is a set of Trojan system binaries
▫ Emerged in 1994, evolved since then • Typical infection path:
▫ Use stolen password or dictionary attack to log in ▫ Use buffer overflow in rdist, sendmail, loadmodule,
rpc.ypupdated, lpr, or passwd to gain root access▫ Download Rootkit by FTP, unpack, compile and install
• Includes a sniffer (to record users’ passwords)• Hides its own presence!
▫ Installs hacked binaries for netstat, ps, ls, du, login▫ Modified binaries have same checksum as originals
Can’t detect attacker’s processes, files or network connections by
running standard UNIX commands!
14/12/2010
24
University of Phayao
Popular IDSPopular IDS• Snort
▫Most popular open-source tool▫Large rule sets for known vulnerabilities
Date: 2005-04-05 Synopsis: the Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting various implementations of Telnet […] Programming errors in the telnet client code from various vendors may present an attacker with the opportunity to overflow a fixed length buffer […] Rules to detect attacks against this vulnerability are included in this rule pack
• Bro (www.bro-ids.org) ▫Developed by Vern Paxson at Lawrence Berkeley Labs▫Separates data collection and security decisions
Event Engine distills the packet stream into high-level events describing what’s happening on the network
Policy Script Interpeter uses a script defining the network’s security policy to decide what to do in response
14/12/2010
25
University of Phayao
Detecting Backdoors with NIDS•Look for telltale signs of sniffer and rootkit
activity•Entrap sniffers into revealing themselves
▫Use bogus IP addresses and username/password pairs; open bogus TCP connections, then measure ping times Sniffer may try a reverse DNS query on the planted address;
rootkit may try to log in with the planted username If sniffer is active, latency will increase
▫Clever sniffer can use these to detect NIDS presence!•Detect attacker returning to his backdoor
▫Small packets with large inter-arrival times▫Simply search for root shell prompt “# ” (!!)
14/12/2010
26
University of Phayao
Attacks on Network-Based IDS•Overload NIDS with huge data streams, then
attempt the intrusion▫Bro solution: watchdog timer
Check that all packets are processed by Bro within T seconds; if not, terminate Bro, use tcpdump to log all subsequent traffic
•Hide malicious data, split into multiple packets▫NIDS does not have full TCP state and does not
always understand every command of receiving application
▫Simple example: send “ROB<DEL><BS><BS>OT”, receiving application may reassemble to “ROOT”
14/12/2010
27
University of Phayao
Detecting Attack Strings•Want to detect “USER root” in packet stream•Scanning for it in every packet is not enough
▫Attacker can split attack string into several packets; this will defeat stateless NIDS
•Recording previous packet’s text is not enough▫Attacker can send packets out of order
•Full reassembly of TCP state is not enough▫Attacker can use TCP tricks so that certain packets
are seen by NIDS but dropped by the receiving application Manipulate checksums, TTL (time-to-live), fragmentation
14/12/2010
28
University of Phayao
E
TCP Attacks on NIDSInsertion attack
NIDS
U S R r X o o t
Insert packet with
bogus checksum
EU S R r
X
o o t
Dropped
E
TTL attack
NIDS
U S R r
X
o o t
EU S R r
X
o o t
10 hops 8 hops
TTL=20
TTL=12
Short TTL to ensure this packet
doesn’t reach destination
TTL=20Dropped (TTL
expired)
14/12/2010
29
University of Phayao
Intrusion Detection SummaryIntrusion Detection Summary• No bullet-proof solutions, constant arms race• Increasing diversity of traffic = challenge for NIDS
▫ Lots of anomalous, but benign junk ▫ Vern Paxson on stuff they’ve seen on a DMZ:
Storms of 10,000+ FIN or RST packets due to TCP bugs Horrible fragmentation TCPs that acknowledge data that was never sent TCPs that retransmit different data from what was sent
• False alarms are THE problem for IDS▫“The Boy Who Cried Wolf” (base-rate fallacy)▫Can’t flag every anomaly as an attack
14/12/2010
30
University of Phayao
Storing UNIX Passwords
•UNIX passwords were kept in in a publicly readable file, etc/passwords.
•Now they are kept in a “shadow” directory and only visible by “root”.
14/12/2010
31
University of Phayao
Password Management•Frontline of defense against intruders is the
password system:•User ID - determines if user is authorized to
gain access, and determines the privileges accorded to user
•Password authenticates the ID of the individual
14/12/2010
32
University of Phayao
Managing Passwords•Need policies and good user education •Ensure every account has a default password •Ensure users change the default passwords to
something they can remember •Protect password file from general access•Set technical policies to enforce good
passwords ▫minimum length (>6) ▫require a mix of upper & lower case letters,
numbers, punctuation ▫block know dictionary words
14/12/2010
33
University of Phayao
Managing Passwords•May reactively run password guessing tools
▫note that good dictionaries exist for almost any language/interest group
•May enforce periodic changing of passwords •Have system monitor failed login attempts, &
lockout account if see too many in a short period
•Need to educate users and get support •Balance requirements with user acceptance •Be aware of social engineering attacks
14/12/2010
34
University of Phayao
Proactive Password Checking•Most promising approach to improving
password security•Allow users to select own password•But have system verify it is acceptable
▫simple rule enforcement (see previous slide)▫compare against dictionary of bad passwords▫use algorithmic (markov model or bloom
filter) to detect poor choices
14/12/2010
35
University of Phayao
UNIX Password System▫User selects password ( 5-8 characters)▫Converted to 56 bit value used as key to
encryption routine- crypt 3- based on DES▫ Modified using a 12 bit “salt” value- related to
time at which password was assigned prevents duplicates from being visible in
password file increases length of password prevents use of hardware implementation of DES
▫Output encrypted 25 times more
14/12/2010
36
University of Phayao
UNIX Password Scheme
Loading a new password
14/12/2010
37
University of Phayao
UNIX Password Scheme
Verifying a password file
14/12/2010
38
University of Phayao
Threats to Password Files
•Encryption scheme is designed to discourage guessing but▫users can gain access on a machine using a
guest account and run a password guessing program or “cracker”
▫if opponent can gain access to password file, cracker can be run on another machine
•Cracker programs are getting better and hardware executes them faster…. ( See p. 312)
14/12/2010
39
University of Phayao
Password Capture•Another attack involves password capture
▫watching over shoulder as password is entered ▫using a trojan horse program to collect▫monitoring an insecure network login (eg. telnet,
FTP, web, email) ▫extracting recorded info after successful login
(web history/cache, last number dialed etc) •Using valid login/password can impersonate
user•Users need to be educated to use suitable
precautions/countermeasures
14/12/2010
40
University of Phayao
Password Guessing• One of the most common attacks• Attacker knows a login (from email/web page etc) • Then attempts to guess password for it
▫ try default passwords shipped with systems▫ try all short passwords▫ then try by searching dictionaries of common words▫ intelligent searches try passwords associated with the user
(variations on names, birthday, phone, common words/interests)
▫ before exhaustively searching all possible passwords • Check by login attempt or against stolen password
file • Success depends on password chosen by user• Surveys show many users choose poorly
14/12/2010
41
University of Phayao
Password Selecting Strategies•User education -
▫must be long and complex enough▫many choose password <= 3 characters▫not easily guessable
•Computer-generated passwords - hard to remember
•Reactive password checking- randomly checks, cancels ones that are guessed
•Proactive password checking- check at time of creation, reject any too simple
14/12/2010
42
University of Phayao
Proactive Password Checkers
•Two techniques for rejecting words on a list show promise:
•Markov Model- based on structure of passwords
•Spafford- based on use of a Bloom Filter
14/12/2010
43
University of Phayao
Markov Model 14/12/2010
44
University of Phayao
Markov Model•Resulting model reflects the structure of the
words in a dictionary.▫“Is this a bad password?” becomes▫“Can this string be generated by the Markov
Model?”▫Statistical test can be done to see if the
password is likely and, if so, it is rejected.
14/12/2010
45
University of Phayao
Network Security
Malicious Software
Slides by H. Johnson & S. Malladi- Modified & Translated by Sukchatri P.
Overview•Viruses and Related Threats
▫Malicious Programs▫The Nature of Viruses▫Antivirus Approaches▫Advanced Antivirus Techniques
14/12/2010
47
University of Phayao
Malicious Logic
•Malicious logic is a set of instructions that cause a site’s security policy to be violated.▫Trojan horses▫viruses▫worms
14/12/2010
48
University of Phayao
Viruses and ”Malicious” Programs
• Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing number of computers. They originally spread by people sharing floppy disks. Now they spread primarily over the Internet (a “Worm”).
• Other “Malicious” Programs may be installed by hand on a single machine. They may also be built into widely distributed commercial software packages. These are very hard to detect before the payload activates (Trojan Horses, Trap Doors, and Logic Bombs).
14/12/2010
49
University of Phayao
Taxonomy of Malicious Programs
Need Host Program
Independent
Trapdoors Logic Bombs
TrojanHorses
Viruses Bacteria Worms
Malicious Programs
14/12/2010
50
University of Phayao
Definitions•Virus - code that copies itself into other
programs•A “Bacteria” replicates until it fills all disk
space, or CPU cycles•Payload - harmful things the malicious
program does, after it has had time to spread •Worm - a program that replicates itself across
the network (usually riding on email messages or attached documents (e.g., macro viruses)
•Macro - virus composed of sequence of instructions that are interpreted rather than executed directly
14/12/2010
51
University of Phayao
Definitions•Boot Sector is used to bootstrap a system
or mount a disk- executed when the system “sees” the disk for the first time
•Boot sector infector - virus that inserts itself into the boot sector of a disk
14/12/2010
52
University of Phayao
Definitions•TSR - terminate and stay resident virus -
stays active in memory after the application has terminated
•Stealth viruses - conceal the infection of files
•Polymorphic - viruses that change form each time it inserts itself into a program
14/12/2010
53
University of Phayao
Definitions• Trojan Horse - instructions in an otherwise good
program that cause bad things to happen (sending your data or password to an attacker over the net).
• Logic Bomb - malicious code that activates on an event (e.g., date).
• Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.
• Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.
14/12/2010
54
University of Phayao
Virus Phases
•Dormant phase - the virus is idle•Propagation phase - the virus places an
identical copy of itself into other programs
•Triggering phase – the virus is activated to perform the function for which it was intended
•Execution phase – the function is performed
14/12/2010
55
University of Phayao
Virus ProtectionHave a well-known virus protection program, configured to
scan disks and downloads automatically for known viruses.
Do not execute programs (or "macro's") from unknown
sources (e.g., PS files, Hypercard files, MS Office documents,
Avoid the most common operating systems and email
programs, if possible.
14/12/2010
56
University of Phayao
Virus Structure 14/12/2010
57
University of Phayao
Virus Techniques
•Stealth viruses▫ Infect OS so that infected files appear normal to user
•Macro viruses▫A macro is an executable program embedded in a word
processing document (MS Word) or spreadsheet (Excel)▫When infected document is opened, virus copies itself
into global macro file and makes itself auto-executing (e.g., gets invoked whenever any document is opened)
•Polymorphic viruses▫Viruses that mutate and/or encrypt parts of their code
with a randomly generated key
14/12/2010
58
University of Phayao
Types of Viruses
• Parasitic Virus - attaches itself to executable files as part of their code. Runs whenever the host program runs.
• Memory-resident Virus - Lodges in main memory as part of the residual operating system.
• Boot Sector Virus - infects the boot sector of a disk, and spreads when the operating system boots up (original DOS viruses).
• Stealth Virus - explicitly designed to hide from Virus Scanning programs.
• Polymorphic Virus - mutates with every new host to prevent signature detection.
14/12/2010
59
University of Phayao
Macro Viruses
•Microsoft Office applications allow “macros” to be part of the document. The macro could run whenever the document is opened, or when a certain command is selected (Save File).
•Platform independent.•Infect documents, delete files, generate
email and edit letters.
14/12/2010
60
University of Phayao
Antivirus Approaches1st Generation, Scanners: searched files for any of a
library of known virus “signatures.” Checked executable files for length changes.
2nd Generation, Heuristic Scanners: looks for more general signs than specific signatures (code segments common to many viruses). Checked files for checksum or hash changes.
3rd Generation, Activity Traps: stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).
4th Generation, Full Featured: combine the best of the techniques above.
14/12/2010
61
University of Phayao
Advanced Antivirus Techniques
•Generic Decryption (GD)▫CPU Emulator▫Virus Signature Scanner▫Emulation Control Module
•For how long should a GD scanner run each interpretation?
14/12/2010
62
University of Phayao
Advanced Antivirus Techniques
14/12/2010
63
University of Phayao
Trojans and Viruses
Malware
•Malicious code often masquerades as good software or attaches itself to good software
•Some malicious programs need host programs▫Trojan horses, logic bombs, viruses
•Others can exist and propagate independently▫Worms, automated viruses
•There are many infection vectors and propagation mechanisms
14/12/2010
65
University of Phayao
Trojan Horses
•A trojan horse is malicious code hidden in an apparently useful host program
•When the host program is executed, trojan does something harmful or unwanted▫User must be tricked into executing the host
program▫In 1995, a program distributed as PKZ300B.EXE
looked like a new version of PKZIP… When executed, it formatted your hard drive.
•Trojans do not replicate▫This is the main difference between worms and
viruses
14/12/2010
66
University of Phayao
Viruses
•Virus propagates by infecting other programs▫Automatically creates copies of itself, but to
propagate, a human has to run an infected program Self-propagating malicious programs are usually called
worms
•Viruses employ many propagation methods▫Insert a copy into every executable (.COM, .EXE)▫Insert a copy into boot sectors of disks
“Stoned” virus infected PCs booted from infected floppies, stayed in memory and infected every floppy inserted into PC
▫Infect TSR (terminate-and-stay-resident) routines By infecting a common OS routine, a virus can always stay
in memory and infect all disks, executables, etc.
14/12/2010
67
University of Phayao
Evolution of Polymorphic Viruses (1)
•Anti-virus scanners detect viruses by looking for signatures (snippets of known virus code)▫Virus writers constantly try to foil scanners
•Encrypted viruses: virus consists of a constant decryptor, followed by the encrypted virus body▫Cascade (DOS), Mad (Win95), Zombie (Win95)▫Relatively easy to detect because decryptor is constant
•Oligomorphic viruses: different versions of virus have different encryptions of the same body▫Small number of decryptors (96 for Memorial viruses); to
detect, must understand how they are generated
14/12/2010
68
University of Phayao
Evolution of Polymorphic Viruses (2)
•Polymorphic viruses: constantly create new random encryptions of the same virus body▫Marburg (Win95), HPS (Win95), Coke (Win32)▫Virus must contain a polymorphic engine for creating
new keys and new encryptions of its body Rather than use an explicit decryptor in each mutation, Crypto
virus (Win32) decrypts its body by brute-force key search
•Polymorphic viruses can be detected by emulation▫When analyzing an executable, scanner emulates CPU
for a bit. Virus will eventually decrypt and try to execute its body, which will be recognized by scanner.
▫This only works because virus body is constant!
14/12/2010
69
University of Phayao
Metamorphic Viruses
•Obvious next step: mutate the virus body, too!•Virus can carry its source code (which
deliberately contains some useless junk) and recompile itself▫Apparition virus (Win32)▫Virus first looks for an installed compiler
Unix machines have C compilers installed by default
▫Virus changes junk in its source and recompiles itself New binary mutation looks completely different!
•Many macro and script viruses evolve and mutate their code▫Macros/scripts are usually interpreted, not compiled
14/12/2010
70
University of Phayao
Metamorphic Mutation Techniques
•Same code, different register names▫Regswap (Win32)
•Same code, different subroutine order▫BadBoy (DOS), Ghost (Win32)▫ If n subroutines, then n! possible mutations
•Decrypt virus body instruction by instruction, push instructions on stack, insert and remove jumps, rebuild body on stack▫Zmorph (Win95)▫Can be detected by emulation because the
rebuilt body has a constant instruction sequence
14/12/2010
71
University of Phayao
Putting It All Together: Zmist
•Zmist was designed in 2001 by Russian virus writer Z0mbie of “Total Zombification” fame
•New technique: code integration▫Virus merges itself into the instruction flow of its
host▫“Islands” of code are integrated into random locations in the host program and linked by jumps▫When/if virus code is run, it infects every available portable executable
Randomly inserted virus entry point may not be reached in a particular execution
14/12/2010
72
University of Phayao
Simplified Zmist Infection Process
Pick a PortableExecutable binary< 448Kb in size
Disassemble, insert space for newcode blocks, generate new binary
Insert mutated virus body• Split into jump-linked “islands”• Mutate opcodes (XORSUB, ORTEST)• Swap register moves and PUSH/POP, etc.
Encrypt virus body byXOR (ADD, SUB) with arandomly generated key,insert mutated decryptor
Insert random garbage instructions usingExecutable Trash Generator
Decryptor must restore host’s registers to preserve host’sfunctionality
Randomly insertindirect call OR jumpto decryptor’s entrypoint OR rely oninstruction flow toreach it
14/12/2010
73
University of Phayao
How Hard Is It to Write a Virus?
•498 matches for “virus creation tool” in Spyware Encyclopedia▫ Including dozens of poly- and metamorphic engines
•OverWriting Virus Construction Toolkit▫"The perfect choice for beginners“
•Biological Warfare Virus Creation Kit▫Note: all viruses will be detected by Norton Anti-
Virus •Vbs Worm Generator (for Visual Basic worms)
▫Used to create the Anna Kournikova worm•Many others
14/12/2010
74
University of Phayao
Thank you
14/12/2010
75
University of Phayao