Research Direction
Advisor: Frank, Yeong-Sung Lin
Presented by Jia-Ling Pan
2010/10/21, NTUIM OPLAB
Agenda
Introduction
Problem Description
Introduction
Worm attacks
Definition
◦ "A network worm is a piece of malicious code that propagates over a network without human assistance and can initiate actively attack independently or depending on file-sharing." [1]
◦ [1] Kienzle DM and Elder MC, "Recent worms: a survey and trends", Proceedings of the 2003 ACM workshop on Rapid malcode, October 2003.
Worm characteristics
Information collection:
◦ Collect information about the local or target network.
Probing:
◦ Scans and detects the vulnerabilities of the specified host, and determines which approach should be taken to attack and penetrate.
Communication:
◦ Communicate between worm and hacker or among worms.
Attack:
◦ Makes use of the holes found by scanning techniques to create a propagation path.
Self-propagating:
◦ Uses various copies of worms and transfers these copies among different hosts.
Decentralized Information Sharing
Cooperative attack detection and countermeasures using decentralized information sharing.
Use of epidemic algorithms to share attack information and achieve quasi-global knowledge about attack behaviors.
◦ [2] Guangsen Zhang and Manish Parashar, "Cooperative detection and protection against network attacks using decentralized information sharing", Cluster Computing, Volume 13, Number 1, Pages 67-86, 2010.
Decentralized Information Sharing
The mechanism should be easy to deploy, robust, and highly resilient to failures.
Gossip-based mechanisms provide potentially effective solutions that meet these requirements.
Consider dissemination of information in a network to be similar to the spread of a rumor or of an infectious disease in a society.
Decentralized Information Sharing
If all the nodes in this distributed framework have common knowledge about the network attack behaviors, then network attacks can be perfectly detected.
However, achieving common knowledge requires completely synchronized and reliable communication, which is not feasible in a practical distributed system.
Decentralized Information Sharing
In a distributed, decentralized attack detection system, each detection node will only have a partial view of the system.
Using an asynchronous, resilient communication mechanism to share local knowledge, the system can achieve quasi-global knowledge.
With this knowledge, every detection node can acquire sufficient information about attacks and, as a result, the attacks can be detected effectively.
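As an added illustration of the gossip-based sharing described on the last three slides (this is example code written for this page, not the presentation's own material nor the implementation from reference [2]): a minimal push-gossip simulation in which every detection node starts with a partial view and, through lossy, unsynchronised pushes to random peers, moves toward quasi-global knowledge of the observed attack behaviours. The node names, alert strings, peer lists and loss rate are constructed for the example.

```python
import random


def gossip_round(views, peers, rng, loss_rate):
    """One asynchronous round: each node pushes its current alert set to one
    random peer, and every push is dropped independently with probability
    loss_rate. Pushes are collected first and merged afterwards, so no node
    depends on a synchronised, reliable broadcast."""
    deliveries = []
    for node, alerts in views.items():
        target = rng.choice(peers[node])
        if rng.random() >= loss_rate:
            deliveries.append((target, set(alerts)))
    for target, alerts in deliveries:
        views[target] |= alerts
    return views


def simulate(local_alerts, peers, rounds, loss_rate=0.3, seed=1):
    """Run `rounds` gossip rounds starting from each node's partial view.
    Returns (views, coverage_per_round); coverage is the fraction of
    (node, alert) pairs known, so 1.0 means global knowledge."""
    rng = random.Random(seed)
    views = {n: set(a) for n, a in local_alerts.items()}
    universe = set().union(*local_alerts.values())
    history = []
    for _ in range(rounds):
        gossip_round(views, peers, rng, loss_rate)
        known = sum(len(v) for v in views.values())
        history.append(known / (len(views) * len(universe)))
    return views, history


# Constructed sample: five detection nodes on a small overlay, each with a
# partial view (one locally observed worm behaviour, or nothing at all).
LOCAL_ALERTS = {
    "n1": {"scan: tcp/445 burst"},
    "n2": {"scan: tcp/445 burst"},
    "n3": {"smb: unusual outbound sessions"},
    "n4": {"dns: periodic beacon"},
    "n5": set(),  # this sensor observed nothing locally
}
PEERS = {"n1": ["n2", "n3"], "n2": ["n1", "n4"], "n3": ["n1", "n5"],
         "n4": ["n2", "n5"], "n5": ["n3", "n4"]}

if __name__ == "__main__":
    views, history = simulate(LOCAL_ALERTS, PEERS, rounds=12)
    for r, cov in enumerate(history, 1):
        print(f"round {r:2d}: coverage {cov:.2f}")
    print({n: sorted(v) for n, v in views.items()})
```

With a non-zero loss rate the coverage curve rises monotonically but need not reach 1.0 within a fixed number of rounds, which is exactly the quasi-global (rather than common) knowledge the slides contrast.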
Decentralized Information Sharing
◦ AS level
◦ Overlay network
Unknown worm behavioral detection
Detecting unknown worm activity in individual computers while minimizing the required set of features collected from the monitored computer.
While all the worms are different, we wanted to find common characteristics by the presence of which it would be possible to detect an unknown worm.
◦ [3] R. Moskovitch, Y. Elovici, and L. Rokach, "Detection of unknown computer worms based on behavioral classification of the host", Computational Statistics & Data Analysis, Volume 52, Issue 9, Pages 4544-4566, May 2008.
Worm origin identification
Present the design of a Network Forensic Alliance (NFA), to allow multiple administrative domains (ADs) to jointly locate the origin of epidemic spreading attacks.
Can find the origin and the initial propagation paths of a worm attack, either within an intranet or on the Internet as a whole, by performing post-mortem analysis on the traffic records logged by the networks.
◦ [5] Yinglian Xie, V. Sekar, M.K. Reiter and Hui Zhang, "Forensic Analysis for Epidemic Attacks in Federated Networks", Proceedings of the 2006 14th IEEE International Conference on Network Protocols, November 2006.
Problem Description
Problem Description
Attacker attributes
Defender attributes
Attack-defense scenarios
Attacker attributes
Objective
◦ Using worms to get a clearer map of network topology information or vulnerabilities, and eventually compromise core nodes.
Budget
◦ Node compromising
◦ Worm injection
Attacker attributes
Attack mechanisms
◦ Node compromising. Next-hop selection criteria:
  Link degree: high link degree (information seeking)
  Link utilization: low link utilization (stealth strategy)
◦ Worm injection. Candidate selection criteria:
  Link traffic: high link traffic (high-rate worm injection); low link traffic (low-rate worm injection)
Defender attributes
Objective
◦ Protect core nodes
Budget
◦ General defense resources (e.g. firewall, IDS)
◦ Worm profile distribution mechanisms
◦ Worm source identification methods
Defender attributes
Defense mechanisms
◦ Node protection
◦ Unknown worm detection & profile distribution
◦ Worm origin identification
Scenarios
(Figure: topology of AS nodes A to J with firewalls and core AS nodes; legend: Firewall, AS node, Core AS node, Profile generation, Type1 worm, Type2 worm.)
Scenarios
(Figure, same topology: Attacker A and Attacker B each perform node compromise; profile generation shown at the defender.)
Scenarios
(Figure, same topology: after node compromise, Attacker A performs worm injection; profile generation shown.)
Scenarios
(Figure, same topology: worm propagation from the injected node; profile generation shown.)
Scenarios
(Figure, same topology: Attacker A's worm continues to spread; profile generation shown.)
Scenarios
(Figure, same topology: Attacker A performs a further node compromise; profile generation shown.)
Scenarios
(Figure, same topology: defender steps shown: detect unknown worm behavior, profile generation, profile distribution, worm origin identification.)
Scenarios
(Figure, same topology: Attacker A performs another worm injection; profile generation shown.)
Scenarios
(Figure, same topology: worm propagation from the second injection; profile generation shown.)
Scenarios
(Figure, same topology: defender steps shown again: detect unknown worm behavior, profile generation, profile distribution, worm origin identification.)
Scenarios
(Figure, same topology: final state with Attacker A and profile generation shown.)
Thanks for listening