Behavioral Anomaly Detection of Malware on Home Routers
Slide 1: Behavioral Anomaly Detection of Malware on Home Routers
Ni An, Alex Duff, Gaurav Naik, Michalis Faloutsos, Steven Weber, Spiros Mancoridis
CAE Tech Talk, 10/19/2017
Slide 2: Our team
Ni An, Alex Duff, Gaurav Naik, Michalis Faloutsos, Steven Weber, Spiros Mancoridis
October 19, 2017, CAE Tech Talk - Drexel U. Isaac L. Auerbach Cybersecurity Institute
Slide 3: Malware Conference 2017
Slide 4: Agenda
  Motivation
  Malware
  Experiment setup
  System call distribution
  Training, testing, metrics
  Malware detection algorithms
  Experimental results
  Conclusions and future work
Slide 5: Internet of Things (IoT): they're here
Slide 6: IoT's obligation to security and privacy
"Connected devices [are] collecting, transmitting, storing, and often sharing vast amounts of consumer data, some of it highly personal ... companies are investing billions of dollars in this growing industry; they should also make appropriate investments in privacy and security. The stakes are too high to do otherwise."
Edith Ramirez, Former Chairwoman, Federal Trade Commission
Ramirez E (2015) Privacy and the IoT: navigating policy issues, International Consumer Electronics Show, Las Vegas.
Chamberlain A (2017) Special theme on privacy and the Internet of things, Springer Journal on Personal and Ubiquitous Computing, August.
Slide 7: The difficulty of securing the IoT
"The primary challenge involving the IoT is twofold. First of all, the vast increase in the number of network-enabled devices, which increases the range of possible avenues of attack. Secondly, because many devices that are part of the IoT are themselves vulnerable, they may provide hackers with an easy route to launch an attack on an otherwise secured network."
Delgado R (September 22, 2017) Dealing with the endpoint security weaknesses of the Internet of Things, IoTnews.
Slide 8: Malware on the IoT
Slide 9: Basic facts about Mirai malware
  Malware that turns networked Linux devices into remotely controlled bots (botnet)
  These bots scan for IoT devices and home network routers and seek to control them via default usernames/passwords
  Mirai bots may be remotely controlled for DDoS attacks
  Mirai botnet first detected August 2016
  Krebs On Security attack September 2016
  Dyn DNS provider attack October 2016
  Known to have infected at least ~500k devices
Slide 10: Behavioral anomaly detection
Traditional anti-virus (AV) approach to malware detection:
  Maintain a list of hashes (signatures, fingerprints) of known malware
  Drawbacks:
    Difficult to maintain / update (zero-day vulnerabilities)
    Hashes are an imperfect capture of malware (compilation artifacts)
    Malware is designed to adapt to avoid signature-based detection (polymorphism)
  Advantages:
    Does not require sensors, behavior monitoring, or a baseline of normal behavior
Modern machine-learning-based approach to malware detection:
  Monitor behavior through sensors (features), establish a "normal behavior" baseline, and seek to detect anomalies (abnormal behavior)
  Drawbacks:
    May be difficult to find the right features
    Needs a reliable normal baseline
    Errors: false positives and missed detections
  Advantages:
    Does not require a malware library (less vulnerable to zero-day attacks and polymorphic malware)
Slide 11: Talk overview
Question: how well can IoT malware (like Mirai) be detected on IoT-like devices (like home routers) using behavioral anomaly detection (specifically system call analysis)?
  Sensors: system calls on the home router
  Features: system-call n-grams
  Detection: three standard approaches
    Principal Component Analysis (PCA)
    One-class Support Vector Machine (SVM)
    Unseen n-gram detector
Intuition: because IoT devices have relatively simple functionality, their normal behavior is easier to characterize, and as such abnormal behavior should be easier to detect.
Slide 12: Agenda (section divider, repeating slide 4)
Slide 13: A Mirai mugshot from VirusShare
Slide 14: Malware used in this project
Five different malware binaries:
  Mr. Black (one variant)
  Mirai (four variants)
32-bit ELF binaries compiled for the ARM architecture
Different AV platforms label the binaries with different names
Malware binaries downloaded from VirusShare
Slide 15: Agenda (section divider, repeating slide 4)
Slide 16: Experimental setup (diagram)
  MAWI Client 1, MAWI Client 2, MAWI Client 3 each send TCP traffic (TCP traffic 1, 2, 3) through the emulated router (Linux ARM VM) to the Internet
  System call sensor built upon ftrace, producing kernel function / system call logs
Slide 17: Network traffic
  No home router network traffic archive known to us
  Instead, use (filtered) network backbone traffic from MAWI (Measurement and Analysis of Wide-area Internet)
  Selected 9 distinct MAWI pcap (packet capture) files, each roughly 15 minutes in duration
  Found a source IP address / port with HTTP (80) / HTTPS (443) traffic in most of the file, and retained only traffic to/from that user
  Translated the user's IP network address to [address not in transcription] (private IP network address often used by home routers)
  Combined these 9 traffic files by forming all possible subsets of size <= 4 (255 distinct combinations)
Slide 18: Number of TCP packets in each of the 255 distinct network traffic files (chart; x-axis: pcap file index, y-axis: number of TCP packets)
Slide 19: Home router virtual machine
  VM: used QEMU (Quick Emulator, qemu.org), an open source hypervisor, chosen for its support of the ARM architecture
  Router: used LEDE (Linux Embedded Development Environment, lede-project.org), an open source firmware project and fork of the OpenWrt project
  Used a customized ARM router firmware; customization includes turning on ftrace to enable system call monitoring
Slide 20: LEDE configuration for QEMU ARM VM
Slide 21: LEDE configuration: enable ftrace
ftrace is a tracing framework in the Linux kernel that can be used to record system calls
Slide 22: LEDE config: heimdall's syscall-trace utility
heimdall is a malware / anomaly detection utility written by Alex Duff. It includes the syscall-trace utility for archiving and filtering the system calls recorded by ftrace.
Slide 23: Home router kernel system calls
  The home router kernel includes 379 distinct system calls
  System calls were recorded for each of the 255 traffic traces
  System call trace length statistics:
    Average trace length: 113,464
    Maximum trace length: 127,484
    Minimum trace length: 46,052
  System call diversity statistics:
    Distinct 1-grams (system calls): 80 (21.1% of 379)
    Distinct 2-grams: 2,298 (1.60% of 379^2)
    Distinct 3-grams: 13,522 (0.02% of 379^3)
Slide 24: Agenda (section divider, repeating slide 4)
Slide 25: PMF of system call bi-grams
  Distinct bi-grams from traffic traces: 2,298
  Count the occurrences of each bi-gram, normalize, sort
  Repeat with the syscalls under MrBlack malware, using the same order
Figure: (a) PMF of clean bi-grams (training traces); (b) PMF of bi-grams of traces infected by MrBlack
Slide 26: CDF of system call bi-grams
Figure (d): bi-gram CDFs for Clean, Mirai-v1, Mirai-v2, Mirai-v3, Mirai-v4, Mr. Black
  Distributional differences among Mirai variants
  Some Mirai variants have distributions close to the clean distribution.
Slide 27: Syscall bi-gram distribution distance
A distribution distance measure quantifies the distance between two PMFs.
Jensen-Shannon divergence (JSD):
  JSD(p, q) = \frac{1}{2} KLD(p \| z) + \frac{1}{2} KLD(q \| z), where z = \frac{1}{2}(p + q) is the average of (p, q)
  KLD(p \| r) = \sum_i p(i) \log \frac{p(i)}{r(i)} is the Kullback-Leibler divergence between PMFs (p, r)
KLD is the increase in entropy from using the wrong distribution when making a code.
JSD shows Mirai-v{1,2,3} at a similar distance from clean, and ten times closer than MrBlack.
Table: JSD from the clean distribution for MrBlack, Mirai-v1, Mirai-v2, Mirai-v3, Mirai-v4 (values not in transcription)
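The bi-gram PMF and JSD computation described on slides 25 to 27, as an added example that is not part of the original talk or the heimdall project. The traces are constructed here; the only page-specific values are syscall numbers 78 (gettimeofday) and 120 (clone), which slide 42 lists as appearing only in infected traces.

```python
from collections import Counter
from math import log2

# Constructed example traces of syscall numbers (not captured from the authors' router).
# The "infected" trace repeats the clean pattern but adds calls the slides list
# as appearing only in infected traces: 78 (gettimeofday) and 120 (clone).
CLEAN_TRACE = [4, 3, 192, 6, 5, 5, 6, 4, 3] * 40
INFECTED_TRACE = [4, 3, 192, 6, 5, 5, 6, 4, 3] * 30 + [78, 120, 78, 4, 3] * 10
# Contrast case: a trace whose bi-grams share nothing with the clean trace.
DISJOINT_TRACE = [19, 94, 207, 289] * 40


def bigram_pmf(trace):
    """PMF over consecutive syscall pairs (2-grams): count each pair, then normalize."""
    counts = Counter(zip(trace, trace[1:]))
    total = sum(counts.values())
    return {g: c / total for g, c in counts.items()}


def kld(p, r):
    """Kullback-Leibler divergence KLD(p||r) = sum_i p(i) log p(i)/r(i), in bits.
    Terms with p(i) = 0 contribute nothing; r(i) = 0 while p(i) > 0 makes it infinite,
    which is why JSD compares each PMF against the mixture rather than p against q."""
    total = 0.0
    for g, pi in p.items():
        if pi == 0.0:
            continue
        ri = r.get(g, 0.0)
        if ri == 0.0:
            return float("inf")
        total += pi * log2(pi / ri)
    return total


def jsd(p, q):
    """Jensen-Shannon divergence: average KLD of p and q from their mixture z = (p + q)/2.
    Symmetric and bounded by 1 bit, since z covers the support of both PMFs."""
    z = {g: 0.5 * (p.get(g, 0.0) + q.get(g, 0.0)) for g in set(p) | set(q)}
    return 0.5 * kld(p, z) + 0.5 * kld(q, z)


def bigram_jsd(trace_a, trace_b):
    """Distance between the bi-gram distributions of two syscall traces."""
    return jsd(bigram_pmf(trace_a), bigram_pmf(trace_b))


if __name__ == "__main__":
    for name, trace in [("infected", INFECTED_TRACE), ("disjoint", DISJOINT_TRACE)]:
        print(f"JSD(clean, {name}) = {bigram_jsd(CLEAN_TRACE, trace):.4f}")
```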
Slide 28: Agenda (section divider, repeating slide 4)
Slide 29: Data preprocessing
System call trace truncation: truncate a system call trace into fragments of length L (e.g., 1000)
Bag-of-n-grams (e.g., n = 1, 2, 3):
  n-gram: a sequence of system call numbers appearing in a small window of length n
  Bag-of-n-gram model: the sum of the one-hot vectors of the n-grams appearing in a system-call fragment
Example (2-gram frequency table, only partly recoverable): 2-grams such as (6, 5) with frequency 1, (5, 5) with frequency 2, and (..., 6) with frequency 1; the resulting bag-of-2-gram vector is x_i = (1, 1, 1, 2, 1, 1)
Slide 30: TF-IDF transformation
Term frequency - inverse document frequency. Here: terms are n-grams, documents are syscall fragments.
Matrix X: rows are syscall fragment indices, columns are n-gram indices. X_{i,j} counts the number of occurrences of n-gram j in fragment i, out of N fragments; |\{i : X_{i,j} > 0\}| counts the number of fragments in which n-gram j occurs.
TF-IDF transformation of X:
  TFIDF(X_{i,j}) = TF(X_{i,j}) \cdot IDF(X_{i,j})
  TF(X_{i,j}) = 1 + \log X_{i,j} if X_{i,j} > 0, and 0 if X_{i,j} = 0
  IDF(X_{i,j}) = 1 + \log \frac{1 + N}{1 + |\{i : X_{i,j} > 0\}|}
Intuition: TF compresses the range of X, IDF increases the weight of rare n-grams.
Final step: standardize each feature vector to unit norm.
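The preprocessing pipeline of slides 29 and 30 (fragmentation, bag-of-n-grams, TF-IDF with the slide's TF and IDF formulas, unit-norm rows), as an added example written here rather than taken from the talk or the heimdall code. The sample trace is constructed; the syscall numbers in it are hypothetical except 78 (gettimeofday), which slide 42 lists for infected traces.

```python
from collections import Counter
from math import log, sqrt

# Constructed syscall trace: a repeating "normal" pattern with one rare call (78) in the middle.
BASE = [4, 3, 192, 6, 5, 5, 6, 4, 3]
SAMPLE_TRACE = BASE * 10 + [4, 3, 78, 4, 3] + BASE * 10


def fragments(trace, L):
    """Truncate a syscall trace into consecutive fragments of length L (a short tail is dropped)."""
    return [trace[i:i + L] for i in range(0, len(trace) - L + 1, L)]


def bag_of_ngrams(fragment, ns=(1, 2, 3)):
    """Bag-of-n-gram model: counts of every n-gram (for each n in ns) in one fragment,
    i.e. the sum of the one-hot vectors of the n-grams, stored sparsely."""
    bag = Counter()
    for n in ns:
        bag.update(tuple(fragment[i:i + n]) for i in range(len(fragment) - n + 1))
    return bag


def tfidf(bags):
    """TF-IDF with the slide's definitions, each row scaled to unit L2 norm.
    TF(X_ij) = 1 + log X_ij for X_ij > 0 (absent n-grams stay 0);
    IDF(X_ij) = 1 + log((1 + N) / (1 + df_j)), df_j = number of fragments containing n-gram j."""
    N = len(bags)
    df = Counter()
    for bag in bags:
        df.update(bag.keys())  # each n-gram counted once per fragment
    rows = []
    for bag in bags:
        row = {g: (1 + log(x)) * (1 + log((1 + N) / (1 + df[g]))) for g, x in bag.items()}
        norm = sqrt(sum(v * v for v in row.values()))
        rows.append({g: v / norm for g, v in row.items()} if norm > 0 else row)
    return rows


def preprocess(trace, L, ns=(1, 2, 3)):
    """Full pipeline: fragments -> bag-of-n-grams -> TF-IDF rows (sparse dicts, unit norm)."""
    return tfidf([bag_of_ngrams(f, ns) for f in fragments(trace, L)])


if __name__ == "__main__":
    rows = preprocess(SAMPLE_TRACE, L=30, ns=(2,))
    # The rare bi-gram (3, 78) only occurs in fragment 3 and is up-weighted by IDF.
    print(len(rows), "fragments;", "weight of (3, 78) in fragment 3:", rows[3][(3, 78)])
```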
Slide 31: Training, testing, cross-validation
Approach: 5-fold cross-validation
  Divide the 255 clean call-traces (one per traffic file) into 5 samples, each sample with 51 call-traces
  For each (of 5) clean sample:
    Training: omitting the clean sample, use the remaining four clean samples for training
    Testing: add one of the five malware traces to the omitted clean sample, use the combined trace for testing
    Classify each fragment in testing as either normal or abnormal
    Classify each call-trace as abnormal if one or more fragments is classified as abnormal
  Repeat each experiment five times and average
  Repeat for each of the five malware samples
Slide 32: Performance metrics
  True positive rate TPR = (# of infected traces labeled abnormal) / (# of infected traces): the fraction of malware samples we captured
  False alarm rate FAR = (# of clean traces labeled abnormal) / (# of clean traces): the fraction of clean samples labeled as malware
Slide 33: Agenda (section divider, repeating slide 4)
Slide 34: Malware detection algorithms
Three standard semi-supervised learning (SSL) approaches to detection; SSL: labeled examples of normal, no labeled examples of abnormal, in training
  Alg. #1: Principal Component Analysis (PCA)
  Alg. #2: One-class Support Vector Machine (1SVM)
  Alg. #3: Naïve anomaly detector (NAD) using unseen n-grams
Slide 35: Alg. #1: Principal Component Analysis (PCA)
PCA is a standard approach to embedding a collection of points (rows of X) into a lower-dimensional subspace.
PCA-based statistical anomaly detection labels a point as abnormal if the distance from the point to the subspace is above a specified threshold, and as normal if it is below.
Figure: projection of x_i onto the principal subspace \hat{S}: \hat{x}_i = x_i^T V_N^{(k)} V_N^{(k)T}; the residual x_i - \hat{x}_i is the distance from the point to the subspace
Slide 36: Alg. #2: One-class Support Vector Machine (1SVM)
Training: find a hyperplane that has the largest margin separating the training dataset from the origin.
Testing: label point x as normal if w^T x > a, abnormal otherwise; sweep a for the ROC curve.
Figure: training points, test normal points, test anomalies, support vectors; separating hyperplane w^T \phi(x) = 0
Optimization problem:
  \min_{w, \xi, \rho} \frac{1}{2} w^T w + \frac{1}{\nu N} \sum_{i=1}^{N} \xi_i - \rho
  subject to w^T \phi(x_i) \ge \rho - \xi_i and \xi_i \ge 0
  \|w\| is inversely proportional to the margin; \nu upper-bounds the fraction of outliers in the training set; x_i is a training sample; \rho is the bias term; \xi_i is the penalty term for error
Slide 37: Alg. #3: Naïve anomaly detector (NAD) using unseen n-grams
Training: build a normal dictionary D consisting of all n-grams that appear in the training system call traces
Testing: N_A = number of n-grams in the fragment that are not in D
  If N_A > \tau_A, label the fragment as abnormal; otherwise, label the fragment as normal.
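The NAD of slide 37 together with the trace-level rule of slide 31 and the TPR/FAR metrics of slide 32, as an added example written here (not the authors' heimdall implementation). Data is constructed: five clean traces from one repeating pattern and one infected trace that injects 78 (gettimeofday) and 120 (clone), the syscall numbers slide 42 lists for infected traces; L and the threshold values are chosen to fit the toy traces.

```python
# Constructed data: five clean traces (rotations of one repeating pattern) and an infected
# trace built from the fifth by injecting calls 78 (gettimeofday) and 120 (clone).
BASE = [4, 3, 192, 6, 5, 5, 6, 4, 3]
CLEAN_TRACES = [(BASE * 20)[i:i + 150] for i in range(5)]
INFECTED_TRACE = CLEAN_TRACES[4][:60] + [78, 120, 78, 4, 3] + CLEAN_TRACES[4][60:]


def ngrams(seq, n):
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def fragments(trace, L):
    """Consecutive fragments of length L; a short tail is dropped."""
    return [trace[i:i + L] for i in range(0, len(trace) - L + 1, L)]


class NAD:
    """Naive anomaly detector: a fragment is abnormal when it contains more than tau
    n-grams that never appeared in the clean training traces (dictionary D)."""

    def __init__(self, n=2, L=30):
        self.n, self.L, self.D = n, L, set()

    def fit(self, clean_traces):
        self.D = {g for t in clean_traces for f in fragments(t, self.L) for g in ngrams(f, self.n)}
        return self

    def unseen(self, fragment):
        """N_A for one fragment: count of n-grams not in D."""
        return sum(1 for g in ngrams(fragment, self.n) if g not in self.D)

    def trace_is_abnormal(self, trace, tau):
        # Trace-level rule from slide 31: abnormal if one or more fragments is abnormal.
        return any(self.unseen(f) > tau for f in fragments(trace, self.L))


def tpr_far(det, clean, infected, tau):
    """TPR = infected traces labeled abnormal / infected; FAR = clean labeled abnormal / clean."""
    tpr = sum(det.trace_is_abnormal(t, tau) for t in infected) / len(infected)
    far = sum(det.trace_is_abnormal(t, tau) for t in clean) / len(clean)
    return tpr, far


def roc(det, clean, infected, taus):
    """(TPR, FAR) pairs obtained by sweeping the threshold tau_A."""
    return [tpr_far(det, clean, infected, tau) for tau in taus]


def holdout_demo(tau):
    """One fold: train on four clean traces, test on the held-out clean trace plus the infected one."""
    det = NAD(n=2, L=30).fit(CLEAN_TRACES[:4])
    return tpr_far(det, [CLEAN_TRACES[4]], [INFECTED_TRACE], tau)


if __name__ == "__main__":
    for tau in (0, 3, 4, 10):
        print(f"tau={tau}: (TPR, FAR) = {holdout_demo(tau)}")
```

The injected segment produces exactly four bi-grams absent from D, so the infected trace is caught for tau below 4 and missed once tau reaches 4, while the held-out clean trace never raises a false alarm because every bi-gram of the rotated pattern was seen in training.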
Slide 38: Agenda (section divider, repeating slide 4)
Slide 39: Alg. #1: Principal Component Analysis (PCA)
Fig. 1. ROC curves of PCA-SAD with L = 1000, n = 2
Slide 40: Alg. #2: One-class Support Vector Machine (1SVM)
Fig. 2. ROC curves of one-class SVM with PNS, L = 3000, n = 2
Slide 41: Alg. #3: Naïve anomaly detector (NAD) using unseen n-grams
Fig. 3. ROC curves of NAD with L = 1000, n = 2
Slide 42: System calls in infected traces
Malware name | Example of system calls appearing ONLY in infected traces
MrBlack      | 19 (lseek), 78 (gettimeofday), 94 (fchmod), 120 (clone), 191 (vfork), 207 (fchown32), 289 (send), 338 (set_robust_list)
Mirai-v1     | 1 (exit), 55 (fcntl), 78 (gettimeofday), 208 (setresuid32)
Mirai-v2     | 78 (gettimeofday), 120 (clone), 208 (setresuid32)
Mirai-v3     | 1 (exit), 55 (fcntl), 78 (gettimeofday)
Mirai-v4     | 43 (times), 78 (gettimeofday), 120 (clone), 141 (getdents)
Slide 43: Distribution of 1-grams
Figure panels (PMF axis in powers of ten): PMF of clean one-grams; PMF of one-grams infected by Mirai (v1); Mirai (v2); Mirai (v3); Mirai (v4); Mr. Black
Slide 44: Impact of L, n on detection accuracy
Slide 45: Impact of L, n on detection accuracy
  PCA-SAD and the one-class SVM with partial n-gram space are sensitive to changes in L; as L increases, detection accuracy increases.
  L has negligible impact on the NAD and on the one-class SVM with complete n-gram space.
  The superiority of the NAD and the one-class SVM with complete n-gram space shows the importance of the information carried by the new n-grams caused by the malware.
  A larger n does not necessarily result in higher detection accuracy.
Slide 46: Agenda (section divider, repeating slide 4)
Slide 47: Limitations of the analysis
  The emulated home router's behavior is relatively simple: the router's functionality is restricted to relaying traffic
  The botnet malware was not able to connect to a command and control (C&C) server within the VM
Slide 48: Conclusion and future work
  Syscall-based behavioral anomaly detection algorithms can effectively detect previously unknown malware on home routers
  The one-class SVM using the complete 2-gram space and the NAD achieve the best detection
  Future work #1: joint syscall and traffic analysis
  Future work #2: investigate the benefit of shared training across multiple home routers
More informationA Comparative Study of Locality Preserving Projection and Principle Component Analysis on Classification Performance Using Logistic Regression
Journal of Data Analysis and Information Processing, 2016, 4, 55-63 Published Online May 2016 in SciRes. http://www.scirp.org/journal/jdaip http://dx.doi.org/10.4236/jdaip.2016.42005 A Comparative Study
More informationAnti-DDoS. User Guide (Paris) Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD.
Issue 01 Date 2018-08-15 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2018. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any
More informationFlow-based Anomaly Intrusion Detection System Using Neural Network
Flow-based Anomaly Intrusion Detection System Using Neural Network tational power to analyze only the basic characteristics of network flow, so as to Intrusion Detection systems (KBIDES) classify the data
More informationIntrusion Detection and Malware Analysis
Intrusion Detection and Malware Analysis Anomaly-based IDS Pavel Laskov Wilhelm Schickard Institute for Computer Science Taxonomy of anomaly-based IDS Features: Packet headers Byte streams Syntactic events
More informationDeveloping the Sensor Capability in Cyber Security
Developing the Sensor Capability in Cyber Security Tero Kokkonen, Ph.D. +358504385317 tero.kokkonen@jamk.fi JYVSECTEC JYVSECTEC - Jyväskylä Security Technology - is the cyber security research, development
More informationSupervised classification of law area in the legal domain
AFSTUDEERPROJECT BSC KI Supervised classification of law area in the legal domain Author: Mees FRÖBERG (10559949) Supervisors: Evangelos KANOULAS Tjerk DE GREEF June 24, 2016 Abstract Search algorithms
More information3 Feature Selection & Feature Extraction
3 Feature Selection & Feature Extraction Overview: 3.1 Introduction 3.2 Feature Extraction 3.3 Feature Selection 3.3.1 Max-Dependency, Max-Relevance, Min-Redundancy 3.3.2 Relevance Filter 3.3.3 Redundancy
More informationKernel Methods & Support Vector Machines
& Support Vector Machines & Support Vector Machines Arvind Visvanathan CSCE 970 Pattern Recognition 1 & Support Vector Machines Question? Draw a single line to separate two classes? 2 & Support Vector
More informationAn Effective Performance of Feature Selection with Classification of Data Mining Using SVM Algorithm
Proceedings of the National Conference on Recent Trends in Mathematical Computing NCRTMC 13 427 An Effective Performance of Feature Selection with Classification of Data Mining Using SVM Algorithm A.Veeraswamy
More informationUsing a VMware Network Infrastructure to Collect Traffic Traces for Intrusion Detection Evaluation
Using a VMware Network Infrastructure to Collect Traffic Traces for Intrusion Detection Evaluation by Frederic Massicotte, Mathieu Couture and Annie De Montigny Leboeuf http://www.crc.ca/networksystems_security/
More informationViewing Capture ATP Status
Capture ATP Viewing Capture ATP Status Configuring Capture ATP Viewing Capture ATP Status Capture ATP > Status About the Chart About the Log Table Uploading a File for Analysis Viewing Threat Reports Capture
More informationSemi-supervised learning and active learning
Semi-supervised learning and active learning Le Song Machine Learning II: Advanced Topics CSE 8803ML, Spring 2012 Combining classifiers Ensemble learning: a machine learning paradigm where multiple learners
More informationFigure 1: Attempts for /ws/v1/cluster/apps/new-application
ERT Threat Alert DemonBot October 26, 2018 Abstract Radware s Threat Research Center is monitoring and tracking a malicious agent that is leveraging a Hadoop YARN unauthenticated remote command execution
More informationFlow Measurement. For IT, Security and IoT/ICS. Pavel Minařík, Chief Technology Officer EMITEC, Swiss Test and Measurement Day 20 th April 2018
Flow Measurement For IT, Security and IoT/ICS Pavel Minařík, Chief Technology Officer EMITEC, Swiss Test and Measurement Day 20 th April 2018 What is Flow Data? Modern method for network monitoring flow
More informationInternet of Things (IoT) Attacks. The Internet of Things (IoT) is based off a larger concept; the Internet of Things came
Victoria Ellsworth Dr. Ping Li ICTN 4040 04/11/17 Internet of Things (IoT) Attacks The Internet of Things (IoT) is based off a larger concept; the Internet of Things came from idea of the Internet of Everything.
More informationMcAfee Network Security Platform Administration Course
McAfee Network Security Platform Administration Course Education Services administration course The McAfee Network Security Platform Administration course from McAfee Education Services is an essential
More informationProlexic Attack Report Q4 2011
Prolexic Attack Report Q4 2011 Prolexic believes the nature of DDoS attacks are changing: they are becoming more concentrated and damaging. Packet-per-second volume is increasing dramatically, while attack
More informationContents Machine Learning concepts 4 Learning Algorithm 4 Predictive Model (Model) 4 Model, Classification 4 Model, Regression 4 Representation
Contents Machine Learning concepts 4 Learning Algorithm 4 Predictive Model (Model) 4 Model, Classification 4 Model, Regression 4 Representation Learning 4 Supervised Learning 4 Unsupervised Learning 4
More informationWeka ( )
Weka ( http://www.cs.waikato.ac.nz/ml/weka/ ) The phases in which classifier s design can be divided are reflected in WEKA s Explorer structure: Data pre-processing (filtering) and representation Supervised
More informationAllot IoT Defense Solutions for Enterprises to Ensure IoT Service Continuity. Solution Brief
Allot IoT Defense Solutions for Enterprises to Ensure IoT Service Continuity Solution Brief Contents 1 Allot IoT Defense Solutions for Enterprises to Ensure IoT Service Continuity... 1 2 IoT Service Protection...
More informationWhat Causes My Test Alarm? Automatic Cause Analysis for Test Alarms in System and Integration Testing
The 39th International Conference on Software Engineering What Causes My Test Alarm? Automatic Cause Analysis for Test Alarms in System and Integration Testing Authors: He Jiang 汇报人 1, Xiaochen Li : 1,
More informationCA Host-Based Intrusion Prevention System r8
PRODUCT BRIEF: CA HOST-BASED INTRUSION PREVENTION SYSTEM CA Host-Based Intrusion Prevention System r8 CA HOST-BASED INTRUSION PREVENTION SYSTEM (CA HIPS) BLENDS A STAND-ALONE FIREWALL WITH INTRUSION DETECTION
More informationCS 229 Midterm Review
CS 229 Midterm Review Course Staff Fall 2018 11/2/2018 Outline Today: SVMs Kernels Tree Ensembles EM Algorithm / Mixture Models [ Focus on building intuition, less so on solving specific problems. Ask
More informationAKAMAI THREAT ADVISORY. Satori Mirai Variant Alert
AKAMAI THREAT ADVISORY Satori Mirai Variant Alert Version: V002 Date: December 6, 2017 1.0 / Summary / Akamai, along with industry peers, has identified an updated variant of Mirai (Satori) that has activated
More informationSolutions to prevent IoT devices to be used for DDOS attacks. WISeKey General Business Use
Solutions to prevent IoT devices to be used for DDOS attacks WISeKey General Business Use Solutions to prevent IoT devices to be used for DDOS attacks WISeKey General Business Use Contents 3 Which protections
More informationVirtualization Device Emulator Testing Technology. Speaker: Qinghao Tang Title 360 Marvel Team Leader
Virtualization Device Emulator Testing Technology Speaker: Qinghao Tang Title 360 Marvel Team Leader 1 360 Marvel Team Established in May 2015, the first professional could computing and virtualization
More informationOccluded Facial Expression Tracking
Occluded Facial Expression Tracking Hugo Mercier 1, Julien Peyras 2, and Patrice Dalle 1 1 Institut de Recherche en Informatique de Toulouse 118, route de Narbonne, F-31062 Toulouse Cedex 9 2 Dipartimento
More informationDetect & Respond to IoT Botnets AS AN ISP. Christoph Giese Telekom Security; Cyber DefenSe Center
Detect & Respond to IoT Botnets AS AN ISP Christoph Giese Telekom Security; Cyber DefenSe Center Management Summary Mirai hit us hard; IoT Botnets are on the rise and rapidly evolving We developed a three-stage
More informationMcPAD and HMM-Web: two different approaches for the detection of attacks against Web applications
McPAD and HMM-Web: two different approaches for the detection of attacks against Web applications Davide Ariu, Igino Corona, Giorgio Giacinto, Fabio Roli University of Cagliari, Dept. of Electrical and
More informationDet De e t cting abnormal event n s Jaechul Kim
Detecting abnormal events Jaechul Kim Purpose Introduce general methodologies used in abnormality detection Deal with technical details of selected papers Abnormal events Easy to verify, but hard to describe
More informationNetwork Anomaly Detection Using Autonomous System Flow Aggregates
Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering 2 Department of Computer Science University
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based
More informationGlobal DDoS Measurements. Jose Nazario, Ph.D. NSF CyberTrust Workshop
Global DDoS Measurements Jose Nazario, Ph.D. jose@arbor.net NSF CyberTrust Workshop Quick Outline, Conclusions o Measurements - We re screwed o Observations - We know who o The wrong approach: point solutions
More informationA Taxonomy of Semi-Supervised Learning Algorithms
A Taxonomy of Semi-Supervised Learning Algorithms Olivier Chapelle Max Planck Institute for Biological Cybernetics December 2005 Outline 1 Introduction 2 Generative models 3 Low density separation 4 Graph
More informationIntrusion Detection by Combining and Clustering Diverse Monitor Data
Intrusion Detection by Combining and Clustering Diverse Monitor Data TSS/ACC Seminar April 5, 26 Atul Bohara and Uttam Thakore PI: Bill Sanders Outline Motivation Overview of the approach Feature extraction
More informationOPSWAT Metadefender. Superior Malware Threat Prevention and Analysis
OPSWAT Metadefender Superior Malware Threat Prevention and Analysis Agenda What is Metadefender How Metadefender Protects Metadefender Core Features Metadefender Product Family What s New in Metadefender
More informationDetecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine
Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray, Sven Krasser Motivation Spam: More than Just a
More informationLogistic Regression: Probabilistic Interpretation
Logistic Regression: Probabilistic Interpretation Approximate 0/1 Loss Logistic Regression Adaboost (z) SVM Solution: Approximate 0/1 loss with convex loss ( surrogate loss) 0-1 z = y w x SVM (hinge),
More informationFrom Correlation to Causation: Active Delay Injection for Service Dependency Detection
From Correlation to Causation: Active Delay Injection for Service Dependency Detection Christopher Kruegel Computer Security Group ARO MURI Meeting ICSI, Berkeley, November 15, 2012 Correlation Engine
More informationTable of Contents. Recognition of Facial Gestures... 1 Attila Fazekas
Table of Contents Recognition of Facial Gestures...................................... 1 Attila Fazekas II Recognition of Facial Gestures Attila Fazekas University of Debrecen, Institute of Informatics
More informationDDOS DETECTION SYSTEM USING C4.5 DECISION TREE ALGORITHM
DDOS DETECTION SYSTEM USING C4.5 DECISION TREE ALGORITHM Santosh Kumar Pydipalli 1, Srikanth Kasthuri 1, Jinu S 1 1 Jr.Telecom Officer, Bharath Sanchar Nigam Limited, Bangalore ---------------------------------------------------------------------***----------------------------------------------------------------------
More informationEndpoint Protection : Last line of defense?
Endpoint Protection : Last line of defense? First TC Noumea, New Caledonia 10 Sept 2018 Independent Information Security Advisor OVERVIEW UNDERSTANDING ENDPOINT SECURITY AND THE BIG PICTURE Rapid development
More informationMeasuring Intrusion Detection Capability: An Information- Theoretic Approach
Measuring Intrusion Detection Capability: An Information- Theoretic Approach Guofei Gu, Prahlad Fogla, David Dagon, Wenke Lee Georgia Tech Boris Skoric Philips Research Lab Outline Motivation Problem Why
More informationComparison of Firewall, Intrusion Prevention and Antivirus Technologies
Comparison of Firewall, Intrusion Prevention and Antivirus Technologies (How each protects the network) Dr. Gaurav Kumar Jain Email: gaurav.rinkujain.jain@gmail.com Mr. Pradeep Sharma Mukul Verma Abstract
More information