Hotspots: The Root Causes of Non- Uniformity in Self-Propagating Malware
|
|
- Clementine Watkins
- 5 years ago
- Views:
Transcription
1 Hotspots: The Root Causes of Non- Uniformity in Self-Propagating Malware Evan Cooke, Z. Morley Mao, Farnam Jahanian *University of Michigan DSN 2006
2 Self-Propagating Malware Worms & Botnets (Source: Microsoft Antimalware Team Report, June 2006) Self-propagating malware highly distributed: Many attackers Many vulnerable systems Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
3 Locating Vulnerable Hosts Address n (e.g., 2 32 ) Step 1: A host becomes infected Step 3: Remote host is infected and then begins the scanning process Step 2: Infected host scans through address space Vulnerable hosts looking for vulnerable hosts Address 0 Scanning processing typically modeled as uniform random process Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
4 Internet Detection Systems Due to distributed nature of attacks: detection systems rely on threat invariants: Static byte sequence Certain TCP/UDP ports Rate of successful/failed connection attempts Detection systems leverage these invariants When a parameter becomes abnormal then alert (e.g. prevalence of byte sequence in Autograph/EarlyBird/Polygraph) Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
5 Hotspots Goal today is to challenge assumptions behind many of these prevalence-based detection approaches: Challenge the long held idea that worm propagation is a uniform process Demonstrate how threat propagation exhibits hotspots (non-uniform targeting behavior) Implications: Detection systems may not alert due to hotspots Distributed detection systems may fail due to hotspots Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
6 Impact of Non-Uniformity on Detection A simple illustration: Will Alert Won t Alert Detection Threshold Non-uniformity impacts prevalence-based detection systems: B,C,E,F will not alert! Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
7 Root Causes of Non-Uniformity We define a hotspot as deviation from uniform propagation behavior We define two major classes of hotspots: 1. Algorithmic Factors - Host-centric, programmatic influences that impact threat propagation 2. Environmental Factors - External network influences that impact threat propagation Hotspots are often not intentional Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
8 Empirical Evidence of Hotspots We now empirically demonstrate algorithmic and environmental factors: Use data from: Internet Motion Sensor - collection of 11 distributed darknet sensors ranging in size from a /25 (CIDR notation, 128 addresses) to a /8 (16 million addresses) Live Botnet Monitors - monitored router on large academic network for the specific C&C signatures of Agobot/Phatbot, rbot/sdbot, and Ghost-Bot Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
9 Algorithmic Factors Host-centric, programmatic influences that impact threat propagation. Hit-lists: pre-programmed lists of target addresses stored in the threat payload or obtained from a remote server. Pseudo-Random Number Generators (PRNGs): target address generation functions that are easily biased by a poor source of entropy or a poor implementation. Local Preference: a bias for nearby addresses that is typically deliberately designed into a propagation algorithm Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
10 Hit-lists Botnet operators intentionally bias propagation toward vulnerable host Sample of captured propagation commands: Bot Command Detected ipscan r.r.r.r dcom2 ipscan s.s.s.s dcom2 ipscan 24.s.s.s dcom2 ipscan s.s dcom2 ipscan s.s.s lsass ipscan s.s webdav3 Scan Type Global Random Global Seq. Local 24/8 Seq. Local 69.27/16 Seq. Local /8 Seq. Local /16 Seq Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
11 PRNG: Blaster Worm Hotspots Number of unique Blaster infected source IPs by /24 across 6 IMS darknet sensors Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
12 PRNG: Blaster Worm We analyzed the decompiled source code: Blaster worm uses GetTickCount() to seed random number generator GetTickCount() returns number of ms since boot time, zero each reboot. Blaster worm design to restart on reboot using registry This spike Hotspots in Blaster scanning distribution correlated with boot times 4-5 minutes corresponds to 2.3 min boot time Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
13 PRNG: Slammer Worm Error in PRNG generator causes short cycles for certain seed values Certain random seeds have short cycles => hotspots Observed Slammer scanning patterns for individual hosts Hotspot in aggregate slammer propagation Host A Host B Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
14 Environmental Factors External network influences that impact threat propagation. Network topology: latency, bandwidth, and other network factors that impact the rate at which an infection can progress. Routing and filtering policy: firewalls and other policy devices that restrict reachability to a target address. Network failures and misconfigurations: dropped packets, mangled packets, and failures that impact success of an infection Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
15 Network Topology: CodeRedII Significant hotspot in M block Number of unique CodeRedII infected source IPs by /24 across 6 IMS darknet sensors Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
16 Network Topology: CodeRedII The M block is in /8 Many NATs use /16 address space CodeRedII has a bias for local /8 addresses If many CodeRedII infected hosts behind 192- NATs they would prefer /8 Test with quarantined CodeRedII hosts: Similar Hotspot non-192/8 Address Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
17 Network Filtering: Fortune 500 Filtering Top 3 infected Fortune 100 Companies: Total IPs CRII IPs Slammer IPs Banking Company Media Company Logistics Company Top 3 infected Broadband Providers: Total IPs CRII IPs Slammer IPs ISP A ISP B ISP C Blaster IPs Blaster IPs Supposition: many infected hosts inside enterprises However they are behind NATs firewalls (strict outgoing filtering) as compared to ISPs Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
18 Implications of Hotspots Detectors at different addresses may report widely different observations of a threat How does this impact distributed detection? Detection Threshold Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
19 Evaluating the Impact of Hotspots Simulate outbreak of threat with hotspots Investigate impact of algorithmic factors: Construct hit-list worm based on CodeRedII Use empirically observed CodeRedII source IPs as vulnerable population (134,586 IPs) Evaluate hit-lists of 4 sizes: 10 /16s (covering 10.60% of vul pop) 100 /16s (covering 50.49% of vul pop) 1000 /16s (covering 91.33% of vul pop) 4481 /16s (covering 100% of vul pop) Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
20 Impact of Algorithmic Factors Infection rate over time for out hit-list worm with 4 different hit-list sizes Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
21 Impact of Algorithmic Factors Randomly place a /24 detector in each of the 4481 /16 networks with a vulnerable host Each sensor alerts after 5 payloads [Autograph] Less than 5% of detectors alerted with 100-item hit-list But, the 100-item hit-list infected > 50% of the vulnerable population in a few minutes Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
22 Place Sensors Inside Hotspots Implication: must place sensors inside hotspots But, hotspots are very hard to predict! However, we can predict some environmental factors Go back to empirically observed CodeRedII hotspot Place sensors inside /8, / Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
23 Predicting Environment Factors Place 255 detectors inside /8 Simulate CodeRedII-like worm where 15% of hosts are behind NATs 100% of the detectors have alerted before 20% of the vulnerable population is infected! Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
24 Summary & Conclusion Hotspots are everywhere: Every self-propagating threat we have observed is influenced algorithmic or environmental factors We often can t predict hotspots due to complex host and network interactions Can t assume that just because one address was attacked so will another Open Problem: Where do we place detectors? ubiquitously throughout address space? Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
25 Questions & Acknowledgements Questions? Thanks to the ISPs, academic institutions, and organizations for hosting the IMS! Thanks to Jose Nazario, Robert Stone, Rob Malan, and Dug Song at Arbor Networks and Larry Blunk, Bert Rossi, and Manish Karir at Merit Network. And of course our sponsors: For more information on the Internet Motion Sensor: Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware DSN 2006
Toward Understanding Distributed Blackhole Placement
Toward Understanding Distributed Blackhole Placement Evan Cooke, Michael Bailey, Z. Morley Mao, David Watson, Farnam Jahanian University of Michigan {emcooke, mibailey, zmao, dwatson, farnam}@umich.edu
More informationTracking Global Threats with the Internet Motion Sensor
Tracking Global Threats with the Internet Motion Sensor Michael Bailey & Evan Cooke University of Michigan Timothy Battles AT&T Danny McPherson Arbor Networks NANOG 32 September 7th, 2004 Introduction
More informationCharacterizing Dark DNS Behavior
Characterizing Dark DNS Behavior Jon Oberheide*, Manish Karir, Z. Morley Mao*, Farnam Jahanian* *University of Michigan Merit Network, Inc. DIMVA 2007 July 12, 2007 Presentation Summary Sell/short/don't
More informationMalware Research at SMU. Tom Chen SMU
Malware Research at SMU Tom Chen SMU tchen@engr.smu.edu www.engr.smu.edu/~tchen Outline About SMU and Me Virus Research Lab Early Worm Detection Epidemic Modeling New Research Interests TC/BT/11-5-04 SMU
More informationSecurity: Worms. Presenter: AJ Fink Nov. 4, 2004
Security: Worms Presenter: AJ Fink Nov. 4, 2004 1 It s a War Out There 2 Analogy between Biological and Computational Mechanisms The spread of self-replicating program within computer systems is just like
More informationMapping Internet Sensors with Probe Response Attacks
Mapping Internet Sensors with Probe Response Attacks John Bethencourt, Jason Franklin, and Mary Vernon {bethenco, jfrankli, vernon}@cs.wisc.edu Computer Sciences Department University of Wisconsin, Madison
More informationUTM 5000 WannaCry Technote
UTM 5000 WannaCry Technote The news is full of reports of the massive ransomware infection caused by WannaCry. Although these security threats are pervasive, and ransomware has been around for a decade,
More informationMapping Internet Sensors with Probe Response Attacks
Mapping Internet Sensors with Probe Response Attacks Computer Sciences Department University of Wisconsin, Madison Introduction Outline Background Example Attack Introduction to the Attack Basic Probe
More informationThe Evolving Threat of Internet Worms
The Evolving Threat of Internet Worms Jose Nazario, Arbor Networks Why Worm Based Intrusions Relative ease Write once, run everywhere promise can come true Penetration Right past firewalls
More informationThe Dark Oracle: Perspective-Aware Unused and Unreachable Address Discovery
The Dark Oracle: Perspective-Aware Unused and Unreachable Address Discovery Evan Cooke *, Michael Bailey *, Farnam Jahanian *, Richard Mortier *University of Michigan Microsoft Research - 1 - NSDI 2006
More informationDDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH
DDoS Protector Block Denial of Service attacks within seconds Simon Yu Senior Security Consultant CISSP-ISSAP, MBCS, CEH 2012 Check Point Software Technologies Ltd. [PROTECTED] All rights reserved. 2012
More informationDarknet Traffic Monitoring using Honeypot
Darknet Traffic Monitoring using Honeypot 1 Hemal khorasia, 2 Mr. Girish Khilari 1 IT Systems & Network Security, 1 Gujarat Technological University, Ahmedabad, India Abstract - A "Darknet" is a portion
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 D. Moore, G. Voelker, S. Savage Inferring Internet Denial-of-Service Activity (USENIX
More informationVery Fast Containment of Scanning Worms. Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL
Very Fast Containment of Scanning Worms Nicholas Weaver, Stuart Staniford, Vern Paxson ICSI, Nevis Networks, ICSI & LBNL 1 Outline Worm Containment Scan Suppression Hardware Implementation Cooperation
More informationZOMBIE ZOMBIE BOTNET PDF
ZOMBIE ZOMBIE BOTNET PDF ==> Download: ZOMBIE ZOMBIE BOTNET PDF ZOMBIE ZOMBIE BOTNET PDF - Are you searching for Zombie Zombie Botnet Books? Now, you will be happy that at this time Zombie Zombie Botnet
More informationTrend Micro. Apex One as a Service / Apex One. Best Practice Guide for Malware Protection. 1 Best Practice Guide Apex One as a Service / Apex Central
Trend Micro Apex One as a Service / Apex One Best Practice Guide for Malware Protection 1 Best Practice Guide Apex One as a Service / Apex Central Information in this document is subject to change without
More informationThe Changing Internet Ecology: Confronting Security and Operational Challenges by Mining Network Data
The Changing Internet Ecology: Confronting Security and Operational Challenges by Mining Network Data Farnam Jahanian University of Michigan and Arbor Networks Workshop on Mining Network Data (MineNet-05)
More informationModerated by: Moheeb Rajab Background singers: Jay and Fabian
Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background singers: Jay and Fabian 1 Agenda Questions and Critique of Timezones paper Extensions Network Monitoring (recap)
More informationBasic Concepts in Intrusion Detection
Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification
More informationAMP-Based Flow Collection. Greg Virgin - RedJack
AMP-Based Flow Collection Greg Virgin - RedJack AMP- Based Flow Collection AMP - Analytic Metadata Producer : Patented US Government flow / metadata producer AMP generates data including Flows Host metadata
More informationA Unified Threat Defense: The Need for Security Convergence
A Unified Threat Defense: The Need for Security Convergence Udom Limmeechokchai, Senior system Engineer Cisco Systems November, 2005 1 Agenda Evolving Network Security Challenges META Group White Paper
More informationComparison of Firewall, Intrusion Prevention and Antivirus Technologies
Comparison of Firewall, Intrusion Prevention and Antivirus Technologies (How each protects the network) Dr. Gaurav Kumar Jain Email: gaurav.rinkujain.jain@gmail.com Mr. Pradeep Sharma Mukul Verma Abstract
More informationBotnet Detection Using Honeypots. Kalaitzidakis Vasileios
Botnet Detection Using Honeypots Kalaitzidakis Vasileios Athens, June 2009 What Is Botnet A Botnet is a large number of compromised computers, controlled by one or more Command-and-Control Servers, the
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationExploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event
Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event Abhishek Kumar (Georgia Tech / Google) Vern Paxson (ICSI) Nicholas Weaver (ICSI) Proc. ACM Internet Measurement Conference
More informationIBM Next Generation Intrusion Prevention System
IBM Next Generation Intrusion Prevention System Fadly Yahaya SWAT Optimizing the World s Infrastructure Oct 2012 Moscow 2012 IBM Corporation Please note: IBM s statements regarding its plans, directions,
More informationTowards Automating Analysis of Large-Scale Honeynet Events
Towards Automating Analysis of Large-Scale Honeynet Events Paper ID 343 ABSTRACT Inspired by the work of Yegneswaran and colleagues on Internet situational awareness [30], we investigate ways to analyze
More informationIBM Zürich Research Laboratory. Billy Goat Overview. James Riordan Diego Zamboni Yann Duponchel IBM Research Zurich Switzerland IBM Corporation
Laboratory Billy Goat Overview James Riordan Diego Zamboni Yann Duponchel IBM Research Zurich Switzerland 2006 IBM Corporation Short Worm Summary Attackers, attacks, worms,... Faster propagation with faster
More informationWorm Detection, Early Warning and Response Based on Local Victim Information
Worm Detection, Early Warning and Response Based on Local Victim Information Guofei Gu, Monirul Sharif, Xinzhou Qin, David Dagon, Wenke Lee, and George Riley Georgia Institute of Technology ACSAC'04 1
More informationFast Incident Investigation and Response with CylanceOPTICS
Fast Incident Investigation and Response with CylanceOPTICS Feature Focus Incident Investigation and Response Identifying a potential security issue in any environment is important, however, to protect
More informationEnhancing Telescope Imagery
Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event Abhishek Kumar (Georgia Tech / Google) Vern Paxson (ICSI) Nicholas Weaver (ICSI) Proc. ACM Internet Measurement Conference
More informationNovetta Cyber Analytics
Know your network. Arm your analysts. Introduction Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real time cyber security visibility
More informationSecurity Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 15M&T
Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 15M&T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com
More informationProxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking
NETWORK MANAGEMENT II Proxy Servers Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking resources from the other
More informationCheck Point DDoS Protector Simple and Easy Mitigation
Check Point DDoS Protector Simple and Easy Mitigation Jani Ekman janie@checkpoint.com Sales Engineer DDoS Protector 1 (D)DoS Attacks 2 3 4 DDoS Protector Behavioral DoS Protection Summary 2 What is an
More informationAutomating Security Response based on Internet Reputation
Add Your Logo here Do not use master Automating Security Response based on Internet Reputation IP and DNS Reputation for the IPS Platform Anthony Supinski Senior Systems Engineer www.h3cnetworks.com www.3com.com
More informationFigure 1: Attempts for /ws/v1/cluster/apps/new-application
ERT Threat Alert DemonBot October 26, 2018 Abstract Radware s Threat Research Center is monitoring and tracking a malicious agent that is leveraging a Hadoop YARN unauthenticated remote command execution
More informationInitial results from an IPv6 Darknet
Initial results from an IPv6 Darknet Matthew Ford, Jonathan Stevens 2 and John Ronan 3 British Telecommunications plc, Networks Research Centre, pp HWP276, PO Box 234, Edinburgh, EH2 9UR, UK 2 British
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 12
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 12 Announcements Project 2 is on the web. Due: March 15th Send groups to Jeff Vaughan (vaughan2@seas) by Thurs. Feb. 22nd. Plan for
More informationDetect Cyber Threats with Securonix Proxy Traffic Analyzer
Detect Cyber Threats with Securonix Proxy Traffic Analyzer Introduction Many organizations encounter an extremely high volume of proxy data on a daily basis. The volume of proxy data can range from 100
More informationNetwork Security Fundamentals
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 5 Viruses & Worms, Botnets, Today s Threats Viruses
More informationCisco Cyber Threat Defense Solution 1.0
Cisco Cyber Threat Defense Solution 1.0 Contents 1. Introduction to the Cisco Cyber Threat Defense Solution 1.0 2. Technical overview of the Cisco Cyber Threat Defense Solution 1.0 3. Using the Cisco Cyber
More informationOSSIR. 8 Novembre 2005
OSSIR 8 Novembre 2005 Arbor Networks: Security Industry Leader Arbor s Peakflow products ensure the security and operational integrity of the world s most critical networks Solid Financial Base Sales have
More informationHappy Packets: Some Initial Results
Happy Packets: Some Initial Results RIPE / Manchester, UK 2004.09.22 Randy Bush Timothy G. Griffin Z. Morley Mao Eric Purpus
More informationIntelligent and Secure Network
Intelligent and Secure Network BIG-IP IP Global Delivery Intelligence v11.2 IP Intelligence Service Brian Boyan - b.boyan@f5.com Tony Ganzer t.ganzer@f5.com 2 Agenda Welcome & Intro Introduce F5 IP Intelligence
More informationFast Detection of Scanning Worm Infections
ast Detection of canning Worm Infections Jaeyeon Jung Arthur W. Berger MIT CAIL Harvard DEA This work is sponsored by the Department of Defense under the Air orce Contract 19628-00-C-0002. Opinions, interpretations,
More informationExample: Simple Forensics
Example: Simple Forensics >>> Pretty sure based on the same domain lookups and http logs. >>> Jul 9 23:04:31 131.243.X.Y A.B.C.D 80 GET elided.ru / curl/7.32.0 200 OK (empty) text/plain >> I am looking
More informationFIREWALL BEST PRACTICES TO BLOCK
Brought to you by Enterprie Control Systems FIREWALL BEST PRACTICES TO BLOCK Recent ransomware attacks like Wanna and Petya have spread largely unchecked through corporate networks in recent months, extorting
More informationWHEN a site receives probes from the Internet whether
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 6, NO. 1, MARCH 2011 175 Towards Situational Awareness of Large-Scale Botnet Probing Events Zhichun Li, Member, IEEE, Anup Goyal, Yan Chen,
More informationERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016
Abstract The Mirai botnet struck the security industry in three massive attacks that shook traditional DDoS protection paradigms, proving that the Internet of Things (IoT) threat is real and the grounds
More informationNational Cyber Security Operations Center (N-CSOC) Stakeholders' Conference
National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference Benefits to the Stakeholders A Collaborative and Win-Win Strategy Lal Dias Chief Executive Officer Sri Lanka CERT CC Cyber attacks
More informationNetwork Traffic Anomaly Detection based on Ratio and Volume Analysis
190 Network Traffic Anomaly Detection based on Ratio and Volume Analysis Hyun Joo Kim, Jung C. Na, Jong S. Jang Active Security Technology Research Team Network Security Department Information Security
More informationSymantec Endpoint Protection 14
Symantec Endpoint Protection Cloud Security Made Simple Symantec Endpoint Protection 14 Data Data Sheet: Sheet: Endpoint Endpoint Security Security Overview Last year, we saw 431 million new malware variants,
More informationArbor Networks Spectrum. Wim De Niel Consulting Engineer EMEA
Arbor Networks Spectrum Wim De Niel Consulting Engineer EMEA wdeniel@arbor.net Arbor Spectrum for Advanced Threats Spectrum Finds Advanced Threats with Network Traffic Unlocks Efficiency to Detect, Investigate,
More informationExample: LBL Forensics
Example: LBL Forensics i dont think this looks good: Sep 20 00:30:37 /USR/SBIN/CRON[24948]: (root) CMD (/usr/share/hctqefttsnlb.p2/.p-2.4a i &> /dev/null) the ".p-2.4a" is one of the Phalanx
More informationIntroduction to Wireshark
1 Introduction to Wireshark By Kitisak Jirawannakool E-Government Agency (Public Organization) 2 Agenda What is Network monitoring? Why we need? About wireshark? Demo Exercises What is Network Monitoring?
More informationZillya Internet Security User Guide
Zillya Internet Security User Guide Content Download Zillya Internet Security... 4 Installation Zillya Internet Security... 4 System Status... 7 System Scanning... 9 When Zillya Internet Security finds
More informationProtecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper
Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges
More informationAttack Fingerprint Sharing: The Need for Automation of Inter-Domain Information Sharing
Attack Fingerprint Sharing: The Need for Automation of Inter-Domain Information Sharing RIPE 50 Stockholm, Sweden Danny McPherson danny@arbor.net May 3, 2005 Agenda What s a bot and what s it used for?
More informationDifferent attack manifestations Network packets OS calls Audit records Application logs Different types of intrusion detection Host vs network IT
Different attack manifestations Network packets OS calls Audit records Application logs Different types of intrusion detection Host vs network IT environment (e.g., Windows vs Linux) Levels of abstraction
More informationSonicWALL UTM Overview. Jon Piro NA Channel SE
SonicWALL UTM Overview Jon Piro NA Channel SE SonicWALL Strengths SonicWALL is in a leadership position across our key markets and gaining share. SonicWALL has a growing, global install base of over 1
More informationClient Health Key Features Datasheet. Client Health Key Features Datasheet
Client Health Key Features Datasheet Client Health Key Features Datasheet Introducing the fastest way to manage endpoint health and security at scale Are you spending countless hours trying to find and
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting
More informationIDS: Signature Detection
IDS: Signature Detection Idea: What is bad, is known What is not bad, is good Determines whether a sequence of instructions being executed is known to violate the site security policy Signatures: Descriptions
More informationNew Software Blade and Cloud Service Prevents Zero-day and Targeted Attacks
New Software Blade and Cloud Service Prevents Zero-day and Targeted Attacks 1 WOULD YOU OPEN THIS ATTACHMENT? Over 90% of targeted emails use malicious file attachments as the payload or infection source
More informationOverview of nicter - R&D project against Cyber Attacks in Japan -
Overview of nicter - R&D project against Cyber Attacks in Japan - Daisuke INOUE Cybersecurity Laboratory Network Security Research Institute (NSRI) National Institute of Information and Communications
More informationEndpoint Protection : Last line of defense?
Endpoint Protection : Last line of defense? First TC Noumea, New Caledonia 10 Sept 2018 Independent Information Security Advisor OVERVIEW UNDERSTANDING ENDPOINT SECURITY AND THE BIG PICTURE Rapid development
More informationHOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS
HOLISTIC NETWORK PROTECTION: INNOVATIONS IN SOFTWARE DEFINED NETWORKS Danielle M. Zeedick, Ed.D., CISM, CBCP Juniper Networks August 2016 Today s Objectives Goal Objectives To understand how holistic network
More informationSandBlast Agent FAQ Check Point Software Technologies Ltd. All rights reserved P. 1. [Internal Use] for Check Point employees
SandBlast Agent FAQ What is Check Point SandBlast Agent? Check Point SandBlast Agent defends endpoints and web browsers with a complete set of realtime advanced browser and endpoint protection technologies,
More informationConfiguring Anomaly Detection
CHAPTER 12 This chapter describes how to create multiple security policies and apply them to individual virtual sensors. It contains the following sections: Understanding Policies, page 12-1 Anomaly Detection
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationHerd Intelligence: true protection from targeted attacks. Ryan Sherstobitoff, Chief Corporate Evangelist
Herd Intelligence: true protection from targeted attacks Ryan Sherstobitoff, Chief Corporate Evangelist Complexity Web Based Malware Attacks Crimeware Intelligent Botnets Vulnerabilities Worm/ Outbreaks
More information(Im)possibility of Enumerating Zombies. Yongdae Kim (U of Minnesota - Twin Cities)
(Im)possibility of Enumerating Zombies Yongdae Kim (U of Minnesota - Twin Cities) From Gunter Ollmann at Damballa's blog Botnet and DDoS Botnets becoming the major tool for DDoS 5 million nodes Botnet
More informationDefense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation
Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client
More informationCOMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls
More informationRSA Security Analytics
RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Analyze & prioritize alerts across various sources The cornerstone of security
More informationChapter 9. Firewalls
Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however
More informationIP Profiler. Tracking the activity and behavior of an IP address. Author: Fred Thiele (GCIA, CISSP) Contributing Editor: David Mackey (GCIH, CISSP)
Security Intelligence June 2005 IP Profiler Tracking the activity and behavior of an IP address Author: Fred Thiele (GCIA, CISSP) Contributing Editor: David Mackey (GCIH, CISSP) Page 2 Contents 3 Profiling
More informationIntroduction to Security. Computer Networks Term A15
Introduction to Security Computer Networks Term A15 Intro to Security Outline Network Security Malware Spyware, viruses, worms and trojan horses, botnets Denial of Service and Distributed DOS Attacks Packet
More informationSymantec Endpoint Protection
Overview provides unrivaled security across physical and virtual platforms and support for the latest operating systems-mac OS X 10.9 and Windows 8.1. Powered by Symantec Insight and by SONAR, a single,
More informationAutomated Threat Management - in Real Time. Vectra Networks
Automated Threat Management - in Real Time Security investment has traditionally been in two areas Prevention Phase Active Phase Clean-up Phase Initial Infection Key assets found in the wild $$$$ $$$ $$
More informationHOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL
HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL CONTENTS EXECUTIVE SUMMARY 1 WEB APPLICATION SECURITY CHALLENGES 2 INSIST ON BEST-IN-CLASS CORE CAPABILITIES 3 HARNESSING ARTIFICIAL INTELLIGENCE
More informationWhite Paper. Why IDS Can t Adequately Protect Your IoT Devices
White Paper Why IDS Can t Adequately Protect Your IoT Devices Introduction As a key component in information technology security, Intrusion Detection Systems (IDS) monitor networks for suspicious activity
More informationOn Instant Messaging Worms, Analysis and Countermeasures
COMP 4108 Presentation - Sept 20, 2005 On Instant Messaging Worms, Analysis and Countermeasures Mohammad Mannan School of Computer Science Carleton University, Canada Goals of this talk Discuss a few IM
More informationMalware models for network and service management
Malware models for network and service management Jérôme François, Radu State, Olivier Festor To cite this version: Jérôme François, Radu State, Olivier Festor. Malware models for network and service management.
More informationPerimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN
T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN Perimeter Defenses Enterprises need to take their security strategy beyond stacking up layers of perimeter defenses to building up predictive
More informationStandard Categories for Incident Response (definitions) V2.1. Standard Categories for Incident Response Teams. Definitions V2.1.
Standard Categories for Incident Response Teams Definitions V2.1 February 2018 Standard Categories for Incident Response (definitions) V2.1 1 Introduction This document outlines categories that Incident
More informationA Self-Learning Worm Using Importance Scanning
A Self-Learning Worm Using Importance Scanning Zesheng Chen and Chuanyi Ji Communication Networks and Machine Learning Group School of Electrical and Computer Engineering Georgia Institute of Technology,
More informationDigital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS
Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS Digital Forensics Readiness: PREPARE BEFORE AN INCIDENT HAPPENS 2 Digital Forensics Readiness The idea that all networks can be compromised
More informationA Firewall Network System for Worm Defense in Enterprise Networks
1 A Firewall Network System for Worm Defense in Enterprise Networks Cliff C. Zou, Don Towsley, Weibo Gong {czou,gong}@ecs.umass.edu, towsley@cs.umass.edu Univ. Massachusetts, Amherst Technical Report:
More informationSmartSiren: Virus Detection and Alert for Smartphones. Jerry Cheung, Starsky Wong, Hao Yang and Songwu Lu MOBISYS 2007
SmartSiren: Virus Detection and Alert for Smartphones Jerry Cheung, Starsky Wong, Hao Yang and Songwu Lu MOBISYS 2007 Premise Smartphones have become increasingly popular. So have viruses for smartphones
More informationMcAfee Labs Threat Advisory FakeAlert System Defender
McAfee Labs Threat Advisory FakeAlert System Defender June 15, 2011 Summary FakeAlert System Defender Trojan is software that masquerades as a legitimate security application purely to make money for its
More informationJaal: Towards Network Intrusion Detection at ISP Scale
Jaal: Towards Network Intrusion Detection at ISP Scale A. Aqil, K. Khalil, A. Atya, E. Paplexakis, S. Krishnamurthy, KK. Ramakrishnan University of California Riverside T. Jaeger Penn State University
More informationConfiguring Anomaly Detection
CHAPTER 9 Caution Anomaly detection assumes it gets traffic from both directions. If the sensor is configured to see only one direction of traffic, you should turn off anomaly detection. Otherwise, when
More informationCYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta
CYBER ANALYTICS Architecture Overview Technical Brief May 2016 novetta.com 2016, Novetta Novetta Cyber Analytics: Technical Architecture Overview 1 INTRODUCTION 2 CAPTURE AND PROCESS ALL NETWORK TRAFFIC
More informationACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems
ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been
More informationConfiguring Anomaly Detection
CHAPTER 9 This chapter describes anomaly detection and its features and how to configure them. It contains the following topics: Understanding Security Policies, page 9-2 Understanding Anomaly Detection,
More informationA Framework for Attack Patterns Discovery in Honeynet Data
DIGITAL FORENSIC RESEARCH CONFERENCE A Framework for Attack Patterns Discovery in Honeynet Data By Olivier Thonnard, Marc Dacier Presented At The Digital Forensic Research Conference DFRWS 2008 USA Baltimore,
More informationSSL Automated Signatures
SSL Automated Signatures WilliamWilsonandJugalKalita DepartmentofComputerScience UniversityofColorado ColoradoSprings,CO80920USA wjwilson057@gmail.com and kalita@eas.uccs.edu Abstract In the last few years
More informationHillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis
Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis Keywords: Intelligent Next-Generation Firewall (ingfw), Unknown Threat, Abnormal Parameter, Abnormal Behavior,
More information