An study of the concepts necessary to create, as well as the implementation of, a flexible data processing and reporting engine for large datasets.

Similar documents
Worldwide Detection of Denial of Service (DoS) Attacks

The UCSD Network Telescope

DENIAL OF SERVICE ATTACKS

Rob Sherwood Bobby Bhattacharjee Ryan Braud. University of Maryland. Misbehaving TCP Receivers Can Cause Internet-Wide Congestion Collapse p.

A Software Tool for Network Intrusion Detection

Denial of Service, Traceback and Anonymity

Automated Analysis and Aggregation of Packet Data

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Tracking Global Threats with the Internet Motion Sensor

A Baseline Numeric Analysis of Network Telescope Data for Network Incident Discovery

ONE of the problems faced when dealing with large

Empirical Models of TCP and UDP End User Network Traffic from Data Analysis

Overview of nicter - R&D project against Cyber Attacks in Japan -

Configuring Flood Protection

AutoFocus: A Tool for Automatic Traffic Analysis. Cristian Estan, University of California, San Diego

A Rendezvous-based Paradigm for Analysis of Solicited and Unsolicited Traffic

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

0x1A Great Papers in Computer Security

Darknet Traffic Monitoring using Honeypot

CSC 574 Computer and Network Security. TCP/IP Security

Overview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter

On the Effectiveness of Distributed Worm Monitoring

3-4 DAEDALUS: Practical Alert System Based on Large-scale Darknet Monitoring for Protecting Live Networks

Toward Understanding Distributed Blackhole Placement

Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz

Detecting Distributed Denial-of. of-service Attacks by analyzing TCP SYN packets statistically. Yuichi Ohsita Osaka University

Detecting Specific Threats

DDoS PREVENTION TECHNIQUE

Internet Protocol and Transmission Control Protocol

Internet Control Message Protocol

Chapter 8 roadmap. Network Security

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

IDS: Signature Detection

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

Fast and Evasive Attacks: Highlighting the Challenges Ahead

AN INTRODUCTION TO ARP SPOOFING

Darknet Traffic Analysis by Using Source Host Classification

Outwitting the Witty Worm Exploiting Underlying Structure for Detailed Reconstruction of an Internet-Scale Event

CS 161 Computer Security

Analysis of Country-wide Internet Outages Caused by Censorship

"Dark" Traffic in Network /8

Spoofer Location Detection Using Passive Ip Trace back

DDoS Testing with XM-2G. Step by Step Guide

CSE/EE 461 Lecture 13 Connections and Fragmentation. TCP Connection Management

Lecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms

Honeypots observations and their usefulness

Improving Machine Learning Network Traffic Classification with Payload-based Features

Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Understanding the Internet

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Chapter 7. Denial of Service Attacks

Background Traffic to Network /8

Configuring attack detection and prevention 1

Detecting and Alerting TCP IP Packets againt TCP SYN attacks

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

Introduction to Netflow

9. Security. Safeguard Engine. Safeguard Engine Settings

CS155 Firewalls. Why Firewalls? Why Firewalls? Bugs, Bugs, Bugs

Unit 4: Firewalls (I)

ELEC5616 COMPUTER & NETWORK SECURITY

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Università degli Studi di Pisa

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Developing the Sensor Capability in Cyber Security

StreamWorks A System for Real-Time Graph Pattern Matching on Network Traffic

International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN

Towards Intelligent Fuzzy Agents to Dynamically Control the Resources Allocations for a Network under Denial of Service Attacks

Real-Time Attack Monitoring on Telecom Network Using Open-Source Darknet and Honeypot Setup

Distributed Denial of Service (DDoS)

THE "TRIBE FLOOD NETWORK 2000" DISTRIBUTED DENIAL OF SERVICE ATTACK TOOL

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can

Investigating the Dark Cyberspace: Profiling, Threat-Based Analysis and Correlation

TDC DoS Protection Service Description and Special Terms

Denial of Service and Distributed Denial of Service Attacks

Flow Based Observations from NETIQhome and Honeynet Data

The Reconnaissance Phase

Computer Security: Principles and Practice

Statistical and Visualization Techniques for Streaming Data

Enhancing the Reliability and Accuracy of Passive IP Traceback using Completion Condition

A Review Paper on Network Security Attacks and Defences

Internet-Wide Port Scanners Some history behind the development of high performance port scanners. Things to consider, and necessary preparations

20-CS Cyber Defense Overview Fall, Network Basics

Transport Layer. The transport layer is responsible for the delivery of a message from one process to another. RSManiaol

Initial results from an IPv6 Darknet

EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

DDoS and Traceback 1

Basic Concepts in Intrusion Detection

Configuring attack detection and prevention 1

A System for Characterising Internet Background Radiation Literature Review

Mapping Internet Sensors with Probe Response Attacks

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Firewalls, Tunnels, and Network Intrusion Detection

IxLoad-Attack TM : Network Security Testing

JPCERT/CC Incident Handling Report [January 1, March 31, 2018]

CSC 4900 Computer Networks: Security Protocols (2)

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Configuring Anomaly Detection

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Transcription:

An study of the concepts necessary to create, as well as the implementation of, a flexible data processing and reporting engine for large datasets. Ignus van Zyl 1 Statement of problem Network telescopes observe millions of packets of Internet traffic through the monitoring of unused IP address space Moore et al. [2004]. The data gathered by these telescopes is important to the study of Internet Background RadiationPang et al. [2004] and also more specifically to the monitoring and study of potentially malicious IP traffic across the internet Irwin [2011]. With increasingly large datasets being created by telescopes across multiple studies, the distribution of analysis results through the scientific community could be improved by creating a flexible yet standardised reporting engine Irwin [2013]. Such a standardised reporting format will also provide researchers with an overview of trends in the analysed data-sets. 2 Objective of research To utilize data analysis techniques to process large packet capture datasets, and to create output in the style of a report that succinctly summarises the key trends and characteristics of the data-sets. Such an engine should be flexible with the data it can process. This engine should also aim to offer customisable report formats, as well as suitable high level statistical and graphical representations of the target data-set. 3 Background information on subject material 3.1 Network Telescope A network telescope is some part of assigned and address routed IP space. The IP addresses are used but not utilized by any host system Moore et al. [2004]. Any traffic received can be defined as unsolicited Moore et al. [2004]. 1

3 Background information on subject material 2 Studying traffic captured by these telescopes provide researchers with interesting insights into network security events such as denial-of-service attacks, Internet worm packets and network scanning attempts Moore et al. [2004]. Network telescopes do not respond to requests, nor send traffic within the IP address block that it observes. The telescope does not record packet data outside of the observed net block Du and Yang [2011]. 3.2 Internet Background Radiation Internet Background Radiation is the formal term given to unsolicited Internet traffic that is sent to unused IP addresses [Pang et al., 2004]. This traffic can be charecterised as non-productive as the packets are destined for unused addresses and servers that are not running [Pang et al., 2004]. This traffic can consist of a number of different packets, including but not limited to: denial-of-service backscatter, network scans, worm infection attempts and corrupted packets Pang et al. [2004]. The purpose of network telescopes is to capture this radiation; which can then be subject to further analysis. 3.3 Measured Network Telescope traffic A typical network telescope will collect both relevant and irrelevant traffic. One task of telescope data-set analysis is to sort packets so that those that offer no intelligible information can be identified and ignored. The packets worth analysing can be grouped as follows: Active Traffic Active traffic can be determined to be packets which are expected to elicit a response when processed by the TCP/IP stack of the receiving host [Irwin, 2011]. TCP packets that have the SYN flag set, indicating that a response is expected, are counted for analysis purposes. TCP packets that have the ACK or RST flags set could be the result of backscatter traffic. Backscatter traffic could be the result of the monitered address being used in spoof packets as part of a security attack [Irwin, 2013]. ICMP traffic packets that attempt to elicit any response will also be analysed [Harder et al., 2006, Irwin, 2011]. Since UDP traffic is stateless, no expectations for initiation or response can be inferred from the headers. As such, deeper analysis of the UDP payload is required to determine if the UDP traffic is active [Irwin, 2011]. Passive Traffic Passive traffic is traffic that, when processed by the TCP/IP stack of the receiving host will give no legitimate response. It is considered unlikely that

4 Related Work 3 potentially malicious software would use these packets to determine information about the host system Irwin [2011]. Passive traffic is usually the result of scanning activity; which is typically the result of the monitored IP range being spoofed, denial-of-service flooding, misconfiguration of network addresses or mangled and unintelligable packets [Irwin, 2011]. 3.4 Important Statistics and Identifiers The analysis will focus on identifying and quantifying the telescope traffic into statistically relevant information. Such information includes the most observed IP addresses from sending hosts, the most targeted ports on the receiving host, the type of internet traffic, times of traffic activity, geolocation of activity source, frequency of packets from any given IP address, and classifications of overall traffic activity [Harder et al., 2006]. Other relevant statistics include: number of unique source and destination ports; total number of IPv4 and IPv6 packets, as well as total number of bytes [Irwin, 2011]. These statistics will be represented in various formats, including geolocational graphs, time series plots, and tables of statistical analysis [Irwin, 2011]. 4 Related Work The analysis and reporting on of large datasets is by no means an original idea. Much mork has been done, both in the spheres of science and commerce, to mine extremely large datasets. One such example is the WEKA data mining software, which has been in development since 1993. The system aims to provide both machine learning algorithms and data preprocessing tools [Hall et al., 2009]. CAIDA, the cooperative association for internet data analysis, conduct regular measurements of Internet traffic across various networks [cai, 2014]. CAIDA also maintains the USCD network telescope, which observes traffic over a globally routed /8 network, as well as analysing the data collected from these observations [cai, 2012]. CAIDA has also put together an Educational Data Kit that uses data collected from the USCD telescope [Zseby et al., 2014]. PREDICT, the Protected Repository for the Defense of Infrastructure Against Cyber Threats, serves as a large repository of regularly updated network operations data-sets [PRE, 2014]. PREDICT is limited though as the restrictive access policies require researchers to work within certain geographical constraints, such as the continental United States [Irwin, 2011]. 5 Research Approach The first aim in the implementation is to develop a series of scripts to process the captures in the data-sets. The second aim is to build a reporting framework for the selection and formatting of the generated output based

6 Requirements and resources 4 on specialist scripts. From there the focus will be on making the framework more flexible and customisable with regards to the analysis and reporting of different data-sets. 6 Requirements and resources One obvious requirement is access to the datasets created by network telescopes during their surveilance of unused IP space. Useful resources include python libraries that target data mining and analysis. Other useful resources, depending on the eventual direction of the project, could extend as far as space on a web server from which to host a web-based reporting engine. Server space will have to be allocated to host the project report website as well. 7 Progression Timeline Proposal Document - 3 March 2014 Seminar on project - 4 March 2014 Gather relevant articles, conference proceedings. Start implementation Literature Review - 30 May 2014 Seminar - Early August 2014 Website completion - 7 November 2014 Project completion - Mid November 2014 References The USCD network telescope. Online, August 2012. URL http://www. caida.org/projects/network_telescope/. The PREDICT repository. Online, 2014. URL https://www.predict.org/. https://www.predict.org/. Traffic analysis research. Online, February 2014. URL {http://www.caida. org/research/traffic-analysis/}. H. Du and J. Yang. Discovering Collaborative Cyber Attack Patterns Using Social Network Analysis. Social Computing, Behavioral-Cultural Modeling and Prediction. Springer Berlin Heidelberg, March 2011.

7 Progression Timeline 5 M. Hall, E. Frank, G. Holmes, B. Pfahringer, P. Reutermann, and H. Witten, I. The weka data mining software: an update. ACM SIGKDD Explorations Newsletter, 11(1):10 18, June 2009. Uli Harder, Matt W. Johnson, Jeremy T. Bradley, and William J. Knottenbelt. Observing internet worm and virus attacks with a small network telescope. Electronic Notes in Theoretical Computer Scinece, 151(3):47 59, May 2006. Barry Irwin. A FRAMEWORK FOR THE APPLICATION OF NETWORK TELESCOPE SENSORS IN A GLOBAL IP NETWORK. PhD thesis, Rhodes University, January 2011. Barry Irwin. A baseline study of potentially malicious activity across five network telescopes. In 5th International Conference on Cyber Conflict, 2013. David Moore, Colleen Shannon, Geoffrey M Voelker, and Stefan Savage. Network Telescopes: Technical Report. Technical report, Cooperative Association for Internet Data Analysis (CAIDA), Jul 2004. Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, and Larry Peterson. Characteristics of internet background radiation. In Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, pages 27 40. ACM, 2004. Tanja Zseby, Alistair King, Marina Fomenkov, and KC Claffy. Analysis of unidirectional ip traffic to darkspace with an educational data kit. 2014.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback