2. Agenda
Introduction.
What is Malicious traffic.
Malicious traffic types.
Malicious traffic detection and prevention.
Conclusion.
3. Introduction
As the Internet becomes more mature, management of its resources to provide guaranteed services is crucial.
The success of the Internet has increased its vulnerability to misuse and performance problems.
4. Introduction
It has been frequently abused by people, mostly with hostile intentions.
We have been under various kinds of attacks such as viruses, worms and, commonly, a bunch of spam mails every day.
6. Malicious Traffic
It is hard to detect malicious packets and distinguish them from legitimate packets in the traffic.
The behavior of Internet traffic is very far from being regular.
It presents large variations in its throughput at all scales.
7. Malicious Traffic
Any traffic anomaly, ranging from hardware or software failures to Internet packets with maliciously modified options.
Often generated by what are called botnets.
9. Malicious Traffic
Monitoring the flow of packets.
Malicious traffic usually exhausts legitimate resources by sending a lot of traffic.
Monitoring traffic targeting unused addresses
in the network.
11. Scanners
Single source.
Strikes the same port on many machines.
Or different ports on the same machine.
Generates a lot of flows.
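The two scanner shapes described above (one port across many hosts, many ports on one host) and the unused-address check from slide 9 can all be read off the same per-source flow profile. The following is an added example, not part of the original deck; it runs over constructed NetFlow-style records, and the unused address range and the thresholds are assumptions for illustration.

```python
"""Flow-based scanner detection: horizontal scans, vertical scans and
hits on unused (dark) address space, computed per source address."""
import ipaddress
from collections import defaultdict

# Constructed sample flows: (src_ip, dst_ip, dst_port). Not real traffic.
FLOWS = [
    ("10.0.0.5", "192.168.1.1", 445), ("10.0.0.5", "192.168.1.2", 445),
    ("10.0.0.5", "192.168.1.3", 445), ("10.0.0.5", "192.168.1.4", 445),
    ("10.0.0.5", "192.168.1.5", 445), ("10.0.0.5", "192.168.1.6", 445),
    ("10.0.0.5", "192.168.9.20", 445), ("10.0.0.5", "192.168.9.21", 445),
    ("10.0.0.7", "192.168.1.10", 21), ("10.0.0.7", "192.168.1.10", 22),
    ("10.0.0.7", "192.168.1.10", 23), ("10.0.0.7", "192.168.1.10", 25),
    ("10.0.0.7", "192.168.1.10", 80), ("10.0.0.7", "192.168.1.10", 443),
    ("10.0.0.9", "192.168.1.10", 80), ("10.0.0.9", "192.168.1.10", 443),
]

# Assumption: this range is allocated but has no live hosts, so any
# traffic to it is suspicious by definition (slide 9).
UNUSED_SPACE = [ipaddress.ip_network("192.168.9.0/24")]

HORIZONTAL_THRESHOLD = 5   # distinct hosts contacted on one port
VERTICAL_THRESHOLD = 5     # distinct ports contacted on one host


def in_unused_space(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNUSED_SPACE)


def profile_sources(flows):
    """Per source: hosts seen per port, ports seen per host, dark-space hits."""
    hosts_by_port = defaultdict(lambda: defaultdict(set))
    ports_by_host = defaultdict(lambda: defaultdict(set))
    dark_hits = defaultdict(int)
    for src, dst, port in flows:
        hosts_by_port[src][port].add(dst)
        ports_by_host[src][dst].add(port)
        if in_unused_space(dst):
            dark_hits[src] += 1
    return hosts_by_port, ports_by_host, dark_hits


def classify_sources(flows):
    """Map each source address to the list of reasons it looks like a scanner
    (an empty list means nothing suspicious was seen)."""
    hosts_by_port, ports_by_host, dark_hits = profile_sources(flows)
    verdicts = {}
    for src in sorted({f[0] for f in flows}):
        reasons = []
        for port, hosts in hosts_by_port[src].items():
            if len(hosts) >= HORIZONTAL_THRESHOLD:
                reasons.append(f"horizontal scan: port {port} on {len(hosts)} hosts")
        for host, ports in ports_by_host[src].items():
            if len(ports) >= VERTICAL_THRESHOLD:
                reasons.append(f"vertical scan: {len(ports)} ports on {host}")
        if dark_hits[src]:
            reasons.append(f"unused address space: {dark_hits[src]} flows")
        verdicts[src] = reasons
    return verdicts


if __name__ == "__main__":
    for src, reasons in classify_sources(FLOWS).items():
        print(src, reasons or "ok")
```

On a real network the thresholds would be tuned against a baseline of legitimate fan-out (monitoring systems and backup servers legitimately touch many hosts on one port), and the unused ranges would come from the address plan rather than a literal.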
12. Worms
Self-replicating virus that does not alter files
but resides in active memory and duplicates
itself.
CodeRed worm infected 395,000 computers
and resulted in approximately $2.6 billion in
damage.
Results in an increase in service activity, especially if the service normally sees low traffic.
13. Worms
MyTob Worm, 2005
Copies itself as %System%\msnmsgs.exe
Adds the value “MSN” = “msnmsgs.exe” to the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
W32.Mytob@mm runs every time Windows starts.
[Figure: IRC Server, User Zone, Server Zone]
14. Malicious Spam
Spamming is flooding the network with a huge
amount of unsolicited email messages to force
people to receive them.
Contains malware or links to malicious sites.
15. Backscatter
Email bounces for emails that a person didn’t
send.
The spammer spoofs the Reply-to field in the email.
When sent to an email server, the message bounces to the Reply-to address rather than to the real sender.
Used to overcome spam filters and in DOS
attacks.
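Because a backscatter bounce refers to a message the victim never sent, the mail server that receives it can tell it apart from a genuine bounce by checking the returned message against its own outbound log. The following is an added example, not from the original deck: the bounce messages and the outbound log are constructed, and the bounce format (original headers quoted in the body, as classic non-MIME bounces do) is an assumption for illustration.

```python
"""Separate genuine bounces from backscatter by checking the Message-ID of
the returned message against the Message-IDs this site actually sent."""
import re
from email import message_from_string

# Constructed outbound log: Message-IDs our MTA really delivered.
SENT_MESSAGE_IDS = {"<a1@example.org>", "<a2@example.org>"}

# Constructed bounce messages. The first refers to a real outbound message;
# the other two refer to mail a spammer sent with alice's address in Reply-to.
def _bounce(original_id: str, recipient: str) -> str:
    return (
        "From: MAILER-DAEMON@mail.example.net\n"
        f"To: {recipient}\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "Auto-Submitted: auto-replied\n"
        "\n"
        "Your message could not be delivered to one or more recipients.\n"
        "\n"
        "----- Original message -----\n"
        f"Message-ID: {original_id}\n"
        f"From: {recipient}\n"
        "To: someone@example.net\n"
    )

INBOUND = [
    _bounce("<a1@example.org>", "alice@example.org"),
    _bounce("<spam-9@hijack.invalid>", "alice@example.org"),
    _bounce("<spam-10@hijack.invalid>", "alice@example.org"),
    # An ordinary message, not a bounce at all; must be ignored.
    "From: bob@example.net\nTo: alice@example.org\nSubject: hi\n\nhello\n",
]

ORIGINAL_ID_RE = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.MULTILINE | re.IGNORECASE)


def is_bounce(msg) -> bool:
    """Heuristic: delivery-status notifications are auto-replied and come
    from the mailer daemon."""
    auto = (msg.get("Auto-Submitted") or "").lower()
    sender = (msg.get("From") or "").upper()
    return auto.startswith("auto-replied") or sender.startswith("MAILER-DAEMON")


def original_message_id(msg):
    """Pull the Message-ID of the returned message out of the bounce body."""
    body = msg.get_payload()
    if not isinstance(body, str):
        return None
    m = ORIGINAL_ID_RE.search(body)
    return m.group(1) if m else None


def classify_bounces(raw_messages, sent_ids):
    """Return {'legitimate': [...ids], 'backscatter': [...ids]}."""
    result = {"legitimate": [], "backscatter": []}
    for raw in raw_messages:
        msg = message_from_string(raw)
        if not is_bounce(msg):
            continue
        mid = original_message_id(msg)
        bucket = "legitimate" if mid in sent_ids else "backscatter"
        result[bucket].append(mid)
    return result


if __name__ == "__main__":
    print(classify_bounces(INBOUND, SENT_MESSAGE_IDS))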
16. DOS, DDOS
Generate a huge amount of adverse traffic to a
target server to make it unavailable.
Attempt to exhaust the resources of the victim.
They are difficult to detect and prevent.
DDOS attacks are launched simultaneously from several sources destined for the same target.
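The editor's note at the end of the deck gives the detection handle: legitimate flows are roughly symmetric (a packet sent is answered within about one round trip), which an edge router can measure cheaply, whereas a flood sends far more toward the victim than comes back. The following is an added example, not from the original deck; flows are constructed, and the asymmetry ratio, minimum packet count and source-count cut-off are assumptions.

```python
"""Flood detection at the edge: aggregate per-target packet asymmetry and
count distinct sources to separate single-source DoS from DDoS."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    pkts_to_dst: int     # packets seen travelling toward dst
    pkts_from_dst: int   # packets dst sent back within the same flow


# Constructed records: normal web traffic to .20, a 50-source flood against
# .10, and a single-source flood against .30.
FLOWS = (
    [Flow("198.51.100.1", "203.0.113.20", 40, 38),
     Flow("198.51.100.2", "203.0.113.20", 55, 50),
     Flow("198.51.100.3", "203.0.113.20", 12, 12)]
    + [Flow(f"198.51.100.{i}", "203.0.113.10", 5000, 20) for i in range(10, 60)]
    + [Flow("198.51.100.99", "203.0.113.30", 80000, 100)]
)

ASYMMETRY_RATIO = 20.0    # packets toward target / packets back (assumed)
MIN_PACKETS = 10_000      # ignore small flows to keep false positives down
DDOS_MIN_SOURCES = 10     # at least this many senders => distributed


def per_target_stats(flows):
    """Sum inbound/outbound packets and collect sources for each target."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "sources": set()})
    for f in flows:
        s = stats[f.dst]
        s["in"] += f.pkts_to_dst
        s["out"] += f.pkts_from_dst
        s["sources"].add(f.src)
    return stats


def detect_floods(flows):
    """Return {target: (kind, distinct_sources, asymmetry_ratio)} for targets
    whose inbound traffic is both large and badly unanswered."""
    alerts = {}
    for dst, s in per_target_stats(flows).items():
        if s["in"] < MIN_PACKETS:
            continue
        ratio = s["in"] / max(s["out"], 1)   # guard: target may never answer
        if ratio < ASYMMETRY_RATIO:
            continue
        kind = "DDoS" if len(s["sources"]) >= DDOS_MIN_SOURCES else "DoS"
        alerts[dst] = (kind, len(s["sources"]), round(ratio, 1))
    return alerts


if __name__ == "__main__":
    for target, (kind, n_src, ratio) in detect_floods(FLOWS).items():
        print(f"{target}: {kind} from {n_src} source(s), in/out ratio {ratio}")
```

The asymmetry test is what makes this usable at the edge: it needs only flow counters, not payloads, and it also catches spoofed-source floods, since spoofing changes who appears to send but not the fact that the victim's replies go nowhere useful.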
18. Malicious traffic Detection and Prevention
Anomaly detection techniques.
Signature-scan techniques.
Intrusion detection and prevention systems.
QoS metrics.
Tools such as Snort.
Network filters such as ACLs.
Honeypots.
19. Anomaly detection techniques
Differentiates between normal and malicious traffic by:
Studying the normal behavior of users and resources.
Creating patterns for these activities.
Any behavior that deviates from these patterns is considered malicious.
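The three steps above (learn normal behavior, turn it into a pattern, flag deviations) in their simplest statistical form: fit mean and standard deviation of a traffic feature over a quiet period, then score new observations by how many standard deviations they sit from that mean. The following is an added example, not from the original deck; the per-minute packet counts are constructed and the z-score cut-off is an assumption.

```python
"""Baseline-and-deviation anomaly detector for a single traffic feature
(packets per minute), following the learn / pattern / deviate scheme."""
import statistics

# Constructed training window: 30 minutes of normal traffic around 1000 pkt/min.
TRAINING = [980, 1010, 1005, 995, 1020, 990, 1000, 1015, 985, 1000] * 3

# Constructed live window: minute 2 is a surge, minute 4 is a collapse
# (a drop is just as much a deviation as a spike: an outage or a choked link).
LIVE = [1005, 990, 1300, 1010, 400]

Z_THRESHOLD = 3.0   # assumed: flag anything beyond three standard deviations


class Baseline:
    """The 'pattern' learned from normal traffic."""

    def __init__(self, samples):
        if len(samples) < 2:
            raise ValueError("need at least two samples to build a baseline")
        self.mean = statistics.mean(samples)
        self.stdev = statistics.pstdev(samples)

    def score(self, value: float) -> float:
        """z-score of one observation; a flat baseline (stdev 0) scores any
        change as infinite so it is never silently ignored."""
        if self.stdev == 0:
            return 0.0 if value == self.mean else float("inf")
        return (value - self.mean) / self.stdev


def find_anomalies(baseline: Baseline, window, threshold=Z_THRESHOLD):
    """Return [(index, value, z)] for observations that deviate too far."""
    hits = []
    for i, value in enumerate(window):
        z = baseline.score(value)
        if abs(z) > threshold:
            hits.append((i, value, round(z, 2)))
    return hits


if __name__ == "__main__":
    base = Baseline(TRAINING)
    print(f"baseline: mean={base.mean:.1f} stdev={base.stdev:.2f}")
    for idx, value, z in find_anomalies(base, LIVE):
        print(f"minute {idx}: {value} pkt/min (z={z})")
```

In practice one baseline per hour-of-day and per weekday, and more than one feature (distinct sources, flow count, bytes per flow), keeps the diurnal cycle itself from being reported as an attack.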
20. Signature-scan techniques
Uses a database that stores signatures.
Passively scans network traffic; any pattern that matches a stored signature is considered malicious traffic.
Effective for known attacks.
21. Intrusion detection and prevention systems
Software or hardware that is designed to
detect and prevent any malicious attack or
activity on the network.
Monitor the network traffic.
Analyze any suspicious event.
Log these events and report them to the network administrator for action.
22. QoS metrics
Studying the behavior of the network traffic under normal conditions and under malicious attacks.
Extracting parameters from network traffic.
23. Snort
Open source tool that is used in intrusion detection systems.
Performs real-time analysis of the network traffic.
As an intrusion detection system it monitors the traffic, analyzes it and informs the network administrator of suspicious activities.
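Slide 20 describes signature scanning (a database of patterns, matched passively against traffic) and this slide names Snort as the tool that does it against a user-defined ruleset. The following added example, not from the deck and not Snort's own code, ties the two together: a parser for a small subset of Snort's rule syntax (header plus the msg, content and sid options) and a matcher that runs those signatures over constructed packets. The rules and packets are constructed; hex content, negated fields, port lists and the other option keywords are deliberately unsupported.

```python
"""Minimal signature scanner: parse a subset of Snort rule syntax and match
the resulting signatures against packet headers and payload."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed rules in Snort syntax (subset). SIDs above 1,000,000 are the
# range reserved for local rules.
RULES = [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"constructed: cgi-bin probe"; content:"/cgi-bin/"; sid:1000001;)',
    'alert tcp any any -> any 21 (msg:"constructed: FTP root login attempt"; content:"USER root"; sid:1000002;)',
]

# Constructed packets: proto, src, sport, dst, dport, payload (bytes).
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /cgi-bin/test.cgi HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51001, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.6", "sport": 40000, "dst": "192.168.1.20", "dport": 21,
     "payload": b"USER root\r\n"},
    {"proto": "tcp", "src": "10.0.0.6", "sport": 40001, "dst": "10.9.9.9", "dport": 80,
     "payload": b"GET /cgi-bin/x HTTP/1.0\r\n"},   # outside the rule's dst network
]


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: str = ""
    contents: list = field(default_factory=list)   # byte strings, all must match


HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(line: str) -> Rule:
    """Parse 'action proto src sport -> dst dport (options)'."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule = Rule(*m.groups()[:6])
    for opt in m.group(7).split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = val
        elif key == "content":
            rule.contents.append(val.encode())
        # any other option keyword is ignored in this subset
    return rule


def _ip_ok(pattern: str, ip: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_ok(pattern: str, port: int) -> bool:
    if pattern == "any":
        return True
    if ":" in pattern:                       # Snort range syntax lo:hi
        lo, hi = pattern.split(":", 1)
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(pattern) == port


def matches(rule: Rule, pkt) -> bool:
    """Header fields must all match and every content string must be present."""
    return (rule.proto in ("ip", pkt["proto"])
            and _ip_ok(rule.src, pkt["src"]) and _port_ok(rule.sport, pkt["sport"])
            and _ip_ok(rule.dst, pkt["dst"]) and _port_ok(rule.dport, pkt["dport"])
            and all(c in pkt["payload"] for c in rule.contents))


def scan(rule_lines, packets):
    """Return [(sid, msg, packet_index)] for every rule hit."""
    rules = [parse_rule(r) for r in rule_lines]
    return [(r.sid, r.msg, i) for i, p in enumerate(packets) for r in rules if matches(r, p)]


if __name__ == "__main__":
    for sid, msg, idx in scan(RULES, PACKETS):
        print(f"[{sid}] {msg} (packet {idx})")
```

The last packet shows why the header part of a signature matters: the payload pattern is present, but the rule is scoped to the protected network, so it does not fire. Snort itself does considerably more than this (stream reassembly, normalization, the full option language), but the decision it makes per packet is the same one: header constraints and content patterns, all of which must hold.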
24. ACLs
Installed in routers; they match packet headers against a pre-defined list of rules and take pre-defined actions on any matching packets.
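An ACL is evaluated top to bottom, the first matching entry decides, and a packet that matches nothing is dropped by the implicit deny at the end, which is why entry order is part of the policy. The following is an added example, not from the deck and not any router's code: a first-match ACL evaluator with per-entry hit counters over constructed packets; the ACL itself is an assumed sample policy.

```python
"""First-match ACL evaluation with implicit deny and per-entry hit counts,
the way a router applies an access list to packet headers."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None means any destination port


# Constructed sample policy: block one source range outright, then allow
# web and DNS into the server network. Everything else hits the implicit deny.
ACL = [
    AclEntry("deny",   "ip",  "10.0.0.0/8", "any",             None),
    AclEntry("permit", "tcp", "any",        "192.168.1.0/24",  80),
    AclEntry("permit", "tcp", "any",        "192.168.1.0/24",  443),
    AclEntry("permit", "udp", "any",        "192.168.1.53/32", 53),
]

# Constructed packets; dport is None for protocols without ports.
PACKETS = [
    {"proto": "tcp",  "src": "198.51.100.7", "dst": "192.168.1.10", "dport": 80},
    {"proto": "tcp",  "src": "10.1.2.3",     "dst": "192.168.1.10", "dport": 80},   # blocked by entry 0
    {"proto": "udp",  "src": "198.51.100.7", "dst": "192.168.1.53", "dport": 53},
    {"proto": "tcp",  "src": "198.51.100.7", "dst": "192.168.1.10", "dport": 22},   # no entry: implicit deny
    {"proto": "icmp", "src": "198.51.100.7", "dst": "192.168.1.10", "dport": None}, # no entry: implicit deny
]


def _net_ok(pattern: str, ip: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def entry_matches(e: AclEntry, pkt) -> bool:
    return (e.proto in ("ip", pkt["proto"])
            and _net_ok(e.src, pkt["src"])
            and _net_ok(e.dst, pkt["dst"])
            and (e.dport is None or e.dport == pkt["dport"]))


def evaluate(acl, pkt):
    """Return (action, entry_index); index -1 is the implicit deny."""
    for i, e in enumerate(acl):
        if entry_matches(e, pkt):
            return e.action, i
    return "deny", -1


def apply_acl(acl, packets):
    """Decide every packet; return decisions, per-entry hits and implicit-deny count."""
    hits = [0] * len(acl)
    implicit_denies = 0
    decisions = []
    for pkt in packets:
        action, idx = evaluate(acl, pkt)
        if idx >= 0:
            hits[idx] += 1
        else:
            implicit_denies += 1
        decisions.append(action)
    return decisions, hits, implicit_denies


if __name__ == "__main__":
    decisions, hits, implicit = apply_acl(ACL, PACKETS)
    print("decisions:", decisions)
    print("hits per entry:", hits, "implicit denies:", implicit)
```

The second packet is the instructive one: it would be permitted by entry 1, but entry 0 is evaluated first. Swapping the two entries changes the policy without changing a single rule, and the hit counters are what an operator checks to see which entries are actually doing work.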
25. Honeypots
“a security resource whose value lies in being
probed, attacked or compromised”
Any attempt to interact with a honeypot indicates malicious activity or an attack.
26. Conclusion
Malicious traffic is any traffic anomaly, whether it arises from failures or from packets intentionally modified for malicious acts.
By studying malicious attacks we can obtain a better understanding of malicious traffic and of how to detect and prevent these attacks.
An increase in awareness of the importance of security will help in mitigating Internet misuse.
Editor's Notes
threats may range from simple to severe functional and financial damage to the network infrastructure. Adding the legal perspective, these threats should be clearly and carefully identified, analyzed and managed.
data is encapsulated in packets.
Most flows are roughly symmetric at the packet level. Whenever a packet is sent, a packet is received within some reasonable interval (round trip time). This can be measured (and enforced) at the edge router inexpensively.
These botnets launch malicious traffic that attacks network hosts and Internet service providers (ISPs).
Malicious traffic can be detected by monitoring the network traffic using packet monitoring tools and studying any abnormal or suspected behavior in the network. By monitoring the flow of packets, maliciously changed packets can be identified and infected computers can be determined based on their signatures. In addition, malicious traffic usually exhausts the legitimate resources by sending a lot of traffic to halt their functionality. Another measurement can be made by monitoring traffic targeting unused addresses in the network [3]. Unused addresses should expect a very limited load of traffic, not to mention that no device should be connected to them.
Among all attacks, the denial-of-service (DoS) attack is one of the attacks rather difficult to detect and prevent, since they exploit regular services and overwhelm such services with tremendous malicious traffic.
Anomaly detection first establishes a normal behavior pattern for users, programs or resources in the system, and then looks for deviation from this behavior. Signature-scan techniques passively monitor traffic seen on a network and detect an attack when patterns within the packet match predefined signatures in a database. Honeypots are a resource that has no authorized activity; they do not have any production value. Theoretically, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity. Any connection attempts to a honeypot are most likely a probe, attack, or compromise. Snort's open source network-based intrusion detection system (NIDS) has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort can be configured in three main modes: sniffer, packet logger, and network intrusion detection. In the last mode, the program will monitor network traffic and analyze it against a ruleset defined by the user. The program will then perform a specific action based on what has been identified.