
April 10, 2011 Salzburg, Austria - WOMBAT project

[Figure 3 (image not reproduced): (a) Statistics of IDS detected sessions; (b) Distribution of IDS alerts.]
Figure 3. Statistics of IDS detected sessions and distribution of IDS alerts.

Table 3. Locations of top 10 source IP addresses in Japan
IP address   Count       Location
x.x.x.1      1,932,303   Darknet
x.x.x.2      530,039     L2 Switch (Unicast Flooding)
x.x.x.3      377,599     Darknet
x.x.x.4      355,607     L2 Switch (Unicast Flooding)
x.x.x.5      170,182     Honeypot (Windows 2k)
x.x.x.6      131,115     Darknet
x.x.x.7      118,006     No honeypot (MacOS X)
x.x.x.8      105,832     Honeypot (Fedora Core)
x.x.x.9      100,824     No honeypot
x.x.x.10     92,509      Honeypot (Original WinXP)

IDS alerts. During the analysis, we first counted the number of sessions (i.e., the blue lines in Figure 3(a)) detected by the SNS7176 IDS system, and we observed that among all 43,043,255 attack sessions, 6,650,335 sessions triggered IDS alerts. The average number of IDS detected sessions per day was 6,690. In particular, Figure 3(a) shows that on only 6 days (i.e., ① to ⑥) the number of IDS detected sessions is far larger than on the other days. In our further investigation, as shown in Table 4, we found that these were caused by too many P2P connection requests (①), SYN scanning of IPv4 addresses by a single host (②), SYN flooding attacks against a single spam mail server (③ to ⑤) and backscatter from a single host (⑥). Secondly, we counted how many different types of IDS alerts were recorded on each day (i.e., the brown lines in Figure 3(a)) and the cumulative number of different IDS alerts over the observation period (i.e., the red lines in Figure 3(a)). From our analysis, we observed 41 unique IDS alerts per day on average, and the total number of unique IDS alerts is 290. From Figure 3(a), we can see that the total number of unique IDS alerts converges to 300 (⑦). Since we enabled essentially all IDS signatures and updated them periodically, a gradual increase is natural. The reason the total number of unique IDS alerts converges to 300, however, is that update support for the IDS signatures was suspended in Dec. 2009; in fact, the number of updated IDS signatures had already dropped sharply in the months before Dec. 2009.

Table 4. IDS alerts observed during 6 days
Date   Signature name                                  Count
①      P2P BitTorrent Activity                         1,802
       P2P Edonkey Start Upload Request                2,867
       Too Many SYNs for a TCP Connection              3,011
       Emule File Traffic Detected                     5,586
       P2P eMule Hello                                 5,369
       P2P Emule Kademlia Request                      8,100
②      Too Many SYNs for a TCP Connection              1,341
       Out-of-Sequence TCP RST Packet                  4,779
③      Out-of-Sequence TCP SYN Packet                  13,859
       Too Many SYNs for a TCP Connection              13,364
④      MS SQL Stack BO                                 4,685
       Too Many SYNs for a TCP Connection              22,223
⑤      MS SQL Stack BO                                 2,508
       Too Many SYNs for a TCP Connection              21,285
⑥      Unauthenticated OSPF                            5,893
       Repeated TCP SYN with Diff ISN and TTL          6,820
       MS SQL Stack BO                                 10,264

Table 5. Number of five malwares.
Malware Name               Count (One month)   Count (Total)
Trojan.Fakealert-532       17,118              22,802
Trojan.Agent-52097         6,803               10,586
HTML.Phishing.Bank-1272    4,205               5,411
Trojan.Goldun-278          2,237               2,237
Trojan.Goldun-280          1,156               1,156
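The per-day counting described above (sessions that triggered alerts, distinct signatures per day, and the cumulative number of distinct signatures, i.e. the blue, brown and red lines of Figure 3(a)), together with the two observations drawn from those curves (spike days such as ① to ⑥ and the plateau at ⑦ that betrays a stale signature feed), as an added Python example that is not part of the original paper; the alert records, thresholds and window size are constructed for illustration:

```python
"""Daily IDS-alert statistics of the kind plotted in Figure 3(a) (added example)."""
from collections import defaultdict
from statistics import median

# Constructed sample alerts: (date, session_id, signature_name). Signature names
# are taken from Table 4; the dates and session ids are made up for this example.
SAMPLE_ALERTS = [
    ("2010-01-01", "s1", "P2P BitTorrent Activity"),
    ("2010-01-01", "s2", "P2P eMule Hello"),
    ("2010-01-01", "s2", "P2P Emule Kademlia Request"),   # same session, 2nd signature
    ("2010-01-02", "s3", "Too Many SYNs for a TCP Connection"),
    ("2010-01-02", "s4", "MS SQL Stack BO"),
    ("2010-01-03", "s5", "Too Many SYNs for a TCP Connection"),
    ("2010-01-04", "s6", "MS SQL Stack BO"),               # a spike day: 5 sessions
    ("2010-01-04", "s7", "MS SQL Stack BO"),
    ("2010-01-04", "s8", "MS SQL Stack BO"),
    ("2010-01-04", "s9", "MS SQL Stack BO"),
    ("2010-01-04", "s10", "MS SQL Stack BO"),
    ("2010-01-05", "s11", "MS SQL Stack BO"),
]

def daily_stats(alerts):
    """Return {date: (detected_sessions, unique_signatures_today, cumulative_unique)}.

    Sessions are counted once per day even if they triggered several signatures;
    the cumulative count is over all days up to and including the given date.
    """
    sessions, sigs = defaultdict(set), defaultdict(set)
    for date, sid, sig in alerts:
        sessions[date].add(sid)
        sigs[date].add(sig)
    seen, out = set(), {}
    for date in sorted(sessions):
        seen |= sigs[date]
        out[date] = (len(sessions[date]), len(sigs[date]), len(seen))
    return out

def outlier_days(stats, factor=2.0):
    """Days whose detected-session count exceeds `factor` x the daily median (the ①-⑥ spikes)."""
    med = median(s for s, _, _ in stats.values())
    return [d for d, (s, _, _) in stats.items() if s > factor * med]

def stale_signature_days(stats, window=3):
    """First date after which the cumulative unique-signature count stays flat for
    `window` consecutive days (a plateau like ⑦, a hint that signature updates stopped)."""
    dates = list(stats)
    for i in range(len(dates) - window):
        level = stats[dates[i]][2]
        if all(stats[dates[j]][2] == level for j in range(i + 1, i + window + 1)):
            return dates[i]
    return None
```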
