Detecting Remote Attacks

Han, Wang-tzu

30 July 2004

With the advanced technology, our life has improved, however, it also brings the new model of crime events. Because the intrusion technique and intrusion tools are developed day by day, many computer crimes such as overstep system authority, intrusion events, computer crime, and network attack incidents are happening everywhere and everyday. In fact, those kinds of animus attack behaviors are troublesome problems. Staffs of network management may have to read security advisory, which is sent out by security organization. For example, they have to subscribe advisories for Computer Emergency Response Team or security mail list to continuously accumulate their security information. In addition, in the security protect system, they may need to spend huge fund to purchase firewall system, intrusion detection system, antivirus system and other related security protect systems. These attack behaviors have been evolved from one computer attacked to heavy attack by new intrusion model such as worm to proceed large scale spread attacking recently. Furthermore, each attack use different communication protocol and port, which is aimed at the system vulnerability, it is not easy to detect these attacks. If we can observe the variation of network traffic to detect the unusual hosts, for controlling the usage of network or occurring extraordinary phenomenon, it could help network managers to discover and solve network attack problems in time. Lately, many intrusion events have been happened increasingly, and the denial-of-service has become the most serious network event of the Computer Crime and Security Survey of FBI/CSI in 2003. Therefore, in various attacking types, we choose vulnerability scan and denial-of-service as our research direction. This research extend to develop IPAudit[16], a network traffic monitor system, which is to detect hosts flows traffic of the local area network. We establish network attack rules by using data miningclassification (C4.5) to analyze attack data, and we estimate the correctness percentage of classification. This study also uses different attack applications for the same attack type to process the cross experiment. The result has shown that the technology of data mining classification (C4.5) can help us to forecast efficiently the same attack type events.

Data mining

classification

network traffic analysis

vulnerability scan

Denial-of-service

Software Vulnerability Assessment : local search methods / Undersökning av sårbarhet i Mjukvara : lokala söknings metoder

Martinsson, Roy

January 2006

In this thesis, we analyse different ways of detecting application vulnerabilities on installed software. Based on this research, a prototype will be developed that will validate these findings. The prototype will analyse only known vulnerabilities collected from a database and matched with locally collected data.

Information Security

Vulnerability Scan

Software Update

Computer Sciences

Datavetenskap (datalogi)

Explaining change : Comparing network snapshots for vulnerability management

Persson, Andreas, Landenstad, Lukas

January 2018

Background. Vulnerability management makes it easier for companies to find, manage and patch vulnerabilities in a network. This is done by scanning the network for known vulnerabilities. The amount of information collected during the scans can be large and prolong the analysis process of the findings. When presenting the result of found vulnerabilities it is usually represented as a trend of number of found vulnerabilities over time. The trends do not explain the cause of change in found vulnerabilities.  Objectives. The objective of this thesis is to investigate how to explain the cause of change in found vulnerabilities, by comparing vulnerability scanning reports from different points in time. Another objective of this thesis is to create an automated system that connects changes in vulnerabilities to specific events in the network. Methods. A case study was conducted where three reports, from vulnerability scans of Outpost24's internal test network, were examined in order to understand the structure of the reports and mapping them to events. To complement the case study, an additional simulated test network was set up in order to conduct self defined tests and obtain higher accuracy when identifying the cause of change in found vulnerabilities. Results. The observations done in the case study provided us with information on how to parse the data and how to identify the cause of change with a rule-based system. Interpretation of the data was done and the changes were grouped into three categories; added, removed or modified. After conducting the test cases, the results were then interpreted to find signatures in order to identify the cause of change in vulnerabilities. These signatures were then made into rules, implemented into a proof-of-concept tool. The proof of concept tool compared scan reports in pairs in order to find differences. These differences were then matched with the rules and if it did not match any rule, the change in the report was flagged as an ''unexplained'' change. The proof-of-concept tool was then used to investigate the cause of change between the reports from the case study. The framework was validated by evaluating the rules gathered from the simulated test network on the data from the case study. Furthermore, a domain expert verified that the identified causes were accurate by manually comparing the vulnerability reports from the case study. Conclusions. It is possible to identify the cause of change in found vulnerabilities from vulnerability scan reports by constructing signatures for events and use these signatures as rules. This can also be implemented automatically, as a software, in order to identify the cause of change faster than manual labor. / Bakgrund. Sårbarhetshantering underlättar arbetet för företag att hitta, hantera och korrigera sårbarheter i ett nätverk. Det görs genom att skanna nätverket efter kända sårbarheter. Mängden information som samlas under skanningar kan vara stor och medföra till att analysprocessen av upptäckterna försenas. Resultaten av de upptäckta sårbarheterna brukar vanligtvis presenteras som en trend av antalet funna sårbarheter över ett tidsintervall. Trenderna förklarar dock inte andledningen till de funna sårbarheterna. Syfte. Målet med denna avhandling är att undersöka hur det är möjligt att identifiera anledningen till skillnaden i funna sårbarheter genom att jämföra sårbarhetsrapporter från olika tidpunkter. Ett andra mål är att utveckla ett automatiskt system som kopplar skillnaderna i funna sårbarheter till specifika händelser i nätverket. Metod. En fallstudie utfördes där tre sårbarhetsrapporter, från Outpost24s interna testnätverk, undersöktes för att få förståelse kring strukturen av rapporterna samt för att koppla upptäckter i rapporterna till händelser. För att komplementera fallstudien satte vi upp ett nytt, simulerat testnätverk för att kunna utföra egna tester samt för att uppnå en högre precision vid identifiering av förändringar. Resultat. Utifrån fallstudien fick vi förståelse för hur vi skulle tolka informationen från rapporterna samt för hur man kan ge orsak till förändring genom ett regelbaserad system. Informationen från rapporterna tolkades och förändringarna delades in i tre olika kategorier; tillagda, borttagna eller modifierade. Utifrån testerna från det simulerade nätverket byggdes signaturer som identifierar orsak till föränding av funna sårbarheter. Signaturerna användes sedan för att göra regler, vilka implementerades i ett konceptverktyg. Konceptverktyget jämförde sårbarhetsrapporter i par för att upptäcka skillnader. De identifierade skillnaderna försökte sedan matchas ihop med reglerna och skulle skillnaden inte matcha någon regel så flaggas skillnaden som ''oförklarad''. Konceptverktyget användes slutligen för att finna orsak till förändringar i rapporterna från fallstudien. Ramverket validerates genom att utvärdera hur reglerna byggda utifrån det simulerade nätverket presterade för fallstudien. En domänexpert verifierade att händelserna som presenterades och orsaken till förändringarna var korrekta genom att analysera sårbarhetsrapporterna från fallstudien manuellt. Slutsatser. Det är möjligt att identifiera orsak till förändringar i upptäckta sårbarheter i sårbarhetsrapporter genom att identifiera signaturer för händelser, och använda dessa signaturer i ett reglerbaserat system. Systemet är också möjligt att implementera automatiskt, i form av mjukvara, för att kunna identifiera orsaken till förändring snabbare än om det skulle gjorts manuellt.

Vulnerability management

comparing

vulnerability scan reports

cause of change

decision support system

Sårbarhetshantering

jämförelse

sårbarhetsskanning

sårbarhetsrapport

orsak till förändring

Computer Sciences

Datavetenskap (datalogi)