Enhanced JEAN Algorithm for Attacker Group Recognition


Page 1: Enhanced JEAN Algorithm for Attacker Group Recognition

Enhanced JEAN Algorithm for Attacker Group Recognition

Presented by,

K.GopiPriyaDharshini

&

G.Vivek

Page 2: Enhanced JEAN Algorithm for Attacker Group Recognition

Objective

• To predict or track the sequence of a multistage attack and forecast the possible next stage of the attack.

• To classify attackers based on their behaviour and assess the danger level of the different attacker groups.

Page 3: Enhanced JEAN Algorithm for Attacker Group Recognition

Multistage Attack

The sequence of steps that an attacker performs is known as a multistage (or multistep) attack. The hacking strategy includes the following:

• Gather information

• Probe and scan for vulnerabilities

• Gain initial access

• Escalate privilege

• Launch the planned attack

Page 4: Enhanced JEAN Algorithm for Attacker Group Recognition

Abstract

• To secure the network it is essential to find the attackers' behaviour, the members of the group and their intention.

• Attacker group identification combined with multi-stage attack forecasting is the novelty of this proposed work.

Page 5: Enhanced JEAN Algorithm for Attacker Group Recognition

Methodology

• The technique proposed for detecting the multi-stage attack is the Attack Session Graph, where the X-axis represents time and the Y-axis represents the Fusion ID (ABC).

• The alert Fusion ID (ABC) is based on attributes such as protocol, source port, destination port, source IP and destination IP.

• "A" denotes the zone distance between the destination IP and the source IP.

• "B" denotes the network protocol.

• "C" denotes the distance between the port number clusters.

Page 6: Enhanced JEAN Algorithm for Attacker Group Recognition

Continued…

A = Zone(dest IP) - Zone(src IP)

B = 0 for ICMP, 1 for a TCP session, 2 for a UDP session, 3 otherwise

C = |Cluster(dest port) - Cluster(src port)|

Page 7: Enhanced JEAN Algorithm for Attacker Group Recognition

JEAN Working

Step 1: Finding the corresponding points

Step 2: Calculating the transformation

Step 3: Weighing the transformation

Page 8: Enhanced JEAN Algorithm for Attacker Group Recognition

Block Diagram

[Block diagram showing: the alert attributes Time, Protocol, Source IP, Destination IP, Source Port and Destination Port; attacker ID group separation into groups G1, G2, G3 and G4; the JEAN algorithm; non-group prediction; and the result]

Page 9: Enhanced JEAN Algorithm for Attacker Group Recognition

Snapshot

Ping request to identify the live IP addresses

Page 10: Enhanced JEAN Algorithm for Attacker Group Recognition

Screenshot displaying the port numbers that are open and the services running on the device

Page 11: Enhanced JEAN Algorithm for Attacker Group Recognition

Scanning the live IPs using the Nmap tool

Page 12: Enhanced JEAN Algorithm for Attacker Group Recognition

Topology of the IP addresses

Page 13: Enhanced JEAN Algorithm for Attacker Group Recognition

Information of the ports that are open and the services that are running on the system

Page 14: Enhanced JEAN Algorithm for Attacker Group Recognition

Analyzing the alerts using the network sniffing tool

Page 15: Enhanced JEAN Algorithm for Attacker Group Recognition

The captured alerts are exported from the sniffer tool as an XML file, which is then used to generate the Fusion ID

Page 16: Enhanced JEAN Algorithm for Attacker Group Recognition

The XML file is represented as a table with the time, source IP, target IP, source port, destination port and Fusion ID

Page 17: Enhanced JEAN Algorithm for Attacker Group Recognition

[Figure: attack session graph with Time on the X-axis and the Fusion ID on the Y-axis (Y-axis range -800 to 800)]

Attack session graph denoting the Time on the X-axis and the Fusion ID on the Y-axis

Page 18: Enhanced JEAN Algorithm for Attacker Group Recognition

Prediction value by the JEAN algorithm

Page 19: Enhanced JEAN Algorithm for Attacker Group Recognition

Conclusion

In this proposed work we were able to cluster the attackers into groups based on the time and the target. The prediction value for each of these attacker groups is calculated.
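The pipeline the deck describes, as an added worked example in Python (not the presenters' code): the Fusion ID (A, B, C) of slides 5 and 6, the per-alert table of slide 16, the grouping of attackers by time and target from the conclusion, and the three JEAN steps of slide 7 applied to one target's attack session points. Only the A/B/C definitions come from the slides. The sniffer's XML layout, the zone map, the port clusters, the scalar encoding of ABC used for the Y-axis and the point-matching rules (nearest fusion value, median time shift, matched fraction as weight) are assumptions constructed for this example and are not the published JEAN algorithm.

```python
"""Fusion ID (ABC), slide 16 table, attacker grouping and a simplified JEAN-style
matching. Added example, not the presenters' code: only the A/B/C definitions come
from the slides; XML layout, zones, port clusters, the scalar ABC encoding and the
matching rules are constructed assumptions."""
import ipaddress
import xml.etree.ElementTree as ET
from statistics import median

# Constructed sniffer export (assumed layout; the slides do not show the real XML).
ALERTS_XML = """<alerts>
  <alert time="0"  proto="ICMP" src="10.0.0.5" dst="10.0.2.20" sport="0"     dport="0"/>
  <alert time="20" proto="UDP"  src="10.0.0.9" dst="10.0.1.10" sport="53000" dport="53"/>
  <alert time="30" proto="TCP"  src="10.0.0.5" dst="10.0.2.20" sport="51000" dport="22"/>
  <alert time="40" proto="TCP"  src="10.0.0.6" dst="10.0.2.20" sport="52000" dport="22"/>
  <alert time="50" proto="TCP"  src="10.0.0.9" dst="10.0.1.10" sport="53001" dport="80"/>
  <alert time="60" proto="TCP"  src="10.0.0.5" dst="10.0.2.20" sport="51001" dport="445"/>
  <alert time="95" proto="TCP"  src="10.0.0.5" dst="10.0.2.20" sport="51002" dport="3389"/>
</alerts>"""

# Constructed zone map (network -> zone: external 0, DMZ 1, internal 2); B codes from slide 6.
ZONES = [(ipaddress.ip_network("10.0.0.0/24"), 0), (ipaddress.ip_network("10.0.1.0/24"), 1),
         (ipaddress.ip_network("10.0.2.0/24"), 2)]
PROTOCOL_CODE = {"ICMP": 0, "TCP": 1, "UDP": 2}

def zone(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for net, z in ZONES if addr in net), 3)  # unmapped: farthest zone

def port_cluster(port):
    """Constructed clusters: well-known -> 0, registered -> 1, ephemeral -> 2."""
    return 0 if port < 1024 else 1 if port < 49152 else 2

def fusion_id(proto, src_ip, dst_ip, src_port, dst_port):
    """(A, B, C) as defined on slide 6: zone distance, protocol code, port-cluster distance."""
    a = zone(dst_ip) - zone(src_ip)
    b = PROTOCOL_CODE.get(proto.upper(), 3)
    c = abs(port_cluster(dst_port) - port_cluster(src_port))
    return a, b, c

def fusion_value(abc):
    """Scalar Y value: digits A|B|C carrying the sign of A (assumption; fits the -800..800 axis)."""
    a, b, c = abc
    magnitude = abs(a) * 100 + b * 10 + c
    return -magnitude if a < 0 else magnitude

def parse_alerts(xml_text):
    """Slide 16's table: one row per alert with its fusion ID and scalar value, in time order."""
    rows = []
    for e in ET.fromstring(xml_text).iter("alert"):
        t, sp, dp = int(e.get("time")), int(e.get("sport")), int(e.get("dport"))
        abc = fusion_id(e.get("proto"), e.get("src"), e.get("dst"), sp, dp)
        rows.append({"time": t, "src": e.get("src"), "dst": e.get("dst"), "sport": sp,
                     "dport": dp, "abc": abc, "value": fusion_value(abc)})
    return sorted(rows, key=lambda r: r["time"])

def group_attackers(rows, window=120):
    """Conclusion slide: sources hitting the same target inside one time window form a group."""
    groups = {}
    for r in rows:
        groups.setdefault((r["dst"], r["time"] // window), set()).add(r["src"])
    return groups

def jean_match(observed, template, tol=0):
    """Simplified three-step matching (assumption, not the published JEAN):
    1. corresponding points: each observed (time, value) pairs with the first unused
       template point whose value lies within tol;
    2. transformation: the median time shift over the pairs;
    3. weight: the fraction of template points that were paired.
    Returns (shift, weight, forecast), the forecast being the first unpaired template
    point moved by the shift, or None when nothing paired."""
    shifts, used = [], set()
    for t_obs, v_obs in observed:
        for i, (t_tpl, v_tpl) in enumerate(template):
            if i not in used and abs(v_obs - v_tpl) <= tol:
                shifts.append(t_obs - t_tpl)
                used.add(i)
                break
    if not shifts:
        return None
    shift, weight = median(shifts), len(shifts) / len(template)
    remaining = [p for i, p in enumerate(template) if i not in used]
    forecast = (remaining[0][0] + shift, remaining[0][1]) if remaining else None
    return shift, weight, forecast

# Constructed template of an earlier session whose last step (value 111) the observed
# session has not reached yet; that step, time-shifted, becomes the forecast.
TEMPLATE = [(0, 200), (40, 212), (70, 212), (100, 211), (130, 111)]

def predict_for_target(xml_text, dst, template=TEMPLATE):
    """Attack session points (time, fusion value) of one target, matched against the template."""
    points = [(r["time"], r["value"]) for r in parse_alerts(xml_text) if r["dst"] == dst]
    return jean_match(points, template)

if __name__ == "__main__":
    print(group_attackers(parse_alerts(ALERTS_XML)))
    print(predict_for_target(ALERTS_XML, "10.0.2.20"))
```

With the constructed data the internal host 10.0.2.20 is hit by two sources in the same window, so they land in one group, and its session pairs four of the five template points, giving a weight of 0.8 and a forecast of the template's unmatched last step shifted by the median offset. With `tol=0` the extra 212 alert finds no free partner; a real implementation would score such near-duplicates probabilistically rather than discard them.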


Page 22: Enhanced JEAN Algorithm for Attacker Group Recognition

Thank you