Enhanced JEAN Algorithm for Attacker Group Recognition
Presented by K.GopiPriyaDharshini & G.Vivek
Objective
• To track the sequence of steps in a multistage attack and forecast its likely next stage.
• To classify attackers into groups based on their behavior and to assess the danger level of each group.
Multistage Attack
The sequence of steps that an attacker performs is known as a multistage (or multistep) attack. The attack strategy typically includes the following stages:
• Gather information
• Probe and scan for vulnerabilities
• Gain initial access
• Escalate privileges
• Launch the planned attack
Abstract
• To secure the network it is essential to understand attacker behavior, identify the members of each attacker group and infer their intention.
• Identifying attacker groups together with forecasting the next stage of a multistage attack is the novelty of this proposed work.
Methodology
• The technique proposed for detecting multistage attacks is the Attack Session Graph, in which the X-axis represents time and the Y-axis represents the alert Fusion ID (ABC).
• The alert Fusion ID (ABC) is derived from the alert attributes protocol, source port, destination port, source IP and destination IP.
• "A" denotes the zone distance between the destination IP and the source IP.
• "B" denotes the network protocol.
• "C" denotes the distance between the port number clusters of the destination and source ports.
Continued…..
A = Zone(dest IP) - Zone(src IP)
B = 0 for ICMP, 1 for a TCP session, 2 for a UDP session, 3 otherwise
C = |Cluster(dest port) - Cluster(src port)|
(C is the port-cluster distance defined above; the zone and cluster numberings are site-specific.)
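The following is an added example (not the presenters' code) that turns the ABC definition above into a working Fusion ID computation, reads a small constructed XML alert export of the kind the sniffer produces, emits the (time, Fusion ID) points of the attack session graph, and performs the time-and-target grouping described in the conclusion. The slides do not define Zone() or Cluster(), nor how A, B and C are packed into one number, so the subnet-to-zone table, the IANA port-range clusters, the signed decimal packing A|B|C (which matches the -800..800 axis on the session graph) and the 60-second grouping window are all assumptions.

```python
"""Fusion ID (ABC) and attack-session-graph points from alert records.

Added example for this page, not code from the presentation. Assumptions:
Zone() maps an IP to a subnet zone number, Cluster() maps a port to an IANA
range, and A|B|C are packed as the signed decimal digits of one integer.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Optional

# Assumption: zones are numbered per subnet; anything else is external zone 0.
ZONES = [
    (ipaddress.ip_network("10.0.1.0/24"), 1),
    (ipaddress.ip_network("10.0.2.0/24"), 2),
    (ipaddress.ip_network("10.0.3.0/24"), 3),
]
EXTERNAL_ZONE = 0

# B exactly as defined on the slide.
PROTOCOL_CODE = {"icmp": 0, "tcp": 1, "udp": 2}
OTHER_PROTOCOL = 3


def zone(ip: str) -> int:
    addr = ipaddress.ip_address(ip)
    for net, z in ZONES:
        if addr in net:
            return z
    return EXTERNAL_ZONE


def port_cluster(port: Optional[int]) -> int:
    """Assumption: IANA ranges as clusters (well-known 0, registered 1,
    dynamic 2). ICMP alerts carry no ports, so both sides map to 0 and C = 0."""
    if port is None or port < 1024:
        return 0
    if port < 49152:
        return 1
    return 2


def fusion_id(protocol: str, src_ip: str, dst_ip: str,
              src_port: Optional[int] = None, dst_port: Optional[int] = None) -> int:
    a = zone(dst_ip) - zone(src_ip)                     # signed zone distance
    b = PROTOCOL_CODE.get(protocol.lower(), OTHER_PROTOCOL)
    c = abs(port_cluster(dst_port) - port_cluster(src_port))
    magnitude = abs(a) * 100 + b * 10 + c               # assumed packing A|B|C
    return -magnitude if a < 0 else magnitude


# Constructed sample export: attribute names are assumptions, not the sniffer's.
SAMPLE_XML = """<alerts>
  <alert time="0"   protocol="ICMP" src="10.0.1.5"    dst="10.0.3.20"/>
  <alert time="4"   protocol="TCP"  src="10.0.1.5"    dst="10.0.3.20"   sport="44123" dport="22"/>
  <alert time="9"   protocol="TCP"  src="10.0.1.7"    dst="10.0.3.20"   sport="44200" dport="80"/>
  <alert time="12"  protocol="TCP"  src="10.0.1.5"    dst="203.0.113.9" sport="51000" dport="443"/>
  <alert time="300" protocol="UDP"  src="203.0.113.9" dst="10.0.2.30"   sport="53211" dport="53"/>
</alerts>"""


def parse_alerts(xml_text: str) -> list:
    """Flatten the XML export into the table the slides describe."""
    alerts = []
    for el in ET.fromstring(xml_text).iter("alert"):
        alerts.append({
            "time": int(el.get("time")),
            "protocol": el.get("protocol"),
            "src": el.get("src"),
            "dst": el.get("dst"),
            "sport": int(el.get("sport")) if el.get("sport") else None,
            "dport": int(el.get("dport")) if el.get("dport") else None,
        })
    return alerts


def session_graph_points(alerts: list) -> list:
    """(time, Fusion ID) pairs, i.e. the X/Y points of the attack session graph."""
    return sorted((a["time"], fusion_id(a["protocol"], a["src"], a["dst"],
                                        a["sport"], a["dport"])) for a in alerts)


def separate_groups(alerts: list, window: int = 60) -> list:
    """Group sources that hit the same target within `window` seconds of each
    other (assumed reading of 'cluster attackers by time and target')."""
    groups = []
    for a in sorted(alerts, key=lambda x: (x["dst"], x["time"])):
        g = groups[-1] if groups else None
        if g is None or g["target"] != a["dst"] or a["time"] - g["end"] > window:
            g = {"target": a["dst"], "attackers": set(), "start": a["time"], "end": a["time"]}
            groups.append(g)
        g["attackers"].add(a["src"])
        g["end"] = a["time"]
    return groups


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_XML)
    for t, fid in session_graph_points(parsed):
        print(f"time={t:4d}  fusion_id={fid:5d}")
    for g in separate_groups(parsed):
        print(g["target"], sorted(g["attackers"]), g["start"], g["end"])
```

The sign of the Fusion ID comes only from A, so a connection leaving a higher-numbered zone for a lower one (here the outbound 10.0.1.5 to 203.0.113.9 alert) plots below zero on the graph, which is what makes direction visible on the Y-axis.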
JEAN Working
Step 1:Finding the Corresponding Points
Step 2:Calculating the Transformation
Step 3:Weighing the Transformation
Block Diagram
[Figure: block diagram with the following blocks: attacker ID group separation into G1, G2, G3 and G4; JEAN algorithm; non-group prediction; result. The alert record fields used are Time, Protocol, Source IP, Destination IP, Source Port and Destination Port.]
Snapshot
• Ping request to identify the live IP addresses
• Screenshot displaying the open port numbers and the services running on the device
• Scanning of the live IPs using the Nmap tool
• Topology of the IP addresses
• Information on the open ports and the services running on the system
• Analyzing the alerts using the network sniffing tool
• The captured alerts are exported from the sniffer tool as an XML file, which is used to generate the Fusion ID
• The XML file shown in table form: time, source IP, target IP, source port, destination port and Fusion ID
[Figure: attack session graph with Time on the X-axis and Fusion ID on the Y-axis (Y-axis range -800 to 800)]
Prediction value by the JEAN algorithm
Conclusion
In this proposed work we were able to cluster attackers into groups based on time and target. A prediction value is then calculated for each attacker group.
Thank you