Behavioral Analysis on IPv4 Malware in both IPv4 and IPv6 Network Environment

Malware is become an epidemic in computer net-work nowadays. Malware attacks are a significant threat to networks. A conducted survey shows malware attacks may result a huge financial impact. This scenario has become worse when users are migrating to a new environment which is Internet Protocol Version 6. In this paper, a real Nimda worm was released on to further understand the worm beha-vior in real network traffic. A controlled environment of both IPv4 and IPv6 network were deployed as a testbed for this study. The result between these two scenarios will be analyzed and discussed further in term of the worm behavior. The ex-periment result shows that even IPv4 malware still can infect the IPv6 network environment without any modification. New detection techniques need to be proposed to remedy this prob-lem swiftly

Behavioral analysis on IPV4 Malware in both IPV4 and IPv6 Network Environment

Malware is become an epidemic in computer net-work nowadays. Malware attacks are a significant threat to networks. A conducted survey shows malware attacks may result a huge financial impact. This scenario has become worse when users are migrating to a new environment which is Internet Protocol Version 6. In this paper, a real Nimda worm was released on to further understand the worm beha-vior in real network traffic. A controlled environment of both IPv4 and IPv6 network were deployed as a testbed for this study. The result between these two scenarios will be analyzed and discussed further in term of the worm behavior. The ex-periment result shows that even IPv4 malware still can infect the IPv6 network environment without any modification. New detection techniques need to be proposed to remedy this prob-lem swiftl

Behavioral Analysis on IPv4 Malware in both IPv4 and IPv6 Network Environment

Malware is become an epidemic in computer net-work nowadays. Malware attacks are a significant threat to networks. A conducted survey shows malware attacks may result a huge financial impact. This scenario has become worse when users are migrating to a new environment which is Internet Protocol Version 6. In this paper, a real Nimda worm was released on to further understand the worm beha-vior in real network traffic. A controlled environment of both IPv4 and IPv6 network were deployed as a testbed for this study. The result between these two scenarios will be analyzed and discussed further in term of the worm behavior. The ex-periment result shows that even IPv4 malware still can infect the IPv6 network environment without any modification. New detection techniques need to be proposed to remedy this prob-lem swiftly

The Effect of DNS Delays on Worm Propagation in an IPv6 Internet

It is a commonly held belief that IPv6 provides greater security against random-scanning worms by virtue of a very sparse address space. We show that an intelligent worm can exploit the directory and naming services necessary for the functioning of any network, and we model the behavior of such a worm in this paper. We explore via analysis and simulation the spread of such worms in an IPv6 Internet. Our results indicate that such a worm can exhibit propagation speeds comparable to an IPv4 random-scanning worm. We develop a detailed analytical model that reveals the relationship between network parameters and the spreading rate of the worm in an IPv6 world. We also develop a simulator based on our analytical model. Simulation results based on parameters chosen from real measurements and the current Internet indicate that an intelligent worm can spread surprising fast in an IPv6 world by using simple strategies. The performance of the worm depends heavily on these strategies, which in turn depend on how secure the directory and naming services of a network are. As a result, additional work is needed in developing detection and defense mechanisms against future worms, and our work identifies directory and naming services as the natural place to do it

Real-time analysis of aggregate network traffic for anomaly detection

The frequent and large-scale network attacks have led to an increased need for developing techniques for analyzing network traffic. If efficient analysis tools were available, it could become possible to detect the attacks, anomalies and to appropriately take action to contain the attacks before they have had time to propagate across the network. In this dissertation, we suggest a technique for traffic anomaly detection based on analyzing the correlation of destination IP addresses and distribution of image-based signal in postmortem and real-time, by passively monitoring packet headers of traffic. This address correlation data are transformed using discrete wavelet transform for effective detection of anomalies through statistical analysis. Results from trace-driven evaluation suggest that the proposed approach could provide an effective means of detecting anomalies close to the source. We present a multidimensional indicator using the correlation of port numbers as a means of detecting anomalies. We also present a network measurement approach that can simultaneously detect, identify and visualize attacks and anomalous traffic in real-time. We propose to represent samples of network packet header data as frames or images. With such a formulation, a series of samples can be seen as a sequence of frames or video. Thisenables techniques from image processing and video compression such as DCT to be applied to the packet header data to reveal interesting properties of traffic. We show that ??scene change analysis?? can reveal sudden changes in traffic behavior or anomalies. We show that ??motion prediction?? techniques can be employed to understand the patterns of some of the attacks. We show that it may be feasible to represent multiple pieces of data as different colors of an image enabling a uniform treatment of multidimensional packet header data. Measurement-based techniques for analyzing network traffic treat traffic volume and traffic header data as signals or images in order to make the analysis feasible. In this dissertation, we propose an approach based on the classical Neyman-Pearson Test employed in signal detection theory to evaluate these different strategies. We use both of analytical models and trace-driven experiments for comparing the performance of different strategies. Our evaluations on real traces reveal differences in the effectiveness of different traffic header data as potential signals for traffic analysis in terms of their detection rates and false alarm rates. Our results show that address distributions and number of flows are better signals than traffic volume for anomaly detection. Our results also show that sometimes statistical techniques can be more effective than the NP-test when the attack patterns change over time