Behavioral Analysis on IPv4 Malware in both IPv4 and IPv6 Network Environment
Malware has become an epidemic in computer networks nowadays. Malware attacks are a significant threat to networks, and a conducted survey shows that malware attacks may result in a huge financial impact. This scenario has become worse as users migrate to a new environment, Internet Protocol Version 6. In this paper, a real Nimda worm was released to further understand the worm's behavior in real network traffic. A controlled environment of both IPv4 and IPv6 networks was deployed as a testbed for this study. The results of these two scenarios are analyzed and discussed further in terms of the worm's behavior. The experimental results show that even IPv4 malware can still infect the IPv6 network environment without any modification. New detection techniques need to be proposed to remedy this problem swiftly.
The Effect of DNS Delays on Worm Propagation in an IPv6 Internet
It is a commonly held belief that IPv6 provides greater security against random-scanning worms by virtue of a very sparse address space. We show that an intelligent worm can exploit the directory and naming services necessary for the functioning of any network, and we model the behavior of such a worm in this paper. We explore via analysis and simulation the spread of such worms in an IPv6 Internet. Our results indicate that such a worm can exhibit propagation speeds comparable to an IPv4 random-scanning worm. We develop a detailed analytical model that reveals the relationship between network parameters and the spreading rate of the worm in an IPv6 world. We also develop a simulator based on our analytical model. Simulation results based on parameters chosen from real measurements and the current Internet indicate that an intelligent worm can spread surprisingly fast in an IPv6 world by using simple strategies. The performance of the worm depends heavily on these strategies, which in turn depend on how secure the directory and naming services of a network are. As a result, additional work is needed in developing detection and defense mechanisms against future worms, and our work identifies directory and naming services as the natural place to do it.
Real-time analysis of aggregate network traffic for anomaly detection
Frequent and large-scale network attacks have led to an increased need for techniques for analyzing network traffic. If efficient analysis tools were available, it could become possible to detect attacks and anomalies and to take appropriate action to contain the attacks before they have had time to propagate across the network.

In this dissertation, we suggest a technique for traffic anomaly detection based on analyzing the correlation of destination IP addresses and the distribution of an image-based signal, both postmortem and in real time, by passively monitoring the packet headers of traffic. This address correlation data is transformed using the discrete wavelet transform for effective detection of anomalies through statistical analysis. Results from trace-driven evaluation suggest that the proposed approach could provide an effective means of detecting anomalies close to the source. We present a multidimensional indicator using the correlation of port numbers as a means of detecting anomalies.

We also present a network measurement approach that can simultaneously detect, identify and visualize attacks and anomalous traffic in real time. We propose to represent samples of network packet header data as frames or images. With such a formulation, a series of samples can be seen as a sequence of frames, or video. This enables techniques from image processing and video compression, such as the DCT, to be applied to the packet header data to reveal interesting properties of traffic. We show that "scene change analysis" can reveal sudden changes in traffic behavior, or anomalies. We show that "motion prediction" techniques can be employed to understand the patterns of some of the attacks. We show that it may be feasible to represent multiple pieces of data as different colors of an image, enabling a uniform treatment of multidimensional packet header data.

Measurement-based techniques for analyzing network traffic treat traffic volume and traffic header data as signals or images in order to make the analysis feasible. In this dissertation, we propose an approach based on the classical Neyman-Pearson test employed in signal detection theory to evaluate these different strategies. We use both analytical models and trace-driven experiments to compare the performance of different strategies. Our evaluations on real traces reveal differences in the effectiveness of different traffic header data as potential signals for traffic analysis, in terms of their detection rates and false alarm rates. Our results show that address distributions and number of flows are better signals than traffic volume for anomaly detection. Our results also show that statistical techniques can sometimes be more effective than the NP test when the attack patterns change over time.