Full Packet Capture


The Experts below are selected from a list of 66 Experts worldwide ranked by ideXlab platform

S. Muthukrishnan - One of the best experts on this subject based on the ideXlab platform.

  • DoWitcher: Effective Worm Detection and Containment in the Internet Core
    IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, 2007
    Co-Authors: S. Ranjan, S. Shah, A. Nucci, M. Munafo, R. Cruz, S. Muthukrishnan
    Abstract:

    Enterprise networks are increasingly offloading the responsibility for worm detection and containment to the carrier networks. However, current approaches to the zero-day worm detection problem, such as those based on content similarity of packet payloads, do not scale to carrier link speeds (OC-48 and upwards). In this paper, we introduce a new system, DoWitcher, which in contrast to previous approaches is scalable and is also able to detect the stealthiest worms, those that use low propagation rates or polymorphism to evade detection. DoWitcher uses an incremental approach to worm detection: first, it examines layer-4 traffic features to discern the presence of a worm anomaly; next, it determines a flow-filter mask that can be applied to isolate the suspect worm flows; and finally, it enables full-packet capture of only those flows that match the mask, which are then processed by a longest-common-subsequence algorithm to extract the worm's content signature. Via a proof-of-concept implementation on a commercially available network analyzer processing raw packets from an OC-48 link, we demonstrate the capability of DoWitcher to detect low-rate worms and to extract signatures even for polymorphic worms.

S Raynel - One of the best experts on this subject based on the ideXlab platform.

  • WiOpt - Using the IEEE 802.11 Frame Check Sequence as a pseudo random number for Packet sampling in wireless networks
    2009 7th International Symposium on Modeling and Optimization in Mobile Ad Hoc and Wireless Networks, 2009
    Co-Authors: S Raynel, Anthony Mcgregor, Murray A. Jorgensen
    Abstract:

    Low-power devices such as common wireless router platforms are not capable of performing reliable full packet capture due to resource constraints. In order for such devices to be used to perform link-level measurement on IEEE 802.11 networks, a packet sampling technique is required in order to reliably capture a representative sample of frames. The traditional Berkeley Packet Filter mechanism found in UNIX-like operating systems does not directly support packet sampling, as it provides no way of generating pseudo-random numbers and does not allow a filter program to keep state between invocations. This paper explores the use of the IEEE 802.11 Frame Check Sequence as a source of pseudo-random numbers for use when deciding whether to sample a packet. This theory is tested by analysing the distribution of Frame Check Sequences from a large, real-world capture. Finally, a BPF program fragment is presented which can be used to efficiently select packets for sampling.

Jason Smith - One of the best experts on this subject based on the ideXlab platform.

  • Chapter 10 – The Bro Platform
    Applied Network Security Monitoring, 2020
    Co-Authors: Chris Sanders, Jason Smith
    Abstract:

    NSM is all about bringing network data together to provide context for detection and analysis. Most NSM systems already integrate the “big three” sources (IDS alerts, session data, full packet capture data), but as we’ve already seen in this book, these are not the only data sources you can use. One particularly rich source of this data is Bro. This chapter provides a review of the Bro architecture, the Bro language, and several practical cases that demonstrate the power of Bro as an IDS and network logging engine.

  • Chapter 5 – Full Packet Capture Data
    Applied Network Security Monitoring, 2020
    Co-Authors: Chris Sanders, Jason Smith
    Abstract:

    The type of NSM data with the most intrinsic value to the analyst is full packet capture (FPC) data. FPC data provides a full accounting of every packet transmitted between two endpoints. This chapter begins with an overview of the importance of full packet capture data, then examines several tools that produce FPC data in PCAP form, including Netsniff-NG, Daemonlogger, and Dumpcap. This leads to a discussion of the considerations for planning FPC data storage and maintaining that data, including ways to trim the amount of FPC data stored.

  • Chapter 4 – Session Data
    Applied Network Security Monitoring, 2020
    Co-Authors: Chris Sanders, Jason Smith
    Abstract:

    Session data is the summary of the communication between two network devices. Also known as a conversation or a flow, this summary data is one of the most flexible and useful forms of NSM data. While session data doesn’t provide the level of detail found in full packet capture data, it does have some unique strengths that provide significant value to NSM analysts. In this chapter we discuss how flows are generated and the methods for collecting session data, and explore two of the more popular session data analysis solutions, SiLK and Argus. Before going into detail about the differences between analysis solutions, however, it’s important to understand the differences between the types of flow data; this book highlights the most commonly used flow types, NetFlow and IPFIX.
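
The flow generation the chapter describes, as an added worked example that is not SiLK, Argus or the book's own code: packets are assigned to a bidirectional record by 5-tuple, counted per direction, and a record is exported when the conversation sits idle longer than a timeout. The 30-second idle timeout, the host addresses and every packet are constructed for the example.

```python
"""Added example, not SiLK or Argus code: how session (flow) records are
generated from packets. Each packet is assigned to a bidirectional flow by its
5-tuple; the flow is keyed on whichever side sent the first packet, byte and
packet counts are kept per direction, and a flow is cut when it sits idle
longer than a timeout, which is why one long TCP session can appear as several
flow records. All packets are constructed."""
from dataclasses import dataclass, field

IDLE_TIMEOUT = 30.0  # seconds; an assumed value, real probes make it configurable


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    start: float
    end: float
    pkts_fwd: int = 0
    bytes_fwd: int = 0
    pkts_rev: int = 0
    bytes_rev: int = 0
    flags: set = field(default_factory=set)   # union of TCP flag letters seen


def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key so both halves of a conversation land in one record."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def build_flows(packets, idle_timeout=IDLE_TIMEOUT):
    """packets: (ts, src, sport, dst, dport, proto, wire_len, tcp_flag_letters).
    Returns completed flow records ordered by start time."""
    active, done = {}, []
    for ts, src, sport, dst, dport, proto, length, flags in sorted(packets, key=lambda p: p[0]):
        key = flow_key(src, sport, dst, dport, proto)
        f = active.get(key)
        if f is not None and ts - f.end > idle_timeout:
            done.append(active.pop(key))          # idle expiry: export and start over
            f = None
        if f is None:
            f = Flow(src, sport, dst, dport, proto, ts, ts)
            active[key] = f
        if (src, sport) == (f.src, f.sport):
            f.pkts_fwd += 1; f.bytes_fwd += length
        else:
            f.pkts_rev += 1; f.bytes_rev += length
        f.end = ts
        f.flags.update(flags)
    done.extend(active.values())                  # flush whatever is still open
    return sorted(done, key=lambda f: f.start)


def render(flows):
    """One line per record, in the spirit of SiLK/Argus text output."""
    return [f"{f.start:8.2f} {f.end - f.start:6.2f}s {f.proto:3} "
            f"{f.src}:{f.sport} -> {f.dst}:{f.dport} "
            f"fwd {f.pkts_fwd}p/{f.bytes_fwd}B rev {f.pkts_rev}p/{f.bytes_rev}B "
            f"flags {''.join(sorted(f.flags))}" for f in flows]


C, WEB, DNS, SSH = "10.0.0.5", "198.51.100.10", "10.0.0.2", "10.0.0.9"
PACKETS = [  # constructed: one HTTP exchange, one DNS lookup, one SSH session with a long idle gap
    (0.00, C, 51000, WEB, 80, "tcp", 60, "S"),
    (0.05, WEB, 80, C, 51000, "tcp", 60, "SA"),
    (0.10, C, 51000, WEB, 80, "tcp", 52, "A"),
    (0.11, C, 51000, WEB, 80, "tcp", 340, "PA"),
    (0.20, WEB, 80, C, 51000, "tcp", 1500, "PA"),
    (0.21, WEB, 80, C, 51000, "tcp", 900, "PA"),
    (0.30, C, 51000, WEB, 80, "tcp", 52, "FA"),
    (0.35, WEB, 80, C, 51000, "tcp", 52, "FA"),
    (0.50, C, 40000, DNS, 53, "udp", 71, ""),
    (0.51, DNS, 53, C, 40000, "udp", 130, ""),
    (1.00, C, 52000, SSH, 22, "tcp", 60, "S"),
    (1.05, SSH, 22, C, 52000, "tcp", 60, "SA"),
    (1.10, C, 52000, SSH, 22, "tcp", 120, "PA"),
    (100.00, C, 52000, SSH, 22, "tcp", 120, "PA"),   # 98.9 s idle -> second record
    (100.10, SSH, 22, C, 52000, "tcp", 96, "PA"),
]

if __name__ == "__main__":
    print("\n".join(render(build_flows(PACKETS))))
```

The SSH session comes out as two records, which is the analyst's everyday caveat with flow data: the split depends on the probe's timeout, and the second record is keyed on whichever side happened to speak first after the gap, so a "server-initiated" flow in session data is not by itself evidence of anything.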

  • Chapter 6 – Packet String Data
    Applied Network Security Monitoring, 2020
    Co-Authors: Chris Sanders, Jason Smith
    Abstract:

    This chapter introduces packet string (PSTR) data and its usefulness in the NSM analytic process. It defines the qualities of PSTR data and how it can be collected manually or with tools like Httpry or Justniffer. Collecting PSTR data is simple and its utility is broad, but the concept is fairly new, so not many organizations use this data type yet. Because it combines much of the contextual breadth of full packet capture with the speed, small storage footprint, and statistical parsing ability of session data, it is the closest thing to a middle ground between FPC and session data that serves near real-time and retrospective analysis alike. The chapter also covers tools for parsing and viewing PSTR data, including Logstash and Kibana.
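
Manual PSTR collection of the kind the chapter mentions, as an added example that is not Httpry, Justniffer or the book's own code: from each HTTP request only the request line and an allow-list of headers are kept as one JSON line, the shape Logstash ingests. Packets are assumed to arrive as (timestamp, src, dst, payload) with the payload already reassembled; all traffic is constructed.

```python
"""Added example, not httpry or Justniffer code: collecting packet string
(PSTR) data by hand. From each HTTP request payload only the request line and
a short allow-list of headers are kept, one log line per request, so the
result stays searchable like FPC but costs a fraction of the bytes. Packets
are (ts, src, dst, payload) with payloads already reassembled; all constructed."""
import json
import re

KEEP_HEADERS = ("host", "user-agent", "referer", "content-type")
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def extract_pstr(ts, src, dst, payload: bytes):
    """Return a PSTR record for an HTTP request payload, or None for anything else."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    record = {"ts": ts, "src": src, "dst": dst,
              "method": m.group(1).decode("ascii"),
              "uri": m.group(2).decode("utf-8", "replace")}
    head = payload.split(b"\r\n\r\n", 1)[0]           # headers only; the body is never logged
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        name = name.strip().lower().decode("ascii", "replace")
        if name in KEEP_HEADERS:                      # Cookie/Authorization deliberately dropped
            record[name] = value.strip().decode("utf-8", "replace")
    return record


def pstr_records(packets):
    return [r for r in (extract_pstr(*p) for p in packets) if r is not None]


def pstr_log(packets):
    """Line-oriented JSON, the shape Logstash ingests and Kibana searches."""
    return [json.dumps(r, sort_keys=True) for r in pstr_records(packets)]


def storage_bytes(packets, lines):
    """Bytes FPC would store for these payloads vs. bytes the PSTR log stores."""
    return sum(len(p[3]) for p in packets), sum(len(l) + 1 for l in lines)


PACKETS = [  # constructed traffic
    (1700000000.00, "10.0.0.5", "10.0.1.20",
     b"GET /login?next=%2Fadmin HTTP/1.1\r\nHost: intranet.example\r\n"
     b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\nAccept: */*\r\n"
     b"Cookie: session=" + b"A" * 200 + b"\r\n\r\n"),
    (1700000001.00, "10.0.0.5", "10.0.1.21",
     b"POST /upload HTTP/1.1\r\nHost: files.example\r\nUser-Agent: curl/8.0\r\n"
     b"Content-Type: application/octet-stream\r\nContent-Length: 3000\r\n\r\n" + b"\x00" * 3000),
    (1700000002.00, "10.0.0.5", "10.0.1.22",
     b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + b"\x00" * 500),      # TLS: not PSTR
    (1700000003.00, "10.0.1.20", "10.0.0.5",
     b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html>"),                  # response: not a request
]

if __name__ == "__main__":
    lines = pstr_log(PACKETS)
    print("\n".join(lines))
    print("fpc bytes vs pstr bytes:", storage_bytes(PACKETS, lines))
```

The header allow-list is the decision that matters: it sets both the storage footprint and what sensitive material (session cookies, Authorization values, request bodies) ends up searchable in the log, so it should be an explicit choice rather than "everything we can parse".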

  • Chapter 5 – Full Packet Capture Data
    Applied Network Security Monitoring: Collection, Detection, and Analysis, 2014
    Co-Authors: Chris Sanders, Jason Smith
    Abstract:

    The type of NSM data with the most intrinsic value to the analyst is full packet capture (FPC) data. FPC data provides a full accounting of every packet transmitted between two endpoints. This chapter begins with an overview of the importance of full packet capture data, then examines several tools that produce FPC data in PCAP form, including Netsniff-NG, Daemonlogger, and Dumpcap. This leads to a discussion of the considerations for planning FPC data storage and maintaining that data, including ways to trim the amount of FPC data stored.
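
The storage planning and trimming questions raised by the Chapter 5 abstract (both the 2020 and 2014 listings above), as an added example that is not Netsniff-NG, Daemonlogger, Dumpcap or the book's own code: it works out how long a disk budget holds at a sustained capture rate, emits the matching dumpcap ring-buffer command line, and estimates what a per-flow byte cutoff saves. The per-flow cutoff technique (store only the first N bytes of each flow), the interface name, the path, the capture filter and every number are assumptions for illustration, not figures from the chapter.

```python
"""Added example, not Netsniff-NG, Daemonlogger or Dumpcap code: the sizing
arithmetic behind an FPC ring buffer and an estimate of what a per-flow byte
cutoff saves. Every number is an assumption for illustration, and the cutoff
technique (keep only the first N bytes of each flow) is assumed here rather
than taken from the chapter."""
PCAP_PKT_HDR = 16        # bytes libpcap stores per packet on top of the wire bytes
GB = 10**9               # vendor gigabyte


def capture_bytes_per_hour(link_mbps: float, utilisation: float, avg_pkt: int) -> float:
    """Sustained on-disk rate: wire bytes plus the per-packet pcap record header."""
    wire_bps = link_mbps * 1e6 / 8 * utilisation
    return wire_bps * (1 + PCAP_PKT_HDR / avg_pkt) * 3600


def retention_hours(disk_gb: float, link_mbps: float, utilisation: float, avg_pkt: int) -> float:
    """How long a disk budget holds before the ring buffer starts overwriting."""
    return disk_gb * GB / capture_bytes_per_hour(link_mbps, utilisation, avg_pkt)


def dumpcap_ring_buffer(iface, outdir, disk_gb, file_mb=1000, snaplen=65535, bpf=None):
    """dumpcap argv for a ring buffer that stays within the disk budget:
    -b filesize is in kB, -b files caps the number of files before the oldest is reused."""
    files = int(disk_gb * GB // (file_mb * 10**6))
    argv = ["dumpcap", "-i", iface, "-s", str(snaplen),
            "-b", f"filesize:{file_mb * 1000}", "-b", f"files:{files}",
            "-w", f"{outdir}/fpc.pcapng"]
    if bpf:
        argv += ["-f", bpf]       # trim at capture time, e.g. drop known bulk traffic
    return argv


def flow_cutoff_savings(flow_sizes, cutoff):
    """Bytes stored with and without keeping only the first `cutoff` bytes of each flow."""
    full = sum(flow_sizes)
    trimmed = sum(min(s, cutoff) for s in flow_sizes)
    return full, trimmed, 1 - trimmed / full


# constructed heavy-tailed flow mix: 9,500 short flows, 480 medium ones, 20 bulk transfers
FLOW_SIZES = [4_000] * 9_500 + [300_000] * 480 + [2_000_000_000] * 20

if __name__ == "__main__":
    print(f"{retention_hours(2000, 1000, 0.2, 700):.1f} h of retention on 2 TB at 200 Mbit/s")
    print(" ".join(dumpcap_ring_buffer("eth1", "/data/fpc", 2000,
                                       bpf="not (tcp port 445 and host 10.0.0.50)")))
    full, trimmed, saved = flow_cutoff_savings(FLOW_SIZES, 1_000_000)
    print(f"1 MB/flow cutoff: {trimmed/GB:.2f} GB instead of {full/GB:.1f} GB ({saved:.1%} saved)")
```

The cutoff result is the reason trimming is worth the complexity: on a heavy-tailed mix a handful of bulk transfers own almost all the bytes, while the first megabyte of each flow still holds the handshake, the request and the start of the response that an analyst actually reads. Anything excluded by the capture filter is gone for good, so the filter should name traffic you would never need to reconstruct, not traffic that is merely large.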

S. Ranjan - One of the best experts on this subject based on the ideXlab platform.

  • DoWitcher: Effective Worm Detection and Containment in the Internet Core
    IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications, 2007
    Co-Authors: S. Ranjan, S. Shah, A. Nucci, M. Munafo, R. Cruz, S. Muthukrishnan
    Abstract:

    Enterprise networks are increasingly offloading the responsibility for worm detection and containment to the carrier networks. However, current approaches to the zero-day worm detection problem, such as those based on content similarity of packet payloads, do not scale to carrier link speeds (OC-48 and upwards). In this paper, we introduce a new system, DoWitcher, which in contrast to previous approaches is scalable and is also able to detect the stealthiest worms, those that use low propagation rates or polymorphism to evade detection. DoWitcher uses an incremental approach to worm detection: first, it examines layer-4 traffic features to discern the presence of a worm anomaly; next, it determines a flow-filter mask that can be applied to isolate the suspect worm flows; and finally, it enables full-packet capture of only those flows that match the mask, which are then processed by a longest-common-subsequence algorithm to extract the worm's content signature. Via a proof-of-concept implementation on a commercially available network analyzer processing raw packets from an OC-48 link, we demonstrate the capability of DoWitcher to detect low-rate worms and to extract signatures even for polymorphic worms.
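
The three-stage pipeline in the DoWitcher abstract (listed above under S. Muthukrishnan and here under S. Ranjan), as an added worked example that is not the authors' code: a layer-4 fan-out check flags scanning sources, the result becomes a flow-filter mask (also rendered as a BPF expression), and a longest-common-subsequence fold over only the captured payloads yields the content signature. The fan-out threshold, all addresses, flow records and payloads are constructed; the disjoint filler alphabets around the invariant stub are a deliberate simplification so that the LCS result is exactly the stub.

```python
"""Added worked example, not DoWitcher's own code: the three-stage pipeline the
abstract describes, run on constructed flow records and payloads.
  stage 1  layer-4 features   -> flag sources fanning out to many hosts on one port
  stage 2  flow-filter mask   -> predicate plus an equivalent BPF expression
  stage 3  selective capture  -> keep only matching payloads, fold an LCS over them
"""
from collections import defaultdict

# Stage-1 input (constructed): flow summaries (src, dst, proto, dport, bytes).
# 10.0.0.5 and 10.0.0.9 each touch many distinct hosts on 445/tcp; the rest is benign.
FLOWS = (
    [("10.0.0.5", f"10.1.{i}.{i}", "tcp", 445, 612) for i in range(1, 21)]
    + [("10.0.0.9", f"10.2.{i}.{i}", "tcp", 445, 620) for i in range(1, 16)]
    + [("10.0.0.7", "10.9.0.1", "tcp", 443, 4200),
       ("10.0.0.7", "10.9.0.2", "tcp", 443, 3900),
       ("10.0.0.8", "10.9.0.3", "tcp", 80, 1500)]
)

# Stage-3 input (constructed): packets (src, proto, dport, payload). The worm
# payloads wrap one invariant stub in per-packet filler; each filler alphabet is
# disjoint from the others and from the stub, so the LCS must be exactly the stub.
STUB = b"\x90\x90EXPLOIT-STUB\xeb\x10"
PACKETS = [
    ("10.0.0.5", "tcp", 445, bytes(range(0x01, 0x09)) + STUB + bytes(range(0x01, 0x05))),
    ("10.0.0.9", "tcp", 445, bytes(range(0x20, 0x28)) + STUB + bytes(range(0x20, 0x24))),
    ("10.0.0.5", "tcp", 445, bytes(range(0x30, 0x38)) + STUB + bytes(range(0x30, 0x34))),
    ("10.0.0.7", "tcp", 443, b"\x16\x03\x01\x00\xc8\x01" + b"\x00" * 40),  # TLS, outside the mask
    ("10.0.0.8", "tcp", 445, b"\x00\x00\x00\x2fSMB-BENIGN"),                # right port, quiet source
]


def find_fanout_anomalies(flows, min_fanout=10):
    """Stage 1. Count distinct destinations per (src, proto, dport); a source
    exceeding min_fanout on one port is scanning, a layer-4 worm symptom."""
    fanout = defaultdict(set)
    for src, dst, proto, dport, _ in flows:
        fanout[(src, proto, dport)].add(dst)
    return {k: len(v) for k, v in fanout.items() if len(v) >= min_fanout}


def build_flow_mask(anomalies):
    """Stage 2. Turn the anomalous tuples into a predicate the capture path can
    apply per packet, plus the same mask as a BPF expression for a real sniffer."""
    keys = set(anomalies)
    clauses = sorted(f"(src host {s} and {p} dst port {d})" for s, p, d in keys)
    return (lambda src, proto, dport: (src, proto, dport) in keys), " or ".join(clauses)


def lcs(a: bytes, b: bytes) -> bytes:
    """Longest common subsequence by dynamic programming, O(len(a) * len(b))."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]          # dp[i][j] = LCS length of a[i:], b[j:]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = bytearray(), 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return bytes(out)


def extract_signature(payloads):
    """Stage 3. Fold the LCS across every captured payload."""
    if not payloads:
        return b""
    sig = payloads[0]
    for p in payloads[1:]:
        sig = lcs(sig, p)
    return sig


def run_pipeline(flows=FLOWS, packets=PACKETS):
    anomalies = find_fanout_anomalies(flows)
    matches, bpf = build_flow_mask(anomalies)
    captured = [pl for src, proto, dport, pl in packets if matches(src, proto, dport)]
    return anomalies, bpf, captured, extract_signature(captured)


if __name__ == "__main__":
    anomalies, bpf, captured, signature = run_pipeline()
    print(anomalies)
    print("capture filter:", bpf)
    print(f"{len(captured)} flows captured, signature = {signature!r}")
```

Two things the toy hides that matter in practice: the mask is what makes stage 3 affordable at carrier speed, since only flows from flagged sources on the flagged port are ever written to disk; and on real polymorphic payloads the LCS also picks up coincidental single-byte matches inside the variable parts, so an extractor meant for deployment would additionally require a minimum contiguous run before emitting a signature (that requirement is my suggestion, not a detail from the abstract).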

Murray A. Jorgensen - One of the best experts on this subject based on the ideXlab platform.

  • WiOpt - Using the IEEE 802.11 Frame Check Sequence as a pseudo random number for Packet sampling in wireless networks
    2009 7th International Symposium on Modeling and Optimization in Mobile Ad Hoc and Wireless Networks, 2009
    Co-Authors: S Raynel, Anthony Mcgregor, Murray A. Jorgensen
    Abstract:

    Low-power devices such as common wireless router platforms are not capable of performing reliable full packet capture due to resource constraints. In order for such devices to be used to perform link-level measurement on IEEE 802.11 networks, a packet sampling technique is required in order to reliably capture a representative sample of frames. The traditional Berkeley Packet Filter mechanism found in UNIX-like operating systems does not directly support packet sampling, as it provides no way of generating pseudo-random numbers and does not allow a filter program to keep state between invocations. This paper explores the use of the IEEE 802.11 Frame Check Sequence as a source of pseudo-random numbers for use when deciding whether to sample a packet. This theory is tested by analysing the distribution of Frame Check Sequences from a large, real-world capture. Finally, a BPF program fragment is presented which can be used to efficiently select packets for sampling.
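
The sampling idea in the Raynel, McGregor and Jorgensen abstract (listed above under S Raynel and here), as an added example that is not the paper's BPF fragment: the FCS is CRC-32 over the frame, so a stateless "keep the frame if the low k bits of the FCS are zero" test samples at 1/2^k with only a load, a mask and a compare. The frames, the seed and the chi-square check are constructed stand-ins for the real-world capture the paper analyses; the grind function shows the caveat that a sender who controls the frame body also controls whether it is sampled.

```python
"""Added example, not the paper's BPF fragment: sampling keyed on the IEEE
802.11 FCS. The FCS is CRC-32 over the MAC header and body (same polynomial as
Ethernet), so across real frames its low bits are close to uniform, and
"keep the frame iff FCS & (2**k - 1) == 0" samples at rate 1/2**k using only a
load, a mask and a compare, which is all classic BPF can do without a PRNG or
state. Frames below are constructed; the chi-square check stands in for the
paper's test on a real capture."""
import random
import struct
import zlib


def frame_with_fcs(mpdu: bytes) -> bytes:
    """Append the FCS as a transmitter does: CRC-32 of the MPDU, little-endian."""
    return mpdu + struct.pack("<I", zlib.crc32(mpdu) & 0xFFFFFFFF)


def fcs_of(frame: bytes) -> int:
    return struct.unpack("<I", frame[-4:])[0]


def fcs_valid(frame: bytes) -> bool:
    """Frames that failed the FCS carry no usable hash; drop them before sampling."""
    return (zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == fcs_of(frame)


def sample(frame: bytes, log2_rate: int) -> bool:
    """Stateless 1-in-2**log2_rate decision: no RNG, no state between frames."""
    return fcs_valid(frame) and (fcs_of(frame) & ((1 << log2_rate) - 1)) == 0


def make_frames(n: int, seed: int = 1) -> list:
    """Constructed data frames: 24-byte MAC header (FC, duration, 3 addresses,
    sequence control) plus a random body of 40-400 bytes."""
    rng = random.Random(seed)
    frames = []
    for _ in range(n):
        header = b"\x08\x02\x00\x00" + rng.randbytes(18) + b"\x00\x00"
        frames.append(frame_with_fcs(header + rng.randbytes(rng.randint(40, 400))))
    return frames


def sampled_fraction(frames, log2_rate: int) -> float:
    return sum(sample(f, log2_rate) for f in frames) / len(frames)


def chi_square_low_bits(frames, bits: int = 4) -> float:
    """Chi-square statistic of the FCS low `bits` against uniform (2**bits - 1 d.o.f.).
    Values far above ~30 for 15 d.o.f. would mean the FCS is a poor sampling key."""
    k = 1 << bits
    counts = [0] * k
    for f in frames:
        counts[fcs_of(f) & (k - 1)] += 1
    expected = len(frames) / k
    return sum((c - expected) ** 2 / expected for c in counts)


def grind_fcs(mpdu: bytes, log2_rate: int, want_sampled: bool) -> bytes:
    """Caveat for adversarial settings: the FCS is a deterministic function of the
    frame, so a sender who controls the body can append a counter and retry until
    the sampler makes the decision it wants (always seen, or never seen)."""
    for n in range(1 << 20):
        candidate = frame_with_fcs(mpdu + n.to_bytes(4, "little"))
        if sample(candidate, log2_rate) == want_sampled:
            return candidate
    raise RuntimeError("no suitable counter found")


if __name__ == "__main__":
    frames = make_frames(4096)
    print("1/16 sampling kept", f"{sampled_fraction(frames, 4):.3f}", "of frames")
    print("chi-square of low 4 bits:", round(chi_square_low_bits(frames), 2))
    evader = grind_fcs(b"\x08\x02" + b"\x00" * 22 + b"payload", 4, False)
    print("ground frame sampled?", sample(evader, 4))
```

Because the decision depends only on frame content, two sensors that see the same frame make the same choice, which is convenient for matching samples across vantage points; by the same token a retransmission with identical content is either kept both times or dropped both times, and the grind function shows why this scheme is a measurement tool rather than something to rely on against a sender who wants to stay out of, or flood, the sample.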