Using GSP data mining algorithm to detect malicious flows in Lawrence Berkeley National Laboratory FTP
•Download as PPTX, PDF•
2 likes•923 views
Pattern-based techniques are capable to detect predefined patterns and in the case of discover of new vulnerability or attack techniques, one must wait until new software updates to be release. Behaviors-based techniques can also be used to detect in abnormality of user behavior and thus be used as a technique to validate or protect authenticity of user in case of identity thief.
Recommended
More Related Content
Similar to Using GSP data mining algorithm to detect malicious flows in Lawrence Berkeley National Laboratory FTP
Similar to Using GSP data mining algorithm to detect malicious flows in Lawrence Berkeley National Laboratory FTP (20)
More from Amir Razmjou
Recently uploaded
Recently uploaded (20)
Using GSP data mining algorithm to detect malicious flows in Lawrence Berkeley National Laboratory FTP
- 1. Using GSP data mining algorithm to detect malicious flows in Lawrence Berkeley National Laboratory FTP Amir Razmjou
- 2. Pattern-based Techniques and Today’s Cybersecurity Challenges • Protocols specifications evolve more rapidly • Vendor-Specific, Closed Standard Protocols. • Network traffic verification against protocol specifications does not always account for legitimate traffic, – XML XXE Attacks – FTP Bounce Attacks • Unknown attacks. • That abnormality to user interactions account for changes.
- 3. Sequential Pattern Mining • It is similar to the frequent item sets mining, but with consideration of ordering. • Sequential Pattern Mining is useful in many application. – Customer shopping sequences: – Medical treatments, natural disasters (e.g., earthquakes), science & eng. processes, stocks and markets, etc. • Useful for extraction of knowledge from semi- structured data (i.e. XML)
- 4. What is sequence database and sequential pattern mining • A sequence database consists of ordered elements or events where each element is an unordered set of items. SID sequences 10 <a(abc)(ac)d(cf)> 20 <(ad)c(bc)(ae)> 30 <(ef)(ab)(df)cb> 40 <eg(af)cbc> TID itemsets 10 a, b, d 20 a, c, d 30 a, d, e 40 b, e, f
- 5. Sequential Shopping Cart Transaction 1 biscuits Sequence1 biscuits Sequence2 biscuits Sequence3 snack Sequence4 baking needs frozen foods frozen foods salads cake fruit frozen foods chickens fruit baking needs beef snack Transaction 2 baking needs cake pet food cake baking needs lamb vegetables snack chickens pet food electrical salads Transaction 3 snack snack lamb brushware salads chickens salads salads beef chickens Transaction 5 chickens electrical brushware
- 6. Sample FTP Flow Welcome to Microsoft FTP Server 3.4 USER anonymous 331 Guest login ok, send your complete e-mail address as password. PASS <password> 230 Guest login ok, access restrictions apply. TYPE I 200 Type set to I. CWD xfig 250 CWD command successful.
- 8. Resulting Dataset Source Destination APP Signature COMMAND CODE 4.251.189.14:33257 131.243.1.10:21 custom1 USER 331 4.251.189.14:33257 131.243.1.10:21 custom1 PASS 230 4.251.189.14:33257 131.243.1.10:21 custom1 REST 350 4.251.189.14:33257 131.243.1.10:21 custom1 TYPE 200 4.251.189.14:33257 131.243.1.10:21 custom1 CWD 250 4.251.189.14:33257 131.243.1.10:21 custom1 TYPE 200 140.114.97.25:33983 131.243.1.10:21 custom1 USER 331 140.114.97.25:33983 131.243.1.10:21 custom1 PASS 230 140.114.97.25:33983 131.243.1.10:21 custom1 SYST 215 140.114.97.25:33983 131.243.1.10:21 custom1 CWD 550 53.55.176.50:10011 131.243.1.10:21 custom1 USER 331 53.55.176.50:10011 131.243.1.10:21 custom1 PASS 230 53.55.176.50:10011 131.243.1.10:21 custom1 FEAT 500 53.55.176.50:10011 131.243.1.10:21 custom1 SYST 215 53.55.176.50:10011 131.243.1.10:21 custom1 PWD 257
- 9. Result Sequence Rules [1] <{USER}{PASS,230}{TYPE,200}{PASV,227}{RETR,150}> 6391 [2] <{USER}{PASS,230}{TYPE,200}{SIZE,213}{RETR,150}> 4853 [3] <{USER,331}{PASS}{TYPE,200}{PASV,227}{RETR,150}> 6391 [4] <{USER,331}{PASS}{TYPE,200}{SIZE,213}{RETR,150}> 4853 [5] <{USER,331}{PASS,230}{CWD,250}{TYPE,200}{150}> 4872 [6] <{USER,331}{PASS,230}{TYPE}{PASV,227}{RETR,150}> 6391 [7] <{USER,331}{PASS,230}{TYPE}{SIZE,213}{RETR,150}> 4853 [8] <{USER,331}{PASS,230}{TYPE,200}{PASV}{RETR,150}> 6392 [9] <{USER,331}{PASS,230}{TYPE,200}{PASV,227}{RETR}> 7927 [10] <{USER,331}{PASS,230}{TYPE,200}{PASV,227}{150}> 8342 [11] <{USER,331}{PASS,230}{TYPE,200}{SIZE}{RETR,150}> 5062 [12] <{USER,331}{PASS,230}{TYPE,200}{SIZE,213}{RETR}> 4893
- 10. Abnormal Flows USER, 331 , PASS, 230, PORT, 200, 500, QUIT, 221, 220, PWD, 257, SYST, 215, CWD, 550, PASV, 227, TYPE, SIZE,213, RETR, 150, 226, MDTM, 250, LIST, 421, ABOR,533, Udd20dfd1U, U15030ab9U, U54668fafU, Udb6ef1c3U, U7694531dU, PORTQUIT, U07c4edf9U, U8855979dU, Uab12679fU, Uc2ca1083U, U5b79257aU, U5f561953U, Ud4a28da8U wu2616121 custom1 wu2616120 proftpdrc2 general172125 general8 msftp4 msftp sunos41 sunos56 other general5 vxworks54 WarFTPd167 • Commands in unmatched flows • Signatures of FTP servers in unmatched flows 7%
- 11. Sequence Size and Support
- 12. References • Almulhem, A., & Traore, I. (2007). Mining and detecting connection-chains in network traffic. IFIP International Federation for Information Processing, 238, 47–57. http://doi.org/10.1007/978-0-387-73655-6_4 • Bronson, B. J. (2004). Protecting Your Network from ARP Spoofing-Based Attacks, 1–5. • Scigocki, M., & Zander, S. (2013). Improving Machine Learning Network Traffic Classification with Payload-based Features, (November), 1–7. • Zander, S., Zander, S., Nguyen, T., Nguyen, T., Armitage, G., & Armitage, G. (2005). Automated Traffic Classification and Application Identification using Machine Learning. Proceedings of the IEEE.