Monday, September 13, 2010

IDS intrusion analysis: an example of building a signature library (2)



4. Determine the candidate features
To better understand how a header-based signature is developed, the following example walks through the whole process in detail.

Synscan is a popular scanning and detection tool; its code was used to build early fragments of the Ramen worm, which made headlines in early 2001. Synscan's behaviour is quite characteristic: it sends packets with a number of distinguishing features, including:

Varying source IP addresses
TCP source port 21, destination port 21
Type of Service 0
IP identification number 39426
SYN and FIN flags set
Varying sequence numbers
Varying acknowledgment numbers
TCP window size 1028

Now we screen the data above to see which characteristics are best suited to a signature. We are looking for illegal, unusual or suspicious data; in most cases these reflect the vulnerability the attacker exploits or the particular technique being used. The following are the candidate characteristics:

Packets with only the SYN and FIN flags set, which is a recognised sign of malicious behaviour.

Packets in which the ACK flag is not set but the acknowledgment number carries a non-zero value, whereas it should normally be 0.

Packets with both source and destination port set to 21, a port usually associated with FTP servers. Identical source and destination ports are generally called "reflexive"; apart from a few special cases such as NetBIOS communication, this should not normally occur. Reflexive TCP ports do not in themselves violate the standard, but in most cases they are not the expected values. For example, in a normal FTP session the destination port is usually 21, but the source port is usually above 1023.

TCP window size 1028 and IP identification number 39426 in every packet. According to the IP RFC, these two values should differ between packets, so if they stay constant it is suspicious.

5. Announce the best feature, the "winner"

From these four candidates we can select a single characteristic as the header-based signature, or a combination of several of them.

Selecting a single characteristic as the signature has serious limitations. For example, a simple signature could match only packets with SYN and FIN set; although this strongly suggests suspicious behaviour, it gives no further information. SYN and FIN together are usually used in attacks on firewalls and similar devices, and whenever they appear they indicate that a scan is under way, information is being gathered, and the attacker is about to begin. But that is all it tells us; what we need is more detailed information.

Combining all four candidates as the signature is also unrealistic, because it is too specific. Although it would identify the behaviour accurately, it is far less efficient than a signature that uses only one characteristic. In fact, signature definition is always a compromise between efficiency and accuracy. In most cases a simple signature is more prone to false positives than a complex one, because what it matches is common; a complex signature is more prone to false negatives (missed detections) than a simple one, because it is too specific, and the characteristics of an attack tool change over time.

Too much does not work, and too little does not fit real conditions. For example, if we want to determine which tool may be attacking, what other attributes should we use besides the SYN and FIN flags? Although "reflexive" ports are suspicious, many tools use them and some normal communications show them too, so they are not suitable as a selected feature. A TCP window size of 1028 is somewhat suspicious, but it can also occur naturally; the same applies to IP identification number 39426. A non-zero acknowledgment number with the ACK flag not set is clearly not legal, so it is suitable as a selected feature. Of course, adjusting or combining the feature data to suit the particular environment is the only way to achieve the best results.

Next we create a real signature that finds and identifies the TCP packets sent by synscan using all of the following attributes:

Only the SYN and FIN flags set
IP identification number 39426
TCP window size 1028

The first item alone is too general; the second and third together are rarely seen in the same packet, so the three items combined define a detailed signature. Adding further synscan attributes would not significantly improve the signature's accuracy and would only increase the resource cost. With this, the signature that identifies synscan is complete.
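The candidate screening and the final three-attribute signature above, as an added example that is not part of the original post: a small header parser evaluates each candidate on raw IPv4/TCP packets, and a comparison shows how the single SYN+FIN rule fires on more traffic than the combined rule. The sample packets are constructed here, and the helper names are assumptions of this example.

```python
import struct

# Final signature from the text: only SYN and FIN set, IP ID 39426, TCP window 1028.
SYNSCAN_IPID, SYNSCAN_WINDOW = 39426, 1028
TH_FIN, TH_SYN, TH_ACK = 0x01, 0x02, 0x10

def parse_headers(pkt):
    """Pull the fields the candidates need out of a raw IPv4+TCP packet (TCP options ignored)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                      # IP protocol field: 6 = TCP
        return None
    ip_id = struct.unpack("!H", pkt[4:6])[0]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return {"ip_id": ip_id, "sport": sport, "dport": dport, "ack": ack,
            "flags": off_flags & 0x3F,   # URG ACK PSH RST SYN FIN
            "window": window}

def candidates(h):
    """The four candidate characteristics discussed in the text, evaluated on parsed headers."""
    return {
        "syn_fin_only": h["flags"] == TH_SYN | TH_FIN,
        "ack_value_without_ack_flag": not (h["flags"] & TH_ACK) and h["ack"] != 0,
        "reflexive_port_21": h["sport"] == 21 and h["dport"] == 21,
        "ipid_and_window": h["ip_id"] == SYNSCAN_IPID and h["window"] == SYNSCAN_WINDOW,
    }

def matches_synscan(h):
    """Final combined signature: SYN+FIN only AND IP ID 39426 AND window 1028."""
    c = candidates(h)
    return c["syn_fin_only"] and c["ipid_and_window"]

def build_packet(sport, dport, ack, flags, ip_id, window, seq=0x11223344):
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                     bytes((10, 0, 0, 1)), bytes((10, 0, 0, 2)))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    return ip + tcp

# Constructed traffic: one synscan probe, one ordinary FTP SYN, one SYN+FIN from some other tool.
SAMPLE_PACKETS = {
    "synscan": build_packet(21, 21, 0x55667788, TH_SYN | TH_FIN, SYNSCAN_IPID, SYNSCAN_WINDOW),
    "ftp_syn": build_packet(40123, 21, 0, TH_SYN, 39426, 1028),
    "other_synfin": build_packet(31337, 80, 0, TH_SYN | TH_FIN, 4242, 512),
}

def compare_rules(pkts=SAMPLE_PACKETS):
    """Return which packets the single-feature rule (SYN+FIN) fires on versus the combined rule."""
    single = sorted(k for k, p in pkts.items() if candidates(parse_headers(p))["syn_fin_only"])
    combined = sorted(k for k, p in pkts.items() if matches_synscan(parse_headers(p)))
    return single, combined
```

The FTP SYN shares the IP ID and window values but not the flag combination, so the combined rule ignores it, while the other tool's SYN+FIN packet is caught only by the broader single-feature rule.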
