Using GSP data mining algorithm to detect malicious flows in Lawrence Berkeley National Laboratory FTP
Amir Razmjou
Pattern-based Techniques and Today’s Cybersecurity Challenges
• Protocol specifications evolve rapidly.
• Vendor-specific, closed-standard protocols.
• Verifying network traffic against protocol specifications does not always account for legitimate traffic, for example:
  – XML XXE attacks
  – FTP bounce attacks
• Unknown attacks.
• Abnormal user interactions account for changes in the traffic.
Sequential Pattern Mining
• It is similar to frequent itemset mining, but takes the ordering of the items into account.
• Sequential pattern mining is useful in many applications:
  – Customer shopping sequences
  – Medical treatments, natural disasters (e.g., earthquakes), science and engineering processes, stocks and markets, etc.
• Useful for extracting knowledge from semi-structured data (e.g., XML).
What is a sequence database and sequential pattern mining?
• A sequence database consists of ordered elements or events, where each element is an unordered set of items.

Sequence database (items in parentheses belong to the same element):

SID  sequence
10   <a(abc)(ac)d(cf)>
20   <(ad)c(bc)(ae)>
30   <(ef)(ab)(df)cb>
40   <eg(af)cbc>

Transaction database of unordered itemsets, for comparison:

TID  itemset
10   a, b, d
20   a, c, d
30   a, d, e
40   b, e, f
Sequential Shopping Cart
(Figure: four customer sequences, Sequence1 to Sequence4, each a series of transactions (Transaction 1, 2, 3, 5 shown) of grocery items such as biscuits, frozen foods, salads, cake, baking needs, snack, chickens, beef, lamb, pet food, electrical and brushware.)
Sample FTP Flow
Welcome to Microsoft FTP Server 3.4
USER anonymous
331 Guest login ok, send your complete e-mail address as
password.
PASS <password>
230 Guest login ok, access restrictions apply.
TYPE I
200 Type set to I.
CWD xfig
250 CWD command successful.
Data Preparation
Resulting Dataset

Source               Destination       App signature  Command  Code
4.251.189.14:33257   131.243.1.10:21   custom1        USER     331
4.251.189.14:33257   131.243.1.10:21   custom1        PASS     230
4.251.189.14:33257   131.243.1.10:21   custom1        REST     350
4.251.189.14:33257   131.243.1.10:21   custom1        TYPE     200
4.251.189.14:33257   131.243.1.10:21   custom1        CWD      250
4.251.189.14:33257   131.243.1.10:21   custom1        TYPE     200
140.114.97.25:33983  131.243.1.10:21   custom1        USER     331
140.114.97.25:33983  131.243.1.10:21   custom1        PASS     230
140.114.97.25:33983  131.243.1.10:21   custom1        SYST     215
140.114.97.25:33983  131.243.1.10:21   custom1        CWD      550
53.55.176.50:10011   131.243.1.10:21   custom1        USER     331
53.55.176.50:10011   131.243.1.10:21   custom1        PASS     230
53.55.176.50:10011   131.243.1.10:21   custom1        FEAT     500
53.55.176.50:10011   131.243.1.10:21   custom1        SYST     215
53.55.176.50:10011   131.243.1.10:21   custom1        PWD      257
Result Sequence Rules
[1] <{USER}{PASS,230}{TYPE,200}{PASV,227}{RETR,150}> 6391
[2] <{USER}{PASS,230}{TYPE,200}{SIZE,213}{RETR,150}> 4853
[3] <{USER,331}{PASS}{TYPE,200}{PASV,227}{RETR,150}> 6391
[4] <{USER,331}{PASS}{TYPE,200}{SIZE,213}{RETR,150}> 4853
[5] <{USER,331}{PASS,230}{CWD,250}{TYPE,200}{150}> 4872
[6] <{USER,331}{PASS,230}{TYPE}{PASV,227}{RETR,150}> 6391
[7] <{USER,331}{PASS,230}{TYPE}{SIZE,213}{RETR,150}> 4853
[8] <{USER,331}{PASS,230}{TYPE,200}{PASV}{RETR,150}> 6392
[9] <{USER,331}{PASS,230}{TYPE,200}{PASV,227}{RETR}> 7927
[10] <{USER,331}{PASS,230}{TYPE,200}{PASV,227}{150}> 8342
[11] <{USER,331}{PASS,230}{TYPE,200}{SIZE}{RETR,150}> 5062
[12] <{USER,331}{PASS,230}{TYPE,200}{SIZE,213}{RETR}> 4893
Abnormal Flows
• Commands in unmatched flows: USER, 331, PASS, 230, PORT, 200, 500, QUIT, 221, 220, PWD, 257, SYST, 215, CWD, 550, PASV, 227, TYPE, SIZE, 213, RETR, 150, 226, MDTM, 250, LIST, 421, ABOR, 533, Udd20dfd1U, U15030ab9U, U54668fafU, Udb6ef1c3U, U7694531dU, PORTQUIT, U07c4edf9U, U8855979dU, Uab12679fU, Uc2ca1083U, U5b79257aU, U5f561953U, Ud4a28da8U
• Signatures of FTP servers in unmatched flows: wu2616121, custom1, wu2616120, proftpdrc2, general172125, general8, msftp4, msftp, sunos41, sunos56, other, general5, vxworks54, WarFTPd167
(chart: 7%)
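The pipeline the slides sketch (per-flow {COMMAND, CODE} itemsets, frequent sequential pattern mining, and flows matching no mined pattern reported as abnormal), as an added Python example that is not part of the slides. The flow contents and client endpoints are constructed, and the level-wise candidate join is a simplified GSP rather than the exact tool the author used.

```python
# Constructed sample flows in the layout of the "Resulting Dataset" slide:
# one client endpoint per flow, each step a {COMMAND, CODE} itemset in order.
FLOWS = {
    "10.0.0.1:40001": "USER 331,PASS 230,TYPE 200,PASV 227,RETR 150",
    "10.0.0.2:40002": "USER 331,PASS 230,TYPE 200,SIZE 213,RETR 150",
    "10.0.0.3:40003": "USER 331,PASS 230,CWD 250,TYPE 200,PASV 227,RETR 150",
    "10.0.0.4:40004": "USER 331,PASS 230,TYPE 200,PASV 227,RETR 150,QUIT 221",
    "10.0.0.5:40005": "USER 331,PASS 230,SYST 215,TYPE 200,SIZE 213,RETR 150",
    # the odd one out: PORT is rejected and the client quits without a transfer
    "10.0.0.6:40006": "USER 331,PASS 230,PORT 500,QUIT 221",
}

def parse_flow(text):
    """'USER 331,PASS 230' -> (('331', 'USER'), ('230', 'PASS')); each element
    is an unordered itemset, stored as a sorted tuple so it hashes canonically."""
    return tuple(tuple(sorted(step.split())) for step in text.split(","))

def contains(seq, pat):
    """Sequential-pattern containment: each element of pat is a subset of a
    distinct element of seq, in order. Greedy earliest matching is exact here."""
    i = 0
    for element in seq:
        if i < len(pat) and set(pat[i]) <= set(element):
            i += 1
    return i == len(pat)

def support(pat, seqs):
    """Sequence support: how many input sequences contain pat."""
    return sum(contains(s, pat) for s in seqs)

def gsp(seqs, minsup):
    """Level-wise GSP returning {pattern: support} for support >= minsup.
    A level-(k+1) candidate is a frequent k-sequence plus one frequent item,
    either as a new element or merged into the last element; extending only
    frequent patterns is the Apriori pruning (simplified GSP join step)."""
    level = sorted({((item,),) for s in seqs for e in s for item in e})
    frequent, f_items = {}, []
    while level:
        counts = {p: support(p, seqs) for p in level}
        kept = {p: c for p, c in counts.items() if c >= minsup}
        if not kept:
            break
        if not f_items:                      # level 1: remember the frequent items
            f_items = sorted(p[0][0] for p in kept)
        frequent.update(kept)
        nxt = set()
        for p in kept:
            for item in f_items:
                nxt.add(p + ((item,),))                    # sequence extension
                if item > p[-1][-1]:                       # itemset extension, no duplicates
                    nxt.add(p[:-1] + (p[-1] + (item,),))
        level = sorted(nxt)
    return frequent

def maximal(patterns):
    """Frequent patterns contained in no other frequent pattern: the compact
    'sequence rules' a normal flow is expected to match."""
    pats = list(patterns)
    return [p for p in pats if not any(q != p and contains(q, p) for q in pats)]

def unmatched_flows(flows, rules):
    """Flow ids matching none of the rules, and the items seen in those flows
    (the slide's 'commands in unmatched flows')."""
    bad = {fid for fid, seq in flows.items() if not any(contains(seq, r) for r in rules)}
    items = sorted({it for fid in bad for e in flows[fid] for it in e})
    return bad, items

def run(minsup=4):
    flows = {fid: parse_flow(text) for fid, text in FLOWS.items()}
    frequent = gsp(list(flows.values()), minsup)
    rules = maximal(frequent)
    bad, items = unmatched_flows(flows, rules)
    return frequent, rules, bad, items

if __name__ == "__main__":
    frequent, rules, bad, items = run()
    for r in rules:
        print("".join("{" + ",".join(e) + "}" for e in r), frequent[r])
    print("unmatched:", sorted(bad), "items:", items)
```

With minsup=4 the only maximal rule is <{331,USER}{230,PASS}{200,TYPE}{150,RETR}> (support 5), and the PORT/QUIT flow is the one reported as unmatched; raising minsup to 6 shrinks the rule to the login prefix and nothing is flagged, which is the support trade-off the "Sequence Size and Support" slide is about.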
Sequence Size and Support