Pattern-based techniques can only detect predefined patterns; when a new vulnerability or attack technique is discovered, one must wait for a software update to be released.
Behaviour-based techniques can also be used to detect abnormalities in user behaviour, and thus serve as a technique to validate or protect the authenticity of a user in the case of identity theft.
Using GSP data mining algorithm to detect malicious flows in Lawrence Berkeley National Laboratory FTP
1. Using GSP data mining algorithm to detect malicious flows in Lawrence Berkeley National Laboratory FTP
Amir Razmjou
2. Pattern-based Techniques and Today's Cybersecurity Challenges
• Protocol specifications evolve more rapidly.
• Vendor-specific, closed-standard protocols.
• Verifying network traffic against protocol specifications does not always account for legitimate traffic:
– XML XXE attacks
– FTP bounce attacks
• Unknown attacks.
• Abnormalities in user interactions may simply reflect changes in behaviour.
3. Sequential Pattern Mining
• Similar to frequent itemset mining, but with the ordering of items taken into account.
• Sequential pattern mining is useful in many applications:
– Customer shopping sequences
– Medical treatments, natural disasters (e.g., earthquakes), science & engineering processes, stocks and markets, etc.
• Useful for extracting knowledge from semi-structured data (e.g., XML)
4. What is a sequence database and sequential pattern mining?
• A sequence database consists of ordered elements or events, where each element is an unordered set of items.
Sequence database (one ordered sequence per SID; parentheses group items into one element):
SID  sequence
10   <a(abc)(ac)d(cf)>
20   <(ad)c(bc)(ae)>
30   <(ef)(ab)(df)cb>
40   <eg(af)cbc>
Transaction database (unordered itemsets, as used in frequent itemset mining):
TID  itemset
10   a, b, d
20   a, c, d
30   a, d, e
40   b, e, f
6. Sample FTP Flow
Welcome to Microsoft FTP Server 3.4
USER anonymous
331 Guest login ok, send your complete e-mail address as password.
PASS <password>
230 Guest login ok, access restrictions apply.
TYPE I
200 Type set to I.
CWD xfig
250 CWD command successful.
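The following is an added worked example, not code from the deck or its author. It implements a simplified, level-wise GSP (sequence extension only: every pattern element is a single item, with no itemset extension and no time-window constraints), mines the sequence database from slide 4, then mines a small set of constructed FTP command flows like the one on slide 6 and scores each flow by how much of the longest mined session template it reproduces. The FTP flows, the `template_score` heuristic and all function names are my own assumptions; the slide-4 database is copied as is.

```python
"""Simplified GSP-style sequential pattern mining, applied to the slide's
sequence database and to constructed FTP command flows (added example)."""
from typing import Dict, FrozenSet, List, Sequence, Tuple

Element = FrozenSet[str]          # one unordered set of items (slide 4)
Seq = List[Element]               # one ordered data sequence
Pattern = Tuple[str, ...]         # mined pattern: one item per element


def parse_slide_seq(text: str) -> Seq:
    """Parse the slide notation, e.g. <a(abc)(ac)d(cf)>: a bare letter is a
    one-item element, a parenthesised group is one unordered element."""
    body = text.strip().strip("<>")
    seq: Seq = []
    i = 0
    while i < len(body):
        if body[i] == "(":
            close = body.index(")", i)
            seq.append(frozenset(body[i + 1:close]))
            i = close + 1
        else:
            seq.append(frozenset(body[i]))
            i += 1
    return seq


def as_elements(pattern: Pattern) -> List[Element]:
    return [frozenset([item]) for item in pattern]


def contains(pattern: Sequence[Element], seq: Seq) -> bool:
    """Subsequence test with itemset matching: each pattern element must be a
    subset of a data element that comes after the previous match. Greedy
    leftmost matching is sufficient for plain subsequence containment."""
    pos = 0
    for pel in pattern:
        while pos < len(seq) and not pel <= seq[pos]:
            pos += 1
        if pos == len(seq):
            return False
        pos += 1
    return True


def support(pattern: Sequence[Element], db: List[Seq]) -> int:
    return sum(1 for seq in db if contains(pattern, seq))


def gsp(db: List[Seq], min_support: int) -> Dict[Pattern, int]:
    """Level-wise GSP restricted to sequence extension (assumption: each
    pattern element is a single item). Length-k candidates are joined from
    frequent (k-1)-patterns whose overlap matches, Apriori-pruned, then
    support-counted against the database."""
    items = sorted({item for seq in db for el in seq for item in el})
    frequent: Dict[Pattern, int] = {}
    level: List[Pattern] = []
    for item in items:
        sup = support(as_elements((item,)), db)
        if sup >= min_support:
            frequent[(item,)] = sup
            level.append((item,))
    while level:
        prev = set(level)
        candidates = {s1 + (s2[-1],) for s1 in level for s2 in level
                      if s1[1:] == s2[:-1]}
        level = []
        for cand in sorted(candidates):
            # Apriori prune: dropping any one item must leave a frequent pattern
            if any(cand[:i] + cand[i + 1:] not in prev for i in range(len(cand))):
                continue
            sup = support(as_elements(cand), db)
            if sup >= min_support:
                frequent[cand] = sup
                level.append(cand)
    return frequent


def template_score(flow: Seq, frequent: Dict[Pattern, int]) -> float:
    """Heuristic (my assumption): length of the longest frequent pattern the
    flow contains, divided by the length of the longest mined pattern. A low
    score marks a flow that does not follow the common session shape."""
    longest = max(len(p) for p in frequent)
    best = max((len(p) for p in frequent if contains(as_elements(p), flow)), default=0)
    return best / longest


# Sequence database exactly as on slide 4.
SLIDE_DB = [parse_slide_seq(s) for s in
            ["<a(abc)(ac)d(cf)>", "<(ad)c(bc)(ae)>", "<(ef)(ab)(df)cb>", "<eg(af)cbc>"]]

# Constructed FTP flows (client commands only, one flow per line); the last
# one does not follow the usual login / directory / retrieve / quit shape.
FTP_DB = [[frozenset([c]) for c in flow.split()] for flow in [
    "USER PASS TYPE CWD LIST RETR QUIT",
    "USER PASS CWD LIST RETR QUIT",
    "USER PASS TYPE CWD RETR QUIT",
    "USER PASS CWD RETR RETR QUIT",
    "USER PASS PORT RETR PORT RETR PORT RETR",
]]

if __name__ == "__main__":
    for pat, sup in sorted(gsp(SLIDE_DB, 2).items(), key=lambda kv: (len(kv[0]), kv[0])):
        print("slide DB pattern", "".join(pat), "support", sup)
    ftp_patterns = gsp(FTP_DB, 3)
    for i, flow in enumerate(FTP_DB):
        print(f"flow {i}: template score {template_score(flow, ftp_patterns):.2f}")
```

With a minimum support of 3 over the five constructed flows, the mined patterns are exactly the ordered sub-chains of USER, PASS, CWD, RETR, QUIT; the first four flows contain the whole chain, while the fifth only contains USER, PASS, RETR and so scores 0.6. On real FTP traffic the same loop would be run over flows reassembled from the control channel, and the minimum support would be chosen as a fraction of the number of flows.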