Capturing Malicious Bots
Using a Beneficial Bot and
          Wiki
 Takashi Yamanoue, Kentaro Oda,
        Koichi Shimozono
      Kagoshima University
Contents

•   Introduction
•   Implementation
•   Usage Example
•   Related Research
•   Concluding Remarks
Introduction

• A bot
  – runs automated tasks over the Internet.
  – usually a malicious application
  – controlled by a malicious herder
• Herder
  – the master of the bot
Introduction

• Many recent viruses
  – are used for recruiting a host into a botnet
• Botnet
  – is a collection of malicious bots.
• Malicious bots in a campus LAN
  – leak private information of students and
    research secrets
  – spam other people
  – attack other web sites via DDoS.
Introduction

• A campus with malicious
  bots
  – may be considered to be
   engaging in criminal activity.
Introduction

• The manager of the campus LAN
  – has to be careful about malicious bots and
    remove the bot quickly when found
Introduction

• A fire-wall
  and a Network Address Translation (NAT)
  – enhance network security of a LAN.
Introduction

• NAT or fire-wall
  – defend the LAN against
    intrusion of a malicious bot.
  – like a house protected
    by a door with a key.
  – Only permitted IP packets may pass through
    the fire-wall or the NAT
  – much like only people who have the key may
    pass through the door of the house.
Introduction

• When a host in the sub-LAN is
  compromised by a malicious bot
  – it is hard to identify the compromised host
    from the outside of the LAN, much like it is
    hard to find a robber who is hidden in the
    house or the building.
  – DHCP and IPv6 with privacy address
    extension (RFC 3041) also make it difficult:
    the IP address is changed dynamically.
Introduction

• A campus’s LAN
     – a central network infrastructure + sub-LANs.
• Some sub-LANs
     – may be protected by a fire-wall or a NAT.
  [Figure: The Internet connected to the Central Network Infrastructure, which connects several Sub-LANs]
Introduction

• Network managers sometimes have to
  find out bots which are hidden in such
  protected sub-LANs.
Introduction

• One way to realize this is to prohibit use
  of a fire-wall or a NAT for a sub-LAN.
Introduction

• It is easy to define the rule, but unrealistic
  because broadband routers with fire-wall
  or NAT function are so common.


  Laws are made to be
  broken
Introduction

• When malicious communication between
  a bot in a protected sub-LAN and another
  host on the outside is discovered by the
  manager of the central network
  infrastructure (or the central manager),
Introduction

• the central manager usually directs the
  manager of the sub-LAN to disconnect
  the sub-LAN from the central network
  infrastructure immediately.

Introduction

• The sub-manager inspects all PCs in the
  sub-LAN using anti-virus software.


Introduction

• Cannot always find the bot because
  – anti-virus software cannot detect 0-day attacks,
  – the central manager cannot observe the
    malicious communication inside the sub-LAN.
Introduction

• Sometimes the central manager would
  like to monitor sub-LANs in order to find
  the compromised host. The compromised
  host should be found as quickly as
  possible.
Introduction

• The central manager can monitor the
  sub-LAN by re-configuring the LAN.
Introduction

• However, such re-configuration without
  care may cause serious trouble, e.g. a
  network loop.
  – Such re-configuration usually takes a long
    time.
Introduction


• The manager should
  have an easy and fast
  way to monitor and
  control sub-LANs.
Introduction

• We have made a network security
  controlling system which uses
  – a remote security device and
  – a web site with wiki software.
    (PukiWiki)
Introduction

• The device can be deployed fast and
  easily because it is portable.
Introduction

• The central manager can monitor and
  control the sub-LAN behind a fire-wall or
  a NAT easily from a web site with
  common wiki software, using the remote
  security device.
Introduction

• The remote security device is a kind of
  bot which is controlled by the central
  manager.
Introduction

• The device can do the following:
  – Monitor traffic between hosts in the sub-LAN
    and outside hosts.

  – Filter out malicious packets of the traffic.
Introduction

– Intercept DNS query packets from the
  suspicious host and return the IP address of
  a fake host which impersonates the herder’s
  host.

– Impersonate the herder’s host, for example by
  returning a fake SYN-ACK packet in reply to
  the SYN packet from the suspicious host.
Introduction
  [Figure: system overview. Labels: Fire-Wall, IDS, The Internet, Organization’s Central Network Infrastructure, The Wiki Site, Portable Remote Security Device, NAT or Router, Virus Infected Host, Original Connection, This Security Controlling System, Sub-LAN, Auxiliary Switch, Auxiliary Wi-Fi AP]
Implementation

[Figure: Portable Remote Security Device]
Implementation
• Filter/Controller
  – If the packet matches a “select pattern”,
     • pass the packet through (from one DAQ to
       another DAQ) and
     • send the frame information of the packet to
       the wiki access engine with the status.
  – If the packet matches a “drop pattern”,
     • do not pass the packet through, and send the
       frame information of the packet to the wiki
       access engine with the status.
  – If the packet matches a “forward pattern”,
     • replace the destination IP address and destination
       port with the IP address and port of a pseudo
       application on a pseudo host, and pass the rewritten
       packet to the other DAQ.
     • Send the frame information of the original
       packet to the wiki access engine with the status.
  – Sends a packet to one of the bridges from
    one of the DAQs. The packet sent is one
    of the following.
     • The pseudo SYN-ACK packet replying to a SYN packet
       among the dropped packets.
     • The pseudo DNS answer packet replying to a DNS query
       packet.
Usage Example
Booting and Setting
Usage Example
 Monitoring and
  Controlling
Usage Example
 Monitoring and
  Controlling
Usage Example
Commands and Results

• get ip=<IP address>
• get startsWith <String constant>
  – Ex. “PING”, “PONG”, “NIC” , “USER” for IRC.


• lan2wan drop ip=<IP address>
• wan2lan drop ip=<IP address>
Usage Example
Commands and Results

• lan2wan return-syn-ack ip=<IP address>
• lan2wan forward ip=<IP address 1> to <IP address 2>:<Port>
• lan2wan dns-intercept ip=<IP address 1> to <IP address 2>
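As an added example (not the authors’ TrafficController code), the following Python models the Filter/Controller from the Implementation slides driven by the command lines listed under Commands and Results: each wiki line becomes a select, drop, forward, return-syn-ack or dns-intercept rule, the first matching rule decides what happens to a frame, and every reported frame is appended to a wiki_log stand-in for the wiki access engine. The Packet fields, the first-match order, reading ip= as either endpoint of the frame, and the contents of the pseudo replies are assumptions; the addresses, MACs and payloads are constructed.

```python
import re
from dataclasses import dataclass, replace
@dataclass
class Packet:                 # minimal frame model, constructed here (not the device's real DAQ format)
    direction: str            # 'lan2wan' or 'wan2lan'
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str                # 'tcp' or 'udp'
    syn: bool = False
    payload: bytes = b''

@dataclass
class Rule:                   # one pattern parsed from a wiki command line
    direction: str            # 'lan2wan', 'wan2lan', or 'any' for the direction-less 'get'
    action: str               # 'select', 'drop', 'forward', 'return-syn-ack', 'dns-intercept'
    ip: str = None
    prefix: bytes = None
    to_ip: str = None
    to_port: int = None

CMD = re.compile(r'^(?:(lan2wan|wan2lan)\s+)?(get|drop|return-syn-ack|forward|dns-intercept)\s+(.+)$')
def parse_command(line):
    """Parse one command line from the wiki page; None for blank or unrecognised lines."""
    m = CMD.match(line.strip())
    if not m:
        return None
    direction, verb, rest = m.group(1) or 'any', m.group(2), m.group(3)
    rule = Rule(direction=direction, action='select' if verb == 'get' else verb)
    if rest.startswith('startsWith '):
        # Accept a bare or quoted constant (the slides show "PING", "PONG", "USER" for IRC).
        rule.prefix = rest[len('startsWith '):].strip().strip('"\u201c\u201d').encode()
        return rule
    m2 = re.match(r'ip=(\S+)(?:\s+to\s+(\S+))?$', rest)
    if not m2:
        return None
    rule.ip = m2.group(1)
    if m2.group(2):                                   # forward / dns-intercept target
        to_ip, _, to_port = m2.group(2).partition(':')
        rule.to_ip, rule.to_port = to_ip, (int(to_port) if to_port else None)
    return rule

def matches(rule, pkt):
    """Assumption: ip= names either endpoint of the frame; startsWith tests the payload prefix."""
    if rule.direction not in ('any', pkt.direction):
        return False
    if rule.ip is not None and rule.ip not in (pkt.src_ip, pkt.dst_ip):
        return False
    return rule.prefix is None or pkt.payload.startswith(rule.prefix)

def pseudo_reply(pkt, payload):   # frame injected on the LAN-side bridge, pretending to be the remote host
    return Packet('wan2lan', 'device', pkt.dst_ip, pkt.src_ip, 0, pkt.proto, payload=payload)

class FilterController:
    def __init__(self, commands):
        self.rules = [r for r in map(parse_command, commands) if r is not None]
        self.wiki_log = []                            # stand-in for the wiki access engine
    def report(self, pkt, status):
        self.wiki_log.append(f'{status} {pkt.direction} mac={pkt.src_mac} '
                             f'{pkt.src_ip}->{pkt.dst_ip}:{pkt.dst_port}/{pkt.proto}')

    def process(self, pkt):
        """First matching rule wins. ('pass', frame) goes to the other DAQ; ('emit', frame) is a pseudo reply."""
        rule = next((r for r in self.rules if matches(r, pkt)), None)
        if rule is None:
            return [('pass', pkt)]                    # no pattern matched: bridge silently
        if rule.action == 'drop':
            self.report(pkt, 'drop')
            return []
        if rule.action == 'forward':                  # rewrite destination to the pseudo application
            self.report(pkt, 'forward')
            return [('pass', replace(pkt, dst_ip=rule.to_ip, dst_port=rule.to_port or pkt.dst_port))]
        if rule.action == 'return-syn-ack':           # swallow the SYN, answer as if the herder replied
            self.report(pkt, 'drop')
            return [('emit', pseudo_reply(pkt, b'SYN-ACK'))] if pkt.proto == 'tcp' and pkt.syn else []
        if rule.action == 'dns-intercept' and pkt.proto == 'udp' and pkt.dst_port == 53:
            self.report(pkt, 'dns-intercept')         # answer the query with the fake host's address
            return [('emit', pseudo_reply(pkt, b'A ' + rule.to_ip.encode()))]
        if rule.action == 'select':                   # (a dns-intercept rule on a non-DNS frame just bridges)
            self.report(pkt, 'select')
        return [('pass', pkt)]

def demo():
    """Constructed wiki page and traffic (RFC 5737 documentation addresses, made-up MACs)."""
    fc = FilterController(['lan2wan drop ip=192.0.2.10', 'get startsWith "NICK"',
                           'lan2wan dns-intercept ip=192.0.2.11 to 192.0.2.200',
                           'lan2wan return-syn-ack ip=192.0.2.12', 'lan2wan forward ip=192.0.2.13 to 192.0.2.201:23'])
    def lan(host, dst, port, proto, **kw):            # frame from a LAN host toward the WAN
        return Packet('lan2wan', 'aa:bb:cc:00:00:' + host[-2:], host, dst, port, proto, **kw)
    out = {
        'drop':   fc.process(lan('192.0.2.10', '198.51.100.5', 6667, 'tcp', payload=b'NICK bot1')),
        'select': fc.process(lan('192.0.2.14', '198.51.100.5', 6667, 'tcp', payload=b'NICK bot2')),
        'dns':    fc.process(lan('192.0.2.11', '198.51.100.53', 53, 'udp', payload=b'Q irc.example')),
        'synack': fc.process(lan('192.0.2.12', '198.51.100.7', 443, 'tcp', syn=True)),
        'fwd':    fc.process(lan('192.0.2.13', '198.51.100.9', 8080, 'tcp', payload=b'hello')),
    }
    return out, fc.wiki_log
```

Each wiki_log line carries the source MAC, which is what the slides say the device writes back so the sub-manager can find the host even when its IP address changes.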
Usage Example
Responding Infection

• The central manager identifies the
  suspicious sub-LAN using an IDS, a
  firewall, or a managed security monitoring
  service.
Usage Example
Responding Infection

• The central manager asks the sub-
  manager of the sub-LAN to disconnect
  the NAT or router of the sub-LAN from
  the central network infrastructure.

Usage Example
Responding Infection

• The central manager writes commands
  on the wiki page to capture and filter out
  the suspicious packets. The manager
  configures the remote security device to
  connect the device to the wiki page.
Usage Example
Responding Infection

• The central manager sends the portable
  sensor device to the sub-manager
  – after the sub-manager agrees on the need
    to identify the suspicious host.
• The sub-manager connects the remote
  security device to the sub-LAN and starts
  it.
Usage Example
Responding Infection

• The remote security device reads the
  commands on the wiki page periodically.
• When the device detects suspicious
  packets, the device drops the packets and
  writes the information of the packets, with
  the MAC address of the suspicious host in
  the sub-LAN, on the wiki page.
Usage Example
Responding Infection

• The central manager confirms the
  information of the suspicious packets on
  the wiki page, and if the manager judges
  the packets to be malicious,
• the central manager asks the sub-
  manager to disconnect the host from that
  sub-LAN.
Usage Example
Responding Infection
• If the central manager wants a deeper
  analysis of the traffic, the manager can
  prepare a telnet server and write
  commands on the wiki page for forwarding
  the packets from the suspicious host to
  the telnet server.
Usage Example
Responding Infection

• When a suspicious packet is forwarded to
  the telnet server, the central manager can
  see the contents of the packet and can
  respond to the packet from the telnet
  server.
Usage Example
Responding Infection

• When the sub-manager cannot identify
  the suspicious host, the central manager
  writes on the wiki page the command
  which transfers packets from the host to a
  notification web server.
Usage Example
Responding Infection

• The notification web server
  – notifies the user of the suspicious host that
    the host is suspicious and asks the user of
    the host to call the sub-manager.

• The sub-manager
  – disconnects the suspicious host.
Related research

•   Security Monitoring System
•   Snort
•   Observing MAC address at the WAN side
•   Unix device with two NICs
•   KASEYA and UNIFAS
Concluding Remarks

•   Bot for Bot
•   An Easy way of incident response
•   Wiki
•   Not yet stable enough for real use
    – Hope to have your support and assistance
    – https://github.com/takashiyamanoue/TrafficController
• Should not turn to the dark side.
• Masato Masuya, Takashi Yamanoue,
  Shinichiro Kubota,
  "An Experience of Monitoring University
  Network Security Using a Commercial
  Service and DIY Monitoring",
  Proceedings of the 34th annual ACM
  SIGUCCS conference on User services,
  pp. 225-230, Edmonton, Alberta, Canada,
  5-8 Nov. 2006.
Capturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wiki

More Related Content

What's hot

Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDN
Vishal Vasudev
 
Linux Security Quick Reference Guide
Linux Security Quick Reference GuideLinux Security Quick Reference Guide
Linux Security Quick Reference Guide
wensheng wei
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
Dan Kaminsky
 

What's hot (20)

DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?
 
IX 2020 - Internet Security & Mitigation of Risk Webinar: Linux Malware and D...
IX 2020 - Internet Security & Mitigation of Risk Webinar: Linux Malware and D...IX 2020 - Internet Security & Mitigation of Risk Webinar: Linux Malware and D...
IX 2020 - Internet Security & Mitigation of Risk Webinar: Linux Malware and D...
 
After School cyber security class slides - Pat
After School cyber security class slides - PatAfter School cyber security class slides - Pat
After School cyber security class slides - Pat
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
 
IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
 
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially ...
 
Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDN
 
Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5Protection and Visibitlity of Encrypted Traffic by F5
Protection and Visibitlity of Encrypted Traffic by F5
 
Zhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today siteZhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today site
 
Linux Security Quick Reference Guide
Linux Security Quick Reference GuideLinux Security Quick Reference Guide
Linux Security Quick Reference Guide
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
Intro to firewalls
Intro to firewallsIntro to firewalls
Intro to firewalls
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
 

Viewers also liked

An Inter-Wiki Page Data Processor for a M2M System @Matsue, 1sep., Eskm2013
An Inter-Wiki Page Data Processor for a M2M System  @Matsue, 1sep., Eskm2013An Inter-Wiki Page Data Processor for a M2M System  @Matsue, 1sep., Eskm2013
An Inter-Wiki Page Data Processor for a M2M System @Matsue, 1sep., Eskm2013
Takashi Yamanoue
 
ソーシャルXとP2Pと情報倫理 情報処理学会MBL研究会第60回招待講演
ソーシャルXとP2Pと情報倫理 情報処理学会MBL研究会第60回招待講演ソーシャルXとP2Pと情報倫理 情報処理学会MBL研究会第60回招待講演
ソーシャルXとP2Pと情報倫理 情報処理学会MBL研究会第60回招待講演
Takashi Yamanoue
 
Xilinx ISE で Digilent Atlys ボードの回路を作成する手順
Xilinx ISE で Digilent Atlys ボードの回路を作成する手順Xilinx ISE で Digilent Atlys ボードの回路を作成する手順
Xilinx ISE で Digilent Atlys ボードの回路を作成する手順
Takashi Yamanoue
 
Wiki と携帯型遠隔操作機器を使った情報セキュリティ対策システム
Wiki と携帯型遠隔操作機器を使った情報セキュリティ対策システムWiki と携帯型遠隔操作機器を使った情報セキュリティ対策システム
Wiki と携帯型遠隔操作機器を使った情報セキュリティ対策システム
Takashi Yamanoue
 

Viewers also liked (20)

A Wearable LED Matrix Sign System@ACM SIGUCCS2015
A Wearable LED Matrix Sign System@ACM SIGUCCS2015A Wearable LED Matrix Sign System@ACM SIGUCCS2015
A Wearable LED Matrix Sign System@ACM SIGUCCS2015
 
An Inter-Wiki Page Data Processor for a M2M System @Matsue, 1sep., Eskm2013
An Inter-Wiki Page Data Processor for a M2M System  @Matsue, 1sep., Eskm2013An Inter-Wiki Page Data Processor for a M2M System  @Matsue, 1sep., Eskm2013
An Inter-Wiki Page Data Processor for a M2M System @Matsue, 1sep., Eskm2013
 
【オンプレミスとの組み合わせに効く】AWSのマネージドサービスつまみ食い10品
【オンプレミスとの組み合わせに効く】AWSのマネージドサービスつまみ食い10品【オンプレミスとの組み合わせに効く】AWSのマネージドサービスつまみ食い10品
【オンプレミスとの組み合わせに効く】AWSのマネージドサービスつまみ食い10品
 
Dicomo 2013, デスクトップ画像共有システムのための、トーナメントアルゴリズムを使った負荷分散機構
Dicomo 2013, デスクトップ画像共有システムのための、トーナメントアルゴリズムを使った負荷分散機構Dicomo 2013, デスクトップ画像共有システムのための、トーナメントアルゴリズムを使った負荷分散機構
Dicomo 2013, デスクトップ画像共有システムのための、トーナメントアルゴリズムを使った負荷分散機構
 
A M2M system using Arduino, Android and Wiki Software
A M2M system using Arduino, Android and Wiki SoftwareA M2M system using Arduino, Android and Wiki Software
A M2M system using Arduino, Android and Wiki Software
 
A Sensor Network System using Arduino, Android and Wiki
A Sensor Network System using Arduino, Android and WikiA Sensor Network System using Arduino, Android and Wiki
A Sensor Network System using Arduino, Android and Wiki
 
ロボットを作って動かしてみよう
ロボットを作って動かしてみようロボットを作って動かしてみよう
ロボットを作って動かしてみよう
 
ソーシャルXとP2Pと情報倫理 情報処理学会MBL研究会第60回招待講演
ソーシャルXとP2Pと情報倫理 情報処理学会MBL研究会第60回招待講演ソーシャルXとP2Pと情報倫理 情報処理学会MBL研究会第60回招待講演
ソーシャルXとP2Pと情報倫理 情報処理学会MBL研究会第60回招待講演
 
Optimizing Data Partitioning at Broadcasting the Data
Optimizing Data Partitioning at Broadcasting the DataOptimizing Data Partitioning at Broadcasting the Data
Optimizing Data Partitioning at Broadcasting the Data
 
BotとWikiを使った試験的な並列プログラミング
BotとWikiを使った試験的な並列プログラミングBotとWikiを使った試験的な並列プログラミング
BotとWikiを使った試験的な並列プログラミング
 
Siguccs20101026
Siguccs20101026Siguccs20101026
Siguccs20101026
 
A Casual Teaching Tool for Large Size Computer Laboratories ans Small Size Se...
A Casual Teaching Tool for Large Size Computer Laboratories ans Small Size Se...A Casual Teaching Tool for Large Size Computer Laboratories ans Small Size Se...
A Casual Teaching Tool for Large Size Computer Laboratories ans Small Size Se...
 
Xilinx ISE で Digilent Atlys ボードの回路を作成する手順
Xilinx ISE で Digilent Atlys ボードの回路を作成する手順Xilinx ISE で Digilent Atlys ボードの回路を作成する手順
Xilinx ISE で Digilent Atlys ボードの回路を作成する手順
 
Realizing a Practical Teleportation System
Realizing a Practical Teleportation System  Realizing a Practical Teleportation System
Realizing a Practical Teleportation System
 
A Technique to Assign an Appropriate Server to a Client, for a CDN Consists ...
A Technique to Assign an Appropriate Server to a Client, for a CDN Consists ...A Technique to Assign an Appropriate Server to a Client, for a CDN Consists ...
A Technique to Assign an Appropriate Server to a Client, for a CDN Consists ...
 
Wiki と携帯型遠隔操作機器を使った情報セキュリティ対策システム
Wiki と携帯型遠隔操作機器を使った情報セキュリティ対策システムWiki と携帯型遠隔操作機器を使った情報セキュリティ対策システム
Wiki と携帯型遠隔操作機器を使った情報セキュリティ対策システム
 
20150305
2015030520150305
20150305
 
テレポーテーションとコンパイラ
テレポーテーションとコンパイラテレポーテーションとコンパイラ
テレポーテーションとコンパイラ
 
TwitterとWikiを使った自動情報提示システム
TwitterとWikiを使った自動情報提示システムTwitterとWikiを使った自動情報提示システム
TwitterとWikiを使った自動情報提示システム
 
Portable Cloud Computing System – A System which Makes Everywhere an ICT Enh...
Portable Cloud Computing System – A System which Makes Everywhere an ICT Enh...Portable Cloud Computing System – A System which Makes Everywhere an ICT Enh...
Portable Cloud Computing System – A System which Makes Everywhere an ICT Enh...
 

Similar to Capturing Malicious Bots using a beneficial bot and wiki

Similar to Capturing Malicious Bots using a beneficial bot and wiki (20)

Simplifying openstack instances networking
Simplifying openstack instances networkingSimplifying openstack instances networking
Simplifying openstack instances networking
 
Module 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 PresentationModule 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 Presentation
 
Myles firewalls
Myles firewallsMyles firewalls
Myles firewalls
 
Netforce: extending neutron to support routed networks at scale in ebay
Netforce: extending neutron to support routed networks at scale in ebayNetforce: extending neutron to support routed networks at scale in ebay
Netforce: extending neutron to support routed networks at scale in ebay
 
Unified Threat Management
Unified Threat ManagementUnified Threat Management
Unified Threat Management
 
Divyanshu.pptx
Divyanshu.pptxDivyanshu.pptx
Divyanshu.pptx
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewalls
 
Network virtualization
Network virtualizationNetwork virtualization
Network virtualization
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
 
Wireless Penetration Testing
Wireless Penetration TestingWireless Penetration Testing
Wireless Penetration Testing
 
Monitoring a virtual network infrastructure - An IaaS perspective
Monitoring a virtual network infrastructure - An IaaS perspectiveMonitoring a virtual network infrastructure - An IaaS perspective
Monitoring a virtual network infrastructure - An IaaS perspective
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
Network security
 Network security Network security
Network security
 
VPN & FIREWALL
VPN & FIREWALLVPN & FIREWALL
VPN & FIREWALL
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)
 
firewall.ppt
firewall.pptfirewall.ppt
firewall.ppt
 
Demystifying Wireless Security Using Open Source Options
Demystifying Wireless Security Using Open Source OptionsDemystifying Wireless Security Using Open Source Options
Demystifying Wireless Security Using Open Source Options
 

More from Takashi Yamanoue

More from Takashi Yamanoue (20)

人が乗れる自動運転電気自動車作成中その4, -version up その1-
人が乗れる自動運転電気自動車作成中その4, -version up その1-人が乗れる自動運転電気自動車作成中その4, -version up その1-
人が乗れる自動運転電気自動車作成中その4, -version up その1-
 
シン3次元表示装置 ーその1ー
シン3次元表示装置 ーその1ーシン3次元表示装置 ーその1ー
シン3次元表示装置 ーその1ー
 
Wiki IoT/Bot Computingを使った顔ロボット群の制御
Wiki IoT/Bot Computingを使った顔ロボット群の制御Wiki IoT/Bot Computingを使った顔ロボット群の制御
Wiki IoT/Bot Computingを使った顔ロボット群の制御
 
IoTLT-Vol93-Wiki-IoT-20221117.pptx
IoTLT-Vol93-Wiki-IoT-20221117.pptxIoTLT-Vol93-Wiki-IoT-20221117.pptx
IoTLT-Vol93-Wiki-IoT-20221117.pptx
 
IoTLT-Vol92-Wiki-IoT-20221009-1.pptx
IoTLT-Vol92-Wiki-IoT-20221009-1.pptxIoTLT-Vol92-Wiki-IoT-20221009-1.pptx
IoTLT-Vol92-Wiki-IoT-20221009-1.pptx
 
人が乗れる 自動運転電気自動車作成中その3 -自動運転成功!-
人が乗れる自動運転電気自動車作成中その3 -自動運転成功!-人が乗れる自動運転電気自動車作成中その3 -自動運転成功!-
人が乗れる 自動運転電気自動車作成中その3 -自動運転成功!-
 
人が乗れる 自動運転 電気自動車 作成中!
人が乗れる 自動運転 電気自動車 作成中!人が乗れる 自動運転 電気自動車 作成中!
人が乗れる 自動運転 電気自動車 作成中!
 
着る電光掲示板の新機能  -場所に応じた情報の自動表示-
着る電光掲示板の新機能  -場所に応じた情報の自動表示-着る電光掲示板の新機能  -場所に応じた情報の自動表示-
着る電光掲示板の新機能  -場所に応じた情報の自動表示-
 
Real->Virtual変換システムの開発その1の2
Real->Virtual変換システムの開発その1の2Real->Virtual変換システムの開発その1の2
Real->Virtual変換システムの開発その1の2
 
Real->Virtual 変換システムの開発その1の1
Real->Virtual 変換システムの開発その1の1Real->Virtual 変換システムの開発その1の1
Real->Virtual 変換システムの開発その1の1
 
スマートフォンで操作する双方向型大型デジタルサイネージシステムの試作
スマートフォンで操作する双方向型大型デジタルサイネージシステムの試作スマートフォンで操作する双方向型大型デジタルサイネージシステムの試作
スマートフォンで操作する双方向型大型デジタルサイネージシステムの試作
 
Teleport dressor 20200524
Teleport dressor 20200524Teleport dressor 20200524
Teleport dressor 20200524
 
SeeThroughChameleonDress-on-the-way-ex1
SeeThroughChameleonDress-on-the-way-ex1SeeThroughChameleonDress-on-the-way-ex1
SeeThroughChameleonDress-on-the-way-ex1
 
PukiWiki と Raspberry Pi と Arduino を連携させてIoT システムを作ってみた話
PukiWiki と Raspberry Pi と Arduino を連携させてIoT システムを作ってみた話PukiWiki と Raspberry Pi と Arduino を連携させてIoT システムを作ってみた話
PukiWiki と Raspberry Pi と Arduino を連携させてIoT システムを作ってみた話
 
Zoomはぶっ飛ばせないけど... - Portable Cloud の紹介
Zoomはぶっ飛ばせないけど... - Portable Cloud の紹介Zoomはぶっ飛ばせないけど... - Portable Cloud の紹介
Zoomはぶっ飛ばせないけど... - Portable Cloud の紹介
 
trouble-with-mboed-os
trouble-with-mboed-ostrouble-with-mboed-os
trouble-with-mboed-os
 
簡便な大型幅広デジタルサイネージシステムとその自動運用システム
簡便な大型幅広デジタルサイネージシステムとその自動運用システム簡便な大型幅広デジタルサイネージシステムとその自動運用システム
簡便な大型幅広デジタルサイネージシステムとその自動運用システム
 
Wiki と Raspberry Pi と Arduino を組み合わせて作成した電気製品の自動運転・遠隔操作システム
Wiki と Raspberry Pi と Arduino を組み合わせて作成した電気製品の自動運転・遠隔操作システムWiki と Raspberry Pi と Arduino を組み合わせて作成した電気製品の自動運転・遠隔操作システム
Wiki と Raspberry Pi と Arduino を組み合わせて作成した電気製品の自動運転・遠隔操作システム
 
Bot Computing using the Power of Wiki Collaboration
Bot Computing using the Power of Wiki CollaborationBot Computing using the Power of Wiki Collaboration
Bot Computing using the Power of Wiki Collaboration
 
悪性Botnet包囲網のBotによるWannaCryのようなマルウェアの活動検知の試み
悪性Botnet包囲網のBotによるWannaCryのようなマルウェアの活動検知の試み悪性Botnet包囲網のBotによるWannaCryのようなマルウェアの活動検知の試み
悪性Botnet包囲網のBotによるWannaCryのようなマルウェアの活動検知の試み
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 

Capturing Malicious Bots using a beneficial bot and wiki

  • 1. Capturing Malicious Bots Using a Beneficial Bot and Wiki Takashi Yamanoue, Kentaro Oda, Koichi Shimozono Kagoshima University
  • 2. Contents • Introduction • Implementation • Usage Example • Related Research • Concluding Remarks
  • 3. Introduction • A bot – runs automated tasks over the Internet. – usually a malicious application – controlled by a malicious herder • Herder – the master of the bot
  • 4. Introduction • Many resent viruses • are used for recruiting a host into a botnet – Botnet • is a collection of malicious bots. – Malicious bots - in a campus LAN • Leak private information of students, research secrets • spam other people • attack other web sites via DDos.
  • 5. Introduction • A campus with malicious bots – may be considered to be engaging in criminal activity.
  • 6. Introduction • The manager of the campus LAN – has to be careful about malicious bots and remove the bot quickly when found
  • 7. Introduction • A fire-wall and a Network Address Translation (NAT) – enhance network security of a LAN.
  • 8. Introduction • NAT or fire-wall – defend the LAN against intrusion of a malicious bot. – like a house protected by a door with a key. – Only permitted IP packets may pass through the fire-wall or the NAT – much like only people who have the key may pass through the door of the house.
  • 10. Introduction • When a host in the sub-LAN is compromised by a malicious bot – it is hard to identify the compromised host from the outside of the LAN, much like it is hard to find a robber who is hidden in the house or the building. – DHCP and IPv6 with privacy address extension (RFC 3041) also make it difficult – the IP address is changed dynamically.
  • 12. Introduction • A campus’s LAN – a central network infrastructure + sub-LANs. • Some sub-LANs – may be protected by a fire-wall or a NAT. [Figure: the Internet, the central network infrastructure, and several sub-LANs]
  • 13. Introduction • Network managers sometimes have to find bots that are hidden in such protected sub-LANs.
  • 14. Introduction • One way to realize this is to prohibit use of a fire-wall or a NAT for a sub-LAN.
  • 15. Introduction • It is easy to define the rule, but unrealistic because broadband routers with fire-wall or NAT function are so common. Laws are made to be broken
  • 16. Introduction • When malicious communication between a bot in a protected sub-LAN and another host on the outside is discovered by the manager of the central network infrastructure (or the central manager),
  • 17. Introduction • the central manager usually directs the manager of the sub-LAN to disconnect the sub-LAN from the central network infrastructure immediately.
  • 18. Introduction • The sub-manager inspects all PCs in the sub-LAN using anti-virus software.
  • 19. Introduction • The bot cannot always be found because – anti-virus software cannot detect 0-day attacks, – the central manager cannot observe the malicious communication in the sub-LAN.
  • 20. Introduction • Sometimes, the central manager would like to monitor sub-LANs in order to find the compromised host. The compromised host should be found as quickly as possible.
  • 21. Introduction • The central manager can monitor the sub-LAN by re-configuring the LAN.
  • 22. Introduction • However, such re-configuration without care may cause serious trouble (e.g. a loop). – Such re-configuration usually takes a long time.
  • 23. Introduction • The manager should have an easy and fast way to monitor and control sub-LANs.
  • 24. Introduction • We have made a network security controlling system which uses – a remote security device and – a web site with wiki software. (PukiWiki)
  • 25. Introduction • The device can be deployed fast and easily because it is portable.
  • 26. Introduction • The central manager can monitor and control the sub-LAN behind a fire-wall or a NAT easily from a web site with common wiki software, using the remote security device.
  • 28. Introduction • The remote security device is a kind of bot which is controlled by the central manager.
  • 29. Introduction • The device can do the following: – Monitor traffic between hosts in the sub-LAN and outside hosts. – Filter out malicious packets of the traffic.
  • 30. Introduction – Intercept DNS query packets from the suspicious host and return the IP address of a fake host that impersonates the herder’s host. – Impersonate the herder’s host, e.g. by returning a fake SYN-ACK packet in response to the SYN packet from the suspicious host.
  • 31. Introduction [Figure: system overview. Labels: the Internet, fire-wall, IDS, the organization’s central network infrastructure, the wiki site, portable remote security device, NAT or router, original connection, this security controlling system, virus-infected host, sub-LAN, auxiliary switch, auxiliary Wi-Fi AP]
  • 34. • Filter/Controller – If the packet matches a “select pattern”, • pass the packet through (from one DAQ to another DAQ) and • send the information of the frame of the packet to the wiki access engine with the status. – If the packet matches a “drop pattern”, • do not pass the packet through, and send the information of the frame of the packet to the wiki access engine with the status.
  • 35. – If the packet matches a “forward pattern”, • replace the destination IP address and destination port with the IP address and port of a pseudo application on a pseudo host, and pass the rewritten packet to another DAQ. • Send the information of the frame of the original packet to the wiki access engine with the status.
  • 36. – Sends a packet to one of the bridges from one of the DAQs. The packet sent is one of the following. • The pseudo SYN-ACK packet in response to a SYN packet among the dropped packets. • The pseudo DNS answer packet in response to a DNS query packet.
  • 42. Usage Example Monitoring and Controlling
  • 43. Usage Example Monitoring and Controlling
  • 44. Usage Example Monitoring and Controlling
  • 45. Usage Example Commands and Results • get ip=<IP address> • get startsWith <String constant> – Ex. “PING”, “PONG”, “NIC” , “USER” for IRC. • lan2wan drop ip=<IP address> • wan2lan drop ip=<IP address>
  • 46. Usage Example Commands and Results • lan2wan return-syn-ack ip=<IP address> • lan2wan forward ip=<IP address 1> to <IP address 2>:<Port> • lan2wan dns-intercept ip=<IP address 1> to <IP address 2>
  • 48. Usage Example Responding Infection • The central manager identifies the suspicious sub-LAN by using an IDS, a firewall or a managed security monitoring service.
  • 49. Usage Example Responding Infection • The central manager asks the sub-manager of the sub-LAN to disconnect the NAT or router of the sub-LAN from the central network infrastructure.
  • 50. Usage Example Responding Infection • The central manager writes commands on the wiki page to capture and filter out the suspicious packets. The manager configures the remote security device so that the device connects to the wiki page.
  • 51. Usage Example Responding Infection • The central manager sends the portable sensor device to the sub-manager – after the sub-manager agrees with the need for identifying the suspicious host. • The sub-manager connects the remote security device to the sub-LAN and starts it.
  • 52. Usage Example Responding Infection • The remote security device reads the commands on the wiki page periodically. • When the device detects suspicious packets, the device drops the packets and writes information about the packets, with the MAC address of the suspicious host in the sub-LAN, on the wiki page.
  • 53. Usage Example Responding Infection • The central manager confirms the information about the suspicious packets on the wiki page, and if the manager judges the packets to be malicious, • the central manager asks the sub-manager to disconnect the host from that sub-LAN.
  • 54. Usage Example Responding Infection • If the central manager wants a deeper analysis of the traffic, the manager can prepare a telnet server and write commands on the wiki page for forwarding the packets from the suspicious host to the telnet server.
  • 55. Usage Example Responding Infection • When a suspicious packet is forwarded to the telnet server, the central manager can see the contents of the packet and can respond to the packet on the telnet server.
  • 56. Usage Example Responding Infection • When the sub-manager cannot identify the suspicious host, the central manager writes the command, which transfers packets from the host to a notification web server, on the wiki page.
  • 57. Usage Example Responding Infection • The notification web server – notifies the user of the suspicious host that the host is suspicious and asks the user of the host to call the sub-manager. • The sub-manager – disconnects the suspicious host,
  • 59. Related research • Security Monitoring System • Snort • Observing MAC address at the WAN side • Unix device with two NICs • KASEYA and UNIFAS
  • 60. Concluding Remarks • Bot for Bot • An easy way of incident response • Wiki • Not so stable now for real use – Hope to have your support and assistance, .. – https://github.com/takashiyamanoue/TrafficController • Should not turn into the dark side.
  • 61. • Masato Masuya, Takashi Yamanoue, Shinichiro Kubota, "An Experience of Monitoring University Network Security Using a Commercial Service and DIY Monitoring", Proceedings of the 34th annual ACM SIGUCCS conference on User services, pp. 225-230, Edmonton, Alberta, Canada, 5-8 Nov. 2006.
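The Filter/Controller rules of slides 34-36 and the wiki command grammar of slides 45-46, worked through as an added example that is not code from the authors' TrafficController project: a parser for command lines written the way the slides show them, and a first-match controller that returns, for a constructed packet, the verdict (pass, drop, forward to the pseudo host, or pseudo DNS answer) together with the status line the wiki access engine would write back. The packet dictionary fields, the exact regex grammar and the status-line format are assumptions made here.

```python
import re

# Hypothetical grammar for the wiki command lines on slides 45-46 (constructed for this example).
CMD_RE = re.compile(
    r"^(?:(?P<dir>lan2wan|wan2lan) )?(?P<act>get|drop|return-syn-ack|forward|dns-intercept) "
    r'(?:ip=(?P<ip>[\d.]+)|startsWith "(?P<prefix>[^"]*)")'
    r"(?: to (?P<to_ip>[\d.]+)(?::(?P<to_port>\d+))?)?$")

def parse_commands(wiki_text):
    """Turn the command lines read from the wiki page into rule dicts, in page order."""
    rules = []
    for line in wiki_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CMD_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised command: {line!r}")
        rules.append(m.groupdict())   # keys: dir, act, ip, prefix, to_ip, to_port
    return rules

def matches(rule, pkt):
    """A rule without a direction ("get") sees both directions; ip= names the LAN-side host."""
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["ip"]:
        lan_side = pkt["src"] if pkt["dir"] == "lan2wan" else pkt["dst"]
        return rule["ip"] == lan_side
    return pkt["payload"].startswith(rule["prefix"])

def control(rules, pkt):
    """First matching rule wins. Returns (verdict, status line written back to the wiki)."""
    frame = f"{pkt['dir']} {pkt['mac']} {pkt['src']}->{pkt['dst']}:{pkt['dport']}"
    for r in rules:
        if not matches(r, pkt):
            continue
        if r["act"] == "get":                 # select pattern: pass and report the frame
            return "pass", f"select {frame}"
        if r["act"] == "drop":                # drop pattern: block and report
            return "drop", f"drop {frame}"
        if r["act"] == "return-syn-ack":      # drop; a SYN gets a pseudo SYN-ACK back
            note = " pseudo-syn-ack" if pkt.get("syn") else ""
            return "drop", f"drop {frame}{note}"
        if r["act"] == "forward":             # forward pattern: rewrite dst to pseudo host
            verdict = ("forward", r["to_ip"], int(r["to_port"]))
            return verdict, f"forward {frame} to {r['to_ip']}:{r['to_port']}"
        if r["act"] == "dns-intercept" and pkt["dport"] == 53:   # pseudo DNS answer
            return ("dns-answer", r["to_ip"]), f"dns-intercept {frame} answer {r['to_ip']}"
    return "pass", None                       # nothing matched: pass without reporting
```

A dns-intercept rule that matches the host but not a DNS packet falls through to the next rule, so ordering the wiki commands from most to least specific keeps the forward and drop rules from shadowing it.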