Adaptable exploit detection through scalable NetFlow analysis

2016 Information Security for South Africa (ISSA) Pub Date : 2016-08-01 DOI:10.1109/ISSA.2016.7802938

Alan Herbert, B. Irwin

{"title":"Adaptable exploit detection through scalable NetFlow analysis","authors":"Alan Herbert, B. Irwin","doi":"10.1109/ISSA.2016.7802938","DOIUrl":null,"url":null,"abstract":"Full packet analysis on firewalls and intrusion detection, although effective, has been found in recent times to be detrimental to the overall performance of networks that receive large volumes of throughput. For this reason partial packet analysis technologies such as the NetFlow protocol have emerged to better mitigate these bottlenecks through log generation. This paper researches the use of log files generated by NetFlow version 9 and IPFIX to identify successful and unsuccessful exploit attacks commonly used by automated systems. These malicious communications include but are not limited to exploits that attack Microsoft RPC, Samba, NTP (Network Time Protocol) and IRC (Internet Relay Chat). These attacks are recreated through existing exploit implementations on Metasploit and through hand-crafted reconstructions of exploits via known documentation of vulnerabilities. These attacks are then monitored through a preconfigured virtual testbed containing gateways and network connections commonly found on the Internet. This common attack identification system is intended for insertion as a parallel module for Bolvedere in order to further the increase the Bolvedere system's attack detection capability.","PeriodicalId":330340,"journal":{"name":"2016 Information Security for South Africa (ISSA)","volume":"15 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 Information Security for South Africa (ISSA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISSA.2016.7802938","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Full packet analysis on firewalls and intrusion detection, although effective, has been found in recent times to be detrimental to the overall performance of networks that receive large volumes of throughput. For this reason partial packet analysis technologies such as the NetFlow protocol have emerged to better mitigate these bottlenecks through log generation. This paper researches the use of log files generated by NetFlow version 9 and IPFIX to identify successful and unsuccessful exploit attacks commonly used by automated systems. These malicious communications include but are not limited to exploits that attack Microsoft RPC, Samba, NTP (Network Time Protocol) and IRC (Internet Relay Chat). These attacks are recreated through existing exploit implementations on Metasploit and through hand-crafted reconstructions of exploits via known documentation of vulnerabilities. These attacks are then monitored through a preconfigured virtual testbed containing gateways and network connections commonly found on the Internet. This common attack identification system is intended for insertion as a parallel module for Bolvedere in order to further the increase the Bolvedere system's attack detection capability.

查看原文本刊更多论文

通过可扩展的NetFlow分析进行适应性漏洞检测

对防火墙和入侵检测进行全包分析虽然有效，但最近发现对接收大量吞吐量的网络的整体性能是有害的。因此，出现了诸如NetFlow协议之类的部分包分析技术，通过生成日志来更好地缓解这些瓶颈。本文研究了利用NetFlow version 9和IPFIX生成的日志文件来识别自动化系统常用的成功和不成功的漏洞利用攻击。这些恶意通信包括但不限于攻击Microsoft RPC、Samba、NTP(网络时间协议)和IRC(互联网中继聊天)的漏洞。这些攻击是通过Metasploit上现有的漏洞利用实现和通过已知漏洞文档手工重建的漏洞利用来重新创建的。然后通过预先配置的虚拟测试平台监视这些攻击，该测试平台包含Internet上常见的网关和网络连接。该通用攻击识别系统旨在作为Bolvedere的并行模块插入，以进一步提高Bolvedere系统的攻击检测能力。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2016 Information Security for South Africa (ISSA)

自引率

0.00%

发文量