トラフィック特徴量の時系列データにおける相関特性を用いた変化点からの異常検出

Transcript

1. 1/29 B

2. 2/29 ⇒

3. 3/29 IDS( ) ⇒ ⇒

4. 4/29 ↓ ▪ ⇒ ⇒

5. 5/29 DoS ⇒

6. 6/29 [4] ChangeFinder ⇒ ⇒ DoS [4] J. Takeuchi and

   K. Yamanishi, “A Unifying Framework for Detecting Outliers and Change Points from Time Series,” IEEE transactions on Knowledge and Data Engineering, pp.482-492, 2006.

7. 7/29

8. 8/29

9. 9/29 ▪ ⇒ [ 1] HTTP ⇒ ⇒ [ 2]

   ⇒ ⇒

10. 10/29 ▪ ⇒ 1 2 ⇒ 3 ⇒

11. 11/29 (A) (A) (B) ▪ A B IP IP ⇒

    DoS

12. 12/29 DoS ▪ DoS HTTP IP ⇒ ⇒ DoS ⇒

13. 13/29 ( ) IP. > IP. : ( ) 00:37:07

    IP 172.16.114.50.http > 206.48.44.50.2222: . ack 5841 win 32120 00:37:17 IP 172.16.114.50.http > 206.48.44.90.2313: . ack 2921 win 32120 00:37:25 IP 206.48.44.40.2222 > 172.16.114.30.http: . (256) ack 8192 win 31744 00:37:25 IP 206.48.44.50.2222 > 172.16.114.40.http: . (1320) ack 8192 win 31744 00:37:38 IP 206.48.44.60.2222 > 172.16.114.70.http: . (156) ack 8192 win 31744 00:37:49 IP 206.48.44.90.2313 > 172.16.114.50.http: . (1460) ack 8192 win 31744 00:37:58 IP 206.48.44.90.2313 > 172.16.114.50.http: . (1460) ack 8192 win 31744 [ ] = 7 7 4 5 [ = ⇒ HTTP [ ] = 4 [ ] = 5 ⇒ DoS 1

14. 14/29 ( DoS ) IP. > IP. : ( )

    00:38:07 IP 172.16.114.50.http > 206.48.44.50.2222: . ack 5841 win 32120 00:38:17 IP 172.16.114.50.http > 206.48.44.90.2313: . ack 2921 win 32120 00:38:25 IP 206.48.44.50.2222 > 172.16.114.50.http: . (320) ack 8192 win 31744 00:38:25 IP 206.48.44.50.2222 > 172.16.114.50.http: . (320) ack 8192 win 31744 00:38:38 IP 206.48.44.50.2222 > 172.16.114.50.http: . (320) ack 8192 win 31744 00:38:49 IP 206.48.44.90.2313 > 172.16.114.50.http: . (320) ack 8192 win 31744 00:38:58 IP 206.48.44.90.2313 > 172.16.114.50.http: . (320) ack 8192 win 31744 [ ] = 7 7 5 [ = ⇒ HTTP [ ] = 1 [ ] = 5 ⇒ DoS ⇒ ⇒

15. 15/29 ▪ ⇒ ⇒ [ 1] IP [ 2]

16. 16/29 FIN ACK FIN ACK ACK FIN ACK FIN SYN

    ACK( ) SYN( ) ACK SYN ACK SYN FIN 3way-handshake

17. 17/29 SYN ACK( ) SYN( ) RST SYN FIN SYN

    FIN

18. 18/29 SYN FIN ⇒ ⇒ 1 SYN FIN

19. 19/29 ▪ ( )( ) ( ) ( ) ∑

    ∑ ∑ = = = − − − − N i i N i i N i i i y y x x y y x x 1 2 1 2 1 N ⇒ 1 ( ) ( ) { }( ) N i y x y x i i . , 2 , 1 , , L = = y x, : N ※

20. 20/29 ChangeFinder[4] 1 T ⇒ T ⇒ T t x

    t x t x

21. 21/29 ChangeFinder[4] 2 1 t x t x 2 ⇒

22. 22/29

23. 23/29 ▪MIT LINCOLN IDS IDS Week5 Tuesday (tcpdump ) -

    HTTP DoS 1 - HTTP DoS 211 795 - 616 N = 20 - [ 1] HTTP DoS ⇒ DoS ⇒ [ ] - [ 2] SYN FIN ⇒

24. 24/29 (1) 0 10000 20000 30000 40000 50000 60000 70000

    80000 1 101 201 301 401 501 601 701 801 minute packet_count 0 5 10 15 20 25 CF_score packet_80 CF_score 0 10000 20000 30000 40000 50000 60000 70000 80000 1 101 201 301 401 501 601 701 801 minute packet_count 0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 CF_score packet_80 CF_score ▪ HTTP DoS DoS ◦ ◦ ◦ × ⇒ DoS ⇒ HTTP

25. 25/29 (2) – 0 500 1000 1500 2000 2500 3000

    3500 4000 4500 5000 1 101 201 301 401 501 601 701 801 minute packet_count 0 5 10 15 20 25 30 CF_score syn_packet CF_score 0 100 200 300 400 500 600 700 1 101 201 301 401 501 601 701 801 minute packet_count 0 5 10 15 20 25 30 CF_score fin_packet CF_score SYN FIN DoS DoS

26. 26/29 (2) – 0 1 2 3 4 5 6

    7 8 1 101 201 301 401 501 601 701 801 minute CF_score syn_fin_correl DoS DoS DoS

27. 27/29

28. 28/29 ▪ ⇒ ⇒ ▪ ⇒

29. 29/29 ▪ ⇒ 0 ⇒ ▪ ⇒ ⇒ ⇒ ▪

    ⇒ ⇒