トラフィック特徴量の時系列データにおける相関特性を用いた変化点からの異常検出

Transcript

1. 1.

   1/29 B

2. 2.

   2/29 ⇒

3. 3.

   3/29 IDS( ) ⇒ ⇒

4. 4.

   4/29 ↓ ▪ ⇒ ⇒

5. 5.

   5/29 DoS ⇒

6. 6.

   6/29 [4] ChangeFinder ⇒ ⇒ DoS [4] J. Takeuchi and

   K. Yamanishi, “A Unifying Framework for Detecting Outliers and Change Points from Time Series,” IEEE transactions on Knowledge and Data Engineering, pp.482-492, 2006.
7. 7.

   7/29

8. 8.

   8/29

9. 9.

   9/29 ▪ ⇒ [ 1] HTTP ⇒ ⇒ [ 2]

   ⇒ ⇒
10. 10.

    10/29 ▪ ⇒ 1 2 ⇒ 3 ⇒

11. 11.

    11/29 (A) (A) (B) ▪ A B IP IP ⇒

    DoS
12. 12.

    12/29 DoS ▪ DoS HTTP IP ⇒ ⇒ DoS ⇒

13. 13.

    13/29 ( ) IP. > IP. : ( ) 00:37:07

    IP 172.16.114.50.http > 206.48.44.50.2222: . ack 5841 win 32120 00:37:17 IP 172.16.114.50.http > 206.48.44.90.2313: . ack 2921 win 32120 00:37:25 IP 206.48.44.40.2222 > 172.16.114.30.http: . (256) ack 8192 win 31744 00:37:25 IP 206.48.44.50.2222 > 172.16.114.40.http: . (1320) ack 8192 win 31744 00:37:38 IP 206.48.44.60.2222 > 172.16.114.70.http: . (156) ack 8192 win 31744 00:37:49 IP 206.48.44.90.2313 > 172.16.114.50.http: . (1460) ack 8192 win 31744 00:37:58 IP 206.48.44.90.2313 > 172.16.114.50.http: . (1460) ack 8192 win 31744 [ ] = 7 7 4 5 [ = ⇒ HTTP [ ] = 4 [ ] = 5 ⇒ DoS 1
14. 14.

    14/29 ( DoS ) IP. > IP. : ( )

    00:38:07 IP 172.16.114.50.http > 206.48.44.50.2222: . ack 5841 win 32120 00:38:17 IP 172.16.114.50.http > 206.48.44.90.2313: . ack 2921 win 32120 00:38:25 IP 206.48.44.50.2222 > 172.16.114.50.http: . (320) ack 8192 win 31744 00:38:25 IP 206.48.44.50.2222 > 172.16.114.50.http: . (320) ack 8192 win 31744 00:38:38 IP 206.48.44.50.2222 > 172.16.114.50.http: . (320) ack 8192 win 31744 00:38:49 IP 206.48.44.90.2313 > 172.16.114.50.http: . (320) ack 8192 win 31744 00:38:58 IP 206.48.44.90.2313 > 172.16.114.50.http: . (320) ack 8192 win 31744 [ ] = 7 7 5 [ = ⇒ HTTP [ ] = 1 [ ] = 5 ⇒ DoS ⇒ ⇒
15. 15.

    15/29 ▪ ⇒ ⇒ [ 1] IP [ 2]

16. 16.

    16/29 FIN ACK FIN ACK ACK FIN ACK FIN SYN

    ACK( ) SYN( ) ACK SYN ACK SYN FIN 3way-handshake
17. 17.

    17/29 SYN ACK( ) SYN( ) RST SYN FIN SYN

    FIN
18. 18.

    18/29 SYN FIN ⇒ ⇒ 1 SYN FIN

19. 19.

    19/29 ▪ ( )( ) ( ) ( ) ∑

    ∑ ∑ = = = − − − − N i i N i i N i i i y y x x y y x x 1 2 1 2 1 N ⇒ 1 ( ) ( ) { }( ) N i y x y x i i . , 2 , 1 , , L = = y x, : N ※
20. 20.

    20/29 ChangeFinder[4] 1 T ⇒ T ⇒ T t x

    t x t x
21. 21.

    21/29 ChangeFinder[4] 2 1 t x t x 2 ⇒

22. 22.

    22/29

23. 23.

    23/29 ▪MIT LINCOLN IDS IDS Week5 Tuesday (tcpdump ) -

    HTTP DoS 1 - HTTP DoS 211 795 - 616 N = 20 - [ 1] HTTP DoS ⇒ DoS ⇒ [ ] - [ 2] SYN FIN ⇒
24. 24.

    24/29 (1) 0 10000 20000 30000 40000 50000 60000 70000

    80000 1 101 201 301 401 501 601 701 801 minute packet_count 0 5 10 15 20 25 CF_score packet_80 CF_score 0 10000 20000 30000 40000 50000 60000 70000 80000 1 101 201 301 401 501 601 701 801 minute packet_count 0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 CF_score packet_80 CF_score ▪ HTTP DoS DoS ◦ ◦ ◦ × ⇒ DoS ⇒ HTTP
25. 25.

    25/29 (2) – 0 500 1000 1500 2000 2500 3000

    3500 4000 4500 5000 1 101 201 301 401 501 601 701 801 minute packet_count 0 5 10 15 20 25 30 CF_score syn_packet CF_score 0 100 200 300 400 500 600 700 1 101 201 301 401 501 601 701 801 minute packet_count 0 5 10 15 20 25 30 CF_score fin_packet CF_score SYN FIN DoS DoS
26. 26.

    26/29 (2) – 0 1 2 3 4 5 6

    7 8 1 101 201 301 401 501 601 701 801 minute CF_score syn_fin_correl DoS DoS DoS
27. 27.

    27/29

28. 28.

    28/29 ▪ ⇒ ⇒ ▪ ⇒

29. 29.

    29/29 ▪ ⇒ 0 ⇒ ▪ ⇒ ⇒ ⇒ ▪

    ⇒ ⇒