Publication


Featured research published by Satoru Torii.


Journal of Information Processing | 2016

TOPASE: Detection and Prevention of Brute Force Attacks with Disciplined IPs from IDS Logs

Satomi Saito; Koji Maruhashi; Masahiko Takenaka; Satoru Torii

Brute force attacks are used to obtain pairs of user names and passwords illegally by using all existing pairs to login to network services. These are a major security threat faced by network service administrators. In general, to prevent brute force attacks, administrators can set limitations on the number of login trials and shut down the traffic of brute force attacks with an intrusion prevention system (IPS) at the entry point to their services. In recent years, stealthy brute force attacks that can avoid the security rules and IPS and intrusion detection system (IDS) detection have appeared. Attackers tend to arrange a large number of hosts and allocate them fewer login trials than the limitations administrators set. In this paper, we report a kind of distributed brute force attack event (brute force attacks with disciplined IPs, or DBF) against the Remote Desktop Protocol (RDP) by analyzing IDS logs integrated from multiple sites. In DBF, a particular number of attacks is repeated automatically from a host to a service over a period. For this reason, existing countermeasures have no effect on DBF. We investigate the structure of DBF and improve the existing countermeasure system. We also present TOPASE, which is replaced at each step of the existing countermeasure system and is suitable for DBF countermeasures. TOPASE analyzes the regularity of login trials between a source host and a destination host. Furthermore, TOPASE intercepts the network traffic from the source host of the brute force attack for a specific period. As a result of the evaluation with our IDS log, we estimate the performance of TOPASE and clarify the factors that maximize TOPASE’s effectiveness.


Integrated Network Management | 2015

TOPASE: Detection of brute force attacks used disciplined IPs from IDS log

Satomi Honda; Yuki Unno; Koji Maruhashi; Masahiko Takenaka; Satoru Torii

In recent years, there exist stealthy brute force attacks that can avoid the security rules and detection by IPS (Intrusion Prevention System) and IDS (Intrusion Detection System). Attackers tend to arrange innumerable hosts and allocate them fewer login trials than the limitations the administrators have set. In this paper, we report a brute force attack event (Brute force attacks with disciplined IPs, DBF) by analyzing logs with site-federated viewpoint analysis. The analyses can lead us to the structure of DBF and the existence of attackers behind the DBF. We also present TOPASE, which detects victim hosts of DBF. Combining TOPASE and shutting down based on the regularity of DBF can mitigate the DBFs to those victims.


International Conference on E Business | 2007

Timing to Block Scanning Malwares by Using Combinatorics Proliferation Model

Kazumasa Omote; Takeshi Shimoyama; Satoru Torii

One of the worst threats present in an enterprise network is the propagation of “scanning malware” (e.g., scanning worms and bots). It is important to prevent such scanning malware from spreading within an enterprise network. It is especially important to suppress scanning malware infection to less than a few infected hosts. We estimated the timing of containment software to block “scanning malware” in a homogeneous enterprise network. The “combinatorics proliferation model”, based on discrete mathematics, developed in this study derives a threshold that gives the number of the packets sent by a victim that must not be exceeded in order to suppress the number of infected hosts to less than a few. This model can appropriately express the early state under which an infection started. The result from our model fits very well to the result of computer simulation using a typical existing scanning malware and an actual network.


Innovative Mobile and Internet Services in Ubiquitous Computing | 2017

Suspicious User Detection Based on File Server Usage Features

Ryuichi Ohori; Satoru Torii

As a countermeasure against insider threats in a broad sense, a method of detecting suspicious behavior of the accounts on a file server is presented. Our proposed method employs some statistics as usage features and the deviation from other users as an anomaly score. An experiment is conducted on a file server which is actually used by tens of thousands of users. We report some characteristic behavior of the accounts which are detected as anomalous by the method.


Information Security | 2016

Wamber: Defending Web Sites on Hosting Services with Self-Learning Honeypots

Satomi Saito; Satoru Torii; Katsunari Yoshioka; Tsutomu Matsumoto

Web sites today are highly diverse in their purposes and structures, and many web sites run on hosting services. A hosting service is one of the network services for outsourcing construction and maintenance of the servers. Thus, the web site operators are free from hardware setting and server maintenance. On the other hand, web sites have been exposed to cyber attacks. To counter those web site attacks, hosting service providers should monitor their web sites. However, in many cases, it is difficult for the service providers to analyze such attacks with full information because of contracts about the protection of personal information. As another approach, it is effective to construct server-side honeypots and observe malicious access to them. Unfortunately, honeypots cannot always observe all types of attacks because of the diversity of web sites. In this paper, we propose a novel approach for keeping up security intelligence and strengthening countermeasures against web attacks on a hosting service. Our approach helps the service providers to protect their customers' web sites by combining the analysis of IDS logs and web access logs provided from these sites and dedicated honeypots for observing web attacks. The honeypots keep learning interactions from the actual hosted sites, and attract attackers by mimicking the sites to gain intelligence on malicious web attacks. We also describe a case study in a hosting service at our university, in which suspicious requests are confirmed to be malicious by our approach.


Journal of Information Processing | 2010

A Combinatorics Proliferation Model with Threshold for Malware Countermeasure

Kazumasa Omote; Takeshi Shimoyama; Satoru Torii

Security software such as anti-virus software and personal firewall are usually installed in every host within an enterprise network. There are mainly two kinds of security software: signature-based software and anomaly-based software. Anomaly-based software generally has a “threshold” that discriminates between normal traffic and malware communications in network traffic observation. Such a threshold involves the number of packets used for behavior checking by the anomaly-based software. Also, it indicates the number of packets sent from an infected host before the infected host is contained. In this paper, we propose a mathematical model that uses discrete mathematics known as combinatorics, which is suitable for situations in which there are a small number of infected hosts. Our model can estimate the threshold at which the number of infected hosts can be suppressed to a small number. The result from our model fits very well with the result of computer simulation using typical existing scanning malware and a typical network.


Archive | 2004

Device, method and program for detecting unauthorized access

Masashi Mitomo; Yoshiki Higashikado; Fumie Takizawa; Satoru Torii; Osamu Koyano


Archive | 2004

Device and method for worm detection, and computer product

Kazumasa Omote; Satoru Torii


Archive | 1997

Apparatus and method for proving transaction between users in network environment

Yasutsugu Kuroda; Masahiro Komura; Satoru Torii; Shoko Iwase; Etsuo Ono


Archive | 2005

Malicious access-detecting apparatus, malicious access-detecting method, malicious access-detecting program, and distributed denial-of-service attack-detecting apparatus

Masashi Mitomo; Yoshiki Higashikado; Fumie Takizawa; Satoru Torii; Osamu Koyano
