Botnet & DDoS Deep Dive – Part II
The Business Context for Cybersecurity Management
COMP90073 Security Analytics
Dr. , CIS Semester 2, 2021
COMP90073 Security Analytics © University of Melbourne 2021

Overview
• Botnet, DDoS detection
– Feature selection
– Performance comparison
– Honeypot-based analysis
• DDoS prevention
– Ingress/egress filtering
– Router-based filtering
• DDoS reaction
– Destination-end
– Intermediate network
– Source-end

Feature Selection
• Filter-based methods
– Information Gain
– Chi-square Test
– Fisher’s Score
– Correlation Coefficient
– Variance Threshold
– …
• Wrapper-based methods
– Forward Feature Selection
– Backward Feature Elimination
• Embedded methods
– Lasso regression (L1 regularization)
– Ridge regression (L2 regularization)
https://www.analyticsvidhya.com/blog/2016/12/introduction-to-feature-selection-methods-with-an-example-or-how-to-select-the-right-variables/

Feature Selection – IG
• Information gain (IG)
– There are k classes in dataset S, S = {S_1, S_2, …, S_k}
– Entropy for dataset S:
$$H(S) = -\sum_{i=1}^{k} p_i \log p_i = -\sum_{i=1}^{k} \frac{|S_i|}{|S|} \log \frac{|S_i|}{|S|}$$
– Feature F has m values: v_1, v_2, …, v_m
– Subset of S in which feature F takes the value v_j: S_{F=v_j}
– The conditional entropy of S given feature F:
$$H(S \mid F) = \sum_{j=1}^{m} \frac{|S_{F=v_j}|}{|S|}\, H(S_{F=v_j})$$
– Information gain of feature F:
$$IG(S, F) = H(S) - H(S \mid F)$$
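The three formulas above carried through on a small constructed set of connection records, as an added example (not code from the slides or from [1]); the records, feature names and class labels are invented for illustration and are not KDD Cup 99 rows:

```python
from collections import Counter
from math import log2

# Constructed toy connection records (not from KDD Cup 99): two nominal
# features, "protocol" and "flag", and a class label "normal" or "dos".
SAMPLE = [
    {"protocol": "tcp",  "flag": "S0",  "label": "dos"},
    {"protocol": "tcp",  "flag": "S0",  "label": "dos"},
    {"protocol": "tcp",  "flag": "SF",  "label": "normal"},
    {"protocol": "udp",  "flag": "SF",  "label": "normal"},
    {"protocol": "icmp", "flag": "SF",  "label": "dos"},
    {"protocol": "tcp",  "flag": "REJ", "label": "dos"},
    {"protocol": "udp",  "flag": "SF",  "label": "normal"},
    {"protocol": "tcp",  "flag": "SF",  "label": "normal"},
]


def entropy(rows, label="label"):
    """H(S) = -sum_i p_i log2 p_i with p_i = |S_i| / |S| (0 for an empty set)."""
    n = len(rows)
    if n == 0:
        return 0.0
    counts = Counter(r[label] for r in rows)
    return -sum((c / n) * log2(c / n) for c in counts.values())


def conditional_entropy(rows, feature, label="label"):
    """H(S|F) = sum_j (|S_{F=v_j}| / |S|) * H(S_{F=v_j}) over the m values of F."""
    n = len(rows)
    partitions = {}
    for r in rows:
        partitions.setdefault(r[feature], []).append(r)
    return sum(len(sub) / n * entropy(sub, label) for sub in partitions.values())


def information_gain(rows, feature, label="label"):
    """IG(S, F) = H(S) - H(S|F)."""
    return entropy(rows, label) - conditional_entropy(rows, feature, label)


def rank_features(rows, features, label="label"):
    """Filter-style ranking: highest information gain first."""
    scored = [(f, information_gain(rows, f, label)) for f in features]
    return sorted(scored, key=lambda fs: fs[1], reverse=True)


if __name__ == "__main__":
    for name, gain in rank_features(SAMPLE, ["protocol", "flag"]):
        print(f"{name:10s} IG = {gain:.4f}")
```

On this sample H(S) = 1 bit (four rows of each class); "flag" separates the classes better than "protocol" because the S0 and REJ partitions are pure.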

Feature Selection – KDD Cup 99
• Results of feature selection on KDD Cup 99 using information gain [1]

Feature Selection – CFS
• Correlation-based Feature Selector [2]
– Heuristic “merit” of a feature subset S with k features:
$$M_S = \frac{k\,\overline{r_{cf}}}{\sqrt{k + k(k-1)\,\overline{r_{ff}}}}$$
• k: the number of features in S
• $\overline{r_{cf}}$: the average feature-class correlation over f ∈ S
• $\overline{r_{ff}}$: the average feature-feature intercorrelation within S
– Objectives:
• Increase feature-to-class correlation ($\overline{r_{cf}}$)
• Reduce feature-to-feature correlation ($\overline{r_{ff}}$)
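The merit heuristic evaluated over a constructed numeric sample with a greedy forward search, as an added example (not code from the slides or from Hall's CFS implementation, which uses a best-first search rather than this simpler greedy search); the feature columns, class vector and the use of absolute Pearson correlation are assumptions made here:

```python
from math import sqrt

# Constructed numeric sample (not NSL-KDD data): class 0 = normal, 1 = attack.
# f1 tracks the class closely, f2 is a near-copy of f1, f3 is noise.
DATA = {
    "f1": [1, 2, 1, 2, 8, 9, 8, 9],
    "f2": [1, 2, 1, 3, 8, 9, 9, 8],
    "f3": [5, 1, 4, 2, 3, 5, 1, 4],
}
CLASS = [0, 0, 0, 0, 1, 1, 1, 1]


def pearson(xs, ys):
    """Sample Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy)


def merit(subset, data, cls):
    """M_S = k * r_cf / sqrt(k + k(k-1) r_ff); r_cf, r_ff are mean |correlations|."""
    k = len(subset)
    if k == 0:
        return 0.0
    r_cf = sum(abs(pearson(data[f], cls)) for f in subset) / k
    pairs = [(a, b) for i, a in enumerate(subset) for b in subset[i + 1:]]
    r_ff = sum(abs(pearson(data[a], data[b])) for a, b in pairs) / len(pairs) if pairs else 0.0
    return k * r_cf / sqrt(k + k * (k - 1) * r_ff)


def cfs_forward(data, cls):
    """Greedy forward search: add the feature that raises merit most, stop when none does."""
    chosen, best = [], 0.0
    remaining = list(data)
    while remaining:
        cand, score = max(((f, merit(chosen + [f], data, cls)) for f in remaining),
                          key=lambda fs: fs[1])
        if score <= best:
            break                     # the intercorrelation penalty outweighs the gain
        chosen.append(cand)
        best = score
        remaining.remove(cand)
    return chosen, best


if __name__ == "__main__":
    print(cfs_forward(DATA, CLASS))
```

Here f2 is nearly redundant with f1 (r_ff ≈ 0.99), so adding it lowers the merit even though its own class correlation is high; f3 is rejected because it adds almost no class correlation.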

Feature Selection – NSL KDD
• Results of feature selection on NSL KDD [3]
– Wrapper-based: 4, 5, 6, 12, 26, 30
– Filter-based: the global minima were achieved with the top 10 features (5, 3, 6, 4, 30, 29, 33, 34, 35, 38)

Botnet Detection – KDD Cup 99
• Accuracy comparison on KDD Cup 99 [4]

Botnet Detection – NSL KDD
• Accuracy comparison on NSL KDD [4]

Botnet Detection – NSL KDD
• Performance comparison of six classifiers [3]

Botnet Detection – NSL KDD
• Impact of feature selection on the performance [3]

Botnet Detection
• Honeypot-based analysis
– Mimic the actual server to trap the attacker
– Deliberately expose vulnerabilities/materials
– Educational purposes vs security purposes
– Limitations
• Encrypted traffic
• Unknown attacks
• Attacker may move laterally to infiltrate the real production network
https://www.cse.wustl.edu/~jain/cse571-09/ftp/honey/

DDoS Prevention
• Ingress/egress filtering [2]: only allow traffic to enter/leave the network if its source addresses are within the expected IP address range
– E.g., Router 1 only allows packets having a source IP address with the 204.69.207.0/24 prefix to leave the network
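Both directions of the filter for the Router 1 example, as an added example (not code from the slides or from [2]): outbound packets must carry a source inside the site prefix, and inbound packets must not claim one. The 204.69.207.0/24 prefix is the slide's; the sample packets use RFC 5737 documentation addresses and are constructed here.

```python
import ipaddress

# Prefix assigned to the leaf network behind Router 1 (value taken from the slide).
SITE_PREFIX = ipaddress.ip_network("204.69.207.0/24")


def egress_allowed(src_ip, site=SITE_PREFIX):
    """Outbound rule: a packet may leave only if its source is one of our addresses."""
    return ipaddress.ip_address(src_ip) in site


def ingress_allowed(src_ip, site=SITE_PREFIX):
    """Inbound rule: a packet arriving from upstream must not claim one of our addresses."""
    return ipaddress.ip_address(src_ip) not in site


def apply_filters(packets, site=SITE_PREFIX):
    """Split (direction, src, dst) tuples into (passed, dropped) lists."""
    passed, dropped = [], []
    for direction, src, dst in packets:
        ok = egress_allowed(src, site) if direction == "out" else ingress_allowed(src, site)
        (passed if ok else dropped).append((direction, src, dst))
    return passed, dropped


# Constructed sample packets; "out" leaves the site, "in" arrives from upstream.
PACKETS = [
    ("out", "204.69.207.17", "198.51.100.8"),   # legitimate outbound
    ("out", "10.0.0.5", "198.51.100.8"),         # private/misconfigured source: dropped
    ("out", "203.0.113.44", "198.51.100.8"),     # source not ours: dropped
    ("in",  "198.51.100.8", "204.69.207.17"),    # legitimate inbound
    ("in",  "204.69.207.99", "204.69.207.17"),   # inbound claiming our own prefix: dropped
]

if __name__ == "__main__":
    passed, dropped = apply_filters(PACKETS)
    for pkt in dropped:
        print("drop", pkt)
    print(f"{len(passed)} passed, {len(dropped)} dropped")
```

The egress rule stops a compromised host inside the site from emitting spoofed packets; the ingress rule stops outsiders from impersonating internal hosts, which is the reflection case the slide's range check does not name explicitly.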

DDoS Prevention
• Router-based filtering: use information about the BGP routing topology to filter traffic with spoofed source addresses
– E.g., attack traffic from AS7 (spoofed as AS3) to AS4; router-based filtering deployed at AS6; attack traffic from AS7 can be filtered if AS6 knows the BGP routing topology
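The AS6 scenario modelled as a reachability check, as an added example (not code from the slides): a packet claiming a source prefix owned by AS3 is accepted at AS6 only on a link that AS3 could legitimately reach without passing through AS6 itself. The AS-level topology, prefix ownership (RFC 5737 ranges) and the undirected-path approximation of BGP reachability are constructed assumptions.

```python
import ipaddress
from collections import deque

# Constructed AS-level topology (undirected adjacency), not a real BGP table.
# AS7 is a stub hanging off AS6; AS3 can reach AS6 only through AS5.
TOPOLOGY = {
    1: {2}, 2: {1, 3}, 3: {2, 5}, 5: {3, 6},
    6: {5, 4, 7}, 4: {6}, 7: {6, 8}, 8: {7},
}
# Constructed prefix ownership (RFC 5737 documentation ranges).
PREFIX_OWNER = {
    ipaddress.ip_network("198.51.100.0/24"): 3,
    ipaddress.ip_network("203.0.113.0/24"): 7,
    ipaddress.ip_network("192.0.2.0/24"): 4,
}


def origin_as(src_ip):
    """AS that originates the prefix containing src_ip, or None if unknown."""
    ip = ipaddress.ip_address(src_ip)
    for net, asn in PREFIX_OWNER.items():
        if ip in net:
            return asn
    return None


def reachable_without(graph, start, barrier):
    """ASes reachable from `start` on paths that never traverse `barrier`."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt != barrier and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def valid_ingress_links(graph, router_as, src_as):
    """Neighbours of router_as on which packets sourced in src_as can legitimately arrive."""
    return {n for n in graph[router_as] if n in reachable_without(graph, src_as, router_as)}


def accept(graph, router_as, src_ip, arrived_from):
    """Router-based filter decision for a packet that arrived over the link from arrived_from."""
    src_as = origin_as(src_ip)
    if src_as is None:
        return False                      # no known origin for this source: drop
    return arrived_from in valid_ingress_links(graph, router_as, src_as)


if __name__ == "__main__":
    # AS7 sending a packet spoofed with an AS3 source (bound for AS4) is dropped at AS6.
    print("spoofed AS3 from AS7:", accept(TOPOLOGY, 6, "198.51.100.7", 7))
    print("genuine AS3 via AS5:  ", accept(TOPOLOGY, 6, "198.51.100.7", 5))
```

The filter only works because AS6 can derive, from the topology, that AS3's prefix should never arrive on the AS7 link; with an incomplete view of the routing topology it would have to let the packet through.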

DDoS Reaction
• Destination/target-end reaction
– Bottleneck resource management: protect the bottleneck resource
– E.g., expanding server capacity, history-based IP filtering
• Intermediate network reaction
– Filter attack traffic close to the attack sources
– E.g., agent-controller model
• Source-end reaction
– Filter attack traffic at the source
– E.g., D-WARD
(Figure: agent-controller model)
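History-based IP filtering at the destination end, as an added example (not code from the slides or from any cited paper): an address database is built from sources seen on several normal days, and once the inbound rate in a window exceeds a threshold only database members are admitted. The address sets, window sizes, threshold and the "seen on at least two days" rule are constructed assumptions.

```python
from collections import Counter

# Constructed normal-period observations: the set of source addresses seen on
# each of three ordinary days (RFC 5737 documentation ranges, not real clients).
NORMAL_DAYS = [
    {"198.51.100.1", "198.51.100.2", "198.51.100.3"},
    {"198.51.100.1", "198.51.100.2", "198.51.100.4"},
    {"198.51.100.1", "198.51.100.3"},
]
# Constructed per-window source lists: one flood window, one quiet window.
ATTACK_WINDOW = ["198.51.100.1", "203.0.113.5", "203.0.113.6", "198.51.100.2",
                 "203.0.113.7", "203.0.113.8", "203.0.113.9", "203.0.113.10"]
QUIET_WINDOW = ["198.51.100.1", "198.51.100.4", "203.0.113.5"]
RATE_THRESHOLD = 5          # packets per window above which the server is a bottleneck


def build_iad(daily_sources, min_days=2):
    """IP address database: sources seen on at least min_days distinct normal days."""
    days_seen = Counter()
    for day in daily_sources:
        days_seen.update(set(day))      # count a source once per day, however busy it was
    return {ip for ip, d in days_seen.items() if d >= min_days}


def filter_window(sources, iad, rate_threshold):
    """Admit everything while load is normal; under overload admit only known sources."""
    overloaded = len(sources) > rate_threshold
    if not overloaded:
        return list(sources), []
    admitted = [ip for ip in sources if ip in iad]
    dropped = [ip for ip in sources if ip not in iad]
    return admitted, dropped


if __name__ == "__main__":
    iad = build_iad(NORMAL_DAYS)
    print("IAD:", sorted(iad))
    print("attack window:", filter_window(ATTACK_WINDOW, iad, RATE_THRESHOLD))
    print("quiet window: ", filter_window(QUIET_WINDOW, iad, RATE_THRESHOLD))
```

The scheme trades off first-time visitors during an attack (198.51.100.4, seen only once, is not admitted under overload) for keeping the bottleneck resource available to the established client population.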

DDoS Reaction
• Mitigation Techniques at AWS
– Infrastructure Layer Defence
• Amazon EC2 with Auto Scaling
• Choice of Region
• Elastic Load Balancing
– Application Layer Defence
https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/mitigation-techniques.html

Summary
• Examples of botnet/DDoS detection on KDD Cup, NSL KDD
– Feature selection
• Example 1: information gain applied on KDD Cup
• Example 2: CFS applied on NSL KDD
– Performance comparison
• Feature selection can reduce model building time without impacting the performance
• DDoS prevention
– Ingress/egress filtering at leaf networks
– Router-based filtering
• DDoS reaction
– Destination-end, intermediate network, source-end

Reference
• [1] Kayacik, H.G., Zincir-Heywood, A.N., Heywood, M.I.: Selecting Features for Intrusion Detection: A Feature Relevance Analysis on KDD 99 Intrusion Detection Datasets. In: Proc. of the Third Annual Conference on Privacy, Security and Trust (2005)
• [2] Hall, M.A.: Correlation-based Feature Subset Selection for Machine Learning. Hamilton, . (1998)
• [3] Alabdulwahab, S., Moon, B.-K.: Feature Selection Methods Simultaneously Improve the Detection Accuracy and Model Building Time of Machine Learning Classifiers. Symmetry 12(9), 1424 (2020). doi:10.3390/sym12091424
• [4] Thakkar, A., Lohiya, R.: A survey on intrusion detection system: feature selection, model, performance measures, application perspective, challenges, and future research directions. Rev (2021). https://doi.org/10.1007/s10462-021-10037-9

Reference
• [5] and Rich Groves, 2016, Distributed Denial of Service, O’ , Inc.
• [6] , , and , Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems, ACM Computing Surveys

The Business Context for Cybersecurity Management
COMP90073 Security Analytics
Dr. , CIS Semester 2, 2021

Outline
• Security and Risk Management Practice
• Information Security Management Governance
• Organizational Behaviour
• Ethics

Security and Risk Management Practice
• Security management ensures
– Risks are identified
– An adequate control environment is established to mitigate the risks
– Interrelationships among
• Assessing risk
• Implementing policies and controls in response to the risks
• Promoting awareness of the expectations
• Monitoring the effectiveness of the controls
Security and Risk Management relationships (Source: [1])

Information Security Management Governance
• According to the IT Governance Institute (ITGI), the Board of Directors should
– Be informed about information security
– Set direction to drive policy and strategy
– Provide resources to security efforts
– Assign management responsibilities
– Set priorities
– Support changes required
– Define cultural values related to risk assessment
– Obtain assurance from internal or external auditors
– Insist that security investments are made measurable and reported on for program effectiveness

Information Security Management Governance
• Management should
– Write security policies with business input
– Ensure that roles and responsibilities are defined and clearly understood
– Identify threats and vulnerabilities
– Implement security infrastructures and control frameworks (standards, guidelines, baselines, and procedures)
– Ensure that policy is approved by the governing body
– Establish priorities and implement security projects in a timely manner
– Monitor breaches
– Conduct periodic reviews and tests
– Reinforce awareness education as critical
– Build security into the systems development life cycle

Information Security Management Governance
• Security Policies, Procedures, Standards, Guidelines, and Baselines
• What’s Risk Management
• Risk Management Principles
• Risk Assessment

Security Policies, Procedures, Standards, Guidelines, and Baselines
Relationships among policies, standards, procedures, baselines, and guidelines (Source: [1])

What’s Risk Management
• “A discipline for living with the possibility that future events may cause harm, it reduces risks by defining and controlling threats and vulnerabilities”
– by (ISC)2 (The International Information System Security Certification Consortium)

Risk Management Principles
• Risk avoidance
The practice of coming up with alternatives so that the risk in question is not realized
e.g., Parents won’t allow an underage child to drive the family car, to avoid the risks of poor driving performance or the cost of insurance for the child
• Risk transfer
The practice of passing on the risk in question to another entity, such as an insurance company

Risk Management Principles
• Risk mitigation
The practice of the elimination of, or the significant decrease in, the level of risk presented
e.g., Organizations put countermeasures in place, such as firewalls, IDSs/IPSs, and other mechanisms, to deter malicious outsiders from accessing personal and financial information, lessening the risk of exposing this highly sensitive and confidential information
• Risk acceptance
The practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way

Risk Assessment
• Identify vulnerabilities
• Identify threats
• Qualitative assessment
• Quantitative assessment
• Reporting findings
• Countermeasure selection
• Information valuation

Risk Assessment
• Identify vulnerabilities
– Vulnerability: “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy” – by NIST (National Institute of Standards and Technology)
– Examples of vulnerabilities
• Absence of a receptionist, mantrap, or other physical security mechanism upon entrance to a facility
• Inadequate integrity checking in financial transaction software
• Neglecting to require users to sign an acknowledgment of their responsibilities with regard to security, as well as an acknowledgment that they have read, understand, and agree to abide by the organization’s security policies
• Patching and configuration of an organization’s information systems are done on an ad hoc basis, and, therefore, are neither documented nor up to date

Risk Assessment
• Identify Threats
– Threat: “the potential for a particular threat-source to successfully exercise a particular vulnerability” – by NIST
– Threat source: “either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability” – by NIST

Risk Assessment
– Threat source categories
• Human: Malicious outsider, malicious insider, (bio)terrorist, saboteur, spy, political or competitive operative, loss of key personnel, errors made by human intervention, cultural issues
• Natural: Fire, flood, tornado, hurricane, snow storm, earthquake
• Technical: Hardware failure, software failure, malicious code, unauthorized use, use of emerging services, such as wireless, new technologies
• Physical: Closed-circuit TV failure, perimeter defence failure
• Environmental: Hazardous waste, biological agent, utility failure
• Operational: A process (manual or automated) that affects confidentiality, integrity, or availability

Qualitative Assessment
• Determination of likelihood and impact
Rating likelihood and consequences (Source: [1])

Qualitative Assessment
• Determination of risk – the product of likelihood and impact
ANZ 4360 risk levels (Source: [1])

Qualitative Assessment
• Example
– An exploit has a likelihood of 4 (high) and an impact of 3 (moderate); what is the risk level? Answer: High risk

Quantitative Assessment
• Single loss expectancy (SLE): the difference between the original value and the remaining value of an asset after a single exploit
• Annualized rate of occurrence (ARO): an estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year
• Annualized loss expectancy (ALE): the product of the yearly estimate for the exploit (ARO) and the loss in value of an asset after a single exploitation (SLE)

Quantitative Assessment
• Example
– Company A’s intellectual property on racing car design is worth $600,000, the exposure factor is 80%, and the annualized rate of occurrence is 5%. What’s the annualized loss expectancy?
Answer:
SLE = $600,000 x 80% = $480,000
ALE = ARO x SLE = 5% x $480,000 = $24,000

Risk Assessment
• Reporting findings
– Once the findings from the assessment have been consolidated and the calculations have been completed, it is time to present a finalized report to senior management
• Countermeasure selection
– Considerations for countermeasures
• Accountability (can be held responsible)
• Auditability (can it be tested?)
• Publicly available, simple design (the construction and the nature of the countermeasure are not secret)
• Trusted source (source is known)
• Independence (self-determining)
• Consistently applied
• Cost-effective
• Reliable
• Distinct from other countermeasures (no overlap)

Risk Assessment
• Ease of use
• Minimum manual intervention
• Sustainable
• Secure
• Protects confidentiality, integrity, and availability of assets
• Can be “backed out” in the event of an issue
• Creates no additional issues during operation
• Leaves no residual data from its function
• Information valuation
– Periodically attempt to properly value information assets, as information may lose its value
• Over time
• If it is modified or improperly disclosed
• If it has not had its proper value calculated

Organizational Behavior – Structure
Security organisational structure
(Source: ISO27k organization of information security)

Organizational Behaviour –
• Job rotation
• Separation of duties
• Least privilege
• Mandatory vacations
• Job position sensitivity
• Budget for Information Security Activities
• Policies, Procedures, Baselines, Standards, and Guidelines
• Security Awareness Program
• Understand Business Objectives
• Maintain Awareness of Emerging Threats and Vulnerabilities
• Evaluate Security Incidents and Response
• Develop Security Compliance Program
• Establish Security Metrics
• Participate in Management Meetings
• Ensure Compliance with Government and Industry Regulations
• Assist Internal and External Auditors
• Stay Abreast of Emerging Technologies

Ethics
• Common computer ethics fallacies
– Computer game fallacy
• Computer users tend to think that computers will generally prevent them from cheating and doing wrong
– Law-abiding citizen fallacy
• Sometimes users confuse what is legal with regard to computer use with what is reasonable behaviour for using computers. Laws basically define the minimum standard about which actions can be reasonably judged, but such laws also call for individual judgment
– Shatterproof fallacy
• Computer users believe that they can do little harm accidentally with a computer beyond perhaps erasing or messing up a file

Ethics
– Candy-from-a-baby fallacy
• Illegal and unethical activity, such as software piracy and plagiarism, are very easy to do with a computer. However, just because it is easy does not mean that it is right
– Hacker fallacy
• Numerous reports and publications describe the commonly accepted hacker belief that it is acceptable to do anything with a computer as long as the motivation is to learn and not to gain or make a profit from such activities
– Free information fallacy
• The notion that information “wants to be free” ignores the fact that the copying and distribution of data are completely under the control of the author who allows it to happen

Ethics
• Sample code of conduct: (ISC)2
– Code of Ethics Preamble
• Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behaviour
– Code of Ethics Canons
• Protect society, the commonwealth, and the infrastructure
– Promote and preserve public trust and confidence in information and systems
– Promote the understanding and acceptance of prudent information security measures
– Preserve and strengthen the integrity of the public infrastructure
– Discourage unsafe practice

Ethics
• Act honourably, honestly, justly, responsibly, and legally
– Tell the truth; make all stakeholders aware of your actions on a timely basis
– Observe all contracts and agreements, express or implied
– Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order
– Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence
– When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service

Ethics
• Provide diligent and competent service to principals
– Preserve the value of their systems, applications, and information
– Respect their trust and the privileges that they grant you
– Avoid conflicts of interest or the appearance thereof
– Render only those services for which you are fully competent and qualified
• Advance and protect the profession
– Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession
– Take care not to injure the reputation of other professionals through malice or indifference
– Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others

Summary
• Security and Risk Management Practice
– Explain relationships of security and risk management
• Information Security Management Governance
– Describe risk management and the four risk management principles
– Explain risk assessment process
– Determine qualitative risks
– Calculate quantitative risks
• Organizational Behaviour
– Understand best practices
• Ethics
– Explain common computer ethics fallacies

Reference
• [1] . Tipton, 2010, Official (ISC)2 guide to the CISSP CBK, Second Edition, SciTech Book News