
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 11, November 2011

Considering Statistical Reports of Populations Penetration in Attack to Networks

Afshin Rezakhani Roozbahani
Department of Computer Engineering
The University of Ayatollah Alozma Boroujerdi, Boroujerd, Iran

Nasser Modiri
Department of Computer Engineering
Zanjan Azad University
Zanjan, Iran

Nasibe Mohammadi
Department of Computer Engineering
The University of Ayatollah Alozma Boroujerdi, Boroujerd, Iran

 

Abstract: Because Internet traffic is increasing continuously, analyzing Internet events and the penetration of countries is more important than in previous years. In this article, we study the population of the countries with the most network traffic and consider the rate of attacks that occur in them. We also study the countries subject to attack and the rate of attacks on them. These results can be used in future research to place coordinators at choke-point locations of the world to manage the information passed between countries. They can also be used in collaborative intrusion detection systems (IDSs) to inform all IDSs in other locations of the world about new attack methods.

Keywords: Internet traffic; attack rate; IDSs

I.  INTRODUCTION 

The Internet is a global system of interconnected computer networks that use the standard Internet Protocol Suite (TCP/IP) to serve billions of users worldwide [1]. The Internet, sometimes called simply "the Net," is a worldwide system of computer networks - a network of networks in which users at any one computer can, if they have permission, get information from any other computer (and sometimes talk directly to users at other computers). It was conceived by the Advanced Research Projects Agency (ARPA) of the U.S. government in 1969 and was first known as the ARPANet. The original aim was to create a network that would allow users of a research computer at one university to be able to "talk to" research computers at other universities. A side benefit of ARPANet's design was that, because messages could be routed or rerouted in more than one direction, the network could continue to function even if parts of it were destroyed in the event of a military attack or other disaster [2].

The security disciplines of computer networks are classified into three main classes: detection, prevention, and protection [16]. Detection methods are in charge of detecting any intrusion into networks. Prevention methods aim to deploy secure policies for the underlying network(s), and protection methods try to apply the manager's views for protecting the networks.

II.  INTERNET ATTACK METHODS 

Without security measures and controls in place, our data might be subjected to an attack. Some attacks are passive, meaning information is monitored; others are active, meaning the information is altered with intent to corrupt or destroy the data or the network itself. In this section we give an overview of the methods that hackers use to attack networks. These methods are explained in the subsections below [17].

 A.   Eavesdropping

In general, the majority of network communications occur in an unsecured or "cleartext" format, which allows an attacker who has gained access to data paths in your network to "listen in" or interpret (read) the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise. Without strong encryption services that are based on cryptography, your data can be read by others as it traverses the network.

 B.   Data Modification

After an attacker has read your data, the next logical step is to alter it. An attacker can modify the data in the packet without the knowledge of the sender or receiver. Even if you do not require confidentiality for all communications, you do not want any of your messages to be modified in transit. For example, if you are exchanging purchase requisitions, you do not want the items, amounts, or billing information to be modified.

C.   Identity Spoofing (IP Address Spoofing)

Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed, which is known as identity spoofing. An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet.

After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete your data. The attacker can also conduct other types of attacks, as described in the following sections.

 D.  Password-Based Attacks

A common denominator of most operating system and network security plans is password-based access control. This means your access rights to a computer and network resources are determined by who you are, that is, your user name and your password.

Older applications do not always protect identity information as it is passed through the network for validation. This might allow an eavesdropper to gain access to the network by posing as a valid user.

When an attacker finds a valid user account, the attacker has the same rights as the real user. Therefore, if the user has administrator-level rights, the attacker also can create accounts for subsequent access at a later time.

After gaining access to your network with a valid account, an attacker can do any of the following:

* Obtain lists of valid user and computer names and network information.
* Modify server and network configurations, including access controls and routing tables.
* Modify, reroute, or delete your data.

III.  CONSIDERING THE POPULATION OF COUNTRIES WITH MORE INTERNET TRAFFIC

 A.  Considering the Population of Countries

First, we study the population of some countries that play an important role in Internet traffic and in producing network attacks. The table below is based on the countries that produce the most network attacks. These figures are shown in Table 1 [3, 4, 5, 6, 7, 8, 9, 10].

Table 1. Population and Percentage of countries in the world

Country          Population       Percentage in world
China            1,330,141,295    19%
USA              310,232,863      4%
Netherlands      16,783,092       0.2%
Germany          82,282,988       1%
Russia           142,012,121      2%
Great Britain    62,348,447       0.9%
Canada           34,019,000       0.4%
Ukraine          45,415,596       0.6%
Latvia           2,231,503        0.03%
France           64,768,389       0.9%

 B.  Considering the Rate of Attack Producers

In this section, we study the rate of attacks that occur on the Internet. Our study is based on the top ten countries hosting malware [11].

Table 2. Comparing the percentage of countries' population with their attackers

Country          Percentage of all attacks (hosting malware)    Percentage in world
China            52.7%                                          19%
USA              19.02%                                         4%
Netherlands      5.86%                                          0.2%
Germany          5.07%                                          1%
Russia           2.58%                                          2%
Great Britain    2.54%                                          0.9%
Canada           2.22%                                          0.4%
Ukraine          2.17%                                          0.6%
Latvia           1.53%                                          0.03%
France           0.6%                                           0.9%

The countries with the next highest rates are as follows:

11. Spain 12. North Korea 13. Brazil 14. Cyprus 15. Sweden 16. Taiwan 17. Norway 18. Israel 19. Luxembourg 20. Estonia

Table 2 compares each country's percentage of all attacks (hosting malware) with its percentage of the world population. For example, China's share of the world population is 19%, while the malware hosted in this country accounts for 52.7%. This means that about 52% of the world's attackers manage their attacks in China.

C.  Considering the Statistical Report of Internet Users in the Above Countries

In the two previous sections, we considered the percentages of population and attackers. In this section, we study the Internet users that exist in these countries. This statistical report is shown below [3].

Table 3. Considering the penetration (% population) in ten countries

Country Population Internet Penetration


Figure 2. Internet users in the world by geographic region [12]

Figure 3. World Internet penetration rates by geographic regions [12]

Figure 4. Internet users in the world by distribution by world regions [12]

F.  Top ten malicious programs on the Internet 

The twenty malicious programs most commonly used in Internet attacks are listed below. Each program has been identified more than 170,000 times and, overall, the programs listed below were involved in more than 37% (27,443,757) of all identified incidents [11].

Table 5. Top ten malicious programs on the Internet

№     Name                                     Number of attacks    % of total
1     HEUR:Trojan.Script.Iframer               9858304              13.39
2     Trojan-Downloader.JS.Gumblar.x           2940448              3.99
3     not-a-virus:AdWare.Win32.Boran.z         2875110              3.91
4     HEUR:Exploit.Script.Generic              2571443              3.49
5     HEUR:Trojan-Downloader.Script.Generic    1512262              2.05
6     HEUR:Trojan.Win32.Generic                1396496              1.9
7     Worm.VBS.Autorun.hf                      1131293              1.54
8     Trojan-Downloader.HTML.IFrame.sz         935231               1.27
9     HEUR:Exploit.Script.Generic              752690               1.02
10    Trojan.JS.Redirector.l                   705627               0.96

IV.  CONSIDERING THE RELIABILITY OF NETWORKS

Another important subject is the availability and reliability of the Internet platform. For this, we study network monitoring in some regions and in the ten countries hosting malware. The Internet Traffic Report monitors the flow of data around the world. It then displays a value between zero and 100. Higher values indicate faster and more reliable connections [12].

 A.   Internet Traffic Report in Regions

In this section we consider the network scores in regions. The "traffic index" is a score from 0 to 100 where 0 is "slow" and 100 is "fast". It is determined by comparing the current response of a ping echo to all previous responses from the same router over the past 7 days. A score of 0 to 100 is then assigned to the current response depending on whether this response is better or worse than all previous responses from that router [13]. This report shows the Global Traffic Index for the 24 hours (10/12/2010).

Table 6. Comparing Internet traffic in regions

Region           Score    Avg. Response Time (ms)    Avg. Packet Loss (%)
Asia             68       302                        9
Australia        83       162                        0
Europe           75       244                        11
North America    78       213                        16
South America    85       144                        0

 B.   Internet Traffic Report in ten Countries

In this section we consider the traffic scores in the ten countries hosting malware. As in the subsection above, the report is shown in the table below [12].

Table 7. Comparing Internet traffic in ten countries

Country          Score             Avg. Response Time (ms)    Avg. Packet Loss (%)
China            96                34                         0
USA              83 - 99           9 - 166                    0
Netherlands      84                158                        0
Germany          83                168                        0
Russia           Not considered    -                          -
Great Britain    82 - 85           149 - 156                  0
Canada           94                57                         0
Ukraine          Not considered    -                          -
Latvia           Not considered    -                          -
France           Not considered    -                          -

V.  CONSIDERING COUNTRIES SUBJECT TO ATTACK

More than 86% of the 73,619,767 attacks targeted the machines of users in the ten countries listed below. This ranking has changed significantly since last year. China remains the leader in terms of numbers of potential victims, but the number of attacks dropped by 7%. Other countries which were near the top of the table last year, such as Egypt, Turkey, and Vietnam, now seem to be of less interest to cybercriminals. However, the number of attacks on users based in the US, Germany, Great Britain and Russia rose significantly [11].

Table 8. Top ten countries subject to attack in 2009

№     Country          Percentage of all attacks
1     China            46.75%
2     USA              6.64%
3     Russia           5.83%
4     India            4.54%
5     Germany          2.53%
6     Great Britain    2.25%
7     Saudi Arabia     1.81%
8     Brazil           1.78%
9     Italy            1.74%
10    Vietnam          1.64%
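The hosting figures of Table 2 and the victim figures of Table 8 can be set side by side. The following is an added example, not part of the original paper: it normalizes each country's hosting share by its population share, lists the countries that appear in both tables, and sums the shares covered by a chosen set of countries. The function names are assumptions made for this illustration; the numbers are transcribed from the two tables.

```python
# Added illustration; percentages transcribed from Table 2 and Table 8 of this paper.
# HOSTING: country -> (share of hosted malware %, share of world population %)
HOSTING = {
    "China": (52.7, 19.0), "USA": (19.02, 4.0), "Netherlands": (5.86, 0.2),
    "Germany": (5.07, 1.0), "Russia": (2.58, 2.0), "Great Britain": (2.54, 0.9),
    "Canada": (2.22, 0.4), "Ukraine": (2.17, 0.6), "Latvia": (1.53, 0.03),
    "France": (0.6, 0.9),
}
# TARGETED: country -> share of all attacks received % (Table 8)
TARGETED = {
    "China": 46.75, "USA": 6.64, "Russia": 5.83, "India": 4.54, "Germany": 2.53,
    "Great Britain": 2.25, "Saudi Arabia": 1.81, "Brazil": 1.78, "Italy": 1.74,
    "Vietnam": 1.64,
}


def over_representation():
    """Hosting share divided by population share, highest ratio first.

    A ratio above 1 means the country hosts more malware than its share of
    the world population alone would suggest.
    """
    ratios = {c: host / pop for c, (host, pop) in HOSTING.items()}
    return sorted(ratios.items(), key=lambda kv: kv[1], reverse=True)


def in_both_lists():
    """Countries that are both top malware hosts and top attack targets."""
    return [c for c in HOSTING if c in TARGETED]


def coverage(countries):
    """Total (hosting %, targeted %) accounted for by the given countries."""
    hosted = sum(HOSTING[c][0] for c in countries if c in HOSTING)
    targeted = sum(TARGETED[c] for c in countries if c in TARGETED)
    return hosted, targeted


if __name__ == "__main__":
    for country, ratio in over_representation():
        print(f"{country:15s} hosts {ratio:6.2f}x its population share")
    shared = in_both_lists()
    hosted, targeted = coverage(shared)
    print("In both tables:", ", ".join(shared))
    print(f"These countries cover {hosted:.2f}% of hosting and {targeted:.2f}% of targets")
```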

VI.  OUR SUGGESTED APPROACH 

 A.  Suggested Topology

We studied statistical reports of Internet traffic in some important countries and saw that most attackers use these countries for network attacks. These countries were also the victim countries subject to attack. So, if powerful coordinators exist in these countries and strongly monitor their networks to detect/prevent attacks, other countries are able to work on the Internet safely. This idea is shown in Figure 4.


Figure 5. Placing Strong/Intelligent IDS/IPS in Countries that are Subject to Attacks

Because a significant percentage of hackers attack in a few countries, we propose placing powerful IDSs/IPSs in these countries. When a new attack is detected by the IDSs/IPSs, they send the properties of the detected attack to all IDSs/IPSs that exist in other countries. We evaluated this idea in other papers and showed that the overhead traffic decreased over time and did not create any significant problem [14].

Also, the relations between IDSs/IPSs can be handled with secured mobile agents [15]. They propose a system in which an agent system is explored on top of Grid systems and provides security, autonomy, dynamic behavior and a robust infrastructure. The key features of the proposed Agent based Grid Architecture are:

* Resuming of tasks (by using software agents) after a CPU has returned back to its idle state. All the communication and the execution of tasks are handled by software agents.
* Providing security to agents' personal (confidential) data.

Support of task migration is provided by our architecture due to the introduction of agents. It handles fault tolerance by maintaining multiple copies of the task.

The architecture is actually a modification of Globus Toolkit where agents are introduced. In this way we reduced the communication overhead and provided support for task migration for resource utilization [15].
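The sharing scheme proposed in this subsection, in which an IDS/IPS sends the properties of a new attack to all of its peers, can be modelled in a few lines. This is an added example and not code from the paper or from [14]: the class names, the property fields and the event stream are assumptions constructed for illustration, and the model assumes that an attack already known to a node is not re-sent.

```python
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class AttackProperties:
    """Properties of a detected attack; the field names are assumptions."""
    category: str
    protocol: str
    dst_port: int

    def fingerprint(self) -> str:
        canon = f"{self.category}|{self.protocol}|{self.dst_port}"
        return sha256(canon.encode()).hexdigest()


class CoordinatorIDS:
    """One IDS/IPS node; `known` holds fingerprints it has already learned."""

    def __init__(self, country):
        self.country = country
        self.known = set()
        self.peers = []

    def receive(self, props):
        self.known.add(props.fingerprint())

    def detect(self, props):
        """Handle a local detection and return the number of messages sent."""
        fp = props.fingerprint()
        if fp in self.known:        # not a new attack: nothing to share
            return 0
        self.known.add(fp)
        for peer in self.peers:     # new attack: send its properties to every peer
            peer.receive(props)
        return len(self.peers)


def build_mesh(countries):
    """Create one coordinator per country, each peered with all the others."""
    nodes = {c: CoordinatorIDS(c) for c in countries}
    for node in nodes.values():
        node.peers = [p for p in nodes.values() if p is not node]
    return nodes


def overhead_per_window(nodes, events, window):
    """Messages exchanged in each consecutive window of `window` detections."""
    return [
        sum(nodes[country].detect(props) for country, props in events[i:i + window])
        for i in range(0, len(events), window)
    ]


# Constructed sample detections, named after the attack classes of Section II.
SPOOF = AttackProperties("identity-spoofing", "ip", 0)
PASSWD = AttackProperties("password-based", "tcp", 23)
SNIFF = AttackProperties("eavesdropping", "tcp", 21)
MODIFY = AttackProperties("data-modification", "tcp", 80)
EVENTS = [
    ("China", SPOOF), ("USA", PASSWD), ("Russia", SPOOF), ("Germany", SNIFF),
    ("USA", SPOOF), ("China", MODIFY), ("Germany", PASSWD), ("Russia", SNIFF),
    ("China", PASSWD), ("USA", MODIFY), ("Russia", MODIFY), ("Germany", SPOOF),
]


def run_demo():
    nodes = build_mesh(["China", "USA", "Russia", "Germany"])
    return nodes, overhead_per_window(nodes, EVENTS, window=4)


if __name__ == "__main__":
    print(run_demo()[1])
```

In this model the per-window message count falls as the coordinators accumulate shared knowledge, since only attacks a node has not yet seen trigger a broadcast.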

 B.  Standardization of All Detection Methods

We propose using a semantic web structure between all IDSs/IPSs to simplify the relation between coordinators. This work leads to a collaboration platform for intrusion detection/prevention systems and enables all of them to use the experience of other IDSs/IPSs. We proposed this idea precisely in another paper. The semantic web form that is created when an attack is detected is shown in the figure below.

Figure 6. The Semantic Web Form of a detected Attack[14]

VII.  CONCLUSION

In this article, we considered the population of the countries with the highest rates of attack traffic. We also studied the probability and the rate of attacks. The ten countries subject to attack in 2009 were studied. We did not find any semantic relation between population and attacks. Finally, we proposed placing coordinators in the top countries hosting malware to detect anomalies quickly. With this, all IDSs/IPSs use the coordinators' abilities to detect attacks.

REFERENCES 

[1]  en.wikipedia.org/wiki/Internet

[2]  http://searchwindevelopment.techtarget.com/definition/Internet

[3]  http://www.internetworldstats.com/stats.htm

[4]  http://www.indexmundi.com/netherlands/population.html

[5]  http://www.countryreports.org/people/overview.aspx?Countryname=&countryId=91

[6]  http://www.trueknowledge.com/q/population_of_russia_2010

[7]  www.trueknowledge.com/q/population_of_uk_2010

[8]  www.statcan.gc.ca

[9]  www.kyivpost.com/news/nation/detail/86668/

[10]  https://www.cia.gov/library/publications/the-world-factbook/geos/fr.html

[11]  Kaspersky Security Bulletin 2009. Statistics, 2009.

[12]  http://www.internettrafficreport.com/

[13]  http://www.internettrafficreport.com/faq.htm#trindex

[14]  Afshin Rezakhani Roozbahani, L. Rikhtechi and N. Mohammadi, "Converting Network Attacks to Standard Semantic Web Form in Cloud Computing Infrastructure", International Journal of Computer Applications (0975 – 8887) Volume 3 – No.4, June 2010.

[15]  K. MuthuManickam, "A Security Model for Mobile Agent in Grid Environment", International Journal of Computer Applications (0975 – 8887) Volume 2 – No.2, May 2010.

[16]  J. M. Kizza, "Computer Network Security", Published by Springer, 2005.

[17]  Microsoft, TechNet Library, Resources for IT Professionals, http://technet.microsoft.com/en-us/library/default.aspx, Last visited at December 2010.

 

http://sites.google.com/site/ijcsis/ ISSN 1947-5500