NAIST Laboratory for Cyber Resilience · OSI 7 Layer Reference Model


/ 1

TCP/IP

/ 2

– ISO 7 layer reference model

TCP/IP

– ISO 7 layer reference

model 5

– 7

/ 3 / 4

OSI 7 Layer Reference Model

/ 5

– Harry Nyquist (1924)

• Maximum data rate = 2H log2 V (bits/s)

– H: low pass filter bandwidth

– V: discrete level of signal

– Claude Shannon (1948)

• Maximum data rate = H log2 (1+S/N)

– S/N: signal-to-noise ratio

/ 6

IBM370

– (terminal) (host computer)

• 300bit/sec, 1200bit/sec, etc.

– (differential Manchester coding etc.)


/ 7

– X.25

• IBM HDLC

- Metcalfe’s Ethernet

– Ethernet, Token Ring

• 1200bit/sec 1Mbps Ethernet

/ 8

• X.25

/ 9

• Sync. Link / HDLC / X.25

• Coax / Ethernet / XNS

• / ARPAnet

/ 10

• ISO/OSI

• TCP/IP

– IBM/SNA, Digital/DECnet, Xerox/XNS, ….

/ 11

OSI 7 Layer Reference Model

• Physical / Data Link / Network / Transport / Session / Presentation / Application

– ISO/OSI

– (reference model)

/ 12

OSI 7 Layer Reference Model

Layer n+1

Layer n

Layer n-1

n-SAP (Service Access Point)

Layer n

n-PDU (Protocol Data Unit)

n-PDU = Header + SDU (Service Data Unit)

Peer entity


/ 13

OSI 7 Layer Reference Model

Application

Presentation

Session

Transport

Network

Data Link

Physical

NFS

XDR

Sun RPC

TCP

IP

IEEE802.3

Ethernet Coax

ES (End System) ES (End System)

(Upper Layer Protocol)

IS (Intermediate System)

Physical connection Physical connection

/ 14

Physical Layer

(communication media)

• (e.g. 0: < +0.5v, 1 > 3.7v)

• (e.g. ,

/ 15

Data Link Layer (1)

(Layer 2)

– Physical Layer

– (frame format)

– (MAC sub-layer)

/ 16

Data Link Layer (2)

– HDLC

– LAN IEEE802.x

• Ethernet 802.3

• Token Ring 802.5

• FDDI 802.9

– ISDN DLL

• I.100

Physical layer

/ 17

Network Layer (1)

(Layer 3)

– ES : End System

– IS : Intermediate System

/ 18

Network Layer (2)

– ES, IS


/ 19

Transport Layer (1)

(Layer 4)

End-to-End

– ES

• ES

/ 20

Transport Layer (2)

– End-to-End

/ 21

Session Layer (Upper Layer Protocol)

/ 22

Session Layer

– Transaction

– Session

– Transaction Logging & Roll-back operation

– Session Termination

/ 23

Presentation Layer

» 1, 2, 4, less than 1 byte (6 bits), ….

» Little Endian / Big Endian

» MSB first, LSB first

/ 24

Application Layer

(Layer 7)

– SMTP (simple mail transfer protocol)

• MTA: sendmail, qmail, postfix, etc….

• MUA: Eudora, Mozilla Thunderbird, MS/Outlook, etc….


/ 25

– IBM SNA, DECNET, Xerox XNS

– AppleTalk, Novell Netware, NetBIOS

OSI

– CLNP, TP4, IS-IS, X400, …

TCP/IP

– RIP, EGP/BGP, OSPF

– TELNET, SMTP, DNS, FTP, SNMP, NTP, ….

– DARPA

• ARPAnet, MILnet

/ 26

OSI

– ISO

– X.500

TCP/IP

– IETF

/ 27

– DECNET SI Protocol

– AppleTalk TCP/IP

– Netware, NetBios TCP/IP

– Xerox XNS:

IBM SNA

• (Legacy System)

/ 28

“Demise of protocols”

– MPLS

– J2EE, .NET, GRID….

/ 29

– Ethernet LAN

– HDLC

TCP/IP (TCP/IP Protocol Suite)

– IP TCP

/ 30

(multiplexing) (demultiplexing)

– IEEE802.3 (Ethernet)

IP, AppleTalk

Ethernet


/ 31

Multiplexing

Application

Presentation

Session

Transport

Network

Data Link

Physical

FTP

TCP

IP

IEEE802.3 Ethernet

CAT/5 cable

UDP

DNS

AppleTalk

TP4/AppleTalk

Session Manager

PAP

/ 32

Demultiplexing

Application

Presentation

Session

Transport

Network

Data Link

Physical

FTP

TCP

IP

IEEE802.3 Ethernet

CAT/5 cable

UDP

DNS

AppleTalk

TP4/AppleTalk

Session Manager

PAP

/ 33

(encapsulation)

– (n-1) PDU = (n-1) header + (n)PDU

/ 34

Encapsulation

Application

Presentation

Session

Transport

Network

Data Link

Physical

/ 35

/ 36

Network Layer Gateway

Application

Presentation

Session

Transport

Network

Data Link

Physical

IPv4

ES (End System) ES (End System)

Network layer gateway

Physical connection Physical connection

Application

Presentation

Session

Transport

Network

Data Link

Physical


/ 37

Transport Layer Gateway

Application

Presentation

Session

Transport

Network

Data Link

Physical

IPv4

ES (End System) ES (End System)

Transport layer gateway

Physical connection Physical connection

Application

Presentation

Session

Transport

Network

Data Link

Physical

4/6 mapping

IPv6

/ 38

Application Layer Gateway

Application

Presentation

Session

Transport

Network

Data Link

Physical

IPv4

ES (End System) ES (End System)

Application layer gateway

Physical connection Physical connection

Application

Presentation

Session

Transport

Network

Data Link

Physical

TCP

IPv6

TCP

SMTP 400

/ 39

/ 40

TCP/IP

/ 41

TCP/IP Protocol Suites

Internet

LAN

– Computers: UNIX workstations PC Supercomputers

– PDA, , , , , ,…

– IETF (Internet Engineering Task Force)

– http://www.ietf.org/

– 5

/ 42

TCP/IP

Gateway

Gateway

Network

Network

Network


/ 43

TCP/IP Protocol Suites

Application

Presentation

Session

Transport

Network

Data Link

Physical

Application

Transport

Internet

Network Interface

Hardware

OSI TCP/IP

Message / Stream

Transport Packet

IP Datagram

Frame

Port

IP address

Datalink Address

/ 44

Network Interface Layer

IP

• IP

• IP (next hop address)

– Next hop address

/ 45

Internet Layer: IP

IPv4 / IPv6

IP (Internet Protocol)

– (connectionless service)

• IP

• IP Best Effort

• (routing)

/ 46

IPv4

0xA3 0xDD 0x4A 0x7F

163 221 74 127

163.221.74.127/24

203.178.142.0/27

Prefix length Host part

Network part

/ 47

IPv6

128bit

25

– 1/8

Aggregatable Global Unicast Address allocation

FP | TLA ID | NLA ID | SLA ID | Interface ID

3 | 13 | 32 | 16 | 64 bits

/ 48

IPv6

Class

(aggregatable)


/ 49

IP

Hop-by-hop, destination oriented

Forwarding and routing

/ 50

interfaces

(output)

interfaces

(input)

IP module

forwarding

routing

output I/F = f(destaddr): f(x) routing

/ 51

Transport Layer

– end-to-end

• <IP address, port>

– IP

• TCP UDP

• 5678/TCP, 5678/UDP

peer entity – IP, IP, ,

, )

–•

• TCP=6, UDP=17

Internet

Network Interface

Hardware

process

Transport

process

Host

/ 52

TCP

Internet Transmission Control Protocol

• Connection Oriented

• Virtual Circuit

• (acknowledgement)

• (retransmission)

/ 53

Virtual Circuit

Byte stream semantics

Connection setup / release

/ 54

UDP

Internet User Datagram Protocol

• Connectionless

• IP

• Best Effort


/ 55

Transport Layer Protocol

TCP, UDP Transport layer protocol

– VMTP, RTP

IP Transport layer protocol

/ 56

Application Layer

– SMTP (Simple Mail Transfer Protocol), FTP (File Transfer Protocol), TELNET, POP (Post Office Protocol), HTTP (HyperText Transfer Protocol), ….

– Web HTTP, HTML

/ 57

Presentation Layer

MIME -

ASN.1 - OSI

XDR - Sun

XML - W3C

/ 58

• WWW URL

• peer entity

• (Port)

• 2 (unsigned short)

• Internet Address, IP host address

• Ethernet Ethernet Address

/ 59

TCP/IP protocol suite

IP (IPv4 & IPv6)

Gateway architecture & routing

TCP and other transport protocols

Application Layer protocols

Newly added layer: presentation layer

/ 60


/ 61

Data Link Layer = multiple sub-layers (1)

Layer2 (data link layer)

– IEEE802 802.2 (LLC layer)

IEEE802

Physical Layer

Data link Layer

Network Layer

CCITT X.25

(HDLC/LAPB)

Media Access Control Sublayer

8802/2 LLC

8802/3 CSMA/CD

8802/5 Token Ring

8802/4 Token Bus

Logical Link Control Sublayer

ISO/OSI Local Area Network Definitions (8802)

CCITT Datalink Layer Definition

/ 62

Data Link Layer = multiple sub-layers (2)

– =

– ATM

• ATM

Physical Layer

Data link Layer

Network Layer

ATM

signaling data

Adaptation Layer

ATMATM

AAL)

/ 63

Data Link Layer = multiple sub-layers (3)

(sub-layering)

• IEEE802

– API

Physical Layer

Data link Layer

Network Layer

API

/ 64

Sub-layering is not only for Layer2

Layer 3

1 Mobile IP

2

Layer 4

• Real-time transmission, multiple data-path management, performance management, etc….

/ 65

L3 L3 L3L3

7

L3 L3 ?

– “Tunneling”

– (tunneling)

• IPsec / VPN (Virtual Private Network)

• IP Multicasting

• (Mbone, 6bone), overlay network

• MTU

/ 66

IP

TP

IP

Tunneling NIF NIF

TP

IP

IP in IP

NIF

NIF


/ 67

IP

TP

IP

Tunneling NIF NIF

TP

IP

NIF

IP

NIF

Tunneling

• IP IP

/ 68

• 4.5

• 3.5

– 7

• reference model