Considering Statistical Reports of Populations Penetration in Attack to Networks

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 11, November 2011
http://sites.google.com/site/ijcsis/ ISSN 1947-5500

Afshin Rezakhani Roozbahani, Department of Computer Engineering, The University of Ayatollah Alozma Boroujerdi, Boroujerd, Iran, Af.email@example.com
Nasser Modiri, Department of Computer Engineering, Zanjan Azad University, Zanjan, Iran, NasserModiri@yahoo.com
Nasibe Mohammadi, Department of Computer Engineering, The University of Ayatollah Alozma Boroujerdi, Boroujerd, Iran, firstname.lastname@example.org

Abstract—Because Internet traffic is increasing continuously, analyzing Internet events and the penetration of countries is more important than in previous years. In this article, we study the population of the countries with the most network traffic and consider the rate of attacks that occur in them. We also study the countries subject to attack and the rate of their attacks. These results can be used in future research to place coordinators in gorge locations of the world to manage the information that is passed between countries. These results can also be used in collaborative intrusion detection systems (IDSs) to inform all IDSs in other locations of the world about new attack methods.

Keywords-internet traffic; attacks rate; IDSs;

I. INTRODUCTION

The Internet is a global system of interconnected computer networks that use the standard Internet Protocol Suite (TCP/IP) to serve billions of users worldwide. The Internet, sometimes called simply "the Net," is a worldwide system of computer networks - a network of networks in which users at any one computer can, if they have permission, get information from any other computer (and sometimes talk directly to users at other computers). It was conceived by the Advanced Research Projects Agency (ARPA) of the U.S. government in 1969 and was first known as the ARPANet. The original aim was to create a network that would allow users of a research computer at one university to be able to "talk to" research computers at other universities. A side benefit of ARPANet's design was that, because messages could be routed or rerouted in more than one direction, the network could continue to function even if parts of it were destroyed in the event of a military attack or other disaster.

The security disciplines of computer networks are classified into three main classes: detection, prevention, and protection. The detection methods are in charge of detecting any intrusion in networks. Prevention methods aim to deploy secure policies for the underlying network(s), and finally the protection methods try to exert the manager's views for protecting the networks.

II. INTERNET ATTACK METHODS

Without security measures and controls in place, our data might be subjected to an attack. Some attacks are passive, meaning information is monitored; others are active, meaning the information is altered with intent to corrupt or destroy the data or the network itself. In this section we give an overview of the methods that hackers use to attack networks. These methods are explained in the subsections below.

A. Eavesdropping

In general, the majority of network communications occur in an unsecured or "cleartext" format, which allows an attacker who has gained access to data paths in your network to "listen in" or interpret (read) the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise. Without strong encryption services that are based on cryptography, your data can be read by others as it traverses the network.

B. Data Modification

After an attacker has read your data, the next logical step is to alter it. An attacker can modify the data in the packet without the knowledge of the sender or receiver. Even if you do not require confidentiality for all communications, you do not want any of your messages to be modified in transit. For example, if you are exchanging purchase requisitions, you do not want the items, amounts, or billing information to be modified.

C. Identity Spoofing (IP Address Spoofing)

Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed—identity spoofing. An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet.

After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete your data. The attacker can also conduct other types of attacks, as described in the following sections.

D. Password-Based Attacks

A common denominator of most operating system and network security plans is password-based access control. This means your access rights to a computer and network resources are determined by who you are, that is, your user name and your password.

Older applications do not always protect identity information as it is passed through the network for validation. This might allow an eavesdropper to gain access to the network by posing as a valid user.

When an attacker finds a valid user account, the attacker has the same rights as the real user. Therefore, if the user has administrator-level rights, the attacker also can create accounts for subsequent access at a later time.

After gaining access to your network with a valid account, an attacker can do any of the following:

* Obtain lists of valid user and computer names and network information.
* Modify server and network configurations, including access controls and routing tables.
* Modify, reroute, or delete your data.

III. CONSIDERING THE POPULATION OF COUNTRIES WITH MORE INTERNET TRAFFIC

A. Considering the Population of Countries

First, we study the population of some countries that play an important role in Internet traffic and in producing network attacks. The table below is based on the countries that produce the most network attacks. These figures are shown in Table 1 [3, 4, 5, 6, 7, 8, 9, 10].

Table 1. Population and Percentage of countries in the world

| Country | Population | Percentage in world |
|---|---|---|
| China | 1,330,141,295 | 19% |
| USA | 310,232,863 | 4% |
| Netherlands | 16,783,092 | 0.2% |
| Germany | 82,282,988 | 1% |
| Russia | 142,012,121 | 2% |
| Great Britain | 62,348,447 | 0.9% |
| Canada | 34,019,000 | 0.4% |
| Ukraine | 45,415,596 | 0.6% |
| Latvia | 2,231,503 | 0.03% |
| France | 64,768,389 | 0.9% |

B. Considering the Rate of Attack Producers

In this section, we study the rate of attacks that occur on the Internet. Our study is based on the top ten countries hosting malware.

Table 2. Comparing the percentage of countries' population with their attackers

| Country | Percentage of all attacks (hosting malware) | Percentage in world |
|---|---|---|
| China | 52.7% | 19% |
| USA | 19.02% | 4% |
| Netherlands | 5.86% | 0.2% |
| Germany | 5.07% | 1% |
| Russia | 2.58% | 2% |
| Great Britain | 2.54% | 0.9% |
| Canada | 2.22% | 0.4% |
| Ukraine | 2.17% | 0.6% |
| Latvia | 1.53% | 0.03% |
| France | 0.6% | 0.9% |

The countries with the next rates are as follows: 11. Spain 12. North Korea 13. Brazil 14. Cyprus 15. Sweden 16. Taiwan 17. Norway 18. Israel 19. Luxemburg 20. Estonia

Table 2 compares the percentage of all attacks (hosting malware) with the percentage of each country's population in the world. For example, the share of China's population in the world is 19%. Meanwhile, the malware hosting in this country is 52.7%. This means that about 52% of the world's attackers manage their attacks in China.

C. Considering the Statistical Report of Internet Users in Above Countries

In the two previous sections, we considered the percentage of population and of attackers. In this section, we study the Internet users that exist in these countries. This statistical report is shown below.

Table 3. Considering the penetration (% population) in ten countries

| Country | Population | Internet Users | Penetration (% Population) |
|---|---|---|---|
| China | 1,330,141,295 | 420,000,000 | 32% |
| USA | 310,232,863 | 239,232,863 | 77% |
| Netherlands | 16,783,092 | 14,872,200 | 89% |
| Germany | 82,282,988 | 65,123,800 | 79% |
| Russia | 142,012,121 | 59,700,000 | 43% |
| Great Britain | 62,348,447 | 51,442,100 | 82% |
| Canada | 34,019,000 | 26,224,900 | 78% |
| Ukraine | 45,415,596 | 15,300,000 | 33% |
| Latvia | 2,231,503 | 1,503,400 | 67% |
| France | 64,768,389 | 44,625,300 | 69% |

This table shows the penetration (% population) in the above countries. For example, 77% of the population of the USA use the Internet in their work.

D. Comparing above Reports

According to Internet World Stats, the total population of the world is 6,845,609,960. Also according to the reports of this site, the total number of Internet users in the world is 1,966,514,816. Thus, the average rate of Internet users in the world is:

Average rate = Internet users in world / world population

Then:

Average rate = 1,966,514,816 / 6,845,609,960 = 28%

This means that out of every hundred people in the world, only about twenty-eight use the Internet to do their work. Now we consider this rate in the top ten countries hosting malware. This comparison is shown in Table 4.

Table 4. Comparing the population penetration factor in attacks

| Country | Percentage in world | Internet Users (% Population) | Total Internet Users in world (% Population) | Percentage of all attacks (hosting malware) |
|---|---|---|---|---|
| China | 19% | 32% | 6% | 52.7% |
| USA | 4% | 77% | 3% | 19.02% |
| Netherlands | 0.2% | 89% | 0.2% | 5.86% |
| Germany | 1% | 79% | 0.8% | 5.07% |
| Russia | 2% | 43% | 0.9% | 2.58% |
| Great Britain | 0.9% | 82% | 0.7% | 2.54% |
| Canada | 0.4% | 78% | 0.3% | 2.22% |
| Ukraine | 0.6% | 33% | 0.2% | 2.17% |
| Latvia | 0.03% | 67% | 0.02% | 1.53% |
| France | 0.9% | 69% | 0.6% | 0.6% |

This table shows the penetration of total Internet users in the ten countries hosting malware that play an important role in Internet attacks. For example, the population of China is 19% of the total world population. On the other hand, 32% of the population of this country are Internet users. Thus, about 19% * 32% = 6% is the percentage for China of people who use the Internet among all of the world's Internet users. This means column4 (Total Internet Users in world (% Population)) is obtained as below:

Column4 = column2 * column3;

Figure 1 shows the role of the penetration of the populations of these countries in the world attacks (hosting malware) that occurred in them.

Figure 1. Relation between population and rate of malware hosting

E. Study the Internet Users in Regions

The three figures below, obtained from Internet World Stats, compare different regions by Internet users in the world by geographic region, world Internet penetration rates, and Internet users in the world by distribution by world regions.

Figure 2. Internet Users in the world by geographic region

Figure 3. World Internet penetration rates by geographic regions

Figure 4. Internet Users in the world by distribution by world regions

F. Top ten malicious programs on the Internet

The twenty malicious programs most commonly used in Internet attacks are listed below. Each program has been identified more than 170,000 times and, overall, the programs listed below were involved in more than 37% (27,443,757) of all identified incidents.

Table 5. Top ten malicious programs on the Internet

| № | Name | Number of attacks | % of total |
|---|---|---|---|
| 1 | HEUR:Trojan.Script.Iframer | 9858304 | 13.39 |
| 2 | Trojan-Downloader.JS.Gumblar.x | 2940448 | 3.99 |
| 3 | not-a-virus:AdWare.Win32.Boran.z | 2875110 | 3.91 |
| 4 | HEUR:Exploit.Script.Generic | 2571443 | 3.49 |
| 5 | HEUR:Trojan-Downloader.Script.Generic | 1512262 | 2.05 |
| 6 | HEUR:Trojan.Win32.Generic | 1396496 | 1.9 |
| 7 | Worm.VBS.Autorun.hf | 1131293 | 1.54 |
| 8 | Trojan-Downloader.HTML.IFrame.sz | 935231 | 1.27 |
| 9 | HEUR:Exploit.Script.Generic | 752690 | 1.02 |
| 10 | Trojan.JS.Redirector.l | 705627 | 0.96 |

IV. CONSIDERING THE RELIABILITY OF NETWORKS

Another important subject is the availability and reliability of the Internet platform. For this, we study network monitoring in some regions and in the ten countries hosting malware. The Internet Traffic Report monitors the flow of data around the world. It then displays a value between zero and 100. Higher values indicate faster and more reliable connections.

A. Internet Traffic Report in Regions

In this section we consider the score of networks in regions. The "traffic index" is a score from 0 to 100 where 0 is "slow" and 100 is "fast". It is determined by comparing the current response of a ping echo to all previous responses from the same router over the past 7 days. A score of 0 to 100 is then assigned to the current response depending on whether this response is better or worse than all previous responses from that router. This report shows the Global Traffic Index for the 24 hours (10/12/2010).

Table 6. Comparing Internet traffic in regions

| Region | Score | Avg. Response Time (ms) | Avg. Packet Loss (%) |
|---|---|---|---|
| Asia | 68 | 302 | 9% |
| Australia | 83 | 162 | 0% |
| Europe | 75 | 244 | 11% |
| North America | 78 | 213 | 16% |
| South America | 85 | 144 | 0% |

B. Internet Traffic Report in ten Countries

In this section we consider the traffic scores in the ten countries hosting malware. As in the subsection above, the report is shown in the table below.

Table 7. Comparing Internet traffic in ten countries

| Country | Score | Avg. Response Time (ms) | Avg. Packet Loss (%) |
|---|---|---|---|
| China | 96 | 34 | 0 |
| USA | 83 - 99 | 9 - 166 | 0 |
| Netherlands | 84 | 158 | 0 |
| Germany | 83 | 168 | 0 |
| Russia | Not Consider | - | - |
| Great Britain | 82 - 85 | 149 - 156 | 0 |
| Canada | 94 | 57 | 0 |
| Ukraine | Not Consider | - | - |
| Latvia | Not Consider | - | - |
| France | Not Consider | - | - |

V. CONSIDERING COUNTRIES SUBJECT TO ATTACK

More than 86% of the 73,619,767 attacks targeted the machines of users in the ten countries listed below. This ranking has changed significantly since last year. China remains the leader in terms of numbers of potential victims, but the number of attacks dropped by 7%. Other countries which were near the top of the table last year, such as Egypt, Turkey, and Vietnam, now seem to be of less interest to cybercriminals. However, the number of attacks on users based in the US, Germany, Great Britain and Russia rose significantly.

Table 8. Top ten countries subject to attack in 2009

| № | Country | Percentage of all attacks |
|---|---|---|
| 1 | China | 46.75% |
| 2 | USA | 6.64% |
| 3 | Russia | 5.83% |
| 4 | India | 4.54% |
| 5 | Germany | 2.53% |
| 6 | Great Britain | 2.25% |
| 7 | Saudi Arabia | 1.81% |
| 8 | Brazil | 1.78% |
| 9 | Italy | 1.74% |
| 10 | Vietnam | 1.64% |

VI. OUR SUGGESTED APPROACH

A. Suggested Topology

We studied statistical reports on Internet traffic in some important countries and saw that most attackers use these countries for network attacks. They were also the victim countries and subject to attack. So, if some powerful coordinators exist in these countries and strongly monitor their networks to detect/prevent attacks, other countries are able to work on the Internet safely. This idea is shown in Figure 4.

Figure 5. Placing Strong/Intelligence IDS/IPS in Countries that Subject to Attacks

Because a significant percentage of hackers attack in a few countries, we propose placing powerful IDSs/IPSs in these countries. When a new attack is detected by the IDSs/IPSs, they send the properties of the detected attack to all IDSs/IPSs that exist in other countries. We evaluated this idea in other papers and showed that the overhead traffic decreased over time and did not create any significant problem.

Also, the relations between IDSs/IPSs can be handled with secured mobile agents. They propose a system where an agent system will be explored on top of Grid systems that will provide security, autonomy, dynamic behavior and robust infrastructure. The key features of the proposed Agent based Grid Architecture are:

* Resuming of tasks (by using software agents) after a CPU has returned back to its idle state. All the communication and the execution of tasks are handled by software agents.
* Providing security to agents' personal (confidential) data. Support of task migration is provided by our architecture due to the introduction of agents. It handles fault tolerance by maintaining multiple copies of the task.

The architecture is actually a modification of Globus Toolkit where agents are introduced. In this way we reduced the communication overhead and provided support for task migration for resource utilization.

B. Standardization of all Detection Methods

We propose using a semantic web structure between all IDSs/IPSs to simplify the relation between coordinators. This leads to a collaboration platform for intrusion detection/prevention systems and enables all of them to use the experiences of other IDSs/IPSs. We proposed this idea precisely in another paper. The form of the semantic web that is created when an attack is detected is shown in the figure below.

Figure 6. The Semantic Web Form of a detected Attack

VII. CONCLUSION

In this article, we considered the population of the countries with the most traffic and the rate of attacks that occur in them. We also studied the probability and the rate of attacks. Studies of the ten countries subject to attack in 2009 were performed. We did not find any semantic relation between population and attacks. Finally, we proposed placing coordinators in the top countries hosting malware to detect anomalies quickly. With this, all IDSs/IPSs use the coordinators' abilities to detect the attacks.

REFERENCES

[1] en.wikipedia.org/wiki/Internet
[2] http://searchwindevelopment.techtarget.com/definition/Internet
[3] http://www.internetworldstats.com/stats.htm
[4] http://www.indexmundi.com/netherlands/population.html
[5] http://www.countryreports.org/people/overview.aspx?Countryname=&countryId=91
[6] http://www.trueknowledge.com/q/population_of_russia_2010
[7] www.trueknowledge.com/q/population_of_uk_2010
[8] www.statcan.gc.ca
[9] www.kyivpost.com/news/nation/detail/86668/
[10] https://www.cia.gov/library/publications/the-world-factbook/geos/fr.html
[11] Kaspersky Security Bulletin 2009. Statistics, 2009
[12] http://www.internettrafficreport.com/
[13] http://www.internettrafficreport.com/faq.htm#trindex
[14] Afshin Rezakhani Roozbahani, L. Rikhtechi and N. Mohammadi, "Converting Network Attacks to Standard Semantic Web Form in Cloud Computing Infrastructure", International Journal of Computer Applications (0975 – 8887) Volume 3 – No.4, June 2010.
[15] K. MuthuManickam, "A Security Model for Mobile Agent in Grid Environment", International Journal of Computer Applications (0975 – 8887) Volume 2 – No.2, May 2010.
[16] J. M. Kizza, "Computer Network Security", Springer, 2005.
[17] Microsoft, TechNet Library, Resources for IT Professionals, http://technet.microsoft.com/en-us/library/default.aspx, last visited December 2010.
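
Added example (not part of the paper): the Table 4 calculation "Column4 = column2 * column3" from Section III.D, recomputed in Python from the Table 3 counts, the Table 2 hosting percentages and the world totals the paper quotes. The `user_share` and `over_representation` columns and all function names are assumptions introduced here to compare each country's malware-hosting share with its share of the world's Internet users.

```python
"""Recompute Table 4 from the paper's Table 2 and Table 3 figures."""

WORLD_POPULATION = 6_845_609_960      # quoted in Section III.D
WORLD_INTERNET_USERS = 1_966_514_816  # quoted in Section III.D

# country: (population, Internet users, % of all malware-hosting attacks)
# Values copied from Table 3 and Table 2 of the paper.
COUNTRIES = {
    "China": (1_330_141_295, 420_000_000, 52.7),
    "USA": (310_232_863, 239_232_863, 19.02),
    "Netherlands": (16_783_092, 14_872_200, 5.86),
    "Germany": (82_282_988, 65_123_800, 5.07),
    "Russia": (142_012_121, 59_700_000, 2.58),
    "Great Britain": (62_348_447, 51_442_100, 2.54),
    "Canada": (34_019_000, 26_224_900, 2.22),
    "Ukraine": (45_415_596, 15_300_000, 2.17),
    "Latvia": (2_231_503, 1_503_400, 1.53),
    "France": (64_768_389, 44_625_300, 0.6),
}


def analyse(countries=COUNTRIES):
    """Return one row per country: the paper's columns plus two added ones."""
    rows = []
    for name, (population, users, hosting) in countries.items():
        pop_share = 100 * population / WORLD_POPULATION  # Table 4, column 2
        penetration = 100 * users / population           # Table 4, column 3
        column4 = pop_share * penetration / 100          # column2 * column3
        # Added metric: share of the world's Internet users. The denominator
        # is world Internet users, not world population as in column4.
        user_share = 100 * users / WORLD_INTERNET_USERS
        rows.append({
            "country": name,
            "pop_share": pop_share,
            "penetration": penetration,
            "column4": column4,
            "user_share": user_share,
            "hosting": hosting,
            # Added metric (assumption): above 1 means the country hosts more
            # malware than its share of Internet users alone would suggest.
            "over_representation": hosting / user_share,
        })
    return rows


def rank_by_over_representation(rows):
    """Sort rows from most to least over-represented in malware hosting."""
    return sorted(rows, key=lambda r: r["over_representation"], reverse=True)


if __name__ == "__main__":
    print(f"{'Country':<14}{'col4 %':>8}{'users %':>9}{'host %':>8}{'ratio':>8}")
    for r in rank_by_over_representation(analyse()):
        print(f"{r['country']:<14}{r['column4']:>8.2f}{r['user_share']:>9.2f}"
              f"{r['hosting']:>8.2f}{r['over_representation']:>8.2f}")
```

Column4 algebraically equals Internet users divided by world population, so it is a percentage of world population; dividing by world Internet users instead gives China about 21.4% rather than 6%. On these figures the small, high-penetration countries (Latvia, Netherlands) show the largest hosting-to-user-share ratios, which is the per-country detail a coordinator placement decision would want alongside the raw hosting percentages.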