Identifikasi Malicious Host dalam Local Area Network Menggunakan Teknik Graph Clustering dan Filtering
Penulis
Khafidzun Fadli, Achmad Basuki, Eko Setiawan Download PDFAbstrak
Keamanan pada Local Area Network (LAN) sekarang ini adalah masalah serius yang harus diperhatikan. Penyebab LAN menjadi tidak aman dikarenakan teknologi firewall tidak mampu melindungi host (komputer) dalam LAN dari penyebaran malware. Penyebaran malware yang terdapat dalam LAN dilakukan oleh host di dalam LAN yang disebut sebagai malicious host. Tindakan untuk mengurangi penyebaran malware dalam LAN dapat dilakukan dengan mengidentifikasi malicious host. Penelitian ini mengusulkan metode identifikasi malicious host berdasarkan aktivitas ARP request dengan menggunakan teknik graph clustering-filtering. Teknik graph clustering-filtering merupakan langkah-langkah pengelompokan serta penyaringan node dan edge berdasarkan parameter dari graph seperti weight edge, out-degree node dan weight out-degree node yang bertujuan untuk mengidentifikasi malicious host. Berdasarkan parameter dari graph seperti out-degree node dan weight out-degree node, penghitungan persentase aktivitas host dapat dilakukan untuk menunjukkan seberapa besar tingkat aktivitas host dalam melakukan broadcast ARP request, sehingga hasil penghitungan persentase aktivitas host dapat menentukan host yang diidentifikasi sebagai malicious host. Hasil penerapan teknik graph clustering-filtering terhadap 511 node dan 4144 edge didapatkan melalui pengamatan dan pengambilan data selama 3 jam dalam LAN kampus dapat divisualisasikan menjadi hanya 22 node dan 328 edge. Hasil penghitungan berdasarkan persentase jumlah aktivitas host menunjukkan 22 node menjadi 6 node yang diperkirakan sebagai malicious host. Dengan demikian, visualisasi graph menggunakan teknik graph clustering-filtering dan persentase aktivitas host dapat mengidentifikasi jumlah host yang dicurigai sebagai malicious host.
Abstract
Local Area Network (LAN) security is a serious problem to consider. The cause of LAN becomes insecure because firewall technology is not able to protect the host (computer) in LAN from spreading malware. The spread of malware contained within a LAN is carried out by hosts in the LAN which are referred to as malicious hosts. Actions to reduce the spread of malware in the LAN can be done by identifying malicious hosts. This paper proposes a method of identifying malicious hosts based on ARP request activities using graph clustering-filtering techniques. Graph clustering-filtering techniques are steps of grouping and filtering nodes and edges based on graph parameters such as weight edges, out-degree nodes and weight out-degree nodes that aim to identify malicious hosts. Based on parameters from the graph such as out-degree node and weight out-degree node, the calculation of the percentage of host activity can be done to show how much the level of host activity in broadcasting an ARP request, so that the result of calculating the percentage of host activity can determine a host that is categorized as a malicious host. The results of graph visualization using graph clustering-filtering technique can display fewer nodes and edges, from 511 nodes and 4144 edges to 22 nodes and 328 edges observed and collected in a LAN within 3 hour in the campus LAN. The results of the calculation of the percentage of host activity show hosts from 22 nodes become only 6 nodes which are suspected as malicious hosts. Overall, graph visualization with graph clustering-filtering techniques and the percentage of host activity can find a number of hosts identified as malicious hosts.
Teks Lengkap:
PDFReferensi
BASTIAN, M., HEYMANN, S. dan JACOMY, M. (2009) ‘Gephi: An Open Source Software for Exploring and Manipulating Networks. BT - International AAAI Conference on Weblogs and Social’, International AAAI Conference on Weblogs and Social Media, pp. 361–362.
BOND, T. (2009) ‘Visualizing Firewall Log Data to Detect Security Incidents’, Global Information Assurance Certification Paper Copyright.
DESTA, D. H. (2014) Visualization of PRADS Output Data Using Open-source Visualization Tools For Improved Log Analysis. UNIVERSITY OF OSLO Department of Informatics.
HUBBALLI, N., BISWAS, S., ROOPA, S., RATTI, R. dan NANDI, S. (2011) ‘LAN Attack Detection using Discrete Event Systems’, ISA Transactions. Elsevier Ltd, 50(1), pp. 119–130. doi: 10.1016/j.isatra.2010.08.003.
MARKO, P. dan VILHAN, P. (2012) ‘Efficient Detection of Malicious Nodes based on DNS and Statistical Methods’, IEEE 10th Jubilee International Symposium on Applied Machine Intelligence and Informatics, SAMI 2012 - Proceedings. IEEE, pp. 227–230. doi: 10.1109/SAMI.2012.6208963.
MATSUFUJI, K., KOBAYASHI, S., ESAKI, H. dan OCHIAI, H. (2019) ‘ARP Request Trend Fitting for Detecting Malicious Activity in LAN’, Advances in Intelligent Systems and Computing, 935, pp. 89–96. doi: 10.1007/978-3-030-19063-7_8.
MICROSOFT (2018) ‘Microsoft Security Intelligence Report’, Microsoft Security Intelligence Report, 24(Januari-December), pp. 1–19. Available at: http://download.microsoft.com/download/7/2/B/72B5DE91-04F4-42F4-A587-9D08C55E0734/Microsoft_Security_Intelligence_Report_Volume_16_English.pdf.
OCHIAI, H. (2019) ‘LAN-Security Monitoring Project Background : Cyber-Security Research’, Asia Pasific Advanced Network. Available at: https://www.lan-security.net/whitepaper.pdf.
RUOHONEN, K. (2013) Graph Theory. Tampere University of Technology. Available at: http://math.tut.fi/~ruohonen/GT_English.pdf.
SCHAEFFER, S. E. (2007) ‘Graph Clustering’, Computer Science Review, 1(1), pp. 27–64. doi: 10.1016/j.cosrev.2007.05.001.
VALLI, C. (2009) ‘Visualisation of Honeypot Data Using Graphviz and Afterglow’, Journal of Digital Forensics, Security and Law, (January). doi: 10.15394/jdfsl.2009.1056.
WHYTE, D., KRANAKIS, E. dan OORSCHOT, P. VAN (2005) ‘ARP-Based Detection of Scanning Worms within an Enterprise Network’, Annual Computer Security Applications Conference (ACSAC).
DOI: http://dx.doi.org/10.25126/jtiik.2020733339