Before an Introduction to Machine Learning (機械学習入門以前)


Upload: mrtc0

Post on 18-Jun-2015

Category:

Technology


1 download

DESCRIPTION

Presentation slides from #すごい合同勉強会 (11/01/2014)

TRANSCRIPT

1. (11/01/2014) @mrtc0

2. About me
   Twitter : @mrtc0
   Blog : http://mrt-k.github.io/
   Seccamp Kyusyu'14

3. 1,2 ...

4. IDS

5. ()

6. ??? PRML ??? PRML ....

7. C4.5, Neural Network, Support Vector Machine, AdaBoost, Core Vector Machine, K-Means, Naive Bayes, ROC Curve, Gini Index, EM, Random Forest, Apriori, Auto Encoder, RBM

8. () PRML ,

9. http://www.slideshare.net/unnonouno/jubatus-casual-talks
   http://www.slideshare.net/ffri/mr201306-machine-learningforcomputersecurityjpn

11. Weka (http://www.cs.waikato.ac.nz/ml/weka) Java GUI API

12. 2

13. ex) (, 180.4, 78.3), (, 146.4, 42.1) - , , F(178.3, 75.4) F(x)

14. , : : {,,,} ex) { long, purple, purple, Rize }

15. :
   hair_style,hair_color,eye,name
   long,blue,blue,Tino
   short,brown,purple,Cocoa
   long,black,green,Tiya
   long,black,purple,Rize
   short,brown,green,Syaro

17. (!) IDS

18. shellshock
   alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"%3D%28%29+%7B"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-7169; classtype:web-application-activity; sid:31975; rev:3;)
   alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-7169; classtype:web-application-activity; sid:31976; rev:3;)
   alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-7169; classtype:web-application-activity; sid:31977; rev:3;)
   alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-7169; classtype:web-application-activity; sid:31978; rev:3;)
   alert udp $HOME_NET 67 -> $HOME_NET 68 (msg:"OS-OTHER Malicious DHCP server bash environment variable injection attempt"; flow:stateless; content:"() {"; fast_pattern:only; content:"|02 01 06 00|"; depth:4; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service dhcp; reference:cve,2014-6271; reference:cve,2014-7169; classtype:attempted-admin; sid:31985; rev:3;)

19. Alert tcp any any -> any 80 (msg:WEB-IIS ISAPI .ida attempt; uricontent:.idq?; ...) .ida?

20. ... IP +

21. HTTP / HTTPS  Anum() Normal()  J48, RandomTree

22. User Agent, Content Length, Content Type, Method, URI, Payload, IP

23. Armitage HailMary 376 102  tshark, CSV
   len,srcport,dstport,user_agent,content_length,content_type,method,uri,data,label
   613,45485,80,0,440,0,POST,42,880,anum

24. m m-1 1 m

25. C4.5 ID3 X,

26. weka C4.5

27.                 True (actual)          False (actual)
    Positive        TP (True Positive)     FP (False Positive)
    Negative        FN (False Negative)    TN (True Negative)

28. = TP / (TP + FP)
    = FP / (TN + FP)

29. UA () {:;}; /bin/cat /etc/passwd ?

34. UA

35. &

36. 3 / 4781 / 478

39. ()

41. &

43. C4.5 ,

44. , +

45. HTTP ()
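Added example, not code from the original slides and not the presenter's own tooling: it takes HTTP request records in the CSV column layout of slide 23, applies the "() {" content match that the Shellshock rules on slide 18 use as a plain string check, tallies the TP/FP/TN/FN matrix of slide 27, and computes the two ratios of slide 28, TP/(TP+FP) (precision) and FP/(TN+FP) (false positive rate). The sample rows, the string-valued user_agent/uri/data columns (the slides encode those numerically before Weka), and every function name are constructed for this example. It also accepts the URL-encoded pattern from sid 31975 so the effect of that second signature on the matrix is visible.

```python
"""Score a signature-style detector against labelled HTTP request records.

Added example, not code from the original slides. The CSV header follows the
column list on slide 23; the rows, the raw-string user_agent/uri/data values
and all function names are constructed for this example.
"""
import csv
import io
from dataclasses import dataclass

# Content patterns taken from the Snort Shellshock rules on slide 18.
RAW_PATTERN = "() {"               # sids 31976-31978 (body, URI, header)
ENCODED_PATTERN = "%3D%28%29+%7B"  # sid 31975 (form/URL-encoded "=()+{")

# Constructed sample records. Columns are those of slide 23; the label column
# uses the two classes named on slide 21 ("anum" = anomalous, "normal").
HEADER = "len,srcport,dstport,user_agent,content_length,content_type,method,uri,data,label"
SAMPLE_CSV = "\n".join([
    HEADER,
    '613,45485,80,"() { :;}; echo test",440,0,POST,/cgi-bin/status,,anum',
    '302,45490,80,Mozilla/5.0,0,0,GET,/index.html,,normal',
    '355,45491,80,curl/7.35.0,0,0,GET,/cgi-bin/status?x=1,,normal',
    '700,45492,80,Mozilla/5.0,512,0,POST,/upload,"a=() { :;}; echo test",anum',
    # a benign request whose query string happens to contain the raw token
    '410,45493,80,Mozilla/5.0,0,0,GET,"/search?q=() {",,normal',
    # the same prefix form-encoded, which the raw-string check alone misses
    '520,45494,80,Mozilla/5.0,300,0,POST,/cgi-bin/x,x%3D%28%29+%7B,anum',
])


def is_flagged(row, patterns=(RAW_PATTERN,)):
    """Signature check: True if any inspected field contains one of the patterns.

    Mirrors what the slide 18 rules do with content:"..." across body, URI and
    headers, but on the extracted CSV fields instead of packets.
    """
    fields = (row["user_agent"], row["uri"], row["data"])
    return any(p in f for f in fields for p in patterns)


@dataclass
class Confusion:
    """The 2x2 matrix of slide 27: actual class vs. detector verdict."""
    tp: int = 0  # anum and flagged
    fp: int = 0  # normal but flagged
    tn: int = 0  # normal and not flagged
    fn: int = 0  # anum but not flagged

    def precision(self):
        # Slide 28, first ratio: TP / (TP + FP)
        return self.tp / (self.tp + self.fp)

    def false_positive_rate(self):
        # Slide 28, second ratio: FP / (TN + FP)
        return self.fp / (self.tn + self.fp)

    def recall(self):
        # Detection rate over the actual anum records: TP / (TP + FN)
        return self.tp / (self.tp + self.fn)


def evaluate(csv_text, patterns=(RAW_PATTERN,)):
    """Run the detector over every record and tally the confusion matrix."""
    cm = Confusion()
    for row in csv.DictReader(io.StringIO(csv_text)):
        actual_anum = row["label"] == "anum"
        flagged = is_flagged(row, patterns)
        if actual_anum and flagged:
            cm.tp += 1
        elif actual_anum:
            cm.fn += 1
        elif flagged:
            cm.fp += 1
        else:
            cm.tn += 1
    return cm


if __name__ == "__main__":
    for name, pats in [("raw only", (RAW_PATTERN,)),
                       ("raw + encoded", (RAW_PATTERN, ENCODED_PATTERN))]:
        cm = evaluate(SAMPLE_CSV, pats)
        print(f"{name:14s} TP={cm.tp} FP={cm.fp} TN={cm.tn} FN={cm.fn} "
              f"precision={cm.precision():.2f} "
              f"FPR={cm.false_positive_rate():.2f} recall={cm.recall():.2f}")
```

With the raw pattern alone the constructed set yields TP=2, FP=1, TN=2, FN=1, so precision is 2/3 and the false positive rate 1/3; adding the encoded pattern recovers the missed record (TP=3, FN=0) without changing the FP column. The FP row is the benign query that merely contains the literal, which is the weakness of matching a short string; the FN row is the case the encoded pattern in sid 31975 exists for, and the reason the slides move on from signatures to classifiers trained on the extracted features.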