1 Active Mapping: Resisting NIDS Evasion Without Altering Traffic
Authors: Umesh Shankar (UC Berkeley) & Vern Paxson (ICSI)
Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics
Authors: Mark Handley and Vern Paxson (International Computer Science Institute) & Christian Kreibich (Technische Universität München)
Presented by: Jamie Margaret Huenefeld

2 Introduction
An Ambiguous Problem
–NIDS
  –Passively monitors network traffic to detect suspicious activity
  –Requires knowledge of the traffic the receiving host sees and of how the host interprets it
  –Result: the host's interpretation and the NIDS's interpretation can differ
  –Limited to network- and transport-layer interpretation

3 Presentation Outline
Normalization
Active Mapping
Comparison of Normalization and Active Mapping
Experimental Results using Active Mapping
Conclusions

4 Normalization
Tool that directly filters network traffic to eliminate ambiguities before it reaches the NIDS
–Removes some evasive opportunities ("bump in the wire")
–Authors attempt to identify all potential normalizations
–Example, with picture (page 3)

5 Why Normalization?
The alternatives are not comprehensive enough
–Host-based IDS: difficult deployment; a counter-NIDS solution
–Understanding details of the intranet: cumbersome for large networks
–Bifurcating analysis: can result in exponential analysis

6 Normalization Tradeoffs
As the degree of normalization increases, performance decreases and the impact on semantics grows
–Normalization vs. Protection
–End-to-End Semantics
–Stateholding
–Inbound vs. Outbound traffic

7 Two Major Considerations
“Cold Start”
–Analyzer lacks knowledge of previously established connections
Attacking the Normalizer
–Stateholding attacks
  –Incorrect headers
  –Normalizer required to hold state
–CPU overload

8 Header Walking – A Systematic Approach
Consider value ranges, semantics and methods of exploitation for each header element
–Uses IPv4
–Image from paper
–We can just drop these packets without semantic consequences:
  –Header length > packet length or < 20 bytes
  –Length > link-layer frame length
  –Clear bit between IP Ident & DF (the reserved flag bit)
  –DF set with non-zero fragmentation offset

9 Header Walking with Semantic Consequences
Image from paper
Manipulation of TTL
–Establish a minimum TTL in the normalizer and apply it to packets with lower values
–Effect on semantics:
  –Infinite loops
  –Breaks traceroute
  –Expanding-ring search performance impaired
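As an added example (not code from either paper or from this presentation), the following Python sketch applies the stateless header-walking rules of slides 8 and 9 to raw IPv4 packets: it drops packets whose header length, total length or DF/offset combination is invalid, clears the reserved flag bit between Ident and DF, and raises TTLs below a configured site minimum, recomputing the header checksum after any rewrite. MIN_TTL, the sample addresses and the packets produced by build_ipv4 are constructed values, not taken from the papers.

```python
import socket
import struct

# Constructed value: the normalizer's configured site-wide minimum TTL (slide 9).
MIN_TTL = 5


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; over a header with a correct checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, *, ihl=5, total_len=None, ttl=64, ident=1, flags=0,
               frag_off=0, proto=17, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Build a constructed IPv4 packet (20-byte header + payload) for the examples below.

    flags is the 3-bit field: 0b100 reserved, 0b010 DF, 0b001 MF.  A wrong ihl or
    total_len is deliberately allowed so that malformed test packets can be produced.
    """
    if total_len is None:
        total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, ident,
                         (flags << 13) | frag_off, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def normalize(frame: bytes, min_ttl: int = MIN_TTL):
    """Apply the slide-8/9 header-walking rules to one IPv4 packet.

    Returns ("drop", reason) or ("forward", possibly rewritten packet bytes).
    """
    if len(frame) < 20:
        return ("drop", "shorter than the minimal IP header")
    hdr_len = (frame[0] & 0x0F) * 4
    if hdr_len < 20 or hdr_len > len(frame):
        return ("drop", "header length < 20 bytes or > packet length")
    total_len = struct.unpack_from("!H", frame, 2)[0]
    if total_len > len(frame):
        return ("drop", "IP total length exceeds the link-layer frame")
    flags_frag = struct.unpack_from("!H", frame, 6)[0]
    if flags_frag & 0x4000 and flags_frag & 0x1FFF:
        return ("drop", "DF set together with a non-zero fragment offset")

    out = bytearray(frame)
    changed = False
    if flags_frag & 0x8000:                     # reserved bit between Ident and DF: clear it
        struct.pack_into("!H", out, 6, flags_frag & 0x7FFF)
        changed = True
    if out[8] < min_ttl:                        # slide 9: raise low TTLs (this is what breaks traceroute)
        out[8] = min_ttl
        changed = True
    if changed:                                 # any rewrite invalidates the header checksum
        struct.pack_into("!H", out, 10, 0)
        struct.pack_into("!H", out, 10, ipv4_checksum(bytes(out[:hdr_len])))
    return ("forward", bytes(out))


if __name__ == "__main__":
    samples = [("valid", build_ipv4(b"hello")),
               ("bad ihl", build_ipv4(b"hello", ihl=4)),
               ("oversized", build_ipv4(b"hello", total_len=100)),
               ("df+offset", build_ipv4(b"hello", flags=0b010, frag_off=3)),
               ("reserved bit", build_ipv4(b"hello", flags=0b100)),
               ("low ttl", build_ipv4(b"hello", ttl=2))]
    for label, pkt in samples:
        action, detail = normalize(pkt)
        print(f"{label:12s} -> {action}: {detail if action == 'drop' else detail[:12].hex()}")
```

The drop rules need no state and change no semantics, which is why the slide groups them separately from the TTL rewrite: raising the TTL keeps every packet deliverable inside the site but also prevents a looping packet from expiring and hides hops from traceroute.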

10 Header Walking with Semantic Consequences
Image from paper
Invalid source IP address, e.g. 127.0.0.1, 0.0.0.0
–Drop it!
–Effect on semantics: can cause packet drops for internal machines
–Source routing

11 Incompleteness of Normalization
Restricted to the internetwork and transport layers
Difficult to remove all ambiguities
Similar to a firewall, but does more work
Must be extremely reliable, even during attacks
Changes semantics
Can Active Mapping replace some normalizations?

12 Active Mapping
Acquiring network knowledge to determine:
–Packet arrival (whether a packet reaches the host)
–Interpretation (how the host interprets it)
Maintained in a profile database
Combined with some techniques used in Normalization

13 NIDS + Active Mapping = Disambiguation
Resolves ambiguities without intercepting or modifying the stream
Operational and semantic advantages
–Eliminates confusion

14 Base Network Assumptions
Stable network topology
Attacker is outside the network
Firewall used for simple packet filtering
Consistent behavior in host TCP/IP stacks

15 Design Goals
Comparable runtime performance
Mapping should be lightweight
Avoid harming the hosts

16 Architecture
Mapping tool runs on a network topologically equivalent to the monitored network

17 Protocol Details and Limitations
Use of header walking is a good place to start.
Firewall Filters
Selected Mappings
Difficult/Intractable Cases
Practical Considerations

18 Firewall Filters
Firewall should reject packets that could not be part of legitimate traffic
–Handled by stateless packet filtering
–Example: verifying the IP header

19 Selected Mappings
Hop Count: number of hops to an end host
PMTU: packets larger than the PMTU with DF set are discarded
TCP RST Acceptance: noncompliant TCP stacks can create connection-state discrepancies
Overlapping/Inconsistent IP Segments: how the host resolves overlapping segments, i.e. which bytes it treats as “new” data
–e.g. the “First” policy (earlier-received data wins)
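As an added example (not code from the paper or its prototype), the following Python sketch shows why the overlapping-segment mapping on slide 19 matters: the same three overlapping IP fragments reassemble to different byte strings under a "first" policy (earlier-received data wins) and a "last" policy (later data overwrites), so a NIDS that does not know the receiving host's policy cannot know which stream the host saw. With the policy recorded in the profile database, the NIDS reproduces the host's view; without it, the best it can do is flag the traffic as ambiguous. PROFILE_DB, the host addresses and the fragments are constructed sample values, and the two policies are the generic ones named above rather than a claim about any particular operating system.

```python
# Constructed profile database: host address -> reassembly policy learned by Active Mapping.
PROFILE_DB = {
    "192.0.2.10": "first",   # keeps the data that arrived first for any overlapping byte
    "192.0.2.20": "last",    # lets later-arriving data overwrite earlier data
}

POLICIES = ("first", "last")

# Constructed fragments as (byte offset, data), in arrival order.  Bytes 4-7 are
# covered by both the first and the second fragment, so the two policies disagree.
AMBIGUOUS_FRAGMENTS = [
    (0, b"AAAAAAAA"),   # covers bytes 0-7
    (4, b"BBBB"),       # covers bytes 4-7: overlaps the tail of the first fragment
    (8, b"CCCC"),       # covers bytes 8-11
]

# Constructed non-overlapping fragments: every policy yields the same stream.
CLEAN_FRAGMENTS = [(0, b"AAAA"), (4, b"BBBB"), (8, b"CCCC")]


def reassemble(fragments, policy):
    """Reassemble fragments under the given policy; returns None if a hole remains."""
    if policy not in POLICIES:
        raise ValueError("unknown reassembly policy: %r" % policy)
    length = max(off + len(data) for off, data in fragments)
    buf = [None] * length
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "first" and buf[pos] is not None:
                continue        # earlier data wins: ignore the overlapping byte
            buf[pos] = byte     # "last": later data overwrites
    if any(b is None for b in buf):
        return None             # a hole means the host would not deliver anything yet
    return bytes(buf)


def interpretations(fragments):
    """Map every known policy to the byte string it would produce."""
    return {policy: reassemble(fragments, policy) for policy in POLICIES}


def is_ambiguous(fragments):
    """True if at least two policies yield different streams (the NIDS evasion case)."""
    return len(set(interpretations(fragments).values())) > 1


def nids_view(dst_host, fragments):
    """What the NIDS should analyse for traffic to dst_host.

    With a mapped policy the NIDS reproduces the host's view.  Without one it
    returns None for ambiguous fragments, signalling that the stream cannot be
    interpreted reliably; unambiguous fragments are reassembled as-is.
    """
    policy = PROFILE_DB.get(dst_host)
    if policy is None:
        return None if is_ambiguous(fragments) else reassemble(fragments, "first")
    return reassemble(fragments, policy)


if __name__ == "__main__":
    for policy, stream in interpretations(AMBIGUOUS_FRAGMENTS).items():
        print(f"{policy:5s} policy -> {stream!r}")
    for host in ("192.0.2.10", "192.0.2.20", "192.0.2.99"):
        print(f"NIDS view for {host}: {nids_view(host, AMBIGUOUS_FRAGMENTS)!r}")
```

Running the block prints AAAAAAAACCCC for the "first" policy and AAAABBBBCCCC for "last"; the two mapped hosts each get the stream their stack would actually deliver, while the unmapped host gets None, which is the case a normalizer would instead resolve by rewriting the fragments.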

20 Difficult/Intractable Cases
Application-level parameters
New semantics
Nondeterministic packet drops

21 Dealing with Timeouts and Packet Drops
Can't be notified of every router or host packet drop
Send packets to receive packets

22 Practical Considerations
Active Mapping does not require a complete profile to be useful
Can be deployed incrementally while handling hurdles:
–NAT
–DHCP
–TCP Wrappers
–Attacks on the active mapper

23 Prototype Implementation
Implemented in Perl and ported to Linux and FreeBSD
ICMP and TCP
–Sent directly with raw sockets
–User-level TCP, similar to Tbit
Tests conducted in parallel with respect to machine and task

24 Mapping Tools
Nmap/Queso: determine the OS of a host
–Neither utility is precise
–OS knowledge reduces false positives
–Can serve as a proxy for mapping characteristics
Ntop NIDS
Tbit: learns the TCP (congestion control) behavior of web servers

25 Experiments and Results
Observed Active Mapping profiles
–Obtained significant data for over 4,800 hosts
–Diversity
–Few inconsistent results

26 Stability of Results
Tests to determine the number of IP addresses and to check profile consistency.

27 Mapping Time
Test results depend on the host and the host's policies
Inefficiencies and limited parallelism

28 Mapping Traffic
Bidirectional network traffic

29 NIDS Integration Tests
Correct data interpretation
–Synthetic test with ambiguous traffic generated using fragroute
–Reasonably correct
No additional runtime costs
–Comparison on real-world traffic revealed accurate results

30 Conclusions and Recommendations
Mapping can be performed frequently
–Remap large sites weekly (off-peak hours)
Inconsistencies between stored and observed policies can trigger a remap
On-the-fly mapping is improbable
Runtime performance not affected by Active Mapping
–Success depends on a correct host/policy profile!

31 Summary
Ambiguity is a difficult problem to solve
Elimination of network- and transport-layer ambiguities is proposed in this paper
–Active Mapping infers host behavior by sending and receiving packets
–Efficient in terms of time, speed, bandwidth and output

32 Summary
Future directions?
–Passive monitoring to determine when remapping is appropriate
–More mapping implementations
–Application-layer implementations

33 Works Cited
[0] Mark Handley, Christian Kreibich and Vern Paxson, “Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics,” Proc. 10th USENIX Security Symposium, 2001.
[1] Umesh Shankar and Vern Paxson, “Active Mapping: Resisting NIDS Evasion Without Altering Traffic”