Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tracking the Role of Adversaries in Measuring Unwanted Traffic Mark Allman(ICSI) Paul Barford(Univ. Wisconsin) Balachander Krishnamurthy(AT&T Labs - Research)

Published byNicholas Daniels Modified over 9 years ago

Similar presentations

Presentation on theme: "Tracking the Role of Adversaries in Measuring Unwanted Traffic Mark Allman(ICSI) Paul Barford(Univ. Wisconsin) Balachander Krishnamurthy(AT&T Labs - Research)"— Presentation transcript:

1 Tracking the Role of Adversaries in Measuring Unwanted Traffic Mark Allman(ICSI) Paul Barford(Univ. Wisconsin) Balachander Krishnamurthy(AT&T Labs - Research) Jia Wang(AT&T Labs - Research)

2 July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 2 How do adversaries impact measurements? While measurement systems are widespread, attention to impact of unwanted traffic is light Currently only arbitrary subset of attacks are considered Systematic evaluation of adversaries’ impact on measurement systems is needed

3 July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 3 How adversaries impact malware measurements Focus on malware measurements as opposed to general measurements In general measurements, gaming is common - consider Keynote – which measures from n sites but measures know them and can counteract In security related measurements, system could be compromised and inference could be flawed

4 July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 4 Background on measuring unwanted traffic Other categorizations possible but broadly Firewall: maintain per-flow state and control connection set-up NIDS - network intrusion detection systems: anomaly detection (e.g., by matching signatures) Honeypots: monitor and responds to probes Application-level filters: e.g., spam filter

5 July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 5 Challenges to security-related measurement systems Direct attacks Evasion Avoidance attacks

6 July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 6 Direct attacks Attack an IDS by increasing its memory requirements -- make it maintain more state Increasing background noise (via legitimate requests) Compromise measurement platform (e.g. Witty worm compromise hosts running ISS)

7 July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 7 Evasion Break payloads across packets ("ro" and "ot") Use non-standard port - port 80 for ssh Reorder and retransmit to fool NIDS Common victim: spam filters -- hence the use of random strings, deliberate mis-spellings Arms race - no easy way to defeat fully

8 July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 8 Avoidance attacks Reverse blacklisting honeypots to avoid them Reverse blacklists exchanged between attackers One countermeasure is Mohonk technique of rotating blackhole prefixes

9 July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 9 Taxonomy of how unwanted traffic pollutes measurement: concepts Two key concepts: consistency and isolation  Consistency: Set of packets P i always results in same set of log entries A j  Isolation: Set of packets P i results only in log entries A j Log entries vary across firewalls/NIDS and honeypots  Firewalls/NIDS logs: alarms with summary information from rule matching packets  Honeypot logs: packet traces with headers and/or payloads

10 July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 10 Taxonomy of how unwanted traffic pollutes measurement Consistent/isolated:  P i  A i and no other P k will impact A i  the baseline case - no pollution Consistent/non-isolated:  P i  A i but P i +P j  A j  measurement system behaves fine but log entries caused by unwanted traffic altered by other unwanted traffic Inconsistent/isolated:  P i  A j1 at time t 1 and P i  A j2 at time t 2  inconsistent behavior but limited impact Inconsistent/non-isolated: highly unpredictable

11 July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 11 Consistent/non-isolated - example Rule #1: uricontent:"/hsx.cgi"; (raise an alarm if /hsx.cgi appears in the URI) Rule #2: uricontent:"/hsx.cgi"; content:"../../"; content:"%00"; distance:1; (/hsx.cgi appears in URI and content of../.. followed by null byte in payload, raise an alarm) Sequence S 1 : payload 1: POST /hsx.cgi HTTP/1.0\r\nContent-length: 10\r\n\r\n payload 2:../ payload 3:../ payload 4: \x00\x00\x00\x00 Sequence S 2 : payload 1: POST /hsx.cgi HTTP/1.0\\r\\nContent-length: 10\r\n\r\n payload 2:../ payload 3: \x08/ payload 4:../ payload 5: \x00\x00\x00\x00 Snort generates alarms 1 and 2 on sequence S 1 but only alarm 1 on S 2 (backspace character in the fourth packet) - log entry changed by S 2

12 July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 12 Inconsistent/isolated Measurement system generates different alarm sets A 1, A 2 for same set of packets P arrived at time t 1 and t 2. Multiple backspace packets sent to Snort leads to unpredictable impact (inconsistency) on log entries but only signatures affected by backspace are problematic (isolated)

13 July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 13 Inconsistent/non-isolated Measurement system generates different log entries over time and is thus unpredictable Randomness in unwanted packet streams (beyond order of arrival) DoS: significantly increase resource use on measurement system What gets logged can be hard to predict

14 July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 14 Adding resilience to measurement systems Situational awareness Separating an attack from a non-attack Bypassing attacks Graceful degradation

15 July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 15 Summary We have examined impact of unwanted traffic on measurement systems An initial taxonomy of how such traffic pollutes measurement Helps us design resilient measurement systems

Download ppt "Tracking the Role of Adversaries in Measuring Unwanted Traffic Mark Allman(ICSI) Paul Barford(Univ. Wisconsin) Balachander Krishnamurthy(AT&T Labs - Research)"

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Detecting Evasion Attacks at High Speeds without Reassembly Detecting Evasion Attacks at High Speeds without Reassembly George Varghese J. Andrew Fingerhut.

Detecting Evasion Attacks at High Speeds without Reassembly Detecting Evasion Attacks at High Speeds without Reassembly George Varghese J. Andrew Fingerhut.
Greg Williams CS691 Summer 2011. Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.

Greg Williams CS691 Summer Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.

Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.

Similar presentations

Ads by Google