
1 Matching TCP/IP Packet to Detect Stepping-stone Intrusion
Jianhua Yang, TSYS School of Computer Science
Edward Bosworth, Center for Information Assurance Education
Columbus State University
9/11/2015 Columbus State University 1/24

2 Layout
Background
Related Work
SWAM algorithm
Compare with SDC
Conclusion and future work

3 1. Background
How to attack other computers?
  Interactive
  Non-interactive
Interactive attack
  Direct
  Indirect

4 Indirect attack: Stepping-stone Intrusion
[Figure: Attacker -> Stepping-stones -> Victim, with a Monitor Point on a stepping-stone host]
Stepping-stone Intrusion Detection

5 A detection model
[Figure: the monitored host with its Incoming Connection and its Outgoing Connection]

6 2. Related Work
Content-based (Thumbprint) [1]
Time-based (ON-OFF) [2]
Deviation-based [3]
Packet-number based [4, 7]
Watermark-based [5, 6]
One-dimension Random-Walk [13]

7 Another model
[Figure: a Stepping-stone host; Send-Echo round trip versus Send-Ack round trip]
Ratio = RTT(Send-Ack) / RTT(Send-Echo)

8 The problems
Length estimation
Measure bar
Absorbing

9 Matching TCP Packet
Step-function (Packet-matching) [8]
Fluctuation estimation [9]
Clustering-Partitioning algorithm [10, 11]

10 SDC (Standard Deviation based Cluster Matching)
RTT distribution
[Figure 1: A distribution of RTT for a connection chain]

11 How SDC works
S = {s_1, s_2, s_3, s_4} = {1099702684, 1099772525, 1099909440, 1099928524}
E = {e_1, e_2, e_3, e_4} = {1099828523, 1099898019, 1100036000, 1100058999}
S_1 = {e_j - s_1 : j = 1..4} = {125839, 195335, 333316, 356315}
S_2 = {e_j - s_2 : j = 1..4} = {55998, 125494, 263475, 286474}
S_3 = {e_j - s_3 : j = 1..4} = {-80917, -11421, 126560, 149559}
S_4 = {e_j - s_4 : j = 1..4} = {-100001, -30505, 107476, 130475}

12 Basic idea of SDC
S = {s_1, s_2, ..., s_n}, E = {e_1, e_2, ..., e_m}
S_1 = {e_1 - s_1, e_2 - s_1, ..., e_m - s_1}
S_2 = {e_1 - s_2, e_2 - s_2, ..., e_m - s_2}
...
S_n = {e_1 - s_n, e_2 - s_n, ..., e_m - s_n}
Combination: form clusters by taking one element from each S_i (one candidate RTT per Send)
Standard deviation: compute the standard deviation of every cluster
Get the smallest one: the cluster with the smallest standard deviation gives the matched Send/Echo pairs

13 Complexity
Number of clusters = m^n (m Echo packets, n Send packets)
Example: 80 Send packets, 115 Echo packets: 115^80 = 7.175e+164 clusters
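The SDC procedure of slides 11 to 13, run on the four Send and four Echo timestamps of slide 11, as an added Python example that is not part of the talk or the authors' code. It enumerates every cluster (one candidate RTT e_j - s_i per Send), keeps the cluster with the smallest standard deviation, maps it back to Send/Echo pairs, and evaluates the m^n cluster count of slide 13. Timestamp units are whatever the capture used; negative differences are kept exactly as slide 11 lists them rather than pruned.

```python
from itertools import product
from statistics import pstdev

# Send and Echo timestamps copied from slide 11 (units as captured).
S = [1099702684, 1099772525, 1099909440, 1099928524]
E = [1099828523, 1099898019, 1100036000, 1100058999]


def difference_sets(sends, echoes):
    """S_i = {e_j - s_i : e_j in E}: every candidate RTT for Send i (slide 11).
    Negative entries (an Echo captured before the Send) are kept, as on the slide."""
    return [[e - s for e in echoes] for s in sends]


def sdc_match(sends, echoes):
    """Brute-force SDC: visit all m**n clusters, one element from each S_i,
    and return (cluster, standard deviation) for the tightest one."""
    sets = difference_sets(sends, echoes)
    best_cluster, best_sd = None, None
    for cluster in product(*sets):
        sd = pstdev(cluster)
        if best_sd is None or sd < best_sd:
            best_cluster, best_sd = cluster, sd
    return best_cluster, best_sd


def matched_pairs(sends, echoes):
    """Translate the winning cluster back into 1-based (send, echo) index pairs."""
    sets = difference_sets(sends, echoes)
    cluster, _ = sdc_match(sends, echoes)
    return [(i + 1, sets[i].index(rtt) + 1) for i, rtt in enumerate(cluster)]


def sdc_cluster_count(n_send, n_echo):
    """Slide 13: SDC has to examine n_echo ** n_send clusters."""
    return n_echo ** n_send


if __name__ == "__main__":
    cluster, sd = sdc_match(S, E)
    print("tightest cluster:", cluster, "std dev: %.1f" % sd)
    print("matched (send, echo):", matched_pairs(S, E))
    print("clusters for 80 sends / 115 echoes: %.3e" % sdc_cluster_count(80, 115))
```

For the slide's data the tightest of the 256 clusters is (125839, 125494, 126560, 130475), i.e. s_1 with e_1, s_2 with e_2, s_3 with e_3 and s_4 with e_4, with a standard deviation of about 1991; every other cluster is far wider. Brute force is only viable at this toy size, which is the point slide 13 makes with 115^80.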

14 SWAM (Sliding Window packet Matching algorithm)
S = {s_1, s_2, s_3, s_4, s_5, s_6, s_7, s_8, s_9, s_10}
E = {e_1, e_2, e_3, e_4, e_5, e_6, e_7, e_8, e_9, e_10, e_11, e_12, e_13, e_14}
Window size = 3
Q = {s_1, s_2, e_1, s_3, e_2, s_4, e_3, e_4, s_5, e_5, s_6, e_6, e_7, s_7, e_8, e_9, s_8, e_10, s_9, e_11, e_12, s_10, e_13, e_14}

15 Comparison
For the previous example:
SDC: number of clusters = 14^10 = 289254654976
SWAM: number of clusters = 2^10 = 1024
Ratio: 1024 / 289254654976 = 0.00000035%
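The sliding-window idea of slides 14 and 15, as an added Python example that is not the authors' code. The arrival order Q is copied from slide 14; the timestamps attached to it are constructed for this example so that every Send has one Echo about 200 time units later, plus four extra Echo packets (e_7, e_9, e_12, e_14) with no Send of their own. The window rule is an assumption, since the talk defers the details to the paper: a Send may be paired only with the first w = 3 Echo packets that follow it in Q, and the Echoes chosen for successive Sends must be in increasing order. Under that rule the search examines 39366 clusters rather than the 1024 the slide reports for the paper's own rule, but the contrast with SDC's 14^10 is the same.

```python
from itertools import product
from statistics import pstdev

# Arrival order from slide 14. Timestamps are constructed for this example: every Send
# is answered roughly 200 units later; e7, e9, e12 and e14 are extra Echo packets.
Q = [
    ("s1", 1000), ("s2", 1100), ("e1", 1202), ("s3", 1250), ("e2", 1299), ("s4", 1400),
    ("e3", 1451), ("e4", 1598), ("s5", 1650), ("e5", 1853), ("s6", 1900), ("e6", 2097),
    ("e7", 2130), ("s7", 2200), ("e8", 2402), ("e9", 2440), ("s8", 2500), ("e10", 2701),
    ("s9", 2750), ("e11", 2949), ("e12", 2980), ("s10", 3100), ("e13", 3302), ("e14", 3340),
]


def window_candidates(seq, w):
    """Assumed window rule: for each Send, keep only the first w Echo packets that
    arrive after it. Returns [(send, [(echo, rtt), ...]), ...] in Send order."""
    out = []
    for i, (name, t_send) in enumerate(seq):
        if name[0] != "s":
            continue
        later_echoes = [(n, t - t_send) for n, t in seq[i + 1:] if n[0] == "e"]
        out.append((name, later_echoes[:w]))
    return out


def window_cluster_count(seq, w):
    """Clusters the windowed search has to look at: product of the window sizes."""
    total = 1
    for _, cands in window_candidates(seq, w):
        total *= len(cands)
    return total


def full_cluster_count(seq):
    """Slide 15: SDC would look at m**n clusters for the same packets."""
    n = sum(1 for name, _ in seq if name[0] == "s")
    m = sum(1 for name, _ in seq if name[0] == "e")
    return m ** n


def swam_match(seq, w):
    """Pick the windowed cluster with the smallest RTT standard deviation.
    An Echo answers at most one Send, and Echo order must follow Send order."""
    cands = window_candidates(seq, w)
    sends = [s for s, _ in cands]
    best_pairs, best_sd = None, None
    for choice in product(*[c for _, c in cands]):
        echo_ids = [int(e[1:]) for e, _ in choice]
        if any(b <= a for a, b in zip(echo_ids, echo_ids[1:])):
            continue  # an Echo reused or out of order: not a valid cluster
        sd = pstdev([rtt for _, rtt in choice])
        if best_sd is None or sd < best_sd:
            best_pairs = dict(zip(sends, (e for e, _ in choice)))
            best_sd = sd
    return best_pairs, best_sd


if __name__ == "__main__":
    pairs, sd = swam_match(Q, 3)
    print("matched:", pairs, "std dev: %.2f" % sd)
    print("clusters examined: windowed (w=3) =", window_cluster_count(Q, 3),
          "vs SDC =", full_cluster_count(Q))
```

On the constructed timestamps the windowed search recovers the intended pairing (s_7 with e_8, s_8 with e_10, s_9 with e_11, s_10 with e_13, the extra Echoes left unmatched) with a standard deviation just under 2, while looking at 3^9 * 2 = 39366 clusters instead of 14^10. The window only helps if the true Echo really is among the next few arrivals, which is what the TCP/IP facts of slide 19 are there to justify.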

16 General Comparison
[Figure]

17 Live Sliding Window (LSW)
Why use LSW?
Possible?

18 How to use LSW?
Determine the size of the LSW by the gap between s_i and s_j

19 Why does SWAM work?
Six facts from the TCP/IP protocol; for details, see Section 3.1 (Motivation) of the paper.

20 Conclusion
SWAM works and is more efficient than SDC at matching TCP/IP packets.

21 Future work
Using SWAM to compute the length of a connection chain.

22 References
[1] Staniford-Chen, S., and Heberlein, L. T.: Holding Intruders Accountable on the Internet. Proc. IEEE Symposium on Security and Privacy, Oakland, CA, USA (1995) 39-49.
[2] Zhang, Y., and Paxson, V.: Detecting Stepping Stones. Proc. 9th USENIX Security Symposium, Denver, CO, USA (2000) 171-184.
[3] Yoda, K., and Etoh, H.: Finding Connection Chain for Tracing Intruders. Proc. 6th European Symposium on Research in Computer Security, Toulouse, France (2000) 31-42.
[4] Blum, A., Song, D., and Venkataraman, S.: Detection of Interactive Stepping-Stones: Algorithms and Confidence Bounds. Proc. International Symposium on Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, France (2004) 20-35.
[5] Wang, X., Reeves, D. S., Wu, S. F., and Yuill, J.: Sleepy Watermark Tracing: An Active Network-based Intrusion Response Framework. Proc. 16th International Conference on Information Security, Paris, France (June 2001) 369-384.
[6] Wang, X., Reeves, D., and Wu, S.: Inter-Packet Delay-based Correlation for Tracing Encrypted Connections through Stepping Stones. Proc. 7th European Symposium on Research in Computer Security, LNCS Vol. 2502, Zurich, Switzerland (October 2002) 244-263.
[7] He, T., and Tong, L.: Detecting Encrypted Interactive Stepping-Stone Connections. Proc. 2006 IEEE International Conference on Acoustics, Speech, and Signal Processing, Toulouse, France (May 2006).

23 References (cont.)
[8] Yang, J., and Huang, S.-H. S.: A Real-Time Algorithm to Detect Long Connection Chains of Interactive Terminal Sessions. Proc. 3rd ACM International Conference on Information Security (Infosecu'04), Shanghai, China (November 2004) 198-203. (Acceptance rate 25%)
[9] Yang, J., and Huang, S.-H. S.: Charactering and Estimating Network Fluctuation for Detecting Interactive Stepping-Stone Intrusion. Proc. International Conference on Communication, Network and Information Security, Phoenix, Arizona (November 2005) 70-75. (Acceptance rate 34%)
[10] Yang, J., Huang, S.-H. S., and Wan, M. D.: A Clustering-Partitioning Algorithm to Find TCP Packet Round-Trip Time for Intrusion Detection. Proc. 20th IEEE International Conference on Advanced Information Networking and Applications (AINA 2006), Vienna, Austria (April 2006) Vol. 1, 231-236. (Acceptance rate 30%)
[11] Yang, J., and Huang, S.: Probabilistic Analysis of an Algorithm to Compute TCP Packet Round-Trip Time for Intrusion Detection. Computers & Security, Elsevier, Vol. 26 (2007) 137-144.
[12] Zhao, G., Yang, J., Ni, L., Hura, G. S., and Huang, S.-H. S.: Correlating TCP/IP Interactive Sessions with Correlation Coefficient to Detect Stepping-Stone Intrusion. Proc. 23rd IEEE International Conference on Advanced Information Networking and Applications (AINA 2009), Bradford, UK (May 2009).
[13] Yang, J., Lee, B., and Huang, S.-H. S.: Monitoring Network Traffic to Detect Stepping-Stone Intrusion. Proc. 22nd IEEE International Conference on Advanced Information Networking and Applications (AINA 2008), Okinawa, Japan (March 2008) 56-61.

24 Thanks! Questions?
