Tracking the Role of Adversaries in Measuring Unwanted Traffic Mark Allman(ICSI) Paul Barford(Univ. Wisconsin) Balachander Krishnamurthy(AT&T Labs - Research)

Slides:

Advertisements

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Advertisements

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Detecting Evasion Attacks at High Speeds without Reassembly Detecting Evasion Attacks at High Speeds without Reassembly George Varghese J. Andrew Fingerhut.

Greg Williams CS691 Summer Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.

Lecture 14 Firewalls modified from slides of Lawrie Brown.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Intrusion Detection Systems and Practices

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

Security Awareness: Applying Practical Security in Your World

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.

Testing Intrusion Detection Systems: A Critic for the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory By.

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.

Lecture 11 Intrusion Detection (cont)

Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.

Department Of Computer Engineering

Intrusion Detection System Marmagna Desai [ 520 Presentation]

Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.

G53SEC 1 Network Security Hijacking, flooding, spoofing and some honey.

Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches ONR MURI area: High Confidence Real-Time Misuse and.

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.

1 Issues in Benchmarking Intrusion Detection Systems Marcus J. Ranum.

Distributed Phishing Attacks Markus Jakobsson Joint work with Adam Young, LECG.

Chapter 9: Cooperation in Intrusion Detection Networks Authors: Carol Fung and Raouf Boutaba Editors: M. S. Obaidat and S. Misra Jon Wiley & Sons publishing.

Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.

Bypassing Network Security: Evading IDSs, Honeypots, and Firewalls.

Network security Further protocols and issues. Protocols: recap There are a few main protocols that govern the internet: – Internet Protocol: IP – Transmission.

Security Evaluation of Pattern Classifiers under Attack.

ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.

1 TCP/IP Perversion Rares Stefan, Third Brigade Inc. SecTor 2007.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Intrusion Detection and Prevention. Objectives ● Purpose of IDS's ● Function of IDS's in a secure network design ● Install and use an IDS ● Customize.

Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.

A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.

Intrusion Detection Prepared by: Mohammed Hussein Supervised by: Dr. Lo’ai Tawalbeh NYIT- winter 2007.

INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.

CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.

Breno de MedeirosFlorida State University Fall 2005 Network Intrusion Detection Systems Beyond packet filtering.

IEEE Communications Surveys & Tutorials 1st Quarter 2008.

Chapter 5: Implementing Intrusion Prevention

Computer Network Forensics Lecture 6 – Intrusion Detection © Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering,

Mapping Internet Sensors with Probe Response Attacks Authors: John Bethencourt, Jason Franklin, Mary Vernon Published At: Usenix Security Symposium, 2005.

SNORT Biopsy: A Forensic Analysis on Intrusion Detection System By Asif Syed Chowdhury.

1 COPYRIGHT © 2015 ALCATEL-LUCENT. ALL RIGHTS RESERVED. Cognitive Security: Security Analytics and Autonomics for Virtualized Networks Lalita Jagadeesan.

Intrusion Detection System (IDS) Basics LTJG Lemuel S. Lawrence Presentation for IS Sept 2004.

Intrusion Detection System (IDS). What Is Intrusion Detection Intrusion Detection is the process of identifying and responding to malicious activity targeted.

HoneyComb HoneyComb Automated IDS Signature Generation using Honeypots Prepare by LIW JIA SENG Supervisor : AP. Dr. Mohamed Othman.

Cryptography and Network Security Sixth Edition by William Stallings.

Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.

DoS/DDoS attack and defense

Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.

I NTRUSION P REVENTION S YSTEM (IPS). O UTLINE Introduction Objectives IPS’s Detection methods Classifications IPS vs. IDS IPS vs. Firewall.

Network Intrusion Detection System (NIDS)

© 2006, iPolicy Networks, Inc. All rights reserved. Security Technology Correlation Proneet Biswas Sr. Security Architect iPolicy Networks

Using Honeypots to Improve Network Security Dr. Saleh Ibrahim Almotairi Research and Development Centre National Information Centre - Ministry of Interior.

Final Project: Advanced security blade

Snort – IDS / IPS.

Introduction to Networking

6.6 Firewalls Packet Filter (=filtering router)

Presentation transcript:

Tracking the Role of Adversaries in Measuring Unwanted Traffic Mark Allman(ICSI) Paul Barford(Univ. Wisconsin) Balachander Krishnamurthy(AT&T Labs - Research) Jia Wang(AT&T Labs - Research)

July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 2 How do adversaries impact measurements? While measurement systems are widespread, attention to impact of unwanted traffic is light Currently only arbitrary subset of attacks are considered Systematic evaluation of adversaries’ impact on measurement systems is needed

July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 3 How adversaries impact malware measurements Focus on malware measurements as opposed to general measurements In general measurements, gaming is common - consider Keynote – which measures from n sites but measures know them and can counteract In security related measurements, system could be compromised and inference could be flawed

July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 4 Background on measuring unwanted traffic Other categorizations possible but broadly Firewall: maintain per-flow state and control connection set-up NIDS - network intrusion detection systems: anomaly detection (e.g., by matching signatures) Honeypots: monitor and responds to probes Application-level filters: e.g., spam filter

July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 5 Challenges to security-related measurement systems Direct attacks Evasion Avoidance attacks

July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 6 Direct attacks Attack an IDS by increasing its memory requirements -- make it maintain more state Increasing background noise (via legitimate requests) Compromise measurement platform (e.g. Witty worm compromise hosts running ISS)

July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 7 Evasion Break payloads across packets ("ro" and "ot") Use non-standard port - port 80 for ssh Reorder and retransmit to fool NIDS Common victim: spam filters -- hence the use of random strings, deliberate mis-spellings Arms race - no easy way to defeat fully

July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 8 Avoidance attacks Reverse blacklisting honeypots to avoid them Reverse blacklists exchanged between attackers One countermeasure is Mohonk technique of rotating blackhole prefixes

July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 9 Taxonomy of how unwanted traffic pollutes measurement: concepts Two key concepts: consistency and isolation  Consistency: Set of packets P i always results in same set of log entries A j  Isolation: Set of packets P i results only in log entries A j Log entries vary across firewalls/NIDS and honeypots  Firewalls/NIDS logs: alarms with summary information from rule matching packets  Honeypot logs: packet traces with headers and/or payloads

July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 10 Taxonomy of how unwanted traffic pollutes measurement Consistent/isolated:  P i  A i and no other P k will impact A i  the baseline case - no pollution Consistent/non-isolated:  P i  A i but P i +P j  A j  measurement system behaves fine but log entries caused by unwanted traffic altered by other unwanted traffic Inconsistent/isolated:  P i  A j1 at time t 1 and P i  A j2 at time t 2  inconsistent behavior but limited impact Inconsistent/non-isolated: highly unpredictable

July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 11 Consistent/non-isolated - example Rule #1: uricontent:"/hsx.cgi"; (raise an alarm if /hsx.cgi appears in the URI) Rule #2: uricontent:"/hsx.cgi"; content:"../../"; content:"%00"; distance:1; (/hsx.cgi appears in URI and content of../.. followed by null byte in payload, raise an alarm) Sequence S 1 : payload 1: POST /hsx.cgi HTTP/1.0\r\nContent-length: 10\r\n\r\n payload 2:../ payload 3:../ payload 4: \x00\x00\x00\x00 Sequence S 2 : payload 1: POST /hsx.cgi HTTP/1.0\\r\\nContent-length: 10\r\n\r\n payload 2:../ payload 3: \x08/ payload 4:../ payload 5: \x00\x00\x00\x00 Snort generates alarms 1 and 2 on sequence S 1 but only alarm 1 on S 2 (backspace character in the fourth packet) - log entry changed by S 2

July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 12 Inconsistent/isolated Measurement system generates different alarm sets A 1, A 2 for same set of packets P arrived at time t 1 and t 2. Multiple backspace packets sent to Snort leads to unpredictable impact (inconsistency) on log entries but only signatures affected by backspace are problematic (isolated)

July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 13 Inconsistent/non-isolated Measurement system generates different log entries over time and is thus unpredictable Randomness in unwanted packet streams (beyond order of arrival) DoS: significantly increase resource use on measurement system What gets logged can be hard to predict

July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 14 Adding resilience to measurement systems Situational awareness Separating an attack from a non-attack Bypassing attacks Graceful degradation

July 7, 2006 Tracking the Role of Adversaries in Measuring Unwanted Traffic 15 Summary We have examined impact of unwanted traffic on measurement systems An initial taxonomy of how such traffic pollutes measurement Helps us design resilient measurement systems