
Slide 1: Session 1341 (Security track): Case Studies of Intrusion Traffic Patterns Using OPNET. Mian Zhou, Sheau-Dong Lang, University of Central Florida. Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties.

Slide 2: Outline
- Simulation of network intrusion scenarios.
- Testing a frequency-based intrusion detection strategy.
- Studying the effects of transmission delays on our detection strategy.

Slide 3: Our Approach to Intrusion Simulation
- Use OPNET to simulate intrusion scenarios by replaying the network traffic.
- Traffic data sources: the publicly available datasets from MIT Lincoln Laboratory (the DARPA intrusion detection evaluation data), and self-generated attack traffic.
- Attack tools: Nmap, Battle.
- Sniffer: Ethereal (since renamed Wireshark).

Slide 4: Simulation using OPNET
Figure: the three OPNET modelling domains (network domain, node domain, process domain) and the C code behind a process node.

Slide 5: Pre-processing Traffic Data
- Process the TCPDUMP data to extract:
  - the packet inter-arrival times;
  - the traffic duration;
  - a list of the distinct IP addresses in the traffic source.
- Build a network model whose end nodes correspond to the extracted IP addresses.

Slide 6: OPNET Model: Packet Generator
Figure: the attribute panel of the packet generator, with scripted packet inter-arrival times calculated from pre-processing the source data.
Packet format: drop the payload of the original packets but retain the header information (IP addresses, port numbers, packet size, time stamp, flags, etc.). Because only sizes and timing are kept, the replay reproduces the volume and cadence of an attack, not the content of its payloads.
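The pre-processing of slides 5 and 6, written out as an added Python example (this is not the authors' OPNET tooling): it parses constructed tcpdump-style text lines, keeps header fields only, groups packets into connections, and emits the per-connection inter-arrival sequence, duration and packet-size variance (the feature that slide 9's variance analysis compares against a threshold), plus the distinct host list used to lay out the network model. The sample capture, the `Packet`/`preprocess` names and the connection key (source, destination, destination port) are my assumptions; the slides do not say how a connection is keyed, nor what file format OPNET's scripted distribution expects, so the inter-arrival script is left as a Python list.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample (not Lincoln Lab data) in the style of `tcpdump -n -tt`
# text output: a scripted client opening a new connection to port 25 of
# 172.16.114.50 every 0.1 s (a hypothetical stand-in for a ProcessTable-style
# attack), one ordinary web connection in each direction, and one ARP line
# that the parser has to skip.
SAMPLE_DUMP = """\
1046435223.000000 IP 172.16.112.50.2001 > 172.16.114.50.25: Flags [S], length 0
1046435223.070000 IP 172.16.112.100.3456 > 172.16.114.50.80: Flags [S], length 0
1046435223.090000 IP 172.16.114.50.80 > 172.16.112.100.3456: Flags [S.], length 0
1046435223.100000 IP 172.16.112.50.2002 > 172.16.114.50.25: Flags [S], length 0
1046435223.200000 IP 172.16.112.50.2003 > 172.16.114.50.25: Flags [S], length 0
1046435223.230000 IP 172.16.112.100.3456 > 172.16.114.50.80: Flags [P.], length 312
1046435223.300000 IP 172.16.112.50.2004 > 172.16.114.50.25: Flags [S], length 0
1046435223.350000 IP 172.16.114.50.80 > 172.16.112.100.3456: Flags [P.], length 1024
1046435223.400000 IP 172.16.112.50.2005 > 172.16.114.50.25: Flags [S], length 0
1046435223.500000 IP 172.16.112.50.2006 > 172.16.114.50.25: Flags [S], length 0
1046435223.610000 IP 172.16.112.100.3456 > 172.16.114.50.80: Flags [P.], length 140
1046435223.700000 ARP, Request who-has 172.16.114.1 tell 172.16.112.50, length 28
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], length (?P<length>\d+)"
)


@dataclass(frozen=True)
class Packet:
    """Header fields retained for replay; the payload is deliberately dropped."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    length: int


def parse_line(line):
    """Return a Packet for one tcpdump text line, or None for lines we do not replay."""
    m = LINE_RE.match(line)
    if not m:
        return None  # ARP, truncated or otherwise non-IP/TCP lines are skipped
    return Packet(float(m["ts"]), m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["flags"], int(m["length"]))


def flow_key(p):
    # Assumption: a "connection" is keyed by (src, dst, dst port), so that a
    # scripted attack opening many short-lived connections to one service
    # (new source port each time) forms a single data sequence.
    return (p.src, p.dst, p.dport)


def preprocess(dump_text):
    """Extract what slide 5 lists: per-connection inter-arrival times, durations,
    packet-size variance, and the distinct hosts that become OPNET end nodes."""
    packets = [p for p in (parse_line(l) for l in dump_text.splitlines()) if p]
    packets.sort(key=lambda p: p.ts)
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    features = {}
    for key, pkts in flows.items():
        ts = [p.ts for p in pkts]
        sizes = [p.length for p in pkts]
        features[key] = {
            # rounded to microseconds, the resolution of the capture timestamps
            "inter_arrival": [round(b - a, 6) for a, b in zip(ts, ts[1:])],
            "sizes": sizes,
            "size_variance": statistics.variance(sizes) if len(sizes) > 1 else 0.0,
            "duration": round(ts[-1] - ts[0], 6),
        }
    hosts = sorted({p.src for p in packets} | {p.dst for p in packets})
    return {
        "hosts": hosts,
        "duration": round(packets[-1].ts - packets[0].ts, 6) if packets else 0.0,
        "flows": features,
    }


if __name__ == "__main__":
    result = preprocess(SAMPLE_DUMP)
    print("end nodes:", result["hosts"], "duration:", result["duration"], "s")
    for key, f in result["flows"].items():
        print(key, "gaps:", f["inter_arrival"], "size variance:", round(f["size_variance"], 1))
```

In the sample the scripted SMTP client produces a flat sequence of 0.1 s gaps and zero size variance, which is the signature slides 8 and 9 go on to look for, while the two web-traffic connections have irregular gaps and non-zero variance.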

Slide 7: Two Sample Outputs from Simulation of the ProcessTable Attack
Data source: 1999 Lincoln week 5 outside data; DoS attack: ProcessTable.
(a) Number of distinct port connections to a victim. (b) Data traffic to port 25 of the victim PC.

Slide 8: Frequency-based Intrusion Detection
- Observation: certain network attacks are executed by running pre-written scripts which automate the process of connecting to various ports, sending packets with fabricated payloads, etc.
- Frequency-based intrusion detection: use the Discrete Fourier Transform (DFT) to identify periodicity patterns.
- Where to find the periodicity patterns:
  - the time series of packet inter-arrival times;
  - the time series of packet arrival rates;
  - the size distribution of packet payloads.

Slide 9: Overall Detection Strategy (flow diagram)
- Traffic data → parse → new connection history → generate the time-series data for the new connections.
- Variance analysis branch: average variance of packet size for each connection → compare with a threshold value → report attacks, or pass the trusted connections on.
- DFT branch: data sequence for each connection → local frequency pattern; data sequence for multiple connections → global frequency pattern → report attacks.

Slide 10: Frequency Extraction by Discrete Fourier Transform (DFT)
For a given data sequence s(n), where n ≥ 0 is a discrete value representing the time, its DFT coefficients F(k), 0 ≤ k ≤ N − 1, where N is the length of s(n), are defined as follows. Expanding the right-hand side yields the real and imaginary parts. Using the Fast Fourier Transform (FFT) procedure, the frequency data F(k) can be computed in O(N log N) time.
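The transcript does not carry the formula from slide 10; the standard DFT definition in the slide's own symbols, added here and followed by the expansion the slide refers to, is

$$F(k) = \sum_{n=0}^{N-1} s(n)\, e^{-2\pi i k n / N}, \qquad 0 \le k \le N-1,$$

$$F(k) = \sum_{n=0}^{N-1} s(n)\cos\!\left(\frac{2\pi k n}{N}\right) \;-\; i \sum_{n=0}^{N-1} s(n)\sin\!\left(\frac{2\pi k n}{N}\right).$$

The "frequency pattern" plotted on slides 11 to 13 is the magnitude $|F(k)|$ over $k$; a sequence that repeats every $p$ samples concentrates its energy at $k = N/p$ and its multiples, which is the spike the detector looks for.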

Slide 11: Detection Results: the ProcessTable Attack
Figure (panels 1 to 6): frequency patterns extracted by DFT on the inter-arrival times of six connections. Connections 2 and 4 show periodicity patterns. The traffic of connection 2 is the ProcessTable attack; connection 4 is a probe attack, which probes the target's ports ranging from 1794 to 2631.

Slide 12: Detection Results: the Dictionary Attack
Figure (panels 1 to 6): frequency patterns on the inter-arrival times of six connections for the dictionary attack. Connection 2 shows the password-guessing (dictionary) attack.

Slide 13: Detection Results: the sshProcessTable Attack
Figure (panels 1 to 6): frequency patterns of the packet arrival rates of six connections for the sshProcessTable attack. Connection 2 contains the attack traffic.
Figure (panels 1 to 6): frequency patterns of the inter-arrival times for the same six connections. Connection 2 shows the attack traffic.

Slide 14: The Effect of Transmission Delays on Frequency Patterns
Figure: the spectrum (frequency patterns) of three time series, where the original data values lie in [0.002, 0.5].
(a) The spectrum of the original data series X(t).
(b) The spectrum of X(t) + exp(0.5) (exponentially distributed delay with mean value 0.5 seconds).
(c) The spectrum of X(t) + exp(5).
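The DFT-based periodicity check of slides 8 to 10 and the delay experiment of slide 14, as one added Python example (not the authors' code; written here from scratch). `periodicity_score` is a hypothetical scoring rule of my own, the ratio of the strongest non-DC spectral line to the mean line magnitude; the scripted four-gap pattern, the delay means and the random seed are constructed. One deliberate difference from slide 14: delays are applied per packet to the send timestamps, as the Internet cloud of slide 17 would do, instead of being added directly to the series, so the receiver's gaps are perturbed by the difference of consecutive delays and packets can reorder.

```python
import cmath
import math
import random


def dft(s):
    """Direct O(N^2) evaluation of F(k) = sum_n s(n) * exp(-2*pi*i*k*n/N)."""
    N = len(s)
    return [sum(s[n] * cmath.exp(-2j * math.pi * k * n / N) for n in range(N))
            for k in range(N)]


def fft(s):
    """Radix-2 Cooley-Tukey FFT: same F(k) as dft() in O(N log N) when N is a
    power of two; falls back to the direct sum for an odd length."""
    N = len(s)
    if N == 1:
        return [complex(s[0])]
    if N % 2:
        return dft(s)
    even, odd = fft(s[0::2]), fft(s[1::2])
    out = [0j] * N
    for k in range(N // 2):
        t = cmath.exp(-2j * math.pi * k / N) * odd[k]
        out[k], out[k + N // 2] = even[k] + t, even[k] - t
    return out


def periodicity_score(series):
    """Hypothetical score: strongest non-DC line divided by the mean line
    magnitude, taken over the first half of the spectrum (real input, so the
    second half mirrors it). A scripted fixed cadence piles energy into a few
    bins and scores high; random timing spreads it and scores low."""
    mags = [abs(c) for c in fft(series)]
    body = mags[1:len(mags) // 2 + 1]
    mean = sum(body) / len(body)
    return max(body) / mean if mean > 0 else 0.0


def inter_arrivals_after_delay(send_gaps, mean_delay, seed=1):
    """Rebuild send timestamps from the sender-side gaps, add an independent
    exponentially distributed delay (mean `mean_delay` seconds) to every
    packet, re-sort by receive time, and return the receiver-side gaps.
    Assumption: i.i.d. per-packet delay, the way slide 17 configures the
    Internet cloud's latency distribution."""
    rng = random.Random(seed)
    send = [0.0]
    for gap in send_gaps:
        send.append(send[-1] + gap)
    recv = sorted(t + (rng.expovariate(1.0 / mean_delay) if mean_delay > 0 else 0.0)
                  for t in send)
    return [b - a for a, b in zip(recv, recv[1:])]


# Constructed scripted pattern: a 4-packet cycle of gaps inside [0.002, 0.5] s,
# the value range slide 14 uses, repeated 64 times -> N = 256 gaps.
SCRIPTED = [0.05, 0.2, 0.35, 0.5] * 64


def delay_experiment(mean_delays=(0.0, 0.5, 5.0)):
    """Slide 14's experiment: score the same scripted sequence with no delay,
    exp(0.5) delay and exp(5) delay."""
    return {m: periodicity_score(inter_arrivals_after_delay(SCRIPTED, m))
            for m in mean_delays}


if __name__ == "__main__":
    for m, score in delay_experiment().items():
        print(f"mean delay {m:>4} s -> periodicity score {score:6.1f}")
```

With no delay the 256-gap sequence puts almost all of its non-DC energy in bins 64 and 128 (period 4 and its harmonic), so the score is far above anything random timing produces; with a 5 s mean delay the spread of consecutive-delay differences swamps the 0.5 s signal and the score collapses, which is the deviation slide 18 reports for large means. Two caveats a practitioner should keep in mind: on an inter-arrival series the index is the packet number, so the bins are cycles per packet, not per second (use the arrival-rate series of slide 13 for a real time axis); and the structure this scores is exactly what an attacker removes by jittering the script's timing, the limitation the conclusions slide raises.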

Slide 15: Transmission Delay in LANs
Figure: a simple LAN in which the web client sends the traffic to three servers. We collected the inter-arrival times of the traffic to the main server.
Figure: the profile configuration panel.

Slide 16: The Effect of Transmission Delays
Figure: the inter-arrival times and frequency patterns collected (a) at the sender (the web client) and (b) at the receiver (the main server).
Figure: frequency patterns collected at the main server when other types of explicit traffic loads are added to the web client traffic.

Slide 17: Transmission Delays in WANs
Figure: a WAN in which the site Dublin sends traffic to the site London through an Internet cloud. Other types of traffic, such as email and FTP, are created by the other five nodes and coexist with the custom traffic from Dublin.
Figure: the configuration panel for the Internet cloud, where we specify the statistical distribution of the packet latency caused by traversing the Internet. The packet delivery process of the custom traffic is controlled by scripted packet time intervals.

Slide 18: The Effect of Transmission Delays in WANs
Figure: frequency patterns of the packet inter-arrival times under different Internet transmission delays. The distributions for the transmission delay include constant, uniform, and exponential.
Figure: frequency patterns of the packet inter-arrival times with exponentially distributed transmission delays. The spectrum starts to deviate from the original as the mean value increases.

Slide 19: Conclusions
- Frequency-based intrusion detection:
  - detects anomalous traffic behaviours that contain periodicity patterns;
  - improves the effectiveness of signature-based intrusion detection systems when combined with other simple statistical features of the traffic data;
  - needs countermeasures for attacks whose scripts randomize their timing;
  - is limited to attacks with relatively long duration and heavy load (enough packets for a usable spectrum).
- Transmission delay and frequency patterns:
  - frequency patterns are not affected by a near-constant transmission delay;
  - frequency patterns persist in LANs;
  - in WANs, further studies on packet latency are required.

