Towards trapping wily intruders in the large
Glenn Mansfield, Kohei Ohta, Yohsuke Takei, Nei Kato, Yoshiaki Nemoto
Cyber Solutions Inc., Tohoku University
RAID’99, September 7-9, 1999
Cyber Solutions RAID’99
outline
background
– network-based illegal access detection
characteristics of network intrusions
– signatures of intrusions
detection of intrusion from traffic-flow
– traffic-flow signature
– correlation of signatures
– experimental evaluation
map-based distributed intrusion tracking
conclusion
background
Network-based illegal access detection
– rapid increase in network bandwidth
– devious techniques (e.g. spoofing) used by the hackers.
Suspicious Behavior
[figure: examples of suspicious behaviour]
Repeated Failures
Knocking at several doors
Signatures
characteristics of network intrusions (I)
Signals from TCP-Reset Characteristics
characteristics of network intrusions (II)
Number of ICMP-UR packets (port SNMP(161))
[chart: number of packets per hour; x-axis Hour, y-axis number of packets, 0 to 350]
characteristics of network intrusions (III)
ICMP destination port unreachable messages for SNMP port (under scan)
Timestamp   Source IP     Destination IP  Src port  Dest port
928256855   nnn.101.0.20  nnn.211.2.63    1026      SNMP(161)
928256855   nnn.101.0.20  nnn.211.2.62    1026      SNMP(161)
928256855   nnn.101.0.20  nnn.211.2.61    1026      SNMP(161)
928256855   nnn.101.0.20  nnn.211.2.60    1026      SNMP(161)
928256855   nnn.101.0.20  nnn.211.2.59    1026      SNMP(161)
928256856   nnn.101.0.20  nnn.211.2.25    1026      SNMP(161)
928256856   nnn.101.0.20  nnn.211.2.24    1026      SNMP(161)
928256856   nnn.101.0.20  nnn.211.2.23    1026      SNMP(161)
characteristics of network intrusions (IV)
Distribution of inter-message interval
[histogram: frequency (y-axis, 0 to 200) against inter-message interval in seconds (x-axis, 0 to 23)]
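As an added example (not from the slides), the scan signature of the two previous slides computed over rows in the table's format: the inter-message interval histogram, and a sweep check that flags a source hitting many distinct hosts on one port in quick succession. The rows are the slide's own (nnn. is the slide's anonymised octet); the function names and the thresholds are my assumptions.

```python
import re
from collections import Counter

# The eight rows from the slide's ICMP-UR table (nnn. is the slide's anonymised octet),
# embedded here as constructed sample input in 'timestamp src dst sport dport' form.
SAMPLE = """\
928256855 nnn.101.0.20 nnn.211.2.63 1026 SNMP(161)
928256855 nnn.101.0.20 nnn.211.2.62 1026 SNMP(161)
928256855 nnn.101.0.20 nnn.211.2.61 1026 SNMP(161)
928256855 nnn.101.0.20 nnn.211.2.60 1026 SNMP(161)
928256855 nnn.101.0.20 nnn.211.2.59 1026 SNMP(161)
928256856 nnn.101.0.20 nnn.211.2.25 1026 SNMP(161)
928256856 nnn.101.0.20 nnn.211.2.24 1026 SNMP(161)
928256856 nnn.101.0.20 nnn.211.2.23 1026 SNMP(161)
"""

def parse_records(text):
    """Parse rows into (ts, src, dst, sport, dport); dport may read 'SNMP(161)' or '161'."""
    recs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip header and blank lines
        ts, src, dst, sport, dport = parts
        recs.append((int(ts), src, dst, int(sport), int(re.search(r"\d+", dport).group())))
    return recs

def inter_message_intervals(records):
    """Histogram of gaps (seconds) between consecutive messages, as on the slide."""
    ts = sorted(r[0] for r in records)
    return Counter(b - a for a, b in zip(ts, ts[1:]))

def sweep_signature(records, min_targets=4, max_gap=1):
    """Per source: many distinct hosts, one destination port, messages at most max_gap s
    apart (assumed thresholds) -> the sweep pattern the slide shows for the SNMP port."""
    by_src = {}
    for ts, src, dst, sport, dport in records:
        by_src.setdefault(src, []).append((ts, src, dst, sport, dport))
    alerts = {}
    for src, evs in by_src.items():
        gaps = inter_message_intervals(evs)
        targets = {e[2] for e in evs}
        dports = {e[4] for e in evs}
        if len(targets) >= min_targets and len(dports) == 1 and gaps and max(gaps) <= max_gap:
            alerts[src] = {"targets": len(targets), "dport": dports.pop(),
                           "single_sport": len({e[3] for e in evs}) == 1}
    return alerts
```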
detection of intrusion from traffic-flow signature
Packet contents may be encrypted
Packet contents may be manipulated
The traffic volume may be very large
Traffic-flow signature(1)
[figure: site 1, site 2, site 3 and site 4 interconnected, with a traffic monitor at three points of the topology]
Traffic-flow signature(2)
$A = (a_1, a_2, \ldots, a_n) \qquad (1)$
where $a_i$ is the number of packets in time slot $i$.
correlating traffic-flow signature
Correlation of traffic patterns: correlation coefficient r
(A, B are two flows)
$$r(A,B) = \frac{\frac{1}{n}\sum_{i=1}^{n}(a_i - \bar{A})(b_i - \bar{B})}{s_{in}\, s_{out}}$$
$$s_{in} = \sqrt{\frac{1}{n}\sum_{i=1}^{n}(a_i - \bar{A})^2}, \qquad s_{out} = \sqrt{\frac{1}{n}\sum_{i=1}^{n}(b_i - \bar{B})^2}$$
where $\bar{A}$ and $\bar{B}$ are the mean packet counts per slot of flows A and B.
experimental evaluation(configuration)
100Mbps FDDI backbone network
ICMP echo request/reply messages
[figure: network 1, network 2 and network 3 on the backbone, observed by probe 1 and probe 2]
Size of time slot δ: 1 minute
Window size Δ: 5 slots
Threshold of correlation coefficient: 0.9
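An added worked example (not the authors' code) of equation (1) and r(A,B) run with the configuration above (δ = 1 minute, Δ = 5 slots, threshold 0.9) over constructed incoming/outgoing packet counts shaped like the Smurf relay on the following slides; the function names, the sample series and the sliding-window policy are assumptions.

```python
import math

def flow_signature(timestamps, start, delta, n):
    """Equation (1): A = (a_1, ..., a_n), a_i = packets seen in slot i of width delta seconds."""
    sig = [0] * n
    for t in timestamps:
        i = int((t - start) // delta)
        if 0 <= i < n:
            sig[i] += 1
    return sig

def correlation(a, b):
    """r(A, B) from the slide: covariance over s_in * s_out; 0.0 if either flow is flat."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b)) / n
    s_in = math.sqrt(sum((x - mean_a) ** 2 for x in a) / n)
    s_out = math.sqrt(sum((y - mean_b) ** 2 for y in b) / n)
    if s_in == 0 or s_out == 0:
        return 0.0
    return cov / (s_in * s_out)

def relay_windows(incoming, outgoing, window=5, threshold=0.9):
    """Slide a window of `window` slots over both signatures (assumed policy) and
    return (first slot, r) for every window whose correlation reaches the threshold."""
    hits = []
    for k in range(len(incoming) - window + 1):
        r = correlation(incoming[k:k + window], outgoing[k:k + window])
        if r >= threshold:
            hits.append((k, round(r, 3)))
    return hits

# Constructed sample: twelve one-minute slots of packet counts at a site's border; an
# echo-reply burst arrives in slots 5-7 and leaves again in the same slots, the shape of
# the slide's Smurf relay plot. The background slots are unrelated noise.
INCOMING = [12, 10, 11, 13, 12, 900, 1500, 700, 11, 12, 10, 13]
OUTGOING = [40, 38, 41, 39, 42, 880, 1490, 690, 40, 39, 41, 38]

if __name__ == "__main__":
    for k, r in relay_windows(INCOMING, OUTGOING):
        print(f"slots {k}-{k + 4}: r = {r:.3f} -> relay suspected")
```

The window over the quiet slots 0-4 stays well under the 0.9 threshold, while every window that overlaps the burst exceeds it.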
relay of ICMP echo reply
A burst of ICMP echo reply triggered by broadcast ping, Smurf
[chart: number of packets (y-axis, 0 to 160000) against time [sec] (x-axis, 9960 to 11220 s); incoming traffic and outgoing traffic plotted together]
relay of ICMP echo request
A cluster of ICMP echo request triggering the bursty ICMP reply
[chart: number of packets (y-axis, 0 to 700) against time [sec] (x-axis, 3720 to 5160 s); incoming traffic and outgoing traffic plotted together]
http://www.cysols.com/IPAMaps/
ChaIn: Charting the Internet
IPA: Information technology Promotion Agency, Japan (www.ipa.go.jp)
inter-N/W communication I
Traffic monitoring at N/W border
– watch all the traffic
– process only suspicious packets.
Use network configuration information to trap and/or track-down the intruder.
Communication using SNMP(v3) notifications.
inter-N/W communication II
[figure: several detection systems exchanging SNMP INFORM PDUs, with resource references of the form http://…, ftp://…, snmp://… shown alongside]
5. Network Security Using Maps
[figure: an Intruder and a Monitor placed on a map of autonomous systems AS0, AS1, AS2 and AS3; a node that flags traffic as "Suspicious !!" asks its neighbours "Saw this?" and receives Yes/No answers]
conclusion
Profiling network traffic to distinguish normal usage from abnormal or ill-intentioned usage.
Monitoring suspicious signals in a distributed information collection framework
A new technique based on packet flow monitoring to counter the threats posed by spoofing.
Use of network configuration information to track down intruders.
Use of SNMP based messaging system.