DETECTING A CYBER-ATTACK SOURCE IN REAL TIME R. Romanyak 1), A. Sachenko 1), S. Voznyak 1), G. Connolly 2), G. Markowsky 2) 1) Ternopil Academy of National Economy 2) Department of Computer Science, U. of Maine

The Web Neighborhood Watch Project This project seeks to identify websites belonging to dangerous people such as terrorists In addition to the artificial intelligence components, there is a need for locating the website in physical space At last year's conference, work was presented on using the distributed traceroute approach to help locate computers physically

Not only is locating computers physically important for the Web Neighborhood Watch Project, but for dealing with cyber- attacks in general Current methods for tracking Internet- based attacks are primitive. It is almost impossible to trace sophisticated attacks using current tools. Locating Computers in Physical Space

Intruders Attack Sophistication and Intruder Technical Knowledge High Low Intruder Knowledge Attack Sophistication Cross site scripting password guessing self-replicating code password cracking exploiting known vulnerabilities disabling audits back doors hijacking sessions sweepers sniffers packet spoofing GUI automated probes/scans denial of service www attacks Tools stealth / advanced scanning techniques burglaries network mgmt. diagnostics distributed attack tools Staged Auto Coordinated

Techniques for Physically Locating Computers Whois Traceroute Distributed Traceroute Time Delay Method (new)

Whois Limitations Whois contains information about top-level domains only Distributed databases are not always connected

Traceroute Limitations It does not take advantage of the fact that there typically exist several different paths to the target computer Executing a single trace from a single location tends to produce results that are geographically insufficient

Distributed Traceroute Limitations The results are not always as accurate as one would want This approach cannot be applied when the attacker uses intermediate hosts with software redirectors to make a cyber-attack

Time Delay Method (new) Based on the concept that the most recent computer from which the attack was received was either: – a) The actual attacking computer – b) An intermediate host being used with redirection software Choosing between a) and b) is based on comparing the time delay between the attacking computer (AC) and the victim computer (VC) to the most recent time delay

A Cyber-attack using Redirectors T total = t 1 + t 2 + t 3 +…+t n + t n+1, t i - the time delay of the i-th link Attacking Computer Redirector 1 t1t1 t2t2 t3t3 tntn t n+1 Redirector 2 … Redirector n Victim Computer

Experimental Results The following servers were used: –TANE (Ternopil Academy of the National Economy, Ukraine, ) –Kiel University (Germany, ) –HTTL (Home To good service and Technology Ltd, London, England, )

Direct connection

Time Delays From HTTL to TANE

Time Delays from TANE to HTTL

Connection using redirector

Time Delays from HTTL to TANE using Kiel-redirector

Conclusion The Time Delay Method has the ability to locate a remote computer in real time based on delays in IP packet travel The Time Delay Method can also be used to analyze the nature of the links involved in the attack chain

Contact Information Roman Romanyak: Anatoly Sachenko: Serhiy Voznyak: Gene Connolly: George Markowsky: