Protecting Cyber-TA Contributors: Risks and Challenges
Vitaly Shmatikov, The University of Texas at Austin

Big Picture
- Intrusion detection data, security alerts, firewall data
- How to do collaborative analysis if networks don't trust each other?
- Goal: stop attackers from abusing these data

Sample Intrusion Detection Alert
An alert:
- may contain the victim's IP address
- reveals relationships with other networks
- reveals the target's IP address
- reveals the topology of the targeted network and attack propagation
- leaks information stored on targeted systems
- may reveal the organization that owns it

Basic Tradeoffs
Privacy and anonymity:
- Do not enable attackers to track attack propagation
- Do not announce site defenses
- Do not reveal network topology, configuration, enabled services
Utility:
- Support (at least) coarse-grained analysis: event trends, identification of common attack sources, connection patterns, blacklisting, etc.
Efficiency:
- Low overhead; no complicated crypto

Fundamental Problem
(Diagram: alert database)
- Alerts may be used to track progress of attacks and find new vulnerabilities
- Hard to tell the difference between an attacker and a legitimate researcher
- Sometimes, the only difference is intent
  - Hard to tell by looking at data requests

Example: Probe-Response Attack
(Diagram: attack, alert, repository)
1. Attacker attacks a particular IP address
2. Attack is detected and alert reported to repository
3. Attacker looks up the alert and learns the address of the detecting IDS sensor
IP hashing doesn't help! Attacker knows the targeted subnet and stages a simple dictionary attack with a small (<256) dictionary.

"Fingerprinting" Attacks [e.g., see Bethencourt et al., USENIX Security 2005]
- Attacker wants attack to be detected
- Unique attack signature:
  - Port combinations
  - Rare IDS rules
  - Multiple scans (to cross statistical thresholds)
- Attack is detected and alert reported to repository
- Attacker completely maps out network defenses and avoids them in the future

Current IP Address Sanitization
Is this IP address on my network?
- Yes: use HMAC with secret key
  - Can only be compared for equality with IP addresses reported by IDS on the same network
  - Dictionary attack not feasible
- No: use SHA-1
  - A and B can compare their observations of events on C's network
  - Dictionary attack possible, but address space is large
  - Enables detection of widely observed IP addresses

Current Alert Sanitization
- Content fields scrubbed
  - InfectedFile, CapturedData, etc.
- Timestamps rounded
  - Tradeoff: limits sequence analysis
- High port numbers rounded
  - Tradeoff: limits port analysis possibilities
- Unique contributor IDs (not stored)
  - Rely on source anonymity to hide identity
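The two sanitization slides above (keyed hashing for own-network addresses, plain SHA-1 for foreign ones, content scrubbing, timestamp and high-port rounding, contributor ID not stored) combined into one working sanitizer. This is an added illustration, not Cyber-TA's code; the address range, key, field names, rounding granularities and sample alert are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime
# Constructed values (hypothetical): the contributor's own address range and
# the secret key shared by the IDS sensors on that network.
MY_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]
NETWORK_KEY = b"constructed-per-network-secret"
SCRUBBED_FIELDS = ("InfectedFile", "CapturedData")

def sanitize_ip(ip, networks=MY_NETWORKS, key=NETWORK_KEY):
    """Own network: HMAC under the secret key, comparable only by sensors that
    hold the key, so a small-subnet dictionary attack is not feasible.
    Foreign address: plain SHA-1, so other contributors can match the same source."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in networks):
        return "hmac:" + hmac.new(key, addr.packed, hashlib.sha1).hexdigest()
    return "sha1:" + hashlib.sha1(addr.packed).hexdigest()

def round_timestamp(ts, minutes=10):
    """Round an ISO-8601 timestamp down to a coarse bucket (limits sequence analysis)."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=(t.minute // minutes) * minutes, second=0, microsecond=0).isoformat()

def round_port(port, well_known_max=1023, step=1000):
    """Keep well-known ports exact; round high ports down to a coarse bucket."""
    return port if port <= well_known_max else (port // step) * step

def sanitize_alert(alert):
    """Apply the per-field rules to one alert; content fields are scrubbed and the
    contributor ID is not stored (source anonymity is what hides identity)."""
    out = {}
    for field, value in alert.items():
        if field in SCRUBBED_FIELDS or field == "ContributorID":
            continue
        if field in ("SourceIP", "DestIP"):
            out[field] = sanitize_ip(value)
        elif field in ("SourcePort", "DestPort"):
            out[field] = round_port(value)
        elif field == "Timestamp":
            out[field] = round_timestamp(value)
        else:
            out[field] = value
    return out

# Constructed sample alert (not real traffic), as a sensor might submit it.
SAMPLE = {"Timestamp": "2007-03-05T14:37:52", "SourceIP": "198.51.100.7", "SourcePort": 51234,
          "DestIP": "10.20.30.44", "DestPort": 22, "EventID": "SSH-BRUTE", "Outcome": "blocked",
          "CapturedData": "<payload>", "ContributorID": "c-0042"}
```

Two sensors holding the same network key produce equal tokens for the same internal address, which is exactly the equality comparison the slide says is preserved; a sensor with a different key does not.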

Data Sanitization Challenges
- Formalization of fingerprinting attacks + secure alert correlation schemes
- IP address virtualization that preserves the topological structure of the address space without revealing true addresses
  - Reconstruct topology of attack graphs
- Protocols that reveal attack data only if a similar attack has been observed by a threshold number of contributors

Protecting Source Identity
(Diagram: Internet; overlay)
- Overlay: peer-to-peer randomized routing (robust even if some nodes are compromised)
- Based on Tor (low-latency TCP-level anonymity)

Future Work: Backpropagation
(Diagram: Internet; overlay with peer-to-peer randomized routing)
- Propagate analysis results back to contributors (e.g., hashed IP addresses for filtering)

Source Anonymity Issues
- Dataset poisoning and denial of service
  - Deliberate attacks or accidental flooding
- Pre-registration and vetting are needed
- Group membership credentials
  - Issued through "blind" registration; unlinkable to contributor's true identity
  - Hard to guess, easy to check
  - Linkability of same-source contributions?
- Possible attacks on registration process

Contributor Registration
- Contributor IDs issued by Cyber-TA Coordination Center
  - Random IDs unlinkable to true identity
- Repositories can blacklist certain contributor IDs
- Current research:
  - Prevention of flooding and data poisoning
  - Revocation mechanisms
  - Reputation systems

Timing Attack
(Diagram: Internet; overlay with peer-to-peer randomized routing)
- Observe outgoing connection (sniff, or attack the 1st overlay node)
- De-anonymize alert origin by correlating message timings

Additional Protection
- Re-keying by alert repository
  - Additional keyed hashing of IP addresses
- Randomized hot list thresholds
  - Publish only the hot list of reported alerts that have something in common
  - Need randomness to prevent flushing attacks
- Delayed alert publication
... all of these rely on repository integrity!
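A repository-side sketch of two of the protections above, re-keying of submitted IP tokens and a hot list published only once a randomly drawn threshold of distinct contributors has reported the same token (the threshold protocol from the Data Sanitization Challenges slide). Added example, not Cyber-TA code; the class, key, threshold range and scenario are constructed assumptions.

```python
import hashlib
import hmac
import random
from collections import defaultdict

class AlertRepository:
    """Submitted IP tokens are re-keyed under the repository's own secret, so the
    published form cannot be matched against tokens seen in transit; a token is
    published only when reported by a threshold number of distinct contributors,
    and the threshold is redrawn at random for every publication round."""

    def __init__(self, repo_key, min_threshold, max_threshold, rng=None):
        self.repo_key = repo_key            # constructed secret held by the repository only
        self.min_t, self.max_t = min_threshold, max_threshold
        self.rng = rng or random.Random()
        self.reporters = defaultdict(set)   # re-keyed token -> contributor IDs reporting it

    def rekey(self, token):
        """Second keyed hash layered over the contributor's sanitized IP token."""
        return hmac.new(self.repo_key, token.encode(), hashlib.sha256).hexdigest()

    def submit(self, contributor_id, ip_token):
        # Distinct contributor IDs are counted, so one source cannot reach the
        # threshold on its own by resubmitting the same alert.
        self.reporters[self.rekey(ip_token)].add(contributor_id)

    def publish_hot_list(self):
        """Return (threshold used this round, sorted re-keyed tokens that at least
        that many distinct contributors reported)."""
        threshold = self.rng.randint(self.min_t, self.max_t)
        hot = sorted(t for t, ids in self.reporters.items() if len(ids) >= threshold)
        return threshold, hot

def demo():
    """Constructed scenario: three contributors report the same foreign source
    token; a fourth reports an unrelated token twice, which counts once."""
    repo = AlertRepository(b"constructed-repository-key", 2, 3, random.Random(7))
    common = "sha1:" + "ab" * 20          # constructed sanitized IP token
    for cid in ("c-0001", "c-0002", "c-0003"):
        repo.submit(cid, common)
    repo.submit("c-0004", "sha1:" + "cd" * 20)
    repo.submit("c-0004", "sha1:" + "cd" * 20)
    return repo, repo.publish_hot_list()
```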

Sample Intrusion Detection Alert
- Source address: can be used as a marker to learn sensor coverage
- Source port number: rare port numbers can be used as markers to link alerts to sensors
- Destination address: reveals sensor coverage, capabilities, network topology
- Destination port number: reveals network services
- Timestamp: can be used to link an alert to the sensor that produced it
- SensorID: reveals defensive services and capabilities, organization that owns the sensor
- EventID: reveals defensive services, capabilities, policies
- Outcome: reveals target site's vulnerabilities, topologies, policies, etc.
- Captured data, Infected file: reveal private user data, topology and applications, vulnerabilities