Information Networking Security and Assurance Lab National Chung Cheng University Intrusion Detection Testing and Benchmarking Methodologies Nicholas Athanasiades,

Presentation transcript:

Slide 1: Intrusion Detection Testing and Benchmarking Methodologies. Nicholas Athanasiades, Randal Abler, John Levine, Henry Owen, and George Riley, School of Electrical and Computer Engineering, Georgia Institute of Technology

Slide 2: 1. Introduction
Beginning of the intrusion detection evaluation
- DARPA (1998~1999)
- LARIAT (Lincoln Adaptable Real-time Information Assurance Test-bed) (2000~2001)
Most common methodologies
- Traffic generation is one of the most difficult ones
  - Synthetic traffic does not represent the realities of an actual network
  - SmartBits
  - Scripting tools

Slide 3: 2. Existing Tools and Testing Methodologies
A. DARPA Environment
B. LARIAT Environment
C. Nidsbench and IDS Wakeup
D. IDSwakeup
E. Flame Thrower
F. WebAvalanche/WebReflector
G. Tcpreplay
H. Fragrouter
I. Hping2
J. Iperf

Slide 4: 2. Existing Tools and Testing Methodologies
A. DARPA Environment
- Approach: an off-line (tune and optimize) and an on-line (actual testing) evaluation were executed, using Tcpreplay
- Protocol/traffic activity: HTTP, X window, SQL, SMTP, DNS, FTP, POP3, Finger, Telnet, IRC, SNMP, and Time

Slide 5: 2. Existing Tools and Testing Methodologies
A. DARPA Environment
Figure 1: Attacks in the 1998 DARPA evaluation (rows: attack category; columns: victim OS)
Denial of Service (11 types, 43 instances)
  Solaris: Back, Neptune, Ping of death, Smurf, syslog, Land, apache2, Mailbomb, Process table, UDP storm
  SunOS: Back, Neptune, Ping of death, Smurf, Land, apache2, Mailbomb, Process table, UDP storm
  Linux: Back, Neptune, Ping of death, Smurf, teardrop, Land, apache2, Mailbomb, Process table, UDP storm
Remote to Local (14 types, 17 instances)
  Solaris, SunOS: Dictionary, ftp-write, guest, phf, http tunnel, xlock, xsnoop
  Linux: Dictionary, ftp-write, guest, imap, phf, named, http tunnel, sendmail, xlock, xsnoop
User to Root (7 types, 38 instances)
  Solaris: Eject, ffbconfig, Fdformat, ps
  SunOS: Loadmodule, ps
  Linux: Perl, xterm
Surveillance/Probe (6 types, 22 instances)
  Solaris, SunOS, Linux: Eject, nmap, Port sweep, Satan, mscan, saint

Slide 6: 2. Existing Tools and Testing Methodologies
A. DARPA Environment
- 1999: the goals shifted to testing complete systems
- Changes and additions
  - Victim Windows NT added
  - New stealthy attacks added
  - Two new types of analysis performed
    - An analysis of misses and high-scoring false alarms
    - Participants were allowed to submit information aiding in the identification of many attacks and their appropriate response
  - Detection of novel attacks without first training
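The 1999 analysis of misses and high-scoring false alarms is a scoring exercise over labeled attack instances. The following added example (not code from the paper or the slides) implements a DARPA-style scorer on constructed attack instances and alerts: each distinct alert score is swept as a threshold to give detection rate against false alarms, and the highest-scoring false alarms are listed for analysis. The per-hour false-alarm unit, the host names and the alert/attack fields are assumptions.

```python
# Added example, not code from the paper or the slides: a DARPA-style scorer that
# compares scored IDS alerts with labeled attack instances (all data constructed).
from dataclasses import dataclass

@dataclass(frozen=True)
class Attack:
    name: str      # unique instance label
    victim: str    # victim host
    start: float   # seconds into the test run
    end: float

@dataclass(frozen=True)
class Alert:
    time: float
    victim: str
    score: float   # higher means the IDS is more confident

# Constructed ground truth: one DoS, one R2L, one U2R and one Probe instance.
ATTACKS = [Attack("neptune-1", "hostA", 100, 160), Attack("phf-1", "hostB", 300, 305),
           Attack("eject-1", "hostA", 500, 520), Attack("portsweep-1", "hostC", 700, 760)]
# Constructed IDS output: four alerts that fall inside an attack window on its
# victim and two (t=510 on hostB, t=900 on hostA) that match no labeled attack.
ALERTS = [Alert(120, "hostA", 0.90), Alert(150, "hostA", 0.40), Alert(302, "hostB", 0.60),
          Alert(510, "hostB", 0.80), Alert(730, "hostC", 0.30), Alert(900, "hostA", 0.95)]

def matches(alert, attack):  # an alert credits an attack only on its victim, in its window
    return alert.victim == attack.victim and attack.start <= alert.time <= attack.end

def score_at(attacks, alerts, threshold):
    """Return (detected names, missed names, false-alarm alerts) using alerts >= threshold."""
    kept = [al for al in alerts if al.score >= threshold]
    detected = {atk.name for atk in attacks for al in kept if matches(al, atk)}
    missed = [atk.name for atk in attacks if atk.name not in detected]
    false_alarms = [al for al in kept if not any(matches(al, atk) for atk in attacks)]
    return sorted(detected), missed, false_alarms

def roc_points(attacks, alerts, hours):
    """Sweep each distinct score as the threshold: (threshold, false alarms/hour, detection rate)."""
    points = []
    for t in sorted({al.score for al in alerts}, reverse=True):
        detected, _, false_alarms = score_at(attacks, alerts, t)
        points.append((t, len(false_alarms) / hours, len(detected) / len(attacks)))
    return points

def top_false_alarms(attacks, alerts, n=3):
    """Highest-scoring false alarms, the ones the 1999 evaluation singled out for analysis."""
    return sorted(score_at(attacks, alerts, float("-inf"))[2], key=lambda al: -al.score)[:n]
```

Plotting the points from roc_points gives the detection-rate versus false-alarm curve the DARPA evaluations reported per system; the missed list at a chosen threshold is the input to the miss analysis.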

Slide 7: 2. Existing Tools and Testing Methodologies
B. LARIAT Environment
- LARIAT "emulates the network traffic from a small organization connected to the Internet"
- Many phases
  - Network discovery phase
  - Then, it initializes the network and configures the hosts
  - The test's conditions are set up
- Traffic generation is done through the use of defined service models
  - A modified Linux kernel allows their software to generate background traffic
- Part of a government project and not publicly available

Slide 8: 2. Existing Tools and Testing Methodologies
C. Nidsbench
- A NIDS test suite released in 1999
- Made up of the components tcpreplay, idtest and fragrouter
D. IDSwakeup
- Like Nidsbench
- It generates false attacks; a false-positive test utility
- Consists of IDSwakeup and utilizes hping and iwu
E. Flame Thrower
- Commercial load stress tool used to identify network infrastructure weaknesses
- Produces transactions in order to test network infrastructure and applications
- Supports HTTP/HTTPS 1.0, 1.1 and SSL
- It can emulate over two million IP addresses
- FirewallStressor measures throughput under attack conditions
- Flame Thrower is intended for testing firewalls

Slide 9: 2. Existing Tools and Testing Methodologies
F. WebAvalanche/WebReflector
- Commercial network appliances used in the testing of IDS
- WebAvalanche is a stress-testing appliance
- WebReflector emulates the behavior of large Web, application and data server environments
- Supports protocols such as HTTP 1.0/1.1, SSL, RTSP/RTP and FTP
- Measures percent dropped packets, latencies, maximum number of users and new user arrival rates
G. Tcpreplay
- Allows captured traffic to be played back on a network at different speeds
- Input captures from tcpdump or snoop

Slide 10: 2. Existing Tools and Testing Methodologies
H. Fragrouter
- An attack generation tool
- For testing anti-evasion techniques and fragmentation queues
I. Hping2
- A command-line packet assembler and analyzer
- Allows one to create and transmit custom ICMP, UDP, and TCP packets
- Fingerprints remote operating systems
J. Iperf
- Measures bandwidth, delay jitter and datagram loss
- Used as a background traffic source

Slide 11: Examples of Intrusion Detection Evaluation Environments
- DARPA Like Environment
- Custom Software
- Advanced Security Audit Trail Analysis on Unix
- Vendor Independent Testing Lab
- Trade Magazine Evaluation

Slide 12: DARPA Like Environment
5 components
- Traffic generating
- Victim was "an anonymous FTP server running on a Sun UltraSparc-1 using a Solaris 2.5 OS"
- Attack injection programs
- The in-house reference programs counted the number of hung connections at the victim server as a measure of attack effectiveness. They used a metric called virulence. Virulence described the intensity of an attack situation.
- The evaluation method was to use 10, 15, 30, 40 and 60 attacking hosts, each utilizing varying rates of attacks per second.

Slide 13: Custom Software
A software platform that simulates intrusions and tests IDS effectiveness
Criteria used included
- Broad detection range
- Economy in resource usage
- Resilience to stress
The benchmark platform was based on Expect and the Tool Command Language Distributed Programming (TCL-DP) package

Slide 14: ASAX (Advanced Security audit trail Analysis on uniX)
The test consisted of the following scenarios
- Trojan horse
- Attempted break-ins
- Masquerading
- Suspicious connections
- Black listed addresses
- Nosing: numerous moves through directories
- Privilege abuse

Slide 15: Vendor Independent Testing Lab
NSS tests a broad range of features of IDS
- Convenience: ease of installation, deployment and management
- UI: reporting and alerts delivered
- Attack signatures
- Accuracy
- Peripheral issues like licensing, documentation and log management

Slide 16: Vendor Independent Testing Lab
NSS's test-bed
- P3 1 GHz, 768 MB RAM running Windows 2000 SP2, FreeBSD 4.4 or Red Hat 6.2/7.1
- Ghost image
- 100M Ethernet with CAT-5, Intel NetStructure 40T routing switches and Intel auto-sensing 10/100 network cards
- IDS installed on a dual-homed PC on each subnet
- No firewall used

Slide 17: Vendor Independent Testing Lab
NSS five types of tests
- Attack recognition
  - SANS top 20 and/or ICAT top 10 vulnerability lists
- Performance under load
  - Back Orifice ping
  - 64-byte and 1514-byte packets at 25, 50, 75 and 100 percent of network load
  - Adtech AX/4000 Broadband Test System and SmartBits SMB6000

Slide 18: Vendor Independent Testing Lab
NSS five types of tests
- IDS evasion techniques
  - Tools: Fragrouter and whisker
- Stateful operation test
  - Tools: stick and snot used to generate false alerts
- Host performance
  - Network load, CPU and memory utilization were monitored

Slide 19: Trade Magazine Evaluation
Interesting approach
- IDSs in the production network of an ISP
- Deployed four machines
The metrics were accuracy, ease of use, and uptime

Slide 20: Conclusion