Conditional Entropy for Deception Analysis E. John Custy Neil C. Rowe Center for Information Security Research U.S. Naval Postgraduate School

Slides:



Advertisements
Similar presentations
Loss-Sensitive Decision Rules for Intrusion Detection and Response Linda Zhao Statistics Department University of Pennsylvania Joint work with I. Lee,
Advertisements

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Greg Williams CS691 Summer Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Lecture 1: Overview modified from slides of Lawrie Brown.
Firewalls and Intrusion Detection Systems
Intrusion Detection Systems and Practices
Network Security Testing Techniques Presented By:- Sachin Vador.
EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Examining IP Header Fields
Intrusion Detection CS-480b Dick Steflik. Hacking Attempts IP Address Scans scan the range of addresses looking for hosts (ping scan) Port Scans scan.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Host Intrusion Prevention Systems & Beyond
Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems
Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
FIREWALL Mạng máy tính nâng cao-V1.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Chapter 9 Testing a Claim
IDS – Intrusion Detection Systems. Overview  Concept  Concept : “An Intrusion Detection System is required to detect all types of malicious network.
HoneyD (Part 2) Small Business NIDS This presentation demonstrates the ability for Small Businesses to emulate virtual operating systems and conduct.
ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.
Intrusion Detection and Prevention. Objectives ● Purpose of IDS's ● Function of IDS's in a secure network design ● Install and use an IDS ● Customize.
COEN 252: Computer Forensics Network Analysis and Intrusion Detection with Snort.
FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.
Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
HONEYPOTS PRESENTATION TEAM: TEAM: Ankur Sharma Ashish Agrawal Elly Bornstein Santak Bhadra Srinivas Natarajan.
Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
IEEE Communications Surveys & Tutorials 1st Quarter 2008.
Computer Network Forensics Lecture 6 – Intrusion Detection © Joe Cleetus Concurrent Engineering Research Center, Lane Dept of Computer Science and Engineering,
Scanning & Enumeration Lab 3 Once attacker knows who to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.) the next step is.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
1 Chapter 9 Intruders. 2 Outline Intruders –Intrusion Techniques –Password Protection –Password Selection Strategies –Intrusion Detection Statistical.
Chapter 9 Intruders.
Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:
DoS/DDoS attack and defense
High Performance Research Network Dept. / Supercomputing Center 1 DDoS Detection and Response System NetWRAP : Running on KREONET Yoonjoo Kwon
C OMPUTER THREATS, ATTACKS AND ASSETS DONE BY NISHANT NARVEKAR TE COMP
Data Security in Local Network Using Distributed Firewall Presented By- Rahul N.Bais Guide Prof. Vinod Nayyar H.O.D Prof.Anup Gade.
Role Of Network IDS in Network Perimeter Defense.
+ The Practice of Statistics, 4 th edition – For AP* STARNES, YATES, MOORE Unit 5: Hypothesis Testing.
SYSTEM ADMINISTRATION Chapter 10 Public vs. Private Networks.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Using Honeypots to Improve Network Security Dr. Saleh Ibrahim Almotairi Research and Development Centre National Information Centre - Ministry of Interior.
+ Chapter 9 Testing a Claim 9.1Significance Tests: The Basics 9.2Tests about a Population Proportion 9.3Tests about a Population Mean.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
An Introduction To Gateway Intrusion Detection Systems Hogwash GIDS Jed Haile Nitro Data Systems.
100% Exam Passing Guarantee & Money Back Assurance
Managing Secure Network Systems
The Devil and Packet Trace Anonymization
Spoofing Basics Presentation developed by A.F.M Bakabillah Cyber Security and Networking Consultant MCSA: Messaging, MCSE RHCE ITIL CEH.
By: Dr. Visavnath, Lecturer Comp. Engg. Deptt.
Intrusion Detection Systems (IDS)
Self Organized Networks
FIREWALL.
By: Dr. Visavnath, Lecturer Comp. Engg. Deptt.
Session 20 INST 346 Technologies, Infrastructure and Architecture
Presentation transcript:

Conditional Entropy for Deception Analysis E. John Custy Neil C. Rowe Center for Information Security Research U.S. Naval Postgraduate School

Overview Definition of Deception A Channel Model for Deception The Symmetric Complement of a Deception Examples of Deceptions Mapped to Channel Models Conditional Entropy So What? –Conditional Entropy is Concave –General Counter Deception Opportunities Exist –Deception Can Be Interpreted Geometrically –Deception-Based Computer Security A spoofing channel implementation with a honeypot

A Definition of Deception The deception target’s decision is binary: there is only one correct version of reality, and one incorrect version of reality. Deception is the presentation of a specific false version of reality by a deceiver to a target for the purpose of changing the target’s actions in a specific way that benefits the deceiver.

A Channel Model for Deception Deception causes the actual state of the environment to differ, on occasion, from the inferred state of the environment. The deceiver acts as noise: without deception, the target will correctly infer the state of nature. The deception target is vulnerable to only one type of error

The Symmetric Complement The symmetric complement of a deception makes the channel model symmetric Terminology: A two-sided deception is a deception deployed along with its symmetric complement Here the deception target is vulnerable to two types of error

Examples (1/2) One-Sided Deceptions –Sale of Low Quality Items False Version of Reality: Product is High Quality Actual Version of Reality: Product is Low Quality –Camouflage False Version of Reality: No intruders are present Actual Version of Reality: An intruder is present –Phishing False Version of Reality: Web site is valid Actual Version of Reality: Web site is in valid –Social Engineering False Version of Reality: Person claiming authority has author. Actual Version of Reality: Person claiming authority has none

Examples (2/2) Two-Sided Deception –Feints False Version of Reality: An attack is in progress Actual Version of Reality: No attack is in progress –Dummy Aircraft & Tanks False Version of Reality: Dummies are valuable Actual Version of Reality: Dummies are worthless –Runway Strafing False Version of Reality: Runway is usable Actual Version of Reality: Runway is useless

Conditional Entropy (1/2) Conditional Entropy of One-Sided Deceptions –An effective one-sided deception makes the target’s observations worthless –But this situation is fragile: failures by deceiver can be exploited by target

Conditional Entropy (2/2) Conditional Entropy of Two-Sided Deceptions –Target’s observations can be worse than worthless... –But counter-deception opportunities are available... –However, deceiver can “back-off” to make observations worthless in a non-fragile manner...

So What? (1/2) We have done nothing more than reinterpret standard results from information theory in terms of deception Answer 1:Conditional entropy is a concave function... (√) Answer 2:Signal space concepts suggest a geometric interpretation of this work... (Work in progress) Answer 3:Counter-deception based on a negative correlation between observed & actual state of environment (√)

So What? (2/2) Answer 3:Computer Security Tools that burden attackers with uncertainty: A Fake Honeypot is the symmetric complement of the honeypot deception (√) Spoofing Channels provide intruders with data that has the same statistical structure as the original, but is otherwise arbitrary (√)

Experiments with a spoofing channel We are modifying honeypot computer systems into "intrusion- response systems" that frustrate attackers by confusing them. We used a honeypot on the Internet outside our School's firewall. We installed Snort Inline and used it to modify single bits in packets (TCP and UDP protocols only) sent to it. Since attacks commands are sensitive to errors, this might make the attack ineffective and confuse the attacker. Here’s an example Snort Inline rule we used. It says to change the 50th byte of the incoming data portion of a TCP-protocol packet to an upper-case X. alert tcp $EXTERNAL_NET any -> $HONEYNET any (msg:"Exp2-TCP-offset-50"; content:"|00|"; offset:50; flags:P+; replace:"X";classtype:exp2; priority:10; sid: ;rev:1;)

Experimental results (1) Attack durations increased on the average with packet bit modifications. Much of the increase was in the form of retries of the same commands. There was not much variation in effect with location in the packet. We conclude then that rare random bit modifications are a good delaying tactic against attacks, while preserving most of the information content in the channel. Our deceptions also changed the frequencies of attacks we saw.

Experimental results (2) The table shows counts of Snort attack classes with first a control experiment (no packet modifications) and then changes to packets at offsets into the packet of 10, 20, 100, 20, and 20 respectively. The last two experiments changed the bytes to "W" rather than "X", and the last ignored the flags, to see if this made a difference. Each experiment was run for two days. ICMP Ping and MS-SQL traffic was not affected. FTP attacks (generally password guessing) are quite sporadic and not significant. NETBIOS and SHELLCODE attacks show effects in Exps. 1, 3, and 5. ControlExp.1 Exp.2Exp.3 Exp.4Exp.5 FTP ICMP Ping MS-SQL NETBIOS POLICY SHELLCODE WEB