Multi-Route Anomaly Detection using Principal Component Analysis. Adnan Iqbal. Supervisor: Dr. Waqar Mahmood. 21-06-05.


The concept
- Discover anomalies in the whole network, then compare these network-wide anomalies with the anomalies found on single routes.
- Find the relationship between network-wide anomalies and their constituent single-route anomalies.
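As an added illustration (this code is not from the presentation), the subspace-style PCA check the concept slide describes, in pure Python over constructed numbers: per-route byte counts per time bin form a time-by-route matrix, the leading principal component captures the shared network-wide pattern, and any bin whose residual energy stands out is reported together with the route that dominates its residual. The matrix size, daily pattern, jitter and injected spike are all constructed assumptions.

```python
import math
def build_traffic_matrix(bins=24, routes=4, spike_bin=15, spike_route=2, spike=20000.0):
    # Constructed counts: shared daily pattern per route, small deterministic jitter, one injected spike.
    base = [10000.0, 20000.0, 15000.0, 30000.0][:routes]
    X = []
    for t in range(bins):
        daily = 1.0 + 0.5 * math.sin(2 * math.pi * t / bins)
        X.append([base[j] * (daily + ((t * 7 + j * 13) % 11 - 5) * 0.01) for j in range(routes)])
    X[spike_bin][spike_route] += spike
    return X

def top_eigenvectors(C, k, iters=1000):
    # Power iteration with deflation: adequate for a covariance over a handful of routes.
    m, vecs = len(C), []
    for _ in range(k):
        v = [1.0 / math.sqrt(m)] * m
        for _ in range(iters):
            w = [sum(C[a][b] * v[b] for b in range(m)) for a in range(m)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[a] * C[a][b] * v[b] for a in range(m) for b in range(m))
        vecs.append(v)
        C = [[C[a][b] - lam * v[a] * v[b] for b in range(m)] for a in range(m)]
    return vecs

def residuals(X, k=1):
    # Centre each route, take the top-k components as the "normal" network-wide
    # subspace and return what is left of every time bin after projecting it out.
    n, m = len(X), len(X[0])
    means = [sum(row[j] for row in X) / n for j in range(m)]
    Xc = [[row[j] - means[j] for j in range(m)] for row in X]
    C = [[sum(row[a] * row[b] for row in Xc) / (n - 1) for b in range(m)] for a in range(m)]
    vecs = top_eigenvectors(C, k)
    out = []
    for row in Xc:
        resid = row[:]
        for v in vecs:
            proj = sum(r * c for r, c in zip(row, v))
            resid = [r - proj * c for r, c in zip(resid, v)]
        out.append(resid)
    return out

def anomalous_bins(X, k=1, sigmas=3.0):
    # Flag bins whose residual energy sits more than `sigmas` standard deviations above
    # the mean; pair each with the route contributing most (the single-route view).
    res = residuals(X, k)
    spe = [sum(r * r for r in row) for row in res]
    mean = sum(spe) / len(spe)
    std = math.sqrt(sum((s - mean) ** 2 for s in spe) / len(spe))
    return [(t, max(range(len(res[t])), key=lambda j: abs(res[t][j]))) for t, s in enumerate(spe) if s > mean + sigmas * std]
```

With the constructed matrix, `anomalous_bins(build_traffic_matrix())` returns the injected spike as bin 15 on route 2.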

Summary
- Discover a scheme that can be used to relate network-wide anomalies to single-route anomalies
- Implement the scheme
- Perform regularization of data
- Apply the scheme to suitable routes
- Analyze results
- Analysis of data used in anomaly detection
- Study of MIT Lincoln Lab intrusion detection data (completed)

Current Work
- Study of MIT Lincoln Lab intrusion detection data (contd.)
- Data sets

Dataset
- Scenario-based data set: LLDOS Scenario One, LLDOS Scenario Two, Windows NT Attack Data Set
- Data is in multiple files: tcpdump of inside, tcpdump of DMZ, syslog of different hosts
Scenario 1 Data Set: DDoS Level 1.0
- Adversary: Novice
- Goal: Install components for, and carry out, a DDoS attack
- Defender: Naive
- Spread over multiple phases

Phases of Attack - 1
Phase 1: The adversary performs a scripted IP sweep of multiple class C subnets on the Air Force Base. The following networks are swept from address 1 to 254: /24, /24, /24, /24. The attacker sends ICMP echo-requests in this sweep and listens for echo-replies to determine which hosts are "up".
Phase 2: The hosts found to be alive in the previous phase are probed to determine which ones are configured to run the "sadmind" remote administration tool.

Phases of Attack - 2
Phase 3: The attacker then tries to break into those hosts found to be running the sadmind service in the previous phase. The attacker needs to execute two commands, one to "cat" an entry onto the victim's /etc/passwd file and one to "cat" an entry onto the victim's /etc/shadow file. The new root user's name is 'hacker2' and hacker2's home directory is set to /tmp. To test whether or not a break-in was successful, the attack script attempts a login, via telnet, as hacker2, after each set of two break-in attempts. When successful, the attack script moves on to the next potential victim.

Phases of Attack - 3
Phase 4: Entering this phase, the attack script has built a list of those hosts on which it has successfully installed the 'hacker2' user. These are mill ( ), pascal ( ), and locke ( ). For each host on this list, the script performs a telnet login, makes a directory on the victim called "/tmp/.mstream/" and uses rcp to copy the mstream server software. The attacker also installs a ".rhosts" file for themselves in /tmp, so that they can rsh in to start up the binary programs. On the first victim on the list, the attacker also installs the "master-sol" software, which is the mstream master. After installing the software on each host, the attacker uses rsh to start up first the master, and then the servers. As they come up, each server "registers" with the master that it is alive. The master writes out a database of live servers to a file called "/tmp/.sr".

Phases of Attack - 4
Phase 5: In the final phase, the attacker manually launches the DDoS. This is performed via a telnet login to the victim on which the master is running, and then, from the victim, a "telnet" to port 6723 of the localhost. Port 6723/TCP is the port on which the master listens for connections to its user interface. After entering a password for the user interface, the attacker is given a prompt at which he/she enters two commands. The command "servers" causes the UI to list the mstream servers which have registered with it and are ready to attack. The command "mstream " causes a DDoS attack, of 5 second duration, against the given IP address to be launched by all three servers simultaneously. The mstream DDoS consists of many, many connection requests to a variety of ports on the victim. All packets have a spoofed, random source IP address. The attacker then logs out. The tiny duration was chosen so that it would be possible to easily distribute tcpdump and audit logs of these events -- to avoid them being too large. In real life, one might expect a DDoS of longer duration, several hours or more.

LLDDoS v
- ADVERSARY: Novice -- scripted attack, fairly blatant
- ADVERSARY_GOAL: Install components for, and carry out, a DDoS attack
- DEFENDER: Naive -- sunrpc allowed through firewall, HINFO DNS records contain some valid host information
- DIFFERENCES FROM VERS. 1.0: The main difference between and 1.0 is that in the attacker probes for host, platform and operating system by doing DNS HINFO queries, rather than sweeping IPs and rpc ports, and that they break into one host at Eyrie first, then fan out from there, rather than attacking each host individually.

Phases of Attack v
- Probe of mill.eyrie.af.mil, Eyrie's public DNS server, via the HINFO query.
- Break-in to mill.eyrie.af.mil via the sadmind exploit.
- FTP upload of the mstream DDoS software and attack script, to break into more Eyrie hosts.
- Initiate attack on other Eyrie hosts: telnet to mill.eyrie.af.mil, set up the DDoS master and initiate probing and attack of other Eyrie hosts. Probes are via the HINFO record query and attacks are via the sadmind exploit. Two break-ins are attempted: robin.eyrie.af.mil (a Linux host listed as Solaris in the HINFO, break-in fails!) and pascal.eyrie.af.mil (break-in succeeds since the host is Solaris!).
- Launching the DDoS: telnet to mill, telnet to localhost port 6723, connect to the master, and launch attack at
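An added detection example (not from the presentation or the data set) run over constructed flow records: it flags a source that echo-requests many distinct hosts within a short window, the shape of the 1.0 phase-1 IP sweep, and lists TCP connections to 6723, the mstream master's user-interface port named in both scenarios. The record layout, addresses, window and threshold are assumptions.

```python
from collections import defaultdict

def build_sample_flows():
    # Constructed flow records (ts_seconds, src, dst, proto, dport), not DARPA data:
    # one source echo-requests 40 consecutive addresses of a /24 within a minute,
    # and a second host later connects to TCP/6723, the mstream master UI port.
    flows = [(t, "10.0.0.9", "172.16.112.%d" % h, "icmp", 0) for t, h in enumerate(range(1, 41))]
    flows += [(5, "172.16.112.50", "172.16.112.100", "icmp", 0),
              (30, "172.16.112.50", "172.16.112.100", "tcp", 23),
              (120, "172.16.112.50", "172.16.112.10", "tcp", 6723),
              (200, "172.16.112.50", "172.16.115.20", "tcp", 80)]
    return flows

def icmp_sweep_sources(flows, window=60, min_hosts=20):
    # Sources that echo-request at least `min_hosts` distinct destinations within any
    # `window`-second span. Returns {src: peak distinct-host count}.
    per_src = defaultdict(list)
    for ts, src, dst, proto, _ in flows:
        if proto == "icmp":
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:   # slide the window forward
                lo += 1
            hosts = len({dst for _, dst in events[lo:hi + 1]})
            if hosts >= min_hosts:
                flagged[src] = max(flagged.get(src, 0), hosts)
    return flagged

def mstream_control_connections(flows, port=6723):
    # TCP connections to the port the mstream master listens on for its user interface.
    return [(ts, src, dst) for ts, src, dst, proto, dport in flows if proto == "tcp" and dport == port]
```

In both scenarios the attacker reaches port 6723 via localhost on the master host itself, so a sensor between hosts would not see that connection; host-level connection logging on the master would, which is where the second check belongs.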

Data Files
- Different files for every phase. For each phase:
  .fulllist - ASCII
  .list - ASCII
  .warn - ASCII
  .dump - tcpdump out
  dump.xml - it has alerts

Future Work
- Analysis of Fermi Lab data