Vulnerabilities of Passive Internet Threat Monitors Yoichi Shinoda Japan Advanced Institute of Science and Technology Ko Ikai National Police Agency, Japan.

Presentation transcript:

Vulnerabilities of Passive Internet Threat Monitors Yoichi Shinoda Japan Advanced Institute of Science and Technology Ko Ikai National Police Agency, Japan Motomu Itoh JPCERT/CC

Passive Internet Threat Monitors Passive Internet monitoring measures and characterizes interesting network activity – e.g. worms, distributed DoS attacks, etc. The operation of Internet threat monitors assumes that sensors are observing only non-biased background traffic.

Passive Internet Threat Monitors

Characterizing Threat Monitors Report Types – Port Table Captured events over a range of ports. – Time-Series Graph Summarizing and visualizing events.

The Problem The addresses of real network monitor sensors can be identified. – Sensors may be fed with arbitrary packets. – Sensors may become DoS victims. – Sensors may be evaded. Sensor attackers or evaders do not require a complete list of sensor addresses.

Detection Methods The Basic Cycle

Feedback Properties Accumulation Window: The duration between two consecutive counter resets. Time Resolution: The minimum unit of time that can be observed in a feedback. Feedback Delay: The time between a capture event and next feedback update. Retention Time: The maximum duration that an event is held in the feedback.

Marking Algorithms Address-Encoded-Port Marking – An address is marked with a marker that has its destination port number derived from encoding part of the address bits.

Marking Algorithms Time Series Marking – Each sub-block is marked within the time resolution window of the feedback so that results from marking can be mapped back to the corresponding sub-block.

Marking Algorithms Uniform Intensity Marking (1/2) – All addresses are marked with the same intensity. – Address blocks are divided into smaller sub-blocks. – Each sub-block is marked using time-series marking, each address with a single marker.

Marking Algorithms Uniform Intensity Marking (2/2) – Example Suppose we have a /16 address block which contains several sensors. The original block is divided into 16 /20 sub-blocks. One sensor in sub-block #3 One sensor in sub-block #7 Two sensors in sub-block #10

Marking Algorithms Radix-Intensity Marking (1/2) – Selected address bits are translated into marking intensity. e.g. the number of packets for each address. – For example, if we are marking 16 /20 sub-blocks Mark the first /21 block within a sub-block with 2 markers and the second /21 block with 3 markers.

Marking Algorithms Radix-Intensity Marking (2/2) – Radix-intensity marking was able to derive information about the positions of these sensors within each sub-block. – Uniform-intensity marking would have derived only the number of sensors in each sub-block. – Ambiguity for feedback intensity value of 6 (?). One sensor in the first half One sensor in the second half Two sensors, one in the first half and the other in the second half

Designing a Marking Activity Target Range – Decide on the range of addresses that we want to mark. Marking Algorithm – Determined by the properties of the feedback. Table form → Address-Encoded-Port marking; Graph form → Time-Series marking. Marker Design – Marker type: proto, source and destination port. – Source address. – Payload.

Designing a Marking Activity Intensity – Number of markers sent to a single address. Bandwidth – Limiting factor. Velocity – The speed with which marker packets can be generated. Address Range Subdivision – Calculated from the velocity and the intensity. Marking Order – Scramble the order in which we send the markers.

Designing a Marking Activity Bandwidth vs. Time for various sized blocks and intensities for 64-byte Markers.

Protecting Threat Monitors Provide Less Information – Decrease the amount of information the system is giving out. E.g. longer accumulation window, less sensitivity, etc. Throttle the Information – Apply some standard remediation techniques that are being used to provide privacy in data mining.

Protecting Threat Monitors Introducing Explicit Noise – Introduce explicit variance into level sensitivity into sensors. – Inter-monitor collaboration. Disturbing Mark-Examine-Update Cycle – Degree of mobility required to disturb the cycle and how it affects monitor results must be studied.

Protecting Threat Monitors Marking Detection – Events generated by marking activities are basically local and transient by nature. Sensor Scale and Placement – Increasing number of sensors that are carefully placed provide a certain level of protection. Small Cautions – Prevent ICMP-based fingerprinting – introduce TTL mangling
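The following is an added defender-side illustration of two of the protections above (a less sensitive port table and detection of local, transient events); it is example code written for this page, not code from the authors. The event format, thresholds and sample data are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sensor log (not real data): (timestamp in seconds, destination
# port, sensor id). Port 445 shows steady background traffic seen by several
# sensors; port 5313 is a short burst seen by a single sensor, i.e. an event
# that is local and transient in the sense used on the slides.
SAMPLE_EVENTS = [
    (0, 445, "s1"), (30, 445, "s2"), (70, 445, "s1"), (150, 445, "s3"),
    (200, 445, "s2"), (260, 445, "s1"), (310, 445, "s3"),
    (100, 5313, "s2"), (101, 5313, "s2"), (102, 5313, "s2"),
]


def port_table(events, window, start, min_count):
    """Aggregate events into a port table over [start, start + window).
    A longer window and a higher min_count make the feedback less sensitive:
    ports with fewer than min_count events in the window are not reported."""
    counts = Counter(p for t, p, _ in events if start <= t < start + window)
    return {p: c for p, c in counts.items() if c >= min_count}


def transient_local_ports(events, burst_span, min_sensors):
    """Flag ports whose events all fall within burst_span seconds and were seen
    by fewer than min_sensors distinct sensors (local and transient activity)."""
    times = defaultdict(list)
    sensors = defaultdict(set)
    for t, p, s in events:
        times[p].append(t)
        sensors[p].add(s)
    return sorted(p for p in times
                  if max(times[p]) - min(times[p]) <= burst_span
                  and len(sensors[p]) < min_sensors)


def throttled_feedback(events, window, start, min_count, burst_span, min_sensors):
    """Port table with flagged local/transient ports suppressed before it is
    published, so that such activity does not appear in the feedback."""
    table = port_table(events, window, start, min_count)
    for p in transient_local_ports(events, burst_span, min_sensors):
        table.pop(p, None)
    return table


if __name__ == "__main__":
    print(port_table(SAMPLE_EVENTS, 60, 90, 1))          # {5313: 3}
    print(transient_local_ports(SAMPLE_EVENTS, 10, 2))   # [5313]
    print(throttled_feedback(SAMPLE_EVENTS, 360, 0, 1, 10, 2))  # {445: 7}
```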

A Simple Example