Sleepy Watermark Tracing: An Active Network-based Intrusion Response Framework Xinyuan Wang † Douglas S. Reeves †‡ S. Felix Wu †† Jim Yuill † † Department of Computer Science ‡ Department of Electrical and Computer Engineering North Carolina State University †† Department of Computer Science University of California at Davis IFIP/Sec’01 Paris, France

2 Network-Based Attacks
(Figure labels: Attacker, Master Machine, Slave Machines, Stepping Stones, Target)
We have detected attacks from the network !!!
Where do these attacks come from ???

3 Tracing Problem and Its Challenges
What is the tracing problem?
– To identify the source of a network-based intrusion
Why is tracing important?
– Network-based attacks cannot be effectively repelled or eliminated until their source is known
Challenges in tracing
– Spoofed source IP address
– Connections through “stepping stones”
One of the hardest network security problems
Focus: tracing chained connections through stepping stones

4 Tracing Approaches
Classification of Existing Tracing Approaches and SWT

                Passive                                        Active
Host-based      DIDS, CIS                                      CallerID
Network-based   Thumbprinting, Timing-based, Deviation-based   IDIP, SWT

5 Tracing Approach Classification
Host-based:
– tracing based on information collected from each host
Network-based:
– tracing based on a property of the network connection: the application-level content of chained connections is invariant
Passive:
– passively monitor and compare network traffic; every concurrent incoming connection must be compared with every concurrent outgoing connection (clueless tracing)
Active:
– dynamically control which connections are correlated, and how, through customized packet processing (tracing with a clue)

6 Sleepy Watermark Tracing (SWT)
SWT is an active network-based tracing framework
– Active networking seeks to increase the programmability of networks, enabling users and applications to dynamically control how packets are handled
SWT is “sleepy” and yet “active”
SWT exploits the following observations
– Interactive intrusions over chained connections are bi-directional and symmetric at the granularity of connections
– Application-level contents are invariant across connection chains

7 SWT Tracing Model
(Figure: hosts H0 through H7 and guardian gateways GW1 through GW4 on the path from the Intruder to the Target. Legend: H_i: Host; GW_i: Guardian Gateway.)
Target injects watermark into the backward connection and “wakes up” guardian gateways along the intrusion path

8 SWT Concepts and Assumptions
Basic SWT concepts
– Guardian Gateway (nearest router)
  Incoming Guardian Gateway
  Outgoing Guardian Gateway
  Guardian Gateway Set
– Guarded Host
Basic SWT assumptions
– Intrusions are interactive and bi-directional
– Routers are trustworthy and hosts are not trustworthy
– Each host has a single SWT guardian gateway
– There is no link-to-link encryption

9 SWT Architecture
(Figure labels: SWT Guarded Host with Watermark Enabled Application and IDS; SWT Guardian Gateway with SWT Subsystem comprising Sleepy Intrusion Response, Watermark Correlation and Active Tracing; Normal Traffic; Watermarked Traffic; Active Tracing Protocol; Host)

10 SWT Components
SWT supporting components
– IDS: application-level interface to any Intrusion Detection System
– Watermark-enabled application: server applications modified so they can “inject” an arbitrary watermark on request
SWT components
– Sleepy Intrusion Response (SIR): controls and coordinates overall SWT intrusion tracing
– Watermark Correlation (WMC): matches adjacent connections through the watermark
– Active Tracing (AT): “wakes up” and coordinates SWT guardian gateways

11 Watermark
A small piece of information that can be used to uniquely identify a connection
Application specific
Invisible to end users (telnet, rlogin etc.)
– [Identifying part] + [covering part]: “intruder\b\b\b\b\b\b\b\b \b”
– Original: “Su”
– [Original] + [watermark]: “Suintruder\b\b\b\b\b\b\b\b \b”
Collision probability
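The following is an added illustrative model, not the SWT authors' code, tying slides 7, 10 and 11 together: it builds a watermark of the shape shown above, shows why a canonical-mode terminal leaves it invisible to the user while it stays in the byte stream on the wire, and runs a Watermark Correlation scan and an Active Tracing walk back along a constructed chain of hosts and guardian gateways. The host and gateway names, the captured backward streams and the collision model in false_match_bound are all assumptions made for the example.

```python
# Added illustrative example (not the SWT authors' code): a small model of how an
# SWT watermark is built, why a canonical-mode terminal leaves it invisible, and how
# guardian gateways correlate connections and walk back along a chain.
# Host names, gateway names and captured byte streams below are constructed.

ERASE = "\b"  # the backspace used as the covering part on the page


def make_watermark(identifying: str) -> str:
    """[identifying part] + [covering part], shaped like the page's example:
    one erase per identifying character, then a space and one more erase."""
    return identifying + ERASE * len(identifying) + " " + ERASE


def inject(original: str, watermark: str) -> str:
    """A watermark-enabled application appends the watermark to its output."""
    return original + watermark


def canonical_render(stream: str) -> str:
    """Model of a canonical-mode tty line discipline: each erase character removes
    the previously buffered character, so the watermark vanishes from the line the
    user sees, while it stays in the byte stream that the gateways observe."""
    buf = []
    for ch in stream:
        if ch == ERASE:
            if buf:
                buf.pop()
        else:
            buf.append(ch)
    return "".join(buf)


def scan_for_watermark(backward_streams: dict, watermark: str) -> list:
    """Watermark Correlation (WMC) at one guardian gateway: return the ids of the
    connections whose backward (server-to-client) stream carries the watermark."""
    return sorted(cid for cid, data in backward_streams.items() if watermark in data)


def trace_chain(gateways: dict, host_gateway: dict, target: str, watermark: str) -> list:
    """Active Tracing (AT): starting at the target's guardian gateway, find the
    incoming connection carrying the watermark, step to its client host, and wake
    that host's gateway.  Stops when no watermarked connection enters a host."""
    path, host, seen = [target], target, {target}
    while True:
        streams = gateways[host_gateway[host]]
        hits = [c for (c, s) in scan_for_watermark(streams, watermark) if s == host]
        if not hits or hits[0] in seen:
            return path
        host = hits[0]
        seen.add(host)
        path.append(host)


def false_match_bound(stream_len: int, ident_len: int, alphabet: int = 95) -> float:
    """Assumed collision model (not from the page): union bound on the probability
    that a random stream of stream_len printable characters contains a given
    ident_len-character identifying part by chance."""
    positions = max(stream_len - ident_len + 1, 0)
    return min(1.0, positions / float(alphabet ** ident_len))


# --- constructed scenario: intruder H0 -> H1 -> H2 -> target H3 ------------------
WATERMARK = make_watermark("intruder")
MARKED_ECHO = inject("Su", WATERMARK) + "\r\nPassword: "  # target echoes "Su" plus watermark
HOST_GATEWAY = {"H0": "GW0", "H1": "GW1", "H2": "GW2", "H3": "GW3"}
# Each gateway sees the backward streams of the (client, server) connections it forwards.
# The stepping stones relay application content unchanged, so the watermark survives.
GATEWAYS = {
    "GW3": {("H2", "H3"): MARKED_ECHO, ("H9", "H3"): "ls -l\r\n"},
    "GW2": {("H1", "H2"): MARKED_ECHO, ("H2", "H3"): MARKED_ECHO, ("H8", "H2"): "uptime\r\n"},
    "GW1": {("H0", "H1"): MARKED_ECHO, ("H1", "H2"): MARKED_ECHO},
    "GW0": {("H0", "H1"): MARKED_ECHO},  # nothing watermarked enters H0: it is the source
}

if __name__ == "__main__":
    print(repr(WATERMARK))
    print("terminal shows:", repr(canonical_render(inject("Su", WATERMARK))))
    print("GW3 hits:", scan_for_watermark(GATEWAYS["GW3"], WATERMARK))
    print("traced path:", " <- ".join(trace_chain(GATEWAYS, HOST_GATEWAY, "H3", WATERMARK)))
    print("false-match bound (1000 chars, 8-char id):", false_match_bound(1000, 8))
```

The walk stops at H0 because its gateway sees no watermarked connection entering H0, which is exactly the "clue" that lets an active tracer avoid the all-pairs comparison a passive approach needs; the unrelated connections from H8 and H9 are never considered.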

12 SWT Analysis
SWT Advantages
– Separates intrusion tracing from intrusion detection
– Does not need to record all concurrent connections
– Requires no clock synchronization
– Traces through the connection chain within a single keystroke
– Can trace through the connection chain even when the intruder is silent
Robustness and security
Efficiency
Scalability
Applicability
Intrusiveness

13 SWT Performance
SWT Guardian GW: Pentium 233Mhz FreeBSD Mbps
Measured latency for:
– FreeBSD kernel IP forwarding without SWT
– SWT configured to bypass traffic
– Divert socket IP forwarding without SWT
– SWT configured to scan traffic

14 SWT Latency
Latency overhead due to SWT itself is about 50 µs

15 Future Work
New forms of watermark
Correlate encrypted connection chains (ssh, IPsec etc.)
More watermark-enabled applications
Transparent proxy for watermark injection
Tracing-based active intrusion response
– What can be done once we have identified the intrusion source?