Active Response Sergio Caltagirone Master’s Thesis Defense May 9, 2005 Major Professor: Deb Frincke.

A Little Background… Clifford Stoll v. German Hackers (1986) – C. Stoll, “Stalking the Wily Hacker,” Communications of the ACM, vol. 31, 1998, pp. DoD v. Electronic Disturbance Theater (1998) Conxion v. E-Hippies (2000) FBI v. Russian Hackers (2001), a.k.a. the ‘Invita’ case

Where We’re At…

Where We Want To Be…

Why? Response is not a choice… Insufficient Protection on Imperfect Systems A Policy Is Necessary (even if not utilized) Vulnerable Systems – Air Traffic Control – SCADA Systems

Research Question Since any action or inaction is a response, what is an appropriate set of actions to take during a security event in order to mitigate the threat given the immense social and technical considerations of response?

Research Goals Framework for Discussion – Definition – Taxonomy – Summary of Challenges ADAM – Response Model – Decision Model – Algorithm Example – Evolutionary Implementation

Elements of a Definition Time Bound – Before an attack is not active response, after an attack is forensics – Self-defense Necessity/Imminent, Proportionality Technologically Independent – Humans and Computers can respond Purposeful – Not for retribution or revenge, but to return to a previous secure state

Definition of Active Response Any action sequence deliberately performed by an individual or organization between the time an attack is detected and the time it is determined to be finished, in an automated or non-automated fashion, in order to mitigate the identified threat’s negative effects upon a particular asset set. Active does not modify response, but rather describes the state of the attack

Taxonomy of Actions 8 Types – No Action – Internal Notification – Internal Response – External Cooperative Response – Non-cooperative Intelligence Gathering – Non-cooperative ‘Cease and Desist’ – Counter-Strike – Preemptive Defense

No Action Under attack, conscious decision to take no action

Internal Notification Contact Administrators Contact CTO, CEO, CISO Contact Users

Internal Response Write Firewall Rules (firewall signaling) – Block an IP, a range of IPs, or specific ports Strategic Segmentation/Disconnection – NAT, change subnets, re-address, remove port Drop Connections – TCP RST packet to client AND server – Use ICMP (port, host, network unreachable) – UDP – Unreliable, must come in sequence
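The firewall-signaling action above is the one most often automated, and it is also where the "own resources" and "collateral damage" challenges from later slides bite first. The following is an added example, not code from the thesis: it turns IDS alerts into temporary DROP rules, refuses to block the defender's own address space or impossible source addresses, and escalates from single-host rules to a range block only when several hosts in one /24 offend. The Alert fields, the PROTECTED ranges, the confidence and aggregation thresholds and the sample alerts are all assumptions constructed for the example.

```python
"""Firewall signaling with guard rails: turn IDS alerts into temporary block
rules, refusing to block the defender's own address space and escalating
from single-host to range blocks only when several hosts in one /24 offend.

Added example for this page, not the thesis's code.  The Alert fields, the
PROTECTED ranges, the confidence threshold and the aggregation threshold are
all assumptions; the sample alerts are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    src_ip: str
    dst_port: int
    confidence: float  # IDS confidence that the alert is genuine, 0.0 .. 1.0


# Constructed: the organisation's own address space; never written into a DROP rule
PROTECTED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed alert stream: three hosts in one /24, a single host elsewhere,
# one low-confidence alert, one alert naming our own server, one loopback source
SAMPLE_ALERTS = [
    Alert("203.0.113.10", 22, 0.95), Alert("203.0.113.11", 22, 0.90),
    Alert("203.0.113.12", 22, 0.85), Alert("198.51.100.7", 22, 0.99),
    Alert("198.51.100.8", 22, 0.50), Alert("10.0.0.5", 22, 0.99),
    Alert("127.0.0.1", 80, 0.99),
]


def plan_blocks(alerts, protected=PROTECTED, min_confidence=0.8,
                hosts_per_net=3, ttl_minutes=30):
    """Return (target_cidr, dst_port, ttl_minutes) rules; rules carry a TTL so
    that a false positive cannot lock a legitimate party out indefinitely."""
    offenders = defaultdict(set)  # dst_port -> set of offending IPv4 source addresses
    for alert in alerts:
        ip = ipaddress.ip_address(alert.src_ip)
        if alert.confidence < min_confidence:
            continue  # too uncertain to act on automatically; leave for a human
        if any(ip in net for net in protected):
            continue  # never turn the firewall against our own resources
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            continue  # cannot be a real remote source; blocking would be pointless
        offenders[alert.dst_port].add(ip)

    rules = []
    for port, hosts in sorted(offenders.items()):
        by_net = defaultdict(set)
        for ip in hosts:
            by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
        for net, members in sorted(by_net.items(), key=lambda kv: str(kv[0])):
            if len(members) >= hosts_per_net:
                rules.append((str(net), port, ttl_minutes))  # escalate to a range block
            else:
                rules.extend((f"{ip}/32", port, ttl_minutes) for ip in sorted(members))
    return rules


def render_iptables(rules):
    """Render the plan as iptables commands (strings only; nothing is executed here)."""
    return [f"iptables -I INPUT -s {target} -p tcp --dport {port} -j DROP"
            for target, port, _ttl in rules]


if __name__ == "__main__":
    for line in render_iptables(plan_blocks(SAMPLE_ALERTS)):
        print(line)
```

On the sample stream this yields one /32 rule for 198.51.100.7 and one /24 rule for 203.0.113.0/24; the low-confidence alert, the alert against 10.0.0.5 and the loopback source produce nothing. The TTL is returned with each rule so that whatever applies the rules can also schedule their removal.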

External Cooperative Response Contact CERT, FBI, Secret Service, Local Police, upstream ISPs – Dshield – Symantec

Non-Cooperative Intelligence Gathering Direct attacker to honeynet/honeypot Use tools to determine identity of attacker – Ping, finger, traceroute, lsrr packets

Non-Cooperative ‘Cease and Desist’ Use tools to disable harmful services without affecting usability – University scenario – Zombie Zapper by BindView

Counter-Strike Active Counter-Strike (direct action) – Worm focusing only on attacker IP or to trace back the attack and report – Straight hack-back Passive Counter-Strike (cyber aikido) – Footprinting Strike-Back (DNS) Send endless data, send bad data for illegitimate names (brute force) (e.g. defense networks), send SQL or bad data for illegitimate requests – Network Recon Strike Back Traceroute packets (ICMP “TTL Expired”) receive spoofed random addresses (creating any network we want)

Preemptive Defense Conxion vs. E-Hippies – Traffic Redirection DoD vs. Electronic Disturbance Theater – Killer applet

Challenges of Active Response Legal – Civil, Criminal, Domestic, International Ethical – Teleological, Deontological Technical – Traceback, Reliable IDS, Confidence Value, Real Time Risk Analysis – Measure ethical, legal risk effectively? Unintended Consequences – Attacker Action, Collateral Damage, Own Resources

Research Goals Framework for Discussion – Definition – Taxonomy – Summary of Challenges ADAM – Response Model – Decision Model – Algorithm Example – Evolutionary Implementation

Goals of ADAM Provide a generalizable, extendable model for any organization – Completely model the risk of the threat and AD actions – Find appropriate active defense solution for the threat – maximize benefit, minimize risk – Allow for automation – Provide legal (and ethical) due diligence

Response Process Model

Decision Model (components): AR Policy; Escalation Ladder; Asset Evaluation; Action Evaluation; Asset Identification; Threat Identification; Risk Identification; Goal Identification; Action Identification; Risk Identification; Utility Modifier; Success Ordering; Decision Set; Scoring Chart

Algorithm A pragmatic and implementable description of the process and decision model Illustrates the use of the decision model within the process of response

Solutions Provided by ADAM Ethicalness – Incorporates Teleological and Deontological ethical concerns Legal – No precedent: minimal force, proportional force, immediate threat Unintended Consequences – Statistical measure of confidence in action performing as expected (if confidence values provided by IDS) Risk Valuation – Provides statistical bounds for potential risk (if confidence values provided by IDS)
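The decision model's "maximize benefit, minimize risk" selection and its dependence on IDS confidence values can be illustrated with a small expected-utility calculation. The block below is an added example, not the thesis's scoring chart: each candidate action from the taxonomy carries an escalation rung, a benefit that is only realised if the alert is genuine, and a legal/ethical/collateral risk that is paid regardless. The AR policy caps the rung; among allowed actions the highest expected utility wins, with the lower rung breaking ties (minimal force). The candidate list and all numbers are constructed assumptions.

```python
"""Expected-utility action selection in the spirit of the decision model.

Added example for this page, not the thesis's own scoring chart.  The
candidate actions are taken from the taxonomy on the page; their rung,
benefit and risk values are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    name: str
    rung: int       # position on the escalation ladder (0 = no action)
    benefit: float  # fraction of the asset's value protected IF the alert is genuine
    risk: float     # legal/ethical/collateral cost as a fraction of asset value, paid regardless


# Constructed candidate set; the names come from the taxonomy, the numbers do not
CANDIDATES = [
    Action("No Action", 0, 0.0, 0.0),
    Action("Internal Notification", 1, 0.2, 0.0),
    Action("Block IP at firewall", 2, 0.7, 0.1),
    Action("Send TCP RST", 2, 0.5, 0.05),
    Action("Ask upstream ISP to filter", 3, 0.8, 0.15),
    Action("Counter-Strike", 5, 0.9, 0.9),
]


def expected_utility(action, p_genuine, asset_value):
    """Benefit is weighted by the IDS confidence; risk is incurred either way."""
    return p_genuine * action.benefit * asset_value - action.risk * asset_value


def choose_action(candidates, p_genuine, asset_value, max_rung):
    """Pick the allowed action with the highest expected utility.
    Ties go to the lower rung, i.e. the least forceful option."""
    allowed = [a for a in candidates if a.rung <= max_rung]
    return max(allowed, key=lambda a: (round(expected_utility(a, p_genuine, asset_value), 9), -a.rung))


def utility_bounds(action, p_lo, p_hi, asset_value):
    """Worst- and best-case utility when the IDS only gives a confidence interval."""
    return (expected_utility(action, p_lo, asset_value),
            expected_utility(action, p_hi, asset_value))


def break_even_confidence(action):
    """Minimum IDS confidence at which the action stops being a net loss."""
    return action.risk / action.benefit if action.benefit > 0 else float("inf")


if __name__ == "__main__":
    for p in (0.3, 0.9):
        best = choose_action(CANDIDATES, p, asset_value=100, max_rung=3)
        print(f"confidence {p}: {best.name}")
    print("counter-strike break-even confidence:",
          break_even_confidence(CANDIDATES[-1]))
```

With the constructed numbers, a 0.9-confidence alert against a 100-unit asset selects the ISP request when the policy allows rung 3, while a 0.3-confidence alert drops back to the firewall block. Counter-strike never wins even when the policy permits it: its break-even confidence is 1.0, so no realistic IDS output justifies it under this scoring.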

Research Goals Framework for Discussion – Definition – Taxonomy – Summary of Challenges ADAM – Response Model – Decision Model – Algorithm Example – Evolutionary Implementation

Evolutionary Model Competitive Co-Evolution – Genetic Algorithm Uses biologically equivalent operators (crossover, mutation, gene, chromosome, populations) Determines global maxima or minima Fitness Function / Value – Two competing populations, co-evolving Attackers / Defenders – Game Based Fitness: risk assumed by defenders

Evolutionary Model (parameters)
Paradigm: Generational
# of Populations: 2
Population Size: 60
# of Trials: 100
Parental Selection: Tournament
Elitism: Top 2
Mutation Type: Uniform Random Replacement
Mutation Rate: 1/n
Crossover Type: 2 point
Crossover Probability: 100%
# of Actions in Chromosome: 8
# Initial Actions: 4

Evolutionary Model (Defender) – defense actions, ordered by defense position: Null Action; Contact Administrator; Contact Chief Technology Officer; Shutdown port at firewall; Filter IP at firewall; Shutdown Server; Send TCP RST Packet; Ask ISP to Shut-off Attack; Contact FBI; Use Traceback; Send Virus Against IP; Initiate DoS Against IP; Attempt to Hack Attacker

Evolutionary Model (Attacker) – attack actions, ordered by attack position: Null Action; Spoof IP Address; Port Scan the Server; Ping the Server; DoS the Server; DDoS the Server w/ Zombies; Poison DNS; Hack Server, Install Backdoor; Hack Server, Download Records; Hack Server, Change Records; Send Virus Against Server
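To make the competitive co-evolution concrete, here is an added example (not the thesis's implementation) that runs the GA with the settings from the parameter slide: generational, two populations of 60, tournament selection, elitism of the top 2, uniform random replacement mutation at rate 1/n, two-point crossover at 100%, and chromosomes of 8 actions. The fitness is the risk assumed by the defender (defenders minimise it, attackers maximise it), as the slide states. Everything else is an assumption: the action sets are cut down to 5 defender and 4 attacker actions, the RISK payoff table is constructed, and "4 initial actions" is read as 4 random genes followed by 4 null actions.

```python
"""Competitive co-evolution of defender and attacker action sequences using the
GA settings listed on the slide.

Added example for this page, not the thesis's own code.  The action sets are
cut down to 5 defender and 4 attacker actions, the RISK payoff table is
constructed, and "4 initial actions" is interpreted as 4 random genes followed
by 4 null actions."""
import random

N_ACTIONS, INITIAL_ACTIONS = 8, 4          # actions per chromosome, initially active
POP_SIZE, ELITE, TOURNAMENT_K = 60, 2, 2   # population size, elitism top 2, tournament size
DEFENSE = ["Null", "Contact Admin", "Filter IP", "Send TCP RST", "Ask ISP"]
ATTACK = ["Null", "Port Scan", "DoS", "Hack Server"]
# Constructed: risk assumed by the defender for each (attack, defense) pair in one step
RISK = [
    [0, 1, 2, 2, 3],     # attacker idle: any response only costs resources
    [2, 2, 1, 1, 1],     # port scan
    [8, 7, 3, 5, 2],     # DoS
    [10, 8, 4, 6, 5],    # hack server
]


def risk_of(defender, attacker):
    """Total risk over the 8 steps of one defender/attacker pairing."""
    return sum(RISK[a][d] for a, d in zip(attacker, defender))


def random_chromosome(n_values, rng):
    active = tuple(rng.randrange(n_values) for _ in range(INITIAL_ACTIONS))
    return active + (0,) * (N_ACTIONS - INITIAL_ACTIONS)   # pad with null actions


def tournament(pop, fitness, rng):
    return max(rng.sample(pop, TOURNAMENT_K), key=fitness.__getitem__)


def two_point_crossover(p1, p2, rng):
    """Crossover probability is 100%: every parent pair is recombined."""
    i, j = sorted(rng.sample(range(1, N_ACTIONS), 2))
    return p1[:i] + p2[i:j] + p1[j:], p2[:i] + p1[i:j] + p2[j:]


def mutate(chrom, n_values, rng):
    """Uniform random replacement of each gene with probability 1/n."""
    rate = 1.0 / len(chrom)
    return tuple(rng.randrange(n_values) if rng.random() < rate else g for g in chrom)


def next_generation(pop, fitness, n_values, rng):
    ranked = sorted(pop, key=fitness.__getitem__, reverse=True)
    new = ranked[:ELITE]                     # elitism: top 2 survive unchanged
    while len(new) < len(pop):
        parents = tournament(pop, fitness, rng), tournament(pop, fitness, rng)
        new.extend(mutate(c, n_values, rng) for c in two_point_crossover(*parents, rng))
    return new[:len(pop)]


def fitness_tables(defenders, attackers):
    """Defender fitness = minus mean risk; attacker fitness = plus mean risk."""
    def_fit = {d: -sum(risk_of(d, a) for a in attackers) / len(attackers) for d in defenders}
    atk_fit = {a: sum(risk_of(d, a) for d in defenders) / len(defenders) for a in attackers}
    return def_fit, atk_fit


def evolve_defenders(attackers, generations=30, seed=1):
    """Evolve defenders against a fixed attacker set; with elitism the best risk
    per generation can never rise."""
    rng = random.Random(seed)
    defenders = [random_chromosome(len(DEFENSE), rng) for _ in range(POP_SIZE)]
    history = []
    for _ in range(generations):
        def_fit, _ = fitness_tables(defenders, attackers)
        history.append(-max(def_fit.values()))          # best defender's mean risk
        defenders = next_generation(defenders, def_fit, len(DEFENSE), rng)
    return defenders, history


def coevolve(generations=30, seed=1):
    """Both populations evolve against each other, generation by generation."""
    rng = random.Random(seed)
    defenders = [random_chromosome(len(DEFENSE), rng) for _ in range(POP_SIZE)]
    attackers = [random_chromosome(len(ATTACK), rng) for _ in range(POP_SIZE)]
    history = []
    for _ in range(generations):
        def_fit, atk_fit = fitness_tables(defenders, attackers)
        history.append(-max(def_fit.values()))
        defenders = next_generation(defenders, def_fit, len(DEFENSE), rng)
        attackers = next_generation(attackers, atk_fit, len(ATTACK), rng)
    return defenders, attackers, history


if __name__ == "__main__":
    defenders, attackers, history = coevolve()
    best = min(defenders, key=lambda d: sum(risk_of(d, a) for a in attackers))
    print("best defender:", [DEFENSE[g] for g in best])
    print("best-defender risk per generation:", [round(r, 1) for r in history])
```

Against a fixed attacker population the best-defender risk is monotonically non-increasing, which is what elitism guarantees; under co-evolution it is not, because the attackers move as well. That difference is the point of the two-population model: a defender strategy that only looks good against last generation's attackers is not a robust response policy.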

Results of Evolutionary Model Population fitnesses show that the model was correct w.r.t. evolutionary techniques IT IS POSSIBLE! – Proof-of-concept that reasonable active response strategies can be developed using the rationale behind ADAM Competitive co-evolution is a potential model for computer security relationships – First implementation applying the concept to a computer security scenario

Conclusions & Contributions The First Definition of Active Response Taxonomy of Actions – Illustrates that active response is more than strike-back methodology Summary of Challenges – Ethical, Legal, Risk Analysis, Technical, Unintended Consequences Response Process Model Decision Model – Max Benefit, Min Risk, Incorporates Legal & Ethical Active Defense Algorithm – Implementable version of process and decision model Evolutionary Active Response Model – Provides proof-of-concept

Future Work Simulate and Validate Model (Currently Ongoing – Medical/Univ/Financial) – R. Blue Further define taxonomy More work on applying evolutionary techniques – R. Blue, S. Gotshall Clearly define legal risks – A. Hubbard Generate More Discussion / Educate

Publications
Sergio Caltagirone, Deborah Frincke, "The Response Continuum," presented at the 6th IEEE Information Assurance Workshop, West Point, NY, USA, June.
Sergio Caltagirone, Deborah Frincke, "ADAM: Active Defense Algorithm and Model," in Aggressive Network Self-Defense, N.R. Wyler and G. Byrne, Eds. Rockland, MD, USA: Syngress Publishing, 2005, pp.
Sergio Caltagirone, "Questions About Active Response," 4th Workshop on the Active Response Continuum to Cyber Attacks, George Mason University, Fairfax, VA, USA, March.
Sergio Caltagirone, "Active Defense Decision and Escalation Model," 20th Annual Computer Security Applications Conference, Works In Progress, Tucson, AZ, USA, December.
Sergio Caltagirone, "An Active Defense Decision Model," presented at the Agora Workshop, University of Seattle, Seattle, WA, December 2003.

Thank You