Carleton University School of Computer Science. Exposure Maps: Removing Reliance on Attribution During Scan Detection. David Whyte, P.C. van Oorschot, Evangelos Kranakis.


Outline
- Scanning detection challenges
- Problems with attribution-based detection techniques
- Exposure Maps
- Experimental results
- Conclusions

Scanning Detection Challenges
- Sophisticated scanning techniques
  – Slow
  – Fragmented
  – Idle
  – Distributed (botnet)
- "I detected a scan"
  – Was it successful?
  – What did it reveal?
- Volume of Internet "white noise"
  – Backscatter
  – Worm propagation (known)
  – Network diagnostics
  – Web spiders
  – Wrong numbers

Attribution-based Scanning Detection
- Variety of scanning detection techniques
  – Observing connection failures
  – Abnormal network behaviour
  – Connections to darkspace
  – Increased connection attempts
- The majority of these rely on correlating scanning activity by the perceived last hop, i.e. the source address as seen by the monitor
- The focus of detection is who is scanning instead of what is being scanned

Shifting Focus
- Attribution is not practical for an increasing number of sophisticated scanning techniques
- A focus on attribution overlooks critical components of any observed scanning campaign:
  – What are my adversaries looking for?
  – Has the network's behaviour changed as a result of being scanned?
- Exemplar technique: Exposure Maps

Exposure Maps (1/2)
- Passively observe network traffic (training period)
- Ignore network traffic initiated from the inside
- Record only internal system responses to external events, such as:
  – TCP: SYN/ACK
  – TCP: RST
  – UDP: IP pairs list
  – ICMP: echo reply, host not found, time exceeded

Exposure Maps (2/2)
- Host Exposure Map (HEM)
  – Visible and enumerated services
  – The externally visible interface of an individual host
- Network Exposure Map (NEM)
  – Union of the HEMs in a target network
  – The externally visible interface of the network
- Let your adversaries do the vulnerability scanning for you!

Sample NEM (proof-of-concept)

Host | Description          | TCP Ports         | UDP Ports
-----|----------------------|-------------------|----------
     | Mail/DNS/HTTP Server | 22, 25, 80, 993,  |
     | DNS/HTTP Server      | 22, 80,           |
     | SSH Server           | 22                |

- Test network size: 1/4 Class C
- Test period: two weeks
- The NEM was stable within 12 hours of the start of the testing period

Scan Detection
- An incoming connection is defined as any atomic TCP connection, UDP datagram or ICMP datagram
- A connection attempt to a host/port combination outside of the NEM is considered a scan and is recorded
- No connection state tracking is required

Post-Scan Detection Activities
- Monitor changes in the NEM
  – Validate new services offered
  – Unexpected changes in the NEM may indicate compromise
- Monitor changes in network scanning activity
  – Spikes in scanning activity may indicate a new exploit
- Attribution remains possible after scan detection for most unsophisticated and certain classes of sophisticated scanning activity
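As an added example (not code from the slides or from the authors' implementation), the three steps above in compact form: build the NEM from internal responses during a training period, flag inbound attempts that fall outside it without keeping any connection state, and afterwards compare NEM snapshots and scan volumes. The packet records, the 10.0.0.0/24 internal range, and the choice to record a RST reply as a host-only entry (port None) rather than a service are assumptions made for this illustration.

```python
from collections import Counter, namedtuple

# Assumption for this example: the monitored network is 10.0.0.0/24 (constructed).
INTERNAL_PREFIX = "10.0.0."

# One packet observation. `kind` is the event the exposure-map logic cares about:
#   tcp: "syn" | "synack" | "rst"   udp: "data"
#   icmp: "echo-req" | "echo-reply" | "unreach" | "time-exceeded"
Pkt = namedtuple("Pkt", "ts proto src dst sport dport kind")


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def build_nem(packets):
    """Training: keep only internal responses to external events.

    NEM entries are (host, proto, port-or-type). Assumption: SYN/ACK exposes a
    TCP service; RST exposes only the host's existence (port None); a UDP reply
    counts only if that external peer sent a datagram to the host earlier (the
    'UDP IP pairs list'); ICMP replies/errors are recorded by type.
    """
    nem, udp_pairs = set(), set()
    for p in packets:
        inbound = is_internal(p.dst) and not is_internal(p.src)
        outbound = is_internal(p.src) and not is_internal(p.dst)
        if inbound and p.proto == "udp":
            udp_pairs.add((p.src, p.dst))
        if not outbound:
            continue
        if p.proto == "tcp" and p.kind == "synack":
            nem.add((p.src, "tcp", p.sport))
        elif p.proto == "tcp" and p.kind == "rst":
            nem.add((p.src, "tcp", None))
        elif p.proto == "udp" and (p.dst, p.src) in udp_pairs:
            nem.add((p.src, "udp", p.sport))
        elif p.proto == "icmp" and p.kind in ("echo-reply", "unreach", "time-exceeded"):
            nem.add((p.src, "icmp", p.kind))
        # Outbound SYNs, unsolicited UDP and echo requests were initiated inside: ignored.
    return nem


def detect_scans(nem, packets):
    """Any inbound attempt to a host/port outside the NEM is a scan; no state is kept."""
    scans = []
    for p in packets:
        if not (is_internal(p.dst) and not is_internal(p.src)):
            continue
        if p.proto == "tcp" and p.kind == "syn":
            key = (p.dst, "tcp", p.dport)
        elif p.proto == "udp":
            key = (p.dst, "udp", p.dport)
        elif p.proto == "icmp" and p.kind == "echo-req":
            key = (p.dst, "icmp", "echo-reply")  # the exposure an echo request probes for
        else:
            continue
        if key not in nem:
            scans.append((p.ts, p.src, key))
    return scans


def nem_changes(old_nem, new_nem):
    """Post-scan monitoring: entries added since the last snapshot need validating."""
    return {"added": sorted(new_nem - old_nem, key=repr),
            "removed": sorted(old_nem - new_nem, key=repr)}


def scan_rate_spikes(scans, window, factor=3.0):
    """Windows whose scan count exceeds `factor` times the mean of all earlier windows."""
    if not scans:
        return []
    counts = Counter(ts // window for ts, _, _ in scans)
    first, last = min(counts), max(counts)
    series = [counts.get(w, 0) for w in range(first, last + 1)]
    return [first + i for i in range(1, len(series))
            if series[i] > factor * (sum(series[:i]) / i)]


# Constructed training traffic (the slides used two weeks; a few packets suffice here).
TRAINING = [
    Pkt(0, "tcp", "198.51.100.7", "10.0.0.5", 40001, 25, "syn"),
    Pkt(1, "tcp", "10.0.0.5", "198.51.100.7", 25, 40001, "synack"),
    Pkt(2, "tcp", "10.0.0.5", "198.51.100.7", 22, 40002, "synack"),
    Pkt(3, "udp", "198.51.100.9", "10.0.0.5", 5353, 53, "data"),
    Pkt(4, "udp", "10.0.0.5", "198.51.100.9", 53, 5353, "data"),
    Pkt(5, "udp", "10.0.0.7", "203.0.113.2", 123, 123, "data"),   # initiated inside
    Pkt(6, "tcp", "10.0.0.7", "203.0.113.2", 50000, 443, "syn"),  # initiated inside
    Pkt(7, "icmp", "10.0.0.5", "198.51.100.7", None, None, "echo-reply"),
    Pkt(8, "tcp", "10.0.0.7", "198.51.100.7", 80, 40003, "rst"),
]

# Constructed live traffic after training.
LIVE = [
    Pkt(100, "tcp", "192.0.2.10", "10.0.0.5", 41000, 25, "syn"),    # in the NEM
    Pkt(101, "tcp", "192.0.2.10", "10.0.0.5", 41001, 3389, "syn"),  # scan
    Pkt(102, "tcp", "192.0.2.10", "10.0.0.7", 41002, 22, "syn"),    # scan
    Pkt(103, "udp", "192.0.2.11", "10.0.0.5", 5354, 53, "data"),    # in the NEM
    Pkt(104, "icmp", "192.0.2.12", "10.0.0.9", None, None, "echo-req"),  # scan
    Pkt(105, "tcp", "10.0.0.5", "192.0.2.10", 25, 41000, "synack"),  # a response, not an attempt
]
```

Running `detect_scans(build_nem(TRAINING), LIVE)` yields three scan records: the RDP probe and the SSH probe on 10.0.0.7, neither of which is in the NEM, and the ping of a host that never answered during training. The SYN to port 25 and the DNS query land inside the NEM and are never inspected further, which is what keeps the detector free of per-connection state.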

Detected Scanning Activity

Conclusions
- Shifting focus away from attribution during scan detection may provide a means to detect sophisticated scanning campaigns
- The true insight to be gained from scan detection is not who is scanning you but what they are scanning for

Discussion …

Observed Sophisticated Scanning
- "Slice and dice" the recorded scans using a variety of attributes
- Slow scan: pcAnywhere, ~15 minute intervals
- Possible distributed scan: 6 systems from the same Class C network with the same scanning footprint
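An added example, not from the slides, of slicing recorded scans by two of the attributes mentioned: the interval between a source's probes (to surface slow scans that a rate threshold never sees) and the source /24 combined with the probed-port footprint (to surface possible distributed scans). The scan records are constructed; TCP 5631 is pcAnywhere's registered data port and is an assumption of this example, not a value from the slides.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed scan records as the detector would log them:
# (timestamp in seconds, source ip, target host, proto, port)
SCANS = (
    # one source probing pcAnywhere (TCP 5631) on successive hosts every 15 minutes
    [(t * 900, "198.51.100.20", f"10.0.0.{t + 1}", "tcp", 5631) for t in range(4)]
    # a conventional fast scan from a single source
    + [(10 + i, "203.0.113.5", "10.0.0.9", "tcp", port) for i, port in enumerate((21, 22, 23))]
    # three sources in one /24, each with the same footprint (the same two ports)
    + [(5000 + i, f"192.0.2.{i + 1}", f"10.0.0.{i + 20}", "tcp", port)
       for i in range(3) for port in (139, 445)]
    # a neighbour in that /24 with a different footprint
    + [(5100, "192.0.2.4", "10.0.0.30", "tcp", 80)]
)


def slow_scanners(scans, min_interval, min_probes=3):
    """Sources with at least `min_probes` probes that are all `min_interval`
    seconds or more apart. Returns {source: mean gap in seconds}."""
    times = defaultdict(list)
    for ts, src, *_ in scans:
        times[src].append(ts)
    result = {}
    for src, ts_list in times.items():
        if len(ts_list) < min_probes:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if min(gaps) >= min_interval:
            result[src] = sum(gaps) / len(gaps)
    return result


def distributed_candidates(scans, prefix_len=24, min_sources=3):
    """Groups of sources that share a network prefix and a scanning footprint
    (the set of proto/port pairs probed). Returns {network: sorted sources}."""
    footprint = defaultdict(set)
    for _, src, _, proto, port in scans:
        footprint[src].add((proto, port))
    groups = defaultdict(set)
    for src, fp in footprint.items():
        net = str(ip_network(f"{src}/{prefix_len}", strict=False))
        groups[(net, frozenset(fp))].add(src)
    return {net: sorted(srcs) for (net, _), srcs in groups.items()
            if len(srcs) >= min_sources}
```

With these records `slow_scanners(SCANS, 600)` returns only the pcAnywhere source with a 900-second mean gap, and `distributed_candidates(SCANS)` returns the three 192.0.2.0/24 sources while leaving out their neighbour whose footprint differs. Both slices are cheap because they run over the small set of recorded scans rather than over raw traffic.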

Exposures vs. Scanning Activity
- Network scanning possibilities
- In practice: |NEM| < |A| < |E|