Towards trapping wily intruders in the large
Glenn Mansfield, Kohei Ohta, Yohsuke Takei, Nei Kato, Yoshiaki Nemoto
Cyber Solutions Inc., Tohoku University

Presentation transcript:

Slide 1: Towards trapping wily intruders in the large
Glenn Mansfield, Kohei Ohta, Yohsuke Takei, Nei Kato, Yoshiaki Nemoto
Cyber Solutions Inc., Tohoku University
RAID’99, September 7-9, 1999

Slide 2: outline
- background
  – network-based illegal access detection
- characteristics of network intrusions
  – signatures of intrusions
- detection of intrusion from traffic-flow
  – traffic-flow signature
  – correlation of signatures
  – experimental evaluation
- map-based distributed intrusion tracking
- conclusion

Slide 3: background
- Network-based illegal access detection
  – rapid increase in network bandwidth
  – devious techniques (e.g. spoofing) used by the hackers

Slide 4: Suspicious Behavior
[figure: signatures of suspicious behaviour, labelled "Repeated Failures" and "Knocking at several doors"]

Slide 5: characteristics of network intrusions (I)
- Signals from TCP-Reset characteristics

Slide 6: characteristics of network intrusions (II)
- Number of ICMP-UR (unreachable) packets (port SNMP(161))

Slide 7: characteristics of network intrusions (III)
- ICMP destination port unreachable messages for the SNMP port (under scan)

Slide 8: characteristics of network intrusions (IV)
- Distribution of inter-message interval
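Slides 4 to 8 list the signals a monitor can read without looking at packet contents: TCP resets, ICMP destination-port-unreachable replies for SNMP (161), repeated failures, failures against several hosts, and the distribution of the interval between them. The block below is an added example, not the authors' tool: it builds such a per-source failure signature from constructed packet summaries (the record layout, the field names and the thresholds are assumptions) and flags sources whose failures hit several hosts at machine-regular intervals.

```python
"""Per-source failure signature from TCP RST / ICMP port-unreachable signals.
Added example over constructed packet summaries; the record layout and the
thresholds are assumptions, not taken from the paper."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet summaries (not captured traffic):
# time_s proto src dst dport signal -- src is the host whose probe elicited
# the failure, dst the host that answered with a RST or an ICMP unreachable.
SAMPLE_LOG = """\
1.00 icmp 10.0.0.5 192.0.2.10 161 port-unreachable
1.50 icmp 10.0.0.5 192.0.2.11 161 port-unreachable
2.00 icmp 10.0.0.5 192.0.2.12 161 port-unreachable
2.50 icmp 10.0.0.5 192.0.2.13 161 port-unreachable
3.00 icmp 10.0.0.5 192.0.2.14 161 port-unreachable
3.50 tcp 10.0.0.5 192.0.2.15 23 rst
4.00 tcp 10.0.0.5 192.0.2.16 23 rst
0.80 icmp 10.0.0.9 192.0.2.10 161 port-unreachable
9.30 tcp 10.0.0.9 192.0.2.10 22 rst
"""

FAILURE_SIGNALS = {"rst", "port-unreachable"}


def parse_records(text):
    """Turn summary lines into dicts, keeping only failure signals."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed line: skip it rather than stop the monitor
        t, proto, src, dst, dport, signal = fields
        if signal in FAILURE_SIGNALS:
            records.append({"time": float(t), "proto": proto, "src": src,
                            "dst": dst, "dport": int(dport), "signal": signal})
    return records


def build_signatures(records):
    """Per source: number of failures, distinct targets ('doors knocked on'),
    SNMP-port unreachables, and the inter-message interval distribution."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec)
    signatures = {}
    for src, recs in by_src.items():
        times = sorted(r["time"] for r in recs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = mean(gaps) if gaps else 0.0
        spread = pstdev(gaps) if len(gaps) > 1 else 0.0
        signatures[src] = {
            "failures": len(recs),
            "doors": len({r["dst"] for r in recs}),
            "snmp_unreachable": sum(1 for r in recs
                                    if r["dport"] == 161
                                    and r["signal"] == "port-unreachable"),
            "mean_interval": mean_gap,
            # coefficient of variation: near 0 means machine-regular timing
            "interval_cv": (spread / mean_gap) if mean_gap else 0.0,
        }
    return signatures


def suspicious_sources(signatures, min_failures=5, min_doors=3, max_cv=0.5):
    """Flag sources with repeated failures against several hosts at regular
    intervals; the thresholds are illustrative, not from the paper."""
    return sorted(src for src, s in signatures.items()
                  if s["failures"] >= min_failures
                  and s["doors"] >= min_doors
                  and s["interval_cv"] <= max_cv)


if __name__ == "__main__":
    sigs = build_signatures(parse_records(SAMPLE_LOG))
    for src, sig in sigs.items():
        print(src, sig)
    print("suspicious:", suspicious_sources(sigs))
```

The signature is built from the failure replies only, so it works whether or not the probes themselves were encrypted or otherwise manipulated; a single host that hits one closed port twice (10.0.0.9 above) stays below the "several doors" threshold and is not flagged.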

Slide 9: detection of intrusion from traffic-flow signature
- Packet contents may be encrypted
- Packet contents may be manipulated
- The traffic volume may be very large

Slide 10: Traffic-flow signature (1)

Slide 11: Traffic-flow signature (2)

Slide 12: correlating traffic-flow signature
Correlation of traffic patterns: correlation coefficient r (A, B are two flows)

Slide 13: experimental evaluation (configuration)
- 100Mbps FDDI backbone network
- ICMP echo request/reply messages

Slide 14: relay of ICMP echo reply
- A burst of ICMP echo reply triggered by broadcast ping (Smurf)

Slide 15: relay of ICMP echo request
- A cluster of ICMP echo request triggering the bursty ICMP reply

Slide 16: ChaIn: Charting the Internet
IPA: Information technology Promotion Agency, Japan (

Slide 17: map-based intrusion tracking

Slide 18: inter-N/W communication I
- Traffic monitoring at the N/W border
  – watch all the traffic
  – process only suspicious packets
- Use network configuration information to trap and/or track down the intruder
- Communication using SNMP(v3) notifications

Slide 19: inter-N/W communication II
[figure: detection systems exchanging SNMP INFORM PDUs, with the endpoints labelled ftp://… and snmp://…]

Slide 20: Network Security Using Maps
[figure: map of AS 0, AS 1, AS 2 and AS 3 with an Intruder and a Monitor; monitors exchange the query "Saw this?", answered Yes or No, and a flow is marked "Suspicious !!"]
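Slide 12 names the correlation coefficient r of two flows A and B, slides 14 and 15 show the same echo-reply burst seen at different points, and slide 20 shows monitors asking each other "Saw this?" over a map of ASes. The block below is an added example that ties the three together; it is not the authors' ChaIn tool. It takes r to be Pearson's product-moment coefficient (the slide names r but gives no formula), and the AS map, the per-AS echo-reply counts and the 0.8 "yes" threshold are all constructed.

```python
"""Correlating a traffic-flow signature between monitors and walking a
network map toward the flow's entry point. Added example; r is taken to be
Pearson's product-moment coefficient (the slide names r but not its formula),
and the AS map, the per-AS flows and the 0.8 threshold are constructed."""
from math import sqrt


def correlation(a, b):
    """Pearson correlation coefficient r of two equal-length flows A and B,
    each a list of packet counts per time bin."""
    n = len(a)
    if n != len(b) or n < 2:
        raise ValueError("flows must be equal-length series of at least 2 bins")
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 0.0  # a flat flow carries no pattern to correlate with
    return cov / sqrt(var_a * var_b)


# Constructed map: which ASes peer with which (undirected adjacency).
AS_MAP = {
    "AS 0": ["AS 1"],
    "AS 1": ["AS 0", "AS 2", "AS 3"],
    "AS 2": ["AS 1"],
    "AS 3": ["AS 1"],
}

# Constructed ICMP echo-reply counts per second at each AS's monitor.
# AS 0 is the victim of a reply burst; AS 1 and AS 3 forwarded it; AS 2 did not.
FLOWS = {
    "AS 0": [2, 3, 40, 55, 48, 4, 2, 3],
    "AS 1": [1, 2, 38, 52, 45, 3, 1, 2],
    "AS 2": [5, 6, 4, 5, 6, 5, 4, 6],
    "AS 3": [0, 1, 30, 44, 39, 1, 0, 1],
}


def saw_this(flow, signature, threshold=0.8):
    """A monitor's answer to 'Saw this?': yes when its own flow correlates
    with the queried signature at or above the threshold."""
    return correlation(flow, signature) >= threshold


def track(as_map, flows, victim, threshold=0.8):
    """Walk outward from the victim over neighbours whose monitors answer yes.
    Returns (ASes that saw the flow, entry ASes beyond which no further
    neighbour saw it); an entry AS is where the flow came into the mapped
    region. If no neighbour of the victim saw it, the victim itself is the
    entry, i.e. the source is inside its own network."""
    signature = flows[victim]
    seen = {victim}
    frontier = [victim]
    entry_points = []
    while frontier:
        current = frontier.pop()
        onward = [n for n in as_map[current]
                  if n not in seen and saw_this(flows[n], signature, threshold)]
        if not onward:
            entry_points.append(current)  # the trail ends here
        for n in onward:
            seen.add(n)
            frontier.append(n)
    return sorted(seen), sorted(entry_points)


if __name__ == "__main__":
    for name in sorted(FLOWS):
        print(name, "r =", round(correlation(FLOWS["AS 0"], FLOWS[name]), 3))
    seen, entry = track(AS_MAP, FLOWS, "AS 0")
    print("saw the flow:", seen, "entry point(s):", entry)
```

Because the query carries only the shape of the flow (counts per bin), not packet contents or source addresses, a spoofed source address does not help the sender: the walk follows where the burst was actually observed. The flat background traffic in AS 2 correlates close to zero with the burst and takes that branch out of the search.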

Slide 21: conclusion
- Profiling network traffic to distinguish normal usage from abnormal or ill-intentioned usage
- Monitoring suspicious signals in a distributed information collection framework
- A new technique based on packet flow monitoring to counter the threats posed by spoofing
- Use of network configuration information to track down intruders
- Use of an SNMP-based messaging system