Copyright © 2003 OPNET Technologies, Inc. Confidential, not for distribution to third parties. Session 1341: Case Studies of Security Studies of Intrusion.

Presentation transcript:

Session 1341: Case Studies of Security Studies of Intrusion Traffic Patterns Using OPNET. Mian Zhou, Sheau-Dong Lang, University of Central Florida.

Outline
- Simulation of network intrusion scenarios.
- Testing a frequency-based intrusion detection strategy.
- Studying the effects of transmission delays on our detection strategy.

Our Approach to Intrusion Simulation
- Use OPNET to simulate intrusion scenarios by replaying the network traffic.
- Traffic data sources: the publicly available datasets from the MIT Lincoln Lab, and self-generated attack traffic.
- Attack tools: Nmap, Battle.
- Sniffer: Ethereal.

Simulation using OPNET
[Figure: the network domain, the node domain, the process domain, and the C code for a process node]

Pre-processing Traffic Data
- Process the TCPDUMP data to extract: the packet inter-arrival times; the traffic duration; a list of the distinct IP addresses in the traffic source.
- Build a network model with end nodes corresponding to the extracted IP addresses.

OPNET Model: Packet Generator
[Figure: the attribute panel of the packet generator, with scripted packet inter-arrival times calculated from pre-processing the source data]
Packet format: drop the payload of the original packets but retain the IP header information, including IP address, port number, packet size, time stamp, flags, etc.

Two Sample Outputs from Simulation of the ProcessTable Attack
Data source: 1999 Lincoln Lab Week 5 outside data. DoS attack: ProcessTable.
[Figure: (a) number of distinct port connections to a victim; (b) data traffic to port 25 of the victim PC]

Frequency-based Intrusion Detection
- Observation: certain network attacks are executed by running pre-written scripts which automate the process of connecting to various ports, sending packets with fabricated payloads, etc.
- Frequency-based intrusion detection: use the Discrete Fourier Transform (DFT) to identify periodicity patterns.
- Where to find the periodicity patterns: the time series of packet inter-arrival times; the time series of packet arrival rates; the size distribution of packet payloads.

Overall Detection Strategy
[Flowchart] Traffic data → parse → new connections → connection history → variance analysis (the average variance of packet size for each connection is compared with a threshold value; trusted connections are passed) → generate the time-series data (a data sequence for each connection gives a local frequency pattern; a data sequence for multiple connections gives a global frequency pattern) → DFT → report attacks.

Frequency Extraction by Discrete Fourier Transform (DFT)
For a given data sequence s(n), where n ≥ 0 is a discrete value representing the time, its DFT coefficients F(k), 0 ≤ k ≤ N−1, where N is the length of s(n), are defined as follows: [Equation: definition of F(k)]. Expanding the right-hand side yields [Equation: expanded form]. Using the Fast Fourier Transform (FFT) procedure, the frequency data F(k) can be computed in O(N log N) time.

Detection Results: the ProcessTable Attack
[Figure: frequency patterns extracted by DFT on the inter-arrival times of six connections] Connections 2 and 4 show periodicity patterns. The traffic of connection 2 is the ProcessTable attack; connection 4 is a Probe attack, which probes the target's ports ranging from 1794 to

Detection Results: the Dictionary Attack
[Figure: frequency patterns on the inter-arrival times of six connections for the Dictionary attack] Connection 2 shows the password guessing (dictionary) attack.

Detection Results: the sshProcessTable Attack
[Figure: frequency patterns of the packet arrival rates of six connections for the sshProcessTable attack; connection 2 contains the attack traffic]
[Figure: frequency patterns of the inter-arrival times of six connections; connection 2 shows the attack traffic]

The Effect of Transmission Delays on Frequency Patterns
[Figure: the spectrum (frequency patterns) of three time-series data, where the original data values ∈ [0.002, 0.5]. (a) The spectrum of the original data series X(t). (b) The spectrum of X(t) + exp(0.5) (exponentially distributed delay with mean value 0.5 seconds). (c) The spectrum of X(t) + exp(5).]
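The DFT-based periodicity check and the X(t) + exp(mean) delay series described above, as an added example that is not part of the presentation: a pure-Python DFT over a constructed inter-arrival series, a peak-to-mean periodicity score (the score and its threshold are assumptions, not the authors' measure), and the exponential-delay series, so that the blurring of the spectrum as the delay mean grows can be reproduced.

```python
import cmath
import math
import random


def dft_magnitudes(s):
    """|F(k)| for k = 0..N-1 using the standard DFT
    F(k) = sum_n s(n) * exp(-2*pi*i*k*n/N).  O(N^2) is fine for the short
    per-connection sequences used here; an FFT gives identical values."""
    n = len(s)
    return [abs(sum(s[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)))
            for k in range(n)]


def periodicity_score(inter_arrivals):
    """Strongest non-DC spectral line divided by the mean non-DC line
    (assumed measure).  A periodic, scripted series concentrates its energy
    in a few lines and scores high; random traffic spreads it and scores low."""
    mags = dft_magnitudes(inter_arrivals)[1:]  # drop k = 0, the series mean
    return max(mags) / (sum(mags) / len(mags))


def with_delay(inter_arrivals, mean, seed):
    """The slide's X(t) + exp(mean): add an exponentially distributed delay
    with the given mean (seconds) to every inter-arrival value."""
    rng = random.Random(seed)
    return [x + rng.expovariate(1.0 / mean) for x in inter_arrivals]


def classify(inter_arrivals, threshold=10.0):
    """Flag a connection whose score exceeds the (assumed) threshold."""
    return periodicity_score(inter_arrivals) > threshold


# Constructed sample data: a scripted probe sends three packets 10 ms apart,
# then pauses one second, repeated 16 times (N = 64).
SCRIPTED = [0.01, 0.01, 0.01, 1.0] * 16
# Constructed background traffic: exponential inter-arrivals, mean 0.1 s.
BACKGROUND = [random.Random(7).expovariate(10.0) for _ in range(64)]
# The two delayed variants from the slide, with mean 0.5 s and 5 s.
SCRIPTED_DELAY_05 = with_delay(SCRIPTED, 0.5, seed=1)
SCRIPTED_DELAY_5 = with_delay(SCRIPTED, 5.0, seed=1)

if __name__ == "__main__":
    for name, series in (("scripted", SCRIPTED), ("background", BACKGROUND),
                         ("scripted + exp(0.5)", SCRIPTED_DELAY_05),
                         ("scripted + exp(5)", SCRIPTED_DELAY_5)):
        print(f"{name:22s} score={periodicity_score(series):6.2f} "
              f"flagged={classify(series)}")
```

For the clean scripted series only the three harmonics at k = 16, 32 and 48 are non-zero, so the score is exactly 63/3 = 21; the exp(5) delay swamps those lines and the score falls to the noise level.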

Transmission Delay in LANs
[Figure: a simple LAN, in which the web client sends traffic to three servers; we collected the inter-arrival times of the traffic to the main server]
[Figure: the profile configuration panel]

The Effect of Transmission Delays
[Figure: the inter-arrival times and frequency patterns collected (a) at the sender (the web client) and (b) at the receiver (the main server)]
[Figure: frequency patterns collected at the main server when other types of explicit traffic loads are added to the web client traffic]

Transmission Delays in WANs
[Figure: a WAN in which the site Dublin sends traffic to the site London through an Internet cloud. Other types of traffic, such as and ftp, are created by the other 5 nodes and coexist with the custom traffic from Dublin.]
[Figure: the configuration panel for the Internet cloud, where we specify the statistical distribution of the packet latency caused by traversing the Internet]
The packet delivery process of the custom traffic is controlled by scripted packet time intervals.

The Effect of Transmission Delays in WANs
[Figure: frequency patterns of the packet inter-arrival times with different Internet transmission delays; the distributions for the transmission delay include constant, uniform, and exponential]
[Figure: frequency patterns of the packet inter-arrival times with exponentially distributed transmission delays; the spectrum starts to deviate from the original as the mean value increases]

Conclusions
- Frequency-based intrusion detection
  - Detects anomalous traffic behaviors (those that contain periodicity patterns).
  - Improves the effectiveness of signature-based intrusion detection systems when combined with other simple statistical features of the traffic data.
  - Needs measures to counter attacks with randomized scripts.
  - Is limited to attacks with relatively long duration and heavy load.
- Transmission delay on frequency patterns
  - Frequency patterns will not be affected by a near-constant transmission delay.
  - Frequency patterns persist in LANs.
  - In WANs, further studies on packet latency are required.