Mapping Internet Sensors with Probe Response Attacks Authors: John Bethencourt, Jason Franklin, Mary Vernon Published At: Usenix Security Symposium, 2005.


Presented By: Anvita Priyam

Internet Sensor Networks: Used as a tool to detect malicious Internet traffic, e.g. honeypots and log analysis centers. They publish public reports without disclosing sensor locations. Maintaining sensor anonymity is critical.

Overview: Central Idea; Internet Storm Center (ISC) Background; Probe Response Attack; Countermeasures; Weaknesses; Suggestions.

Central Idea: This paper presents an attack technique, "Probe Response", that is capable of determining the location of Internet sensors whose statistics are publicly displayed. It uses the SANS Internet Storm Center as a case study.

Motivation for the attack: The focus is on Internet sensors that enable collaborative intrusion detection through a wide-area perspective of the Internet. (Figure: log sources feeding a central statistics repository.)

Case Study: The SANS Internet Storm Center (ISC). A system that collects data from Internet sensors and publishes public reports. It analyzes and aggregates this information and automatically publishes several types of reports. These reports are useful for detecting new worms and blacklisting hosts controlled by malicious users.

Port Report: The attacks are primarily concerned with port reports. For each port the report gives three statistics: (1) Number of reports: total entries in the log; (2) Number of sources: distinct source IP addresses seen with the given port; (3) Number of targets: distinct destination IP addresses.

Example

Probe Response Attack, The Big Picture. Core Idea: probe an IP address with activity that will be reported to the ISC. (Flowchart: the attacker sends packets to an address; if the address is not monitored, look for the next IP address; if it is monitored, check the reports; if the activity is reported, the host is submitting logs to the ISC.)

Basic Probe Response Algorithm: Consists of two stages. First Stage: (1) Begins with an ordered list of IP addresses (0, 1, 2, ...) to check. (2) All invalid or unroutable addresses are filtered out. (3) SYN packets are sent on port P_i to each address in interval S_i.

First Stage (cont'd): Wait for 2 hours and retrieve the port report. Intervals lacking activity are discarded. The remaining intervals are passed to the 2nd stage together with the number of monitored addresses in each.

Second Stage: Repeats until the attack is complete. Distribute the ports among the remaining intervals. Divide each interval into subintervals. Send packets to every subinterval except the last.

Second Stage (cont'd): For each subinterval of a remaining interval, retrieve the report. Number in the last subinterval = (total in that interval) - (number in the other subintervals). Empty subintervals are discarded. The remaining subintervals become the new set of remaining intervals. Continue dividing until only monitored or unmonitored addresses are left.

Example

Dealing with noise: Sources other than the attacker may be sending packets to a monitored address with the same destination ports. This increases the number of targets reported and causes the algorithm to produce both false positives and false negatives. However, for a large number of ports this noise is low. Use a report noise cancellation factor: send a multiple number of packets per address and, while reviewing the reports, divide the counts by the same factor.
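To make the two-stage procedure from the algorithm slides and the noise handling on this slide concrete, here is an added toy simulation (not code from the paper, the presenter, or the ISC): it runs the interval-splitting inference against a constructed integer address space and a constructed sensor set, with the report noise cancellation factor applied when reading the synthetic report. N, PORTS, MONITORED, make_report and infer_monitored are all assumed names of this model.

```python
"""Toy simulation of the interval-splitting inference described above.
Added example, not the paper's or the ISC's code: integers 0..N-1 stand in
for the address space, MONITORED for sensor addresses, and make_report()
for the public per-port 'number of reports' statistic (all constructed)."""
import random

N = 4096        # size of the constructed address space
PORTS = 8       # ports the probing side may use per report round
MONITORED = frozenset({17, 18, 19, 1000, 2047, 2048, 3999})  # constructed


def make_report(monitored, probes, cancel, noise_per_port, rng):
    """Public report for one round: port -> log entries. Each probed
    address is hit `cancel` times; other sources add random noise."""
    return {port: cancel * sum(a in monitored for a in addrs)
                  + rng.randint(0, noise_per_port)
            for port, addrs in probes.items()}


def infer_monitored(monitored, cancel=4, noise_per_port=0, seed=1):
    """Return (addresses inferred as monitored, report rounds used)."""
    rng = random.Random(seed)
    # First stage: one port per interval; count = reports / cancel factor.
    step = N // PORTS
    intervals = [range(i, i + step) for i in range(0, N, step)]
    rep = make_report(monitored, dict(enumerate(intervals)),
                      cancel, noise_per_port, rng)
    pending = [(iv, round(rep[p] / cancel)) for p, iv in enumerate(intervals)
               if round(rep[p] / cancel) > 0]       # empty intervals dropped
    found, rounds = set(), 1
    # Second stage: halve each live interval, probe only the first half and
    # get the second half's count by subtraction from the interval total.
    while pending:
        batch, pending = pending[:PORTS], pending[PORTS:]
        probes = {p: iv[:len(iv) // 2] for p, (iv, _) in enumerate(batch)}
        rep = make_report(monitored, probes, cancel, noise_per_port, rng)
        rounds += 1
        for p, (iv, total) in enumerate(batch):
            first = min(round(rep[p] / cancel), total)
            halves = [(probes[p], first), (iv[len(iv) // 2:], total - first)]
            for sub, cnt in halves:
                if cnt <= 0:
                    continue                  # nothing monitored here
                if cnt >= len(sub):
                    found.update(sub)         # every address is monitored
                else:
                    pending.append((sub, cnt))
    return found, rounds
```

With noise_per_port=1 and cancel=4 the division still recovers the exact counts, while cancel=1 under the same noise lets single stray log entries turn into wrongly split intervals; that is the effect the cancellation factor is meant to suppress.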

Simulation of Attack: First scenario, determine the exact set of monitored addresses (accurate but time consuming). Second scenario, find a superset and a subset of the monitored addresses. Use three different attackers: T Mbps upload bandwidth, T Mbps upload bandwidth, OC Mbps upload bandwidth.

Results

Finding a Superset: Maximum false positive rate = 0.94. Report noise cancellation factor = 4. The runtime of the attack is reduced from 112 to 78 hours. Accepts around 3.5 million false positives, which had little effect on the number of probes.

Finding a Subset: Maximum false negative rate = . Report noise cancellation factor = 2. Reduces the runtime from 33 days and 17 hours to 15 days and 18 hours. Reduces the number of probes sent from 9.5 billion to 4.4 billion. But misses 26% of the sensors.

Countermeasures: Hashing, of some or all of the fields. Encryption, encrypting a field with a key that is not publicly available. Private reports, limiting the information in the reports. Query limiting, limiting the rate at which reports can be downloaded. Sampling, sampling the incoming logs for analysis before generating reports.

Weaknesses: The attack uses an adaptive probe response algorithm, as each round depends on the result of the previous one. The countermeasures suggested are not very effective.

Suggestions: Develop and evaluate a non-adaptive approach. Come up with more effective countermeasures.