Stego Intrusion Detection System (SIDS)
Michael Sieffert
Assured Information Security, Inc.

Topics Covered
Steganography
Steganalysis
Misuse / Motivation
SIDS structure
Screenshots
Demo?
Future of SIDS
Conclusion

Steganography
“Art of covered writing”
Concealing the existence of communication between two parties
Hiding data in common, unstructured areas of media files
  – Transmitted via computer networks
Many tools available freely that work with:
  – Image, music files
  – Text
  – TCP/IP header fields

Stego (continued)
[Slide images: (original) and (carrier)]

Steganalysis
Detecting the presence of steganographic data
Does a given file contain stego?
  – How sure can we be? Not always a certainty
  – If so, is it possible to extract its contents?
Many products / algorithms available that attempt to discover stego
  – Some algorithms are closed source or proprietary
  – Not organized into any consistent API

Potential for Misuse? Of course!
Transmission/storage of illegal or proprietary data
  – Child pornography
  – Company secrets
Terrorist message passing?
Adversaries
Intruders
  – Data exfiltration/infiltration
Insider threat

Motivation
Adversaries can use stego to communicate undetected
  – Even through our own networks
  – Manual attacks
  – Programmatic attacks
A stealthy piece of malicious software is aware of network defenses, and will circumvent them
An intelligent virus/trojan program could be using HTTP to transmit and receive data
  – Current network defense mechanisms (firewalls, intrusion detection systems) will not stop this
Corporate espionage gets easier!
Your network is at risk!

HTTP Image Transfer
How many images are pulled into/out of your network daily?
  – Makes an attractive channel for stego’ed data transfer
An attacker / virus could create (seemingly normal) HTTP traffic that contains important* data
  – Instructions for the program
  – Proprietary / sensitive information (secrets, credit card numbers, etc.)

SIDS
Stego intrusion detection system
  – Aims to flag all HTTP traffic containing imagery that tests positive for stego content (more protocols later)
Gateway defense mechanism
  – Placed at a network border
  – In promiscuous mode, sniffs all HTTP traffic and reconstructs (if necessary) any images transmitted
  – Tests each image against all known steganalysis algorithms
  – Alerts user/administrator to presence of stego on their network
Not a firewall!

High Level View
[Slide diagram: Internet, FW, SIDS with Scanner, image1 … image5, Algorithm 1 … Algorithm n, Master Database]

SIDS Highlights
Plug-in interface for steganalysis algorithms
  – Allows SIDS to increase its effectiveness as new methods are developed
  – Proprietary or sensitive algorithms can be used in house
Interface written in Java, making the GUI section of SIDS easily portable to a separate platform in the future
SIDS machine does not even need an IP address, making it undetectable to an attacker

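The gateway pipeline from the SIDS slide and the plug-in interface from the Highlights slide, as an added example that is not part of the presentation or of the SIDS code base: it splits a captured HTTP response, parses an image body and runs one steganalysis plug-in, the pairs-of-values chi-square test for LSB replacement (Westfeld and Pfitzmann). The plug-in table, the PGM-only carrier handling, the crude decision threshold and the sample cover/stego images are assumptions constructed for this example.

```python
import random, re
def chi_square_lsb(pixels: bytes) -> tuple[bool, float]:
    """Pairs-of-values chi-square test: random LSBs equalise counts of 2k and 2k+1."""
    hist = [pixels.count(v) for v in range(256)]
    stat, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        e = (even + odd) / 2
        if e:
            stat += (even - e) ** 2 / e + (odd - e) ** 2 / e
            dof += 1
    # Crude rule in place of a real p-value: a statistic near dof means balanced pairs
    return stat < 2 * dof, stat

# Plug-in table (assumed design): name -> function(pixels) -> (flagged, statistic)
PLUGINS = {"chi-square-lsb": chi_square_lsb}

def parse_pgm(body: bytes) -> bytes:
    """Pixels of a binary PGM (P5) image, the only carrier handled here."""
    m = re.match(rb"P5\s+\d+\s+\d+\s+\d+\s", body)
    if not m:
        raise ValueError("unsupported image format")
    return body[m.end():]

def scan_http_response(raw: bytes) -> list[str]:
    """Split a captured HTTP response, keep image bodies, run every plug-in."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]
    hdrs = {k.strip().lower(): v.strip()
            for k, v in (l.split(":", 1) for l in lines if ":" in l)}
    if not hdrs.get("content-type", "").startswith("image/"):
        return []
    pixels = parse_pgm(body[:int(hdrs.get("content-length", len(body)))])
    results = [(name, fn(pixels)) for name, fn in PLUGINS.items()]
    return [f"{n}: stat={s:.1f}" for n, (flagged, s) in results if flagged]

def make_cover() -> bytes:
    """Constructed 64x64 cover: smooth bands, every value a multiple of 4."""
    return bytes((i % 64) * 4 for i in range(64 * 64))

def make_stego(cover: bytes, seed: int = 1) -> bytes:
    """Constructed stego sample: each LSB replaced by a random message bit."""
    rng = random.Random(seed)
    return bytes((p & 0xFE) | rng.getrandbits(1) for p in cover)

def http_image(pixels: bytes) -> bytes:
    """Constructed HTTP response carrying the pixels as a PGM image."""
    body = b"P5\n64 64\n255\n" + pixels
    return (b"HTTP/1.1 200 OK\r\nContent-Type: image/x-portable-graymap\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body) + body)
```

The cover's value pairs are completely unbalanced, so its statistic is far above the degrees of freedom, while the stego sample's pairs are near-equal and the plug-in raises an alert.
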
SIDS Screen Shots - Statistics -
Shows last image testing positive for stego
Graphs detailing the number of images captured / flagged

Screen Shots (continued) - Recent Finds -
Details of individual images captured from the wire
Summary of steganalysis information
Allows for manual inspection of images

Screen Shots (continued) - Histograms -
Provide a breakdown of the most frequent offenders' IP addresses

Limitations
Extremely high traffic can cause packet loss
Only a handful of algorithms ship with SIDS currently
  – Working to add more algorithms
  – User can add their own
  – Attempting to establish a community standard
User interface can be improved, made more lean
Only HTTP, currently
  – Unable to examine encrypted data

Future of SIDS
Always more protocols/places to check for stego
  – FTP, P2P, NNTP, IRC, ICMP, TCP/IP headers, Timing
  – (attachments), etc.
Host based version of SIDS likely on the way
  – Continually checking all images found on a system for stego
  – Help catch use of stego storage (stuff that’s not sent across the wire)
Enterprise Edition
Hardware assisted steganalysis
Neural nets

Future of SIDS (continued)
Best detection with newest steganalysis algorithms
Moving towards the anti-virus model
  – Database of detection ‘signatures’ must be up to date
Development of public database of detection algorithms
  – Developed as plug-ins for all versions of SIDS
  – Freely downloadable

Conclusion
Stego is being used... and will continue to gain acceptance as a method of hiding in plain sight
Defense is a hard problem
Efficiency issues with loads of scanning / analysis
Steganalysis is improving
  – Still behind the state of the art in steganography
This trend will likely continue as new forms of stego emerge

Questions..
SIDS
  – Created by Dr. Leonard Popyack and Charles Green (Assured Information Security, Inc.)
  – Code Authors: Rodney Forbes (daemons, plug-in interface), Mike Sieffert (Java GUI)
  – Sponsored by Air Force Research Laboratory (AFRL), Air Force Information Warfare Battlelab (AFIWB)
POC: Thomas Blake, AFRL/IFGB