Mapping Internet Sensor With Probe Response Attacks Authors: John Bethencourt, Jason Franklin, and Mary Vernon. University of Wisconsin, Madison. Usenix.

Slides:



Advertisements
Similar presentations
Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Advertisements

Protecting Cyber-TA Contributors: Risks and Challenges Vitaly Shmatikov The University of Texas at Austin.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.
Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
Intrusion Detection Systems and Practices
1 Design of Bloom Filter Array for Network Anomaly Detection Author: Jieyan Fan, Dapeng Wu, Kejie Lu, Antonio Nucci Publisher: IEEE GLOBECOM 2006 Presenter:
UNITS meeting September 30, 2004 Network Security Roger Safian
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Privacy-Preserving Cross-Domain Network Reachability Quantification
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Tracking Moving Objects in Anonymized Trajectories Nikolay Vyahhi 1, Spiridon Bakiras 2, Panos Kalnis 3, and Gabriel Ghinita 3 1 St. Petersburg State University.
Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.
Vulnerabilities of Passive Internet Threat Monitors Yoichi Shinoda Japan Advanced Institute of Science and Technology Ko Ikai National Police Agency, Japan.
Vigilante: End-to-End Containment of Internet Worms M. Costa et al. (MSR) SOSP 2005 Shimin Chen LBA Reading Group.
 Structured peer to peer overlay networks are resilient – but not secure.  Even a small fraction of malicious nodes may result in failure of correct.
Design and Implementation of SIP-aware DDoS Attack Detection System.
Lecture 11 Intrusion Detection (cont)
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
MITACS-PINTS Prediction In Interacting Systems Project Leader : Michael Kouriztin.
Chirag N. Modi and Prof. Dhiren R. Patel NIT Surat, India Ph. D Colloquium, CSI-2011 Signature Apriori based Network.
ICS-FORTH WISDOM Workpackage 3: New security algorithm design FORTH-ICS The next six months Cork, 29 January 2007.
Calculating Discrete Logarithms John Hawley Nicolette Nicolosi Ryan Rivard.
IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.
Fast Portscan Detection Using Sequential Hypothesis Testing Authors: Jaeyeon Jung, Vern Paxson, Arthur W. Berger, and Hari Balakrishnan Publication: IEEE.
SIGCOMM 2002 New Directions in Traffic Measurement and Accounting Focusing on the Elephants, Ignoring the Mice Cristian Estan and George Varghese University.
By John Bethencourt, Jason Franklin, and Mary Vernon Computer Sciences Department University of Wisconsin, Madison Published in the Proceedings of the.
A Privacy-Preserving Interdomain Audit Framework Adam J. Lee Parisa Tabriz Nikita Borisov University of Illinois, Urbana-Champaign WPES 2006.
1 How to 0wn the Internet in Your Spare Time Authors: Stuart Staniford, Vern Paxson, Nicholas Weaver Publication: Usenix Security Symposium, 2002 Presenter:
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
DoWitcher: Effective Worm Detection and Containment in the Internet Core S. Ranjan et. al in INFOCOM 2007 Presented by: Sailesh Kumar.
Information Security Lab. Dept. of Computer Engineering 182/203 PART I Symmetric Ciphers CHAPTER 7 Confidentiality Using Symmetric Encryption 7.1 Placement.
Modeling Worms: Two papers at Infocom 2003 Worms Programs that self propagate across the internet by exploiting the security flaws in widely used services.
Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,
Secure Sensor Data/Information Management and Mining Bhavani Thuraisingham The University of Texas at Dallas October 2005.
IEEE Communications Surveys & Tutorials 1st Quarter 2008.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies
Mapping Internet Sensors with Probe Response Attacks Authors: John Bethencourt, Jason Franklin, Mary Vernon Published At: Usenix Security Symposium, 2005.
1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.
1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.
1 SOS: Secure Overlay Services A. D. Keromytis V. Misra D. Runbenstein Columbia University.
Packet-Marking Scheme for DDoS Attack Prevention
1 On the Performance of Internet Worm Scanning Strategies Authors: Cliff C. Zou, Don Towsley, Weibo Gong Publication: Journal of Performance Evaluation,
Workpackage 3 New security algorithm design ICS-FORTH Ipswich 19 th December 2007.
Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.
1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.
Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.
Presentation for CDA6938 Network Security, Spring 2006 Timing Analysis of Keystrokes and Timing Attacks on SSH Authors: Dawn Xiaodong Song, David Wagner,
HoneyStat: Local Worm Detection Using Honeypots David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, et al from Georgia Institute of Technology Authors: The.
Role Of Network IDS in Network Perimeter Defense.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Keyword search on encrypted data. Keyword search problem  Linux utility: grep  Information retrieval Basic operation Advanced operations – relevance.
2009/6/221 BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure- Independent Botnet Detection Reporter : Fong-Ruei, Li Machine.
Denial of Service Attacks Simulating Strategic Firewall Placement By James Box, J.A. Hamilton Jr., Adam Hathcock, Alan Hunt.
Secure Single Packet IP Traceback Mechanism to Identify the Source Zeeshan Shafi Khan, Nabila Akram, Khaled Alghathbar, Muhammad She, Rashid Mehmood Center.
Chapter 13 Network Security Auditing Antivirus Firewalls Authentication Authorization Encryption.
Distributed Network Traffic Feature Extraction for a Real-time IDS
Authors – Johannes Krupp, Michael Backes, and Christian Rossow(2016)
Data Streaming in Computer Networking
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
563.10: Bloom Cookies Web Search Personalization without User Tracking
Mapping Internet Sensors With Probe Response Attacks
Memento: Making Sliding Windows Efficient for Heavy Hitters
Presentation transcript:

Mapping Internet Sensor With Probe Response Attacks Authors: John Bethencourt, Jason Franklin, and Mary Vernon. University of Wisconsin, Madison. Usenix Security Symposium, 2005, Best Paper Award! Presented by Fei Xie

What is Internet Sensor Network? Definition  An Internet sensor network is a collection of systems which monitor the Internet and produce statistics related to Internet traffic patterns and anomalies. Uses  Useful for distributed intrusion detection and monitoring. Critical Assumption  The integrity of an Internet sensor network is based upon the critical assumption that the IP addresses of systems that serve as sensors are secret.

Examples collaborative intrusion detection systems security log collection and analysis centers  SANS Internet Storm Center  myNetWatchman  Symantec DeepSight network Internet Sinks and Network telescopes  University of Michigan’s Internet Motion Sensor  Cooperative Association for Internet Data Analysis (CAIDA)

Contribution Probe Response Attacks  a new class of attacks called probe response attacks  capable of compromising the anonymity and privacy of individual sensors in an Internet sensor network. Countermeasures  also provide countermeasures which are effective in preventing probe response attacks.

Case Study: the ISC To evaluate the threat of probe response attacks in greater detail, they analyzed the feasibility of mapping a real-life Internet sensor network, the ISC. collects packet filter (firewall) logs hourly one of the most important existing systems which collects and analyzes data from Internet sensors challenging to map  large number of sensors (over 680,000 IP addresses monitored)  IP addresses broadly scattered in address space

SANS Internet Storm Center

ISC Analysis and Reports Port Report port reports list the amount of activity on each destination port this type of report is typical of the reports published by Internet sensor networks in general Sample Port Report The ISC publishes several types of reports and statistics – The authors focus on the “port reports.”

Procedure to Discover Monitored Addresses Core Idea for each IP address i do probe i with reportable activity a wait for next report to be published check for activity a in report end for Problem  The ISC updates the report hourly  There are 2.1 billion valid, routable IP addresses Solution Using Divide and Conquer, check many in parallel.  only a very small portion of addresses are monitored, so send same probe to many addresses if no activity is reported they can all be ruled out otherwise report reveals the number of monitored addresses  since activity reported by port, send probes with different ports to run many independent tests at the same time

Detailed Procedure: First Stage begin with list of 2.1 billion valid IP addresses to check divide up into n search intervals S1, S2,... Sn send SYN packet on port pi to each address in Si wait two hours and retrieve port report rule out intervals corresponding to ports with no activity

Detailed Procedure: Second Stage distribute ports among k remaining intervals R1, R2,... Rk for each Ri  divide into n  k + 1 subintervals  send a probe on port pj to each address in the jth subinterval  not necessary to probe last subinterval (instead infer number of monitored addresses from total for interval)  if subinterval full, add to list and discard repeat second stage with non-empty subintervals until all addresses are marked as monitored or unmonitored

Example Run With Six Ports

Practical Problem How many port can be used in probe?  2^16 ports in total. Lots of them has little activity  Plenty of the ports can be used with some degree of “noise” which are scans not caused by the probe attack How to deal with the “noise”?  If normally no more than m scans for a port, send m times probes rather than one and divide the reports by m and round down to the nearest integer.

Improvement Allow False Positives and False Negatives  Avoid the superset of the sensors (false positives), still get enough IP address to do worm attack  Accept false negative, discard an interval with fraction of monitored address below a threshold  Both can speed up the attack Multiple Source Technique  Divide an interval into k pieces, spoof the probe packet IP, addresses in ith piece will be probed by 2^(i-1) sources  Can tell which pieces contains monitored addresses base on the number of sources in the report.  Still need to send more probes to deal with “source noise”

Simulation of Attack Adversarial Models  T1 attacker Mbps of upload bandwidth  Fractional T3 attacker 38.4 Mbps of upload bandwidth  OC6 attacker 384 Mbps of upload bandwidth Distribution of Monitored addresses  ISC sensor distribution  Clustering model  Totally random address

Attack Progress Details of fractional T3 attacker mapping the addresses monitored by the ISC.

Simulation Summary Probe response attacks are a serious threat.  Both a real set of monitored IP addresses and various synthetic sets can be mapped in reasonable time  Attacker capabilities determine efficiency, but mapping is possible even with very limited resources

Covert Channels in Reports In the proposed attack, destination port is used as a covert channel. many possible fields of information appearing in reports are suitable for use as covert channels Example Fields  Time / date  Source IP  Source port  Destination subnet  Destination port  Captured payload data

Current Countermeasures Hashing, Encryption, and Permutations  simply hashing report fields is vulnerable to dictionary attack  encrypting a field with a key not publicly available is effective, but reduces utility of fields  prefix-preserving permutations obscure IP addresses while still allowing useful analysis Bloom Filters  allow for space efficient set membership tests  configurable false positive rate  vulnerable to iterative probe response attacks as a result of the exponentially decreasing number of false positives

Proposed Countermeasures Information Limiting  limit the information provided in public reports in some way Random Input Sampling Technique  Randomly sample the logs coming into the analysis center before generating reports to increase the probability of false negatives. Scan Prevention  increases IP addresses from 32 bits to 128 bits Delayed Reporting  publish reports reflecting old data  Force the attacker to either wait a long period between iterations or use non-adaptive (off-line) algorithm.  Tradeoff between security and real-time notification.

Weakness No real experiment, just simulation Do not consider probe packet lost on the Internet which may cause false negatives.

Thank You!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.