Counterplanning Deceptions To Foil Cyber-Attack Plans
Paper by: Neil C. Rowe
Presentation by: Michael E. Aiello

Agenda
- Introduction: Deceptive Tactics
- Counterplanning
- MECOUNTER
- Building a ploy strategy
- Questions

Introduction: Deceptive Tactics
Second line of defense behind standard information security tactics. Proactive countermeasures.
1. Concealment
2. Camouflage
3. Ruses (use of enemy equipment + procedures)
4. Demonstrations (of capabilities)
5. Disinformation/Lies
6. Displays: “techniques to make the enemy see what isn’t there”
7. Insight (“deceiving the opponent by outthinking”)

Cyber Deceptive Tactics
1. Lies: powerful because users are accustomed to truth from computer systems
2. Displays: e.g., simulating a virus infection while actually destroying the infection
3. Insight: a combination of lies and displays integrated into an overall defensive strategy designed to cause the attacker the maximum amount of trouble

Obstructive Counterplanning
Definition: planning to interfere with or frustrate an existing plan.
A tool is needed to define computer intrusion plans and goals.
MECOUNTER: a tool to define attack models with mostly-declarative definitions of actions. It allows users to create models for:
1. Anticipating what an enemy would do
2. Defining disruption models
3. Observing how the enemy responds to disruption

MECOUNTER example: the “decompress” action
1. If the system does not want a file to be compressed, it should decompress it.
2. Decompressing a file on a system requires that it is known to be there, it is compressed, it is known to be compressed, the actor is logged in to its system, and the actor is not currently running any other program there.
3. Normally, when a file is decompressed, this deletes the fact of its compression and adds no new facts.
4. 10% of the time decompression fails with the error message “Wrong Format”.
5. Decompression requires a mean time of 5 seconds and has a Poisson distribution.

Example Markov model for ten runs of a simplified model for rootkit and port-software installation on a computer system.

Counterplanning
Develop “ploys” to keep the attacker connected to the machine for tracing/logging purposes.
GOAL: Annoy attackers and keep them connected, but do not make them suspicious.
GOAL: Avoid annoying legitimate users.
A successful ploy meets both of these goals.

Probability equation for successful ploys

Building a ploy strategy
- Build a Markov model for an attack sequence.
- Define probability variables for each state (the j’s).
- Use a greedy search to permute all of the available ploys against each state.
- Define a threshold for a successful ploy and report the results.

High-impact ploy strategy for the buffer overflow + rootkit example
- Delete the connection at port 80
- Delete the fact that the buffer is overflowed
- Add the fact that there are problems in the file system
- Report that the connection is terminated
- Delete administrator status

Questions??