Published by Halle Sherin. Modified over 10 years ago.
1
DETECTING A CYBER-ATTACK SOURCE IN REAL TIME
R. Romanyak (1), A. Sachenko (1), S. Voznyak (1), G. Connolly (2), G. Markowsky (2)
(1) Ternopil Academy of National Economy
(2) Department of Computer Science, U. of Maine
2
The Web Neighborhood Watch Project
- This project seeks to identify websites belonging to dangerous people such as terrorists
- In addition to the artificial intelligence components, there is a need for locating the website in physical space
- At last year's conference, work was presented on using the distributed traceroute approach to help locate computers physically
3
Locating Computers in Physical Space
- Locating computers physically is important not only for the Web Neighborhood Watch Project but for dealing with cyber-attacks in general
- Current methods for tracking Internet-based attacks are primitive; it is almost impossible to trace sophisticated attacks using current tools
4
Attack Sophistication and Intruder Technical Knowledge (chart, 1980 to 2004)
- Axes: intruder knowledge and attack sophistication, from high to low, plotted against years 1980, 1986, 1992, 1998, 2004
- Attacks and tools marked on the chart: cross site scripting, password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service, www attacks, stealth / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools
- Attack modes marked on the chart: staged, auto-coordinated
5
Techniques for Physically Locating Computers
- Whois
- Traceroute
- Distributed Traceroute
- Time Delay Method (new)
6
Whois Limitations
- Whois contains information about top-level domains only
- Distributed databases are not always connected
7
Traceroute Limitations
- It does not take advantage of the fact that there typically exist several different paths to the target computer
- Executing a single trace from a single location tends to produce results that are geographically insufficient
8
Distributed Traceroute Limitations
- The results are not always as accurate as one would want
- This approach cannot be applied when the attacker uses intermediate hosts with software redirectors to make a cyber-attack
9
Time Delay Method (new)
- Based on the concept that the most recent computer from which the attack was received was either:
  – a) The actual attacking computer
  – b) An intermediate host being used with redirection software
- Choosing between a) and b) is based on comparing the time delay between the attacking computer (AC) and the victim computer (VC) with the time delay to the most recent host from which the attack arrived
10
A Cyber-attack using Redirectors
Attacking Computer → Redirector 1 → Redirector 2 → … → Redirector n → Victim Computer, with link delays $t_1, t_2, t_3, \dots, t_n, t_{n+1}$
$T_{total} = t_1 + t_2 + t_3 + \dots + t_n + t_{n+1}$, where $t_i$ is the time delay of the i-th link
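The two slides above describe the method in words and give the chain formula. The following is an added worked example, not code from the Romanyak et al. work: it sums the per-link delays of a redirector chain as $T_{total} = \sum t_i$ and decides between case a) and case b) by comparing the end-to-end delay with the delay to the most recent host. All delay values, the 5 ms tolerance, and the way the two delays are assumed to be measured (end-to-end by timing a request/response on the attack connection, last hop by a direct probe such as ping) are constructed assumptions for illustration; the host names are used only as labels.

```python
"""Worked example of the slides' Time Delay Method.

Added illustration, not code from the Romanyak et al. work.
All delays below are constructed numbers; the tolerance is an assumption.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Link:
    """One link in the attack chain: t_i is its delay in milliseconds (constructed)."""
    src: str
    dst: str
    delay_ms: float


def chain_total_delay(links: List[Link]) -> float:
    """T_total = t_1 + t_2 + ... + t_n + t_(n+1): delay of the whole chain."""
    return sum(link.delay_ms for link in links)


def hidden_delay(end_to_end_ms: float, last_link_ms: float) -> float:
    """Delay the last link alone does not explain, i.e. t_1 + ... + t_n.

    A value near zero means nothing lies behind the most recent host.
    """
    return end_to_end_ms - last_link_ms


def classify_apparent_source(end_to_end_ms: float, last_hop_ms: float,
                             tolerance_ms: float = 5.0) -> Tuple[str, float]:
    """Decide between the slides' cases a) and b).

    end_to_end_ms: delay between attacking computer and victim, measured on the
                   attack connection itself (assumption: e.g. timing a
                   request/response that must traverse the whole chain).
    last_hop_ms:   delay from the victim to the most recent host, the address
                   packets actually arrive from (assumption: measured directly,
                   e.g. with a ping or TCP handshake to that address).
    tolerance_ms:  assumed jitter allowance; any excess above it is attributed
                   to links hidden behind the most recent host.
    """
    excess = hidden_delay(end_to_end_ms, last_hop_ms)
    if excess <= tolerance_ms:
        return "attacker", excess     # case a): the host we see is the source
    return "redirector", excess       # case b): more links lie behind it


def demo() -> dict:
    """Constructed scenario; the three host names are labels only."""
    # Direct connection: one link, the attacker is the host we see.
    direct = [Link("HTTL", "TANE", 45.0)]
    # Redirected connection: HTTL -> Kiel -> TANE, Kiel is the host we see.
    redirected = [Link("HTTL", "Kiel", 20.0), Link("Kiel", "TANE", 30.0)]

    direct_total = chain_total_delay(direct)          # 45.0 ms
    redirected_total = chain_total_delay(redirected)  # 50.0 ms
    return {
        # Direct probe to HTTL (constructed) comes back close to the end-to-end delay.
        "direct": classify_apparent_source(direct_total, last_hop_ms=44.0),
        # Direct probe to Kiel explains only t_(n+1); 20 ms remain unexplained.
        "redirected": classify_apparent_source(
            redirected_total, last_hop_ms=redirected[-1].delay_ms),
    }


if __name__ == "__main__":
    for case, (verdict, excess_ms) in demo().items():
        print(f"{case}: most recent host is a {verdict} "
              f"(unexplained delay {excess_ms:.1f} ms)")
```

The unexplained delay is the quantity the slides' conclusion refers to when it says the method can characterise the links in the attack chain: it is an estimate of $t_1 + \dots + t_n$, the part of the path hidden behind the redirector. Two caveats a practitioner would keep in mind: a redirector sitting next to the attacker contributes a $t_1$ that disappears inside normal jitter, so the tolerance bounds the resolution of the method, and delays are not symmetric, which is why the experiments measure both HTTL to TANE and TANE to HTTL.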
11
Experimental Results
The following servers were used:
- TANE (Ternopil Academy of the National Economy, Ukraine, 217.196.166.105)
- Kiel University (Germany, 134.245.52.122)
- HTTL (Home To good service and Technology Ltd, London, England, 217.34.204.1)
12
Direct connection
13
Time Delays From HTTL to TANE
14
Time Delays from TANE to HTTL
15
Connection using redirector
16
Time Delays from HTTL to TANE using Kiel-redirector
17
Conclusion
- The Time Delay Method has the ability to locate a remote computer in real time based on delays in IP packet travel
- The Time Delay Method can also be used to analyze the nature of the links involved in the attack chain
18
Contact Information
- Roman Romanyak: rrm@tanet.edu.te.ua
- Anatoly Sachenko: as@tanet.edu.te.ua
- Serhiy Voznyak: sv@tanet.edu.te.ua
- Gene Connolly: gene@einakabob.com
- George Markowsky: markov@umcs.maine.edu