Detection of Interactive Stepping Stones. Shobha Venkataraman, joint work with Avrim Blum & Dawn Song, Carnegie Mellon University, ICML Workshop. Presentation transcript:

1 Detection of Interactive Stepping Stones
Shobha Venkataraman (shobha@cs.cmu.edu)
Joint work with Avrim Blum & Dawn Song, Carnegie Mellon University
ICML Workshop 2006, June 29, 2006

2 Stepping Stone
- Stepping-stone attack: the attacker uses a chain of compromised machines to reach the victim.
- Difficult to find the attacker by looking only at the victim: the victim only sees the last host in the chain.
- Figure: Attacker A -> X1 -> ... -> Xk -> Victim V

3 Why stepping-stones?
- Stepping-stones are attractive to attackers:
  - Ease of compromising hosts on the Internet
  - Difficulty of detection: we don't know when a host is compromised, only when there is an attack; we don't know who compromised it; chaos and volume of Internet traffic, not always logged
- True attacker almost untraceable: near-perfect way to achieve anonymity!
- Large-scale stepping-stones: botnets...

4 Botnets: "For sale, stepping-stones"
- Botnets: set of compromised hosts controlled by a single "command-center"
- How this works: individual hosts are compromised; "control privileges" are sold to other attackers, who use them to launch attacks. Nearly impossible to discover the true attackers.
- Extremely prevalent on the Internet. Logs at the CMU department: discovered a Gaobot infection across 6-7 months of traffic (everything we examined!) and across 100+ hosts (1/10th of the network) at peak infection.

5 Botnets (II)
- Figure: stepping-stone chains from Attacker #1 and Attacker #2 through hosts at CMU, Stanford, Pittsburgh and Verizon DSL to the VICTIM

6 General Stepping-Stone Detection
- Extremely difficult:
  - Indefinite delay between stepping-stone "legs"
  - Traffic too voluminous / insufficiently logged for traceback
  - Packets encrypted or padded between "legs"
  - Stepping-stone "legs" additionally masked by adding superfluous traffic ("chaff")

7 Restricting the Problem
- Restrictions:
  - Traffic monitoring done at routers/gateways
  - Interactive stepping-stone streams
  - Bounded delay Δ between stepping-stones
- Figure: A -> X1 -> X2 -> V across the Internet; monitors M1 and M2 observe streams S1 and S2; timeline from T = 0 to T = Δ

8 Restricting the Problem (II)
- Restrictions put together: observe two time-delayed streams at a monitor; are they a stepping-stone pair?
  - If the attacker uses no chaff
  - If the attacker uses chaff
- Figure: A -> X1 -> X2 -> V across the Internet, streams S1 and S2, timeline from T = 0 to T = Δ

9 Prior work
- Donoho, Flesia, Shankar, Paxson, Coit & Staniford, RAID 02. Assumptions needed: attack stream from a Poisson or Pareto distribution; normal users perfectly uncorrelated. No guarantees on monitoring time or false positives.
- Wang & Reeves, CCS 03. Assumptions needed: timing perturbation of packets iid [strong assumption]; no chaff. Scheme breaks without these assumptions.
- Other related work: [SH95, YE00, ZP00, WRWY01, WRW02, W04]

10 Our work
- Want to allow correlations among normal users: don't flag just any correlated pair; time-correlated pair != stepping-stone pair
- Use milder assumptions: model non-attack streams as sequences of Poisson processes; no additional assumption on the attacker; allow chaff
- Present algorithms and analysis for these models

11 Inspiration from learning theory
- Learning theory question: how many examples do we need to see before we can identify hypotheses with guaranteed confidence?
- Our question: how many packets do we need to see before we can identify normal/attack streams with guaranteed confidence?
- Rest of talk: answer this question...

12 Outline
- Problem definition
- Without chaff: simple Poisson model; generalized Poisson model
- With chaff: algorithms; hardness of detection results
- Conclusions

13 Problem Definition (I)
- Set-up: the stepping-stone monitor tracks the number of packets in streams S1, S2 at a given time t: N1(t), N2(t)
- Assumptions:
  - Packets correspond 1-1 on stepping-stone streams (without chaff)
  - A max tolerable delay bound Δ exists
  - A max number of packets the attacker can send in time Δ exists: p_Δ
- Our bounds will be in terms of p_Δ.

14 Problem Definition (II)
- For stepping-stone streams S1 & S2:
  1. Every packet on S2 comes from S1: N1(t) ≥ N2(t)
  2. Every packet on S1 appears on S2 within Δ time: N1(t) ≤ N2(t + Δ)
- Assumptions on normal streams next...
- Detect stepping-stone pairs with guarantees on:
  - Monitoring time M: total packets observed on both streams before detection
  - False-positive probability δ

15 Simple Poisson Model
- Assumptions:
  - Normal stream: Poisson process with fixed rate (generalize this later)
  - p_Δ is known (relax this later)
  - No chaff (generalize this later)
- Outline: algorithm; analysis sketch; relax knowledge of p_Δ

16 Algorithm
- Observe y packets on the union of streams S1 and S2
- Compute the difference in the number of packets, d = N1 - N2
- If d is not in [-p_Δ, p_Δ], return NORMAL
- Repeat the above procedure over x iterations
- Return ATTACK if d lies in [-p_Δ, p_Δ] throughout
- Thm: with x = log(1/δ) and y = 2(p_Δ)^2, the monitoring time is M = xy = O(p_Δ^2 log(1/δ)) packets and false positives < δ
- Figure: streams S1 and S2

17 Analysis (I)
- Overhead: only per-stream packet counters running all the time! Compute sums & differences for pairs once in a while.
- Algorithm needs NO knowledge of the Poisson rates
- Any stepping-stone pair sending M packets is reported: for a stepping-stone pair, d stays within [-p_Δ, p_Δ]; if |d| > p_Δ, some packet violates the max delay bound
- Ensure that the false positive probability is less than δ, i.e. d leaves [-p_Δ, p_Δ] with probability more than 1 - δ; when d leaves [-p_Δ, p_Δ], the algorithm returns "normal"

18 Analysis (II)
- Streams S1 and S2 are Poisson processes with rates λ1, λ2 (normalized so that λ1 + λ2 = 1)
- On the union of the streams, each packet has a λ1 chance of coming from S1 and a λ2 chance of coming from S2
- Figure: packets of Stream 1 and Stream 2 on a time axis

19 Analysis (III)
- Let Z be the difference in the number of packets on S1 and S2
- Every time a packet appears on S1 ∪ S2: Z = Z + 1 with probability λ1; Z = Z - 1 with probability λ2
- Thus, Z is equivalent to a 1-d random walk
- Need Z to exit [-p_Δ, p_Δ] after some steps
- Figure: packets of Stream 1 and Stream 2 on a time axis, with the running value of Z under each packet

20 Analysis (IV)
- Fact: a 1-d random walk exits a bounded region of length t in expected O(t^2) time!
- Therefore, when n = O(p_Δ^2), Pr[Z will stay in the bounded region] < 1/2
- Repeat for m = log(1/δ) iterations: Pr[Z will stay in the bounded region] < δ
- When Z exits the bounded region, a normal pair does not get falsely accused. Done!

21 What if p_Δ is unknown?
- What if we do not know p_Δ? Use a "guess and double" strategy.
- Set p_j = 2^j. Run the algorithm over the sequence p_1, p_2, ...
- When a pair is "cleared" for p_j, examine it with respect to p_{j+1}.

22 What if p_Δ is unknown?
- For a stepping-stone pair, this increases the monitoring time by O(log log p_Δ). The guarantee depends only on the true value of p_Δ!
- In practice, set an upper bound for p_Δ: normal streams are monitored until the upper bound is reached; as j increases, the differences are tested exponentially less often
- Fundamental problem: cannot distinguish between a normal pair and an attack pair with a longer delay bound
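As an added example (not code from the talk or the paper), the following Python simulation implements the counter-difference random-walk detector of slide 16 and the guess-and-double wrapper of slide 21 over constructed packet streams. It assumes a packet is an event (time, stream) with the two streams merged in time order, simulates a normal pair as two independent Poisson processes, and simulates a stepping-stone pair by forwarding each S1 packet onto S2 after a delay in [0, Δ], with the sender's spacing chosen so that at most p_Δ packets fall in any window of length Δ; the names packet_budget, detect, guess_and_double, normal_pair, stepping_stone_pair and run_demo are mine.

```python
import math
import random

# Added example, not from the talk or the paper. Assumptions (also stated in the
# lead-in): a packet is an event (time, stream) with stream 1 or 2, the streams
# are merged in time order, a normal stream is simulated as a Poisson process,
# and a stepping-stone pair is simulated by forwarding each S1 packet onto S2
# after a delay in [0, delta].


def packet_budget(p_delta, fp_prob):
    """Slide 16: x = log(1/delta) blocks of y = 2 p_delta^2 packets each,
    so the monitoring time is M = x*y = O(p_delta^2 log 1/delta)."""
    x = max(1, math.ceil(math.log(1.0 / fp_prob)))
    y = 2 * p_delta * p_delta
    return x, y


def detect(events, p_delta, fp_prob, start=0):
    """Random-walk test on d = N1 - N2 over events[start:], using only the two
    per-stream counters. Returns NORMAL the moment d leaves [-p_delta, p_delta]
    (slide 17), ATTACK once x*y packets have been seen with d inside the band,
    and UNDECIDED if the streams end before the packet budget M is reached.
    The second value is the index of the next unread event."""
    x, y = packet_budget(p_delta, fp_prob)
    n1 = n2 = 0
    for i in range(start, len(events)):
        if events[i][1] == 1:
            n1 += 1
        else:
            n2 += 1
        if abs(n1 - n2) > p_delta:
            return "NORMAL", i + 1
        if i + 1 - start >= x * y:
            return "ATTACK", i + 1
    return "UNDECIDED", len(events)


def guess_and_double(events, p_max, fp_prob):
    """Slide 21: try p_j = 2^j in turn; a pair cleared for p_j is re-examined
    for p_(j+1) from the packet where it was cleared, up to the bound p_max."""
    pos, p = 0, 1
    while p <= p_max:
        verdict, pos = detect(events, p, fp_prob, start=pos)
        if verdict != "NORMAL":
            return verdict, p
        p *= 2
    return "NORMAL", None


def poisson_times(rate, count, rng):
    """Arrival times of a Poisson process: exponential inter-arrivals."""
    t, out = 0.0, []
    for _ in range(count):
        t += rng.expovariate(rate)
        out.append(t)
    return out


def normal_pair(rate1, rate2, count, rng):
    """Two independent Poisson streams (the simple Poisson model), merged by time."""
    return sorted([(t, 1) for t in poisson_times(rate1, count, rng)]
                  + [(t, 2) for t in poisson_times(rate2, count, rng)])


def stepping_stone_pair(delta, p_delta, count, rng):
    """Constructed attack pair: S2 carries every S1 packet after a delay in
    [0, delta]; S1 packets are spaced more than delta/p_delta apart, so at most
    p_delta of them fall in any window of length delta and d stays in [0, p_delta]."""
    gap, t, ev = 1.01 * delta / p_delta, 0.0, []
    for _ in range(count):
        t += gap + rng.expovariate(p_delta / delta)
        ev.append((t, 1))
        ev.append((t + rng.uniform(0.0, delta), 2))
    return sorted(ev)


def run_demo(seed=1, p_delta=3, fp_prob=0.01, trials=200):
    """Known p_delta on an attack pair, empirical false positives on normal
    pairs, and guess-and-double on the same attack pair with p_delta unknown."""
    rng = random.Random(seed)
    x, y = packet_budget(p_delta, fp_prob)
    attack = stepping_stone_pair(1.0, p_delta, 400, rng)
    flagged = sum(detect(normal_pair(1.0, 1.0, x * y, rng), p_delta, fp_prob)[0] == "ATTACK"
                  for _ in range(trials))
    return {
        "known_p": detect(attack, p_delta, fp_prob)[0],
        "false_positive_rate": flagged / trials,
        "unknown_p": guess_and_double(attack, 64, fp_prob),
    }


if __name__ == "__main__":
    print(run_demo())
```

run_demo() returns the verdict for a stepping-stone pair with known p_Δ = 3, the empirical false-positive rate over 200 independent normal pairs, and the level p_j at which guess-and-double flags the same attack pair without knowing p_Δ. The detector reads nothing but the two counters, as slide 17 stresses, and reports UNDECIDED when a stream ends before M packets have been observed, which is the case a deployment has to handle for short-lived connections.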

23 Summary: Simple Poisson
- Normal streams: Poisson process with a single fixed rate
- Algorithm with guaranteed false positives and monitoring time; the algorithm needs no knowledge of the Poisson rates
- Analysis extended: when p_Δ is unknown; when the false positive probability is distributed over all pairs of streams (in paper)

24 Outline
- Problem definition
- Without chaff: simple Poisson model; generalized Poisson model
- With chaff: algorithms; hardness of detection results
- Conclusions

25 Generalized Poisson model
- Model the normal process as a SEQUENCE of Poisson processes: varying rates for varying time periods, i.e. the stream is given by (λ1, t1), (λ2, t2), ...
- General model: coarsely approximates almost any usage pattern, for example: coarsely simulates Pareto distributions (a good model of typing patterns); correlated users: same sequence of Poisson rates & time intervals

26 Analysis Sketch
- Formally, a stream S is given by (λ1, t1), (λ2, t2), ...
- Key observation: at time T, the packet distribution is equivalent to a Poisson process with the single fixed rate Σ_j (λ_j · t_j) / T (the weighted mean)
- More details in paper.

27 Summary: General Poisson
- Normal streams modelled as sequences of Poisson processes: (λ1, t1), (λ2, t2), ... A very general model.
- Algorithm with guarantees on monitoring time and false positive rate; once again, the algorithm needs no knowledge of the Poisson rates
- Results in this model extended similarly: when p_Δ is unknown; when the false positive probability is distributed over all pairs of streams

28 Outline
- Problem definition
- Without chaff: simple Poisson model; generalized Poisson model
- With chaff: algorithms; hardness of detection results
- Conclusions

29 Chaff
- Chaff: dummy packets inserted in traffic streams to avoid detection
- Algorithms (as presented) are broken by a single packet of chaff
- Next, modify the algorithms to handle limited chaff...
- Figure: Attacker -> Stepping Stone -> Victim

30 Chaff: Algorithms
- Fix the chaff rate, but let the chaff be arbitrarily distributed
- Simple Poisson model algorithm: let y be the number of packets needed before we exit the bounded region in the random walk. Allow a chaff rate of p_Δ/4y, and monitor for the difference to leave [-2p_Δ, 2p_Δ]. Regular streams still get the difference (wait longer).
- Can tweak the algorithm to handle a slightly higher chaff rate, but that's all. Hardness results next...
- Extends similarly to the general Poisson model.

31 Hardness of Detection
- No algorithm based on timing delays alone can detect stepping-stones with smart use of chaff
- Can give bounds on the chaff needed so that the attacker can pre-generate two independent processes and send packets to mimic the independent processes exactly. Details & strategies in paper.
- If the attacker can actively send such chaff, detection requires the use of other information

32 Summary
- Algorithms to detect stepping stones, with guarantees on monitoring time and false positives: simple and generalized Poisson models; with and without (arbitrarily distributed) chaff; when p_Δ is known/unknown
- Compared to previous work: milder assumptions, allowing for substantial correlation among normal users; no additional assumptions on the attacker (besides the delay bound)
- With sufficient chaff, the attacker can mask stepping stones, so that no algorithm that uses inter-packet delays can detect them.

36 Prior Work
