Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting Backdoors and Stepping Stones Yin Zhang Cornell University Vern Paxson ACIRI/LBNL 9 th USENIX Security Symposium.

Published byEsmond Joseph Modified over 9 years ago

Similar presentations

Presentation on theme: "Detecting Backdoors and Stepping Stones Yin Zhang Cornell University Vern Paxson ACIRI/LBNL 9 th USENIX Security Symposium."— Presentation transcript:

1 Detecting Backdoors and Stepping Stones Yin Zhang Cornell University yzhang@CS.Cornell.EDU Vern Paxson ACIRI/LBNL vern@aciri.org 9 th USENIX Security Symposium Denver, CO, August 2000

2 08/17/002 Backdoors & Stepping Stones Two big headaches for intrusion detection Ease of returning to a compromised system Ease of hiding attacker’s identity Backdoors Standard service on non-standard port, or on standard port associated with different service Stepping stones Compromised, intermediary hosts used during attacks to hide attacker’s identity

3 08/17/003 Targeted Environment Monitor captures inbound/outbound traffic Assume single ingress/egress point for stepping stone detection Interne t Access Link M

4 08/17/004 Methodology Design space Trace investigation General algorithms Refinements Trace-based evaluation: FP, FN, efficiency

5 08/17/005 Backdoor Methodology Design space A lot in common General algorithm: Pkt size + timing doesn’t require content Protocol specific algorithms Stateless filter  highly efficient Performance Evaluation

6 08/17/006 Design Space Open vs. evasive attackers raising the bar, “Arms race” Passive vs. active monitoring Accuracy: FP vs. FN Content vs. timing Timing: can be very cheap, robust against encryption Real-time vs. off-line analysis Off-line algorithms: full stream reassembly, baseline for how good you might do Filtering Lots skipped in kernel  huge reduction in load

7 08/17/007 A General Algorithm for Detecting Interactive Backdoors Leveraging large number of small pkts (S - G - 1) / N  0.2 S: number of small packets G: number of gaps in small packets N: total number of packets Leveraging large number of long pauses #interarrivals  [10ms, 2s] / #interarrivals  0.2 Almost the same performance when 2 sec  100 sec. Filtering Only small packets (e.g. with  20 bytes payload) Need some guesses for G and N

8 08/17/008 Protocol-Specific Algorithms BackdoorOptimal AlgorithmStateless Algorithm SSHSsh-sig, ssh-lenSsh-sig-filter RloginRlogin-sigRlogin-sig-filter TelnetTelnet-sigTelnet-sig-filter FTP/SMTPFtp-sigFtp-sig-filter Root shellRoot-sigRoot-sig-filter NapsterNapster-sigNapster-sig-filter GnutellaGnutella-sigGnutella-sig-filter

9 08/17/009 Detecting SSH Ssh-sig Signature: SSH version string ` ^SSH-[12]\. ’ Ssh-len (mainly for partial connections) Interactive according to the general algorithm Most packets have 8N (N  2) bytes payload, or most packets have (8N+4) bytes payload Ssh-sig-filter Implemented by a stateless tcpdump filter tcp[(tcp[12]>>2):4] = 0x5353482D and (tcp[((tcp[12]>>2)+4):2] = 0x312E or tcp[((tcp[12]>>2)+4):2] = 0x322E)

10 08/17/0010 Detecting Others BackdoorSignatureEquivalent Pattern Rlogin Username terminal dialog, terminated ‘\x00$’ TelnetOption negotiation ‘^\xFF[\xFB-\xFE]’ FTP/SMTPServer status codes ‘^(220|421)[ -]’ NapsterSEND/GET directives ‘^(SEND|GET)$’ GnutellaConnection negotiation ‘^GNUTELLA ’ Root shell *Root shell prompt ‘^# ’ * A hack, but works surprisingly well

11 08/17/0011 Trace Descriptions ssh.trace (194 MB, 380K pkts, 905 conns) A half hour snapshot of SSH traffic at UCB lbnl.mix1.trace (54MB, 134K packets, 4.6K conns) lbnl.mix2.trace (421MB, 863K packets, 14.7K conns) 1 hour of aggregate traffic at LBNL with high volume protocols filtered out lbnl.inter.trace (389MB, 3.5M packets, 5.5K conns) 1 day’s worth of Telnet/Rlogin traffic at LBNL

12 08/17/0012 Performance Evaluation AlgorithmFPFN % bytes captured Ssh-sig0/16,9380/546NA Ssh-sig-filter0/16,9380/5460.057% Ssh-len5/16,938NA Rlogin-sig0/17,3060/175NA Rlogin-sig-filter4/17,3060/1751.6%

13 08/17/0013 Performance Evaluation (con’t) AlgorithmFPFN % bytes captured telnet-sig0/12,70818*/1,526NA telnet-sig-filter0/12,70818/1,5260.15% ftp-sig0/20,13529**/5,629NA ftp-sig-filter0/20,13529/5,6290.12% General Algo.12/12,000+22/1,450NA * 17 involve the same passwordless catalog server w/o any option negotiation; the 18 th is HTTP/1.1 on port 23  not FN ** Most are partial connections w/o the initial dialog

14 08/17/0014 Operational Experience Root-sig-filter: dirt cheap, but strikingly powerful Finds su’s Finds 437 root backdoors at 291 sites in 24 hours from Berkeley SSH detectors find SSH servers on various ports 80 (HTTP); 110 (POP); 32; 44320-44327; variants of 22 (222, 922, 2222, …) Napster detectors find Napster server on port 21 (FTP), and plenty of others! Large number of legitimate backdoors require refined policy scripts

15 08/17/0015 Stepping Stone Methodology Design space A lot in common A timing-based algorithm Doesn’t require content Calibration algorithms Mainly used as baseline algorithms Efficient ones are also used for production use Performance Evaluation

16 08/17/0016 General Principles Find invariant or at least highly correlated characteristics Leverage particulars of how interactive traffic behaves A C B M

17 08/17/0017 Additional Design Space Direct vs. indirect stepping stones, i.e. “A-B-C” vs. “A-B … C-D” A D B C Internet M

18 08/17/0018 Additional Design Space (con’t) Whether to analyze content ? Content-based fingerprinting [SH95] Pro: natural; Con: cost, opportunity. Minimize state for connection pairs N 2 memory explosion

19 08/17/0019 Timing Correlation When OFF Periods End Only consider the end of OFF periods OFF period: no activity for  0.5 sec Immensely reduces analysis possibilities! Two OFF periods considered correlated, if their ending times differ by < 80ms  Detection criteria #coincidences / #OFF_periods #consecutive_coincidences #consecutive_coincidences / #OFF_periods ABAB CDCD < 80ms?

20 08/17/0020 Calibration Algorithms Brute-force one-time calibration Extract the aggregate Telnet/Rlogin output Find connections with similar content by looking at lines in common using standard Unix utilities Identify stepping stones with additional manual inspection Two Unix-centric hacks: Looking for propagated $DISPLAY propagated status line in the login dialog. Last login: Fri Jun 18 12:56:58 from host.x.y.z.com

21 08/17/0021 Trace Descriptions Lbnl-telnet.trace 1 day’s worth of telnet/rlogin traffic at LBNL 120 MB, 1.5M pkts, 3,831 conns 21 stepping stones Ucb-telnet.trace 5.5 hours’ worth of telnet/rlogin traffic at UCB 390 MB, 5M pkts, 7,319 conns ~79 stepping stones

22 08/17/0022 Performance Evaluation Accuracy: Very low false positive/negative ratios Lbnl-telnet.trace: FP = 0, FN = 2/21 Ucb-telnet.trace: FP = 0, FN = 5/79 Brute-force scheme missed 32 Efficiency: capable of real-time detection 1.1 real-time minutes for lbnl-telnet.trace 24 real-time minutes for ucb-telnet.trace Impact of different control parameters Current parameter settings are fairly optimal Considerable room exists for varying the parameters in response to certain evasion threats

23 08/17/0023 Failures Excessively small stepping stones Limits attackers to a few keystrokes Message broadcast applications lead to non-stepping-stone correlation Can filter out Phase-drift in periodic traffic leads to false coincidences Can filter out

24 08/17/0024 Operational Experience Nifty algorithm, clearly useful in some circumstances Large number of legitimate stepping stones require refined policy scripts An unanticipated security bonus Exposed passphrase due to clear-text protocol upstream and encrypted protocol downstream Unfortunately, this happens all too often 

25 08/17/0025 Future Directions Backdoor detection Combining general algorithm with protocol- specific algorithms Other protocols, e.g., BackOrifice Stepping stone detection Detecting non-interactive stepping stones, e.g. “relays”, and “slaves”. All sorts of evasion possible -- ” let the arms race begin ”

26 08/17/0026 Acknowledgements Ken Lindahl, Cliff Frost Stuart Staniford-Chen, Felix Wu Mark Handley, Tara Whalen, and anonymous reviewers

Download ppt "Detecting Backdoors and Stepping Stones Yin Zhang Cornell University Vern Paxson ACIRI/LBNL 9 th USENIX Security Symposium."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Greg Williams CS691 Summer 2011. Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.

Greg Williams CS691 Summer Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.

Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.
1 Network Traffic Measurement and Modeling Carey Williamson Department of Computer Science University of Calgary.

1 Network Traffic Measurement and Modeling Carey Williamson Department of Computer Science University of Calgary.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Copyright © 2005 Department of Computer Science CPSC 641 Winter 20111 WAN Traffic Measurements There have been several studies of wide area network traffic.

Copyright © 2005 Department of Computer Science CPSC 641 Winter WAN Traffic Measurements There have been several studies of wide area network traffic.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
IDS Colloquium 2001John Kristoff - DePaul University1 Intrusion Detection Systems (IDS) John Kristoff +1 312 362-5878 DePaul University.

IDS Colloquium 2001John Kristoff - DePaul University1 Intrusion Detection Systems (IDS) John Kristoff DePaul University.
On the Constancy of Internet Path Properties Yin Zhang, Nick Duffield AT&T Labs Vern Paxson, Scott Shenker ACIRI Internet Measurement Workshop 2001 Presented.

On the Constancy of Internet Path Properties Yin Zhang, Nick Duffield AT&T Labs Vern Paxson, Scott Shenker ACIRI Internet Measurement Workshop 2001 Presented.
Network Traffic Measurement and Modeling CSCI 780, Fall 2005.

Network Traffic Measurement and Modeling CSCI 780, Fall 2005.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Similar presentations

Ads by Google