Presentation is loading. Please wait.

Presentation is loading. Please wait.

Active Response Sergio Caltagirone Master’s Thesis Defense May 9, 2005 Major Professor: Deb Frincke.

Published byVernon Greene Modified over 9 years ago

Similar presentations

Presentation on theme: "Active Response Sergio Caltagirone Master’s Thesis Defense May 9, 2005 Major Professor: Deb Frincke."— Presentation transcript:

1 Active Response Sergio Caltagirone Master’s Thesis Defense May 9, 2005 Major Professor: Deb Frincke

2 A Little Background… Clifford Stoll v. German Hackers (1986) C. Stoll, “Stalking the Wiley Hacker” in Communications of the ACM, vol 31, 1998, pp. 484-497. DoD v. Electronic Disturbance Theater (1998) http://archives.cnn.com/2000/TECH/computing/04/07/self-defense.idg/ Conxion v. E-Hippies (2000) http://www.nwfusion.com/research/2000/0529feat2.html FBI v. Russian Hackers (2001) a.k.a. ‘Invita’ Case http://www.wired.com/news/politics/0,1283,47650,00.htm

3 Where We’re At…

4 Where We Want To Be…

5 Why? Response is not a choice… Insufficient Protection on Imperfect Systems A Policy Is Necessary (even if not utilized) Vulnerable Systems – Air Traffic Control http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/ – SCADA Systems http://www.securityfocus.com/news/6767

6 Research Question Since any action or inaction is a response, what is an appropriate set of actions to take during a security event in order to mitigate the threat given the immense social and technical considerations of response?

7 Research Goals Framework for Discussion – Definition – Taxonomy – Summary of Challenges ADAM – Response Model – Decision Model – Algorithm Example – Evolutionary Implementation

8 Elements of a Definition Time Bound – Before an attack is not active response, after an attack is forensics – Self-defense Necessity/Imminent, Proportionality Technologically Independent – Humans and Computers can respond Purposeful – Not for retribution or revenge, but to return to a previous secure state

9 Definition of Active Response Any action sequence deliberately performed by an individual or organization between the time an attack is detected and the time it is determined to be finished, in an automated or non-automated fashion, in order to mitigate the identified threat’s negative effects upon a particular asset set. Active does not modify response, but rather describes the state of the attack

10 Taxonomy of Actions 8 Types – No Action – Internal Notification – Internal Response – External Cooperative Response – Non-cooperative Intelligence Gathering – Non-cooperative ‘Cease and Desist’ – Counter-Strike – Preemptive Defense

11 No Action Under attack, conscious decision to take no action

12 Internal Notification Contact Administrators Contact CTO, CEO, CISO Contact Users

13 Internal Response Write Firewall Rules (firewall signaling) – Block IP, range of IPs, block specific ports Strategic Segmentation/Disconnection – Nat, change subnets, re-address, remove port Drop Connections – TCP RST packet to client AND server – Use ICMP (port, host, network unreachable) – UDP – Unreliable, must come in sequence

14 External Cooperative Response Contact CERT, FBI, Secret Service, Local Police, upstream ISPs – Dshield – Symantec

15 Non-Cooperative Intelligence Gathering Direct attacker to honeynet/honeypot Use tools to determine identity of attacker – Ping, finger, traceroute, lsrr packets

16 Non-Cooperative ‘Cease and Desist’ Use tools to disable harmful services without affecting usability – University scenario – Zombie Zapper by BindView

17 Counter-Strike Active Counter-Strike (direct action) – Worm focusing only on attacker IP or to trace back the attack and report – Straight hack-back Passive Counter-Strike (cyber aikido) – Footprinting Strike-Back (DNS) Send endless data, send bad data for illegitimate names (brute force) (e.g. defense networks), send SQL or bad data for illegitimate requests – Network Recon Strike Back Traceroute packets (ICMP “TTL Expired”) receive spoofed random addresses (creating any network we want)

18 Preemptive Defense Conexion vs. E-Hippies – Traffic Redirection DoD vs. Electronic Disturbance Theater – Killer applet

19 Challenges of Active Response Legal – Civil, Criminal, Domestic, International Ethical – Teleological, Deontological Technical – Traceback, Reliable IDS, Confidence Value, Real Time Risk Analysis – Measure ethical, legal risk effectively? Unintended Consequences – Attacker Action, Collateral Damage, Own Resources

20 Research Goals Framework for Discussion – Definition – Taxonomy – Summary of Challenges ADAM – Response Model – Decision Model – Algorithm Example – Evolutionary Implementation

21 Goals of ADAM Provide a generalizable, extendable model for any organization – Completely model the risk of the threat and AD actions – Find appropriate active defense solution for the threat – maximize benefit, minimize risk – Allow for automation – Provide legal (and ethical) due diligence

22 Response Process Model

23 Decision Model AR Policy Escalation Ladder Asset Evaluation Action Evaluation Asset Identification Threat Identification Risk Identification Goal Identification Action Identification Risk Identification Utility Modifier Success Ordering Decision Set Scoring Chart

24 Algorithm A pragmatic and implementable description of the process and decision model Illustrates the use of the decision model within the process of response

25 Solutions Provided by ADAM Ethicalness – Incorporates Teleological and Deontological ethical concerns Legal – No precedent: minimal force, proportional force, immediate threat Unintended Consequences – Statistical measure of confidence in action performing as expected (if confidence values provided by IDS) Risk Valuation – Provides statistical bounds for potential risk (if confidence values provided by IDS)

26 Research Goals Framework for Discussion – Definition – Taxonomy – Summary of Challenges ADAM – Response Model – Decision Model – Algorithm Example – Evolutionary Implementation

27 Evolutionary Model Competitive Co-Evolution – Genetic Algorithm Uses biologically equivalent operators (crossover, mutation, gene, chromosome, populations) Determines global maxima or minima Fitness Function / Value – Two competing populations, co-evolving Attackers / Defenders – Game Based Fitness: risk assumed by defenders

28 Evolutionary Model ParadigmGenerational # of Populations2 Population Size60 # of Trials100 Parental SelectionTournament ElitismTop 2 Mutation TypeUniform Random Replacement Mutation Rate1/n Crossover Type2 point Crossover Probability100% # of Actions in Chromosome8 # Initial Actions4

29 Evolutionary Model (Defender) DEFENSE ACTION DEFENSE POSITION 0 1 2 3 4 5 6 7 Null Action 58 58 57 48 57 53 50 52 Contact Administrator 8 2 5 6 6 10 5 5 Contact Chief Technology Officer 3 2 2 6 9 5 7 9 Shutdown port at firewall 0 0 0 0 0 0 0 0 Filter IP at firewall 0 1 1 2 2 1 0 2 Shutdown Server 0 0 0 0 0 0 0 0 Send TCP RST Packet 3 4 6 5 6 5 7 5 Ask ISP to Shut-off Attack 7 15 7 10 9 7 18 11 Contact FBI 4 2 5 4 1 5 3 7 Use Traceback 17 16 17 19 10 14 10 9 Send Virus Against IP 0 0 0 0 0 0 0 0 Initiate DoS Against IP 0 0 0 0 0 0 0 0 Attempt to Hack Attacker 0 0 0 0 0 0 0 0

30 Evolutionary Model (Attacker) ATTACK ACTION ATTACK POSITION 0 1 2 3 4 5 6 7 Null Action 54 51 56 48 56 43 46 49 Spoof IP Address 39 24 19 7 4 2 0 3 Port Scan the Server 0 4 6 7 6 5 6 1 Ping the Server 0 1 0 2 3 2 5 1 DoS the Server 0 0 0 0 0 2 2 4 DDoS the Server w/ Zombies 0 1 0 2 2 6 6 5 Poison DNS 7 12 8 17 10 12 8 11 Hack Server, Install Backdoor 0 1 2 2 1 7 4 3 Hack Server, Download Records 0 0 1 0 2 4 2 4 Hack Server, Change Records 0 2 7 8 10 10 13 12 Send Virus Against Server 0 4 1 7 6 7 8 7

31

32

33 Results of Evolutionary Model Population finesses show that model was correct W.R.T evolutionary techniques IT IS POSSIBLE! – Proof-Of-Concept that reasonable active response strategies can be developed using the rational behind ADAM Competitive Co-Evolution is a potential model for computer security relationships – First implementation applying concept to a computer security scenario

34 Conclusions & Contributions The First Definition of Active Response Taxonomy of Actions – Illustrates active response is more than strike-back methodology Summary of Challenges – Ethical, Legal, Risk Analysis, Technical, Unintended Consq. Response Process Model Decision Model – Max Benefit, Min Risk, Incorporates Legal & Ethical Active Defense Algorithm – Implementable version of process and decision model Evolutionary Active Response Model – Provides proof-of-concept

35 Future Work Simulate and Validate Model (Currently Ongoing – Medical/Univ/Financial) – R. Blue Further define taxonomy More work on applying evolutionary techniques – R. Blue, S. Gotshall Clearly define legal risks – A. Hubbard Generate More Discussion / Educate

36 Publications Sergio Caltagirone, Deborah Frincke, "The Response Continuum," presented at 6th IEEE Information Assurance Workshop, West Point, NY, USA, June 2005. Sergio Caltagirone, Deborah Frincke, "ADAM: Active Defense Algorithm and Model," in Aggressive Network Self-Defense, N.R. Wyler and G. Byrne, Eds. Rockland, MD, USA: Syngress Publishing, 2005, pp. 287-311. Sergio Caltagirone, "Questions About Active Response," 4th Workshop on the Active Response Continuum to Cyber Attacks. George Mason University, Fairfax, VA, USA, March 2005. Sergio Caltagirone, "Active Defense Decision and Escalation Model," 20th Annual Computer Security Applications Conference, Works In Progress. Tucson, AZ, USA, December 2004. Sergio Caltagirone, "An Active Defense Decision Model," presented at the Agora Workshop, University of Seattle, Seattle, WA. December, 2003.

37 Thank You http://www.activeresponse.org

Download ppt "Active Response Sergio Caltagirone Master’s Thesis Defense May 9, 2005 Major Professor: Deb Frincke."

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.

Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
(Geneva, Switzerland, September 2014)

(Geneva, Switzerland, September 2014)
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.

Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.

Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )

Similar presentations

Ads by Google