Slide 1: Towards trapping wily intruders in the large
Glenn Mansfield, Kohei Ohta, Yohsuke Takei, Nei Kato, Yoshiaki Nemoto
Cyber Solutions Inc., Tohoku University
RAID’99, September 7-9, 1999
Slide 2 (Cyber Solutions, RAID’99): outline
- background
  - network-based illegal access detection
- characteristics of network intrusions
  - signatures of intrusions
- detection of intrusion from traffic-flow
  - traffic-flow signature
  - correlation of signatures
  - experimental evaluation
- map-based distributed intrusion tracking
- conclusion
Slide 3: background
- Network-based illegal access detection
  - rapid increase in network bandwidth
  - devious techniques (e.g. spoofing) used by the hackers
Slide 4: Suspicious Behavior
(diagram: suspicious behaviour marked with question marks; the labelled signatures are "Repeated Failures" and "Knocking at several doors")
Slide 5: characteristics of network intrusions (I)
- Signals from TCP-Reset characteristics
Slide 6: characteristics of network intrusions (II)
- Number of ICMP-UR (unreachable) packets for the SNMP port (161)
Slide 7: characteristics of network intrusions (III)
- ICMP destination port unreachable messages for the SNMP port (under scan)
Slide 8: characteristics of network intrusions (IV)
- Distribution of inter-message interval
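The signatures listed on slides 6 to 8 (count of ICMP unreachable messages for the SNMP port, and the distribution of the intervals between them) can be derived from a stream of border observations. The following is an added example and not code from the presentation: the record layout, the function names, the sample records and the sweep thresholds are assumptions made for this illustration.

```python
"""Added example, not code from the RAID'99 slides: derive the ICMP
unreachable signatures the slides list (count of ICMP-UR messages for the
SNMP port, and the inter-message interval distribution) from a constructed
stream of border observations. Function names, the record layout and the
sweep thresholds are assumptions made for this illustration."""
from collections import Counter
from statistics import mean, pstdev

SNMP_PORT = 161

# Constructed observations of ICMP "destination port unreachable" messages
# seen at a network border: (timestamp in seconds, host that sent the ICMP,
# UDP port the dropped datagram had been addressed to). Eight hosts answer a
# sweep of UDP/161 at a steady 0.5 s cadence; three unrelated unreachables
# (DNS, SIP, a traceroute probe) are mixed in.
SAMPLE_ICMP_UR = [
    (100.0, "10.0.0.1", 161),
    (100.5, "10.0.0.2", 161),
    (100.7, "10.0.0.9", 53),
    (101.0, "10.0.0.3", 161),
    (101.5, "10.0.0.4", 161),
    (102.0, "10.0.0.5", 161),
    (102.2, "10.0.0.9", 5060),
    (102.5, "10.0.0.6", 161),
    (103.0, "10.0.0.7", 161),
    (103.5, "10.0.0.8", 161),
    (140.0, "10.0.0.9", 33434),
]

# Constructed counter-example: the same kind of hosts answering at irregular
# times, as happens when a misconfigured manager polls them sporadically.
SAMPLE_IRREGULAR = [
    (100.0, "10.0.0.1", 161), (103.1, "10.0.0.2", 161), (103.4, "10.0.0.3", 161),
    (110.0, "10.0.0.4", 161), (110.2, "10.0.0.5", 161), (118.0, "10.0.0.6", 161),
]


def snmp_unreachable_signature(records, port=SNMP_PORT):
    """Signatures (II) and (III): number of ICMP-UR messages for the SNMP
    port, which hosts generated them, and the intervals between them."""
    hits = sorted((ts, src) for ts, src, dport in records if dport == port)
    times = [ts for ts, _ in hits]
    intervals = [later - earlier for earlier, later in zip(times, times[1:])]
    return {
        "count": len(hits),
        "responders": Counter(src for _, src in hits),
        "intervals": intervals,
    }


def interval_distribution(intervals):
    """Signature (IV): summarise the inter-message interval distribution as
    (mean, population standard deviation, coefficient of variation).
    Returns None when fewer than two intervals are available."""
    if len(intervals) < 2:
        return None
    m = mean(intervals)
    s = pstdev(intervals)
    return m, s, (s / m if m else float("inf"))


def looks_like_snmp_sweep(records, min_responders=5, max_cv=0.2):
    """Assumed heuristic (not from the slides): many distinct hosts answering
    'port unreachable' for UDP/161 at a tight, regular cadence points to a
    port sweep rather than to a single misconfigured SNMP manager.
    The thresholds are illustrative defaults."""
    sig = snmp_unreachable_signature(records)
    dist = interval_distribution(sig["intervals"])
    if dist is None:
        return False
    _, _, cv = dist
    return len(sig["responders"]) >= min_responders and cv <= max_cv


if __name__ == "__main__":
    sig = snmp_unreachable_signature(SAMPLE_ICMP_UR)
    print("ICMP-UR for SNMP port:", sig["count"], "from", len(sig["responders"]), "hosts")
    print("interval distribution (mean, stdev, cv):", interval_distribution(sig["intervals"]))
    print("sweep suspected:", looks_like_snmp_sweep(SAMPLE_ICMP_UR))
```

The regular sample yields eight messages from eight hosts with a zero-spread interval distribution and is flagged; the irregular sample has enough responders but a coefficient of variation far above the threshold and is not. A deployment would feed real ICMP observations in and tune the thresholds against its own baseline.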
Slide 9: detection of intrusion from traffic-flow signature
- Packet contents may be encrypted
- Packet contents may be manipulated
- The traffic volume may be very large
Slide 10: Traffic-flow signature (1)
(figure)
Slide 11: Traffic-flow signature (2)
(figure)
Slide 12: correlating traffic-flow signatures
- Correlation of traffic patterns: correlation coefficient r (A, B are two flows)
Slide 13: experimental evaluation (configuration)
- 100Mbps FDDI backbone network
- ICMP echo request/reply messages
Slide 14: relay of ICMP echo reply
- A burst of ICMP echo replies triggered by broadcast ping (Smurf)
Slide 15: relay of ICMP echo request
- A cluster of ICMP echo requests triggering the bursty ICMP reply
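Slides 12, 14 and 15 together describe the detection: build a traffic-flow signature for the incoming echo-request flow and the outgoing echo-reply flow, correlate the two, and recognise the relay pattern in which a cluster of requests is followed by a much larger burst of replies. The following is an added example and not the authors' code; the slides do not show the formula for r, so Pearson's coefficient is assumed, and the packet trace, bin width, lag search and thresholds are all constructed assumptions.

```python
"""Added example, not code from the RAID'99 slides: build traffic-flow
signatures (packets per time bin) for ICMP echo requests entering a network
and ICMP echo replies leaving it, correlate the two flows with the
correlation coefficient r (taken here to be Pearson's r, as the slides do
not show the formula), and flag the Smurf relay pattern: a cluster of
requests followed by a much larger burst of replies. All packet data are
constructed; the bin width, lag search and thresholds are assumptions."""
from math import sqrt

BIN_SECONDS = 1.0
N_BINS = 20


def constructed_packets():
    """Constructed border trace: (timestamp, direction, ICMP message type).
    Background is one echo request/reply pair per second. In seconds 8..11
    a cluster of 50 requests per second arrives (a broadcast ping carrying a
    spoofed source); 2000 replies per second leave one second later, as
    every host on the broadcast segment answers."""
    pkts = []
    for s in range(N_BINS):
        pkts.append((s + 0.1, "in", "echo-request"))
        pkts.append((s + 0.2, "out", "echo-reply"))
    for s in range(8, 12):
        pkts.extend((s + k / 50, "in", "echo-request") for k in range(50))
        pkts.extend((s + 1 + k / 2000, "out", "echo-reply") for k in range(2000))
    return pkts


def flow_signature(packets, direction, icmp_type, n_bins=N_BINS,
                   bin_seconds=BIN_SECONDS, t0=0.0):
    """Traffic-flow signature of one flow: packet count per time bin."""
    counts = [0] * n_bins
    for ts, d, kind in packets:
        if d == direction and kind == icmp_type:
            b = int((ts - t0) // bin_seconds)
            if 0 <= b < n_bins:
                counts[b] += 1
    return counts


def correlation(a, b):
    """Correlation coefficient r of two flow signatures A and B (Pearson).
    Returns 0.0 when either flow is constant, where r is undefined."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return cov / sqrt(va * vb)


def best_lag(a, b, max_lag):
    """Assumed extension: a relay answers after its trigger, so shift B back
    by 0..max_lag bins and keep the lag with the highest r."""
    best_lag_bins, best_r = 0, correlation(a, b)
    for lag in range(1, max_lag + 1):
        r = correlation(a[:-lag], b[lag:])
        if r > best_r:
            best_lag_bins, best_r = lag, r
    return best_lag_bins, best_r


def smurf_relay_suspected(packets, n_bins=N_BINS, max_lag=3, min_r=0.9, min_gain=10):
    """Flag the relay pattern when the outgoing reply flow tracks the incoming
    request flow (r >= min_r at some small lag) and the reply burst is far
    larger than the request cluster (peak ratio >= min_gain).
    Both thresholds are illustrative assumptions."""
    requests = flow_signature(packets, "in", "echo-request", n_bins)
    replies = flow_signature(packets, "out", "echo-reply", n_bins)
    lag, r = best_lag(requests, replies, max_lag)
    gain = max(replies) / max(requests) if max(requests) else float("inf")
    return {"lag_bins": lag, "r": r, "peak_gain": gain,
            "suspected": r >= min_r and gain >= min_gain}


if __name__ == "__main__":
    print(smurf_relay_suspected(constructed_packets()))
```

On the constructed trace the two signatures correlate only moderately at zero lag, because the replies trail the requests by a bin, and perfectly once that one-bin lag is applied; the peak reply rate is roughly forty times the peak request rate, so the relay is flagged. Because r ignores payloads entirely, the check still works when packet contents are encrypted or manipulated, which is the motivation given on slide 9.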
Slide 16: http://www.cysols.com/IPAMaps/
- ChaIn: Charting the Internet
- IPA: Information technology Promotion Agency, Japan (www.ipa.go.jp)
Slide 17: map-based intrusion tracking
(figure)
Slide 18: inter-N/W communication I
- Traffic monitoring at the N/W border
  - watch all the traffic
  - process only suspicious packets
- Use network configuration information to trap and/or track down the intruder
- Communication using SNMP(v3) notifications
Slide 19: inter-N/W communication II
(diagram: detection systems exchanging SNMP INFORM PDUs; the service URLs appear on the slide only as http://…, ftp://…, snmp://…)
Slide 20: 5. Network Security Using Maps
(diagram: AS 0, AS 1, AS 2 and AS 3 with an Intruder and a Monitor; a monitor asks the neighbouring ASes "Saw this?", and the Yes/No answers together with "Suspicious !!" markers indicate where the traffic was observed)
Slide 21: conclusion
- Profiling network traffic to distinguish normal usage from abnormal or ill-intentioned usage
- Monitoring suspicious signals in a distributed information collection framework
- A new technique based on packet flow monitoring to counter the threats posed by spoofing
- Use of network configuration information to track down intruders
- Use of an SNMP-based messaging system