
Description: Intrusion Detection Research, Stephen Huang, Sept. 20, 2013 (PowerPoint presentation). News: http://arstechnica.com/security/2013/09/meet-hidden-lynx-the-most-elite-hacker-crew-youve-never-heard-of/ Jobs: http://www.homelandsecuritynewswire.com/dr20130809-cybersecurity-jobs-average-over-100-000-a-year
Intrusion Detection Research

Stephen Huang, Sept. 20, 2013

News

http://arstechnica.com/security/2013/09/meet-hidden-lynx-the-most-elite-hacker-crew-youve-never-heard-of/

Intrusion Detection Research

Objective: To protect the infrastructure and the integrity of computer systems and their data.

Assumptions: Hackers are able to establish a connection session to the victim machine. Packets are exchanged between the originating source and the victim. Data may be encrypted.

Attack

(Diagram: Attacker -> Victim, a direct connection.)

Stepping-Stone Attack

(Diagram: Attacker -> Stepping-Stone -> Victim, the connection relayed through an intermediate host.)

Our Strategy

(Diagram: the same Attacker -> Stepping-Stone -> Victim chain, which the solutions that follow defend at the stepping-stone and at the victim.)

Our Solutions 1 & 2

Refuse to be a stepping-stone.

Solution 1, Stepping-Stone Detection: identifying a host being used as a stepping-stone by comparing incoming and outgoing streams of packets for similarity.

Solution 2, Long Connection Chain Detection: detecting long downstream connection chains by matching Send and Echo packets to compute the round-trip time (RTT).
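The two checks on this slide, as an added example that is not code from the presentation: an incoming and an outgoing packet stream on the same host are compared for timing similarity, and Send packets are matched with the Echo that answers them to compute RTTs. The packet times are constructed, and the 50 ms match window, the 80% match ratio and the 0.3 s RTT limit are assumed values, not figures from the talk.

```python
"""Added example, not code from the presentation: the two checks listed under
Solutions 1 & 2, run over constructed packet traces.

Stepping-stone detection compares an incoming stream with an outgoing stream on
the same host: a relayed interactive session forwards each incoming packet a few
milliseconds later, so most incoming packets have an outgoing partner within a
short delay window. Long-chain detection matches each Send packet with the Echo
that answers it and computes round-trip times; a longer downstream chain means a
larger RTT. The window, the match ratio and the RTT limit are assumed values.
"""
from bisect import bisect_left


def matched_fraction(incoming, outgoing, max_delay=0.05):
    """Fraction of incoming packet times followed by an outgoing packet within max_delay seconds."""
    outgoing = sorted(outgoing)
    hits = 0
    for t in incoming:
        i = bisect_left(outgoing, t)          # first outgoing packet at or after t
        if i < len(outgoing) and outgoing[i] - t <= max_delay:
            hits += 1
    return hits / len(incoming) if incoming else 0.0


def is_stepping_stone(incoming, outgoing, max_delay=0.05, min_ratio=0.8):
    """Solution 1: flag the host as a stepping-stone when the two streams are similar enough."""
    return matched_fraction(incoming, outgoing, max_delay) >= min_ratio


def compute_rtts(packets):
    """Solution 2, step one: pair each Send ('S') with the first Echo ('E') that follows it.

    A Send followed by another Send before any Echo stays unmatched, which is what
    happens when a user types faster than the chain echoes.
    """
    rtts = []
    pending = None
    for t, kind in sorted(packets):
        if kind == "S":
            pending = t
        elif kind == "E" and pending is not None:
            rtts.append(t - pending)
            pending = None
    return rtts


def chain_is_long(rtts, rtt_limit=0.3):
    """Solution 2, step two: a median RTT above rtt_limit (assumed) indicates a long downstream chain."""
    if not rtts:
        return False
    ordered = sorted(rtts)
    return ordered[len(ordered) // 2] > rtt_limit


# Constructed data: arrival times (seconds) of keystroke packets on an incoming SSH session.
INCOMING = [0.00, 0.21, 0.37, 0.80, 1.02, 1.15, 1.60, 1.91, 2.30, 2.55]
# Outgoing stream of a host that relays the session: each packet forwarded 8 ms later.
RELAYED = [t + 0.008 for t in INCOMING]
# Outgoing stream of an unrelated transfer with its own schedule.
UNRELATED = [0.10, 0.50, 0.90, 1.30, 1.70, 2.10, 2.50, 2.90]

# Constructed Send/Echo traces: a direct session and one relayed through several hops.
SHORT_CHAIN = [(0.000, "S"), (0.040, "E"), (0.500, "S"), (0.545, "E"), (0.900, "S"), (0.942, "E")]
LONG_CHAIN = [(0.000, "S"), (0.410, "E"), (0.700, "S"), (1.130, "E"), (1.500, "S"), (1.895, "E")]

if __name__ == "__main__":
    print("relayed stream matched:", matched_fraction(INCOMING, RELAYED))
    print("unrelated stream matched:", matched_fraction(INCOMING, UNRELATED))
    print("short chain RTTs:", compute_rtts(SHORT_CHAIN), "long?", chain_is_long(compute_rtts(SHORT_CHAIN)))
    print("long chain RTTs:", compute_rtts(LONG_CHAIN), "long?", chain_is_long(compute_rtts(LONG_CHAIN)))
```

The similarity check needs only packet timing, which is why the assumption that data may be encrypted does not get in the way: nothing in either check looks at payloads.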

Victim Host Protection

(Diagram: Attacker -> Connection Chain -> Victim, with the Visible Hosts of the chain marked.)

Solution 3

Refuse to be a victim. Identifying a host being attacked through a stepping-stone chain by examining the behavior of long connection chains.

Challenges

Intruder's evasion techniques: chaffing, time jittering.

New technology: TOR.

Evasion

Correlation-Based Approach

(Flow diagram: streams S1 and S2 enter a Correlation step; the Decision node outputs Stepping-Stone (Attack) on Y and Normal on N.)

Evasion

Correlation-Based Approach

(Flow diagram: streams S1 and S2 enter a Correlation step, but S1 has been chaffed first; the Decision node now outputs N?, i.e. the chaffed stepping-stone stream may no longer be recognized as an attack.)

Solution 4

If one jitters or chaffs a traffic stream enough, the pattern of the packets becomes different from the norm, so the evasion itself can be detected.

Countering the Evasion

(Flow diagram: S1 first passes through a Chaff Detection step. If chaff is detected (Y), the stream is flagged at that Decision node; if not (N), S1 and S2 go to Correlation, and the Decision node outputs Stepping-Stone (Attack) on Y and Normal on N.)
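Solution 4 and the Chaff Detection step of the flow diagram, as an added example that is not code from the presentation: the two evasions are simulated on a constructed interactive stream, and a stream is flagged when the distribution of its inter-arrival times drifts away from a baseline of normal traffic, measured with the standard two-sample Kolmogorov-Smirnov distance. The baseline gaps, the chaff period, the jitter delays and the 0.3 decision threshold are assumptions; the statistic is a textbook one, not the talk's own method.

```python
"""Added example, not code from the presentation: what chaffing and time
jittering do to an interactive packet stream, and the check behind Solution 4
and the "Chaff Detection" box in the flow diagram. A stream is compared with a
baseline of normal interactive traffic using the two-sample Kolmogorov-Smirnov
distance between their inter-arrival time distributions; a large distance means
the pattern no longer looks like the norm. The baseline, the chaff period, the
jitter delays and the 0.3 decision threshold are all constructed/assumed.
"""
from bisect import bisect_right
from itertools import accumulate


def gaps_to_times(gaps):
    """Turn inter-arrival gaps into absolute packet times, starting at 0."""
    return [0.0] + list(accumulate(gaps))


def times_to_gaps(times):
    """Inverse of gaps_to_times: consecutive differences of the sorted packet times."""
    times = sorted(times)
    return [b - a for a, b in zip(times, times[1:])]


def chaff(times, period=0.05):
    """Evasion 1, chaffing: insert meaningless packets every `period` seconds among the real ones."""
    extra = []
    t = period / 2
    while t < times[-1]:
        extra.append(t)
        t += period
    return sorted(times + extra)


def jitter(gaps, delays=(0.20, 0.35, 0.50, 0.25, 0.40)):
    """Evasion 2, time jittering, modelled as adding a varying delay to each inter-arrival gap."""
    return [g + delays[i % len(delays)] for i, g in enumerate(gaps)]


def ks_distance(sample_a, sample_b):
    """Two-sample Kolmogorov-Smirnov statistic: the largest gap between the two empirical CDFs."""
    a, b = sorted(sample_a), sorted(sample_b)
    distance = 0.0
    for x in sorted(set(a) | set(b)):
        f_a = bisect_right(a, x) / len(a)
        f_b = bisect_right(b, x) / len(b)
        distance = max(distance, abs(f_a - f_b))
    return distance


def looks_chaffed_or_jittered(gaps, baseline, threshold=0.3):
    """Solution 4: flag the stream when its inter-arrival pattern differs from the norm."""
    return ks_distance(gaps, baseline) > threshold


# Constructed baseline: inter-arrival gaps (seconds) of normal interactive typing.
BASELINE = [0.12, 0.18, 0.25, 0.09, 0.31, 0.15, 0.22, 0.40, 0.11, 0.19,
            0.27, 0.14, 0.33, 0.10, 0.21, 0.16, 0.29, 0.13, 0.24, 0.36]
# Constructed gaps of a fresh, unmodified interactive session.
NORMAL_GAPS = [0.11, 0.20, 0.26, 0.10, 0.30, 0.17, 0.23, 0.38, 0.12, 0.18,
               0.28, 0.15, 0.32, 0.09, 0.22, 0.14, 0.27, 0.13, 0.25, 0.35]
# The same session after each evasion has been applied.
CHAFFED_GAPS = times_to_gaps(chaff(gaps_to_times(NORMAL_GAPS)))
JITTERED_GAPS = jitter(NORMAL_GAPS)

if __name__ == "__main__":
    for name, gaps in [("normal", NORMAL_GAPS), ("chaffed", CHAFFED_GAPS), ("jittered", JITTERED_GAPS)]:
        print(f"{name:9s} KS distance {ks_distance(gaps, BASELINE):.2f} "
              f"abnormal={looks_chaffed_or_jittered(gaps, BASELINE)}")
```

Chaff at a fixed period fills the stream with gaps shorter than any human keystroke interval, and heavy jitter stretches every gap beyond the baseline, so both land far from the norm even though each evasion defeats a plain timing correlation between S1 and S2. A real baseline should be learned from the protected host's own interactive traffic rather than typed in as here.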

TOR

TOR (The Onion Router) is a network of virtual tunnels that allows people to improve their privacy and security on the Internet. Anonymity online.

Issues

Users have an anonymous way to connect to a host. So do the hackers, and it is more convenient for them.

Can we detect when a user is trying to sign on to our server by going through TOR?

There may be legitimate reasons to do so, but it is certainly very suspicious.

Typical TCP Connection

SYN -> SYN-ACK -> ACK -> HTTP GET

TOR HTTP Connection

SYN -> SYN-ACK -> ACK -> HTTP GET -> begin{relay} -> {relay} -> {relay} -> connected -> HTTP GET

(The HTTP GET appears twice on the slide: once when the client issues it, and again when it is delivered to the server after the circuit reports connected.)
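One server-side observable that follows from the two sequences above, as an added example that is not code from the presentation: in a direct connection the HTTP GET follows the handshake almost immediately, while through TOR the exit relay completes the handshake, reports connected back through the circuit, and only then receives the GET to forward, so the delay between the client's handshake ACK and its first data packet is much larger. The trace format, the addresses (documentation ranges), the 0.25 s threshold and the exit-node list are all constructed or assumed.

```python
"""Added example, not code from the presentation: compare the delay between the
handshake and the first data packet in a direct connection and in one arriving
through a TOR exit relay, as seen from the server. The trace format, the
addresses, the 0.25 s threshold and the exit list are constructed/assumed.
"""

# Constructed traces in a tcpdump-like form: "<time> <src> > <dst>: <flags> [payload]"
DIRECT_TRACE = """\
0.000 198.51.100.7 > 203.0.113.10: S
0.021 203.0.113.10 > 198.51.100.7: S.
0.042 198.51.100.7 > 203.0.113.10: .
0.045 198.51.100.7 > 203.0.113.10: P GET / HTTP/1.1
"""

TOR_TRACE = """\
0.000 192.0.2.44 > 203.0.113.10: S
0.021 203.0.113.10 > 192.0.2.44: S.
0.042 192.0.2.44 > 203.0.113.10: .
0.612 192.0.2.44 > 203.0.113.10: P GET / HTTP/1.1
"""

SERVER = "203.0.113.10"
# Assumed list of known TOR exit addresses; the real one is published by the Tor Project.
KNOWN_EXITS = {"192.0.2.44"}


def parse_trace(text):
    """Parse the constructed trace into (time, src, dst, flags) tuples."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        time, src, dst, flags = float(fields[0]), fields[1], fields[3].rstrip(":"), fields[4]
        packets.append((time, src, dst, flags))
    return packets


def handshake_to_first_data(packets, server=SERVER):
    """Seconds between the client's first packet after the SYN-ACK (the handshake ACK)
    and its first data packet (P flag). Returns None if either never happens."""
    saw_synack = False
    ack_time = None
    for time, src, dst, flags in packets:
        if src == server and flags == "S.":
            saw_synack = True
            continue
        if dst != server or not saw_synack:
            continue
        if ack_time is None:
            ack_time = time                     # this packet completes the handshake
        if flags.startswith("P"):
            return time - ack_time              # may be 0 if data rides on the ACK itself
    return None


def assess(text, threshold=0.25, exits=KNOWN_EXITS):
    """Combine the timing heuristic with the exit-list lookup; return the reasons found."""
    packets = parse_trace(text)
    reasons = []
    if not packets:
        return reasons
    client = packets[0][1]
    delay = handshake_to_first_data(packets)
    if delay is not None and delay > threshold:
        reasons.append(f"first data {delay:.3f}s after handshake")
    if client in exits:
        reasons.append("source is a known TOR exit")
    return reasons


if __name__ == "__main__":
    for name, trace in [("direct", DIRECT_TRACE), ("tor", TOR_TRACE)]:
        print(name, "delay:", handshake_to_first_data(parse_trace(trace)), "reasons:", assess(trace))
```

The timing heuristic on its own gives false positives (slow clients, proxies, a user pausing before the first request), which matches the slide's caution that there may be legitimate reasons; the lookup against the published exit list is the cheap, reliable signal, and the delay is a corroborating one.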

Summary

Real-time intrusion detection is critical to protecting the data and integrity of computer systems.

It is possible to detect a large percentage of cases by using various methods.

Intruders have developed techniques to evade detection, and we have to come up with countermeasures.