Intrusion Detection Research
Post on 24-Feb-2016
Intrusion Detection Research
Stephen Huang, Sept. 20, 2013
News
http://arstechnica.com/security/2013/09/meet-hidden-lynx-the-most-elite-hacker-crew-youve-never-heard-of/
Jobs
http://www.homelandsecuritynewswire.com/dr20130809-cybersecurity-jobs-average-over-100-000-a-year
Intrusion Detection Research
Objective: To protect the infrastructure and the integrity of computer systems and their data.
Assumptions: Hackers are able to establish a connection session to the victim machine. Packets are exchanged between the originating source and the victim. Data may be encrypted.
Attack
(diagram: Attacker -> Victim)
Stepping-Stone Attack
(diagram: Attacker -> Stepping-Stone -> Victim)
Our Strategy
(diagram: Attacker -> Stepping-Stone -> Victim)
Our Solutions 1 & 2
Refuse to be a Stepping-Stone.
Stepping-Stone Detection: identifying a host being used as a stepping-stone by comparing the incoming and outgoing streams of packets for similarity.
Long Connection Chain Detection: detecting long downstream connection chains by matching Send and Echo packets to compute the Round-Trip Time (RTT).
Victim Host Protection
(diagram: Attacker -> Connection Chain -> Victim, with the Visible Hosts marked)
Solution 3
Refuse to be a victim. Identifying a host being attacked through a stepping-stone chain. Examining the behavior of long connection chains.
Challenges
Intruder's evasion techniques: chaffing, time jittering
New technology: TOR
Evasion
Correlation-Based Approach
(flow diagram: streams S1 and S2 -> Stepping-Stone Correlation -> Decision: Y -> Attack, N -> Normal)
Evasion
Correlation-Based Approach
(flow diagram: S1 and a chaffed S2 -> Stepping-Stone Correlation -> Decision: Y -> Attack, N? -> Normal)
Solution 4
If one jitters or chaffs a traffic stream enough, the pattern of the packets becomes different from the norm.
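The correlation test and the chaff evasion described above, as an added Python example that is not part of Stephen Huang's talk: a host compares the timestamps of its incoming and outgoing streams, the example shows how chaff in the outgoing stream drags the plain correlation score below the decision threshold, and a chaff check is then run before the correlation test, which is how I read the Countering the Evasion flow. All timestamps, the 50 ms relay window, the 0.8 threshold and the "bursty gaps" norm used for chaff detection are assumptions made for this example.

```python
import statistics

# Constructed timestamps (seconds) of packets seen on one host. INCOMING is the
# interactive stream arriving from upstream: bursts of keystrokes separated by
# typing pauses. Each outgoing variant is what the host sends downstream in one
# scenario. Hypothetical data, not measurements from the talk.
INCOMING = [0.00, 0.12, 0.21, 0.35, 1.80, 1.95, 2.03, 2.20, 4.50, 4.62]
RELAYED = [t + 0.012 for t in INCOMING]          # stepping-stone: ~12 ms relay delay
CHAFF = [0.25 * k + 0.05 for k in range(19)]     # bogus packets every 250 ms
CHAFFED = sorted(RELAYED + CHAFF)                # stepping-stone hiding behind chaff
UNRELATED = [0.45, 0.55, 1.10, 1.25, 1.33, 2.70, 2.81, 3.60, 3.74, 3.90]  # local session

def match_relayed(incoming, outgoing, max_delay=0.05):
    """Greedily pair each incoming packet with the first outgoing packet that
    follows it within max_delay seconds; each outgoing packet is used once."""
    pairs, j, out = 0, 0, sorted(outgoing)
    for t_in in sorted(incoming):
        while j < len(out) and out[j] < t_in:    # too early to be a relay of t_in
            j += 1
        if j < len(out) and out[j] - t_in <= max_delay:
            pairs += 1
            j += 1
    return pairs

def correlation_score(incoming, outgoing, max_delay=0.05):
    """Share of packets in both streams that have a relay partner: 1.0 when the
    outgoing stream is a copy of the incoming one. Chaff adds partnerless packets
    to the denominator and drags the score down (the 'N?' on the chaffed slide)."""
    return 2 * match_relayed(incoming, outgoing, max_delay) / (len(incoming) + len(outgoing))

def looks_chaffed(stream, max_cv=1.0):
    """Assumed norm for this example: human-driven interactive traffic is bursty,
    so its inter-packet gaps vary widely (coefficient of variation well above 1).
    Steady-rate chaff fills the pauses and makes the gaps regular, pulling the
    CV below max_cv."""
    ts = sorted(stream)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return False
    return statistics.stdev(gaps) / statistics.mean(gaps) < max_cv

def classify(incoming, outgoing, threshold=0.8):
    """Countering-the-evasion flow: chaff detection first, then the correlation test."""
    if looks_chaffed(outgoing):
        return "attack (chaffed stream)"
    if correlation_score(incoming, outgoing) >= threshold:
        return "attack (stepping-stone)"
    return "normal"
```

With these inputs the correlation score is 1.0 for RELAYED, 0.0 for UNRELATED and about 0.51 for CHAFFED, so the plain correlation test misses the chaffed stepping-stone while the chaff check still reports it.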
Countering the Evasion
(flow diagram: S1 and S2 -> Chaff Detection -> Decision (Y/N) -> Stepping-Stone Correlation -> Decision: Y -> Attack, N -> Normal)
TOR
TOR (The Onion Router) is a network of virtual tunnels that allows people to improve their privacy and security on the Internet.
Anonymity Online.
Issues
Users have an anonymous way to connect to a host. So do the hackers! It is more convenient for them.
Can we detect when a user is trying to sign on to our server by going through TOR?
There may be legitimate reasons to do so, but it is certainly very suspicious.
Typical TCP Connection
SYN -> SYN-ACK -> ACK -> HTTP GET
TOR HTTP Connection
SYN -> SYN-ACK -> ACK -> HTTP GET -> begin{relay} -> {relay} -> {relay} -> connected -> HTTP GET
Summary
Real-time intrusion detection is critical in protecting data and integrity of computer systems.
It is possible to detect a large percentage of cases by using various methods.
Intruders have developed techniques to evade detection. We have to come up with countermeasures.