Towards trapping wily intruders in the large

Glenn Mansfield, Kohei Ohta, Yohsuke Takei, Nei Kato, Yoshiaki Nemoto

Cyber Solutions Inc., Tohoku University

RAID’99, September 7-9, 1999

Jan 02, 2016

Page 1

Towards trapping wily intruders in the large

Glenn Mansfield, Kohei Ohta, Yohsuke Takei, Nei Kato, Yoshiaki Nemoto

Cyber Solutions Inc., Tohoku University

RAID’99, September 7-9, 1999

Page 2

outline

background
– network-based illegal access detection

characteristics of network intrusions
– signatures of intrusions

detection of intrusion from traffic-flow
– traffic-flow signature
– correlation of signatures
– experimental evaluation

map-based distributed intrusion tracking

conclusion

Page 3

background

Network-based illegal access detection
– rapid increase in network bandwidth
– devious techniques (e.g. spoofing) used by the hackers

Page 4

Suspicious Behavior

Repeated Failures

Knocking at several doors

Signatures

Page 5

characteristics of network intrusions (I)

Signals from TCP-Reset Characteristics

Page 6

characteristics of network intrusions (II)

Figure: Number of ICMP-UR packets (port SNMP(161)) per hour. Bar chart; x-axis: Hour; y-axis: number of packets. Almost every hourly count is zero, with a few isolated peaks of several hundred to over two thousand packets.

Page 7

characteristics of network intrusions (III)

ICMP destination port unreachable messages for SNMP port (under scan)

Timestamp  Source IP     Destination IP  Src port  Dest port
928256855  nnn.101.0.20  nnn.211.2.63    1026      SNMP(161)
928256855  nnn.101.0.20  nnn.211.2.62    1026      SNMP(161)
928256855  nnn.101.0.20  nnn.211.2.61    1026      SNMP(161)
928256855  nnn.101.0.20  nnn.211.2.60    1026      SNMP(161)
928256855  nnn.101.0.20  nnn.211.2.59    1026      SNMP(161)
928256856  nnn.101.0.20  nnn.211.2.25    1026      SNMP(161)
928256856  nnn.101.0.20  nnn.211.2.24    1026      SNMP(161)
928256856  nnn.101.0.20  nnn.211.2.23    1026      SNMP(161)

Page 8

characteristics of network intrusions (IV)

Figure: Distribution of inter-message interval. Histogram; x-axis: inter-message interval (0 to 23 seconds); y-axis: frequency. Nearly all intervals fall in the 0 and 1 second bins, with only scattered single counts at larger intervals.
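The three signatures on slides 6 to 8 (ICMP-UR count per hour, one source walking many hosts on the SNMP port, and the inter-message interval distribution) can be computed from records in the slide-7 table format. The following is an added example, not the authors' code; the ninth record and the thresholds in find_scanners are constructed assumptions.

```python
"""Detection logic over ICMP destination-port-unreachable (ICMP-UR) records
of the kind shown in the slide-7 table. Added example; not the authors' code.
Each record is (timestamp, src_ip, dst_ip, src_port, dst_port). The last
sample record and the thresholds in find_scanners are constructed assumptions."""
from collections import Counter, defaultdict

# Constructed sample: the eight slide-7 rows (one source walking consecutive
# hosts on UDP/161 within two seconds) plus one unrelated single record.
RECORDS = [
    (928256855, "nnn.101.0.20", "nnn.211.2.63", 1026, 161),
    (928256855, "nnn.101.0.20", "nnn.211.2.62", 1026, 161),
    (928256855, "nnn.101.0.20", "nnn.211.2.61", 1026, 161),
    (928256855, "nnn.101.0.20", "nnn.211.2.60", 1026, 161),
    (928256855, "nnn.101.0.20", "nnn.211.2.59", 1026, 161),
    (928256856, "nnn.101.0.20", "nnn.211.2.25", 1026, 161),
    (928256856, "nnn.101.0.20", "nnn.211.2.24", 1026, 161),
    (928256856, "nnn.101.0.20", "nnn.211.2.23", 1026, 161),
    (928260000, "nnn.7.7.7", "nnn.211.2.40", 40000, 161),  # constructed, benign
]

def packets_per_hour(records):
    """Slide 6: ICMP-UR count per hour (hour = timestamp // 3600)."""
    return dict(sorted(Counter(t // 3600 for t, *_ in records).items()))

def inter_message_intervals(records, src):
    """Seconds between consecutive ICMP-UR messages caused by one source."""
    ts = sorted(t for t, s, *_ in records if s == src)
    return [b - a for a, b in zip(ts, ts[1:])]

def interval_histogram(intervals, bins=24):
    """Slide 8: frequency of each interval 0..bins-1 s (last bin catches the rest)."""
    counts = Counter(min(d, bins - 1) for d in intervals)
    return [counts.get(i, 0) for i in range(bins)]

def find_scanners(records, port=161, min_targets=5, max_interval=2):
    """'Knocking at several doors': a source whose probes to one port hit many
    distinct hosts back-to-back. Thresholds are assumptions, not the paper's."""
    targets = defaultdict(set)
    for _, s, d, _, dp in records:
        if dp == port:
            targets[s].add(d)
    flagged = {}
    for s, hosts in targets.items():
        gaps = inter_message_intervals(records, s)
        if len(hosts) >= min_targets and gaps and max(gaps) <= max_interval:
            flagged[s] = sorted(hosts)
    return flagged

if __name__ == "__main__":
    print(packets_per_hour(RECORDS))
    print(interval_histogram(inter_message_intervals(RECORDS, "nnn.101.0.20")))
    print(find_scanners(RECORDS))
```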

Page 9

detection of intrusion from traffic-flow signature

Packet contents may be encrypted

Packet contents may be manipulated

The traffic volume may be very large

Page 10

Traffic-flow signature(1)

Figure: four sites (site 1 to site 4) connected through the network, each watched by a traffic monitor.

Page 11

Traffic-flow signature(2)

$$A = (a_1, a_2, \ldots, a_n) \quad (1)$$

where $a_i$ is the number of packets in time slot $i$.

Page 12

correlating traffic-flow signature

Correlation of traffic patterns: correlation coefficient r

(A, B are two flows)

$$r(A, B) = \frac{s_{in,out}}{s_{in}\, s_{out}}$$

$$s_{in,out} = \frac{1}{n} \sum_{i=1}^{n} (a_i - \bar{A})(b_i - \bar{B})$$

$$s_{in} = \sqrt{\frac{1}{n} \sum_{i=1}^{n} (a_i - \bar{A})^2}, \qquad s_{out} = \sqrt{\frac{1}{n} \sum_{i=1}^{n} (b_i - \bar{B})^2}$$

Page 13

experimental evaluation (configuration)

100 Mbps FDDI backbone network

ICMP echo request/reply messages

Figure: network 1, network 2 and network 3 on the backbone, monitored by probe 1 and probe 2.

Size of time slot δ: 1 minute

Window size Δ: 5 slots

Threshold of correlation coefficient: 0.9
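The traffic-flow signature of slide 11, the correlation coefficient of slide 12 and the slide-13 parameters (δ = 1 minute, Δ = 5 slots, threshold 0.9) combine into the detector below. This is an added example, not the authors' implementation; the two sample signatures are constructed to mimic the slide-14/15 relay pattern, with incoming echo requests as flow A and outgoing echo replies as flow B.

```python
"""Traffic-flow signature correlation (slides 11-13). Added example, not the
authors' code. Two probes count packets per time slot; a window of WINDOW
slots of flow A (incoming) is correlated with flow B (outgoing) and a relay is
flagged when r(A,B) reaches THRESHOLD. Sample signatures are constructed."""
from math import sqrt

SLOT = 60        # δ: size of time slot, 1 minute (slide 13)
WINDOW = 5       # Δ: window size, 5 slots (slide 13)
THRESHOLD = 0.9  # threshold of correlation coefficient (slide 13)

def signature(timestamps, t0, n, slot=SLOT):
    """A = (a_1, ..., a_n): a_i = number of packets in slot i starting at t0."""
    a = [0] * n
    for t in timestamps:
        i = int((t - t0) // slot)
        if 0 <= i < n:
            a[i] += 1
    return a

def correlation(a, b):
    """r(A,B) = s_in,out / (s_in * s_out), with the slide-12 definitions."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    s_inout = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b)) / n
    s_in = sqrt(sum((x - mean_a) ** 2 for x in a) / n)
    s_out = sqrt(sum((y - mean_b) ** 2 for y in b) / n)
    if s_in == 0 or s_out == 0:
        return 0.0  # a flat flow carries no pattern to correlate
    return s_inout / (s_in * s_out)

def correlated_windows(a, b, window=WINDOW, threshold=THRESHOLD):
    """Slide a window over both signatures; return the start indices of the
    windows whose correlation reaches the threshold."""
    return [k for k in range(len(a) - window + 1)
            if correlation(a[k:k + window], b[k:k + window]) >= threshold]

# Constructed sample: ten one-minute slots. A burst of echo requests in
# slots 3-4 on the incoming side is answered by an amplified burst of
# replies on the outgoing side, as in a Smurf relay; the rest is idle.
A_IN = [12, 10, 11, 480, 530, 14, 9, 11, 10, 13]
B_OUT = [300, 280, 310, 95000, 110000, 320, 290, 300, 310, 295]

if __name__ == "__main__":
    print(correlated_windows(A_IN, B_OUT))  # windows that contain the burst
```

Windows that cover the idle tail only (slots 5 to 9) fall well below the threshold, so the detector reacts to the shared burst rather than to the constant background.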

Page 14

relay of ICMP echo reply

A burst of ICMP echo reply triggered by broadcast ping, Smurf

Figure: relay of ICMP echo reply. x-axis: time [sec] (9960 to 11220); y-axis: number of packets (0 to 160000); series: Incoming traffic, Outgoing traffic.

Page 15

relay of ICMP echo request

A cluster of ICMP echo request triggering the bursty ICMP reply

Figure: relay of ICMP echo request. x-axis: time [sec] (3720 to 5160); y-axis: number of packets (0 to 700); series: Incoming traffic, Outgoing traffic.

Page 16

http://www.cysols.com/IPAMaps/

ChaIn: Charting the Internet

IPA: Information-technology Promotion Agency, Japan (www.ipa.go.jp)

Page 17

map-based intrusion tracking

Page 18

inter-N/W communication I

Traffic monitoring at N/W border
– watch all the traffic
– process only suspicious packets.

Use network configuration information to trap and/or track-down the intruder.

Communication using SNMP(v3) notifications.

Page 19

inter-N/W communication II

Figure: detection systems at different networks exchanging SNMP INFORM PDUs; each system also publishes information over http://, ftp:// and snmp:// URLs (addresses elided in the slide).

Page 20

5. Network Security Using Maps

Figure: a Monitor in AS0 flags a flow as "Suspicious !!" and asks the neighbouring autonomous systems (AS1, AS2, AS3) "Saw this?"; each answers Yes or No, and the Yes answers trace the path back toward the Intruder.

Page 21

conclusion

Profiling network traffic to distinguish normal usage from abnormal or ill-intentioned usage.

Monitoring suspicious signals in a distributed information collection framework

A new technique based on packet flow monitoring to counter the threats posed by spoofing.

Use of network configuration information to track down intruders.

Use of an SNMP-based messaging system.