
Towards trapping wily intruders in the large

This paper presents a comprehensive approach to detecting and tracking network intrusions, including the use of traffic-flow signatures, correlation of signatures, and map-based distributed intrusion tracking. The techniques outlined in this research paper aim to counter the devious techniques used by hackers and enhance network security.





Presentation Transcript


  1. Towards trapping wily intruders in the large Glenn Mansfield, Kohei Ohta, Yohsuke Takei, Nei Kato, Yoshiaki Nemoto Cyber Solutions Inc., Tohoku University RAID’99, September 7-9, 1999

  2. outline • background • network-based illegal access detection • characteristics of network intrusions • signatures of intrusions • detection of intrusion from traffic-flow • traffic-flow signature • correlation of signatures • experimental evaluation • map-based distributed intrusion tracking • conclusion

  3. background • Network-based illegal access detection • rapid increase in network bandwidth • devious techniques (e.g. spoofing) used by the hackers.

  4. Suspicious behavior? Repeated failures? Signatures? Knocking at several doors

  5. characteristics of network intrusions (I) • Signals from TCP-Reset Characteristics

  6. characteristics of network intrusions (II) • Number of ICMP-UR packets (port SNMP(161))

  7. characteristics of network intrusions (III) • ICMP destination port unreachable messages for SNMP port (under scan)

  8. characteristics of network intrusions (IV) • Distribution of inter-message interval

  9. detection of intrusion from traffic-flow signature • Packet contents may be encrypted • Packet contents may be manipulated • The traffic volume may be very large

  10. Traffic-flow signature (1)

  11. Traffic-flow signature (2)

  12. correlating traffic-flow signature Correlation of traffic patterns: correlation coefficient r (A, B are two flows)

  13. experimental evaluation(configuration) • 100Mbps FDDI backbone network • ICMP echo request/reply messages

  14. relay of ICMP echo reply • A burst of ICMP echo reply triggered by broadcast ping, Smurf

  15. relay of ICMP echo request • A cluster of ICMP echo request triggering the bursty ICMP reply
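The correlation of traffic-flow signatures (slide 12) applied to the echo-request/echo-reply relay of slides 14 and 15, as an added example that is not from the paper: the capture is constructed, each flow's signature is taken to be its packet count per time bin, and r is assumed to be Pearson's correlation coefficient (the slides do not give the formula).

```python
from math import sqrt

# Constructed sample capture (not from the paper): (seconds, ICMP type) seen at the
# network border. Echo requests arrive in clusters; each cluster is answered by a
# burst of echo replies, the amplification pattern a broadcast-ping relay produces.
REQUEST_TIMES = [0.1, 0.2, 0.3, 5.1, 5.2, 10.1, 10.2, 10.3, 10.4]
PACKETS = [(t, "echo_request") for t in REQUEST_TIMES]
PACKETS += [(t + 0.4, "echo_reply") for t in REQUEST_TIMES for _ in range(3)]
PACKETS += [(3.0, "echo_reply"), (7.5, "echo_request"), (12.3, "echo_reply")]  # background


def flow_signature(packets, icmp_type, bin_size, n_bins):
    """Traffic-flow signature of one flow: packets of that ICMP type counted per time bin."""
    counts = [0] * n_bins
    for t, kind in packets:
        b = int(t // bin_size)
        if kind == icmp_type and b < n_bins:
            counts[b] += 1
    return counts


def pearson_r(a, b):
    """Correlation coefficient r between two equally long signatures A and B."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 0.0  # a flat flow carries no signature to correlate against
    return cov / sqrt(var_a * var_b)


def relay_score(packets, bin_size=1.0, n_bins=14):
    """r between the echo-request and echo-reply flows; near 1 means replies track requests."""
    req = flow_signature(packets, "echo_request", bin_size, n_bins)
    rep = flow_signature(packets, "echo_reply", bin_size, n_bins)
    return pearson_r(req, rep)


if __name__ == "__main__":
    print("request signature:", flow_signature(PACKETS, "echo_request", 1.0, 14))
    print("reply signature:  ", flow_signature(PACKETS, "echo_reply", 1.0, 14))
    print("r = %.3f" % relay_score(PACKETS))
```

A monitor that sees only the reply burst cannot tell a relay from a genuine reply storm; correlating it with the request flow observed elsewhere is what the paper's distributed tracking builds on.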

  16. ChaIn: Charting the Internet http://www.cysols.com/IPAMaps/ IPA:Information technology Promotion Agency, Japan(www.ipa.go.jp)

  17. map-based intrusion tracking

  18. inter-N/W communication I • Traffic monitoring at N/W border • watch all the traffic • process only suspicious packets • Use network configuration information to trap and/or track down the intruder • Communication using SNMP(v3) notifications

  19. inter-N/W communication II (figure: two detection systems, each fronting http, ftp and snmp services, exchanging SNMP INFORM PDUs)

  20. Network Security Using Maps (figure: suspicious traffic X reaches a monitor in AS0, which asks AS1, AS2 and AS3 "Saw this?"; their Yes/No answers trace the intruder's path across the map)

  21. conclusion • Profiling network traffic to distinguish normal usage from abnormal or ill-intentioned usage. • Monitoring suspicious signals in a distributed information collection framework • A new technique based on packet flow monitoring to counter the threats posed by spoofing. • Use of network configuration information to track down intruders. • Use of SNMP based messaging system.
