Detection Issues and Tools
Pravin Rajamoney
CSE 581 - Network Technology
Papers:
• Detecting Backdoors. Y. Zhang and V. Paxson
• Detecting Stepping Stones. Y. Zhang and V. Paxson
• Anonymous Connection and Onion Routing. M. Reed, P. Syverson, D. Goldschlag
• Transport and Application Protocol Scrubbing. G. Malan, D. Watson, F. Jahanian, P. Howell

Detecting Backdoors
Backdoors are often installed by attackers who have compromised a system to ease their subsequent return to it.

Backdoor
• Interactive: interactive backdoors frequently run over protocols such as Telnet, Rlogin or SSH.
• Non-interactive: a non-interactive backdoor could be an SMTP server set up to relay spam e-mail, or an FTP backdoor used to copy pirated software or music, like a compromised Napster server.

Backdoor detection:
A basic principle of backdoor detection is to find distinctive features indicative of the activity of interest, be it general interactive access or use of a specific protocol such as SSH. These features include specific contents in the header data, packet size, packet transmission rate and timing structure. The paper concentrates on the timing structure and exploits the inter-arrival timing of user keystrokes.

Backdoor Detection Tradeoffs:
• Open vs. evasive attackers: detection is more difficult if the intruder makes a conscious extra effort to avoid being detected. The detection algorithm does not aim to detect all attackers; the goal is to make the attacker's job harder. It is more like an "arms race".
• Passive vs. active monitoring: passive monitoring has the advantage of not affecting normal network operations. Active monitoring might actually find out who is attacking, but it may also tip off the attacker that he is being probed.
• Content vs. timing: scanning and analyzing every byte of the stream can be expensive and CPU intensive, and encryption defeats content monitoring. Timing is not affected by encryption, but it can be distorted by clock skew, propagation delay and packet loss.

Backdoor Detection Tradeoffs: (filtering)
• Filtering: filtering is the most important aspect of backdoor monitoring. It weeds out data that is not relevant to the monitor. Unfortunately, once filtered out, data is unrecoverable.
  Packet size – capture only small packets (keystroke packets).
  Directionality – keep packets sent by the client; filter to just inbound connections. Direction cannot be established if the stream was already open before monitoring started.
  Packet content – filter using the packet header; for example, SSH or Telnet have specific header values.

Backdoor Detection Tradeoffs:
• Accuracy: false positive – a non-backdoor connection flagged as a backdoor. False negative – a backdoor connection that the monitor fails to detect.
• Responsiveness: how long does it take a monitor to detect a backdoor after the backdoor connection starts? Most detection algorithms depend on the system administrator to act upon detection. Detecting a backdoor early is good, but waiting longer might give us more information. How do we decide when to react?

General backdoor detection algorithm
• Exploiting connection directionality – an interactive connection is most likely initiated by the client, so only keystrokes originating from the client side are observed. When the initiator is unknown, both directions need to be monitored.
• Exploiting packet length characteristics – keystroke packets are generally small, even when sent in line mode. In an analysis of Internet traffic of 2.1 million Telnet and Rlogin data packets, 79% carried a single byte, 97% carried 3 bytes or less and 99.7% carried 20 bytes or less. Of 150K SSH client data packets, 28% had packet length 20 or less.

General backdoor detection algorithm
• Frequency of small packets – a metric measuring how frequently small packets occur. Packets that did not meet the criteria (including packets that were too small) were dropped; only packets whose inter-arrival time fell between 10 ms and 2 s were evaluated.
• Real-time or off-line analysis – with real-time analysis, filtering has to be performed so that only certain packets are analyzed. With off-line analysis, the backdoor connection can still be evaluated even after the attacker has left the system.
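As an added illustration (not code from the paper or these slides), the following Python applies the size and timing filter just described to one connection's packets; the 20-byte payload cut and the 10 ms to 2 s inter-arrival window come from the slides, while the decision thresholds, the `Packet` record and the sample traces are assumptions constructed here.

```python
# Added example, not from the paper or the slides: the size/timing filter the
# slides describe for spotting interactive (keystroke) traffic in one
# connection. The 20-byte payload cut and the 10 ms - 2 s inter-arrival window
# come from the slides; the decision thresholds below are assumptions.
from dataclasses import dataclass

SMALL_PAYLOAD = 20              # bytes; slides: 99.7% of keystroke packets <= 20
MIN_GAP, MAX_GAP = 0.010, 2.0   # seconds; inter-arrival window from the slides

@dataclass
class Packet:
    ts: float          # capture time in seconds
    from_client: bool  # directionality: only client-originated packets are scored
    payload: int       # payload length in bytes

def keystroke_stats(pkts):
    """Return (small_fraction, gap_fraction, n_client) for one connection.

    small_fraction: share of client data packets with payload <= SMALL_PAYLOAD.
    gap_fraction:   share of gaps between consecutive small client packets
                    that fall inside [MIN_GAP, MAX_GAP].
    """
    client = [p for p in pkts if p.from_client and p.payload > 0]
    small = [p for p in client if p.payload <= SMALL_PAYLOAD]
    if not client:
        return 0.0, 0.0, 0
    gaps = [b.ts - a.ts for a, b in zip(small, small[1:])]
    in_window = [g for g in gaps if MIN_GAP <= g <= MAX_GAP]
    gap_frac = len(in_window) / len(gaps) if gaps else 0.0
    return len(small) / len(client), gap_frac, len(client)

def looks_interactive(pkts, min_packets=8, min_small=0.5, min_gap=0.5):
    """Flag a connection when enough client packets were seen, most are
    keystroke-sized and most inter-arrival gaps look like human typing."""
    small_frac, gap_frac, n = keystroke_stats(pkts)
    return n >= min_packets and small_frac >= min_small and gap_frac >= min_gap

# Constructed traces, not real captures.
# Shell session: one-byte keystrokes 80 ms - 1.2 s apart, each echoed back.
typing, t = [], 0.0
for gap in [0.08, 0.15, 0.30, 0.12, 0.60, 0.09, 0.25, 0.40, 1.20, 0.11]:
    t += gap
    typing.append(Packet(t, True, 1))
    typing.append(Packet(t + 0.002, False, 1))   # server echo, not scored
# Bulk upload: full-size segments back to back.
upload = [Packet(0.001 * i, True, 1448) for i in range(10)]
# Machine-driven heartbeat: small packets, but 30 s apart (outside the window).
heartbeat = [Packet(30.0 * i, True, 8) for i in range(10)]
```

The heartbeat trace shows why the inter-arrival window matters: its packets are keystroke-sized, yet the gaps alone rule it out.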
Conclusion
• Interactive traffic has characteristics (packet size and frequency) that differ from most machine-driven traffic, so it is possible to search efficiently for interactive traffic.
• Findings – there are large numbers of legitimate backdoor connections on a network.
• These algorithms were successfully implemented in the Bro intrusion detection system.
• Future work – to be able to discard the entire packet stream if it detects a stateless packet.
Detecting Stepping Stones
Intruders often assemble a collection of accounts on compromised hosts and then, when conducting a new attack, log in through a series of these hosts before finally assaulting the target.

Benefits of detecting stepping stones:
• To flag suspicious activity.
• To maintain logs in case a break-in is subsequently detected as having come from the local site.
• To detect inside attackers laundering their connections through external hosts.
• To enforce policies regarding transit traffic.

[Figure: an attacker reaching the target through a chain of compromised hosts (Host 1 to Host 6); the connections into and out of an intermediate host form a stepping stone connection pair.]

Stepping stone:
• How do we know if two connections are a stepping-stone connection pair? Their traffic timing patterns are highly correlated.
• Content-based detection – if the attacker is running multiple programs, the content does not correlate with the target connection. If the data is encrypted, monitoring content is useless.

Stepping Stone tradeoffs:
• Direct vs. indirect – finding a direct pair (host1 → host2 → host3) is easier than an indirect one (host1 → host2 → … → host3 → host4).
• Real time vs. off-line – in real time, the system administrator can do something before the connection ends, and the monitored data does not need to be stored.
• Passive vs. active monitoring – passive monitoring has the advantage of not affecting normal network operations. Active monitoring might actually find out who is attacking, but it may also tip off the attacker that he is being probed. Active monitoring also has the advantage that if the monitor thinks it has found a stepping stone, it can delay the source connection and observe the effect at the target end; this gives a reliable reason to believe the connection is a stepping stone pair.

Stepping Stone tradeoffs: (filtering)
• Filtering – filtering is the most important aspect of stepping stone detection. It weeds out data that is not relevant to the monitor. Unfortunately, once filtered out, data is unrecoverable.
  Keep only small packets.
  Remove connection pairs sharing the same port on the same host.
  Remove connection pairs with inconsistent direction.
  Remove connection pairs with inconsistent timing.

Stepping Stone tradeoffs:
• Traffic pattern – timing of the packets. By evaluating the ON/OFF periods at both ends, we can correlate the connection pair.
• Accuracy – false positive: a non-stepping-stone connection pair flagged as a pair. False negative: a stepping stone connection pair that the monitor fails to detect.
• Responsiveness: how long does it take a monitor to detect a backdoor after the backdoor connection starts? Most detection algorithms depend on the system administrator to act upon detection. Detecting a backdoor early is good, but waiting longer might give us more information. How do we decide when to react?
• Open vs. evasive attackers: same as paper 1.

Detecting attackers:
• It is not possible to catch everybody all the time.
• The goal of this detection is to make it extremely difficult for the attacker to do his/her job.

Stepping stone algorithm:
• Studies have shown that 25% of keystroke packets arrive 500 ms or more apart, 15% arrive 1 s or more apart, and 1.6% arrive 10 s or more apart.
• Most machine-driven packets have fewer OFF periods than interactive operations.
• The algorithm correlates the timing of the OFF periods between the two ends.
• To further improve accuracy, the frequency of coincidences in matching keystroke times is calculated.
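As an added illustration (not the paper's code), this Python correlates the OFF periods of two connections the way the slides describe; the 500 ms idle threshold follows the slides, while the 80 ms coincidence window, the decision thresholds and the sample timestamps are assumptions constructed here.

```python
# Added example, not from the paper or the slides: correlating the OFF periods
# of two connections as the slides describe for stepping stone detection. The
# 500 ms idle threshold follows the slides; the coincidence window and the
# decision thresholds are assumptions chosen here.
IDLE = 0.5    # seconds with no packet = an OFF period (from the slides)
DELTA = 0.08  # ON transitions closer than this coincide (assumption)

def on_transitions(timestamps):
    """Times at which a connection goes OFF -> ON: the timestamp of every
    packet that follows an idle gap of at least IDLE seconds."""
    ts = sorted(timestamps)
    return [b for a, b in zip(ts, ts[1:]) if b - a >= IDLE]

def coincidences(trans_a, trans_b):
    """Count ON transitions of A matched by one of B within DELTA.
    Both lists are sorted; each B transition is consumed at most once."""
    i = j = hits = 0
    while i < len(trans_a) and j < len(trans_b):
        d = trans_b[j] - trans_a[i]
        if abs(d) <= DELTA:
            hits += 1
            i += 1
            j += 1
        elif d > 0:
            i += 1   # A's transition is earlier and unmatched; advance A
        else:
            j += 1   # B's transition is earlier and unmatched; advance B
    return hits

def correlation(ts_a, ts_b):
    """Share of the sparser connection's ON transitions matched in the other."""
    ta, tb = on_transitions(ts_a), on_transitions(ts_b)
    if not ta or not tb:
        return 0.0
    return coincidences(ta, tb) / min(len(ta), len(tb))

def is_stepping_stone_pair(ts_a, ts_b, min_transitions=3, min_corr=0.6):
    """Decide the pair only when there are enough OFF periods to judge by."""
    ta, tb = on_transitions(ts_a), on_transitions(ts_b)
    return (min(len(ta), len(tb)) >= min_transitions
            and correlation(ts_a, ts_b) >= min_corr)

# Constructed packet timestamps, not captures: an inbound connection and the
# outbound connection it is relayed onto with ~20 ms of forwarding latency,
# plus an unrelated connection whose pauses fall at different times.
inbound = [0.0, 0.2, 0.3, 1.5, 1.6, 3.0, 3.1, 3.15, 5.0, 5.2, 8.0]
outbound = [t + 0.02 for t in inbound]
unrelated = [0.1, 0.4, 2.2, 2.3, 4.1, 4.2, 6.6, 6.7, 9.9]
```

Requiring a minimum number of OFF periods before deciding is what keeps very short connections (one of the false-negative sources listed below) from being judged on one or two coincidences.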
Avoiding stepping stone detection:
An attacker can purposely generate long delays from his machine to evade detection. The telnet program can be configured to generate fixed-length null packets between data packets.

False negatives:
• Excessively short stepping stones.
• Message broadcasts like "talk" and "wall" by Unix utilities.
• Phase shift of periodic traffic.
• High latency on the connection; for example, a slow modem.

Conclusion
• The stepping stone algorithm depends on first isolating candidate hosts and then correlating the connection pair.
• The paper does not say how it detects the hosts or under what criteria a host is a candidate for monitoring.
• More work is needed in analyzing stepping stone connection pairs, mainly because of the many false positives produced by this detection method.
Anonymous Connection and Onion Routing
• Definition: onion routing is an infrastructure for private communication over a public network. The onion routing network allows the connection between the initiator and responder to remain anonymous. It provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis.

Anonymous Connection and Onion Routing
The purpose of traffic analysis is to determine who is talking to whom. An anonymous connection is designed to be resistant to traffic analysis, i.e., to make it difficult for observers to learn identifying information from the connection (reading packet headers, tracking encrypted payloads, etc.). Onion Routing provides bi-directional, near real-time communication.
Onion Routing Overview
[Diagram, built up over several slides: Application → Application proxy → socket call → Onion Proxy → Entry funnel → Onion Router → Onion Router → Onion Router → Exit Funnel → Application Server. Data enters at the application and is delivered to the application server.]
Configuration
• Firewall configuration: onion routers sit on the firewall and pass data to a known onion router outside the network via a permanent connection. The application proxy and onion proxy reside behind the firewall.
• Remote proxy configuration: the initiator makes an encrypted connection to a remote onion proxy, and from then on it works as though he were behind a firewall. Network monitors can detect when a connection is initiated and terminated.

Configuration
• Customer-ISP configuration: the ISP runs an onion router and has dedicated links to other onion routers. The ISP becomes a common carrier without knowing what contents pass through the layered encrypted structure. A long-standing connection to the entry funnel onion router makes it even more difficult to tell when the initiator is actually sending data.
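To make the layered encrypted structure concrete, here is an added toy model in Python (not the paper's construction or code): the onion proxy wraps the payload once per router and each router peels only its own layer, learning just the next hop. The router names, keys, JSON layer format and the SHA-256 XOR keystream cipher are all assumptions chosen for this stand-alone demo.

```python
# Added example, not the paper's construction or code: a toy model of the
# layered encrypted structure the slides describe. The onion proxy wraps the
# payload in one layer per onion router on the route; each router can strip
# only its own layer and learns just the next hop. The cipher is a SHA-256
# XOR keystream chosen here so the demo needs only the standard library; it is
# not the paper's cipher and is not meant for real use.
import hashlib
import json

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter-mode keystream."""
    stream, block = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def build_onion(route, keys, payload: bytes) -> bytes:
    """Wrap payload for the router path `route`, innermost layer first.
    The layer for route[i] reveals only route[i+1] and the next layer."""
    onion = payload
    for i in reversed(range(len(route))):
        next_hop = route[i + 1] if i + 1 < len(route) else "exit"
        layer = json.dumps({"next": next_hop, "inner": onion.hex()}).encode()
        onion = xor_stream(keys[route[i]], layer)
    return onion

def peel(router, keys, onion: bytes):
    """Router strips its own layer: returns (next_hop, remaining_onion).
    With the wrong key the layer does not parse (ValueError)."""
    layer = json.loads(xor_stream(keys[router], onion))
    return layer["next"], bytes.fromhex(layer["inner"])

def traverse(route, keys, onion: bytes):
    """Hand the onion along the route as the entry funnel would; returns what
    each router learned (its own id, next hop) and the payload at the exit."""
    learned = []
    for router in route:
        next_hop, onion = peel(router, keys, onion)
        learned.append((router, next_hop))
    return learned, onion

# Constructed demo keys and route (placeholders, not real onion routers).
KEYS = {"OR1": b"demo-key-1", "OR2": b"demo-key-2", "OR3": b"demo-key-3"}
ROUTE = ["OR1", "OR2", "OR3"]
```

Note what each router learns in `traverse`: its predecessor hands it an opaque blob, and after peeling it sees only the next hop and another opaque blob, which is the property that makes the per-hop encryption cost mentioned in the conclusion worth paying.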
Applications
• VPN
• Anonymous chatting
• Anonymous cash
• Remote login
• Web browsing
• Electronic mail

Conclusion
• An anonymous connection is resistant to both eavesdropping and traffic analysis. It separates the anonymity of the connection from the anonymity of communication over that connection.
• Can easily be ported to other applications by using an application proxy.
• Expensive if encryption is performed at each router hop.
• Network routers must cooperate by installing an onion router and maintaining a permanent connection to another onion router.
Transport and Application Protocol Scrubbing

Scrubbing:
• Attackers use ambiguities in network protocol implementations to deceive network intrusion detection (NID) systems.
• Most NID systems are passive; the response to a notification may not be quick enough to avoid an attack on an infrastructure.
• The scrubbing method avoids both of these limitations.

Scrubbing:
• Application scrubber – allows the creation of an active, interposed NID that can be used to modify important network protocols in real time, giving real-time response.
• Transport scrubber – converts ambiguous network flows into well-behaved flows that are interpreted identically by all downstream endpoints.

Scrubbing:
• The role of the transport scrubber is to pick one interpretation of the protocol and convert incoming flows into a single representation that all endpoints will interpret the same way.
• An application scrubber is used to protect highly sensitive flows, such as infrastructure control protocols. It is a fail-closed, interposed application.
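As an added illustration (not the paper's FreeBSD implementation), this Python shows the transport scrubber's job on one ambiguity, overlapping TCP segments that carry conflicting data: the scrubber commits to a single interpretation and forwards only in-order, non-overlapping bytes. The first-seen-wins policy, the function names and the sample segments are assumptions constructed here.

```python
# Added example, not the paper's FreeBSD implementation: the core job of the
# transport scrubber the slides describe, shown on one TCP ambiguity, namely
# overlapping segments that carry different data for the same sequence range.
# Endpoints differ in whether old or new bytes win; the scrubber commits to one
# interpretation (first byte seen wins, an assumption chosen here) and forwards
# only in-order, non-overlapping data, so the NID and every downstream endpoint
# reconstruct the same stream.

def scrub_stream(isn, segments):
    """Normalize one direction of a TCP byte stream.

    segments: iterable of (seq, data) in arrival order, seq being the absolute
    sequence number of data[0]. Returns the (seq, data) segments forwarded
    downstream: contiguous from isn, never overlapping, each byte holding the
    value first seen for its sequence number.
    """
    decided = {}     # seq -> byte value; first writer wins, later ones ignored
    next_seq = isn   # lowest sequence number not yet forwarded
    forwarded = []
    for seq, data in segments:
        for offset, value in enumerate(data):
            pos = seq + offset
            if pos >= next_seq:          # bytes already forwarded are final
                decided.setdefault(pos, value)
        # forward the run that is now contiguous from next_seq, if any
        run = bytearray()
        while next_seq in decided:
            run.append(decided.pop(next_seq))
            next_seq += 1
        if run:
            forwarded.append((next_seq - len(run), bytes(run)))
    return forwarded

def reassemble(segments):
    """The byte stream an endpoint sees after the scrubber: plain concatenation,
    since forwarded segments are already in order and overlap-free."""
    return b"".join(data for _, data in segments)

# Constructed ambiguous flow, not a capture. Segment 2 retransmits bytes
# 1004-1013 with different contents; segment 3 arrives before the byte at 1015.
ISN = 1000
AMBIGUOUS = [
    (1000, b"GET /index.html"),   # seq 1000-1014
    (1004, b"/other.htm"),        # overlaps 1004-1013 with conflicting data
    (1016, b"HTTP/1.0\r\n"),      # out of order: 1015 has not been seen yet
    (1015, b" "),                 # fills the hole; 1015-1025 can now go out
]
```

Whatever policy a downstream host would have applied to the conflicting retransmission no longer matters, because it never sees the overlap: the NID and the endpoint are guaranteed to reassemble the same bytes.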
Contribution:
• Identification of transport scrubbing – creation of well-behaved flows.
• Design and implementation of a TCP/IP scrubber – current implementation on a modified FreeBSD kernel.
• Creation of a transparent application-level protocol scrubbing mechanism – supports flexible, transparent application protocol scrubbers that can modify application-level flows in real time.

Conclusion:
• An active device, compared to NID, which is passive.
• Works as a complement to a passive detection system.
• Avoids ambiguities at the protocol level.
• Not an application proxy.

Future work
• Incorporate zero-copy techniques into the TCP/IP scrubber.
• Handling high-speed networking – 1 Gbps and beyond.
• Application scrubbing for more routing protocols such as BGP and OSPF.