Intrusion Detection Research Stephen Huang Sept. 20, 2013
News • http://arstechnica.com/security/2013/09/meet-hidden-lynx-the-most-elite-hacker-crew-youve-never-heard-of/
Jobs • http://www.homelandsecuritynewswire.com/dr20130809-cybersecurity-jobs-average-over-100-000-a-year
Intrusion Detection Research • Objective: to protect the infrastructure and the integrity of computer systems and their data. • Assumptions: • The hacker is able to establish a connection session to the victim machine. • Packets are exchanged between the originating source and the victim. • The data may be encrypted.
Attack (diagram): Attacker → Victim
Stepping-Stone Attack (diagram): Attacker → Stepping-Stone → Victim
Our Strategy (diagram): Attacker → Stepping-Stone → Victim
Our Solutions 1 & 2 • Refuse to be a stepping-stone: identify when this host is being used as a stepping-stone (Stepping-Stone Detection). • Detect long downstream connection chains. • Compare the incoming and outgoing packet streams for similarity.
Long Connection Chain Detection • Match each send packet to its echo packet and compute the round-trip time (RTT); every extra hop downstream adds its own delay, so a long chain shows up as an inflated RTT.
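The send/echo matching above, worked through on constructed keystroke timelines. This is an added example and not the deck's own code; it assumes each keystroke packet receives exactly one echo, that echoes come back in send order, and that the 0.5 s decision threshold is a placeholder to be calibrated against the monitored host's normal sessions.

```python
"""Added example, not code from the slides: match send packets to their echo
packets on an interactive session (SSH-style keystroke/echo) and use the RTT as
the long-connection-chain signal.  Assumptions: each keystroke packet gets one
echo, echoes arrive in send order, and the 0.5 s threshold is a placeholder that
would have to be calibrated on the monitored host's normal sessions."""
from statistics import median


def match_send_echo(send_times, echo_times):
    """Pair each send with the first unpaired echo that arrives after it.
    Returns a list of (send_time, echo_time); sends left without an echo at
    the end of the capture are dropped."""
    pairs = []
    j = 0
    for s in send_times:
        while j < len(echo_times) and echo_times[j] <= s:
            j += 1  # echoes that predate this send cannot belong to it
        if j == len(echo_times):
            break
        pairs.append((s, echo_times[j]))
        j += 1
    return pairs


def rtts(send_times, echo_times):
    """Per-keystroke round-trip times from the matched pairs."""
    return [e - s for s, e in match_send_echo(send_times, echo_times)]


def median_rtt(send_times, echo_times):
    """Median RTT of the session, or None when nothing could be matched."""
    r = rtts(send_times, echo_times)
    return median(r) if r else None


def looks_like_long_chain(send_times, echo_times, rtt_threshold=0.5):
    """Hypothetical decision rule: a median RTT above rtt_threshold seconds
    means the downstream chain is long enough to refuse to relay."""
    m = median_rtt(send_times, echo_times)
    return m is not None and m > rtt_threshold


def echoes_through_chain(send_times, hop_rtts):
    """Constructed echo timeline: every hop on the chain adds its own RTT
    before the echo comes back (no queueing or jitter modelled)."""
    total = sum(hop_rtts)
    return [s + total for s in send_times]


# Constructed keystroke timeline (seconds) of one interactive session.
SENDS = [0.00, 0.25, 0.60, 1.10, 1.30]
# Direct session: a single 40 ms hop.
DIRECT_ECHOES = echoes_through_chain(SENDS, [0.04])
# The same keystrokes relayed over a four-hop chain (40 + 300 + 250 + 120 ms).
CHAIN_ECHOES = echoes_through_chain(SENDS, [0.04, 0.30, 0.25, 0.12])

if __name__ == "__main__":
    for name, echoes in (("direct", DIRECT_ECHOES), ("4-hop chain", CHAIN_ECHOES)):
        print(f"{name}: median RTT {median_rtt(SENDS, echoes):.3f}s, "
              f"long chain = {looks_like_long_chain(SENDS, echoes)}")
```

On a real capture the echo of a keystroke is identified by direction and size rather than by position alone, and the threshold has to come from the site's own baseline; the in-order pairing here is the part that carries over unchanged.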
Victim Host Protection (diagram): Attacker → Connection Chain → Visible Hosts → Victim
Solution 3 • Refuse to be a victim: identify when this host is being attacked through a stepping-stone chain. • Examine the behavior of long connection chains.
Challenges • Intruder's evasion techniques: • Chaffing • Time jittering • New technology: • TOR
Evasion Attack, correlation-based approach (diagram): streams S1 and S2 → Correlation Decision → Y: Stepping-Stone / N: Normal
Evasion Attack, correlation-based approach with chaff (diagram): S1, chaffed? → Correlation Decision with S2 → Y: Stepping-Stone / N: Normal
Solution 4 • If a traffic stream is jittered or chaffed enough to break the correlation, the pattern of its packets becomes different from the norm, and that departure from the norm can itself be detected.
Countering the Evasion (diagram): attack stream S1 → Chaff Detection Decision → Y: chaff detected / N: → Correlation Decision with S2 → Y: Stepping-Stone / N: Normal
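The three pieces of the flow above in one runnable example: the incoming/outgoing stream comparison from the Solutions 1 & 2 slide, the chaff and jitter evasions from the Evasion Attack slides, and a chaff check placed in front of the correlation decision as in the Countering the Evasion flow. This is added code, not the deck's own; the streams are constructed keystroke timelines, and the 50 ms forwarding window, the 0.8 correlation threshold and the 30 ms "no human types faster than this" gap are assumptions that would need calibrating on real traffic.

```python
"""Added example, not the deck's own code: a correlation-based stepping-stone
check over packet timestamps, the chaff evasion that defeats it, and a chaff
pre-check placed in front of the correlation decision (Solution 4).  Streams
are constructed keystroke timelines in seconds; the 50 ms forwarding window,
the 0.8 correlation threshold and the 30 ms minimum keystroke gap are
assumptions to calibrate."""


def match_streams(incoming, outgoing, max_delay):
    """Pair each incoming packet with the first unpaired outgoing packet that
    follows it within max_delay seconds (a relayed keystroke leaves the host
    almost immediately).  Both lists must be sorted."""
    pairs = []
    j = 0
    for t_in in incoming:
        while j < len(outgoing) and outgoing[j] <= t_in:
            j += 1
        if j < len(outgoing) and outgoing[j] - t_in <= max_delay:
            pairs.append((t_in, outgoing[j]))
            j += 1
    return pairs


def correlation_score(incoming, outgoing, max_delay=0.05):
    """Fraction of packets that pair up; 1.0 means every incoming packet has a
    matching outgoing packet and nothing is left over on either side."""
    if not incoming or not outgoing:
        return 0.0
    pairs = match_streams(incoming, outgoing, max_delay)
    return len(pairs) / max(len(incoming), len(outgoing))


def forward(incoming, hop_delay):
    """Outgoing stream of a stepping-stone that relays each packet after hop_delay."""
    return [t + hop_delay for t in incoming]


def add_chaff(stream, chaff_times):
    """Evasion: the intruder injects meaningless extra packets into the relayed
    stream so the in/out packet counts no longer line up."""
    return sorted(stream + chaff_times)


def add_jitter(stream, offsets):
    """Evasion: hold each relayed packet for an extra, varying delay."""
    return sorted(t + d for t, d in zip(stream, offsets))


def chaff_suspected(stream, min_gap=0.03, max_fast_fraction=0.2):
    """Hypothetical norm for interactive traffic: keystrokes rarely arrive less
    than min_gap apart, so a stream with many sub-gap arrivals is flagged."""
    gaps = [b - a for a, b in zip(stream, stream[1:])]
    if not gaps:
        return False
    fast = sum(1 for g in gaps if g < min_gap)
    return fast / len(gaps) > max_fast_fraction


def classify(incoming, outgoing, corr_threshold=0.8):
    """Chaff detection first, then the correlation decision."""
    if chaff_suspected(outgoing):
        return "chaff-detected"
    if correlation_score(incoming, outgoing) >= corr_threshold:
        return "stepping-stone"
    return "normal"


# Constructed keystroke arrivals at the monitored host (seconds).
INCOMING = [0.00, 0.21, 0.45, 0.80, 1.02, 1.33, 1.60, 1.95]
# Unrelated outgoing traffic of a host that is not relaying anything.
NORMAL_OUTGOING = [0.10, 0.70, 1.50, 2.40]
# Twelve chaff packets in short bursts, merged into the relayed stream.
CHAFF = [0.05, 0.06, 0.07, 0.30, 0.31, 0.32, 0.60, 0.61, 0.62, 1.10, 1.11, 1.12]
# Per-packet extra delays used for the jitter evasion.
JITTER = [0.00, 0.08, 0.00, 0.09, 0.07, 0.00, 0.10, 0.06]

if __name__ == "__main__":
    relayed = forward(INCOMING, 0.01)
    for label, out in (("relayed", relayed), ("normal host", NORMAL_OUTGOING),
                       ("chaffed", add_chaff(relayed, CHAFF)),
                       ("jittered", add_jitter(relayed, JITTER))):
        print(f"{label:12s} score={correlation_score(INCOMING, out):.3f} "
              f"-> {classify(INCOMING, out)}")
```

The chaffed stream drops the correlation score from 1.0 to 0.4 and would be waved through as normal by the correlation decision alone; the gap check in front of it catches the bursts of injected packets. The jittered stream also falls below the threshold and is not caught by this particular check, which only looks for chaff: a jitter norm (for example the inflated and widely spread delays it produces) would have to be added in the same position in the flow.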
TOR • TOR (The Onion Router) is a network of virtual tunnels that allows people to improve their privacy and security on the Internet. • Anonymity Online.
Issues • Users have an anonymous way to connect to a host. • So do the hackers, and it is more convenient for them. • Can we detect when a user is trying to sign on to our server by going through TOR? • There may be legitimate reasons to do so, but it is certainly suspicious.
Typical TCP Connection (sequence, client ↔ server): • SYN → • ← SYN-ACK • ACK → • HTTP GET →
TOR HTTP Connection (sequence, client ↔ TOR circuit ↔ server): • client → circuit: begin {relay} • exit → server: SYN • server → exit: SYN-ACK • exit → server: ACK • circuit → client: connected {relay} • client → circuit: HTTP GET {relay} • exit → server: HTTP GET
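One timing heuristic that follows from the two sequences above, as an added example rather than the deck's method: the server can only see its own side of the exchange, but the relay cells the circuit has to carry before the exit can send the GET leave a measurable gap. The event timelines are constructed, the ratio threshold and minimum gap are assumptions, and the last case shows the false positive a slow direct client produces, which is why the slide treats this as suspicion rather than proof.

```python
"""Added example, not from the slides: a server-side timing heuristic for
spotting a client that arrives through TOR, derived from the two message
sequences on the connection slides.  Connecting directly, the client's HTTP GET
follows its ACK almost immediately.  Through TOR the exit relay completes the
handshake itself, then has to send a CONNECTED cell back down the circuit and
wait for the client's GET cell to come forward before it can send the GET, so
the gap between the ACK and the first request byte is about one circuit round
trip instead of roughly zero.  Timelines are constructed; the ratio threshold
and minimum gap are assumptions."""


def direct_client_timeline(client_rtt, think_time=0.0):
    """Events (time, name) as seen by the server for a direct client."""
    t_synack = 0.0                  # server answers the SYN at once
    t_ack = t_synack + client_rtt   # ACK returns after one client RTT
    t_get = t_ack + think_time      # GET is sent right behind the ACK
    return [(0.0, "SYN"), (t_synack, "SYN-ACK"), (t_ack, "ACK"), (t_get, "HTTP GET")]


def tor_client_timeline(exit_rtt, circuit_rtt):
    """Events as seen by the server when a TOR exit relay opens the stream.
    The BEGIN and CONNECTED relay cells never reach the server; their cost is
    the extra delay before the GET."""
    t_synack = 0.0
    t_ack = t_synack + exit_rtt     # handshake is with the exit relay
    t_get = t_ack + circuit_rtt     # CONNECTED back, GET cell forward
    return [(0.0, "SYN"), (t_synack, "SYN-ACK"), (t_ack, "ACK"), (t_get, "HTTP GET")]


def timing_features(events):
    """(handshake_rtt, first_data_gap) from the first occurrence of each event."""
    first = {}
    for t, name in events:
        first.setdefault(name, t)
    handshake_rtt = first["ACK"] - first["SYN-ACK"]
    first_data_gap = first["HTTP GET"] - first["ACK"]
    return handshake_rtt, first_data_gap


def tor_suspected(events, ratio_threshold=5.0, min_gap=0.2):
    """Flag when the pre-request silence is both long in absolute terms and
    many times longer than the handshake RTT measured on the same connection."""
    rtt, gap = timing_features(events)
    if rtt <= 0:
        return False
    return gap >= min_gap and gap / rtt >= ratio_threshold


if __name__ == "__main__":
    for label, events in (
        ("direct client, 40 ms RTT", direct_client_timeline(0.04, think_time=0.002)),
        ("TOR exit 30 ms away, 900 ms circuit", tor_client_timeline(0.03, 0.9)),
        ("direct but slow client", direct_client_timeline(0.04, think_time=0.3)),
    ):
        rtt, gap = timing_features(events)
        print(f"{label}: handshake {rtt*1000:.0f} ms, gap {gap*1000:.0f} ms, "
              f"TOR suspected = {tor_suspected(events)}")
```

The slow direct client is flagged too, so on a real server this signal is worth combining with the published exit-relay address list rather than acting on alone, and the same pattern also arises for any client that does extra work (such as a TLS handshake) between the ACK and the first request.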
Summary • Real-time intrusion detection is critical to protecting the data and integrity of computer systems. • A large percentage of cases can be detected using the methods above. • Intruders have developed techniques to evade detection, and we have to come up with countermeasures.