
DETECTING A CYBER-ATTACK SOURCE IN REAL TIME

R. Romanyak 1), A. Sachenko 1), S. Voznyak 1), G. Connolly 2), G. Markowsky 2)

1) Ternopil Academy of National Economy
2) Department of Computer Science, U. of Maine

The Web Neighborhood Watch Project

• This project seeks to identify websites belonging to dangerous people such as terrorists

• In addition to the artificial intelligence components, there is a need for locating the website in physical space

• At last year's conference, work was presented on using the distributed traceroute approach to help locate computers physically

• Not only is locating computers physically important for the Web Neighborhood Watch Project, but for dealing with cyber-attacks in general

• Current methods for tracking Internet-based attacks are primitive.

• It is almost impossible to trace sophisticated attacks using current tools.

Locating Computers in Physical Space

[Figure: "Attack Sophistication and Intruder Technical Knowledge", plotted over the years 1980, 1986, 1992, 1998 and 2004 on a Low-to-High scale, with two curves (Intruder Knowledge, Attack Sophistication) and Intruders/Tools markers. Milestones labelled along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, staged, auto coordinated, cross site scripting.]

Techniques for Physically Locating Computers

• Whois

• Traceroute

• Distributed Traceroute

• Time Delay Method (new)

Whois Limitations

• Whois contains information about top-level domains only

• Distributed databases are not always connected

Traceroute Limitations

• It does not take advantage of the fact that there typically exist several different paths to the target computer

• Executing a single trace from a single location tends to produce results that are geographically insufficient

Distributed Traceroute Limitations

• The results are not always as accurate as one would want

• This approach cannot be applied when the attacker uses intermediate hosts with software redirectors to make a cyber-attack

Time Delay Method (new)

• Based on the concept that the most recent computer from which the attack was received was either:
  – a) The actual attacking computer
  – b) An intermediate host being used with redirection software

• Choosing between a) and b) is based on comparing the time delay between the attacking computer (AC) and the victim computer (VC) to the most recent time delay

A Cyber-attack using Redirectors

T_total = t_1 + t_2 + t_3 + … + t_n + t_{n+1},

t_i - the time delay of the i-th link

[Figure: the attack chain Attacking Computer → Redirector 1 → Redirector 2 → … → Redirector n → Victim Computer, with link delays t_1 (Attacking Computer to Redirector 1), t_2, t_3, …, t_n, and t_{n+1} (Redirector n to Victim Computer).]
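An added worked example, not code from the slides or the authors, that models the two slides above: the chain formula T_total = t_1 + … + t_{n+1}, and the choice between (a) the attacking computer and (b) a redirector by comparing the end-to-end delay of the attack traffic with the delay the victim measures directly to the most recent host. The delay values are constructed (in microseconds, on the same scale as the charts that follow), the ratio threshold is an assumption, and so is the way the victim obtains end-to-end delays (assumed here: timing of the attack session's own request/response exchanges).

```python
# Added example, not code from the slides: a small model of the Time Delay
# Method. The victim (VC) compares the end-to-end delay of the attack traffic
# with the delay it measures directly to the most recent host the traffic
# arrived from. If the direct delay accounts for almost all of the end-to-end
# delay, the last hop is the attacking computer itself; a large unexplained
# remainder means further links (redirectors) sit behind it.
# All delay values are constructed, in microseconds; the ratio threshold is
# an assumption, not a figure from the authors.
from statistics import median


def chain_delay(link_delays_us):
    """T_total = t_1 + t_2 + ... + t_n + t_{n+1}: total delay over the chain
    Attacking Computer -> Redirector 1 -> ... -> Redirector n -> Victim."""
    return sum(link_delays_us)


def classify_last_hop(attack_delays_us, direct_delay_us, ratio_threshold=2.0):
    """Decide whether the most recent host is (a) the attacking computer or
    (b) a redirector.

    attack_delays_us: per-packet end-to-end delays observed on the attack
        traffic (assumed obtainable by the victim, e.g. from request/response
        timing of the attack session).
    direct_delay_us:  delay measured by the victim directly to the host the
        traffic arrived from (the most recent time delay, t_{n+1}).
    """
    observed = median(attack_delays_us)      # robust against single outliers
    hidden = observed - direct_delay_us      # estimate of t_1 + ... + t_n
    ratio = observed / direct_delay_us
    verdict = "redirector" if ratio >= ratio_threshold else "attacking computer"
    return {"verdict": verdict, "observed_us": observed,
            "hidden_us": max(hidden, 0.0), "ratio": ratio}


# Constructed sample 1: direct connection, no intermediate hosts.
DIRECT_ATTACK_DELAYS = [2.9e5, 3.1e5, 3.0e5, 3.3e5, 2.8e5, 3.0e5, 3.2e5]
DIRECT_LAST_HOP_DELAY = 2.8e5

# Constructed sample 2: the same source reached through one redirector, so the
# end-to-end delay carries an extra link that the victim cannot see directly.
REDIRECTED_ATTACK_DELAYS = [2.4e6, 2.6e6, 2.5e6, 2.9e6, 2.3e6, 2.5e6, 2.7e6]
REDIRECTOR_LAST_HOP_DELAY = 4.0e5


if __name__ == "__main__":
    for label, delays, last_hop in (
        ("direct", DIRECT_ATTACK_DELAYS, DIRECT_LAST_HOP_DELAY),
        ("via redirector", REDIRECTED_ATTACK_DELAYS, REDIRECTOR_LAST_HOP_DELAY),
    ):
        r = classify_last_hop(delays, last_hop)
        print(f"{label:15s} observed={r['observed_us']:.0f}us "
              f"hidden={r['hidden_us']:.0f}us ratio={r['ratio']:.2f} "
              f"-> {r['verdict']}")
```

The median rather than the mean is used because per-packet delays on a real link are noisy (the charts below show single packets far above the rest); the `hidden_us` value is the part of T_total that the direct measurement does not explain, which is the quantity the slides attribute to the links before the last redirector.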

Experimental Results

• The following servers were used:
  – TANE (Ternopil Academy of the National Economy, Ukraine, 217.196.166.105)
  – Kiel University (Germany, 134.245.52.122)
  – HTTL (Home To good service and Technology Ltd, London, England, 217.34.204.1)

Direct connection

[Chart: Time Delays From HTTL to TANE. X axis: IP-packets 1 to 27; y axis: time delays, μs, scale 0.00E+00 to 1.00E+06.]

[Chart: Time Delays from TANE to HTTL. X axis: IP-packets 1 to 27; y axis: time delays, μs, scale 0.00E+00 to 1.00E+06.]

Connection using redirector

[Chart: Time Delays from HTTL to TANE using Kiel-redirector. X axis: IP-packets 1 to 27; y axis: time delays, μs, scale 0.00E+00 to 1.00E+07.]

Conclusion

• The Time Delay Method has the ability to locate a remote computer in real time based on delays in IP packet travel

• The Time Delay Method can also be used to analyze the nature of the links involved in the attack chain

Contact Information

Roman Romanyak: rrm@tanet.edu.te.ua

Anatoly Sachenko: as@tanet.edu.te.ua

Serhiy Voznyak: sv@tanet.edu.te.ua

Gene Connolly: gene@einakabob.com

George Markowsky: markov@umcs.maine.edu