DETECTING A CYBER-ATTACK SOURCE IN REAL TIME

R. Romanyak 1), A. Sachenko 1), S. Voznyak 1), G. Connolly 2), G. Markowsky 2)

1) Ternopil Academy of National Economy
2) Department of Computer Science, U. of Maine

The Web Neighborhood Watch Project

• This project seeks to identify websites belonging to dangerous people such as terrorists

• In addition to the artificial intelligence components, there is a need for locating the website in physical space

• At last year's conference, work was presented on using the distributed traceroute approach to help locate computers physically

Locating Computers in Physical Space

• Locating computers physically is important not only for the Web Neighborhood Watch Project, but for dealing with cyber-attacks in general

• Current methods for tracking Internet-based attacks are primitive

• It is almost impossible to trace sophisticated attacks using current tools

[Chart: Attack Sophistication and Intruder Technical Knowledge, 1980 to 2004. Two curves, Intruder Knowledge and Attack Sophistication, plotted on a Low-to-High scale, with an "Intruders" label. Milestones along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, Tools, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, Staged, Auto Coordinated, cross site scripting]

Techniques for Physically Locating Computers

• Whois

• Traceroute

• Distributed Traceroute

• Time Delay Method (new)

Whois Limitations

• Whois contains information about top-level domains only

• Distributed databases are not always connected

Traceroute Limitations

• It does not take advantage of the fact that there typically exist several different paths to the target computer

• Executing a single trace from a single location tends to produce results that are geographically insufficient

Distributed Traceroute Limitations

• The results are not always as accurate as one would want

• This approach cannot be applied when the attacker uses intermediate hosts with software redirectors to make a cyber-attack

Time Delay Method (new)

• Based on the concept that the most recent computer from which the attack was received was either:
  – a) The actual attacking computer
  – b) An intermediate host being used with redirection software

• Choosing between a) and b) is based on comparing the time delay between the attacking computer (AC) and the victim computer (VC) to the most recent time delay

A Cyber-attack using Redirectors

Attacking Computer --t1--> Redirector 1 --t2--> Redirector 2 --t3--> … --tn--> Redirector n --tn+1--> Victim Computer

Ttotal = t1 + t2 + t3 + … + tn + tn+1,

ti - the time delay of the i-th link
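The two slides above give the idea of the method (compare the delay seen on the attack connection with the delay to the host the packets arrive from) and the chain formula Ttotal = t1 + … + tn+1. The following Python is an added illustration, not code from the authors or the paper. It assumes a victim can sample two things per packet: an end-to-end delay on the attack connection (which spans every link of the chain) and a direct round-trip delay to the most recent host (only the last link, tn+1). The function names, the tolerance threshold and all sample delays are constructed here; the sample magnitudes are only chosen to resemble the scale of the experimental charts (about 1E+06 μs direct, about 1E+07 μs through a redirector).

```python
# Added example (not the authors' code): a toy implementation of the
# time-delay comparison sketched in the slides. All numbers below are
# constructed sample values in microseconds. How a victim samples the two
# delays is an assumption here: the "flow" delay is a request/response time
# measured through the attacking connection, the "peer" delay is the network
# round trip to the host the packets arrive from.
from statistics import median


def chain_delay(link_delays_us):
    """Ttotal = t1 + t2 + ... + tn + tn+1: total delay across a chain of
    n redirectors, i.e. n+1 links (the formula from the slides)."""
    return sum(link_delays_us)


def classify_peer(flow_delays_us, peer_delays_us, tolerance=0.5):
    """Decide whether the host the attack arrives from is (a) the actual
    attacking computer or (b) a redirector.

    flow_delays_us: per-packet delays measured end to end on the attack
                    connection (they span the whole chain, so they include
                    every t_i).
    peer_delays_us: per-packet delays measured directly to the most recent
                    host (only the last link, tn+1).
    tolerance:      fraction of extra delay tolerated as jitter before the
                    peer is called a redirector (assumed value, not from
                    the slides).

    Returns (verdict, hidden_us) where hidden_us estimates the delay of the
    links upstream of the peer (t1 + ... + tn), or 0 for a direct connection.
    Medians are used so that the few heavily delayed packets visible in the
    charts do not dominate the decision.
    """
    flow = median(flow_delays_us)
    peer = median(peer_delays_us)
    if flow > peer * (1.0 + tolerance):
        # Delay not explained by the last link: something sits upstream.
        return "redirector", flow - peer
    return "direct", 0


# Constructed sample: a direct connection, flow and peer delays agree
# (one outlier packet in each series, as in the measured charts).
DIRECT_FLOW_US = [180_000, 210_000, 195_000, 900_000, 200_000, 190_000, 205_000]
DIRECT_PEER_US = [185_000, 200_000, 190_000, 210_000, 195_000, 850_000, 200_000]

# Constructed sample: attack relayed through one redirector. The peer (the
# redirector) is close to the victim, but the flow carries the whole chain.
RELAY_FLOW_US = [2_400_000, 2_600_000, 2_500_000, 9_500_000,
                 2_450_000, 2_550_000, 2_500_000]
RELAY_PEER_US = [300_000, 320_000, 310_000, 305_000,
                 315_000, 1_100_000, 310_000]


def main():
    print("chain delay for links [t1, t2] =",
          chain_delay([2_000_000, 300_000]), "us")
    for name, flow, peer in (("direct", DIRECT_FLOW_US, DIRECT_PEER_US),
                             ("relay", RELAY_FLOW_US, RELAY_PEER_US)):
        verdict, hidden = classify_peer(flow, peer)
        print(f"{name}: {verdict}, estimated upstream delay {hidden} us")


if __name__ == "__main__":
    main()
```

Running the block prints "direct" for the first sample and "redirector" for the second, with the upstream estimate being the difference of the two medians. The estimate is only a lower bound on the hidden part of the chain when the peer measurement itself is noisy, which is why a tolerance margin rather than a strict comparison is used.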

Experimental Results

• The following servers were used:
  – TANE (Ternopil Academy of the National Economy, Ukraine, 217.196.166.105)
  – Kiel University (Germany, 134.245.52.122)
  – HTTL (Home To good service and Technology Ltd, London, England, 217.34.204.1)

Direct connection

Time Delays From HTTL to TANE

[Chart: time delays, μs (y-axis, 0.00E+00 to 1.00E+06) per IP packet (x-axis, packets 1 to 27)]

Time Delays from TANE to HTTL

[Chart: time delays, μs (y-axis, 0.00E+00 to 1.00E+06) per IP packet (x-axis, packets 1 to 27)]

Connection using redirector

Time Delays from HTTL to TANE using Kiel-redirector

[Chart: time delays, μs (y-axis, 0.00E+00 to 1.00E+07) per IP packet (x-axis, packets 1 to 27)]

Conclusion

• The Time Delay Method has the ability to locate a remote computer in real time based on delays in IP packet travel

• The Time Delay Method can also be used to analyze the nature of the links involved in the attack chain