Intrusion Detection Research
Transcript of Intrusion Detection Research
![Page 1: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/1.jpg)
Intrusion Detection Research
Stephen Huang, Sept. 20, 2013
![Page 2: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/2.jpg)
News
2
![Page 3: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/3.jpg)
http://arstechnica.com/security/2013/09/meet-hidden-lynx-the-most-elite-hacker-crew-youve-never-heard-of/
3
![Page 4: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/4.jpg)
Jobs
http://www.homelandsecuritynewswire.com/dr20130809-cybersecurity-jobs-average-over-100-000-a-year
4
![Page 5: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/5.jpg)
7
Intrusion Detection Research
Objective: To protect the infrastructure and the integrity of the computer systems and its data.
Assumptions: Hackers are able to establish a connection
session to the victim machine. Packets are exchanged between the
originating source and the victim. Data may be encrypted.
![Page 6: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/6.jpg)
8
Attack
(diagram: Attacker connects directly to Victim)
![Page 7: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/7.jpg)
9
Stepping-Stone Attack
(diagram: Attacker connects to Victim through a Stepping-Stone host)
![Page 8: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/8.jpg)
10
Our Strategy
(diagram: Attacker, Stepping-Stone, Victim; detection is placed on the chain)
![Page 9: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/9.jpg)
11
Our Solutions 1 & 2
Refuse to be a Stepping-Stone. Identifying a host being used as a stepping-stone (Stepping-Stone Detection). Detecting long downstream connection chains. Comparing incoming and outgoing streams of packets for similarity.
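The stream comparison the slide refers to, as an added example that is not part of the deck: a host correlates the timing of its incoming and outgoing packet streams (payloads may be encrypted, so only timestamps are used) and flags itself as a stepping-stone when most incoming packets are followed by an outgoing packet within a short window. The window `delta`, the threshold and the sample timestamps are constructed assumptions; the last case shows how chaff added to the incoming stream pulls the ratio below the threshold, which is the evasion discussed later in the deck.

```python
from bisect import bisect_left

def match_ratio(incoming, outgoing, delta=0.2):
    """Fraction of incoming packet times that are followed by an outgoing
    packet within `delta` seconds. Each outgoing packet is claimed at most once."""
    outgoing = sorted(outgoing)
    used = [False] * len(outgoing)
    matched = 0
    for t in sorted(incoming):
        i = bisect_left(outgoing, t)          # first outgoing packet at or after t
        while i < len(outgoing) and outgoing[i] - t <= delta:
            if not used[i]:
                used[i] = True
                matched += 1
                break
            i += 1
    return matched / len(incoming) if incoming else 0.0

def is_stepping_stone(incoming, outgoing, delta=0.2, threshold=0.8):
    """Decision step: the host is relaying the incoming stream if the match
    ratio reaches the (assumed) threshold."""
    return match_ratio(incoming, outgoing, delta) >= threshold

# Constructed timestamps (seconds). OUTGOING is INCOMING relayed with a small
# forwarding delay; UNRELATED is an independent session on the same host;
# CHAFF is extra incoming packets the relay never forwards.
INCOMING  = [0.00, 0.90, 1.70, 2.60, 3.10, 4.40, 5.00, 6.20]
OUTGOING  = [0.04, 0.95, 1.75, 2.63, 3.16, 4.45, 5.03, 6.27]
UNRELATED = [0.30, 1.20, 2.10, 3.50, 4.00, 5.40, 6.00, 6.80]
CHAFF     = [0.50, 1.30, 2.20, 3.80, 4.80, 5.60, 7.00, 7.50]

if __name__ == "__main__":
    print("relayed  :", match_ratio(INCOMING, OUTGOING))          # 1.0
    print("unrelated:", match_ratio(INCOMING, UNRELATED))         # 0.0
    print("chaffed  :", match_ratio(INCOMING + CHAFF, OUTGOING))  # 0.5
```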
![Page 10: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/10.jpg)
Long Connection Chain Detection
Matching Send- and Echo- Packets to compute the Round-Trip Time (RTT).
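The send/echo matching above, as an added example that is not the deck's own code: each send packet on an interactive session is paired with the first echo that answers it, giving one RTT sample per keystroke, and the session is flagged as a long downstream chain when its median RTT is well above that of a direct connection to the same peer. The `Packet` type, the capture, the direct-connection baseline and the factor of 4 are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    direction: str   # "send" (towards the downstream host) or "echo" (its reply)

def match_send_echo(packets, max_wait=2.0):
    """Pair each send with the first echo after it and return the RTT samples.
    A new send before any echo supersedes the unanswered one; an echo arriving
    later than max_wait is treated as unrelated and not counted."""
    rtts = []
    pending = None
    for p in sorted(packets, key=lambda q: q.ts):
        if p.direction == "send":
            pending = p
        elif p.direction == "echo" and pending is not None:
            rtt = p.ts - pending.ts
            if rtt <= max_wait:
                rtts.append(round(rtt, 3))
            pending = None
    return rtts

def looks_like_long_chain(rtts, baseline_rtt, factor=4.0):
    """Assumed indicator: every extra hop adds delay, so a median RTT of
    `factor` times the direct-connection RTT suggests a long chain."""
    return bool(rtts) and median(rtts) >= factor * baseline_rtt

# Constructed capture: five keystrokes echoed after roughly 0.35-0.42 s,
# plus a final send that is never echoed.
SAMPLE = [Packet(0.0, "send"), Packet(0.35, "echo"),
          Packet(1.0, "send"), Packet(1.40, "echo"),
          Packet(2.0, "send"), Packet(2.38, "echo"),
          Packet(3.0, "send"), Packet(3.42, "echo"),
          Packet(4.0, "send"), Packet(4.36, "echo"),
          Packet(5.0, "send")]
DIRECT_RTT = 0.05   # assumed RTT of a direct connection to the same peer

if __name__ == "__main__":
    rtts = match_send_echo(SAMPLE)
    print(rtts, looks_like_long_chain(rtts, DIRECT_RTT))
```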
![Page 11: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/11.jpg)
Stepping-Stone Detection
![Page 12: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/12.jpg)
14
Victim Host Protection
Visible Hosts
Attacker
Victim
Connection Chain
![Page 13: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/13.jpg)
Solution 3
Refuse to be a victim. Identifying a host being attacked through a stepping-stone chain. Examining the behavior of long connection chains.
15
![Page 14: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/14.jpg)
Challenges
Intruder's evasion techniques: chaffing, time jittering.
New technology: TOR.
16
![Page 15: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/15.jpg)
17
Evasion
Correlation-Based Approach
(diagram: streams S1 and S2 feed a Correlation step, then a Decision; Y = Stepping-Stone Attack, N = Normal)
![Page 16: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/16.jpg)
18
Evasion
Correlation-Based Approach
(diagram: S1 is now chaffed before it reaches Correlation and Decision; Y = Stepping-Stone Attack, but the N branch becomes "N?", since chaff can make a relayed stream look Normal)
![Page 17: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/17.jpg)
Solution 4
If one jitters or chaffs a traffic stream enough, the pattern of the packets becomes different from the norm.
19
![Page 18: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/18.jpg)
20
Countering the Evasion
(diagram: S1 first passes through Chaff Detection with its own Decision (Y/N); S1 and S2 then feed Correlation and the Decision; Y = Stepping-Stone Attack, N = Normal)
![Page 19: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/19.jpg)
TOR
TOR (The Onion Router) is a network of virtual tunnels that allows people to improve their privacy and security on the Internet.
Anonymity Online.
21
![Page 20: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/20.jpg)
Issues
Users have an anonymous way to connect to a host. So do the hackers, and it is more convenient for them.
Can we detect when a user is trying to sign on to our server by going through TOR?
There may be legitimate reasons to do so, but it is certainly very suspicious.
22
![Page 21: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/21.jpg)
Typical TCP Connection
23
(diagram, in order: SYN, SYN-ACK, ACK, HTTP GET)
![Page 22: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/22.jpg)
TOR HTTP Connection
24
(diagram, in order: SYN, SYN-ACK, ACK, HTTP GET, begin{relay}, {relay}, {relay}, connected, HTTP GET)
![Page 23: Intrusion Detection Research](https://reader035.fdocuments.us/reader035/viewer/2022062813/5681665c550346895dd9df07/html5/thumbnails/23.jpg)
25
Summary
Real-time intrusion detection is critical in protecting data and integrity of computer systems.
It is possible to detect a large percentage of cases by using various methods.
Intruders have developed techniques to evade detection. We have to come up with countermeasures.