Network Traffic and Intrusion Simulations II

Transcription

1 Network Traffic and Intrusion Simulations II Mgr. Rudolf B. Blažek, Ph.D. Department of Computer Systems Faculty of Information Technologies Czech Technical University in Prague Rudolf Blažek Network Security MI-SIB, ZS 2011/12, Lecture 7 The European Social Fund Prague & EU: We Invest in Your Future

2 Simulace síťového provozu a útoků II Mgr. Rudolf B. Blažek, Ph.D. Katedra počítačových systémů Fakulta informačních technologií České vysoké učení technické v Praze Rudolf Blažek Síťová bezpečnost MI-SIB, ZS 2011/12, Přednáška 7 Evropský sociální fond Praha & EU: Investujeme do vaší budoucnosf

3 Complex Network Simulation Continued Deauthentication Attack Network Simulation / 3

4 Deauthentication Attack Handshake Probe Request Probe Response Authentication Request Authentication Challenge Authentication Response Authentication Success Client Association Request Association Response Access Point Data Data Deauthentication Deauthentication 4

5 Deauthentication Attack Deauthentication Attack Data Client Intruder Data Deauthentication Access Point Deauthentication 5

6 Simulation Experiment Tools Used Tools created for Simulations A random number generator that can be called from shell The seed information is returned to the generator Micro sleep command to wait for decimal parts of seconds in shell Tools created for Detection Program in C that observers WiFi deauthentication frames Tools for the Attack Scapy, a tool to generate network packets 6

7 Simulation Experiment Background HTTP traffic g WLAN Simulated HTTP Traffic 7

8 Simulation Experiment Simulated Web Server Unix Shell Script Web Client Initial Random Generator Seed Random Generator rg Developed In-house Random File Size Random Pareto Value k = 81KB, β = 1.1 New Random Generator Seed Simulated HTTP Traffic Traffic Generator tg From USC ISI Random Generator rg Developed In-house Yes tg Finished? Random Wait Time Random Exponential μ = EX = 5 New Random Generator Seed Transmission Finished Delay using microsleep Precision ~ 300μs Developed In-house 8

9 Simulation Experiment Mobile user arrival and departure simulation g WLAN Deauthentication Frames 9

10 Simulation Experiment Simulated Customer Arrivals and Departures Unix Shell Script Initial Random Generator Seed Random Generator rg Developed In-house Random Interarrival & Connected Times EI = 5, EC = 3 Disconnect Times Simulated Deauthentications New Random Generator Seed Yes Deauthentication Packets (11) Scapy No Additional Data? Delay using microsleep Precision ~ 300μs Developed In-house 10

11 Detection of the Intrusion 11

12 Ad-hoc detection of the WiFi attack Snort wireless detection rule: Count number of WiFi deauthentication frames per second Detect the intrusion if the observed number exceeds a chosen threshold Non-statistical features of network intrusions: Network protocols are deterministic and well understood Protocol anomalies can be detected by stateful analysis Many ad-hoc methods work well to detect various attacks 12

13 Ad-hoc detection of the WiFi attack Snort: Signature based detection Only detects selected sets of attacks Tremendous false alarm rates Frequently missed detections, especially of unknown attacks Questions: How do you decide what thresholds to use? What about false alerts? 13

14 Statistical Aspects of Statistical features of network intrusions: Network intrusions occur randomly Intrusions occur at unknown points in time Intrusions lead to changes of statistical properties of some observable characteristics Attack detection viewed as a change-point detection (CPD): Detect changes in the distributions (models, parameters) With fixed delays (batch-sequential approach) Or with minimal average delays (sequential approach) While maintaining the false alarm rate at a given level 14

15 How to Measure System Performance? Probability of false alarm and probability of successful detection? How long period are we considering? False alarms will occur for sure when we monitor the network for a long period Attacks that stop quickly are harder to detect than longterm intrusions Even very weak attacks should be detected if they last long enough 15

16 Sequential Statistical Detection Sequential Statistical Learning Sequential NP-CUSUM statistic Historical estimate of E(X n ) S n = max{0, S n 1 + X n µ εˆθ n }, S 0 = 0 A network characteristic observed in the n th time interval: Number of UDP packets in a size bin Number of packets of a particular type (WiFi Deauthentication, TCP SYN, ICMP or ARP packets) Number of failed connections Level of link saturation An estimate of E(X n ) under attack Tuning parameter 16

17 Sequential Statistical Detection Sequential ID Algorithm with Reflection S k attack begins attack detected threshold possible false alarms update information detection delay time 17

18 Experimental Detection of the attack g WLAN 18

19 WiFi Network Traffic WiFi card in Monitor Mode libpcap library Function pcap_loop() Unix Alarm Signal Fires at Prescribed Interval, e.g. 1 sec Updated Packet Count WIND WLAN System New Time Period Reset Packet Count Function updatestatistics Calculate Sequential Statistics Monitor All Packets Function processpacket Threshold Exceeded New Packet Process No. 1 Filter Packets & Count Packets of Interest Yes Process No. 2 Issue an Alert 19

20 Detector based on libpcap /** Purpose: *!! - Be able to sniff wifi frames *!! - Identify the frame type : Distinguish Management frames (Probe Request, Probe!!! Response, Beacon) *!! from Control Frames and Data Frames *!! - Count the number of Probe Request Frames or Deauthentication Frames *!! - Analyze the statistics */ #include <math.h> #include <ctype.h> #include <pcap.h> #include <string.h> #include <stdlib.h> #include <stdio.h> #include <netinet/if_ether.h> #include <sys/ioctl.h> #include <unistd.h> #include <signal.h> #include <time.h> #include <pthread.h> 20

21 Detector packet monitoring parameters... #define MAXBYTES2CAPTURE 2048 //setting parameters #define START 144 #define START_SSID 160 #define TYPE 12 #define SUBTYPE 240 #define MANAG 0 #define CONTROL 4 #define DATA 8 #define RESERVED 12 #define REQUEST 64 #define RESPONSE 80 #define BEACON 128 #define DEAUTH 192 #define BSSID_LENGTH 6 #define CHANNEL 56 21

22 Detector monitoring initialization! // Open the device in promiscuous mode! descr=pcap_open_live(iface, MAXBYTES2CAPTURE, 1, 512, errbuf);! // Enumerate the data link types, and display! // readable-human names and descriptions for them! num= pcap_list_datalinks(descr, &dlt_buf);! for (ii=0; ii<num; ii++) {!! printf("%d - %s - %s\n\n",dlt_buf[ii],!!! pcap_datalink_val_to_name(dlt_buf[ii]),!!! pcap_datalink_val_to_description(dlt_buf[ii]));! }! // Signals declared in sa_mask field ignored during! // execution of the signal handler! setmasks(&alrmsig);! ALRMsig.sa_handler= actalrmsig;!! // Launch the detector thread! pthread_create (&th, NULL, process_signal, (void*)"1");! // Start infinite packet processing loop! pcap_loop(descr, -1, processpacket, (u_char *) &count);! // Wait for the end of the thread! // But we really do not get here! pthread_join (th, &ret); 22

23 Detector monitoring initialization!... // Start infinite packet processing loop! pcap_loop(descr, -1, processpacket, (u_char *) &count);! // Wait for the end of the thread! // But we really do not get here! pthread_join (th, &ret);! // Close the descriptor of the opened device! pcap_close(descr);! return EXIT_SUCCESS; 23

24 Detector processing of arrived packets /** Filter packets and print some characteristics of each packet */ void processpacket(u_char *arg, const struct pcap_pkthdr* hdr, const u_char* packet) {! u_char type_sub= packet[start]; // Get the interesting byte to analyze the frame type! u_char ch= packet[channel];! printf("channel = %d\n", ch);! // Filter by channel! if ( ( ( channel == 0 ) ( channel == ch )) &&!! filter_bssid(packet) && filter_type(type_sub) )! {!! counter++;! } } 24

25 Sequential Statistical Learning Sequential NP-CUSUM statistic Historical estimate of E(X n ) S n = max{0, S n 1 + X n µ εˆθ n }, S 0 = 0 A network characteristic observed in the n th time interval: Number of observed WiFi Deauthentication frames An estimate of E(X n ) under attack Tuning parameter 25

26 Detector periodical detection step /** Function processing the SIGALRM signal */ /** It is used to process and reset the observed packet counts */ /** The intrusion detection is done here */ void actalrmsig(int sig) {! double SnNew;!!!!! // new value of Sn! long lastcounter= counter;!! // former value of counter! counter= 0;! SnNew= Sn + lastcounter - mu - epsilon * theta;! // Maximum between 0 and SnNew! if (SnNew < 0) {!! SnNew= 0;! }! Sn= SnNew;! if (SnNew > threshold) {!! printf("help!! I am under ATTACK!!!!\n");! }! printf("xn = %d\t SnNew=%g\n", lastcounter, SnNew);! printf("counter = %d\n", counter);! setitimer(itimer_real, &timer, NULL); } 26

27 Section Subsection

28 Sequential Detection of Deauthentication Attack 300 Sequential Detection of an Deauthentication Attack 180 Sequential Detection of an Deauthentication Attack Sequential Statistics S(k) Sequential Statistics S(k) Time (seconds) Time (seconds) Un-optimized Statistic Optimized Statistic 28

29 Performance of the Detection Sequential Detection of an Deauthentication Attack Not Optimized Statistic Optimized Statistic ADD !Log (FAR) 29