Intrusion Detection Systems: A Formal Algorithmic approach



Similar documents
AN ACTIVE HOST-BASED INTRUSION DETECTION SYSTEM FOR ARP-RELATED ATTACKS AND ITS VERIFICATION 1

Security Technology White Paper

Packet Sniffing on Layer 2 Switched Local Area Networks

CSCE 465 Computer & Network Security

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

Network Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention

CSCI 4250/6250 Fall 2015 Computer and Networks Security

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Firewalls, Tunnels, and Network Intrusion Detection

Address Resolution Protocol (ARP): Spoofing Attack and Proposed Defense

CS 356 Lecture 16 Denial of Service. Spring 2013

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

CS5008: Internet Computing

Own your LAN with Arp Poison Routing

Development of a Network Intrusion Detection System

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

An Efficient Detection Algorithm for TCP/IP DDoS Attacks

Firewalls and Intrusion Detection

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

Brocade NetIron Denial of Service Prevention

co Characterizing and Tracing Packet Floods Using Cisco R

PROFESSIONAL SECURITY SYSTEMS

An Intrusion Detection System for Kaminsky DNS Cache poisoning

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

Networks: IP and TCP. Internet Protocol

Securing IP Networks with Implementation of IPv6

CYBER ATTACKS EXPLAINED: THE MAN IN THE MIDDLE

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Router Attacks-Detection And Defense Mechanisms

Keywords Attack model, DDoS, Host Scan, Port Scan

ARP Storm Detection and Prevention Measures

Linux Network Security

McAfee SecurityCenter Evaluation under DDoS Attack Traffic

Attack Lab: Attacks on TCP/IP Protocols

A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

CSE 127: Computer Security. Network Security. Kirill Levchenko

TARP: Ticket-based Address Resolution Protocol

Distributed Denial of Service (DDoS)

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Security vulnerabilities in the Internet and possible solutions

Building Secure Network Infrastructure For LANs

How To Protect A Dns Authority Server From A Flood Attack

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

Secure Software Programming and Vulnerability Analysis

Architecture Overview

Chapter 8 Security Pt 2

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

AlliedWare TM OS How To. Use DHCP Snooping and ARP Security to Block ARP Poisoning Attacks. Introduction. Related How To Notes

IDS / IPS. James E. Thiel S.W.A.T.

ACHILLES CERTIFICATION. SIS Module SLS 1508

Intrusion Detection Categories (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Strategies to Protect Against Distributed Denial of Service (DD

Defending Computer Networks Lecture 6: TCP and Scanning. Stuart Staniford Adjunct Professor of Computer Science

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Frequent Denial of Service Attacks

Prevention, Detection and Mitigation of DDoS Attacks. Randall Lewis MS Cybersecurity

OrchSec: An Orchestrator-Based Architecture For Enhancing Network Monitoring and SDN Control Functions

Securing Cloud using Third Party Threaded IDS

Denial of Service Attacks

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Ethernet. Ethernet. Network Devices

CHAPTER 1 INTRODUCTION

Network Security: Attacks and Defenses

Network Forensics: Log Analysis

Deployment of Snort IDS in SIP based VoIP environments

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

SECURING APACHE : DOS & DDOS ATTACKS - I

TCP/IP Security Problems. History that still teaches

Network Concepts. IT 4823 Information Security Concepts and Administration. The Network Environment. Resilience. Network Topology. Transmission Media

Network Based Intrusion Detection Using Honey pot Deception

LEARNING COMPUTER SYSTEMS VULNERABILITIES EXPLOITATION THROUGH PENETRATION TEST EXPERIMENTS

Network reconnaissance and IDS

Firewall. User Manual

DDoS Protection Technology White Paper

Denial of Service. Tom Chen SMU

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

Name: 1. CSE331: Introduction to Networks and Security Fall 2003 Dec. 12, /14 2 /16 3 /16 4 /10 5 /14 6 /5 7 /5 8 /20 9 /35.

What is Web Security? Motivation

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

During your session you will have access to the following lab configuration. CLIENT1 (Windows XP Workstation) /24

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

NETWORK INTRUSION DETECTION SYSTEM USING HYBRID CLASSIFICATION MODEL

S5700S-LI Series Gigabit Enterprise Switches

A Subnet Based Intrusion Detection Scheme for Tracking down the Origin of Man-In-The-Middle Attack

Fun with Packets: Endeavor Systems DRAFT

Seminar Computer Security

DoS: Attack and Defense

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

The Trivial Cisco IP Phones Compromise

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

DDoS Vulnerability Analysis of Bittorrent Protocol

Lab VI Capturing and monitoring the network traffic

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

Transcription:

Intrusion Detection Systems: A Formal Algorithmic approach Santosh Company Biswas LOGO Associate Professor Dept. of CSE, IIT Guwahati

What is Intrusion Detection System? Intrusion What is IDS? A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability, of a computing and networking resource Intrusion detection The process of identifying and responding to intrusion activities

IDS Taxonomy Location of Deployment Host based IDS: Taxonomy Monitor Computer Processes File Integrity Checkers (system files, checksum e.g. hash value) Log File Analysis (attack s are encoded in terms of regular exp.) Statistical Approach (session duration, CPU uses, no. of files open) System Call Monitoring (any deviation is compared with normal seq.) Network based Monitor Network Traffic Packet Signatures Anomalous Activity

IDS Taxonomy Detection Methodology Signature based Detects known attacks whose syntax and behavior is known Can not detects new or novel attacks Generate large number of False Positive Alarms

Signature based IDS pattern matching Intrusion Patterns intrusion activities Example: if (src_ip == dst_ip) then land attack alert ip any any > any any (msg : BAD TRAFFIC samesrc/dst ; sameip; reference : cve,cve 1999 0016; url,www.cert.org/advisories/ca 1997 28.html; classtype : bad unknown; sid : 527; rev : 3; )

Anomaly based IDS Detection Methodology Anomaly based Can detects both known and unknown attacks Create normal (and/or attack) profile from training data set Require pure training dataset for profile generation Network packets are classified as Normal and Anomalous based on the profile Detects patterns that do not confirm expected or normal behavior Generate large number of False Positive Alarms

Anomaly based IDS activity measures 90 80 70 60 50 40 30 20 10 0 CPU Process Size probable intrusion normal profile abnormal

Anomaly based IDS

Event based IDS Detection Methodology Event based IDS: Taxonomy Detects known attacks for which a signature can not be generated These attacks do not change the syntax and sequence of network traffic under normal and compromised situation Detection is through monitoring the difference in sequence of events (i.e. network packets) under normal and compromised situations

Objective Identify Attacks Test Design Detection Mechanism IDS Implement Model

Agenda What is ARP? Address Resolution Protocol maps IP address to MAC address Purpose of ARP 32-bit Internet address ARP RARP 48-bit Ethernet address ARP CACHE : IP MAC Bindings IP MAC TYPE 10.0.0.2 00:00:00:00:00:02 dynamic

Agenda How ARP works? ARP Request is Broadcasted to all the hosts in LAN Who has IP 10.0.0.2? 10.0.0.2 00:00:00:00:00:02 10.0.0.1 00:00:00:00:00:01 10.0.0.3 00:00:00:00:00:03

Agenda How ARP works? Unicast Reply from concerned host I have IP 10.0.0.2 My MAC is 00:00:00:00:00:02 10.0.0.2 00:00:00:00:00:02 10.0.0.1 00:00:00:00:00:01 10.0.0.3 00:00:00:00:00:03

Agenda What is ARP cache? ARP cache : updated 10.0.0.2 00:00:00:00:00:02 10.0.0.1 00:00:00:00:00:01 IP MAC TYPE 10.0.0.2 00:00:00:00:00:02 dynamic 10.0.0.3 00:00:00:00:00:03

Agenda ARP Packet Ethernet : 1 IP : 0X800 OPCODE 1: ARP Request 2: ARP Reply Size : 28 bytes

Agenda Why is ARP vulnerable? ARP is a stateless protocol Hosts cache all ARP replies sent to them even if they had not sent an explicit ARP request for it. No mechanism to authenticate their peer

Agenda ARP-based Attacks ARP Spoofing Man-in-the-Middle Attack Denial-of-Service Attack MAC Flooding ( on Switch ) ARP Flooding DoS by spurious ARP packets

Agenda ARP Spoofing Attacker sends forged ARP packets to the victim I have IP 10.0.0.3 My MAC is 00:00:00:00:00:02 Victim 10.0.0.1 00:00:00:00:00:01 ARP Reply 10.0.0.2 00:00:00:00:00:02 IP MAC TYPE 10.0.0.3 00:00:00:00:00:02 dynamic Attacker

Agenda Man-in-the-Middle Attack IP MAC TYPE 10.0.0.3 00:00:00:00:00:01 dynamic 10.0.0.2 00:00:00:00:00:02 10.0.0.1 00:00:00:00:00:01 Attacker 10.0.0.3 00:00:00:00:00:03 IP MAC TYPE 10.0.0.2 00:00:00:00:00:01 dynamic

Agenda Man-in-the-Middle Attack Session Hijacking IP MAC TYPE 10.0.0.3 00:00:00:00:00:01 dynamic 10.0.0.2 00:00:00:00:00:02 10.0.0.1 00:00:00:00:00:01 Attacker 10.0.0.3 00:00:00:00:00:03 IP MAC TYPE 10.0.0.2 00:00:00:00:00:01 dynamic

Agenda Denial of Service A malicious entry with a non-existent MAC address can lead to a DOS attack I have IP 10.0.0.3 My MAC is XX:XX:XX:XX:XX:XX Victim 00:00:00:00:00:01 10.0.0.1 ARP Reply 10.0.0.2 00:00:00:00:00:02 IP MAC TYPE 10.0.0.3 XX:XX:XX:XX:XX:XX dynamic Attacker

Agenda Denial of Service Victim unable to reach the IP for which the forged packet was sent by the attacker PING 10.0.0.3 Request timed out. Victim 10.0.0.1 00:00:00:00:00:01 10.0.0.2 00:00:00:00:00:02 IP MAC TYPE 10.0.0.3 XX:XX:XX:XX:XX:XX dynamic Attacker

Agenda MAC Flooding Attacker bombards the switch with numerous forged ARP packets at an extremely rapid rate such that its CAM table overflows 10.0.0.1 00:00:00:00:00:01 Attacker PORT MAC 1 00:00:01:01:01:01 2 00:00:02:02:02:02....

Agenda ARP Flooding Attacker sends numerous forged ARP packets at the victim such that its ARP cache overflows leading to ARP Cache Poisoning Results in Victim unable to contact other hosts Victim 10.0.0.1 00:00:00:00:00:01 Attacker IP MAC 10.0.11.12 00:00:01:01:01:01 10.0.11.15 00:00:02:02:02:02....

Agenda DoS by spurious ARP packets Attacker sends numerous spurious ARP packets at the victim such that it gets engaged in processing these packets Makes the Victim busy and might lead to Denial of Service Victim 10.0.0.1 00:00:00:00:00:01 Spurious ARP Packets Attacker Busy Processing

EXISTING TOOLS AND TECHNIQUES

Agenda EXISTING TOOLS AND TECHNIQUES Static ARP Cache entries Fixed IP-MAC pairs Huge administrative effort Does not scale on a large dynamic network One new/changed host affects all the hosts Port Security -- Bind switch port to specified MAC address and shut down pot in case of change in MAC address of a transmitter IP. If the first packet sent has spoofed IP-MAC pair, then genuine packets may be dropped.

Agenda EXISTING TOOLS AND TECHNIQUES ARPWATCH maintains a database with IP-MAC mappings any change detected is reported to administrator using syslog/email ARP Defender Hardware device running ARPWATCH ArpGuard keeps track of a MAC-IP mappings and alerts changes and invalid mappings If the first packet sent has spoofed IP-MAC pair, then genuine packets may be dropped.

Agenda EXISTING TOOLS AND TECHNIQUES Signature and Anomaly based IDS High number of false alarms Modifying ARP using Cryptographic Techniques Secure-ARP - Digital Signature for authentication Ticket-based ARP Tickets from Ticket-issuing Agents Calls for Replacement of entire Network Stack Additional overhead of cryptographic calculations Change Standard ARP

Agenda EXISTING TOOLS AND TECHNIQUES Active Spoof Detection Engine Send TCP SYN packets to probe IP-MAC pairs Receive SYN/ACK if port is open or RST if closed No response => malicious host Violation of network layering architecture Active Man in the Middle Attack Detector IDS finds Systems with IP forwarding enabled Spoof the ARP cache of all such systems: Now all traffic forwarded by such systems reach IDS Additional network Traffic Difficulty in poisoning ARP cache of the attacker

Motivation: What Agenda is Required in an IDS for ARP attacks Should not modify the standard ARP Should generate minimal extra traffic in the network Should not require patching, installation of extra software in all the systems Should detect a large set of LAN based attacks

ARP ATTACK DETECTION USING DISCRETE EVENT SYSTEM

Agenda Network Architecture Port Mirroring is enabled at the switch E is working as IDS IDS A C E Monitor Port Probe Port Switch B D Attacker

Agenda Test Scenario

Agenda ARP Request Handler Event DTD Store RQP In SPOOFT Store RQP In AUTHT Event DTD Event RQP Event PRQP Send Probe Request to RQPIPS

Agenda ARP Response Handler Event DTD Store RSP In SPOOFT Store RSP In AUTHT Event DTD Event RSP Event PRQP Send Probe Request to RSPIPS

Agenda Test Scenario (Revised)

Agenda DES model: Normal Condition

Agenda DES model: Request Spoofing

Agenda DES model: Response Spoofing

Demonstration by Screen Captures

Demonstration by Screen Captures

Demonstration by Screen Captures

Demonstration by Screen Captures

Demonstration by Screen Captures

Demonstration by Screen Captures

Demonstration by Screen Captures

Demonstration by Screen Captures

Demonstration by Screen Captures

Demonstration by Screen Captures

Demonstration by Screen Captures

Demonstration by Screen Captures

Demonstration by Screen Captures

Demonstration by Screen Captures

Demonstration by Screen Captures

Agenda References [ARD] https://www.arpdefender.com. [ARG] https://www.arp-guard.com. [Bar03] M. Barnaba. Anticap. 2003. http://cvs.antifork.org/cvsweb.cgi/anticap. [BOR03] D. Bruschi, A. Ornaghi, and E. Rosti. S-arp: a secure address resolution protocol. In ACSAC '03: Proceedings of the 19th Annual Computer Security Applications Conference, page 66,, 2003. IEEE Computer Society. [CIS] http://www.cisco.com/en/us/docs/switches/lan/catalyst6500/ios/12.2sxf/native/ configuration/guide/swcg.html. [Hun] F. Hunleth. Secure link layer. http://www.cs.wustl.edu/fifhunleth/projects/projects.html. [Lab] Lawrence Berkeley National Laboratory. Arpwatch tool: Arp spoofing detector. ftp://ftp.ee.lbl.gov/arpwatch.tar.gz. [LEM05] Wesam Lootah, William Enck, and Patrick McDaniel. Tarp: Ticket-based address resolution protocol. Computer Security Applications Conference, 2005. [Plu82] David C. Plummer. An ethernet address resolution protocol. 1982. RFC826. [RN05] Vivek Ramachandran and Sukumar Nandi. Detecting arp spoofing: An actuve technique. Computer Security Applications Conference, Annual, 0:116-126, 2005.

Agenda References [SM06] Khamphao Sisaat and Daisuke Miyamoto. Source address validation support for network forensics. In The 1st Joint Workshop on Information security, 2006. [Tet03] I. Teterin. Antidote. 2003. http://online.securityfocus.com/archive/1/299929. C. G. Cassandras and S. Lafortune, Introduction to discrete event systems, Kluwer Academic Publishers, 1 edition, 1999. R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni, A fast automaton-based method for detecting anomalous program behaviors, in Symposium on Security and Privacy. 2001, pp. 144 155, IEEE. S.-J. Whittaker, M. Zulkernine, and K. Rudie, Towards incorporating discrete-event systems in secure software development, in International Conference on Availability, Reliability and Security. 2008, pp. 1188 1195, IEEE. R. Alur and D. L. Dill, A theory of timed automata, in Theoretical Computer Science. 1993, pp. 183 235, Elsevier. K-T. Cheng and A.S. Krishnakumar, Automatic functional test generation using the extended finite state machine model, in International Design Automation Conference. 1993, pp. 86 91, IEEE-ACM.

THANK YOU

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information