Agenda
- Principles of Network Forensics
- Terms & Log-based Tracing
- Application Layer Log Analysis
- Lower Layer Log Analysis
Richard Baskerville, Georgia State University

Principles

Network forensics, as defined in Kim, et al. (2004) A fuzzy expert system for network forensics, ICCSA 2004, Berlin: Springer-Verlag, p. 176:
"The action of capturing, recording, and analyzing network audit trails in order to discover the source of security breaches or other information assurance problems."

Network Attacks
- Protocol
  - e.g., SQL injection
- Malware
  - e.g., virus, Trojan, worm
- Fraud
  - e.g., phishing, pharming, etc.

Attack Residue
- Successful attack
  - Obfuscation of residue
- Unsuccessful attack
  - Residue is intact

Network Traffic Capture Logging: Issues Driving Automated Support
- Managing data volume
- Managing logging performance
- Ensuring logs are useful to reconstruct the attack
- Correlation of data in logs
  - Importance of timestamping

Honeytraps
Systems designed to be compromised and collect attack data.
(Diagram, from Yasinac, A. and Manzano, Y. (2002) Honeytraps, A Network Forensic Tool, Florida State University: network traffic analysis, traceback.)

Evidence Processing Usually Requires Software Tools
- Sessionizing
- Protocol parsing and analysis
- Decryption
- Security of analysis and data
  - Avoiding detection and analysis-data compromise
- Minimizing distance to source
- Traversing firewalls, proxies and address translation
- Multiple corroborating collectors
- Time and location stamping

Terms and Log-based Tracing

Two Important Terms
- Promiscuous Mode
  - An Ethernet Network Interface Card (NIC) in promiscuous mode is configured to pass all traffic received by the card to the operating system, rather than just the packets addressed to it. This feature is normally used for packet sniffing.
- IP Spoofing
  - Forging the source address in the header of an IP packet so that it contains a different address, making it appear that the packet was sent by a different machine. Responses to spoofed packets go to the forged source address. Mainly used for denial of service, where the attacker does not care about the response, or for defeating IP-based authentication. It is sometimes possible for an attacker to recover responses when the spoofed address is on a LAN or WAN controlled by the attacker.

Rootkit
- Blackhat software that gains control over a computer or network. "Root" refers to the administrative (superuser) computer account. "Kit" refers to the mechanisms that gain entry into the target computer and modify it to provide a later, simpler means of access (a backdoor).
- Rootkits will usually erase or disable the system's event logging capacity in an attempt to hide attack evidence, and may disclose sensitive data. A well designed rootkit replaces parts of the operating system with rootkit processes and files, and obscures itself from security scanning.

Honeypot Data
- A network host computer serving only the purpose of attracting network-based attacks. Because a honeypot is intended to host no legitimate activity, any activity detected on this host is assumed to be intrusion activity.
- Data on honeypot activity is carefully captured to avoid detection and corruption. It is used to study ongoing network-based attacks for the purpose of developing defenses and remedies for potential or experienced compromises.

Log-based Tracing
(Diagram: a client's HTTP data is wrapped in TCP, IP and network-access (X.25) headers as it passes down through the Application, Transport, Internet and Network layers. Logs kept at the proxy or firewall, at the router and at sniffers along the path each record the data plus the protocol headers visible at their layer, and all of them feed the forensics analysis.)

Logging Options
- Issues of efficiency in logfile space and processing time
- Sometimes options, e.g.,
  - Off
  - Succinct
  - Verbose

Web Logs: Application Layer Log Analysis

Example of Application Layer Logging
- Access Log File
  - Contains a log of all the requests.
- Proxy Access Log File
  - (If directed) a separate log of proxy transactions (otherwise logged to the Access Log)
- Cache Access Log
  - (If directed) a separate log of cache accesses (otherwise logged to the Access Log)
- Error Log File
  - Log of errors

The Common Log File Format (World Wide Web Consortium, W3C)
- Format: remotehost rfc931 authuser [date] "request" status bytes
  - remotehost: remote hostname (or IP number if the DNS hostname is not available, or if DNSLookup is Off)
  - rfc931: the remote logname of the user
  - authuser: the username as which the user has authenticated himself
  - [date]: date and time of the request
  - "request": the request line exactly as it came from the client
  - status: the HTTP status code returned to the client
  - bytes: the content-length of the document transferred

Web Log File Example
209.240.221.71 - - [03/Jan/2001:15:20:06-0800] "GET /Inauguration.htm HTTP/1.0" 200 8788 "http://www.democrats.com/" "Mozilla/3.0 WebTV/1.2 (compatible; MSIE 2.0)"
Source: Thamason, L. (2001) Analyzing Web Site Traffic, NetMechanic (4)11. http://www.netmechanic.com/news/vol4/promo_no11.htm

IIS Logging Options

Web Access Logs

Web Log Analysis Tools: Page Delivery

Web Log Analysis Tools: File Delivery
- Usually intended for management

Web Log Analysis Tools: Users

Web Log File Live Example #1
131.96.102.37 - - [27/Mar/2010:22:27:03-0400] "GET /cis8080/readings/sec_you.pdf HTTP/1.0" 401 0 0 "-" "eliza-google-crawler (Enterprise; S5- JDM5GCVTD6NJB; greg@gsu.edu,istmccx@langate.gsu.edu)"
Status 401 Unauthorized: nothing delivered.

Simple Who Is Tracing (the source address is subject to spoofing)

Web Log File Live Example #2
208.61.220.34 - infosecstudent [25/Mar/2010:13:34:38-0400] "GET /cis8080/readings/stratisrm_final_typescript.pdf HTTP/1.1" 200 60818 125 "http://cis.gsu.edu/~rbaskerv/cis8080/readings.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;.NET CLR 2.0.50727)"
Status 200: request fulfilled, 60KB delivered.

Simple Who Is Tracing

Help for Tracing Abuse

Lower Layer Log Analysis
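A parser for the Common Log Format slide and the two live examples above, added here as an example and not taken from the slides. It handles the seven CLF fields, the referer and user-agent fields of the combined format, the extra numeric field the live examples carry after bytes (assumed here to be a time-taken value), and the timezone offset in [date] so entries from different servers can be correlated. The sample lines are the slides' own, with the crawler's contact addresses trimmed.

```python
import re
from datetime import datetime, timezone

# Matches the W3C Common Log Format, the combined format's referer/user-agent
# fields, and an optional numeric field (e.g. time-taken) after bytes.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>-|\d+)'
    r'(?: (?P<extra>\d+))?'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$')

def parse_time(stamp):
    """Parse [date] with its UTC offset; the slides' lines omit the space before it."""
    for fmt in ("%d/%b/%Y:%H:%M:%S %z", "%d/%b/%Y:%H:%M:%S%z"):
        try:
            return datetime.strptime(stamp, fmt)
        except ValueError:
            continue
    return None

def parse_line(line):
    """Return one entry as a dict, or None if the line is not CLF-shaped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
    e["user"] = None if e["user"] == "-" else e["user"]
    e["time"] = parse_time(e["date"])
    # UTC copy so entries from servers in different zones line up for correlation.
    e["utc"] = e["time"].astimezone(timezone.utc) if e["time"] else None
    e["method"], e["path"], e["proto"] = (e["request"].split(" ") + [None, None])[:3]
    return e

def outcome(e):
    """What the server actually handed over, as the slides annotate each live example."""
    return "delivered" if 200 <= e["status"] < 300 and e["bytes"] > 0 else "nothing delivered"

# The three log lines shown on the slides (crawler contact addresses trimmed).
SAMPLE_LINES = [
    '209.240.221.71 - - [03/Jan/2001:15:20:06-0800] "GET /Inauguration.htm HTTP/1.0" 200 8788 '
    '"http://www.democrats.com/" "Mozilla/3.0 WebTV/1.2 (compatible; MSIE 2.0)"',
    '131.96.102.37 - - [27/Mar/2010:22:27:03-0400] "GET /cis8080/readings/sec_you.pdf HTTP/1.0" 401 0 0 '
    '"-" "eliza-google-crawler (Enterprise; S5-JDM5GCVTD6NJB)"',
    '208.61.220.34 - infosecstudent [25/Mar/2010:13:34:38-0400] '
    '"GET /cis8080/readings/stratisrm_final_typescript.pdf HTTP/1.1" 200 60818 125 '
    '"http://cis.gsu.edu/~rbaskerv/cis8080/readings.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
]
```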

Transport, Internet, Network Access Logging
(Diagram: TCP data plus transport-layer headers at the Transport layer, IP data plus transport/internet-layer headers at the Internet layer, and the network-access layer (X.25), as logged by the proxy or firewall, the router and sniffers.)

Reconstructing Data Flows
- Logs record packet headers, not sessions or flows
- Logs usually ignore packet contents for efficiency
- Flow can be logically reconstructed from
  - IP addresses
  - Port numbers
  - Implied protocols
  - Sequencing
(Figure: reconstructing TCP flows from raw IP network traffic. From E. Casey (2004) Network Traffic as a Source of Evidence, Digital Investigation 1 (1) 28-43.)

Network Log Analysis Tools: TCP Connection Graph
Port 139: This is the single most dangerous port on the Internet. All "File and Printer Sharing" on a Windows machine runs over this port. About 10% of all users on the Internet leave their hard disks exposed on this port. This is the first port hackers want to connect to, and the port that firewalls block.

Incoming TCP Connection Graph
Inbound port 139 connections suggest the firewall and the host are controlled by intruders.

Outgoing TCP Connection Graph
These outgoing port 139 connections suggest this machine has been compromised by intruders.

Detecting the Moment of Compromise
- Port 42895 is not listening: attempts to connect are reset (RST).
- Port 42895 starts listening: attempts to connect finish (FIN). Some software has started monitoring this port at 5:50:37.

Connection-graph examples from Raynal, et al. (2004) Honeypot Forensics, IEEE Security & Privacy, 72-77.
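An added example, not from the slides, of the two lower-layer analyses just described: rebuilding TCP flows from logged packet headers using only the addresses, ports and sequence numbers the slide lists, and then spotting the moment a port that used to reset connection attempts starts accepting them. The packet records and the 10.0.0.5 host address are constructed for illustration; the port number 42895 is the one on the slide.

```python
from collections import defaultdict
HOST = "10.0.0.5"  # assumed address of the monitored (honeypot) host
# Constructed header records, not a real capture: (time, src, sport, dst, dport, flags, seq, payload)
PACKETS = [
    (10.0, "198.51.100.9", 40001, HOST, 42895, "S", 100, b""),
    (10.1, HOST, 42895, "198.51.100.9", 40001, "RA", 0, b""),       # refused: nothing listening
    (20.0, "198.51.100.9", 40002, HOST, 42895, "S", 200, b""),
    (20.1, HOST, 42895, "198.51.100.9", 40002, "SA", 900, b""),     # accepted: port now listening
    (20.4, "198.51.100.9", 40002, HOST, 42895, "PA", 204, b"lo\n"), # logged out of order
    (20.3, "198.51.100.9", 40002, HOST, 42895, "PA", 201, b"hel"),
    (20.5, HOST, 42895, "198.51.100.9", 40002, "PA", 901, b"ok\n"),
    (20.6, "198.51.100.9", 40002, HOST, 42895, "FA", 207, b""),     # closes cleanly (FIN)
]

def flow_key(p):  # one key for both directions of a conversation (addresses + ports)
    return tuple(sorted([(p[1], p[2]), (p[3], p[4])]))

def reconstruct_streams(packets):
    """Group records into flows; rebuild each direction's bytes in TCP sequence order."""
    flows = defaultdict(lambda: defaultdict(list))
    for p in packets:
        flows[flow_key(p)][(p[1], p[2])].append(p)
    return {key: {src: b"".join(q[7] for q in sorted(pkts, key=lambda q: q[6]))
                  for src, pkts in dirs.items()}
            for key, dirs in flows.items()}

def connection_outcomes(packets, host, port):
    """For each SYN to host:port: refused (RST), accepted (SYN-ACK) or unanswered, in time order."""
    ordered = sorted(packets, key=lambda q: q[0])
    results = []
    for p in ordered:
        if (p[3], p[4], p[5]) != (host, port, "S"):
            continue
        reply = next((q for q in ordered if q[0] > p[0]
                      and (q[1], q[2], q[3], q[4]) == (host, port, p[1], p[2])), None)
        state = ("unanswered" if reply is None else "refused" if "R" in reply[5]
                 else "accepted" if reply[5] == "SA" else "other")
        results.append((p[0], p[1], state))
    return results

def first_listen_time(packets, host, port):
    """Time of the first accepted connection on a port that earlier refused them:
    the moment something started listening there, as on the port 42895 slide."""
    seen_refused = False
    for t, _, state in connection_outcomes(packets, host, port):
        seen_refused |= state == "refused"
        if state == "accepted" and seen_refused:
            return t
    return None
```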

tcpdump
Free packet analyzer that allows a computer to intercept and display packets transmitted and received over its attached network. Runs on Unix-like operating systems, and there is a port to Windows (WinDump). Uses the packet capture engine libpcap (or WinPcap). The tcpdump file format is now a standard.

Snort
Free open source network intrusion prevention and detection system that logs packets and analyzes traffic on IP networks. It performs protocol analysis and content searching/matching, and actively blocks or passively detects many attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS fingerprinting attempts.

NetDetector
Continuous capture and warehousing of network packets and statistics. Alerts on signatures, traffic patterns, and statistical anomalies. Reconstructs web, email, instant messaging, FTP, Telnet, etc.

NetIntercept
Captures and stores LAN traffic in raw dump files using a promiscuous Ethernet card and a modified UNIX kernel. Can write directly to removable media or transfer over the network to other machines for archiving. Stream reconstruction on demand: assembles a user-defined range of packets into network connection data streams. The analysis subsystem is graphical, constructing a tree stored in an SQL database.

Richard Baskerville, Georgia State University