Intrusion Detection Research
Stephen Huang
Sept. 20, 2013
News
http://arstechnica.com/security/2013/09/meet-hidden-lynx-the-most-elite-hacker-crew-youve-never-heard-of/
Jobs
http://www.homelandsecuritynewswire.com/dr20130809-cybersecurity-jobs-average-over-100-000-a-year
F-22 vs J-20
Intrusion Detection Research
Objective: To protect the infrastructure and the integrity of computer systems and their data.
Assumptions:
Hackers are able to establish a connection session to the victim machine.
Packets are exchanged between the originating source and the victim.
Data may be encrypted.
Attack
(figure: Attacker connects directly to Victim)
Stepping-Stone Attack
(figure: Attacker connects to Victim through a Stepping-Stone)
Our Strategy
(figure: the same Attacker, Stepping-Stone and Victim chain)
Our Solutions 1 & 2
Refuse to be a Stepping-Stone: identify when a host is being used as a stepping-stone (Stepping-Stone Detection).
Solution 1: Detect long downstream connection chains.
Solution 2: Compare the incoming and outgoing streams of packets for similarity.
Long Connection Chain Detection
Matching Send- and Echo-packets to compute the Round-Trip Time (RTT).
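The slide states the method in one line: pair each outgoing Send packet with the Echo it provokes and read the RTT off the pair. The following is an added illustration of that idea in Python, not the author's code. The traffic is constructed: a keystroke leaves the monitored host as a "send" packet, the far end answers with an "echo", echoes return in the order the sends were made (a simplifying assumption), and every extra hop in the downstream chain adds its own one-way delay in each direction, so the RTT grows with chain length. The per-hop RTT used to turn a median RTT into a hop estimate is likewise an assumed calibration value.

```python
"""Estimating connection-chain length from Send/Echo round-trip times.

Added illustration (not the author's code). All traffic below is constructed.
"""
import random
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    direction: str   # "send" (outgoing keystroke) or "echo" (incoming response)


def match_send_echo(packets):
    """Pair every echo with the oldest still-unmatched send that precedes it
    (FIFO matching; assumes echoes do not overtake one another).
    Returns a list of (send_ts, echo_ts) pairs."""
    pending = []
    pairs = []
    for p in sorted(packets, key=lambda q: q.ts):
        if p.direction == "send":
            pending.append(p.ts)
        elif p.direction == "echo" and pending:
            pairs.append((pending.pop(0), p.ts))
    return pairs


def rtt_samples(packets):
    """Round-trip time of each matched send/echo pair."""
    return [echo - send for send, echo in match_send_echo(packets)]


def simulate_session(n_keystrokes, hop_delays, seed=0):
    """Constructed session: keystrokes 0.15-0.35 s apart; the echo returns
    after twice the sum of the per-hop one-way delays plus a little jitter."""
    rng = random.Random(seed)
    packets = []
    t = 0.0
    for _ in range(n_keystrokes):
        t += rng.uniform(0.15, 0.35)
        packets.append(Packet(t, "send"))
        rtt = 2 * sum(hop_delays) + rng.uniform(0.0, 0.005)
        packets.append(Packet(t + rtt, "echo"))
    return packets


def estimate_hops(packets, per_hop_rtt):
    """Chain-length estimate: median RTT divided by an assumed per-hop RTT.
    The median is robust to the odd unmatched or delayed echo."""
    samples = rtt_samples(packets)
    if not samples:
        return 0
    return round(median(samples) / per_hop_rtt)


if __name__ == "__main__":
    direct = simulate_session(30, hop_delays=[0.02])
    chain = simulate_session(30, hop_delays=[0.02, 0.02, 0.02])
    print("direct: median RTT %.3f s, hops ~ %d"
          % (median(rtt_samples(direct)), estimate_hops(direct, 0.04)))
    print("chain : median RTT %.3f s, hops ~ %d"
          % (median(rtt_samples(chain)), estimate_hops(chain, 0.04)))
```

Real captures need more care than this FIFO pairing: packets that are not echoes (window updates, retransmissions, bulk output) have to be filtered out first, and an echo that never arrives leaves a send pending forever, which is why the estimate uses a median rather than a mean.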
Stepping-Stone Detection
Victim Host Protection
(figure: Attacker reaches the Victim through a Connection Chain; only the Visible Hosts of the chain can be observed)
Solution 3
Refuse to be a victim: identify when a host is being attacked through a stepping-stone chain by examining the behavior of long connection chains.
Challenges
Intruder's evasion techniques:
    Chaffing
    Time jittering
New technology:
    TOR
Evasion
Correlation-Based Approach
(figure: incoming stream S1 and outgoing stream S2 are fed to Stepping-Stone Correlation; Decision Y = Attack, N = Normal)
Evasion
Correlation-Based Approach
(figure: the same pipeline with S1 Chaffed; the correlation Decision can no longer be made, marked ?)
Solution 4
If one jitters or chaffs a traffic stream enough, the pattern of its packets becomes different from the norm.
Countering the Evasion
(figure: S1 first passes Chaff Detection; its Decision Y/N precedes the Stepping-Stone Correlation of S1 and S2, whose Decision gives Attack or Normal)
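Solution 2 (comparing the incoming and outgoing streams), the chaffing evasion of slides 17 and 18, and the chaff-detection stage of the figure above are all small enough to show together. The following is an added example in Python, not the author's code or the research group's implementation. Streams are constructed lists of packet timestamps on one connection; a stepping stone's outgoing stream is the incoming one shifted by a small forwarding delay. The correlation statistic (fraction of S1 packets followed by an S2 packet within a short window), the chaff statistic (fraction of inter-packet gaps shorter than a human could type), all thresholds, and the choice to report a chaffed incoming stream directly instead of passing it to the correlator are assumptions made for this illustration; time jittering, the other evasion on the Challenges slide, is not simulated.

```python
"""Timing correlation of a stepping-stone's incoming (S1) and outgoing (S2)
streams, the chaff evasion against it, and a chaff detector in front of it.

Added example, not the author's code. Streams are constructed; each threshold
below is an assumption chosen for the illustration.
"""
import bisect
import random

MATCH_WINDOW = 0.05     # s: an S1 packet matches if S2 carries a packet within this long after it
CORR_THRESHOLD = 0.9    # fraction of matched S1 packets needed to declare a stepping stone (assumption)
MIN_HUMAN_GAP = 0.05    # s: human keystrokes assumed never closer than this (assumption)
CHAFF_THRESHOLD = 0.1   # fraction of sub-human gaps that marks a stream as chaffed (assumption)


def keystroke_stream(n, seed):
    """Constructed interactive traffic: n packets, 0.15-0.5 s apart."""
    rng = random.Random(seed)
    ts, t = [], 0.0
    for _ in range(n):
        t += rng.uniform(0.15, 0.5)
        ts.append(t)
    return ts


def relay(stream, seed):
    """What a stepping stone's outgoing connection carries: each incoming
    packet forwarded after a small processing delay."""
    rng = random.Random(seed)
    return sorted(t + rng.uniform(0.001, 0.01) for t in stream)


def chaff(stream, n_extra, seed):
    """Evasion: the intruder injects n_extra meaningless packets at random
    times into the incoming stream. The far end discards them, so they have
    no counterpart on the outgoing connection."""
    rng = random.Random(seed)
    extra = [rng.uniform(stream[0], stream[-1]) for _ in range(n_extra)]
    return sorted(stream + extra)


def correlation_score(s1, s2):
    """Fraction of S1 packets followed within MATCH_WINDOW by an S2 packet."""
    matched = 0
    for t in s1:
        i = bisect.bisect_right(s2, t)
        if i < len(s2) and s2[i] - t <= MATCH_WINDOW:
            matched += 1
    return matched / len(s1) if s1 else 0.0


def chaff_score(stream):
    """Fraction of inter-packet gaps shorter than MIN_HUMAN_GAP.
    Chaff inserted at random times produces many such gaps."""
    gaps = [b - a for a, b in zip(stream, stream[1:])]
    if not gaps:
        return 0.0
    return sum(g < MIN_HUMAN_GAP for g in gaps) / len(gaps)


def correlate_only(s1, s2):
    """The plain correlation-based decision (slide 17)."""
    return "Attack" if correlation_score(s1, s2) >= CORR_THRESHOLD else "Normal"


def detect_with_chaff_check(s1, s2):
    """Chaff detection in front of correlation (slide 20). A chaffed incoming
    stream is reported on its own instead of being handed to the correlator
    it would defeat (assumed resolution of the figure's Y branch)."""
    if chaff_score(s1) >= CHAFF_THRESHOLD:
        return "Attack (chaffed stream)"
    return correlate_only(s1, s2)


if __name__ == "__main__":
    s1 = keystroke_stream(40, seed=1)
    s2 = relay(s1, seed=2)
    other = keystroke_stream(40, seed=7)          # unrelated connection
    s1_chaffed = chaff(s1, 80, seed=3)
    print("relayed, no evasion :", correlate_only(s1, s2))
    print("unrelated streams   :", correlate_only(s1, other))
    print("relayed, S1 chaffed :", correlate_only(s1_chaffed, s2), "<- evasion works")
    print("with chaff detection:", detect_with_chaff_check(s1_chaffed, s2))
```

The chaff detector here keys on inter-packet gaps only because the constructed chaff is injected at random times; chaff that copies the timing of real keystrokes would need a different feature (packet sizes, or the distribution of gaps rather than a single threshold), which is the sense in which the slide says "enough" chaff changes the pattern.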
TOR
TOR (The Onion Router) is a network of virtual tunnels that allows people to improve their privacy and security on the Internet. Anonymity online.
Issues
Users have an anonymous way to connect to a host. So do the hackers, and it is more convenient for them.
Can we detect when a user is trying to sign on to our server by going through TOR?
There may be legitimate reasons to do so, but it is certainly very suspicious.
Typical TCP Connection
SYN
SYN-ACK
ACK
HTTP GET
TOR HTTP Connection
SYN
SYN-ACK
ACK
HTTP GET
begin
{relay}
{relay}
{relay}
connected
HTTP GET
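The two sequence diagrams differ in what happens between the TCP handshake and the first HTTP GET: over TOR the "begin" cell is relayed through the circuit, the exit node completes the handshake with the server, "connected" travels back to the client, and only then does the GET cross the circuit. The following added Python example (not the author's code) replays both exchanges with assumed one-way latencies per hop and reports what the server can observe. The heuristic at the end, flagging a connection whose first request arrives long after its handshake completed, is an assumption drawn from the diagrams, not a detection method the slides describe.

```python
"""Replaying a direct HTTP connection and an HTTP connection over a TOR circuit
to compare the server-side timing. Added example, not the author's code.
Latencies are assumed one-way delays per hop; the TOR cell sequence follows
the slide (begin, relay, relay, relay, connected).
"""


def direct_http(d):
    """Direct client <-> server with one-way latency d.
    Returns the events the server sees as (time, message)."""
    events = []
    t = d                               # SYN sent at 0 arrives at d
    events.append((t, "SYN"))
    events.append((t, "SYN-ACK"))       # server answers at once
    t += 2 * d                          # SYN-ACK at client at 2d; ACK and GET back at 3d
    events.append((t, "ACK"))
    events.append((t, "HTTP GET"))      # the client had its request ready
    return events


def tor_http(circuit, d):
    """Client -> guard -> middle -> exit with one-way latencies in `circuit`,
    exit <-> server latency d. Returns (client_events, server_events)."""
    hops = sum(circuit)
    client, server = [], []
    client.append((0.0, "begin"))                  # RELAY BEGIN leaves the client
    t_exit = hops                                  # relayed hop by hop to the exit
    server.append((t_exit + d, "SYN"))             # exit opens the TCP connection
    server.append((t_exit + d, "SYN-ACK"))
    t_exit += 2 * d                                # exit holds the SYN-ACK
    server.append((t_exit + d, "ACK"))             # handshake complete at the server
    t_connected = t_exit + hops                    # RELAY CONNECTED relayed back
    client.append((t_connected, "connected"))
    client.append((t_connected, "HTTP GET"))       # client may now send the request
    server.append((t_connected + hops + d, "HTTP GET"))  # through the circuit and exit
    return client, server


def handshake_to_request_gap(server_events):
    """Seconds between the final ACK of the handshake and the first HTTP GET,
    as seen by the server."""
    times = {name: t for t, name in server_events}
    return times["HTTP GET"] - times["ACK"]


def looks_relayed(server_events, threshold=0.1):
    """Assumed heuristic: a direct client has its request ready when the
    handshake completes, so the gap is near zero; a request that must first
    cross a circuit arrives a full circuit round-trip later."""
    return handshake_to_request_gap(server_events) > threshold


if __name__ == "__main__":
    direct = direct_http(0.02)
    _, via_tor = tor_http([0.03, 0.03, 0.03], 0.02)
    for label, ev in (("direct", direct), ("via TOR", via_tor)):
        print(label, ["%s@%.3f" % (n, t) for t, n in ev],
              "gap %.3f s" % handshake_to_request_gap(ev),
              "relayed?" , looks_relayed(ev))
```

In this model the gap is exactly twice the client-to-exit circuit latency, independent of the exit-to-server distance. A real server cannot distinguish this from a slow client that simply waits before sending, which is why the slide leaves the question open rather than proposing a rule.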
Summary
Real-time intrusion detection is critical in protecting data and the integrity of computer systems.
It is possible to detect a large percentage of cases by using various methods.
Intruders have developed techniques to evade detection; we have to come up with countermeasures.