Download powerpoint - ARQoS - North Carolina State University

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
Document related concepts

Zero-configuration networking wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Nonblocking minimal spanning switch wikipedia , lookup

Distributed firewall wikipedia , lookup

Airborne Networking wikipedia , lookup

Network tap wikipedia , lookup

Deep packet inspection wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
Sleepy Watermark Tracing: An Active
Network-based Intrusion Response
Framework
Xinyuan Wang† Douglas S. Reeves†‡ S. Felix Wu†† Jim Yuill†
†Department
of Computer Science
‡Department of Electrical and Computer Engineering
North Carolina State University
††Department
of Computer Science
University of California at Davis
IFIP/Sec’01 Paris, France
Network-Based Attacks
We have detected attacks from the network !!!
Stepping Stones
Attacker
Target
Master
Machine
Slave
Machines
Where do these attacks come from ???
2
Tracing Problem and Its Challenges
• What is tracing problem ?
– To identify the source of network-based intrusion
• Why tracing is important ?
– Network-based attacks can not be effectively repelled or
eliminated until its source is known
• Challenges in tracing
– Spoofed source IP address
– Connections through “stepping stones”
• One of the hardest network security problems
• Focus on tracing chained connections with stepping stones
3
Tracing Approaches
Host-based
Passive
Active
DIDS
CallerID
CIS
Network-based
Thumbpriting
IDIP
Timing-based
SWT
Deviation-based
Classification of Existing Tracing Approaches and SWT
4
Tracing Approach Classification
• Host-based:
– tracing based on information collected from each host
• Network-based:
– tracing based on the property of network connection: the
application level content of chained connections is invariant
• Passive:
– passively monitor and compare network traffic, need to
compare every concurrent incoming connections with every
concurrent outgoing connection. (clueless tracing)
• Active:
– dynamically control what and how connections are to be
correlated through customized packet processing. (tracing
with clue)
5
Sleepy Watermark Tracing (SWT)
• SWT is an active network-based tracing framework
– Active network seeks to increase the programmability of
networks that enables user and application to dynamically
control how packets are handled.
• SWT is “sleepy” and yet “active”
• SWT exploits following observations
– Interactive intrusions with chained connections are bidirectional and symmetric at the granularity of connections
– Application level contents are invariant across connection
chains
6
SWT Tracing Model
H1
H2
GW1
H0
GW2
H3
GW4
H6
Intruder
GW3
H4
H5
H7
Hi: Host
GWi: Guardian Gateway
Target
Target injects watermark into the backward connection and
“wakes up” guardian gateways along the intrusion path
7
SWT Concepts and Assumptions
• Basic SWT concepts
– Guardian Gateway (nearest router)
• Incoming Guardian Gateway
• Outgoing Guardian Gateway
• Guardian Gateway Set
– Guarded Host
• Basic SWT assumptions
–
–
–
–
Intrusions are interactive and bi-directional
Routers are trust worthy and hosts are not trust worthy
Each host has a single SWT guardian gateway
There is no link-to-link encryption
8
SWT Architecture
IDS
Sleepy Intrusion
Response
Active Tracing
Watermark Enabled
Application
Host
SWT Subsystem
SWT Guarded Host
Normal Traffic
Watermarked Traffic
Active Tracing Protocol
Watermark
Correlation
Active Tracing
SWT Guardian Gateway
9
SWT Components
• SWT supporting components
– IDS
• Application level interface to any Intrusion Detection System
– Watermark-enabled application
• Server applications that have been modified to be able to
“inject” arbitrary watermark at request
• SWT components
– Sleepy Intrusion Response (SIR)
• Controls and coordinates overall SWT intrusion tracing
– Watermark Correlation (WMC)
• Matching adjacent connections through watermark
– Active Tracing (AT)
• “Wakes up” and coordinate SWT guardian gateways
10
Watermark
• A small piece of information that can be used to uniquely
identify a connection
• Application specific
• Invisible to end users (telnet, rlogin etc)
– [Identifying part] + [covering part]
• “intruder\b\b\b\b\b\b\b\b \b”
– Original
• “Su”
– [Original] + [watermark]
• “Suintruder\b\b\b\b\b\b\b\b \b”
• Collision probability
11
SWT Analysis
• SWT Advantages
–
–
–
–
–
•
•
•
•
•
Separate intrusion tracing from intrusion detection
Does not need to record all the concurrent connections
Requires no clock synchronization
Trace through connection chain within single keystroke
Can trace through connection chain even when the intruder
is silent
Robustness and security
Efficiency
Scalability
Applicability
Intrusiveness
12
SWT Performance
100 Mbps
100 Mbps
SWT Guardian GW
Pentium 233Mhz
FreeBSD 4.0
Measure latency
• FreeBSD kernel IP forwarding without SWT
• SWT configured to by pass traffic
• Divert socket IP forwarding without SWT
• SWT configured to scan traffic
13
Latency (microseconds)
SWT Latency
320
300
280
260
240
220
200
180
160
140
120
100
80
60
40
20
0
S WT S c a n
Dive rt S o c ke t
S WT B ypa s s
F re e B S D Ke rne l
0
200
400
600
800
1000
1200
1400
1600
Packet Size (bytes)
Latency overhead due to SWT itself is about 50 µs
14
Future Work
•
•
•
•
•
New form of watermark
Correlate encrypted connection chains (ssh, IPSEC etc)
More watermark-enabled applications
Transparent proxy for watermark injection
Tracing based active intrusion response
– What can be done once we have identified the intrusion
source ?
15
Related documents
Oral Sex - Islamic
Oral Sex - Islamic
Dias nummer 1
Dias nummer 1
Database Functions and Capabilities
Database Functions and Capabilities
Skiptrace
Skiptrace
Heat density of the heating elements shall be such the temperature
Heat density of the heating elements shall be such the temperature
streamMiningPfahringerLesson2
streamMiningPfahringerLesson2
KNOWLEDGE IN ISLAM I begin with the name of Allah the most
KNOWLEDGE IN ISLAM I begin with the name of Allah the most
Position Description
Position Description
Epidemic dynamics in complex populations Motivation    Infectious disease is, worldwide, the main thing that kills people. Systematic, 
Epidemic dynamics in complex populations Motivation    Infectious disease is, worldwide, the main thing that kills people. Systematic, 
ACS Seminar on Internet computing Internet Security Issues
ACS Seminar on Internet computing Internet Security Issues