Download Malicious Information Gathering

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
Document related concepts

Cracking of wireless networks wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Distributed firewall wikipedia , lookup

Airborne Networking wikipedia , lookup

List of wireless community networks by region wikipedia , lookup

Transcript 
Malicious Information Gathering
Caezar
Introduction
 By creating mobile agents that communicate
and make decisions, a vast number of
“secrets” can be learned without triggering
the target system’s alarms.
 Presented by Caezar, a network security
research developer
History
 Knowing your opponents strategy has always
been critical to success
 Since the advent of radio transmission
opposing groups have monitored each other’s
strategic communications
 Today, the medium has changed toward the
Internet but the espionage concepts are
identical
Topics of Discussion
 Distributed Hacking
 Agents
 Information Representation
 Goal Seeking
 Mobility
 Application
Distributed Hacking
 Performs identically to common hacking
 Appears to come from many Internet
addresses
 Very difficult to stop, but fairly easy to detect
 Recent examples include Trinoo and TFN
attacks on major web sites
Distributed Hacking
 Each node is a module of the central
command
 With increasing distance between nodes,
communication latency becomes extremely
difficult to manage
 The central command decides which action
to take so the flexibility of the network
decreases as its size increases
Agents
 An agent is a person or thing that acts on
your behalf so that the authority does not
need to be present
 Normally, agents make the best available
decision without consulting the authority
 Only in exceptional cases does an agent halt
to wait for orders or permission
Agents
 A human food-delivery agent, for instance,
will not halt at a closed road, rather he will
choose another route and continue to perform
his tasks
 These are often called “autonomous agents”
in artificial intelligence (AI) research, but I
will refer to them simply as “agents”
Agents
 To be effective, computer agents need
sensors, actors and a management unit
 For information gathering, the sensors are
packet filters and pattern matchers
 The actors simply communicate interesting
data from the sensors back to the Authority
Agent, or an intermediary Director Agent
Agents
 The management unit receives requests from
other Agents or Director Agents and
prioritizes them, possibly declining to
perform the service
 Due to ideal small size requirements, we use
a simple rule set with a busy indicator to
decide when to accept or reject requests
Agents vs. Modules
 Modules have a predefined purpose and use,
agents are multipurpose and have
interchangeable uses
 Modules perform their tasks immediately,
agents may schedule the task for later
completion
 Agents can choose to reject a request,
modules cannot make that choice
Information Representation
 For the system of agents to communicate
effectively they must agree on a format of
representing their collected data
 If the data collected is going to be used to
mount a network attack on a particular target,
the agents should be able to identify
weaknesses and catalog them with a
Librarian for future use by a Director
Information Representation
 To catalog and retrieve learned information,
it must be consistently and uniquely named
 XML or ASN.1 make good information
descriptions
 Both can be used easily with SQL-based
exploit libraries by a Librarian Agent
Goal Seeking
 Bruce Schneier of Counterpane Systems
recently elaborated on attack trees in Doctor
Dobb’s Journal, December 1999
 The attack tree model is an excellent pattern
against which the data collected by the
Librarian can be compared
 Each fully matching branch indicates an
available method for attack success
Goal Seeking
 Creating an attack tree for every desirable
goal allows each goal to be broken into small
pieces and managed by a Director Agent
 Redundant nodes can be applied to several
trees without wasted effort
 With a good set of attack trees and agent
tools, a Director can find and exploit security
flaws without intervention
Goal Seeking
 Given several goals, the management unit
can schedule the agent to fulfill many
requests without requiring further
communication with the network
 Director Agents divide larger tasks into
smaller ones and distribute the work amongst
available agents
Goal Seeking
 An example is port-scanning a Class C domain
 The task can be divided between Directors who
then subdivide the job between their agents
 Each agent will make a small number of requests
 As a whole, this example agent network makes a
complete scan
Mobility
 By adding an exploit sensor to every agent literally
thousands of machines can be found to infect
 If a Librarian agent provides exploit code to the
agents, those found machines become hacked
machines
 If the exploit code starts an agent running, then the
agent network grows of its own volition
Mobility
 For the rest of this presentation, assume that
a particular target network is being attacked;
for instance “bigcompany.com”
 We do not want to infect the whole Internet
to attack or monitor the target
 By restricting the agent to infect only
machines “closer” to the target, we eliminate
the radical growth problem
Application
 To bring all of this material together, we need the
following components:



A goal like “Collect all of the e-mail to or from
bigcompany.com”
A library of exploit code designed to inject a running
agent into currently popular systems
A Librarian Agent capable of searching the database and
returning code matched to a requested target
Application
 Component list (continued):



E-mail capture code with source and destination
filters (e.g. dsniff by Dug Song)
A Director Agent to manage agent
communication, e.g. to Librarian Agent
A communication channel; direct TCP for
simplicity
Application
 Identify a large list of initial nodes, perhaps by
scanning for known Trojans
 Insert Librarian and Director Agents
 Communicate the initial target list to the Director
 As the Director spawns new agents they begin to
feed data back regarding more potential targets,
network layout, adjacency, etc.
Application
 The agent network surrounds the target
 Depending on the quality of the exploit
library it will be able to monitor portions of
the target’s network traffic
 The ability to attack routers, ISP hosts and
other “hard” targets is critical to the success
of this sort of attack
What This Means
 Distributed information gathering, especially
agent-based, can do much of the work of
network mapping software without triggering
your IDS
 Corporate and government security models
must consider simple TCP services like
SMTP, POP3 and HTTP as totally insecure
unless explicitly audited
What This Means
 Assume that mobile, autonomous agents are
already available to the intelligence
community
 Assume that attackers do not need to probe
your network before attacking
 They can listen long enough before attacking
to passively identify your systems and
servers
What This Means
 With the introduction of automated
distributed attacks, it is reasonable to expect
that Artificial Intelligence and Superficial
Intelligence will pose new threats to online
security
Related documents
Library Statistics - Library and Information Science
Library Statistics - Library and Information Science
Web Evaluation - American Library Association
Web Evaluation - American Library Association
Growth Hacking - Roy Povarchik
Growth Hacking - Roy Povarchik
OUCC Doing More with Less PowerPoint Presentation
OUCC Doing More with Less PowerPoint Presentation
Library History - Town of Franklinville
Library History - Town of Franklinville
Artificial Intelligence
Artificial Intelligence
New Ways to Exploit Raw Data May Bring Surge of Innovation
New Ways to Exploit Raw Data May Bring Surge of Innovation
Scientific Data and Social Science Data Libraries
Scientific Data and Social Science Data Libraries
Equipment and Help Call Management System
Equipment and Help Call Management System
天 津 大 学 文 件
天 津 大 学 文 件
Short Assignment #4 - Dr. John D. Cressler
Short Assignment #4 - Dr. John D. Cressler
What is AI? - faculty.cs.tamu.edu
What is AI? - faculty.cs.tamu.edu
IR Web Modules
IR Web Modules
Library QA/QE Mechanism
Library QA/QE Mechanism
A Data Mining Technique to Detect Remote Exploits
A Data Mining Technique to Detect Remote Exploits
Research and the Internet - Delhi University Library System
Research and the Internet - Delhi University Library System