Matching TCP/IP Packet to Detect Stepping-stone Intrusion
Jianhua Yang
TSYS School of Computer Science
Edward Bosworth
Center for Information Assurance Education
Columbus State University
3/14/2016
Columbus State University
1/24
Layout
  Background
  Related Work
  SWAM algorithm
  Compare with SDC
  Conclusion and future work
1. Background
How to attack other computers?
  Interactive
  Non-interactive
Interactive attack
  Direct
  Indirect
Indirect attack
[Figure: Attacker -> Stepping-stones -> Victim; the stepping-stone intrusion is observed, and stepping-stone intrusion detection performed, at a Monitor Point on the chain]
A detection model
[Figure: the monitored host has an Incoming Connection and an Outgoing Connection; both are observed at the monitor point]
2. Related Work
  Content-based (Thumbprint) [1]
  Time-based (ON-OFF) [2]
  Deviation-based [3]
  Packet-number-based [4,7]
  Watermark-based [5,6]
  One-dimension random walk [13]
Another model
[Figure: at the stepping-stone host, a Send-Echo round trip and a Send-Ack round trip are measured]
Ratio = RTT(Send-Ack) / RTT(Send-Echo)
The problems
  Length estimation
  Measure bar
  Absorbing
Matching TCP Packet
  Step-function (packet matching) [8]
  Fluctuation estimation [9]
  Clustering-Partitioning algorithm [10,11]
SDC (Standard deviation based Cluster Matching)
RTT distribution
Figure 1: A distribution of RTT for a connection chain
How SDC works
Send timestamps S = {s1, s2, s3, s4}
  = {1099702684, 1099772525, 1099909440, 1099928524}
Echo timestamps E = {e1, e2, e3, e4}
  = {1099828523, 1099898019, 1100036000, 1100058999}
Candidate RTTs for each send, Si = {ej - si : j = 1..4} (a negative value means the echo arrived before the send, so it cannot be that send's reply):
S1 = {125839, 195335, 333316, 356315},
S2 = {55998, 125494, 263475, 286474},
S3 = {-80917, -11421, 126560, 149559},
S4 = {-100001, -30505, 107476, 130475}.
Basic Idea to do SDC
S = {s1, s2, …, sn}
E = {e1, e2, …, em}
S1 = {s1e1, s1e2, …, s1em},
S2 = {s2e1, s2e2, …, s2em},
…
Sn = {sne1, sne2, …, snem}.
Combination: pick one candidate pair from each Si
Clusters: every such combination is one cluster of n candidate RTTs
Standard deviation computing: compute the standard deviation of each cluster
Get the smallest one: the cluster with the smallest standard deviation gives the packet matching
Complexity
Number of clusters: m^n (n send packets, m echo packets)
Example:
  80 send packets
  115 echo packets
  115^80 = 7.175e+164 clusters
SWAM (sliding window packet matching algorithm)
S = {s1, s2, s3, s4, s5, s6, s7, s8, s9, s10}
E = {e1, e2, e3, e4, e5, e6, e7, e8, e9, e10, e11, e12, e13, e14}
Window size = 3
Q = {s1, s2, e1, s3, e2, s4, e3, e4, s5, e5, s6, e6, e7, s7, e8, e9, s8, e10, s9, e11, e12, s10, e13, e14}
Q1 = {s1, s2, e1, s3, e2, s4, e3, e4, s5, e5, s6, e6, e7, s7, e8, e9, s8, e10, s9, e11, e12, s10, e13, e14}
Comparison
For the previous example (n = 10 sends, m = 14 echoes):
SDC: number of clusters = 14^10 = 289254654976
SWAM: number of clusters = 2^10 = 1024
SWAM / SDC = 1024 / 289254654976 ≈ 0.00000035%
General Comparison
[Formula slide; the extracted text is not readable. It compares the SDC count m^n with SWAM's count, written in terms of i = 1..n and the window sizes w1 and w2.]
Live Sliding Window (LSW)
  Why use LSW?
  Possible?
How to use LSW?
  Determine the size of the LSW by the gap between si and sj
Why SWAM works?
  Six facts from the TCP/IP protocol
  For details, please read the paper, Section 3.1 Motivation.
Conclusion
SWAM works and is more efficient than SDC at matching TCP/IP packets.
Future work
Using SWAM to compute the length of a connection chain.
References
[1] S. Staniford-Chen and L. Todd Heberlein, "Holding Intruders Accountable on the Internet," Proc. IEEE Symposium on Security and Privacy, Oakland, CA, USA, 1995, pp. 39-49.
[2] Y. Zhang and V. Paxson, "Detecting Stepping Stones," Proc. 9th USENIX Security Symposium, Denver, CO, USA, 2000, pp. 171-184.
[3] K. Yoda and H. Etoh, "Finding Connection Chain for Tracing Intruders," Proc. 6th European Symposium on Research in Computer Security, Toulouse, France, 2000, pp. 31-42.
[4] A. Blum, D. Song, and S. Venkataraman, "Detection of Interactive Stepping-Stones: Algorithms and Confidence Bounds," Proc. International Symposium on Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, France, 2004, 2035.
[5] X. Wang, D. S. Reeves, S. F. Wu, and J. Yuill, "Sleepy Watermark Tracing: An Active Network-based Intrusion Response Framework," Proc. 16th International Conference on Information Security, Paris, France, June 2001, pp. 369-384.
[6] X. Wang, D. Reeves, and S. Wu, "Inter-Packet Delay-based Correlation for Tracing Encrypted Connections through Stepping Stones," Proc. 7th European Symposium on Research in Computer Security, Lecture Notes in Computer Science vol. 2502, Zurich, Switzerland, October 2002, pp. 244-263.
[7] T. He and L. Tong, "Detecting Encrypted Interactive Stepping-Stone Connections," Proc. 2006 IEEE International Conference on Acoustics, Speech, and Signal Processing, Toulouse, France, May 2006.
[8] J. Yang and S.-H. S. Huang, "A Real-Time Algorithm to Detect Long Connection Chains of Interactive Terminal Sessions," Proc. 3rd ACM International Conference on Information Security (Infosecu'04), Shanghai, China, November 2004, pp. 198-203 (acceptance rate 25%).
[9] J. Yang and S.-H. S. Huang, "Characterizing and Estimating Network Fluctuation for Detecting Interactive Stepping-Stone Intrusion," Proc. International Conference on Communication, Network and Information Security, Phoenix, Arizona, November 2005, pp. 70-75 (acceptance rate 34%).
[10] J. Yang, S.-H. S. Huang, and M. D. Wan, "A Clustering-Partitioning Algorithm to Find TCP Packet Round-Trip Time for Intrusion Detection," Proc. 20th IEEE International Conference on Advanced Information Networking and Applications (AINA 2006), Vienna, Austria, April 2006, vol. 1, pp. 231-236 (acceptance rate 30%).
[11] J. Yang and S. Huang, "Probabilistic Analysis of an Algorithm to Compute TCP Packet Round-Trip Time for Intrusion Detection," Computers & Security, Elsevier, vol. 26, 2007, pp. 137-144.
[12] G. Zhao, J. Yang, L. Ni, G. S. Hura, and S.-H. S. Huang, "Correlating TCP/IP Interactive Sessions with Correlation Coefficient to Detect Stepping-Stone Intrusion," to appear in Proc. 23rd IEEE International Conference on Advanced Information Networking and Applications (AINA 2009), Bradford, UK, May 2009.
[13] J. Yang, B. Lee, and S.-H. S. Huang, "Monitoring Network Traffic to Detect Stepping-Stone Intrusion," Proc. 22nd IEEE International Conference on Advanced Information Networking and Applications (AINA 2008), Okinawa, Japan, March 2008, pp. 56-61.
Thanks! Questions?