
The Web Neighborhood Watch Project

DETECTING A CYBER-ATTACK SOURCE IN REAL TIME. R. Romanyak 1), A. Sachenko 1), S. Voznyak 1), G. Connolly 2), G. Markowsky 2). 1) Ternopil Academy of National Economy; 2) Department of Computer Science, U. of Maine. The Web Neighborhood Watch Project.


Presentation Transcript


  1. DETECTING A CYBER-ATTACK SOURCE IN REAL TIME. R. Romanyak 1), A. Sachenko 1), S. Voznyak 1), G. Connolly 2), G. Markowsky 2). 1) Ternopil Academy of National Economy; 2) Department of Computer Science, U. of Maine

  2. The Web Neighborhood Watch Project • This project seeks to identify websites belonging to dangerous people such as terrorists • In addition to the artificial intelligence components, there is a need for locating the website in physical space • At last year's conference, work was presented on using the distributed traceroute approach to help locate computers physically

  3. Locating Computers in Physical Space • Not only is locating computers physically important for the Web Neighborhood Watch Project, but for dealing with cyber-attacks in general • Current methods for tracking Internet-based attacks are primitive. • It is almost impossible to trace sophisticated attacks using current tools.

  4. Intruders [Figure: chart "Attack Sophistication and Intruder Technical Knowledge". Horizontal axis: year (1980, 1986, 1992, 1998, 2004). Vertical axis: Low to High, with two curves labelled "Intruder Knowledge" and "Attack Sophistication". Labelled attack types, as extracted: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, www attacks, denial of service, network mgmt. diagnostics, burglaries, distributed attack tools, "stealth"/advanced scanning techniques, staged, cross site scripting, auto coordinated tools]

  5. Techniques for Physically Locating Computers • Whois • Traceroute • Distributed Traceroute • Time Delay Method (new)

  6. Whois Limitations • Whois contains information about top-level domains only • Whois data is split across distributed registry databases that are not always linked to one another

  7. Traceroute Limitations • It does not take advantage of the fact that there typically exist several different paths to the target computer • Executing a single trace from a single location tends to produce results that are geographically insufficient to place the target

  8. Distributed Traceroute Limitations • The results are not always as accurate as one would want • This approach cannot be applied when the attacker uses intermediate hosts with software redirectors to make a cyber-attack

  9. Time Delay Method (new) • Based on the observation that the most recent computer from which the attack was received is one of two things: • a) The actual attacking computer • b) An intermediate host running redirection software • The choice between a) and b) is made by comparing the time delay observed on the attack traffic between the attacking computer (AC) and the victim computer (VC) with the time delay measured directly to the most recent host: if the attack traffic is noticeably slower than a direct exchange with that host, further links lie behind it

  10. A Cyber-attack using Redirectors. Chain: Attacking Computer → Redirector 1 → Redirector 2 → … → Redirector n → Victim Computer, with link delays t1, t2, t3, …, tn, tn+1. Ttotal = t1 + t2 + t3 + … + tn + tn+1, where ti is the time delay of the i-th link
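The decision described on slides 9 and 10, written out as an added example (this is not code from the Romanyak et al. presentation, and the RTT samples, jitter tolerance and thresholds below are constructed assumptions, not the authors' measurements). The victim (TANE in the slides' setup) holds two sets of round-trip times: RTTs measured directly to the most recent host the attack arrives from (assumed here to be Kiel), and the request-to-response latency observed on the attack connection itself. If the attack traffic is slower than a direct exchange with that host by more than the measurement jitter, the host is a redirector and the excess approximates the delay of the hidden part of the chain.

```python
"""Added example of the Time Delay Method; not the authors' code.
All timings are constructed sample data in milliseconds."""
from statistics import median
from typing import Sequence, Tuple

# Constructed: victim (TANE) probing the most recent host (Kiel) directly.
DIRECT_TANE_KIEL = [38.1, 37.9, 38.4, 38.0, 39.2, 38.2, 37.8]

# Constructed: attack request/response latency when the attacker really
# sits at Kiel (case a on slide 9).
ATTACK_FROM_KIEL_ONLY = [38.5, 38.0, 39.0, 38.3, 38.9]

# Constructed: attacker at HTTL using Kiel as a redirector (case b); the
# extra ~25 ms is the assumed HTTL<->Kiel link.
ATTACK_VIA_KIEL_REDIRECTOR = [63.4, 62.9, 64.1, 63.0, 63.7]


def chain_total_delay(link_delays: Sequence[float]) -> float:
    """Ttotal = t1 + t2 + ... + tn + tn+1 for a chain of n redirectors
    (n+1 links) from the attacking computer to the victim."""
    return float(sum(link_delays))


def mad(samples: Sequence[float]) -> float:
    """Median absolute deviation: a jitter estimate that ignores outliers
    (one slow probe must not flip the verdict)."""
    m = median(samples)
    return median(abs(x - m) for x in samples)


def classify_source(direct_rtts: Sequence[float],
                    attack_rtts: Sequence[float],
                    k: float = 3.0,
                    floor_ms: float = 2.0) -> Tuple[str, float]:
    """Decide whether the most recent host is the attacking computer
    ("direct") or an intermediate host ("redirector").

    direct_rtts: RTTs from the victim straight to the most recent host.
    attack_rtts: latency observed on the attack connection end to end.
    k, floor_ms: assumed tolerance = max(k * MAD(direct), floor_ms).
    Returns (verdict, excess_ms); excess_ms approximates the delay of the
    links hidden behind the redirector when the verdict is "redirector".
    """
    base = median(direct_rtts)
    observed = median(attack_rtts)
    tolerance = max(k * mad(direct_rtts), floor_ms)
    excess = observed - base
    if excess < -tolerance:
        # Traffic relayed through a host cannot arrive faster than a direct
        # exchange with that host; the two measurements are not comparable.
        return "inconsistent", excess
    if excess > tolerance:
        return "redirector", excess
    return "direct", excess


if __name__ == "__main__":
    print("Ttotal for links [12.5, 25.0, 38.0] =", chain_total_delay([12.5, 25.0, 38.0]))
    print("attacker at Kiel  :", classify_source(DIRECT_TANE_KIEL, ATTACK_FROM_KIEL_ONLY))
    print("attacker via Kiel :", classify_source(DIRECT_TANE_KIEL, ATTACK_VIA_KIEL_REDIRECTOR))
```

One caveat a practitioner should keep in mind: if the redirector terminates the TCP connection (a port-forwarding relay or tunnel), the transport-level RTT the victim sees is only the last link, because acknowledgements come from the relay's own stack. The attack-side samples therefore have to be application-layer timings, such as the interval between the victim sending a prompt or challenge and the attacker's data arriving, which do traverse the whole chain.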

  11. Experimental Results • The following servers were used: • TANE (Ternopil Academy of the National Economy, Ukraine, 217.196.166.105) • Kiel University (Germany, 134.245.52.122) • HTTL (Home To good service and Technology Ltd, London, England, 217.34.204.1)

  12. Direct connection

  13. Time Delays From HTTL to TANE

  14. Time Delays from TANE to HTTL

  15. Connection using redirector

  16. Time Delays from HTTL to TANE using Kiel-redirector

  17. Conclusion • The Time Delay Method has the ability to locate a remote computer in real time based on delays in IP packet travel • The Time Delay Method can also be used to analyze the nature of the links involved in the attack chain

  18. Contact Information Roman Romanyak: rrm@tanet.edu.te.ua Anatoly Sachenko: as@tanet.edu.te.ua Serhiy Voznyak: sv@tanet.edu.te.ua Gene Connolly: gene@einakabob.com George Markowsky: markov@umcs.maine.edu
