
Matching TCP/IP Packet to Detect Stepping-stone Intrusion


Presentation Transcript


  1. Matching TCP/IP Packet to Detect Stepping-stone Intrusion
  Jianhua Yang, TSYS School of Computer Science
  Edward Bosworth, Center for Information Assurance Education
  Columbus State University

  2. Layout
  • Background
  • Related Work
  • SWAM algorithm
  • Compare with SDC
  • Conclusion and future work

  3. 1. Background
  • How to attack other computers?
    • Interactive
    • Non-interactive
  • Interactive attack
    • Direct
    • Indirect

  4. Indirect attack: Stepping-stone Intrusion
  [Figure: Attacker, a chain of Stepping-stones, and the Victim, with a Monitor Point on one stepping-stone; labels "Stepping-stone Intrusion" and "Stepping-stone Intrusion Detection"]

  5. A detection model
  [Figure: the monitored host with an Incoming Connection and an Outgoing Connection]

  6. 2. Related Work
  • Content-based (Thumbprint) [1]
  • Time-based (ON-OFF) [2]
  • Deviation-based [3]
  • Packet-number-based [4, 7]
  • Watermark-based [5, 6]
  • One-dimensional Random-Walk [13]

  7. Another model
  [Figure: Send-Echo round trip and Send-Ack round trip through a Stepping-stone]
  Ratio = RTT(Send-Ack) / RTT(Send-Echo)

  8. The problems
  • Length estimation
  • Measure bar
  • Absorbing

  9. Matching TCP Packets
  • Step-function (packet matching) [8]
  • Fluctuation estimation [9]
  • Clustering-Partitioning algorithm [10, 11]

  10. SDC (Standard Deviation based Cluster matching)
  • RTT distribution
  Figure 1: A distribution of RTT for a connection chain

  11. How SDC works
  Send timestamps: S = {s1, s2, s3, s4} = {1099702684, 1099772525, 1099909440, 1099928524}
  Echo timestamps: E = {e1, e2, e3, e4} = {1099828523, 1099898019, 1100036000, 1100058999}
  For each send si, the candidate RTTs are the differences ej − si over all echoes:
  S1 = {125839, 195335, 333316, 356315}
  S2 = {55998, 125494, 263475, 286474}
  S3 = {−80917, −11421, 126560, 149559}
  S4 = {−100001, −30505, 107476, 130475}

  12. Basic idea of SDC
  • Combination: S = {s1, s2, …, sn}, E = {e1, e2, …, em}
    S1 = {s1e1, s1e2, …, s1em}, S2 = {s2e1, s2e2, …, s2em}, …, Sn = {sne1, sne2, …, snem}, where siej denotes the difference ej − si
  • Clusters: pick one element from each Si
  • Compute the standard deviation of each cluster
  • Get the smallest one: that cluster is the send/echo matching

  13. Complexity
  • m^n clusters for n send packets and m echo packets
  • Example: 80 send packets, 115 echo packets
    115^80 ≈ 7.175e+164 clusters

  14. SWAM (sliding window packet matching algorithm)
  • S = {s1, s2, s3, s4, s5, s6, s7, s8, s9, s10}
  • E = {e1, e2, e3, e4, e5, e6, e7, e8, e9, e10, e11, e12, e13, e14}
  • Window size = 3
  • Q, the sends and echoes merged in timestamp order:
    Q = {s1, s2, e1, s3, e2, s4, e3, e4, s5, e5, s6, e6, e7, s7, e8, e9, s8, e10, s9, e11, e12, s10, e13, e14}
    (Q1 on the slide is the same sequence as extracted.)

  15. Comparison
  • For the previous example (10 sends, 14 echoes):
  • SDC: number of clusters = 14^10 = 289,254,654,976
  • SWAM: number of clusters = 2^10 = 1024, about 0.00000035% of SDC's
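As an added example (this is not code from the presentation or the paper), the following Python reproduces the difference sets of slide 11, runs the exhaustive SDC search of slides 12 and 13 over that 4 × 4 case, and contrasts it with a sliding-window search in the spirit of SWAM from slides 14 and 15. The window rule used here (each send may only match the first `window` echoes recorded after it), the function names, and the use of the population standard deviation are assumptions; the slides do not state SWAM's actual candidate rule, so this code does not reproduce the 2^10 figure on slide 15, only the m^n figures for SDC.

```python
"""SDC exhaustive cluster matching versus an assumed sliding-window search,
run on the send/echo timestamps copied from slide 11 (added example)."""
from itertools import product
from statistics import pstdev

# Send and echo timestamps exactly as listed on slide 11 (units as recorded there).
S = [1099702684, 1099772525, 1099909440, 1099928524]
E = [1099828523, 1099898019, 1100036000, 1100058999]


def difference_sets(sends, echoes):
    """Row S_i = {e_j - s_i for every echo e_j}: the candidate RTTs of send s_i
    (slides 11 and 12)."""
    return [[e - s for e in echoes] for s in sends]


def best_cluster(sends, echoes, candidates):
    """Pick one echo index per send from `candidates` (one index list per send)
    and return (stdev, chosen indices, RTTs) for the cluster whose RTT values
    have the smallest standard deviation (slide 12)."""
    best = None
    for combo in product(*candidates):
        rtts = [echoes[j] - s for s, j in zip(sends, combo)]
        sd = pstdev(rtts)
        if best is None or sd < best[0]:
            best = (sd, list(combo), rtts)
    return best


def sdc_candidates(sends, echoes):
    """SDC considers every echo for every send: m**n clusters (slide 13)."""
    return [list(range(len(echoes))) for _ in sends]


def swam_candidates(sends, echoes, window):
    """ASSUMED window rule (the slides do not spell out SWAM's real one):
    for each send, only the first `window` echoes recorded after it are
    candidates, so at most window**n clusters are examined."""
    cands = []
    for s in sends:
        later = [j for j, e in enumerate(echoes) if e > s]
        cands.append(later[:window])
    return cands


def cluster_count(candidates):
    """Number of clusters the search over `candidates` will examine."""
    total = 1
    for c in candidates:
        total *= len(c)
    return total


def sdc_match(sends, echoes):
    return best_cluster(sends, echoes, sdc_candidates(sends, echoes))


def swam_match(sends, echoes, window):
    return best_cluster(sends, echoes, swam_candidates(sends, echoes, window))


if __name__ == "__main__":
    for i, row in enumerate(difference_sets(S, E), 1):
        print(f"S{i} = {row}")
    print("SDC clusters examined:", cluster_count(sdc_candidates(S, E)))
    print("SDC best cluster:", sdc_match(S, E))
    cands = swam_candidates(S, E, 3)
    print("window-3 clusters examined:", cluster_count(cands))
    print("window-3 best cluster:", swam_match(S, E, 3))
    # The SDC figures quoted on slides 13 and 15: 115**80 and 14**10 clusters.
    print(f"{cluster_count([list(range(115))] * 80):.3e}", 14 ** 10)
```

On the slide-11 data both searches settle on the diagonal matching (s1 with e1, s2 with e2, and so on), whose RTTs 125839, 125494, 126560 and 130475 sit within a few thousand of each other, but the exhaustive SDC search examines 4^4 = 256 clusters while the window-3 search examines 36.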

  16. General Comparison
  [Comparison table not preserved in the transcript]

  17. Live Sliding Window (LSW)
  • Why use LSW?
  • Possible?

  18. How to use LSW?
  • Determine the size of the live sliding window by the gap between si and sj

  19. Why does SWAM work?
  • Six facts from the TCP/IP protocol
  • For details, see Section 3.1 (Motivation) of the paper.

  20. Conclusion
  • SWAM works and is more efficient than SDC at matching TCP/IP packets.

  21. Future work
  • Using SWAM to compute the length of a connection chain.

  22. References
  • [1] Staniford-Chen, S., and Heberlein, L. T.: Holding Intruders Accountable on the Internet. Proc. IEEE Symposium on Security and Privacy, Oakland, CA, USA (1995) 39-49.
  • [2] Zhang, Y., and Paxson, V.: Detecting Stepping Stones. Proc. of the 9th USENIX Security Symposium, Denver, CO, USA (2000) 171-184.
  • [3] Yoda, K., and Etoh, H.: Finding Connection Chain for Tracing Intruders. Proc. 6th European Symposium on Research in Computer Security, Toulouse, France (2000) 31-42.
  • [4] Blum, A., Song, D., and Venkataraman, S.: Detection of Interactive Stepping-Stones: Algorithms and Confidence Bounds. Proceedings of International Symposium on Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, France (2004) 20-35.
  • [5] X. Wang, D. S. Reeves, S. F. Wu, and J. Yuill, "Sleepy Watermark Tracing: An Active Network-based Intrusion Response Framework," Proceedings of 16th International Conference on Information Security, Paris, France, June 2001, pp. 369-384.
  • [6] X. Wang, D. Reeves, and S. Wu, "Inter-Packet Delay-based Correlation for Tracing Encrypted Connections through Stepping Stones," Proceedings of 7th European Symposium on Research in Computer Security, Lecture Notes in Computer Science, Zurich, Switzerland, October 2002, Vol. 2502, pp. 244-263.
  • [7] T. He and L. Tong, "Detecting Encrypted Interactive Stepping-Stone Connections," Proc. 2006 IEEE International Conference on Acoustics, Speech, and Signal Processing, Toulouse, France, May 2006.

  23. References (cont.)
  • [8] Jianhua Yang, Shou-Hsuan Stephen Huang, "A Real-Time Algorithm to Detect Long Connection Chains of Interactive Terminal Sessions," Proceedings of 3rd ACM International Conference on Information Security (Infosecu'04), Shanghai, China, November 2004, pp. 198-203. (Acceptance rate 25%)
  • [9] Jianhua Yang, Shou-Hsuan Stephen Huang, "Characterizing and Estimating Network Fluctuation for Detecting Interactive Stepping-Stone Intrusion," Proceedings of International Conference on Communication, Network and Information Security, Phoenix, Arizona, November 2005, pp. 70-75. (Acceptance rate 34%)
  • [10] Jianhua Yang, Shou-Hsuan Stephen Huang, Ming D. Wan, "A Clustering-Partitioning Algorithm to Find TCP Packet Round-Trip Time for Intrusion Detection," Proceedings of 20th IEEE International Conference on Advanced Information Networking and Applications (AINA 2006), Vienna, Austria, April 2006, Vol. 1, pp. 231-236. (Acceptance rate 30%)
  • [11] Jianhua Yang, Stephen Huang, "Probabilistic Analysis of an Algorithm to Compute TCP Packet Round-Trip Time for Intrusion Detection," Journal of Computers and Security, Elsevier Ltd., Vol. 26 (2007), pp. 137-144.
  • [12] Guoqing Zhao, Jianhua Yang, Long Ni, Gurdeep S. Hura, and Shou-Hsuan Stephen Huang, "Correlating TCP/IP Interactive Sessions with Correlation Coefficient to Detect Stepping-Stone Intrusion," to be published in the Proceedings of 23rd IEEE International Conference on Advanced Information Networking and Applications (AINA 2009), Bradford, UK, May 2009.
  • [13] Jianhua Yang, Byong Lee, Shou-Hsuan Stephen Huang, "Monitoring Network Traffic to Detect Stepping-Stone Intrusion," Proceedings of 22nd IEEE International Conference on Advanced Information Networking and Applications (AINA 2008), Okinawa, Japan, March 2008, pp. 56-61.

  24. Thanks!
  • Questions?
