Identifying Stepping Stone Attack using Trace Back Based Detection Approach

Transcription

1 International Journal of Security Technology for Smart Device Vol.3, No.1 (2016), pp Identifying Stepping Stone Attack using Trace Back Based Detection Approach Shaik.Moulali 1 Electrical & Electronics Engineering, KL University,Vaddeswaram, Guntur. itsmoulali212@kluniversity.in Abstract Networking is one of the major technological areas that face intrusion threat. Intruders on the Internet often prefer to launch network intrusions indirectly, i.e., using a chain of hosts on the Internet as relay machines by using protocols such as Telnet or SSH. This type of attack is called a stepping-stone attack.stepping-stone attacks are often used by networkintruders to hide their identities. Tracing attackers traffic through stepping stones is a challengingproblem.the main source of attack arises from intermediate hosts or routers called as stepping stones. Our paper focuses on developing an effective intrusion detection algorithm that identifies the stepping stone through a trace back policy, despite the perturbation caused by jitter and chaff.it involves tracing back the encrypted stepping stone all the way from the target host to its origin point. To trace attacks through a stepping stone, it is necessary to correlate the incoming traffic with the outgoing traffic at the stepping stone. By using our approach, we can detect any anomalous interactive traffic. 1. Introduction Internet has become more important than before, however, at the same time, Internet attack has increased significantly [1]. Intruders on the Internet often launch network intrusions indirectly, in order to decrease their chances of being discovered. Attackers can use intermediate hosts as their stepping stone before attacking the real target [2]. This compromised host has given some advantages for attackers to hide their track. In a stepping- stone attack, an attacker uses a sequence of hosts on the Internet as relay machines and constructs a chain of interactive connections using protocols such as Telnet or SSH. The attacker types commands on his local machine and then the commands are relayed via the chain of stepping stones" until they finally reach the victim. Because the final victim only sees the traffic from the last hop of the chain of the stepping stones, it is difficult for the victim to learn any information about the true origin of the attack. There has been considerable research on stepping stone detection like content-based techniques, timing-based methods and soon. Here, the methods focused on passive traffic monitoring but also raised the issue of active traffic perturbations. The initial line of research focused on content-based detection techniques, including comparing content over different streams looking for a high degree of correlation and actively injecting content watermarkinto interactive traffic. Later, timing-based stepping stone detection has become an active research area. But timing-based stepping stone detection has then focused on making the algorithm Article history: Received (December 25, 2015), Review Result (February 11, 2016), Accepted (March 02, 2016) Print ISSN: , eissn: IJSTSD Copyright c 2016GV School Publication

2 Identifying Stepping Stone Attack using Trace back based Detection Approach more resistant to evasions like timing perturbation and chaffs. Later, watermark-based scheme was proposed, which detects correlation between streams of packets by actively injecting watermark into inter-packet delays which may not hold in practice. In this paper, we propose an effective intrusion detection algorithm that identifies the stepping stone through a trace back policy, despite the perturbation caused by jitter and chaff. To construct a stepping stone detection algorithm that is robust against timing perturbations, and, that doesn t allow the stepping stone to evade from the detection process. It involves tracing back the encrypted stepping stone all the way from the target host to its origin point. To trace attacks through a stepping stone, it is necessary to correlate the incoming traffic with the outgoing traffic at the stepping stone. By using our approach, we can detect any anomalous interactive traffic. 2. Related work Staniford and Heberlein proposed a content-based algorithm that created thumbprints of streams and compared them, looking for extremely good matches. Another content-based approach, Sleepy Water-mark tracing, was proposed by Wang et al. These content-based approaches require that the content of the streams under consideration do not change significantly between the streams. Thus, for example, they do not apply to encrypted traffic such as SSH sessions. Another line of work studies correlation of streams based on connection timings. Yoda and Etoh [3] proposed a deviation-based algorithm to trace the connection chains of intruders. They computed deviations between a known intruder stream and all other concurrent streams n the Internet compared the packets of streams which have small deviations from the intruder's stream, and utilize these analyses to identify a set of streams that match the intruder stream. Wang et al. [4] proposed another timing-based approach that uses the arrival and departure times of packets to correlate connections in real-time. They showed that the interpacket timing characteristics are preserved across many router hops, and often uniquely identify the correlations between connections. These algorithms based on connection timings, however, are all vulnerable to active timing pertubation by the attacker - they will not be able to detect stepping stones when the attacker actively perturbs the timings of the packets on the stepping-stone streams. Snapp et al. [5] develop Distributed Intrusion Detection System (DIDS), a host-based tracing mechanism that keep track of user in the network and account for all activities to network-wide IDS. Research by Jung et al. [6] also studies ahost-based and passive based tracing mechanism called Caller Identification System (CIS).Caller ID, research conducted by Air Force is anhost-based approach. Both DIDS and CIS use passiveapproaches where network packets need to be captured continuously. However, it is different from Caller ID where tracing is executed when an intrusion is occurred. Wang and Reeves [7] proposed a watermark-based scheme, which can detect correlation between streams of encrypted packets. However, they assumethat the attacker's timing perturbation of packets is independent and identically distributed (iid). 3. Attack model Considers an origin host (where the attacker is located), a final host (the attack target) and a stepping stone chain between attacker and target. In this model, the stepping stone detectionproblem consists of detecting whether a given node belongs to the chain between 16 Shaik.Moulali

3 International Journal of Security Technology for Smart Device Vol.3, No.1 (2016)pp attacker and target, and the attacker tracebackproblem consists of detecting all stepping stones and the origin host associated with an attack to a target host. Attackers typically utilize interactive sessions (e.g., Telnet, SSH) between the origin host and the stepping stones, and between pairs of stepping stones, for initiating the attack. Monitoring the communication exchanged across these sessions is a typical initial step towards solving both problems. A session can be characterized as a sequence of ON and OFF periods, as follows. When there is no data traffic on a session for more than Tidle seconds, the session is considered to be in an OFF period. We consider a packet as containing data only if it carries data in its TCP payload. When a packet with non- empty payload then appears, the flow ends its OFF period and begins an ON period, which lasts until the session again goes data-idle for Tidleseconds Figure 1. Model for stepping stone 4. Algorithm for stepping stone detection The stepping stone algorithm is based on the fact that if two nodes are part of a stepping stone chain, then the flow of traffic on these machines will be highly correlated. Each connection is split into a stream of ON-OFF periods. An OFF period starts if no data traffic has been observed on a connection for more than Tidle (set to 500 milliseconds). Any packet seen after a connection is in an OFF period marks the end of the OFF period and the start of an ON period. If the difference between end times of OFF periods (or start times of ON periods) across two connections is less than (set to 80 milliseconds), then these OFF periods are said to be correlated as shown in Figure 1. If the attacker injects timing jitter or delay of more than α milliseconds in one of the connections, then he will be able to evade detection. This is because OFF periods are considered correlated only if their end times differ by less than α. If the attacker injects chaff packets randomly in one of the connections then the ratio of correlated OFF periods to the total OFF periods will reduce. Injecting sufficient chaff will cause this ratio to fall below and the attacker will be able to evade detection. 5. Anomaly detection algorithm and trace back methodology Anomaly is referred to the jitter and chaff that is introduced in the stepping stone detection algorithm in order to evade it. Response-time based algorithm is developed to detect jitter and Copyright c 2016GV School Publication 17

4 Identifying Stepping Stone Attack using Trace back based Detection Approach chaff based anomalies in interactive traffic. The stepping stone detection algorithms together with the anomaly detection techniques form a robust attacker traceback methodology that is difficult to evade. All the anomaly detection algorithms are online and can detect jitter and chaff in live interactive traffic. Our response-time based anomaly detection algorithm is based on the fact that in an interactive session, a packet on the forward leg of a connection (e.g. from a client to a server) must be followed by a response on the backward leg within a certain amount of time. Let C be an interactive connection where C12 indicates the flow of packets from client to server and C21 indicates the flow of packets from server to client. The pseudo code for response-time based anomaly detection algorithm is as follows: 1. Initialize ON Packets = 0, Anomalous Packets = 0 2. Let C12 (resp., C21) be the forward (resp., reverse) direction of an interactive connection 3. Split the packets on C12 into ON and OFF periods using T idle. 4. For every acknowledgement sent on C21 for a data packet sent on C12 Update RTT using Jacobson/Karles algorithm For every packet sent at ON period from C12 Increment count for ON Packets If response packet from C21 is sent within (RTT + RT )msec Packet is not anomalous Else Packet is anomalous Increment count for Anomalous Packets If procedure Check for anomaly returns yes Return: connection is anomalous due to jitter 5. Return: connection is not anomalous. The timing based stepping stone detection algorithm and the anomaly detection technique can be efficiently combined to form an integrated methodology for detecting the source of an intrusion and tracing back to the attacker, as follows. If the attacker uses a chain of intermediate nodes for malicious activity then this methodology consists of iterating the combination of the timing based stepping stone detection algorithm and the three anomaly detection techniques. Each execution of this combination helps detecting a new stepping stone even in the presence of active traffic perturbation like jitter and chaff, and adds a new node on the path from the target to the attacker, until tracing back to the attacker is completed. In this process, any attempts by the attacker to evade detection using jitter or chaff will cause the traffic to appear anomalous and the anomaly detection algorithms will flag the connections as anomalous. 18 Shaik.Moulali

5 International Journal of Security Technology for Smart Device Vol.3, No.1 (2016)pp Conclusion In this paper, we propose an effective intrusion detection algorithm that identifies the stepping stone through a trace back policy, despite the perturbation caused by jitter and chaff. To construct a stepping stone detection algorithm that is robust against timing perturbations, and, that doesn t allow the stepping stone to evade from the detection process. It involves tracing back the encrypted stepping stone all the way from the target host to its origin point. The anomaly detection algorithm coupled with the stepping stone detection algorithm provides an integrated framework that is robust and difficult to evade. To trace attacks through a stepping stone, it is necessary to correlate the incoming traffic with the outgoing traffic at the stepping stone. By using our approach, we can detect any anomalous interactive traffic. References [1] CERT, Explosion of Incidents, accessed June (2007). [2] Y. Zhang and V. Paxson, Detecting Stepping Stones, Proceeding on 9 th USENIX Security Symposium, pp , (2000), Denver, CO. [3] K. Yoda andh. Etoh, Finding a connection chain for tracing intruders, In: F. Guppens, Y. Deswarte, D. Gollmann and M. Waidner, editors, 6th European Symposium on Research in Computer Security,ESORICS 2000 LNCS-1895, October (2000), Toulouse, France. [4] X. Wang, D. Reeves and S. Wu, Inter-packet delay-based correlation for tracing encrypted connections through stepping stones, In D.Gollmann, G.Karjoth, M.Waidner, eds.: 7th European Symposium on Research in Computer Security, (ESORICS 2002), Lecture Notes in Computer Science, Springer, Vol. 2502, pp ,(2002). [5] S.R. Snapp, J. Brentano, G.V. Dias, T.L. Goan, L.T. Heberlein, C. Ho, K.N. Levitt, B. Mukherjee, S. E. Smaha, T. Grance, D.M. Teal and D. Mansur, DIDS (Distributed Intrusion Detection System) Motivation, Architecture and Early Prototype, Proceeding 14th National Computer Security Conference, pp , (1991). [6] H.T. Jung, H.L. Kim, Y.M. Seo, G. Choe, S.L. Min and C.S. Kim, Caller Identification System In The Internet Environment, Proceedings of 4th USENIX Security Symposium, (1997). [7] X. Wang and D. Reeves, Robust correlation of encrypted attack traffic through stepping stones by manipulation of inter-packet delays, In: Proceedings of the 2003 ACM Conference on Computer and Communications Security (CCS 2003), ACM Press, pp , (2003). Copyright c 2016GV School Publication 19

6 Identifying Stepping Stone Attack using Trace back based Detection Approach 20 Shaik.Moulali