Network Intrusion Goals and Methods

Size: px

Start display at page:

Download "Network Intrusion Goals and Methods"

Christopher Fitzgerald
5 years ago
Views:

1 Network Intrusion Goals and Methods Mgr. Rudolf B. Blažek, Ph.D. Department of Computer Systems Faculty of Information Technologies Czech Technical University in Prague Rudolf Blažek Network Security MI-SIB, ZS 2011/12, Lecture 4 The European Social Fund Prague & EU: We Invest in Your Future

2 Cíle a metody síťových útoků Mgr. Rudolf B. Blažek, Ph.D. Katedra počítačových systémů Fakulta informačních technologií České vysoké učení technické v Praze Rudolf Blažek Síťová bezpečnost MI-SIB, ZS 2011/12, Přednáška 4 Evropský sociální fond Praha & EU: Investujeme do vaší budoucnosf

3 Network Intrusion Goals and Methods Trends in Attack Goals and Methods 3

4 Trends in Attack Goals and Methods Trends in Attack Goals and Methods Source: Breach Security, Web Hacking Incidents Database Report

5 Trends in Attack Goals and Methods Attack Goals Source: Breach Security, Web Hacking Incidents Database Report 2007 & 2011 Figu 5

6 Trends in Attack Goals and Methods Trends in Attack Goals and Methods Source: Breach Security, Web Hacking Incidents Database Report

7 Trends in Attack Goals and Methods Figure 2 Attack Methods Used Source: Breach Security, Web Hacking Incidents Database Report 2007 &

8 Weaknesses Used Application Weaknesses Used Figu Source: Breach Security, Web Hacking Incidents Database Report

9 Summary Application Weaknesses, Attack Methods, Outcomes Outcome Attack Method Application Weakness Government Defacement (26%) SQL Injection (24%) Improper Input Handling (26%) Finance Monetary Loss (64%) Stolen Credentials (36%) Insufficient Authentication (59%) Retail Credit Card Leakage (27% SQL Injection (27%) Improper Input Handling (27%) Source: Breach Security, Web Hacking Incidents Database Report

10 Further Reading Application Weaknesses vs. Attack Methods Attack -> Application Weakness DoS/Brute Force -> Insufficient Anti-automation Example: SQL Injection -> Improper Input Handling XSS -> Improper Output Handling Read: Threat classification %20Classification Source: Breach Security, Web Hacking Incidents Database Report

11 Types of Network Intrusions Types of Network Intrusions 11

12 Types of Network Intrusions Main Types of Network Intrusions Man-in-the-Middle attacks (MiM) ARP, DHCP, DNS, WiFi Deauthentication, fake SSL certs Denial of service attacks TCP SYN, DHCP, Botnets, IP Spoofing (TCP packet bounce) Port scanning Usually a preparation for attacks on system and software Hybrid attacks Carried over the network, but not exploiting net protocols E.g. password cracking, buffer overflows, worms, SQL injection, cross-site scripting 12

13 Types of Network Intrusions External vs. Insider Intrusions External Network Intrusions Performed by attackers outside the LAN or CAN Include port scanning, denial of service, password cracking But also worm intrusions, buffer overflows, etc... Can often be detected by relatively simple methods Signature detection Rule based detection Various statistical approaches 13

14 Types of Network Intrusions External vs. Insider Intrusions Insider Network Intrusions Performed by attackers INSIDE the company A spy employee paid by a competitor An unhappy employee, or one who is getting fired A social engineer Attacker who penetrated computers in a subsidiary (e.g. external attacks like worms, key loggers) Extremely hard to detect Attackers are very smart, act like regular users Advanced methods are needed, e.g. behavioral, statistical 14

15 Types of Network Intrusions U.S. DoE Backbone Network Fusion Center in Oak Ridge IDS Sensor Chicago New York IDS Sensor IDS Sensor Sunnyvale IDS Sensor Washington Atlanta IDS Sensor IDS Sensor El Paso Corporate Backbone IDS Communication 15

16 Examples Network Attack Examples 16

17 Examples In the second half of 2007, 58 percent of all vulnerabilities affected Web applications Symantec Today over 70% of attacks against a company s web site or web application come at the application layer not the network or the system layer. -- Gartner 17

18 Examples Man-in-the Middle Attacks Discussed before Can use ARP, DNS, WiFi or other protocols Encrypted connections like SSH or HTTPS hijacked via fake public keys (fake identity) Goals of MiM attacks: Capture login names and passwords Record or hijack connections both in a LAN and to the outside world 18

19 Denial-of-Service Attacks Denial-of-Service Attacks DoS attacks flood a server/network host with requests or data To prevent other clients from accessing the server To overload and crash the server, host or device (router, switch) Often DoS attacks are distributed Carried out by bots (robots) a.k.a. zombie computers Computers become zombies after infection by worms or viruses Infected zombies are controlled e.g via chat rooms Some experts claim: DoS attacks are obvious or unimportant. 19

20 Denial-of-Service Attacks Denial-of-Service Attacks Important scenarios when DoS attacks represent a serious threat: Mission Critical Networks (financial, medical, military networks) Customers of large ISPs Wireless networks (WiFi, etc.) There is need for early DoS detection DoS flooding attacks remain the subject of intensive research 20

21 Intrusion Detection An Example Experimental Results: Detection of DOS Attacks (continued from last lecture) 21

22 Intrusion Detection Denial-of-Service Attacks Ad-hoc Detection of DoS Attacks Observing network performance degradation or outage Phone calls from users who are unable to access their or Experience many dropped or sluggish connections Centers often monitor the number of dropped connections Monitoring of some reasonable network characteristic Link saturation (suspects an attack if a customer's link becomes 98% utilized) Number of flows per a host and port (trigger alert if a host has too many connections on a single port) 22

23 Intrusion Detection Denial-of-Service Attacks Ad-hoc Detection of DoS Attacks Signature based detection Only detects selected sets of DOS attacks. Tremendous false alarm rates Frequently missed detections, especially of unknown attacks. Questions: How do you decide what thresholds to use? What about false alerts? 23

24 Intrusion Detection Denial-of-Service Attacks How to Measure Intrusion Detection System Performance? Probability of false alarm and probability of successful detection? How long period are we considering? False alarms will occur for sure when we monitor the network for a long period Attacks that stop quickly are harder to detect than longterm intrusions Even very weak attacks should be detected if they last long enough 24

25 Intrusion Detection Denial-of-Service Attacks Packet Interarrival Times TCP-SYN Flood Average numbers of TCP packets per second: Normal traffic: Modified attack traffic: Sampling period: 0.1 seconds Optimized MNA-CUSUM: ε opt = Time between packet arrivals (seconds) 25

26 Intrusion Detection Sequential Statistical Detection Sequential Statistical Learning Sequential NP-CUSUM statistic Historical estimate of E(X n ) S n = max{0, S n 1 + X n µ εˆθ n }, S 0 = 0 A network characteristic observed in the n th time interval: Number of UDP packets in a size bin Number of packets of a particular type (TCP SYN, ICMP or ARP packets) Number of failed connections Level of link saturation An estimate of E(X n ) under attack Tuning parameter 26

27 Intrusion Detection Sequential Statistical Detection Sequential ID Algorithm with Reflection S k attack begins attack detected threshold possible false alarms update information detection delay time 27

28 Intrusion Detection Sequential Statistical Detection Resampling of Interarrival Times Observed sequence of random variables (or vectors): X1, X2,... Some network characteristics observed at times t1, t2,... Examples: packets sizes, numbers of TCP SYN, ICMP or ARP packets, numbers of failed connections, levels of link saturation etc. Classical Resampling (Bootstrap, Permutation Tests): Resample X1, X2,..., Xn and construct sequential statistic Repeat the process and estimate the FAR (no attack) and ADD (attack) FAR = False Alarm Rate ADD = Average Detection Delay 28

29 Intrusion Detection Sequential Statistical Detection Optimization of the MNA-CUSUM procedure ADD log(far)

30 Intrusion Detection Sequential Statistical Detection Optimization of MNA-CUSUM procedure Observed Value Approximation 4.5 Slope of operating characteristics line Epsilon (optimal value = ) 30

31 Intrusion Detection Sequential Statistical Detection Comparison of the Optimized Non- Parametric and Ad-hoc Tests Optimized Test Not Optimized Test Time of attack: sec Time of detection: sec Detection delay: 6.02 sec Avg. TFD: sec Epsilon: Time of attack: sec Time of detection: sec Detection delay: sec Avg. TFD: sec 700 Sequential Statistic S(k) Sequential Statistic S(k) Time (seconds) Time (seconds) 31

32 Intrusion Detection Sequential Statistical Detection Performance of the Detection Procedure Epsilon=0 Epsilon=0.020 Epsilon=0.050 Epsilon= ADD log(far) 32

Intrusion Techniques

Intrusion Techniques Mgr. Rudolf B. Blažek, Ph.D. Department of Systems Faculty of Information Technologies Czech Technical University in Prague Rudolf Blažek 2010-2011 Network Security MI-SIB, ZS 2011/12,