A Software Tool for Network Intrusion Detection

Similar documents
Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods

Configuring attack detection and prevention 1

DDoS Testing with XM-2G. Step by Step Guide

Configuring attack detection and prevention 1

Resources and Credits. Definition. Symptoms. Denial of Service 3/3/2010 COMP Information on Denial of Service attacks can

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

INTRODUCTION ON D-DOS. Presentation by RAJKUMAR PATOLIYA

Attack Prevention Technology White Paper

Network Security. Chapter 0. Attacks and Attack Detection

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Denial of Service and Distributed Denial of Service Attacks

Denial of Service, Traceback and Anonymity

Computer Security: Principles and Practice

HP High-End Firewalls

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Distributed Denial of Service (DDoS)

HP High-End Firewalls

Denial of Service (DoS) attacks and countermeasures

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

9. Security. Safeguard Engine. Safeguard Engine Settings

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Anatomy and Mechanism of DOS attack

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Chapter 7. Denial of Service Attacks

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

Worldwide Detection of Denial of Service (DoS) Attacks

SecBlade Firewall Cards Attack Protection Configuration Example

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

SANS SEC504. Hacker Tools, Techniques, Exploits and Incident Handling.

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Chapter 8 roadmap. Network Security

H3C SecPath Series High-End Firewalls

ELEC5616 COMPUTER & NETWORK SECURITY

Last lecture we talked about how Intrusion Detection works. Today we will talk about the attacks. Intrusion Detection. Shell code

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Denial of Service. Eduardo Cardoso Abreu - Federico Matteo Bencic - Pavel Alexeenko -

Network Security. Thierry Sans

Our Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities

Denial of Service. EJ Jung 11/08/10

Towards Intelligent Fuzzy Agents to Dynamically Control the Resources Allocations for a Network under Denial of Service Attacks

DDoS and Traceback 1

Improved Detection of Low-Profile Probes and Denial-of-Service Attacks*

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

Detecting Denial of Service Intrusion Detection Aamir Islam Dept. of Computer Science, University of Central Punjab, Lahore, Pakistan.

Denial of Service (DoS)

IBM i Version 7.3. Security Intrusion detection IBM

CSC 574 Computer and Network Security. TCP/IP Security

HP Load Balancing Module

Technical White Paper June 2016

Flashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities

Common Network Attacks

Lecture 6: Worms, Viruses and DoS attacks. II. Relationships between Biological diseases and Computers Viruses/Worms

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers

NETWORK SECURITY. Ch. 3: Network Attacks

Network Security. Tadayoshi Kohno

Guide to DDoS Attacks November 2017

Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS

network security s642 computer security adam everspaugh

DENIAL OF SERVICE ATTACKS

CTS2134 Introduction to Networking. Module 08: Network Security

The Protocols that run the Internet

DDoS PREVENTION TECHNIQUE

Module 19 : Threats in Network What makes a Network Vulnerable?

Basic Concepts in Intrusion Detection

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 9

ECE 435 Network Engineering Lecture 10

Introduction to Computer Security

Detecting Specific Threats

Operational Security Capabilities for IP Network Infrastructure

Cloudflare Advanced DDoS Protection

To Study and Explain the Different DDOS Attacks In MANET

COMPUTER NETWORK SECURITY

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

A Study on Intrusion Detection Techniques in a TCP/IP Environment

CE Advanced Network Security Botnets

International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN

CSE 565 Computer Security Fall 2018

StreamWorks A System for Real-Time Graph Pattern Matching on Network Traffic

Strengthening and Securing the TCP/IP Stack against SYN Attacks

20-CS Cyber Defense Overview Fall, Network Basics

On A Recursive Algorithm for SYN Flood Attacks

CSE 565 Computer Security Fall 2018

Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks

ICS 451: Today's plan

Unit 4: Firewalls (I)

MITIGATING DDOS ATTACK IN CLOUD ENVIRONMENT WITH PACKET FILTERING USING IPTABLES

Network Security. Network Vulnerabilities

Sun Mgt Bonus Lab 2: Zone and DoS Protection on Palo Alto Networks Firewalls 1

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management

A quick theorical introduction to network scanning. 23rd November 2005

Configuring IP Services

Transcription:

A Software Tool for Network Intrusion Detection 4th Biennial Conference Presented by: Christiaan van der Walt Date:October 2012

Presentation Outline Need for intrusion detection systems Overview of attacks Illustration of network traffic for various attacks Simulation of data Description of NetID Algorithm Illustration of NetID Software Tool Future Work CSIR 2012 Slide 2

The Need for Network Intrusion Detection Systems Online services and security of data Serve content -> serve applications Online services include internet banking, e-commerce, video streaming, Gmail Data services include Dropbox, Google Docs, Google Drive Threats: hacking, Denial of Service (DoS) attacks Victims of DoS attacks include Yahoo, ebay, e-trade, CNN Distributed DoS attacks Why another software tool? CSIR 2012 Slide 3

Types of DoS attacks Consumption of computational resources bandwidth, disk space, processor time Disruption of configuration information routing information Disruption of state information unsolicited resetting of TCP connections Obstructing communication media users and victim can t communicate adequately CSIR 2012 Slide 4

Commonly used attacks TCP SYN (Neptune) flooding attack More than 90% of DoS attacks use the TCP protocol SYN flood is the most commonly-used TCP attack Exploits the limitation of the three-way hand shake, that maintains half-open connections for a certain time period Neptune - SYN flood denial of service on one or more ports CSIR 2012 Slide 5

Commonly used attacks ICMP (Smurf) attack Use spoofed broadcast ICMP echo (ping) messages Sends spoofed ping messages (spoof ip address so that it seems the victim of the attack is sending them) The network to which these ping requests are sent, then forwards these requests to all hosts in the network and each of them respond with an echo reply, thus multiplying the traffic by the number of hosts Teardrop attack Exploits the flaw in the implementation of TCP/IP stacks that can not handle overlapping IP fragments Sends mangled IP packets with overlapping IP fragments, and large payloads to victim of attack CSIR 2012 Slide 6

What do DoS Attacks Look Like? Figure: Network packet rate for different attacks CSIR 2012 Slide 7

Approaches to detecting DoS flooding attacks Adaptive threshold algorithms Monitor the traffic flow (number of packets per second), in case of SYN flood, they monitor the SYN packet rate When packet rate exceeds a threshold a possible intrusion is flagged Threshold is adapted to account for daily and weekly variations, typically make use of mean packet rate of recent traffic Change-point detection algorithms Based on hypothesis testing for iid data Continually estimate a statistical distribution of network traffic, and test whether the change in distribution is statistically significant CSIR 2012 Slide 8

Algorithm Development Make use DARPA Intrusion Detection Evaluation Data generated by MIT The simulated the following DoS attacks CSIR 2012 Slide 9

Data Simulation Setup CSIR 2012 Slide 10

NetID Online Detection Algorithm Detect attacks in real-time (is capable of scanning 4 hours of data in a few minutes) High detection accuracy and fast detection time (< 5 seconds) Performs change detection via an advanced statistics adaptive threshold algorithm Algorithm Specify sampling rate (typically 5ms) Arrival times of network packets are converted to packet rate (packets per sampling rate) Specify window length (typically 80s) Estimate the probability density function (PDF) of the data in the time window starting at time t Specify a window step size (typically 2.5s) Move the samples in the window to time t + step_size Estimate the PDF of window t + step_size Calculate the change in distribution Test if change > threshold CSIR 2012 Slide 11

Simulation results Smurf Attack 1 CSIR 2012 Slide 12

Simulation results Neptune Attack 1 CSIR 2012 Slide 13

Simulation results Smurf Attack 2 CSIR 2012 Slide 14

NetID Software Tool (Illustration) CSIR 2012 Slide 15

Operator Controls Figure: Operator Tools Figure: Parameter settings CSIR 2012 Slide 16

Future Work Add more intrusion detection algorithms to NetID Software Investigate more attacks and their detection performance Simulate our own attacks (possibly from within NetID Software) Further develop the analysis tools for NetID CSIR 2012 Slide 17

Thank you

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback