Identifying Stepping Stone Attack using Trace Back Based Detection Approach


International Journal of Security Technology for Smart Device Vol.3, No.1 (2016), pp.15-20
http://dx.doi.org/10.21742/ijstsd.2016.3.1.03

Identifying Stepping Stone Attack using Trace Back Based Detection Approach

Shaik Moulali
Electrical & Electronics Engineering, KL University, Vaddeswaram, Guntur
itsmoulali212@kluniversity.in

Article history: Received (December 25, 2015), Review Result (February 11, 2016), Accepted (March 02, 2016)
Print ISSN: 2205-8451, eISSN: 2207-4244
IJSTSD Copyright (c) 2016 GV School Publication

Abstract

Networking is one of the major technological areas that face the threat of intrusion. Intruders on the Internet often prefer to launch network intrusions indirectly, i.e., using a chain of hosts on the Internet as relay machines connected through protocols such as Telnet or SSH. This type of attack is called a stepping-stone attack; stepping-stone attacks are often used by network intruders to hide their identities. Tracing attacker traffic through stepping stones is a challenging problem, because from the target's point of view the attack appears to originate from intermediate hosts or routers, the stepping stones. This paper focuses on developing an effective intrusion detection algorithm that identifies the stepping stone through a trace back policy, despite the perturbation caused by jitter and chaff. It involves tracing the encrypted stepping-stone chain back all the way from the target host to its origin. To trace attacks through a stepping stone, it is necessary to correlate the incoming traffic with the outgoing traffic at the stepping stone. Using this approach, anomalous interactive traffic can be detected.

1. Introduction

The Internet has become more important than ever before, but at the same time Internet attacks have increased significantly [1]. Intruders on the Internet often launch network intrusions indirectly in order to decrease their chances of being discovered. Attackers can use intermediate hosts as stepping stones before attacking the real target [2]; such compromised hosts give attackers a way to hide their tracks.

In a stepping-stone attack, an attacker uses a sequence of hosts on the Internet as relay machines and constructs a chain of interactive connections using protocols such as Telnet or SSH. The attacker types commands on his local machine, and the commands are relayed via the chain of stepping stones until they finally reach the victim. Because the final victim only sees the traffic from the last hop of the chain of stepping stones, it is difficult for the victim to learn anything about the true origin of the attack. There has been considerable research on stepping stone detection, including content-based techniques and timing-based methods. These methods focused on passive traffic monitoring, but also raised the issue of active traffic perturbation. The initial line of research focused on content-based detection techniques, including comparing content across different streams looking for a high degree of correlation, and actively injecting content watermarks into interactive traffic. Later, timing-based stepping stone detection became an active research area, and its focus shifted to making the algorithm

more resistant to evasions such as timing perturbation and chaff. Later still, a watermark-based scheme was proposed, which detects correlation between streams of packets by actively injecting a watermark into inter-packet delays; its assumptions may not hold in practice.

In this paper, we propose an effective intrusion detection algorithm that identifies the stepping stone through a trace back policy, despite the perturbation caused by jitter and chaff. The goal is a stepping stone detection algorithm that is robust against timing perturbations and does not allow the stepping stone to evade the detection process. It involves tracing the encrypted stepping-stone chain back all the way from the target host to its origin. To trace attacks through a stepping stone, it is necessary to correlate the incoming traffic with the outgoing traffic at the stepping stone. Using this approach, anomalous interactive traffic can be detected.

2. Related work

Staniford and Heberlein proposed a content-based algorithm that creates thumbprints of streams and compares them, looking for extremely good matches. Another content-based approach, Sleepy Watermark Tracing, was proposed by Wang et al. These content-based approaches require that the content of the streams under consideration does not change significantly between streams; thus, for example, they do not apply to encrypted traffic such as SSH sessions.

Another line of work studies the correlation of streams based on connection timings. Yoda and Etoh [3] proposed a deviation-based algorithm to trace the connection chains of intruders. They computed deviations between a known intruder stream and all other concurrent streams on the Internet, compared the packets of streams that have small deviations from the intruder's stream, and used these analyses to identify a set of streams that match the intruder stream. Wang et al. [4] proposed another timing-based approach that uses the arrival and departure times of packets to correlate connections in real time. They showed that inter-packet timing characteristics are preserved across many router hops and often uniquely identify the correlations between connections. These algorithms based on connection timings, however, are all vulnerable to active timing perturbation by the attacker: they cannot detect stepping stones when the attacker actively perturbs the timing of the packets on the stepping-stone streams.

Snapp et al. [5] developed the Distributed Intrusion Detection System (DIDS), a host-based tracing mechanism that keeps track of users in the network and reports all their activities to a network-wide IDS. Research by Jung et al. [6] also studies a host-based, passive tracing mechanism called the Caller Identification System (CIS). Caller ID, research conducted by the Air Force, is also a host-based approach. Both DIDS and CIS use passive approaches in which network packets need to be captured continuously; Caller ID differs in that tracing is executed only when an intrusion has occurred. Wang and Reeves [7] proposed a watermark-based scheme that can detect correlation between streams of encrypted packets. However, they assume that the attacker's timing perturbation of packets is independent and identically distributed (iid).

3. Attack model

The attack model considers an origin host (where the attacker is located), a final host (the attack target) and a stepping stone chain between attacker and target. In this model, the stepping stone detection problem consists of detecting whether a given node belongs to the chain between attacker and target, and the attacker traceback problem consists of detecting all stepping stones and the origin host associated with an attack on a target host. Attackers typically use interactive sessions (e.g., Telnet, SSH) between the origin host and the stepping stones, and between pairs of stepping stones, to carry out the attack. Monitoring the communication exchanged across these sessions is a typical initial step towards solving both problems.

A session can be characterized as a sequence of ON and OFF periods, as follows. When there is no data traffic on a session for more than T_idle seconds, the session is considered to be in an OFF period. A packet is considered to contain data only if it carries data in its TCP payload. When a packet with a non-empty payload then appears, the flow ends its OFF period and begins an ON period, which lasts until the session again goes data-idle for T_idle seconds.

Figure 1. Model for stepping stone

4. Algorithm for stepping stone detection

The stepping stone algorithm is based on the fact that if two nodes are part of a stepping stone chain, then the flow of traffic on these machines will be highly correlated. Each connection is split into a stream of ON-OFF periods. An OFF period starts if no data traffic has been observed on a connection for more than T_idle (set to 500 milliseconds). Any packet seen after a connection is in an OFF period marks the end of the OFF period and the start of an ON period. If the difference between the end times of OFF periods (or the start times of ON periods) across two connections is less than α (set to 80 milliseconds), then these OFF periods are said to be correlated, as shown in Figure 1.

If the attacker injects timing jitter or a delay of more than α milliseconds in one of the connections, then he will be able to evade detection, because OFF periods are considered correlated only if their end times differ by less than α. If the attacker randomly injects chaff packets in one of the connections, then the ratio of correlated OFF periods to the total number of OFF periods will decrease. Injecting sufficient chaff will cause this ratio to fall below the detection threshold, and the attacker will be able to evade detection.

5. Anomaly detection algorithm and trace back methodology

Here, an anomaly refers to the jitter and chaff that an attacker introduces in order to evade the stepping stone detection algorithm. A response-time based algorithm is developed to detect jitter and

chaff-based anomalies in interactive traffic. The stepping stone detection algorithm together with the anomaly detection techniques forms a robust attacker traceback methodology that is difficult to evade. All the anomaly detection algorithms are online and can detect jitter and chaff in live interactive traffic.

Our response-time based anomaly detection algorithm is based on the fact that in an interactive session, a packet on the forward leg of a connection (e.g. from a client to a server) must be followed by a response on the backward leg within a certain amount of time. Let C be an interactive connection, where C12 denotes the flow of packets from client to server and C21 denotes the flow of packets from server to client. The pseudo code for the response-time based anomaly detection algorithm is as follows:

1. Initialize ON Packets = 0, Anomalous Packets = 0.
2. Let C12 (resp. C21) be the forward (resp. reverse) direction of an interactive connection.
3. Split the packets on C12 into ON and OFF periods using T_idle.
4. For every acknowledgement sent on C21 for a data packet sent on C12:
     Update RTT using the Jacobson/Karels algorithm.
     For every packet sent in an ON period on C12:
       Increment the count of ON Packets.
       If the response packet from C21 is sent within (RTT + RT) msec:
         the packet is not anomalous.
       Else:
         the packet is anomalous; increment the count of Anomalous Packets.
     If the procedure "Check for anomaly" returns yes:
       Return: the connection is anomalous due to jitter.
5. Return: the connection is not anomalous.

The timing based stepping stone detection algorithm and the anomaly detection technique can be efficiently combined into an integrated methodology for detecting the source of an intrusion and tracing back to the attacker, as follows. If the attacker uses a chain of intermediate nodes for malicious activity, the methodology consists of iterating the combination of the timing based stepping stone detection algorithm and the three anomaly detection techniques. Each execution of this combination detects a new stepping stone even in the presence of active traffic perturbation such as jitter and chaff, and adds a new node on the path from the target to the attacker, until the trace back to the attacker is complete. In this process, any attempt by the attacker to evade detection using jitter or chaff will cause the traffic to appear anomalous, and the anomaly detection algorithms will flag the connections as anomalous.
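The ON/OFF-period correlation test of Section 4 and the response-time check of Section 5 are worked through in the added Python example below. This is illustration code written for this edit, not the paper's implementation. It uses the paper's stated constants (T_idle = 500 ms, α = 80 ms) and, because the paper does not give them, assumes a correlation-ratio threshold of 0.5, an RT allowance of 200 ms and a 20% anomalous-packet fraction for the "Check for anomaly" step. The greedy in-order matching of OFF-period ends, the Packet record, the KEYSTROKES timestamps and the build_session trace generator are all constructed for the example.

```python
"""Added example (not the paper's code): Section 4's ON/OFF-period correlation test
and Section 5's response-time anomaly detector, run on constructed traces."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

T_IDLE = 0.500           # paper: T_idle = 500 ms
ALPHA = 0.080            # paper: alpha = 80 ms
RATIO_THRESHOLD = 0.50   # ASSUMPTION: the paper gives no value for the ratio threshold
RT_SLACK = 0.200         # ASSUMPTION: the paper's "RT" allowance is not given a value
ANOMALY_FRACTION = 0.20  # ASSUMPTION: the paper's "Check for anomaly" rule is unspecified

def on_period_starts(times: List[float], t_idle: float = T_IDLE) -> List[float]:
    """ON-period start times (= OFF-period end times) of one flow direction: the first
    data packet, and every packet arriving more than t_idle after its predecessor."""
    return [t for i, t in enumerate(times) if i == 0 or t - times[i - 1] > t_idle]

def correlated_off_ratio(starts_a: List[float], starts_b: List[float],
                         alpha: float = ALPHA) -> float:
    """Share of OFF-period ends that line up across two flows within alpha (greedy,
    in order). The denominator is the larger count, so chaff on either side, which
    fills idle gaps and removes OFF periods, lowers the ratio."""
    total = max(len(starts_a), len(starts_b))
    if total == 0:
        return 0.0
    matched, j = 0, 0
    for ta in starts_a:
        while j < len(starts_b) and starts_b[j] <= ta - alpha:
            j += 1
        if j < len(starts_b) and abs(starts_b[j] - ta) < alpha:
            matched += 1
            j += 1
    return matched / total

def is_stepping_stone_pair(times_in: List[float], times_out: List[float]) -> bool:
    """Section 4 decision: incoming and outgoing flows at a host are correlated."""
    ratio = correlated_off_ratio(on_period_starts(times_in), on_period_starts(times_out))
    return ratio >= RATIO_THRESHOLD

@dataclass
class Packet:
    t: float
    from_client: bool            # True for C12 (client -> server), False for C21
    payload: int                 # TCP payload bytes; 0 for a pure ACK
    acks: Optional[int] = None   # index of the C12 data packet this ACK covers

class RttEstimator:
    """Jacobson/Karels smoothed RTT (gains 1/8 and 1/4), updated once per ACK."""
    def __init__(self):
        self.srtt: Optional[float] = None
        self.rttvar = 0.0

    def update(self, sample: float) -> float:
        if self.srtt is None:
            self.srtt, self.rttvar = sample, sample / 2
        else:
            err = sample - self.srtt
            self.srtt += err / 8
            self.rttvar += (abs(err) - self.rttvar) / 4
        return self.srtt

def response_time_anomalies(packets: List[Packet], slack: float = RT_SLACK) -> Tuple[int, int]:
    """Section 5 detector: (ON packets, anomalous packets) on C12. Every C12 data packet
    lies in an ON period; it is anomalous if the first C21 data packet after it arrives
    later than SRTT + slack."""
    packets = sorted(packets, key=lambda p: p.t)
    client_data = [p for p in packets if p.from_client and p.payload > 0]
    rtt, pending, on_packets, anomalous = RttEstimator(), [], 0, 0
    for p in packets:
        if p.from_client:
            if p.payload > 0:
                on_packets += 1
                pending.append(p.t)
            continue
        if p.acks is not None:
            rtt.update(p.t - client_data[p.acks].t)
        if p.payload > 0:  # a C21 data packet answers every pending C12 packet
            budget = (rtt.srtt or 0.0) + slack
            anomalous += sum(1 for sent in pending if p.t - sent > budget)
            pending = []
    anomalous += len(pending)  # ASSUMPTION: C12 data never answered counts as anomalous
    return on_packets, anomalous

def connection_is_anomalous(packets: List[Packet]) -> bool:
    on_packets, anomalous = response_time_anomalies(packets)
    return on_packets > 0 and anomalous / on_packets > ANOMALY_FRACTION

KEYSTROKES = [0.0, 0.05, 0.10, 1.0, 1.05, 2.5, 2.55, 2.60, 4.0]  # constructed send times (s)

def build_session(chaff_times: List[float]) -> List[Packet]:
    """Constructed trace: each keystroke is ACKed after 50 ms and echoed after 100 ms;
    chaff (extra C12 data sent in idle gaps) is only ACKed, never answered."""
    pkts = []
    for idx, t in enumerate(sorted(KEYSTROKES + chaff_times)):
        pkts.append(Packet(t, True, 1))
        pkts.append(Packet(t + 0.05, False, 0, acks=idx))
        if t in KEYSTROKES:
            pkts.append(Packet(t + 0.10, False, 1))
    return pkts
```

With these inputs, `is_stepping_stone_pair(KEYSTROKES, [t + 0.02 for t in KEYSTROKES])` reports a correlated relay pair (every OFF-period end lines up within α); shifting the outgoing flow by 0.15 s, i.e. jitter larger than α, drops the ratio to 0, and inserting chaff timestamps into the idle gaps of the outgoing flow removes three of its four OFF periods so the ratio falls to 0.25. On the Section 5 side, `connection_is_anomalous(build_session([0.5, 1.5, 2.0, 3.0, 3.5]))` flags the chaffed session, because the chaff packets are acknowledged but no C21 data follows them within SRTT + RT, while the clean session has no anomalous packets.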

6. Conclusion

In this paper, we propose an effective intrusion detection algorithm that identifies the stepping stone through a trace back policy, despite the perturbation caused by jitter and chaff. The goal is a stepping stone detection algorithm that is robust against timing perturbations and does not allow the stepping stone to evade the detection process. It involves tracing the encrypted stepping-stone chain back all the way from the target host to its origin. The anomaly detection algorithm coupled with the stepping stone detection algorithm provides an integrated framework that is robust and difficult to evade. To trace attacks through a stepping stone, it is necessary to correlate the incoming traffic with the outgoing traffic at the stepping stone. Using this approach, anomalous interactive traffic can be detected.

References

[1] CERT, Explosion of Incidents, http://www.cert.org, accessed June (2007).
[2] Y. Zhang and V. Paxson, Detecting Stepping Stones, Proceedings of the 9th USENIX Security Symposium, pp. 67-81, Denver, CO, (2000).
[3] K. Yoda and H. Etoh, Finding a Connection Chain for Tracing Intruders, in: F. Cuppens, Y. Deswarte, D. Gollmann and M. Waidner (eds.), 6th European Symposium on Research in Computer Security (ESORICS 2000), LNCS 1895, Toulouse, France, October (2000).
[4] X. Wang, D. Reeves and S. Wu, Inter-packet Delay-based Correlation for Tracing Encrypted Connections through Stepping Stones, in: D. Gollmann, G. Karjoth and M. Waidner (eds.), 7th European Symposium on Research in Computer Security (ESORICS 2002), Lecture Notes in Computer Science, Vol. 2502, Springer, pp. 244-263, (2002).
[5] S.R. Snapp, J. Brentano, G.V. Dias, T.L. Goan, L.T. Heberlein, C. Ho, K.N. Levitt, B. Mukherjee, S.E. Smaha, T. Grance, D.M. Teal and D. Mansur, DIDS (Distributed Intrusion Detection System): Motivation, Architecture and Early Prototype, Proceedings of the 14th National Computer Security Conference, pp. 167-176, (1991).
[6] H.T. Jung, H.L. Kim, Y.M. Seo, G. Choe, S.L. Min and C.S. Kim, Caller Identification System in the Internet Environment, Proceedings of the 4th USENIX Security Symposium, (1997).
[7] X. Wang and D. Reeves, Robust Correlation of Encrypted Attack Traffic through Stepping Stones by Manipulation of Inter-packet Delays, in: Proceedings of the 2003 ACM Conference on Computer and Communications Security (CCS 2003), ACM Press, pp. 20-29, (2003).
