Network Intrusion Goals and Methods
Mgr. Rudolf B. Blažek, Ph.D.
Department of Computer Systems, Faculty of Information Technologies, Czech Technical University in Prague
Rudolf Blažek 2010-2011
Network Security MI-SIB, ZS 2011/12, Lecture 4
The European Social Fund, Prague & EU: We Invest in Your Future
Section: Trends in Attack Goals and Methods
Trends in Attack Goals and Methods
[Chart: trends in attack goals and methods. Source: Breach Security, Web Hacking Incidents Database Report 2007]
Trends in Attack Goals and Methods: Attack Goals
[Chart: attack goals, 2007 vs. 2011. Source: Breach Security, Web Hacking Incidents Database Report 2007 & 2011]
Trends in Attack Goals and Methods: Attack Methods Used
[Chart, Figure 2: attack methods used, 2007 vs. 2011. Source: Breach Security, Web Hacking Incidents Database Report 2007 & 2011]
Weaknesses Used: Application Weaknesses Used
[Chart: application weaknesses used. Source: Breach Security, Web Hacking Incidents Database Report 2011]
Summary: Application Weaknesses, Attack Methods, Outcomes

Sector      | Outcome                   | Attack Method            | Application Weakness
------------|---------------------------|--------------------------|---------------------------------
Government  | Defacement (26%)          | SQL Injection (24%)      | Improper Input Handling (26%)
Finance     | Monetary Loss (64%)       | Stolen Credentials (36%) | Insufficient Authentication (59%)
Retail      | Credit Card Leakage (27%) | SQL Injection (27%)      | Improper Input Handling (27%)

Source: Breach Security, Web Hacking Incidents Database Report 2011
Further Reading: Application Weaknesses vs. Attack Methods
Attack -> Application Weakness
- DoS / Brute Force -> Insufficient Anti-automation
  Example: http://www.some.site/app/accountdetails.aspx?userid=xyz
- SQL Injection -> Improper Input Handling
- XSS -> Improper Output Handling
Read: Threat Classification, http://projects.webappsec.org/w/page/13246978/threat%20Classification
Source: Breach Security, Web Hacking Incidents Database Report 2011
Section: Types of Network Intrusions
Types of Network Intrusions: Main Types of Network Intrusions
- Man-in-the-Middle attacks (MiM): ARP, DHCP, DNS, WiFi deauthentication, fake SSL certificates
- Denial-of-service attacks: TCP SYN, DHCP, botnets, IP spoofing (TCP packet bounce)
- Port scanning: usually a preparation for attacks on systems and software
- Hybrid attacks: carried over the network, but not exploiting network protocols; e.g. password cracking, buffer overflows, worms, SQL injection, cross-site scripting
Types of Network Intrusions: External vs. Insider Intrusions
External network intrusions
- Performed by attackers outside the LAN or CAN
- Include port scanning, denial of service, password cracking, but also worm intrusions, buffer overflows, etc.
- Can often be detected by relatively simple methods: signature detection, rule-based detection, various statistical approaches
Types of Network Intrusions: External vs. Insider Intrusions
Insider network intrusions
- Performed by attackers INSIDE the company:
  - a spy employee paid by a competitor
  - an unhappy employee, or one who is getting fired
  - a social engineer
  - an attacker who has penetrated computers in a subsidiary (e.g. through external attacks like worms or key loggers)
- Extremely hard to detect: the attackers are very smart and act like regular users
- Advanced methods are needed, e.g. behavioral or statistical ones
Types of Network Intrusions: U.S. DoE Backbone Network
[Diagram: IDS sensors in Chicago, New York, Sunnyvale, Washington, Atlanta and El Paso on the corporate backbone, with IDS communication to the Fusion Center in Oak Ridge]
Section: Network Attack Examples
Examples
"In the second half of 2007, 58 percent of all vulnerabilities affected Web applications." -- Symantec
"Today over 70% of attacks against a company's web site or web application come at the application layer, not the network or the system layer." -- Gartner
Examples: Man-in-the-Middle Attacks
- Discussed before
- Can use ARP, DNS, WiFi or other protocols
- Encrypted connections like SSH or HTTPS are hijacked via fake public keys (fake identity)
- Goals of MiM attacks: capture login names and passwords; record or hijack connections, both in a LAN and to the outside world
Denial-of-Service Attacks
- DoS attacks flood a server or network host with requests or data:
  - to prevent other clients from accessing the server
  - to overload and crash the server, host or device (router, switch)
- DoS attacks are often distributed:
  - carried out by bots (robots), a.k.a. zombie computers
  - computers become zombies after infection by worms or viruses
  - infected zombies are controlled e.g. via chat rooms
- Some experts claim: DoS attacks are obvious or unimportant.
Denial-of-Service Attacks
Important scenarios in which DoS attacks represent a serious threat:
- Mission-critical networks (financial, medical, military networks)
- Customers of large ISPs
- Wireless networks (WiFi, etc.)
There is a need for early DoS detection; DoS flooding attacks remain the subject of intensive research.
Intrusion Detection: An Example
Experimental Results: Detection of DoS Attacks (continued from last lecture)
Intrusion Detection: Ad-hoc Detection of DoS Attacks
- Observing network performance degradation or outage:
  - phone calls from users who are unable to access their e-mail or who experience many dropped or sluggish connections
  - centers often monitor the number of dropped connections
- Monitoring some reasonable network characteristic:
  - link saturation (suspect an attack if a customer's link becomes 98% utilized)
  - number of flows per host and port (trigger an alert if a host has too many connections on a single port)
Intrusion Detection: Ad-hoc Detection of DoS Attacks
- Signature-based detection:
  - only detects selected sets of DoS attacks
  - tremendous false alarm rates
  - frequently missed detections, especially of unknown attacks
- Questions: How do you decide what thresholds to use? What about false alerts?
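As an added example (not from the lecture), the two ad-hoc rules from the slides, link saturation and flows per host and port, applied to a constructed flow log, followed by a sweep over candidate flow thresholds that makes the "which threshold?" question concrete. The 10 Mbit/s link capacity, the per-(host, port) flow limit and the log lines are assumptions made for the example; only the 98% saturation rule of thumb comes from the slides.

```python
from collections import Counter, defaultdict

# Constructed flow records (not from the lecture): one flow per line with the
# fields  interval  src  dst  dport  bytes, where "interval" is a 0.1 s sample index.
FLOW_LOG = """\
0 10.0.0.5 192.0.2.10 443 1200
0 10.0.0.6 192.0.2.10 443 900
0 10.0.0.7 192.0.2.10 25 400
1 198.51.100.1 192.0.2.10 80 60
1 198.51.100.2 192.0.2.10 80 60
1 198.51.100.3 192.0.2.10 80 60
1 198.51.100.4 192.0.2.10 80 60
1 198.51.100.5 192.0.2.10 80 60
1 10.0.0.5 192.0.2.10 443 800
2 10.0.0.8 192.0.2.20 443 61500
2 10.0.0.9 192.0.2.20 443 61500
"""

# Assumed link and thresholds: a 10 Mbit/s customer link sampled every 0.1 s carries
# at most 125,000 bytes per interval; 98% saturation is the slide's rule of thumb,
# the flows-per-(host, port) limit is an arbitrary pick for this example.
LINK_BYTES_PER_INTERVAL = 10_000_000 // 8 // 10   # = 125_000 bytes per 0.1 s
SATURATION_THRESHOLD = 0.98
MAX_FLOWS_PER_HOST_PORT = 4


def parse_flows(text):
    """Parse the constructed flow log into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        interval, src, dst, dport, nbytes = line.split()
        flows.append({"interval": int(interval), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def link_utilization(flows, capacity=LINK_BYTES_PER_INTERVAL):
    """Fraction of link capacity used in each sampling interval."""
    used = defaultdict(int)
    for f in flows:
        used[f["interval"]] += f["bytes"]
    return {i: b / capacity for i, b in used.items()}


def flows_per_host_port(flows):
    """Number of flows per (destination host, destination port) in each interval."""
    per_interval = defaultdict(Counter)
    for f in flows:
        per_interval[f["interval"]][(f["dst"], f["dport"])] += 1
    return per_interval


def adhoc_alerts(flows, saturation=SATURATION_THRESHOLD, max_flows=MAX_FLOWS_PER_HOST_PORT):
    """Apply both ad-hoc rules and return sorted (interval, rule, detail) tuples."""
    alerts = []
    for interval, util in link_utilization(flows).items():
        if util >= saturation:
            alerts.append((interval, "saturation", round(util, 3)))
    for interval, counts in flows_per_host_port(flows).items():
        for (dst, dport), n in counts.items():
            if n > max_flows:
                alerts.append((interval, "flows", (dst, dport, n)))
    return sorted(alerts)


def sweep_flow_threshold(flows, thresholds):
    """Number of flows-per-host-port alerts each candidate threshold would raise
    (saturation rule disabled), i.e. the slide's 'which threshold?' question."""
    return {t: sum(1 for a in adhoc_alerts(flows, saturation=2.0, max_flows=t)
                   if a[1] == "flows")
            for t in thresholds}


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for alert in adhoc_alerts(flows):
        print(alert)
    print(sweep_flow_threshold(flows, [1, 2, 3, 4, 5]))
```

On the constructed log, interval 1 trips the flow rule (five connections to 192.0.2.10:80) and interval 2 trips the saturation rule (123,000 of 125,000 bytes, 98.4%). The sweep shows how fragile the flow threshold is: a limit of 1 raises three alerts, limits of 2 to 4 raise one, and a limit of 5 raises none, with nothing in the rule itself to tell which value is right.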
Intrusion Detection: How to Measure Intrusion Detection System Performance?
- Probability of false alarm and probability of successful detection? Over how long a period?
- False alarms will occur for sure when we monitor the network for a long period
- Attacks that stop quickly are harder to detect than long-term intrusions
- Even very weak attacks should be detected if they last long enough
Intrusion Detection: Packet Interarrival Times, TCP-SYN Flood
- Average numbers of TCP packets per second: normal traffic 43.94; modified attack traffic 56.97
- Sampling period: 0.1 seconds
- Optimized MNA-CUSUM: ε_opt = 0.113
[Plot: time between packet arrivals (seconds)]
Intrusion Detection: Sequential Statistical Detection (Sequential Statistical Learning)
Sequential NP-CUSUM statistic:

  S_n = \max\{0,\; S_{n-1} + X_n - \mu - \varepsilon\,\hat{\theta}_n\}, \quad S_0 = 0

where
- X_n is a network characteristic observed in the n-th time interval: the number of UDP packets in a size bin; the number of packets of a particular type (TCP SYN, ICMP or ARP packets); the number of failed connections; the level of link saturation
- \mu is the historical estimate of E(X_n)
- \hat{\theta}_n is an estimate of E(X_n) under attack
- \varepsilon is a tuning parameter
Intrusion Detection: Sequential ID Algorithm with Reflection
[Diagram: S_k over time, reflected at zero; labels: threshold, possible false alarms (crossings before the attack begins), attack begins, attack detected, detection delay, update information]
Intrusion Detection: Resampling of Interarrival Times
- Observed sequence of random variables (or vectors) X_1, X_2, ...: some network characteristic observed at times t_1, t_2, ...; examples: packet sizes, numbers of TCP SYN, ICMP or ARP packets, numbers of failed connections, levels of link saturation, etc.
- Classical resampling (bootstrap, permutation tests): resample X_1, X_2, ..., X_n and construct the sequential statistic; repeat the process and estimate the FAR (no attack) and the ADD (attack)
- FAR = False Alarm Rate; ADD = Average Detection Delay
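As an added example (not code from the lecture), the NP-CUSUM recursion from the slides run with reflection at zero, and the bootstrap estimation of FAR and ADD described above, which also gives the false-alarm and detection-delay measures the performance slide asks for. The per-interval means μ and θ and the tuning parameter ε are taken from the TCP-SYN flood slide (43.94 and 56.97 packets/s, 0.1 s sampling, ε = 0.113); the SYN counts, the detection threshold h = 5 and the use of a fixed θ̂ instead of a running estimate are assumptions made for the example.

```python
import random

# Per-interval parameters derived from the slides' TCP-SYN flood example
# (43.94 pkt/s normal, 56.97 pkt/s under attack, 0.1 s sampling, eps_opt = 0.113).
MU = 43.94 * 0.1      # historical estimate of E(X_n): pre-attack mean count per 0.1 s
THETA = 56.97 * 0.1   # estimate of E(X_n) under attack (kept fixed here, an assumption)
EPS = 0.113           # tuning parameter epsilon

# Constructed SYN counts per 0.1 s interval (not measured data); attack starts at 10.
NORMAL_COUNTS = [4, 5, 4, 3, 5, 4, 4, 6, 3, 5]
ATTACK_COUNTS = [6, 7, 5, 7, 6, 8, 6, 7]
ATTACK_START = len(NORMAL_COUNTS)
TRACE = NORMAL_COUNTS + ATTACK_COUNTS


def np_cusum(xs, mu=MU, theta=THETA, eps=EPS, h=5.0, reset=True):
    """Run S_n = max(0, S_{n-1} + X_n - mu - eps*theta), S_0 = 0, against threshold h.

    Returns (stats, alarms): the S_n sequence and the indices n at which S_n >= h.
    With reset=True the statistic is reflected back to 0 after each alarm so that
    alarms keep being counted (needed for false-alarm-rate runs)."""
    s, stats, alarms = 0.0, [], []
    for n, x in enumerate(xs):
        s = max(0.0, s + x - mu - eps * theta)   # reflection at zero
        stats.append(s)
        if s >= h:
            alarms.append(n)
            if reset:
                s = 0.0
    return stats, alarms


def first_alarm(xs, **kw):
    """Index of the first alarm, or None if the statistic never crosses h."""
    _, alarms = np_cusum(xs, reset=False, **kw)
    return alarms[0] if alarms else None


def detection_delay(trace=TRACE, attack_start=ATTACK_START, h=5.0):
    """Detection delay in sampling intervals; None if the attack is missed or the
    only alarm came before the attack (a false alarm)."""
    n = first_alarm(trace, h=h)
    return n - attack_start if n is not None and n >= attack_start else None


def bootstrap_far(normal_samples, length=5000, h=5.0, runs=20, seed=1):
    """Estimate the false alarm rate (alarms per interval) on attack-free traffic by
    resampling the observed normal counts with replacement (classical bootstrap)."""
    rng = random.Random(seed)
    alarms = 0
    for _ in range(runs):
        xs = rng.choices(normal_samples, k=length)
        alarms += len(np_cusum(xs, h=h, reset=True)[1])
    return alarms / (runs * length)


def bootstrap_add(normal_samples, attack_samples, warmup=200, length=200,
                  h=5.0, runs=200, seed=2):
    """Estimate the average detection delay in intervals: resample a warm-up of
    normal counts followed by attack counts, and average the delay from the change
    point to the first alarm after it."""
    rng = random.Random(seed)
    delays = []
    for _ in range(runs):
        xs = rng.choices(normal_samples, k=warmup) + rng.choices(attack_samples, k=length)
        _, alarms = np_cusum(xs, h=h, reset=True)
        post = [n for n in alarms if n >= warmup]
        if post:
            delays.append(post[0] - warmup)
    return sum(delays) / len(delays) if delays else float("inf")


if __name__ == "__main__":
    stats, _ = np_cusum(TRACE, reset=False)
    print("S_n:", [round(s, 2) for s in stats])
    print("detection delay (intervals):", detection_delay())
    far = bootstrap_far(NORMAL_COUNTS)
    print("bootstrap FAR per 0.1 s interval:", far)
    print("bootstrap ADD (intervals):", bootstrap_add(NORMAL_COUNTS, ATTACK_COUNTS))
```

On the constructed trace the statistic stays at zero through the normal counts (only a count of 6 gives a positive increment, and the next low count reflects S back to zero) and crosses h = 5 four intervals after the attack begins. The bootstrap FAR is essentially zero here because the constructed normal counts are too tame to accumulate five units of drift; with real traffic, or a lower h, the trade-off between FAR and ADD that the following slides plot becomes visible, and sweeping ε is how the slides pick ε_opt.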
Intrusion Detection: Optimization of the MNA-CUSUM procedure
[3-D plot: ADD (0 to 25) against -log(FAR) (3 to 8) and the tuning parameter ε (0 to 0.2)]
Intrusion Detection: Optimization of the MNA-CUSUM procedure
[Plot: slope of the operating characteristics line (3.8 to 4.7) against ε (0 to 0.16), observed values and their approximation; optimal value ε = 0.058815]
Intrusion Detection: Comparison of the Optimized Non-Parametric and Ad-hoc Tests
[Two plots of the sequential statistic S(k) against time (0 to 200 seconds)]
- Optimized test: time of attack 113.98 sec; time of detection 120.00 sec; detection delay 6.02 sec; avg. TFD 1680.00 sec; ε = 0.1130
- Not optimized test: time of attack 113.98 sec; time of detection 150.30 sec; detection delay 36.32 sec; avg. TFD 1680.00 sec
Intrusion Detection: Performance of the Detection Procedure
[Plot: ADD (0 to 80) against -log(FAR) (2 to 9) for ε = 0, 0.020, 0.050 and 0.113]