Network Intrusion Goals and Methods


Network Intrusion Goals and Methods
Mgr. Rudolf B. Blažek, Ph.D.
Department of Computer Systems, Faculty of Information Technologies, Czech Technical University in Prague
Rudolf Blažek 2010-2011
Network Security MI-SIB, ZS 2011/12, Lecture 4
The European Social Fund, Prague & EU: We Invest in Your Future

Network Intrusion Goals and Methods (Czech title slide)
Mgr. Rudolf B. Blažek, Ph.D.
Department of Computer Systems, Faculty of Information Technology, Czech Technical University in Prague
Rudolf Blažek 2010-2011
Network Security MI-SIB, winter semester 2011/12, Lecture 4
European Social Fund, Prague & EU: We Invest in Your Future

Trends in Attack Goals and Methods

Trends in Attack Goals and Methods (chart; source: Breach Security, Web Hacking Incidents Database Report 2007)

Attack Goals, 2007 vs. 2011 (chart; source: Breach Security, Web Hacking Incidents Database Report 2007 & 2011)

Trends in Attack Goals and Methods (chart; source: Breach Security, Web Hacking Incidents Database Report 2007)

Figure 2: Attack Methods Used, 2007 vs. 2011 (chart; source: Breach Security, Web Hacking Incidents Database Report 2007 & 2011)

Application Weaknesses Used (chart; source: Breach Security, Web Hacking Incidents Database Report 2011)

Summary: Application Weaknesses, Attack Methods, Outcomes

Sector      | Outcome                   | Attack Method             | Application Weakness
Government  | Defacement (26%)          | SQL Injection (24%)       | Improper Input Handling (26%)
Finance     | Monetary Loss (64%)       | Stolen Credentials (36%)  | Insufficient Authentication (59%)
Retail      | Credit Card Leakage (27%) | SQL Injection (27%)       | Improper Input Handling (27%)

Source: Breach Security, Web Hacking Incidents Database Report 2011

Further Reading: Application Weaknesses vs. Attack Methods

Attack -> Application Weakness:
- DoS/Brute Force -> Insufficient Anti-automation (example: http://www.some.site/app/accountdetails.aspx?userid=xyz)
- SQL Injection -> Improper Input Handling
- XSS -> Improper Output Handling

Read: Threat Classification, http://projects.webappsec.org/w/page/13246978/Threat%20Classification
Source: Breach Security, Web Hacking Incidents Database Report 2011

Types of Network Intrusions

Main Types of Network Intrusions
- Man-in-the-Middle attacks (MiM): ARP, DHCP, DNS, WiFi deauthentication, fake SSL certificates
- Denial of service attacks: TCP SYN, DHCP, botnets, IP spoofing (TCP packet bounce)
- Port scanning: usually a preparation for attacks on systems and software
- Hybrid attacks: carried over the network, but not exploiting network protocols; e.g. password cracking, buffer overflows, worms, SQL injection, cross-site scripting

External vs. Insider Intrusions: External Network Intrusions
- Performed by attackers outside the LAN or CAN
- Include port scanning, denial of service, password cracking, but also worm intrusions, buffer overflows, etc.
- Can often be detected by relatively simple methods: signature detection, rule-based detection, various statistical approaches

External vs. Insider Intrusions: Insider Network Intrusions
- Performed by attackers INSIDE the company: a spy employee paid by a competitor; an unhappy employee, or one who is getting fired; a social engineer; an attacker who has penetrated computers in a subsidiary (e.g. via external attacks like worms or key loggers)
- Extremely hard to detect: the attackers are very smart and act like regular users
- Advanced methods are needed, e.g. behavioral or statistical

U.S. DoE Backbone Network (diagram): IDS sensors in Chicago, New York, Sunnyvale, Washington, Atlanta and El Paso; Fusion Center in Oak Ridge; corporate backbone; IDS communication

Network Attack Examples

"In the second half of 2007, 58 percent of all vulnerabilities affected Web applications." -- Symantec
"Today over 70% of attacks against a company's web site or web application come at the application layer, not the network or the system layer." -- Gartner

Man-in-the-Middle Attacks
- Discussed before
- Can use ARP, DNS, WiFi or other protocols
- Encrypted connections like SSH or HTTPS are hijacked via fake public keys (fake identity)
- Goals of MiM attacks: capture login names and passwords; record or hijack connections, both in a LAN and to the outside world

Denial-of-Service Attacks
- DoS attacks flood a server/network host with requests or data: to prevent other clients from accessing the server; to overload and crash the server, host or device (router, switch)
- DoS attacks are often distributed: carried out by bots (robots), a.k.a. zombie computers; computers become zombies after infection by worms or viruses; infected zombies are controlled e.g. via chat rooms
- Some experts claim: DoS attacks are obvious or unimportant.

Denial-of-Service Attacks (continued)
- Important scenarios in which DoS attacks represent a serious threat: mission-critical networks (financial, medical, military networks); customers of large ISPs; wireless networks (WiFi, etc.)
- There is a need for early DoS detection
- DoS flooding attacks remain the subject of intensive research

Intrusion Detection: An Example
Experimental Results: Detection of DoS Attacks (continued from last lecture)

Ad-hoc Detection of DoS Attacks
- Observing network performance degradation or outage: phone calls from users who are unable to access their e-mail or experience many dropped or sluggish connections; centers often monitor the number of dropped connections
- Monitoring of some reasonable network characteristic: link saturation (suspect an attack if a customer's link becomes 98% utilized); number of flows per host and port (trigger an alert if a host has too many connections on a single port)

Ad-hoc Detection of DoS Attacks (continued)
- Signature-based detection: only detects selected sets of DoS attacks; tremendous false alarm rates; frequently missed detections, especially of unknown attacks
- Questions: How do you decide what thresholds to use? What about false alerts?

How to Measure Intrusion Detection System Performance?
- Probability of false alarm and probability of successful detection? How long a period are we considering?
- False alarms will occur for sure when we monitor the network for a long period
- Attacks that stop quickly are harder to detect than long-term intrusions
- Even very weak attacks should be detected if they last long enough

Packet Interarrival Times: TCP SYN Flood (histogram of the time between packet arrivals, in seconds)
- Average numbers of TCP packets per second: normal traffic 43.94; modified attack traffic 56.97
- Sampling period: 0.1 seconds
- Optimized MNA-CUSUM: ε_opt = 0.113

Sequential Statistical Detection: Sequential Statistical Learning

Sequential NP-CUSUM statistic:

S_n = \max\{0,\; S_{n-1} + X_n - \mu - \varepsilon\,\hat\theta_n\}, \quad S_0 = 0

where
- X_n is a network characteristic observed in the n-th time interval, e.g. the number of UDP packets in a size bin; the number of packets of a particular type (TCP SYN, ICMP or ARP packets); the number of failed connections; the level of link saturation
- \mu is the historical estimate of E(X_n)
- \hat\theta_n is an estimate of E(X_n) under attack
- \varepsilon is a tuning parameter

Sequential ID Algorithm with Reflection (diagram of the statistic S_k over time: attack begins, attack detected, threshold, possible false alarms, update information, detection delay)

Resampling of Interarrival Times
- Observed sequence of random variables (or vectors) X1, X2, ...: some network characteristic observed at times t1, t2, ...; examples: packet sizes, numbers of TCP SYN, ICMP or ARP packets, numbers of failed connections, levels of link saturation, etc.
- Classical resampling (bootstrap, permutation tests): resample X1, X2, ..., Xn and construct the sequential statistic; repeat the process and estimate the FAR (no attack) and ADD (attack)
- FAR = False Alarm Rate; ADD = Average Detection Delay
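The NP-CUSUM statistic with reflection at zero and the bootstrap estimation of FAR and ADD from the two slides above, as an added example that is not part of the lecture; the TCP SYN counts per 0.1 s window are constructed Gaussian data scaled from the lecture's 43.94 and 56.97 packets per second, and the attack-mean estimate θ̂, the threshold h and the bootstrap definitions of FAR and ADD are assumptions of this example.

```python
import random

def np_cusum(xs, mu, eps, theta_hat, h):
    """Sequential NP-CUSUM with reflection at zero:
    S_n = max{0, S_{n-1} + X_n - mu - eps*theta_hat}, S_0 = 0.
    Returns the 0-based index of the first window with S_n >= h, or None."""
    s = 0.0
    for n, x in enumerate(xs):
        s = max(0.0, s + x - mu - eps * theta_hat)  # reflection: S_n never drops below 0
        if s >= h:
            return n
    return None

def resample_far_add(normal, attack, mu, eps, theta_hat, h, reps=200, seed=1):
    """Bootstrap estimate of FAR and ADD (the classical resampling on the slide).
    FAR: fraction of resampled attack-free runs that raise an alarm (assumed definition).
    ADD: average number of windows from attack start to the alarm."""
    rng = random.Random(seed)
    false_alarms, delays = 0, []
    for _ in range(reps):
        if np_cusum(rng.choices(normal, k=len(normal)), mu, eps, theta_hat, h) is not None:
            false_alarms += 1
        d = np_cusum(rng.choices(attack, k=len(attack)), mu, eps, theta_hat, h)
        delays.append(len(attack) if d is None else d + 1)
    return false_alarms / reps, sum(delays) / reps

def demo(eps=0.113, h=15.0):
    """Constructed TCP SYN counts per 0.1 s window (Gaussian, not real traffic):
    43.94 pkt/s normal, 56.97 pkt/s attack, attack starting at window 1140 (t = 114.0 s)."""
    rng = random.Random(7)
    normal = [max(0.0, rng.gauss(4.394, 1.0)) for _ in range(1140)]
    attack = [max(0.0, rng.gauss(5.697, 1.0)) for _ in range(600)]
    mu = sum(normal) / len(normal)   # historical estimate of E(X_n) from attack-free data
    theta_hat = 5.697                # assumed estimate of E(X_n) under attack
    alarm = np_cusum(normal + attack, mu, eps, theta_hat, h)
    delay_s = None if alarm is None else (alarm + 1 - len(normal)) * 0.1
    far, add = resample_far_add(normal, attack, mu, eps, theta_hat, h)
    return alarm, delay_s, far, add

if __name__ == "__main__":
    alarm, delay_s, far, add = demo()
    print("alarm at window", alarm, "detection delay (s):", delay_s)
    print("bootstrap FAR:", far, "ADD (windows):", add)
```

Raising h or eps lowers the false alarm rate at the cost of a longer detection delay, which is the ADD versus FAR trade-off the optimization slides that follow plot for several values of epsilon.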

Optimization of the MNA-CUSUM procedure (3-D plot: ADD versus -log(FAR) and epsilon)

Optimization of the MNA-CUSUM procedure (plot: slope of the operating characteristics line versus epsilon, observed value and approximation; optimal value epsilon = 0.058815)

Comparison of the Optimized Non-Parametric and Ad-hoc Tests (two plots of the sequential statistic S(k) versus time in seconds)
- Optimized test: time of attack 113.98 sec; time of detection 120.00 sec; detection delay 6.02 sec; avg. TFD 1680.00 sec; epsilon 0.1130
- Not optimized test: time of attack 113.98 sec; time of detection 150.30 sec; detection delay 36.32 sec; avg. TFD 1680.00 sec

Performance of the Detection Procedure (plot: ADD versus -log(FAR) for epsilon = 0, 0.020, 0.050 and 0.113)