liberate n
play

liberate, (n): A library for exposing (tra ffi c-classification) - PowerPoint PPT Presentation

Dec 30, 2022 •369 likes •1.54k views

liberate, (n): A library for exposing (tra ffi c-classification) rules and avoiding them e ffi ciently Fangfan Li , Abbas Razaghpanah, Arash Molavi Kakhki, Arian Akhavan Niaki, David Cho ff nes, Phillipa Gill, Alan Mislove 1 Traffic management 2

  1. Design Evasion techniques • Observation: • ‘Match and forget’ behavior • Incomplete views of the connection • Inert packet insertion * : Tra ffi c processed only by a classifier but not endpoint Using a small TTL value * Christian Kreibich et al. 2001. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. 13

  2. Design Evasion techniques • Observation: • ‘Match and forget’ behavior • Incomplete views of the connection • Inert packet insertion * : Tra ffi c processed only by a classifier but not endpoint App B is classified as App A Using a small TTL value * Christian Kreibich et al. 2001. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. 13

  3. Design Evasion techniques SYN TCP 80 TCP 80 SYN, ACK ACK TCP 80 IPID 1 OFF 0 GE TCP 80 IPID 1 OFF 2 T TCP 80 IPID 1 OFF 4 /A TCP 80 IPID 1 OFF 6 \r\n TCP 80 Fragmenting the IP packet 14

  4. Design Evasion techniques • Observation: • Each packet is searched independently for matching contents SYN TCP 80 TCP 80 SYN, ACK ACK TCP 80 IPID 1 OFF 0 GE TCP 80 IPID 1 OFF 2 T TCP 80 IPID 1 OFF 4 /A TCP 80 IPID 1 OFF 6 \r\n TCP 80 Fragmenting the IP packet 14

  5. Design Evasion techniques • Observation: • Each packet is searched independently for matching contents • Splitting/Reordering : splitting the matching contents across multiple packets SYN TCP 80 TCP 80 SYN, ACK ACK TCP 80 IPID 1 OFF 0 GE TCP 80 IPID 1 OFF 2 T TCP 80 IPID 1 OFF 4 /A TCP 80 IPID 1 OFF 6 \r\n TCP 80 Fragmenting the IP packet 14

  6. Design Evasion techniques • Observation: • Each packet is searched independently for matching contents • Splitting/Reordering : splitting the matching contents across multiple packets SYN TCP 80 TCP 80 SYN, ACK ACK TCP 80 IPID 1 OFF 0 GE TCP 80 IPID 1 OFF 2 T TCP 80 IPID 1 OFF 4 /A TCP 80 IPID 1 OFF 6 \r\n TCP 80 Fragmenting the IP packet 14

  7. Design Evasion techniques • Observation: • Each packet is searched independently for matching contents • Splitting/Reordering : splitting the matching contents across multiple packets SYN TCP 80 TCP 80 App A is unclassified SYN, ACK ACK TCP 80 IPID 1 OFF 0 GE TCP 80 IPID 1 OFF 2 T TCP 80 IPID 1 OFF 4 /A TCP 80 IPID 1 OFF 6 \r\n TCP 80 Fragmenting the IP packet 14

  8. Design Evasion techniques SYN TCP 80 SYN, ACK TCP 80 ACK TCP 80 SEQ 1 GET /B TCP 80 Inserting large delays 15

  9. Design Evasion techniques • Observation: • Classifiers do no retain classification results indefinitely SYN TCP 80 SYN, ACK TCP 80 ACK TCP 80 SEQ 1 GET /B TCP 80 Inserting large delays 15

  10. Design Evasion techniques • Observation: • Classifiers do no retain classification results indefinitely • Flushing : causing the classifier to remove the classification state for the flow SYN TCP 80 SYN, ACK TCP 80 ACK TCP 80 SEQ 1 GET /B TCP 80 Inserting large delays 15

  11. Design Evasion techniques • Observation: • Classifiers do no retain classification results indefinitely • Flushing : causing the classifier to remove the classification state for the flow SYN TCP 80 SYN, ACK TCP 80 ACK TCP 80 SEQ 1 GET /B TCP 80 Inserting large delays 15

  12. Design Evasion techniques • Observation: • Classifiers do no retain classification results indefinitely • Flushing : causing the classifier to remove the classification state for the flow SYN TCP 80 SYN, ACK TCP 80 App B is unclassified ACK TCP 80 SEQ 1 GET /B TCP 80 Inserting large delays 15

  13. Outline • Design and implementation • Tra ffi c-classification rules detection • Evasion techniques • Implementation • Evaluation • E ff ectiveness across multiple networks 16

  14. Implementation Server liberate App Proxy Replay Server 17

  15. Implementation • Phase 1: liberate does the analysis using a replay server Server liberate App Proxy Phase 1 Replay Server 17

  16. Implementation Phase 1 • Phase 1: liberate does the analysis using a replay server Server liberate App Proxy Phase 1 Replay Server 17

  17. Implementation • Phase 1: liberate does the analysis using a replay server • Phase 2: liberate applies evasion technique to tra ffi c in-flight Phase 2 Phase 2 Server Server Phase 2 liberate liberate App App Phase 2 Proxy Proxy Phase 1 Phase 1 Replay Server Replay Server 17

  18. Implementation Phase 1 Phase 2 • Phase 1: liberate does the analysis using a replay server • Phase 2: liberate applies evasion technique to tra ffi c in-flight Phase 2 Server liberate App Phase 2 Proxy Phase 2 Phase 1 Server liberate App Phase 2 Proxy Phase 1 Replay Server Replay Server 17

  19. Outline • Design and implementation • Tra ffi c-classification rules detection • Evasion techniques • Implementation • Evaluation • E ff ectiveness across multiple networks 18

  20. Evaluation Testbed and in the wild liberate Client Server 19

  21. Evaluation Testbed and in the wild • Testbed evaluation liberate Client Server 19

  22. Evaluation Testbed and in the wild • Testbed evaluation liberate Client Server • Evaluation “in the wild” liberate Client Server 19

  23. Evaluation Testbed and in the wild • Testbed evaluation liberate Client Server • Evaluation “in the wild” liberate Client Server 19

  24. Evaluation Testbed and in the wild • Testbed evaluation liberate Client Server • Evaluation “in the wild” liberate Client Server 19

  25. Evaluation Results 20

  26. Evaluation Example result table Technique Test case 1 Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Payload Reordering Reverse the transmission of first two fragments Classification flushing 21

  27. Evaluation Example result table Technique Test case 1 Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Payload Reordering Reverse the transmission of first two fragments Classification flushing 21

  28. Evaluation Example result table Technique Test case 1 Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Payload Reordering Reverse the transmission of first two fragments Classification flushing 21

  29. Evaluation Example result table Technique Test case 1 Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Payload Reordering Reverse the transmission of first two fragments Classification flushing 21

  30. Evaluation Testbed results Technique Testbed Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Break packet into two IP fragments Payload Reordering Reverse the transmission of first two fragments Classification flushing TTL-limited RST packet before classification 22

  31. Evaluation Testbed results Technique Testbed Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Break packet into two IP fragments Payload Reordering Reverse the transmission of first two fragments Classification flushing TTL-limited RST packet before classification • E ffi ciency: • One-time overhead (phase 1) : 13 minutes 22

  32. Evaluation Testbed results Technique Testbed Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Break packet into two IP fragments Payload Reordering Reverse the transmission of first two fragments Classification flushing TTL-limited RST packet before classification • E ffi ciency: • One-time overhead (phase 1) : 13 minutes 22

  33. Evaluation Testbed results Technique Testbed Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Break packet into two IP fragments Payload Reordering Reverse the transmission of first two fragments Classification flushing TTL-limited RST packet before classification • E ffi ciency: • One-time overhead (phase 1) : 13 minutes • Run-time overhead (phase 2) : tens of bytes per flow 22

  34. Evaluation Testbed results Technique Testbed Example technique IP Lower TTL to only reach classifier Inert packet TCP Wrong sequence number insertion UDP Wrong checksum Payload Splitting Break packet into two IP fragments Payload Reordering Reverse the transmission of first two fragments Classification flushing TTL-limited RST packet before classification • E ffi ciency: • One-time overhead (phase 1) : 13 minutes • Run-time overhead (phase 2) : tens of bytes per flow • E ff ectiveness: • All types of techniques were e ff ective in testbed 22

  35. Evaluation T mobile ‘Binge On’ Technique Testbed T mobile Example technique IP Lower TTL to only reach classifier Inert packet TCP insertion UDP Break packet into five TCP segments Payload Splitting Reverse the transmission of first two segments Payload Reordering Classification flushing TTL-limited RST packet before classification 23

  36. Evaluation T mobile ‘Binge On’ Technique Testbed T mobile Example technique IP Lower TTL to only reach classifier Inert packet TCP insertion UDP Break packet into five TCP segments Payload Splitting Reverse the transmission of first two segments Payload Reordering Classification flushing TTL-limited RST packet before classification • Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated • E ffi ciency: • One-time overhead (phase 1) : 30 minutes • Run-time overhead (phase 2) : tens of bytes per flow 23

  37. Evaluation T mobile ‘Binge On’ Technique Testbed T mobile Example technique IP Lower TTL to only reach classifier Inert packet TCP insertion UDP Break packet into five TCP segments Payload Splitting Reverse the transmission of first two segments Payload Reordering Classification flushing TTL-limited RST packet before classification • Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated • E ffi ciency: • One-time overhead (phase 1) : 30 minutes • Run-time overhead (phase 2) : tens of bytes per flow • E ff ectiveness: • UDP tra ffi c (e.g., Youtube video in QUIC) was not classified 23

  38. Evaluation T mobile ‘Binge On’ Technique Testbed T mobile Example technique IP Lower TTL to only reach classifier Inert packet TCP insertion UDP Break packet into five TCP segments Payload Splitting Reverse the transmission of first two segments Payload Reordering Classification flushing TTL-limited RST packet before classification • Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated • E ffi ciency: • One-time overhead (phase 1) : 30 minutes • Run-time overhead (phase 2) : tens of bytes per flow • E ff ectiveness: • UDP tra ffi c (e.g., Youtube video in QUIC) was not classified • Breaking packet into 5 TCP segments evaded classification 23

  39. Evaluation T mobile ‘Binge On’ Technique Testbed T mobile Example technique IP Lower TTL to only reach classifier Inert packet TCP insertion UDP Break packet into five TCP segments Payload Splitting Reverse the transmission of first two segments Payload Reordering Classification flushing TTL-limited RST packet before classification • Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated • E ffi ciency: • One-time overhead (phase 1) : 30 minutes • Run-time overhead (phase 2) : tens of bytes per flow • E ff ectiveness: • UDP tra ffi c (e.g., Youtube video in QUIC) was not classified • Breaking packet into 5 TCP segments evaded classification • Reversing the order of initial packets was e ff ective 23

  40. Evaluation T mobile ‘Binge On’ Technique Testbed T mobile Example technique IP Lower TTL to only reach classifier Inert packet TCP insertion UDP Break packet into five TCP segments Payload Splitting Reverse the transmission of first two segments Payload Reordering Classification flushing TTL-limited RST packet before classification • Classified video (HTTP/S) was throttled to 1.5 Mbps and zero-rated • E ffi ciency: • One-time overhead (phase 1) : 30 minutes • Run-time overhead (phase 2) : tens of bytes per flow • E ff ectiveness: • UDP tra ffi c (e.g., Youtube video in QUIC) was not classified • Breaking packet into 5 TCP segments evaded classification • Reversing the order of initial packets was e ff ective 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Liberate Your Data Francois Laborie CMO Head of Partner Engagement November 22 nd 2017 Our

Liberate Your Data Francois Laborie CMO Head of Partner Engagement November 22 nd 2017 Our

Liberate Your Data Francois Laborie CMO Head of Partner Engagement November 22 nd 2017 Our Vision Liberate industrial data to redefine the real world from daily routines to business models. 2 2 The Largest Companies by Market Cap The oil

735 views • 21 slides
Liberate T EX: Progress on Building a New T EX-Language Interpreter Doug McKenna

Liberate T EX: Progress on Building a New T EX-Language Interpreter Doug McKenna

Liberate T EX: Progress on Building a New T EX-Language Interpreter Doug McKenna Mathemaesthetics, Inc. Boulder, Colorado TUG 2014 The T EX Ecosystem Seems Fractured and Forked Theres T EX . . . or -T EX . . . or

410 views • 22 slides
Inspire. Empower. Liberate. Youth Media Action Coalition Taylor Novick-Finder ~ Josue Pasillas

Inspire. Empower. Liberate. Youth Media Action Coalition Taylor Novick-Finder ~ Josue Pasillas

Inspire. Empower. Liberate. Youth Media Action Coalition Taylor Novick-Finder ~ Josue Pasillas ~ Lucas Sandtroen Injustice anywhere is a threat to justice everywhere. - Martin Luther King Jr. Police Injustice Police injustice

202 views • 16 slides
Teaching The African Diaspora in an Independent Boarding School By Scott P. Styles

Teaching The African Diaspora in an Independent Boarding School By Scott P. Styles

Teaching The African Diaspora in an Independent Boarding School By Scott P. Styles Teacher of Humanities, St. Pauls School, Concord, NH, 03301 Relevance Liberate: Africa is rich culturally, intellectually, and historically, and

132 views • 9 slides
Enterprise 2.0 impact on software development Martin Nally, CTO IBM Rational What is Enterprise

Enterprise 2.0 impact on software development Martin Nally, CTO IBM Rational What is Enterprise

Enterprise 2.0 impact on software development Martin Nally, CTO IBM Rational What is Enterprise 2.0? Enterprise 2.0 is the term for the technologies and business practices that liberate the workforce from the constraints of legacy

378 views • 36 slides
7/25/2009 We already learned that plants make their food during photosynthesis. Cellular

7/25/2009 We already learned that plants make their food during photosynthesis. Cellular

7/25/2009 We already learned that plants make their food during photosynthesis. Cellular Respiration Mitochondria liberate energy for the work that cells do, and chloroplasts capture sunlight energy for photosynthesis. . Animal cells get

55 views • 3 slides
Schema.org in Two Parts: From Use to Extension Part 1: Fit for a Bibliographic Purpose Richard

Schema.org in Two Parts: From Use to Extension Part 1: Fit for a Bibliographic Purpose Richard

DCMI/ASIS&T Joint Webinars Schema.org in Two Parts: From Use to Extension Part 1: Fit for a Bibliographic Purpose Richard Wallis Evangelist and Founder Data Liberate richard.wallis@dataliberate.com @rjw Richard Wallis

2.21k views • 195 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

1.12k views • 37 slides
Information Leakage CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin

Information Leakage CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin

Information Leakage CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ April 25, 2013 Announcements / Goals HKN

934 views • 79 slides
+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel

+ Side Channel and Covert Channel A1acks on Microkernel Architectures WAMOS 2015 Advanced Opera3ng Systems Hochschule RheinMain Alexander Baumgrtner and

539 views • 25 slides
Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems

Side Channels Covert Channels References Side Channels and Covert Channels Daniel Bosk Department of Information and Communication Systems (ICS), Mid Sweden University, Sundsvall. 1st May 2017 Daniel Bosk MIUN ICS Side Channels and Covert

689 views • 32 slides
Mandatory Access Control Mandatory Access Control 1 DAC DAC and Trojan Horse d T j H Brown:

Mandatory Access Control Mandatory Access Control 1 DAC DAC and Trojan Horse d T j H Brown:

Mandatory Access Control Mandatory Access Control 1 DAC DAC and Trojan Horse d T j H Brown: read, write Employee Brown Read Employee Black Brown: read write Black, Brown: read, write REJECTED! Blacks Employee Black is not allowed

565 views • 38 slides
CCC Leadership in Embedded Security Workshop 2017 Tomas Vagoun Cybersecurity R&D

CCC Leadership in Embedded Security Workshop 2017 Tomas Vagoun Cybersecurity R&D

CCC Leadership in Embedded Security Workshop 2017 Tomas Vagoun Cybersecurity R&D Coordinator Na4onal Coordina4on Office for NITRD Strategic Plan for Federal Cybersecurity R&D Federal Cybersecurity R&D Goals S&T for effec5ve

530 views • 5 slides
Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique

Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique

Secure Multi-Execution Dominique Devriese Frank Piessens K.U.Leuven May 14, 2010 Dominique Devriese, Frank Piessens (K.U.Leuven) Secure Multi-Execution May 14, 2010 1 / 24 Secure Multi-Execution Outline Secure Multi-Execution

622 views • 29 slides
A new categorization system for side-channel attacks on mobile devices & more Veelasha

A new categorization system for side-channel attacks on mobile devices & more Veelasha

A new categorization system for side-channel attacks on mobile devices & more Veelasha Moonsamy Radboud University, The Netherlands 06 February 2017 University of Adelaide, Australia Radboud University, Nijmegen, NL 2 Digital Security

759 views • 55 slides
New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng

New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng

New methods for controlling timing channels Andrew Myers Cornell University (with Danfeng Zhang, Aslan Askarov) Timing channels e adversary can learn (a lot) from timing measurements. Known to exist Hard to detect Hard to prevent

639 views • 40 slides
ARM Platform NAIWEI LIU, WANYU ZANG, MENG YU, RAVI SANDHU UTSA ICS LAB; ROOSEVELT UNIVERSITY

ARM Platform NAIWEI LIU, WANYU ZANG, MENG YU, RAVI SANDHU UTSA ICS LAB; ROOSEVELT UNIVERSITY

On the Cost-Effectiveness of TrustZone Defense on ARM Platform NAIWEI LIU, WANYU ZANG, MENG YU, RAVI SANDHU UTSA ICS LAB; ROOSEVELT UNIVERSITY Contents Abstract and Introduction Related Work Cache-Based Security Threats and Attack

618 views • 25 slides
COMPGA11: Research in Information Security Steven Murdoch University College London based

COMPGA11: Research in Information Security Steven Murdoch University College London based

COMPGA11: Research in Information Security Steven Murdoch University College London based on a course by Tony Morton Term 2 2014/15 Course summary To develop an understanding of what research in information security is about,

460 views • 24 slides
on Precise Realtime Software Access and Control of Wired Networks Ki Suh Lee, Han Wang, Hakim

on Precise Realtime Software Access and Control of Wired Networks Ki Suh Lee, Han Wang, Hakim

Forensics in the SoNIC Project on Precise Realtime Software Access and Control of Wired Networks Ki Suh Lee, Han Wang, Hakim Weatherspoon Cornell University International Workshop on Trustworthiness, Accountability, and Forensics in the Cloud

693 views • 31 slides
Wi-Fi Advanced Stealth Laurent BUTTI and Franck VEYSSET hack.lu, Luxembourg October 19-21,

Wi-Fi Advanced Stealth Laurent BUTTI and Franck VEYSSET hack.lu, Luxembourg October 19-21,

Wi-Fi Advanced Stealth Laurent BUTTI and Franck VEYSSET hack.lu, Luxembourg October 19-21, 2006 firstname[dot]lastname[AT]francetelecom[dot]com Who Are We? Network security geeks (?) in R&D labs Working for France Telecom -

610 views • 35 slides
Static Analysis of Security Properties by Abstract Interpretation cole normale suprieure,

Static Analysis of Security Properties by Abstract Interpretation cole normale suprieure,

Static Analysis of Security Properties by Abstract Interpretation cole normale suprieure, quipe Abstraction Mehdi Bouaziz Friday, May 11 2012 Static Analysis of Security Properties by Abstract Interpretation Mehdi Bouaziz, cole normale

839 views • 29 slides
Comprehensive Primary Care Program Participation in Oregon August 25, 2020 Lisa Miller, MPH,

Comprehensive Primary Care Program Participation in Oregon August 25, 2020 Lisa Miller, MPH,

Analyzing the Impact of Comprehensive Primary Care Program Participation in Oregon August 25, 2020 Lisa Miller, MPH, CPH, CPHQ LMiller@Comagine.org Comagine Health, formerly Oregon Health Care Quality Corporation, Qualis Health and

393 views • 15 slides
Crime, Policing and Citizenship (CPC) - Space-Time Interactions of Dynamic Network Tao

Crime, Policing and Citizenship (CPC) - Space-Time Interactions of Dynamic Network Tao

Crime, Policing and Citizenship (CPC) - Space-Time Interactions of Dynamic Network Tao Cheng + CPC Team {tao.cheng@ucl.ac.uk} Department of Civil, Environmental & Geoma@c

610 views • 14 slides
Consequence relations old and new Workshop Proofs Paris, 1 June, 2017 Rosalie Iemhoff

Consequence relations old and new Workshop Proofs Paris, 1 June, 2017 Rosalie Iemhoff

Consequence relations old and new Workshop Proofs Paris, 1 June, 2017 Rosalie Iemhoff Utrecht University 1 / 25 Logics A logic L can be given via semantics (algebras, Kripke models, valuations, . . . ), proof systems (sequent

566 views • 25 slides

More recommend