statistical opportunities in network security
play

Statistical Opportunities in Network Security David J. Marchette - PowerPoint PPT Presentation

Feb 20, 2024 •237 likes •644 views

Statistical Opportunities in Network Security David J. Marchette marchettedj@nswc.navy.mil Naval Surface Warfare Center Code B10 < > - + Interface 2003 p.1/36 Outline Intro to Network Data Monitoring Denial of Service Attacks

  1. Statistical Opportunities in Network Security David J. Marchette marchettedj@nswc.navy.mil Naval Surface Warfare Center Code B10 < > - + Interface 2003 – p.1/36

  2. Outline Intro to Network Data Monitoring Denial of Service Attacks Passive Fingerprinting User Profiling I am just going to give a very brief introduction to these topics. < > - + Interface 2003 – p.2/36

  3. Network Data Data is in the form of packets collected off a network (with tcpdump). Each session (web page, telnet, etc.) consists of (many) packets. Each packet contains: Header information used for transmission and control. Data. We will be concerned with only the header information. < > - + Interface 2003 – p.3/36

  4. Network Loads An example of the kind of volume we are looking at: A network of around 10,000 computers connected to the Internet. On January 31, 2002, during the hour from noon to 1pm there were: 7,614,419 IP packets. 150,000 sessions. Network data are large and complex. < > - + Interface 2003 – p.4/36

  5. What’s in a Header? Source and Destination IP addresses. Protocol of the packet. Information on the application (port numbers). Transmission control flags. Error states and information (ICMP). Fragmentation information. Various values for routing and control. < > - + Interface 2003 – p.5/36

  6. A Few Areas for Statistics Estimating the number of attacks on the Internet. Determining the operating system of the machine that sent a packet. Profiling users and detecting masqueraders. < > - + Interface 2003 – p.6/36

  7. Denial of Service Attacks on the Internet Denial of Service attacks seek to deny access to servers (web servers, etc). Many of these attacks operate by flooding the victim computer with a large number of packets or connection requests. Traditionally, in order to determine the number of attacks during any period, we needed to rely on self-reporting. This is particularly bad in computer security, where there is an incentive to under-report. < > - + Interface 2003 – p.7/36

  8. Another Approach A class of denial of service attacks allow detection via passive monitoring. These attacks result in the victim sending out packets (responses) to random hosts on the Internet. By monitoring these unsolicited packets, we can estimate the number of attacks. < > - + Interface 2003 – p.8/36

  9. Backscatter Cartoon Victim Typical Denial of Service Attack: Syn Flood. Attacker floods the victim with connection requests. Attacker(s) The Internet < > - + Interface 2003 – p.9/36

  10. Backscatter Cartoon Victim Attackers send spoofed SYN packets Attacker(s) The Internet < > - + Interface 2003 – p.9/36

  11. Backscatter Cartoon Victim Victim responds with SYN/ACK packets Attacker(s) The Internet < > - + Interface 2003 – p.9/36

  12. Backscatter Cartoon Victim Sensors at the spoofed addresses see the response packets us Attacker(s) The Internet < > - + Interface 2003 – p.9/36

  13. Some Observations We observe a subset of the response packets. Estimation requires that we understand the model. Perusal of attack software indicates that random (uniform) selection of (spoofed) IP addresses is common. Unsolicited response packets may also be an attack against the monitored network. We’d also like to estimate the effect of the attack. The attacks evolve, and this approach may need modification or be invalid in the future. < > - + Interface 2003 – p.10/36

  14. Assumptions We assume (and perusal of some attack code bears this out) that the spoofed IP addresses are selected at random (independently, identically distributed, uniformly from all possible addresses). Given this, we can estimate the size of the attack, the number of attacks we are likely to miss, etc. Are these assumptions valid? We will look at a few examples using the “looks random” test. < > - + Interface 2003 – p.11/36

  15. A Victim < > - + Interface 2003 – p.12/36

  16. Another Victim < > - + Interface 2003 – p.13/36

  17. Another Victim 60000 50000 40000 Spoofed IP 30000 20000 10000 0 0.00 0.05 0.10 0.15 Time (hours) < > - + Interface 2003 – p.14/36

  18. Modeling and Classification We need good models of the spoofing process(es). These can help classify the attacks (identify the attack code). Given these models, we can estimate the size of the attack. These models are also necessary to estimate the number of attacks that are not observed at the sensor(s). < > - + Interface 2003 – p.15/36

  19. Number of Attacks Observed Sept 1 −− 17 Sept 19 −− Oct 15 40 40 30 30 number of attacks number of attacks 20 20 10 10 0 0 5 10 15 20 25 30 35 40 45 Days Days < > - + Interface 2003 – p.16/36

  20. Number of Attacks Observed Oct 28 −− Dec 12 Jan 1 −− 31 40 40 30 30 number of attacks number of attacks 20 20 10 10 0 0 0 10 20 30 40 50 60 0 5 10 15 20 25 30 Days Days < > - + Interface 2003 – p.17/36

  21. Comments Something happened to change the volume of attacks in mid September. These are only “big” attacks (those where the sensor sees more than 10 packets). These are only attacks against web servers. At the peak, there were more than 30 victims, over a period of a month. By January, things were back to “normal”. < > - + Interface 2003 – p.18/36

  22. Passive Fingerprinting The protocols specify what a host must do in response to a packet or when constructing a packet. These specifications are not complete: there are several choices that a computer is free to make. These choices are made differently (to some extent) by different operating systems. By monitoring these, one can guess the operating system. The idea is to examine packets coming to the monitored network, and determining the operating system of the sending machine. < > - + Interface 2003 – p.19/36

  23. Time To Live One such choice is the time to live (TTL) value. This is a byte (value 0–255) set when the packet is constructed. Each router decrements the TTL. If the TTL is 0, the router drops it, and sends an error message. Different operating systems choose different default values for TTL. We never observe the original TTL: we observe the TTL minus a random number (corresponding to the number of routers in the route it took). < > - + Interface 2003 – p.20/36

  24. Why Do We Care? It’s fun. Passive validation of the accreditation database. A machine that appears to change it’s operating system may be evidence of an attack (specially crafted packets). The operating system of an attacker can indicate the likely attack software. In very rare scenarios this could be used to craft a response. < > - + Interface 2003 – p.21/36

  25. The Experiment Data collected on 3806 machines over a period of about 6 months. Features such as: mean TTL, mean type-of-service, window size, IP ID and sequence number increment, min/max source port, number of IP options, which options, whether DF flag set. Data split into a training and a test set evenly (split so that each OS had the same number in training and test). Operating system classed as: Generic DOS, Irix, Generic Apple, Mac, Solaris, Windows. OS designation comes from an accreditation database (unknown amount of inaccuracy). Ran k -nearest neighbor classifiers on training data, best was k = 3 . < > - + Interface 2003 – p.22/36

  26. Some Data 1.0 0.8 0.6 0.4 0.2 0.0 x1 x2 x3 x4 x5 < > - + x6 x7 x8 x9 x10 x11 Interface 2003 – p.23/36

  27. Some Results 3-NN classifier dos irix linux apple mac solaris windows dos 0 0 0 0 2 0 32 irix 0 16 0 0 0 0 1 linux 0 0 25 0 0 0 0 apple 0 0 0 0 3 0 3 mac 0 0 0 0 31 0 0 solaris 0 0 0 0 0 27 0 windows 1 0 6 0 3 0 1753 Bottom line error: 0.027. Worst case error: 0.074. < > - + Interface 2003 – p.24/36

  28. Reduced Classes 3-NN dos → windows apple → mac. windows irix linux mac solarisw windows 1786 0 6 5 0 irix 1 16 0 0 0 linux 0 0 25 0 0 mac 3 0 0 34 0 solaris 0 0 0 0 27 Bottom line error: 0.008. Worst case error: 0.056. < > - + Interface 2003 – p.25/36

  29. Summary Very simple classifier works quite well. Windows dominates. Better data collection is necessary. The sub-classes are available (Windows NT vs 98 vs 2000...). Active fingerprinting can determine these quite well. Passive fingerprinting is undetectable and adds nothing to the load on the network. < > - + Interface 2003 – p.26/36

  30. Network User Profiling Tracking users by their network activity can provide an indication of suspicious or dangerous behavior. Network activity involves: Applications used (web, ftp, telnet, ssh, etc.). Servers accessed. Amount of data transfered. Temporal information. I do not consider (but could) web pages visited, etc. < > - + Interface 2003 – p.27/36

  31. Web Servers Visited I construct an intersection graph according to the web servers visited by each user. The vertices of the graph are the users. There is an edge between two users if they visit the same web server (during the period under consideration). This is computed over the full time period over which the data were collected (3 months). < > - + Interface 2003 – p.28/36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
CS 598: Network Security Matthew Caesar January 29, 2013 1 Why secure data centers?

CS 598: Network Security Matthew Caesar January 29, 2013 1 Why secure data centers?

Lecture 3: Data Center and Enterprise Network Security CS 598: Network Security Matthew Caesar January 29, 2013 1 Why secure data centers? Consolidation brings many benefits Easier management, statistical multiplexing

1.51k views • 103 slides
Challenges and Opportunities Challenges and Opportunities Presented at the FANRPAN HASSP

Challenges and Opportunities Challenges and Opportunities Presented at the FANRPAN HASSP

Domestication of the Harmonised Seed Security Project (HASSP) through the Food, Agriculture and Natural R Resources Policy Analysis Network(FANRPAN) P li A l i N t k(FANRPAN) Challenges and Opportunities Challenges and Opportunities

676 views • 53 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
John Moore CTO and SVP of Engineering Job security, job opportunities. Additional sources

John Moore CTO and SVP of Engineering Job security, job opportunities. Additional sources

John Moore CTO and SVP of Engineering Job security, job opportunities. Additional sources of income. Continued learning Define your goals Choose where to network Give it time Twitter Facebook Linked in

223 views • 11 slides
Modeling, prediction and diagnosis for network security Alfred Hero University of Michigan 1.

Modeling, prediction and diagnosis for network security Alfred Hero University of Michigan 1.

Modeling, prediction and diagnosis for network security Alfred Hero University of Michigan 1. Network monitoring and tomography 2. Science of security: opportunities 3. Concluding remarks Alfred Hero NSF-IARPA SOS Workshop Nov 2008 1.

432 views • 18 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 3 Network Protocol Attacks Roadmap Network security The basic objectives: CIA

1.68k views • 39 slides
Probabilistic Foundations of Statistical Network Analysis Chapter 5: Statistical modeling paradigm

Probabilistic Foundations of Statistical Network Analysis Chapter 5: Statistical modeling paradigm

Probabilistic Foundations of Statistical Network Analysis Chapter 5: Statistical modeling paradigm Harry Crane Based on Chapter 5 of Probabilistic Foundations of Statistical Network Analysis Book website: http://www.harrycrane.com/networks.html

443 views • 31 slides
Hands-On Network Security: Practical Tools &amp; Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools &amp; Methods Security Training Course Dr. Charles J.

Hands-On Network Security: Practical Tools &amp; Methods Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Hands-On Network Security Module 3 Network Protocol Attacks Roadmap Network security The

502 views • 39 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #2 Aug 25 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Economist Survey Please read it Main points Security is a MUCH

600 views • 27 slides
Legislative Audit Workshop Cybersecurity in the Year 2020 Jim Edman Chief Information Security

Legislative Audit Workshop Cybersecurity in the Year 2020 Jim Edman Chief Information Security

Legislative Audit Workshop Cybersecurity in the Year 2020 Jim Edman Chief Information Security Officer Miguel Penaranda Deputy CISO 5/19/2020 Critical Cyber Security Recommendations Backup Your Data Apply Automatic Updates &amp; Patches

655 views • 27 slides
DEFENDING DIGITAL BUSINESS AGAINST CYBER ATTACKS Presentation SAI 21/02/2019 Our Agenda 1

DEFENDING DIGITAL BUSINESS AGAINST CYBER ATTACKS Presentation SAI 21/02/2019 Our Agenda 1

www.nviso.be DEFENDING DIGITAL BUSINESS AGAINST CYBER ATTACKS Presentation SAI 21/02/2019 Our Agenda 1 Demo time 2 Threat actor groups 3 Nation states 4 Hacktivism 5 Organized cyber crime 6 The bad competitor 7 The Internet of

777 views • 42 slides
PORTFOLIO OF SERVICES Who is mrHouston? 360 Our story We have been maximizing our clients

PORTFOLIO OF SERVICES Who is mrHouston? 360 Our story We have been maximizing our clients

PORTFOLIO OF SERVICES Who is mrHouston? 360 Our story We have been maximizing our clients value for over 18 years. We are a key player in ICT management. Who we are Our multidisciplinary, highly qualified team is composed of 50 people.

402 views • 24 slides
Service Activity David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, Stefan

Service Activity David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, Stefan

Inferring Internet Denial-of- Service Activity David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, Stefan Savage Presented by Thangam Seenivasan &amp; Rabin Karki 1 Simple Question How prevalent are denial-of-service

886 views • 50 slides
The Superintendents Worst Fear ESC Region 1 Finance Advisory Council November 10

The Superintendents Worst Fear ESC Region 1 Finance Advisory Council November 10

The Superintendents Worst Fear ESC Region 1 Finance Advisory Council November 10 Superintendents Imagine having to notify parents or employees that their personal privacy has been violated!!!!!! Martin Yarborough BS, MEd, PhD (Tarleton

759 views • 55 slides
Not-a-Bot Improving Service Availability in the Face of Botnet Attacks Overview Introduction

Not-a-Bot Improving Service Availability in the Face of Botnet Attacks Overview Introduction

Not-a-Bot Improving Service Availability in the Face of Botnet Attacks Overview Introduction to the problem Architecture of NAB A way to attest human-generated traffic Use of attestation to mitigate presented problems Results

418 views • 25 slides
What is Cyber Crime? Cyber Enabled Crime Cyber Dependant Crime Traditional crime that is

What is Cyber Crime? Cyber Enabled Crime Cyber Dependant Crime Traditional crime that is

R egional C yber C rime U nit DC Louise Gibson Prepare, Prevent &amp; Protect What is Cyber Crime? Cyber Enabled Crime Cyber Dependant Crime Traditional crime that is enhanced in scale or Crimes that can only be committed solely reach by use

316 views • 9 slides
Obligations and Disputations Positio Burleys thesis An Obligational Sophism The Responsio

Obligations and Disputations Positio Burleys thesis An Obligational Sophism The Responsio

Obligations and Disputations Stephen Read Obligations Practice-based Philosophy of Logic and Disputations Walter Burley Obligational Mathematics, Amsterdam 31 Aug - 2 Sep 2009 Disputations The Responsio Antiqua Obligations and

1.62k views • 121 slides

More recommend