    Ids.bouvry: Presentation Transcript

    • Network Security Pascal Bouvry Faculty of Sciences, Technology and Communication University of Luxembourg
    • Plan
      • Overview of Intrusion Detection Systems (IDS)
        • Host and Network-based Detection
        • On-line and Off-line Detection
      • IDS Techniques
        • Misuse Detection / SNORT
        • Anomaly Detection / ANN, Artificial Immune Systems
      • Standard Networks (e.g. TCP/IP) vs. New Generation Networks (Self-Organizing Networks)
        • Trust Definition
        • Example: Trust based service enhancement
        • Goals of network security
    • Introduction
    • Network Security
      • Goals
        • Authentication
        • Confidentiality
        • Integrity
        • Access Control
        • Availability
      • From 2000 CSI/FBI Computer Crime and Security Survey of 643 US Organizations
        • 90% of respondents detected computer security breaches within last 12 months
        • 74% acknowledged financial losses due to computer breaches
        • 70% reported a variety of serious computer security breaches other than viruses, laptop theft, or “net abuse”
        • Quantified financial losses from 273 respondents totaled $265,589,940
        • “Case studies have shown that a vast majority of attacks originate from within an organization. In fact, some studies state that as much as 70% of all attacks from someone within an organization or from someone with inside information (such as an ex-employee).”
          • Chris Brenton, Mastering Network Security, c. 1999, SYBEX Network Press, p. 6.
    • IDS
    • CERT IODEF Incident Object Description and Exchange Format
    • Attacker’s tools
      • “Standard” tools
        • Scanner
        • Sniffer
        • Password crackers
      • Handmade tools exploiting vulnerabilities
        • Viruses
        • Trojan horses
        • Worms
        • Backdoors
      • Social Engineering (Phishing)
    • Outline of a standard attack
      • Gain access to a user account
      • Gain access to the root/super user rights
      • Replace binaries to set-up a back-door
      • Use the backdoor for illegal activities
    • Special attacks
      • Denial of Service (DoS) attacks
        • DoS attacks have one goal – to knock your service off the net.
          • Crash your host
          • Flood your host
          • Flood the network connecting to your host
    • Smurf DoS Attack
      • Send ping request to broadcast addr (ICMP Echo Req)
      • Lots of responses:
        • Every host on target network generates a ping reply (ICMP Echo Reply) to victim
        • Ping reply stream can overload victim
      Diagram (DoS examples, Dan Boneh): gateway, DoS Source, DoS Target; (1) ICMP Echo Request, Src: DoS Target, Dest: broadcast addr; (3) ICMP Echo Reply, Dest: DoS Target
    • TCP Handshake (diagram): C → S: SYN_C; S → C: SYN_S, ACK_C; C → S: ACK_S; states shown: Listening, Store data, Wait, Connected
    • TCP SYN Flood I: low rate (DoS bug)
      • Single machine:
        • SYN packets with random source IP addresses
        • Fills up the backlog queue on the server
        • No further connections possible
      Diagram: client C sends SYN C1, SYN C2, SYN C3, SYN C4, SYN C5 to server S
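Detection logic for the two DoS patterns on the Smurf and SYN-flood slides, written from the monitoring side. This is an added example, not code from the slides: the packet records are constructed, the record layout (timestamp, protocol, source, destination, flags) is an assumption standing in for a real capture, and the broadcast-address test assumes /24 networks.

```python
"""Heuristics a NIDS can run over packet headers to spot Smurf and SYN-flood traffic."""
from collections import defaultdict

# Constructed packet log: (timestamp, proto, src, dst, flags). Not a real capture.
PACKETS = [
    # Smurf: echo request to the broadcast address with the victim as spoofed source,
    # followed by every host on the segment replying to the victim.
    (0.0, "ICMP", "10.0.0.9", "10.0.0.255", "echo-request"),
    (0.1, "ICMP", "10.0.0.1", "10.0.0.9", "echo-reply"),
    (0.1, "ICMP", "10.0.0.2", "10.0.0.9", "echo-reply"),
    (0.1, "ICMP", "10.0.0.3", "10.0.0.9", "echo-reply"),
    (0.1, "ICMP", "10.0.0.4", "10.0.0.9", "echo-reply"),
    # Normal: one echo request and its single reply.
    (1.0, "ICMP", "10.0.0.5", "10.0.0.6", "echo-request"),
    (1.0, "ICMP", "10.0.0.6", "10.0.0.5", "echo-reply"),
    # SYN flood: SYNs from random sources and no ACK ever completes a handshake.
    (2.0, "TCP", "198.51.100.7", "10.0.0.20", "SYN"),
    (2.0, "TCP", "198.51.100.8", "10.0.0.20", "SYN"),
    (2.0, "TCP", "198.51.100.9", "10.0.0.20", "SYN"),
    (2.0, "TCP", "198.51.100.10", "10.0.0.20", "SYN"),
    (2.0, "TCP", "198.51.100.11", "10.0.0.20", "SYN"),
    # Normal: a complete three-way handshake.
    (3.0, "TCP", "10.0.0.5", "10.0.0.21", "SYN"),
    (3.0, "TCP", "10.0.0.21", "10.0.0.5", "SYN-ACK"),
    (3.0, "TCP", "10.0.0.5", "10.0.0.21", "ACK"),
]

BROADCAST_SUFFIX = ".255"  # assumption: /24 segments, directed broadcast ends in .255


def detect_smurf(packets, reply_threshold=3):
    """Flag the amplification trigger and the reply stream converging on one victim."""
    alerts = []
    for _ts, proto, src, dst, flags in packets:
        if proto == "ICMP" and flags == "echo-request" and dst.endswith(BROADCAST_SUFFIX):
            alerts.append(("broadcast-echo-request", src, dst))
    # Count distinct hosts replying to the same destination; a normal ping gets one reply.
    replies = defaultdict(set)
    for _ts, proto, src, dst, flags in packets:
        if proto == "ICMP" and flags == "echo-reply":
            replies[dst].add(src)
    for victim, senders in replies.items():
        if len(senders) >= reply_threshold:
            alerts.append(("echo-reply-amplification", victim, len(senders)))
    return alerts


def detect_syn_flood(packets, half_open_threshold=3):
    """Flag servers with many half-open connections (SYN seen, no ACK from that client)."""
    syns = defaultdict(set)
    acks = defaultdict(set)
    for _ts, proto, src, dst, flags in packets:
        if proto != "TCP":
            continue
        if flags == "SYN":
            syns[dst].add(src)
        elif flags == "ACK":
            acks[dst].add(src)
    alerts = []
    for server, clients in syns.items():
        half_open = clients - acks[server]
        if len(half_open) >= half_open_threshold:
            alerts.append(("syn-flood", server, len(half_open)))
    return alerts


if __name__ == "__main__":
    print(detect_smurf(PACKETS))
    print(detect_syn_flood(PACKETS))
```

Both detectors work on header fields only, which is why a NIDS can apply them to encrypted traffic as well; the thresholds are deliberately low for the toy log and would be tuned per network in practice.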
    • IDS: Placement
      • Host-based IDS (HIDS) and its problems:
        • Computationally expensive
        • No overview of network traffic (local scope)
      • Network-based IDS (NIDS) and its problems:
        • One-point of failure of entire network security
        • Requires dedicated hardware with high capabilities
        • Cannot verify encrypted traffic
    • IDS: Processing & Response
      • On-line Detection and its problems:
        • Less sophisticated detection methods
      • Off-line Detection
        • Delayed reaction
      • Passive response:
        • Defense system needs additional mechanisms to react for alarms
      • Active response:
        • Legal issues
    • Detailed network config
    • IDS: General problems
      • Efficiency
        • Packet loss
        • Alert data is very hard to analyze due to size and poor presentation
      • Accuracy
        • Variety of attacks
        • High amounts of false alarms
        • Constant change in the network environment
      • Tradeoff
    • Information Sources
      • Network traffic
        • Sampled
        • Whole
        • Features
      • Audit trail
        • User commands
        • System calls
        • Login information
        • Application usage
    • Data
      • A set of communication protocols
      • Source of information – headers of selected protocols:
        • IP, ICMP, TCP, UDP
    • IDS Approaches
      • Security assessment
        • Checklist of soft versions & patches
        • Change detection (hashes)
      • Misuse detection
        • Pattern/Signature recognition
        • Eg SNORT
      • Anomaly Detection
        • AIS
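The “Change detection (hashes)” item above, worked through as an added example (not from the slides): a baseline of SHA-256 digests is taken over a directory tree, and a later pass reports files whose content changed, disappeared or appeared, which is what catches the “replace binaries to set up a back-door” step of the standard attack outline. The directory tree and file contents are constructed inside a temporary directory.

```python
"""Host-side change detection: hash a tree once, then diff later hashes against it."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = hash_file(path)
    return baseline


def compare(baseline, current):
    """Report modified, removed and newly created files relative to the baseline."""
    changed = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    missing = sorted(k for k in baseline if k not in current)
    new = sorted(k for k in current if k not in baseline)
    return {"changed": changed, "missing": missing, "new": new}


def demo():
    """Constructed scenario: take a baseline, then simulate a trojaned binary."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"original login binary")
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary")
        baseline = build_baseline(root)

        # Simulated intrusion: login replaced, a hidden file dropped, ls deleted.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"backdoored login binary")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropped file")
        os.remove(os.path.join(root, "bin", "ls"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the monitored host cannot rewrite (read-only media or a remote store), otherwise the same intruder who replaces the binaries can refresh the digests.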
    • Signature-based - SNORT
    • Introduction to Snort
      • Snort is a:
        • packet sniffer
        • packet logger
        • Network IDS
      • Snort can act as a partial Host-based IDS
      • Snort sensors can be correlated to act as a Distributed IDS
    • Architecture (1)
      • Main goal is to monitor TCP/IP traffic
      • Additional functionality can be added via preprocessor and detection plugins
      • Output can be handled by different tools to analyze, correlate and visualise attack data
      Diagram: Ethernet → Packet Decoder → Preprocessors → Detection Engine → Output (+ Snort add-ons)
    • Architecture (2)
      • Network Architecture considerations:
      • NIDS placement requires knowledge of the network topology
      • Snort requires a lot of effort for fine-tuning to reduce the number of false alerts; knowledge of the monitored traffic is crucial
      • Switched networks and VLANs need a special approach
      • Snort needs to be secured due to its susceptibility to attacks
        • DoS (Stick, Snot)
        • Buffer overflow in RPC preprocessor
        • Integer overflow in stream reassembler
    • Detection Engine
      • Old detection engine is a three dimensional linked list of:
        • Rule headers: Src & Dst IP, Src & Dst Port, etc.
        • Rules: Detection function list, Metadata
        • Detection functions: Further specified parameters of signature
      Diagram: rule header (RH) nodes in a list, each pointing to a chain of rules (Rule 1, ...), each rule pointing to a chain of detection-function (Df) nodes
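A reduced model of the three-level detection engine just described (rule headers, rules, detection functions), as an added example that is not Snort's own code: it parses a few rules written in Snort's rule syntax, groups them by header so that a packet failing the header test skips that header's whole rule chain, and then evaluates the remaining options rule by rule. Only the itype, content and nocase options are implemented; the rules, their sids (local 1000000+ range) and the packets are constructed for the example.

```python
"""Toy signature engine: Snort-style rule headers -> rules -> option checks."""
import ipaddress
import re

# Constructed rules in Snort syntax; not from the slides or the Snort rule sets.
RULES = r'''
alert icmp any any -> any any (msg:"ICMP echo request"; itype:8; sid:1000001;)
alert tcp any any -> 10.0.0.0/24 80 (msg:"passwd access over HTTP"; content:"/etc/passwd"; sid:1000002;)
alert tcp any any -> 10.0.0.0/24 80 (msg:"cmd.exe over HTTP"; content:"cmd.exe"; nocase; sid:1000003;)
'''

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_options(text):
    """'msg:"x"; itype:8; nocase; sid:1;' -> [('msg','x'), ('itype','8'), ('nocase',''), ('sid','1')]"""
    opts = []
    for item in text.split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts.append((key.strip(), val.strip().strip('"')))
    return opts


def parse_rules(text):
    """Group rules under their header, mirroring the header -> rule chain layering."""
    headers = {}
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        action, proto, sip, sport, dip, dport, opts = m.groups()
        key = (action, proto, sip, sport, dip, dport)
        headers.setdefault(key, []).append(parse_options(opts))
    return headers


def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def header_matches(header, pkt):
    _action, proto, sip, sport, dip, dport = header
    return (pkt["proto"] == proto
            and addr_matches(sip, pkt["src"]) and port_matches(sport, pkt["sport"])
            and addr_matches(dip, pkt["dst"]) and port_matches(dport, pkt["dport"]))


def options_match(opts, pkt):
    """Detection functions: every option of the rule must hold for the packet."""
    nocase = any(k == "nocase" for k, _ in opts)
    for key, val in opts:
        if key == "itype" and pkt.get("itype") != int(val):
            return False
        if key == "content":
            hay, needle = pkt["payload"], val.encode()
            if nocase:
                hay, needle = hay.lower(), needle.lower()
            if needle not in hay:
                return False
    return True


def match(headers, pkt):
    """Return (sid, msg) for every rule whose header and options both match."""
    hits = []
    for header, rules in headers.items():
        if not header_matches(header, pkt):
            continue  # one failed header test skips this whole rule chain
        for opts in rules:
            if options_match(opts, pkt):
                meta = dict(opts)
                hits.append((meta["sid"], meta["msg"]))
    return hits


# Constructed packets: decoded header fields plus payload bytes.
PACKETS = [
    {"proto": "icmp", "src": "10.0.0.9", "dst": "10.0.0.255", "sport": 0, "dport": 0,
     "itype": 8, "payload": b""},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.20", "sport": 40000, "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.0"},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.20", "sport": 40001, "dport": 80,
     "payload": b"GET /scripts/CMD.EXE HTTP/1.0"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.21", "sport": 40002, "dport": 80,
     "payload": b"GET /index.html HTTP/1.0"},
]


def scan(packets=PACKETS, rules=RULES):
    headers = parse_rules(rules)
    return [match(headers, p) for p in packets]


if __name__ == "__main__":
    for pkt, hits in zip(PACKETS, scan()):
        print(pkt["src"], "->", pkt["dst"], hits)
```

The header grouping is where the engine saves work: the two HTTP rules share one header, so a non-HTTP packet costs a single header comparison rather than one per rule, which is exactly the cost model the hardware and multi-threading contributions listed later try to optimise further.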
    • Contributions (1)
      • Chih-Chiang Wu, Sung-Hua Wen and Nen-Fu Huang (2006), “Smart Architecture for High-Speed Intrusion Detection and Prevention Systems”
        • hardware-based pattern matching analyzed with Snort rules as example
      • S. Yusuf, W. Luk, M. K. N. Szeto and W. Osborne (2006), “UNITE: Uniform Hardware-Based Network Intrusion deTection Engine”
        • translation of the Snort ruleset into a hardware-based packet classification architecture
      • Sushant Sinha, Farnam Jahanian and Jignesh M. Patel (2006), “WIND: Workload-Aware INtrusion Detection”
        • optimization of the detection engine by changing packet matching mechanisms
      • Bart Haagdorens, Tim Vermeiren and Marnix Goossens (2005), “Improving the Performance of Signature-Based Network Intrusion Detection Sensors by Multi-threading”
        • novel designs for a multi-threaded NIDS sensor and performance evaluation figures for a number of multi-threaded implementations of Snort
      • Lingjuan Li, Wenyu Tang and Ruchuan Wang (2005), “A CBR Engine Adapting to IDS”
        • Case Based Reasoning is used to construct a detection engine that deals with the variation of known attacks and reduces the false negative rate in rule-based IDS; then applied to Snort
    • Contributions (2)
      • Geng Yang, Chunming Rong and Yunping Dai (2004), “A Distributed Honeypot System for Grid Security”
        • a distributed honeypot model using Snort
      • Chi-Hung Chi, Ming Li and Dongxi Liu (2004), “A Method to Obtain Signatures from Honeypots Data”
        • a scheme to automatically construct Snort rules based on data captured by honeypots online
    • Shortcomings of this approach
      • Genetic Programming (GP) in evolving network attacks (Kayacik, Heywood, Zincir-Heywood)
      • The ID problem has been tackled by gathering information about all possible attacks
      • Relying on third-party signatures can be insufficient (known attacks only)
      • IDS signatures can be prepared at once, for all variants of a given attack
      • Over 2000 versions of attacks were developed that were successful against Snort IDS
      • Remarks:
      • IDS can stay in constant dynamics, trying to find gaps in itself
      • Set of signatures can be easily extended
      • Udo Payer, Peter Teufl and Mario Lamberger (2005), “Hybrid Engine for Polymorphic Shellcode Detection”
        • a NN-based anomaly detection engine has been reinforced with data mining, trained and implemented as a Snort plugin
    • Anomaly Detection
    • Approaches
      • Statistical Methods
        • Multivariate Statistical Analysis
        • SVD (Singular Value Decomposition) / time-patterns
      • Artificial Neural Networks
        • multi-layered perceptron
      • Artificial Immune Systems (AIS)
    • AIS: Paradigms
      • Self/Non-Self
      • Clonal Selection and Hypermutation
      • Immune Network Models
      • Danger Theory
    • Terms (1) Construction and shape space
    • Terms (2) Affinity and match
    • AIS: Self - Nonself
      • The immune system has the ability to tell the difference between its own structures and foreign ones. The Self – Nonself paradigm originates from this observation. It is inspired by the antibody (T-cell) generation mechanism.
      • Negative selection algorithm (Forrest)
        • Define Self as a set of objects to be monitored
        • Generate a set of individuals (detectors) that match no objects from Self
        • Continuously monitor Self for changes
      • When a match occurs, a change to Self has been made, which indicates an anomalous situation.
    • AIS: Self – Nonself (2)
    • AIS (Seredynski/Bouvry)
    • Generation of antibodies (GA)
      • Individual:
        • Pair of vectors, low and high, defining interval levels for every measured parameter;
        • Normalized to [0,1]^n space;
      • Fitness calculation:
        • Coverage of self structures
        • Volume of detector
        • Coverage of developed detectors
    • Results on MIT data set (figures: sliding window size = 1 and sliding window size = 3)
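The negative selection algorithm and the interval-detector representation from the slides above, as an added example (not the Seredynski/Bouvry implementation). Detectors are pairs of low/high vectors in [0,1]^n; a candidate that contains any self sample is rejected (negative selection), and the survivors are scored by their volume minus their overlap with detectors already accepted, which covers the three fitness terms listed. Random generation with best-of-pool selection stands in for the GA, and the self set, probe points and feature meaning are constructed assumptions, not the MIT data.

```python
"""Real-valued negative selection with interval (hyper-rectangle) detectors."""
import random

# Constructed "self" set: normalized feature vectors of normal traffic, e.g.
# (packet rate, distinct destinations) scaled to [0,1]^2. Assumed values.
SELF = [(x / 10, y / 10) for x in (1, 2, 3) for y in (1, 2, 3)]
# Constructed non-self probe points far from the self cluster.
PROBES = [(0.9, 0.9), (0.9, 0.1), (0.1, 0.9), (0.5, 0.5), (0.7, 0.3)]


def in_box(sample, low, high):
    """A detector matches a sample when every coordinate lies inside its interval."""
    return all(lo <= x <= hi for x, lo, hi in zip(sample, low, high))


def volume(low, high):
    v = 1.0
    for lo, hi in zip(low, high):
        v *= max(0.0, hi - lo)
    return v


def overlap(a, b):
    """Volume of the intersection of two detectors a=(low, high), b=(low, high)."""
    low = [max(x, y) for x, y in zip(a[0], b[0])]
    high = [min(x, y) for x, y in zip(a[1], b[1])]
    return volume(low, high)


def fitness(det, self_set, detectors):
    """Negative: covers self. Otherwise: own volume minus overlap with accepted detectors."""
    low, high = det
    if any(in_box(s, low, high) for s in self_set):
        return -1.0
    return volume(low, high) - sum(overlap(det, d) for d in detectors)


def random_detector(dims, rng, max_width=0.4):
    low, high = [], []
    for _ in range(dims):
        w = rng.uniform(0.05, max_width)
        lo = rng.uniform(0.0, 1.0 - w)
        low.append(lo)
        high.append(lo + w)
    return (low, high)


def generate_detectors(self_set, dims, count, candidates=200, seed=1):
    """Best-of-pool search (stand-in for the GA): keep a candidate only if fitness > 0."""
    rng = random.Random(seed)
    detectors = []
    for _ in range(count):
        pool = [random_detector(dims, rng) for _ in range(candidates)]
        score, best = max(((fitness(d, self_set, detectors), d) for d in pool),
                          key=lambda t: t[0])
        if score > 0:
            detectors.append(best)
    return detectors


def is_anomalous(sample, detectors):
    """Monitoring phase: any detector match means self has changed."""
    return any(in_box(sample, lo, hi) for lo, hi in detectors)


def demo():
    detectors = generate_detectors(SELF, 2, count=60)
    return {
        "detectors": len(detectors),
        "self_flagged": sum(is_anomalous(s, detectors) for s in SELF),
        "probes_flagged": sum(is_anomalous(p, detectors) for p in PROBES),
    }


if __name__ == "__main__":
    print(demo())
```

By construction no detector ever matches a self sample, so false positives can only come from self samples that were missing from the training set; coverage of non-self space (how many probes get flagged) is what the volume and overlap terms of the fitness are buying.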
    • AIS: Clonal selection
      • Inspired by the adaptive immunologic response
      • Choosing of the best individuals; affinity threshold must be exceeded
      • Cloning of the best individuals; number of clones corresponds to accuracy
      • Rapid and radical changes in created individuals
    • AIS: Immune networks
      • Hypothesis of Jerne – antibodies of the immune system can stimulate and suppress each other, creating an idiotypic network. Antibodies present the same type of recognizable elements as pathogenic structures. The immune system is a network of antibodies reacting with each other.
    • AIS: Danger Theory (1)
      • The immune system treats many foreign elements of the surrounding world as self, i.e. air, food, transplants. Additionally, the immune system sometimes attacks structures that are defined as self (autoimmune diseases). The notion of danger signals that induce the immune response has been introduced by Matzinger.
      • The immune system detects the presence of danger signals released by cells dying in unnatural circumstances (necrosis, due to damage, infection, extreme conditions).
      • Danger signals raise the alert level of the immune system, causing its response.
      • When cells die in a natural way (apoptosis), they release safe signals, suppressing offensive actions of the immune system.
    • AIS: Danger Theory ( 2 )
      • Maturation phase
        • Dendritic Cell (DC) resides inside the tissue
        • DCs collect necrosis and apoptosis signals sent by surrounding cells
        • DC remains in this stage until a certain amount of time has passed or a certain amount of signals has been received
      • Presentation phase
        • DC matures
        • Semi-matured DC presents signals that suppress the immune response
        • Matured DC presents signals that stimulate the immune response; additionally it changes its shape to better present the malicious structures it encountered
    • AIS: Danger theory ( 3 )
      • Danger Theory approach (Aickelin, Greensmith, Twycross)
      • Area: Anomaly, NIDS, online analysis
      • Dendritic Cell (DC) is introduced as a sensor collecting both safe and danger signals. It matures after a certain amount of time and, depending on the situation, it activates or suppresses the immune response. The Dendritic Cell Algorithm (DCA), using the Danger Theory approach, is proposed as follows:
        • Create pool of DC’s
        • For each data sample
          • Choose subset from pool
          • For each DC in subset
            • Present data to DC
            • If DC matures as danger-stimulatory then send danger signal
            • create new DC
            • Else if DC matures as danger-suppressive then send safe signal
          • If number of safe signals > number of danger signals then data is normal
          • Else data is abnormal
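The DCA pseudocode above, worked as an added example (not the Aickelin/Greensmith/Twycross implementation). It keeps the slide's structure: a pool of DCs, a subset chosen per data sample, maturation after a fixed number of presentations, a safe or danger context decided by which accumulated signal dominates, and a safe-vs-danger vote per sample. Two details are my assumptions: the subset is chosen round-robin so the run is deterministic, and each DC labels every sample it collected when it matures (cells still immature at the end of the stream are matured then), so no sample is left without a vote. The signal values are constructed.

```python
"""Simplified Dendritic Cell Algorithm over a stream of (safe, danger) signal pairs."""
from collections import defaultdict


class DendriticCell:
    """Accumulates safe/danger signal while collecting samples, then matures."""

    def __init__(self, lifetime):
        self.lifetime = lifetime  # presentations before maturation
        self.safe = 0.0
        self.danger = 0.0
        self.seen = []            # indices of samples presented to this cell

    def present(self, idx, safe_signal, danger_signal):
        self.safe += safe_signal
        self.danger += danger_signal
        self.seen.append(idx)

    def matured(self):
        return len(self.seen) >= self.lifetime

    def context(self):
        # fully matured (danger) or semi-matured (safe) presentation
        return "danger" if self.danger > self.safe else "safe"


def dca(samples, pool_size=6, subset_size=3, lifetime=3):
    """samples: list of (safe_signal, danger_signal); returns 'normal'/'abnormal' per sample."""
    pool = [DendriticCell(lifetime) for _ in range(pool_size)]
    votes = defaultdict(lambda: {"safe": 0, "danger": 0})
    start = 0
    for idx, (safe_sig, danger_sig) in enumerate(samples):
        # Choose subset from pool: a round-robin window (assumption, for determinism).
        subset = [pool[(start + k) % pool_size] for k in range(subset_size)]
        start = (start + subset_size) % pool_size
        for dc in subset:
            dc.present(idx, safe_sig, danger_sig)
            if dc.matured():
                ctx = dc.context()
                for seen in dc.seen:  # matured DC sends its signal for every sample it saw
                    votes[seen][ctx] += 1
                pool[pool.index(dc)] = DendriticCell(lifetime)  # create new DC
    # Cells still immature when the stream ends mature now, so every sample gets votes.
    for dc in pool:
        if dc.seen:
            ctx = dc.context()
            for seen in dc.seen:
                votes[seen][ctx] += 1
    # Slide rule: safe signals > danger signals -> normal, else abnormal.
    return ["normal" if votes[i]["safe"] > votes[i]["danger"] else "abnormal"
            for i in range(len(samples))]


# Constructed signal pairs: e.g. safe = completed handshakes, danger = errors/half-open.
NORMAL_SAMPLE = (1.0, 0.2)
ATTACK_SAMPLE = (0.2, 1.0)


def demo():
    clean_then_attack = dca([NORMAL_SAMPLE] * 6 + [ATTACK_SAMPLE] * 6)
    attack_mid_window = dca([NORMAL_SAMPLE] * 5 + [ATTACK_SAMPLE] * 3)
    return clean_then_attack, attack_mid_window


if __name__ == "__main__":
    for run in demo():
        print(run)
```

The second run in demo() shows the cost of temporal smoothing: the cells that collected the first attack sample had already seen two normal ones, so that sample is still voted normal and the alarm starts one sample late. This is the trade the DCA makes against the per-packet false alarms of a stateless rule.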
    • IDS Conclusion
      • Misuse detection (pattern/signature recognition) is widely used but is clearly not sufficient
        • Reactive approach
        • The database of patterns needs to be updated
        • Packet loss may result in false negative errors
      • Anomaly detection based on statistics/heuristics lacks clear proof of efficiency but is already part of existing tools
        • Large false-positive rate
        • Training data needed
        • The statistical profile changes in time
      • IDS and Attacks co-evolve
    • Self organizing networks
    • Types of ad hoc networks (figure: PKI)
    • Network properties
      • Ad hoc networks are likely to be formed with small devices like laptops, PDAs, or smartphones that rely on batteries, so energy conservation is an important issue
      • Nodes can also move, which means that the topology of such a network may change quickly in an unpredictable way
      • No fixed architecture like base stations in traditional cellular networks or access points in wireless LANs
      • Routing functionality is incorporated into mobile nodes
      • Devices can directly communicate with each other only when they are located in their radio range. Otherwise, intermediate nodes should be used to forward packets (multi-hop communication)
      • Wireless network (figure)
    • Network properties: multi-hop communication
      • Let’s suppose that node A wants to communicate with node M. It should do the following:
        1. find a route (using a routing protocol)
        2. send packets using the path found by the routing protocol
      • In source routing protocols the sender specifies the full path to the destination. In the presented example, the path from node M to node A includes nodes L-H-E
    • Trust Management
    • Definitions: trust
      • D. Gambetta defines trust in terms of mathematics as follows:
      • Trust (or, symmetrically, distrust) is a particular level of the subjective probability with which an agent assesses that another agent or group of agents will perform a particular action, both before he can monitor such action (or independently of his capacity ever to be able to monitor it) and in a context in which it affects his own action.
      • When we say we trust someone or that someone is trustworthy, we implicitly mean that the probability that he will perform an action that is beneficial or at least not detrimental to us is high enough for us to consider engaging in some form of cooperation with him. Correspondingly, when we say that someone is untrustworthy
    • Selfish and malicious misbehavior
      • What causes non-cooperation?
        • Selfishness: save energy
        • Malice: damage the network
        • Need of power saving, temporary node/communication failures
      • PROBLEM: How to distinguish a real need of power saving or a temporary failure from selfish behavior, fault tolerance...?
    • Security related issues
    • Case study: routing
    • Sending various types of packets:
      • Own packets – node is a source of such packets
        • goal: use the most reliable path
      • Transit packets – packets forwarded on behalf of other nodes
        • spending energy for “helping others”
    • What is a selfish behavior?
      • Power consumption of a typical IEEE 802.11 wireless network card
      • Two ways of saving the energy:
        • discard traffic
        • sleep mode (best)
      Figures: power consumption in different modes; example of a packet discard
    • Nature of wireless communications:
      • Node A can overhear communication between nodes B and C:
        • watchdog mechanism
        • a way of controlling the neighborhood (“is node B actually forwarding packets?…”)
      Figure: multihop communication
    • Why is selfish behavior bad for the network?
      • The correct operation of the network requires not only the correct execution of critical network functions by each participating node but it also requires that each node performs a fair share of the functions. No classical security mechanism can help counter a misbehaving node in this context.
      • Selfishness leads to lack of cooperation in the network (loss of throughput)
    • Definitions: activity
      • Activity describes how often a node is available for routing purposes. Nodes joining the network or nodes spending a lot of time in sleep mode will have lower activity levels.
      Figure: power consumption in different modes
    • Proposed Approach
    • How to cope with selfishness?
      • Solution: enforce cooperation based on trust and activity
      • This approach enforces cooperation because selfish nodes will not be able to use the network for their own purposes (because of their bad reputation or low activity)
      • The scheme:
        1. Each node collects reputation data concerning the behavior of network participants
        2. Using reputation data, the trust and activity of other known nodes can be calculated
        3. When a node receives a packet that should be forwarded, it first checks the trust and activity levels of the source of the packet (original sender)
        4. If such a packet comes from a non-trusted or not active node, then it is very likely that it is going to be discarded
    • Overview (figure: Genetic Algorithm, a search tool)
    • Game based model of the behavior of the network
      • Network: numerous games being played in which some nodes send packets and some others are asked to forward the packets (and can either drop or forward them)
      • Similar to the iterated Prisoner's Dilemma under the Random Pairing game
      • For each behavior nodes receive payoffs
    • Reputation and Trust evaluation
    • Definition of the game
      • Game participants: source node and all intermediate nodes
    • Consequences of nodes decision represented by payoffs
      • After each game, all its participants receive payoffs
      • Two payoff tables are defined
        • For source node
        • For intermediate nodes
    • Node and its “forwarding” strategy
      • What is the forwarding request strategy based on ?
        • trust level to the source node
        • activity level of the source node
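The trust-and-activity forwarding scheme, the watchdog observation and the game payoff structure from the slides above, combined into one added simulation (not the authors' model or code). The payoff values, the thresholds and the network of three normal nodes plus one constantly selfish node are constructed assumptions; the slides evolve the strategy thresholds with a GA, here they are fixed. One design choice is mine: an observer records a drop as misbehaviour only when it would itself have served that packet's source, so a node that refuses to relay for a distrusted node is not punished for doing so.

```python
"""Forwarding game with watchdog-based reputation, trust and activity checks."""
from collections import defaultdict

# Constructed payoff tables: the slides define one table for the source and one for
# intermediate nodes but give no values; these numbers are assumptions.
SOURCE_PAYOFF = {"delivered": 3, "dropped": -1}
RELAY_PAYOFF = {"forward": -1, "drop": 0}   # forwarding spends energy, dropping is free


class Node:
    def __init__(self, name, selfish=False, activity=1.0,
                 trust_threshold=0.5, activity_threshold=0.3):
        self.name = name
        self.selfish = selfish           # constantly selfish: never forwards transit packets
        self.activity = activity         # share of time the node is awake for routing
        self.trust_threshold = trust_threshold
        self.activity_threshold = activity_threshold
        self.reputation = defaultdict(lambda: [0, 0])   # name -> [forwarded, dropped]
        self.payoff = 0

    def trust_in(self, other):
        """Trust = observed forwarding ratio; neutral (0.5) until there is evidence."""
        fwd, drp = self.reputation[other.name]
        return 0.5 if fwd + drp == 0 else fwd / (fwd + drp)

    def would_serve(self, source):
        """The strategy from the slides: trust level and activity level of the source."""
        return (self.trust_in(source) >= self.trust_threshold
                and source.activity >= self.activity_threshold)

    def decide(self, source):
        return (not self.selfish) and self.would_serve(source)

    def observe(self, relay, source, forwarded):
        """Watchdog: overheard behaviour updates reputation data about the relay."""
        if forwarded:
            self.reputation[relay.name][0] += 1
        elif self.would_serve(source):
            # Only a drop the observer itself would not have made counts as misbehaviour.
            self.reputation[relay.name][1] += 1


def play(source, relay, watchers):
    """One game: source asks relay to forward; everyone in range overhears the outcome."""
    forwarded = relay.decide(source)
    relay.payoff += RELAY_PAYOFF["forward" if forwarded else "drop"]
    source.payoff += SOURCE_PAYOFF["delivered" if forwarded else "dropped"]
    for w in watchers:
        if w is not relay:
            w.observe(relay, source, forwarded)
    return forwarded


def make_network():
    # Constructed network: three normal players and one constantly selfish player.
    return [Node("A"), Node("B"), Node("C"), Node("S", selfish=True)]


def simulate(nodes, rounds):
    """Every node in turn sends one packet through each other node; all nodes overhear."""
    for _ in range(rounds):
        for source in nodes:
            for relay in nodes:
                if relay is not source:
                    play(source, relay, nodes)
    return {n.name: n.payoff for n in nodes}


if __name__ == "__main__":
    net = make_network()
    print(simulate(net, 10))
    print({n.name: round(net[0].trust_in(n), 2) for n in net[1:]})
```

After ten rounds every normal node has a positive payoff and the selfish node a negative one: from the fourth game of the first round onwards nobody forwards its packets, which is the "denying service to non-cooperative nodes" of the conclusions. A node with activity below the threshold is refused in the same way even when it is trusted, which is why the slides list activity as a separate input of the strategy.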
    • Strategy: details
    • Tournament: evaluation of strategies
      • Each player (node) is using a strategy.
      • The evolution scheme:
        1. Play in all tournament environments
        2. Evaluate all strategies
        3. Evolve strategies using a genetic algorithm
      Figure: simulation of different network conditions
    • Experiments
    • Test parameters
      • Evolved strategies depend on the specified deployment context
      • Test environments (TE): different proportion between normal and selfish players (CSN)
      • Four test cases
    • The evolution of cooperation
    • Cooperation level: details
      • Example: 100 players (strategies): normal players (NP) and never-forwarding “constantly selfish players” (CSP)
      • Cooperation level in different environments
      • Response to forwarding requests
      • Evolved strategies
    • Conclusions
      • The correct operation of the network requires some level of cooperation of its participants
      • There are several reasons for potential non-cooperative behavior; the main one is the need of battery saving
      • The solution to selfish behavior: enforce cooperation by denying service to non-cooperative nodes, cooperate only with nodes you trust
      • We proposed a game theoretic model of an ad hoc network together with the notion of trust and strategies
      • We showed how such strategies can be evolved using GA
    • Conclusion
    • Conclusion & Perspectives
      • We have some tools for securing networks, but this is definitely not enough! The race with attackers will continue.
      • New generation of networks bring new fundamental issues!
      • Things to come:
        • P2P IDS
        • Hybrid networks
        • Trust management
    • Thank you! Questions?