Resilient Networks
Missouri S&T University CPE 6510

Network Security Attacks

Egemen K. Çetinkaya
Department of Electrical & Computer Engineering
Missouri University of Science and Technology
http://web.mst.edu/~cetinkayae/teaching/CPE6510Spring2017

23 March 2017 rev. 17.0 © 2014–2017 Egemen K. Çetinkaya

Network Security Attacks: Outline

• Overview

• Security flaw taxonomy

• Denial of service attacks

Network Security Attacks: Overview

Security Overview: Definition

• Security

– property of a system and measures taken

– protect itself from unauthorized access or change

– subject to policy

Security Overview: Relationship to Resilience Disciplines

[Figure: relationship of security to the resilience disciplines. Labels: robustness, complexity; challenge tolerance (survivability: fault tolerance of few random failures, many targeted failures; traffic tolerance: legitimate flash crowd, attack DDoS; disruption tolerance: environmental, delay, mobility, connectivity, energy); trustworthiness (dependability: reliability, maintainability, safety; security: nonrepudiability, confidentiality, availability, integrity, AAA: auditability, authorisability, authenticity; performability: QoS measures).]

Security: Vulnerability

• Vulnerability

– flaw or weakness in system

– design, implementation, controls, operation, or management

– could be exploited

– to violate security policy

[CNSS-4009-2006] [S2007]

note relation to definition with respect to faults

– internal fault that allows an external fault to cause an error [Laprie-1994], [ALR+2004]

Security: Threats

• Threat

– entity, circumstance, capability, action, or event

– with potential to violate security and cause harm

[CNSS-4009-2006] [S2007]

– potential challenge that might exploit a vulnerability

Security: Threat Analysis

• Threat analysis

– examination of information and analysis of actions

– to identify potential threats

– identifying probability of occurrence and consequences

[CNSS-4009-2006] [S2007]

Security: Challenges

• Challenge: adverse event or condition that might

– violate security policy including availability

– impact dependability

– impact performability

three aspects of trustworthiness

Security: Attackers

• Adversary?

– entity that attacks a system

• Cracker? (also spelled kracker)

– someone who tries to break into someone else’s system

• Hacker? (cracker ≠ hacker)

– someone who works on computers and makes cool things

• Intruder?

– entity that tries to gain unauthorized access

• Packet monkey? (deprecated)

– someone who floods a system to cause a DoS condition

• Script kiddy?

– someone who uses existing scripts but is not innovative

[S2007]

Security: Motivation for Attackers

• Experimental curiosity e.g. Morris Worm 1988

• Pride and power

• Commercial advantage

• Extortion and criminal gain

• Random protest e.g. similar to Unabomber in 1980s

• Political protest e.g. Anonymous hacktivists

• Terrorism e.g. Al-Qaeda

• Cyber warfare e.g. Stuxnet

[WPS+2003]

Security Flaws: Bug and Flaw

• Bug

– inadvertently introduced security flaw in a program

• Flaw

– part of a program that can cause security violation

– can be inserted:

• intentionally

• accidentally

• Flaws correspond to faults [LBM+1994]

Security Flaws: Malicious Logic

• Malicious logic

– hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose

• Examples

– trapdoor

– Trojan horse

– logic bomb

– virus

– worm

• Malware: a contraction of malicious software

– deprecated term

[S2007]

Security Flaws: Trapdoor

• Trapdoor (also known as backdoor)

– computer system feature that provides access to resources

– usually hidden or not well-known

– can be:

• an unintentional flaw

• a mechanism deliberately installed by the system's creator

• a mechanism surreptitiously installed by an intruder (spyware)

• spyware usage is slang and deprecated

• Maintenance hook

– special instructions in software allowing easy maintenance and additional feature development

– should be removed in live implementation

[S2007]

Security Flaws: Cryptographic Trapdoor Function

• Trapdoor function (aka: trap-door one-way function)

– easy to compute in one direction, difficult in opposite

• Example 1:

– consider padlock and key

– locking is easy, does not require key

– to unlock, you need the key – trapdoor information

• Example 2:

– 133 is product of two prime numbers. What are they?

– if the trapdoor information is 19

– the other prime number is …


[DH1976]
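
The following is an added example, not part of the original slides: it works the slide's n = 133 case in Python and then goes one step further to a toy RSA key, to show why knowing one prime factor is the trapdoor. The function names, the public exponent e = 5 and the sample message are assumptions chosen for illustration.

```python
# Added illustration (not from the lecture slides): the n = 133 example,
# carried through to a toy RSA key. All function names are hypothetical.
from __future__ import annotations

from math import isqrt


def factor_by_trial_division(n: int) -> tuple[int, int, int]:
    """Hard direction without the trapdoor: search for a factor.

    Returns (p, q, divisions_tried). The search cost grows with sqrt(n),
    i.e. exponentially in the bit length of n.
    """
    tried = 0
    for candidate in range(2, isqrt(n) + 1):
        tried += 1
        if n % candidate == 0:
            return candidate, n // candidate, tried
    raise ValueError(f"{n} has no non-trivial factors")


def factor_with_trapdoor(n: int, known_prime: int) -> tuple[int, int]:
    """With the trapdoor information (one prime factor): a single division."""
    if known_prime <= 1 or n % known_prime != 0:
        raise ValueError("trapdoor value is not a factor of n")
    return known_prime, n // known_prime


def rsa_private_exponent(n: int, e: int, known_prime: int) -> int:
    """Knowing a factor of n is what lets the key owner invert RSA."""
    p, q = factor_with_trapdoor(n, known_prime)
    phi = (p - 1) * (q - 1)
    # Modular inverse of e; raises ValueError if gcd(e, phi) != 1.
    return pow(e, -1, phi)


def demo() -> dict:
    # n and the trapdoor value come from the slide; e is an assumption.
    n, trapdoor, e = 133, 19, 5
    search = factor_by_trial_division(n)
    d = rsa_private_exponent(n, e, trapdoor)
    message = 10                        # constructed sample plaintext, < n
    ciphertext = pow(message, e, n)     # easy direction: needs only (n, e)
    recovered = pow(ciphertext, d, n)   # inverse is easy only with d
    return {
        "search": search,
        "trapdoor": factor_with_trapdoor(n, trapdoor),
        "d": d,
        "ciphertext": ciphertext,
        "recovered": recovered,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

At this size the search is trivial; the asymmetry only becomes a security property when the primes are hundreds of digits long.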

Security Flaws: Trojan Horse

• Trojan horse

– a computer program that appears to have a useful function

– but also has a hidden and potentially malicious function that

– evades security mechanisms

• Almost any malicious code is a Trojan

– since malicious code needs to be disguised

[S2007]

[http://en.wikipedia.org/wiki/Trojan_Horse]

Security Flaws: Logic Bomb

• Logic bomb (or time bomb)

– malicious logic activates when specified conditions are met

• time or event triggers detonation

• otherwise remains dormant

– usually intended to cause denial of service

• crash system

• delete files

• degrade system response time

• Some cases resulting in imprisonment

– http://en.wikipedia.org/wiki/Logic_bomb

[S2007]

Security Flaws: Virus

• RFC 4949 [S2007]

– self-replicating computer software infecting another program

• usually hidden and malicious logic

– a virus cannot run by itself

• host program must be run to make the virus active

• Scholarly papers [QW2005]

– “A virus is a piece of code that adds itself to other programs, including operating systems. It cannot run independently—it requires that its ‘host’ program be run to activate it.”

• Symantec [http://www.symantec.com/docs/TECH98539]

– it must execute itself

– it must replicate itself

Security Flaws: Notable Viruses

• File infector viruses

– infect executable code (.exe files); e.g. Jerusalem, Cascade

• Boot sector viruses

– infect the system area of a disk; e.g. Michelangelo, Stoned

• Master boot record viruses

– memory resident viruses; e.g. AntiExe, Unashamed

• Multipartite viruses

– infect boot records & program files; e.g. Anthrax, Tequilla

• Macro viruses

– infect data files; e.g. W97M.Melissa, WM.NiceDay

[http://www.symantec.com/docs/TECH98539]

Security Flaws: Viruses Taxonomy

• Target formats

– executable viruses or document viruses

• Target component or device

– boot or device driver viruses

• note that BIOS viruses fall under boot sector (boot viruses)

• Programming language

– assembly, source code, script viruses

• Nature of the final payload

– spy, corruption, deletion, destruction viruses

• Operation

– combined viruses, psychological viruses (hoaxes, jokes)

[F2005]

Security Flaws: Worm

• RFC 4949 [S2007]

– a computer program that can run independently

– can propagate a complete working version of itself

– may consume system resources destructively

• Symantec [http://www.symantec.com/docs/TECH98539]

– worms are programs that replicate themselves

– do not require a host file

• virus requires spreading of an infected host file

– worms generally exist inside of other files

• often Word or Excel documents

– usually worms release a document that is already infected

• the entire document will travel from computer to computer

Security Flaws: Notable Worms

• E-mail worms – also utilize IRC, AOL IM, MSN, P2P

– Christmas Tree, 1987

– Nimda, 2001

• Windows file sharing worms

– ExploreZip, 1999

• Traditional worms

– Morris, 1988

– Code Red, 2001

– Slammer, 2003

[KE2003]

Network Security Attacks: Security Flaw Taxonomy

Security Flaws: Taxonomy

• Taxonomies establish common language

• Many taxonomies exist today

[HH2005]

[L2002]

Security Flaws: Taxonomy

• Genesis

• Time of introduction

• Location

[LBM+1994]

Security Flaw Taxonomy: Genesis

• Intentional

– malicious

• e.g. Trojan horse, trapdoor, logic bomb

– non-malicious

• e.g. covert channel

• Inadvertent

– validation error

– domain error

– serialization/aliasing

– inadequate identification/authentication

– boundary condition violation

[LBM+1994]

Security Flaw Taxonomy: Time of Introduction

• During development

– requirement/specification/design

– source code

– object code

• During maintenance

• During operation

[LBM+1994]

Security Flaw Taxonomy: Location

• Software

– operating system

• system initialization

• memory management

• process management/scheduling

• device management

• file management

• identification/authentication

– support

• privileged utilities

• unprivileged utilities

– application

• Hardware

[LBM+1994]

Taxonomy: Passive and Active Attacks

• Passive attacks

– attempts to learn or make use of the information

– but does not impact system resources

– difficult to detect

• Examples

– wiretapping

• telephone conversations

• e-mails

– traffic analysis

• Encryption is a defensive mechanism

• Active attacks

– modify the existing communication

– insertion of false information in the communication

– difficult to prevent

• Examples

– replay

– masquerade

– modification of messages

– denial of service

[S2014]

Taxonomy: Origin of Attacks

• Insider attacks

– initiated by an entity inside the security perimeter

– difficult to penetrate into the organization but easier to launch the attack; can be costly

• Outsider attacks

– initiated by an entity outside of the security perimeter

[S2014]

Network Security Attacks: Denial of Service Attacks

Denial of Service: Introduction

• Service

– system behavior as perceived by the system user [L1994]

• DoS – Denial of Service

– explicit attempt to prevent the legitimate use of a service

• DDoS – Distributed Denial of Service

– deploys multiple attacking entities

Denial of Service: Impact

• Two forms of DoS attacks

– sending one or more packets to exploit a vulnerability

• e.g. ?

– use massive volumes of useless traffic to occupy resources

• e.g. ?

Denial of Service: Attack Types

• Two forms of DoS attacks

– sending one or more packets to exploit a vulnerability

• e.g.: ping-of-death: malformed ICMP message

– use massive volumes of useless traffic to occupy resources

• e.g.: ping flood: overwhelm target by ICMP messages

• Generally ping service is disabled for outsiders

• Massive volumes require more resources for attacker
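
The two forms of DoS above call for two different detection checks, sketched here as an added example that is not part of the original slides. It assumes the classic ping-of-death shape (an IP fragment whose offset plus length would reassemble past the 65,535-byte datagram limit) and a simple per-source rate threshold for ping floods; the record fields, thresholds and sample packets are constructed for illustration.

```python
# Added illustration (not from the lecture slides). Field names, thresholds
# and the sample traffic are assumptions; addresses are documentation ranges.
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

MAX_IP_DATAGRAM = 65535    # largest total length an IPv4 datagram may have
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpPacket:
    ts: float                  # capture time in seconds
    src: str                   # source IP address
    icmp_type: Optional[int]   # None for non-first fragments (no ICMP header)
    ip_header_len: int         # bytes
    ip_total_len: int          # bytes: header + payload of this fragment
    frag_offset: int           # in 8-byte units, as carried in the IPv4 header


def is_oversized_fragment(pkt: IcmpPacket) -> bool:
    """Form 1: one malformed packet. True if reassembly would overflow."""
    payload_len = pkt.ip_total_len - pkt.ip_header_len
    reassembled_end = pkt.frag_offset * 8 + payload_len
    return pkt.ip_header_len + reassembled_end > MAX_IP_DATAGRAM


def detect(packets, window=1.0, max_echo_per_window=100):
    """Return (kind, src, ts) alerts for both DoS forms, in time order."""
    alerts = []
    recent = defaultdict(deque)   # src -> echo-request timestamps in window
    flood_sources = set()         # report each flooding source once
    for pkt in sorted(packets, key=lambda p: p.ts):
        if is_oversized_fragment(pkt):
            alerts.append(("malformed-icmp", pkt.src, pkt.ts))
            continue
        if pkt.icmp_type != ICMP_ECHO_REQUEST:
            continue
        # Form 2: volume. Sliding-window count of echo requests per source.
        times = recent[pkt.src]
        times.append(pkt.ts)
        while times and pkt.ts - times[0] > window:
            times.popleft()
        if len(times) > max_echo_per_window and pkt.src not in flood_sources:
            flood_sources.add(pkt.src)
            alerts.append(("icmp-flood", pkt.src, pkt.ts))
    return alerts


def sample_packets():
    """Constructed traffic: one normal host, one flood, one bad fragment."""
    pkts = []
    for i in range(5):       # ordinary ping, one request per second
        pkts.append(IcmpPacket(float(i), "192.0.2.10", 8, 20, 84, 0))
    # trailing fragment at offset 8189 * 8 = 65,512 bytes carrying 400 bytes
    pkts.append(IcmpPacket(5.0, "203.0.113.5", None, 20, 420, 8189))
    for i in range(150):     # 150 echo requests in under half a second
        pkts.append(IcmpPacket(10 + i * 0.003, "198.51.100.7", 8, 20, 84, 0))
    return pkts


if __name__ == "__main__":
    for kind, src, ts in detect(sample_packets()):
        print(f"{ts:8.3f}  {kind:15s} {src}")
```

A fixed per-source threshold does not help against the distributed case on the following slides, where each source can stay under the limit.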

Distributed Denial of Service: Attack Stages

• A typical DDoS attack contains two stages:

• First stage:

– compromise vulnerable systems that are available

– install attack tools in these compromised systems

– also known as turning these computers into zombies or bots

• Second stage:

– through a secure channel

– the attacker sends an attack command to the zombies

– source IP address spoofed to avoid identification

• Attacks can utilize 100,000s of zombies

– Code Red worm utilized over 300 K zombies

Distributed Denial of Service: Attack Mechanisms

[MR2004]

Distributed Denial of Service: Defense Mechanisms

[MR2004]

Security Attacks: Others

• Spam: unsolicited marketing wasting time & resources

• First commercial instance in 1994

– Canter and Siegel “Green Card Lottery – Final One?” incident

• Mechanisms

– filtering

– counterattack

– fee restructuring

[http://en.wikipedia.org/wiki/Laurence_Canter_and_Martha_Siegel]

Security Attacks: Spam Distribution


[http://www.symantec.com/security_response/landing/spam]


References and Further Reading

• [MR2004] Jelena Mirkovic and Peter Reiher, “A Taxonomy of DDoS Attack and DDoS Defense Mechanisms,” ACM SIGCOMM Computer Communication Review, Volume 34, Issue 2, pp. 39 – 53, April 2004.

• [PLR2007] Tao Peng, Christopher Leckie, and Kotagiri Ramamohanarao, “Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems,” ACM Computing Surveys, Volume 39, Issue 1, Article 3, April 2007.

• [LBM+1994] Carl E. Landwehr, Alan R. Bull, John P. McDermott, and William S. Choi, “A Taxonomy of Computer Program Security Flaws,” ACM Computing Surveys, Volume 26, Issue 3, pp. 211 – 254, September 1994.

• [S2014] William Stallings, Cryptography and Network Security: Principles and Practice, 6th edition, Prentice Hall, 2014.


• [S2007] Robert W. Shirey, “Internet Security Glossary, Version 2,” FYI 36, RFC 4949, August 2007.

• [DH1976] Whitfield Diffie and Martin E. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, Volume 22, No. 6, pp. 644 – 654, Nov 1976.

• [KE2003] Darrell M. Kienzle and Matthew C. Elder, “Recent worms: a survey and trends,” ACM Workshop on Rapid Malcode (WORM), pp. 1 – 10, 2003.

• [WPS+2003] Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham, “A taxonomy of computer worms,” ACM Workshop on Rapid Malcode (WORM), pp. 11 – 18, 2003.

• [QW2005] Sihan Qing and Weiping Wen, “A survey and trends on Internet worms,” Computers & Security, Volume 24, No. 4, pp. 334 – 346, 2005.


• [L2002] Howard Lipson, “Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues,” Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Special Report CMU/SEI-2002-SR-009, 2002.

• [HH2005] Simon Hansman and Ray Hunt, “A taxonomy of network and computer attacks,” Computers & Security, Volume 24, No. 1, pp. 31 – 43, Feb. 2005.

• [F2005] Eric Filiol, Computer viruses: from theory to applications, Springer, 2005. (doi: 10.1007/2-287-28099-5)

• http://www.symantec.com/security_response

• http://www.symantec.com/docs/TECH98539
