Research Direction
Advisor: Frank, Yeong-Sung Lin
Presented by Jia-Ling Pan
2010/10/21 NTUIM OPLAB 1
Agenda
Introduction
Problem Description
Introduction
Worm attacks
Definition
◦ “A network worm is a piece of malicious code that propagates over a network without human assistance and can initiate actively attack independently or depending on file-sharing.” [1]
◦ [1] Kienzle DM and Elder MC. “Recent worms: a survey and trends”, Proceedings of the 2003 ACM workshop on Rapid malcode, October 2003.
Worm characteristics
Information collection:
◦ Collect information about the local or target network.
Probing:
◦ Scans and detects the vulnerabilities of the specified host, determines which approach should be taken to attack and penetrate.
Communication:
◦ Communicate between worm and hacker or among worms.
Attack:
◦ Makes use of the holes gained by scanning techniques to create a propagation path.
Self-propagating:
◦ Uses various copies of worms and transfers these copies among different hosts.
Decentralized Information Sharing
Cooperative attack detection and countermeasures using decentralized information sharing.
Use of epidemic algorithms to share attack information and achieve quasi-global knowledge about attack behaviors.
◦ [2] Guangsen Zhang and Manish Parashar, “Cooperative detection and protection against network attacks using decentralized information sharing”, Cluster Computing, Volume 13, Number 1, Pages 67-86, 2010.
Decentralized Information Sharing
The mechanism should be easy to deploy, robust, and highly resilient to failures.
Gossip-based mechanisms provide potentially effective solutions that meet these requirements.
Consider dissemination of information in a network to be similar to the spread of a rumor or of an infectious disease in a society.
Decentralized Information Sharing
If all the nodes in this distributed framework have common knowledge about the network attack behaviors, then network attacks can be perfectly detected.
However, achieving common knowledge requires completely synchronized and reliable communication, which is not feasible in a practical distributed system.
Decentralized Information Sharing
In a distributed decentralized attack detection system, each detection node will only have a partial view of the system.
Using an asynchronous, resilient communication mechanism to share local knowledge, the system can achieve quasi-global knowledge.
With this knowledge, every detection node can acquire sufficient information about attacks and as a result, the attacks can be detected effectively.
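As an added illustration (not code from [2] or from this presentation), a small Python simulation of push-gossip dissemination of worm alerts among detection nodes that each hold only a partial view of the system; the ring-plus-shortcut topology, fan-out, message loss rate and the constructed alert names are assumptions.

```python
import random

def gossip_round(knowledge, peers, fanout, loss_rate, rng):
    """One push-gossip round: each node forwards its alert set to `fanout`
    random peers; every message is independently lost with prob. loss_rate.
    Deliveries are applied after the round, so no global synchronisation is assumed."""
    incoming = {node: set() for node in knowledge}
    for node, alerts in knowledge.items():
        targets = rng.sample(peers[node], min(fanout, len(peers[node])))
        for peer in targets:
            if rng.random() >= loss_rate:          # message delivered
                incoming[peer] |= alerts
    for node in knowledge:
        knowledge[node] |= incoming[node]

def build_partial_views(n_nodes, rng):
    """Assumed topology: a ring plus one random shortcut per node, so every
    detection node only knows a handful of neighbours (its partial view)."""
    peers = {i: {(i - 1) % n_nodes, (i + 1) % n_nodes} for i in range(n_nodes)}
    for i in range(n_nodes):
        peers[i].add(rng.choice([j for j in range(n_nodes) if j != i]))
    return {i: sorted(p) for i, p in peers.items()}

def full_view_fraction(knowledge, global_view):
    """Share of nodes whose local knowledge equals the quasi-global view."""
    return sum(k == global_view for k in knowledge.values()) / len(knowledge)

def simulate(n_nodes, local_alerts, fanout=2, loss_rate=0.3, max_rounds=100, seed=1):
    """Gossip until every node holds the union of all locally observed alerts.
    Returns (rounds needed, or None if max_rounds was hit; final knowledge per node)."""
    rng = random.Random(seed)
    peers = build_partial_views(n_nodes, rng)
    knowledge = {i: set(local_alerts.get(i, ())) for i in range(n_nodes)}
    global_view = set().union(*local_alerts.values())
    for rnd in range(1, max_rounds + 1):
        gossip_round(knowledge, peers, fanout, loss_rate, rng)
        if full_view_fraction(knowledge, global_view) == 1.0:
            return rnd, knowledge
    return None, knowledge

if __name__ == "__main__":
    # Constructed scenario: three detection nodes each observe a different worm signature.
    rounds, kn = simulate(12, {0: {"worm-sig-A"}, 5: {"worm-sig-B"}, 9: {"worm-sig-C"}})
    print("rounds until quasi-global knowledge:", rounds)
    print("node 3 knows:", sorted(kn[3]))
```

Because each node pushes to at most `fanout` peers per round, an alert can reach at most 3^r nodes after r rounds, so the 12-node run needs at least three rounds even with no loss.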
Decentralized Information Sharing
◦ AS level
◦ Overlay network
Unknown worm behavioral detection
Detecting unknown worm activity in individual computers while minimizing the required set of features collected from the monitored computer.
While all the worms are different, we wanted to find common characteristics by the presence of which it would be possible to detect an unknown worm.
◦ [3] R. Moskovitch, Y. Elovici, and L. Rokach, “Detection of unknown computer worms based on behavioral classification of the host”, Computational Statistics & Data Analysis, Volume 52, Issue 9, Pages 4544-4566, May 2008.
Worm origin identification
Present the design of a Network Forensic Alliance (NFA), to allow multiple administrative domains (ADs) to jointly locate the origin of epidemic spreading attacks.
Can find the origin and the initial propagation paths of a worm attack, either within an intranet or on the Internet as a whole, by performing post-mortem analysis on the traffic records logged by the networks.
◦ [5] Yinglian Xie, Sekar V., Reiter M.K. and Hui Zhang, “Forensic Analysis for Epidemic Attacks in Federated Networks”, Proceedings of the 2006 14th IEEE International Conference on Network Protocols, November 2006.
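An added example of post-mortem origin identification from logged traffic records (not the NFA design or the algorithm of [5]; a simple causality-tree reconstruction written for this page). It assumes the set of infected hosts is already known from detection or worm-profile matching, and the flow records and host names H1 to H9 are constructed.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "t src dst")   # one logged traffic record on the worm's port

# Constructed sample of traffic records (hypothetical hosts), not real data.
SAMPLE_FLOWS = [
    Flow(0, "H8", "H3"),  # contact from an uninfected host: ignored
    Flow(1, "H3", "H7"),
    Flow(2, "H3", "H1"),
    Flow(3, "H7", "H3"),  # scan back to an already infected host
    Flow(4, "H7", "H9"),
    Flow(5, "H1", "H4"),
    Flow(6, "H9", "H2"),
    Flow(7, "H4", "H9"),  # later than H9's own first attack activity, so not its parent
]
INFECTED = {"H3", "H7", "H1", "H9", "H4", "H2"}   # assumed output of the detection stage

def first_activity(flows, infected):
    """Time of each infected host's first outbound flow to another infected host."""
    first = {}
    for f in sorted(flows, key=lambda f: f.t):
        if f.src in infected and f.dst in infected:
            first.setdefault(f.src, f.t)
    return first

def infection_tree(flows, infected):
    """Parent of host h = infected source of the latest inbound flow that precedes
    h's own first attack activity; hosts with no such flow are candidate origins."""
    first = first_activity(flows, infected)
    parent = {}
    for h in infected:
        t_h = first.get(h, float("inf"))   # never active: any inbound infected flow qualifies
        cands = [f for f in flows if f.dst == h and f.src in infected and f.t < t_h]
        parent[h] = max(cands, key=lambda f: f.t).src if cands else None
    return parent

def origins(parent):
    """Hosts with no infected predecessor: the candidate worm origins."""
    return sorted(h for h, p in parent.items() if p is None)

def propagation_path(parent, host):
    """Walk parents back to the origin; a parent's first activity strictly
    precedes its child's, so the walk terminates."""
    path = [host]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path[::-1]

if __name__ == "__main__":
    tree = infection_tree(SAMPLE_FLOWS, INFECTED)
    print("origins:", origins(tree))
    print("path to H2:", " -> ".join(propagation_path(tree, "H2")))
```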
Problem Description
Problem Description
Attacker attributes
Defender attributes
Attack-defense scenarios
Attacker attributes
Objective
◦ Using worms to get a clearer map of network topology information or vulnerability, and eventually compromise core nodes.
Budget
◦ Node compromising
◦ Worm injection
Attacker attributes
Attack mechanisms
◦ Node compromising. Next hop selection criteria:
  Link degree: high link degree (information seeking)
  Link utilization: low link utilization (stealth strategy)
◦ Worm injection. Candidate selection criteria:
  Link traffic: high link traffic (high rate worm injection); low link traffic (low rate worm injection)
Defender attributes
Objective
◦ Protect core nodes
Budget
◦ General defense resources (e.g. firewall, IDS)
◦ Worm profile distribution mechanisms
◦ Worm source identification methods
Defender attributes
Defense mechanisms
◦ Node protection
◦ Unknown worm detection & profile distribution
◦ Worm origin identification
Scenarios
[Figure series: network diagram of AS nodes A to J, with firewalls and core AS nodes marked; legend: Type1 worm, Type2 worm, profile generation. The slides step through one attack-defense scenario:]
◦ Initial topology.
◦ Attacker A and Attacker B: node compromise.
◦ Attacker A: node compromise, worm injection.
◦ Attacker A: worm propagation.
◦ Attacker A: node compromise.
◦ Defender: detect unknown worm behavior, profile distribution, worm origin identification.
◦ Attacker A: worm injection.
◦ Attacker A: worm propagation.
◦ Defender: detect unknown worm behavior, profile distribution, worm origin identification.
Thank you for listening.