Trend & Techniques of Intruder Traceback

Presentation Transcript


  1. Trend & Techniques of Intruder Traceback
  Dong-il Seo, Team Manager, ETRI

  2. Contents
  • Backgrounds
  • What is the Traceback Technologies?
  • IP Packet Traceback
  • Connection Traceback
  • Host-based Traceback System
  • Network-based Traceback System
  • Active Network based Traceback System
  • Trend & Conclusion
  ITU-T Workshop on Security - Seoul (Korea), 13-14 May 2002

  3. Backgrounds

  4. 21C. Environment of Information and Communication
  [Diagram labels: Integration, Convergence, Internet Ubiquity; IP over Any Networks; Wireless, Multiple Service, Infrastructure, Adaptive; Everything over Internet; Cyber-Real 3D, E- & M-Commerce, Tele-immersion; <<Internet Ubiquity, Social Paradigm Shift, Cyber Society>>; Secure Cyber Society; Cyber Society New Applications - 4C: (E-)Commerce, Communication, Community, Contents]

  5. Trends of Cyber Terror Technologies
  • Unification of Hacking Tech. and Virus Tech.
  • Autonomy, Intelligence, Popularization, Distribution, Large Scale, Encapsulation
  • Hacktivism: From Personal Purpose To Political, Social, Military, Industrial Purpose
  [Diagram: Virus Tech. Area and Hacking Tech. Area]

  6. Explosion of Incidents
  [Chart: CERT/CC Incidents Statistics (http://www.cert.org), incidents per year; Q1 2002 alone: 26,829. Values: 1992: 773; 1993: 1,334; 1994: 2,340; 1995: 2,412; 1996: 2,573; 1997: 2,134; 1998: 3,734; 1999: 9,859; 2000: 21,756; 2001: 52,658]

  7. Limitation of Countermeasure
  Limitation of Security Products
  • Passive Response
  • Can’t Limit the Hacking Trial, Itself
  • Can’t Do the Active Response
  Active Hacking Defense Tech. is Needed
  • Should Limit the Hacking Trial, Itself
  • Need the Development of an Intruder Traceback System
  So, The Active Hacking Defense Tech. Is Urgently Needed

  8. Why Traceback System?
  • Basic System of Active Hacking Defense Tech.
  • Real-Time Traceback
  • Immediate Response
  • Can Find and Supplement the Vulnerable Systems on the Traceback Path
  • Can Make the Hacker Hesitate in the Hacking Trial
  • Can Reduce the Number of Hacking Trials
  [Diagram: Hacker PC in Network 1, Attack Connection through the Internet and Network 2 to Network 3, Traceback Path back along it]

  9. What is the Traceback Technologies?

  10. What is the Traceback System?
  Definition: A system for finding the hacker’s real location on the network autonomously.
  Classification
  • IP Packet Traceback System: traces back to the real source that sent the IP-address-spoofed packet
  • Connection Traceback System: traces back to the real source of a detoured intrusion

  11. IP Packet Traceback
  • The solution to the IP address spoofing problem
  • A method to find the real sending position of an IP-spoofed packet in a DoS attack
  • A method to find the previous system in the connection chain
  • Focused on the method that uses the intermediate routers
  [Diagram: Hacker, Host A, Host B, Host C and the Internet with routers 1-4; Real Path vs. Spoofed Path]

  12. Connection Traceback
  • Traceback to find the real source of a detoured attack
  • Detoured Attack: an attack that is carried out via several systems
  • The hacker’s real location can’t be found with Host A’s audit trail alone
  • More important than IP Traceback
  [Diagram: Hacker, Internet, Host B, Host A; labels “Only can find the information of the Host A”, “Can find the information of the Hacker”; Attack Path vs. Real Attack Connection]

  13. Current Traceback Tech. (1)
  Connection Traceback Manual Method
  Log Analysis of Compromised System → Identification of the Attack System → Log Analysis of the Attack System → Identification of the Previous Attack System → Iteration
  • Depends only upon the log files
  • Too time-consuming a process
  • Needs many experts
  • Geographical problem
  • Inefficient: the hacker’s real position can’t be found if even one system on the Traceback Path can’t be identified
  The Quick and Accurate Real-Time Traceback System is Needed

  14. Current Traceback Tech. (2)
  Features of Current Products
  • Simple IP Information Traceback
  • Traceback of a Detoured Attack is Impossible
  • Gather Only the Information of the Intruder’s IP Address
  • Can’t Apply to the Current Internet Environment
  • Traceback for Special Cases Only
  Current Products
  • A com. – Illegal Intruder Traceback System
    • Requirement: a traceback module should be installed in every system in the Internet
  • B com. – Web-based Hacker Traceback System
    • Efficient against web hacking that uses a Proxy Server
  • Etc.

  15. IP Packet Traceback

  16. Example of IP Packet Traceback
  Advanced and Authenticated Marking Schemes for IP Traceback
  • Analysis
    • The technology for finding the real source of a DoS attack
    • Improved method of the IP Marking Scheme with Edge Sampling
    • Advanced Marking Scheme, Authenticated Marking Scheme
  • Paper
    • Dawn Xiaodong Song and Adrian Perrig, “Advanced and Authenticated Marking Schemes for IP Traceback”, Computer Science Department, Univ. of California, Berkeley
  [Diagram: IP Marking Scheme with Edge Sampling / Fragment Marking Scheme (can apply only to the case where the DoS attack is done from one system) → Advanced Marking Scheme (restores the router information in the 16 bits using a hash function) → Authenticated Marking Scheme (packet marking authentication)]
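The edge-sampling marking that the schemes on this slide build on, as an added worked example written for this page (not code from the presentation or from the cited paper): each router probabilistically writes an edge (start router, end router, distance) into the packet, and the victim rebuilds the attack path from the edges collected over many packets. Assumed for the demonstration: a four-router path R1..R4, a marking probability p = 0.2, and plain mark fields instead of the 16-bit IP identification field the real schemes have to squeeze the mark into.

```python
import random
from dataclasses import dataclass
from typing import List, Optional

# Constructed attack path (assumed, not from the page): attacker -> R1 -> R2 -> R3 -> R4 -> victim.
PATH = ["R1", "R2", "R3", "R4"]


@dataclass
class Mark:
    start: Optional[str] = None  # router that started the sampled edge
    end: Optional[str] = None    # next router on the path, written one hop later
    distance: int = 0            # hops travelled since the edge was started


def router_marks(mark: Mark, router: str, p: float, rng: random.Random) -> None:
    """Edge-sampling rule each router applies to every packet it forwards: with
    probability p it starts a new edge with itself; otherwise it completes a
    just-started edge (distance 0) and increments the distance for ordering."""
    if rng.random() < p:
        mark.start, mark.end, mark.distance = router, None, 0
    else:
        if mark.distance == 0 and mark.start is not None:
            mark.end = router
        mark.distance += 1


def simulate_attack(n_packets: int, p: float, seed: int = 1) -> List[Mark]:
    """Forward n_packets along PATH and return the marks as the victim sees them."""
    rng = random.Random(seed)
    received = []
    for _ in range(n_packets):
        mark = Mark()  # the attacker sends the mark fields cleared in this constructed scenario
        for router in PATH:
            router_marks(mark, router, p, rng)
        received.append(mark)
    return received


def reconstruct_path(marks: List[Mark]) -> List[str]:
    """Rebuild the router sequence, attacker side first, from the sampled edges.
    An edge started d hops upstream arrives with distance d, so edges are chained by
    distance: the end of the edge at distance d must be the start of the edge at
    distance d-1, which rejects inconsistent (e.g. attacker-forged) marks."""
    by_distance = {}
    for m in marks:
        if m.start is not None:  # unmarked packets carry no router information
            by_distance.setdefault(m.distance, set()).add((m.start, m.end))
    path, expected_end = [], None  # the distance-0 edge has no end yet: the victim is next
    for d in range(len(by_distance)):
        candidates = [e for e in by_distance.get(d, ()) if e[1] == expected_end]
        if len(candidates) != 1:
            break  # edge at this distance missing or ambiguous: stop with a partial path
        expected_end = candidates[0][0]
        path.append(expected_end)
    return list(reversed(path))


if __name__ == "__main__":
    print(reconstruct_path(simulate_attack(2000, 0.2)))  # expect ['R1', 'R2', 'R3', 'R4']
```

With p = 0.2 the farthest router’s edge survives to the victim in about 10% of packets, so a few hundred packets already suffice; the real schemes trade this packet count against the 16 bits available per packet.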

  17. Connection Traceback

  18. Classification of Connection Traceback
  Host-based Traceback
  • A traceback module should be installed in every system in the Internet
  • Using the installed traceback module
    • Traceback with authentication of the connection-requesting system
    • Traceback by analyzing the log in the system
  • Can’t Apply to the Current Internet Environment
  Network-based Traceback
  • Traceback by extracting the information from packets on the network
  • Requirement: the traceback module should be installed in a position that can monitor all packets
  Active Network based Traceback
  • Can apply only to an Active Network
  • IDIP, Sleepy Watermark Tracing, Etc.

  19. Host-based Traceback System

  20. Host-based Traceback System
  • A traceback module should be installed in every system in the Internet
  • Can’t Apply to the Current Internet Environment
  • Papers
    • CIS (Caller Identification System)
    • AIAA (Autonomous Intrusion Analysis Agent)
    • Etc.
  [Diagram: Hacker, Internet, Host B, Host A, each host carrying a Traceback Module; labels “Only can find the information of the Host A”, “Can find the information of the Hacker”; Attack Path vs. Real Attack Connection]

  21. CIS (Caller Identification System)
  • The Caller Identification System is basically made up of
    • A network connection request filter (ETCPW) located between TCP/UDP and the servers in the application layer, and
    • An authentication server (CIS) whose function is to grant a connection request only after the caller’s authentication and his or her network trace have been verified
  • Problems
    • Network load increase, problems of integrity and privacy
  • H. T. Jung, “Caller Identification System in the Internet Environment”, Proceedings of the USENIX Security Symposium IV, 1993
  [Diagram: chain of hosts UserID-1, UserID-2, …, UserID-(n-1), UserID-n; the path is informed and verified at each hop]

  22. Autonomous Intrusion Analysis Agent
  • Analysis
    • Find the hacking evidence and the attack system by using the AIAA, which can autonomously analyze the log in the compromised system
    • AIAA would be installed by the administrators of the systems in the connection chain
  [Diagram: AIAA Server dispatching Agents along the chain Attacker → … → (n-1) victim → (n) victim]

  23. Tracing Back Using Attack Methods
  • Traceback by Reverse Attacking
  • Systems on the Path
    • Have Backdoors made by Attackers
    • Have Vulnerabilities that can be attacked by agents
  • Check point
    • Legal?
    • Ethics?
  [Diagram: Attack Paths from Attacker through the (n-1) path and (n) path to Victim; Trace Back in the reverse direction]

  24. Network-based Traceback System

  25. Network-based Traceback System
  • Traceback by extracting the information from packets on the network ==> Construct the Connection Chain
  • Can apply to the current Internet Environment
  • The traceback module should be installed in a position that can monitor all packets
  [Diagram: Hacker, Internet, Host B, Host A with Traceback Module A and Traceback Module B on the network; labels “Only can find the information of the Host A”, “Can find the information of the Hacker”; Attack Path vs. Real Attack Connection]

  26. Connection Chain
  Definition
  • When a user on a computer H0 logs into another computer H1 via a network, a TCP connection C1 is established between them. When the user logs from H1 into another computer H2, and then H3, …, Hn successively in the same way, TCP connections C2, C3, …, Cn are established respectively on each link between the computers. We call this sequence of connections C = (C1, C2, …, Cn) a connection chain.
  [Diagram: H0 –C1– H1 –C2– H2 –C3– H3 –C4– … –Cn– Hn over the Network]
  Algorithms to identify the relations between connections
  • Thumbprints: Holding Intruders Accountable on the Internet
  • Sequence Number Deviation: Finding a Connection Chain for Tracing Intruders
  • Timing-Based Algorithm: Detecting Stepping Stones

  27. Thumbprints
  • Idea
    • All the transmitted data in the connections would be the same if the connections are in the same connection chain
  • Thumbprints
    • A small quantity of data which has been effectively summarized from a certain section of a connection’s collected contents
  • Problems
    1. Can’t apply to encrypted packets
    2. False positives, false negatives
  [Diagram: Hacker → Compromised system → Victim, TCP connections across the Internet, each carrying Data: “ls”]

  28. Timing based Algorithm
  • Idea
    • The strikingly distinct distribution of the spacing between user keystrokes can be detected
    • All the connections would have the same intervals between ON and OFF periods
    • All the connections would change from an OFF period to an ON period at almost the same time
  • Notation
    • OFF period: there is no data traffic on a flow for more than Tidle seconds
    • ON period: an interval which is not an OFF period
  [Diagram: Hacker → Compromised system → Victim, TCP connections across the Internet]
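The ON/OFF idea of this slide, as an added worked example written for this page (not code from the presentation or from the Detecting Stepping Stones paper): a flow’s OFF→ON transitions are derived from packet timestamps alone, so unlike thumbprints the method also works on encrypted connections, and two flows are scored by how many of those transitions coincide. The keystroke timings, Tidle = 0.5 s, the 0.08 s coincidence window and the 0.3 decision threshold are assumed values constructed for the demonstration.

```python
from typing import List

T_IDLE = 0.5     # assumed Tidle: silence longer than this ends an ON period (an OFF period begins)
DELTA = 0.08     # assumed window within which two OFF->ON transitions count as coincident
THRESHOLD = 0.3  # assumed fraction of coincident transitions needed to call two flows one chain


def off_to_on_transitions(timestamps: List[float], t_idle: float = T_IDLE) -> List[float]:
    """Times at which a flow leaves an OFF period: its first packet and every packet
    that follows a gap longer than t_idle. Only timing is used, never payload."""
    ts = sorted(timestamps)
    if not ts:
        return []
    transitions = [ts[0]]
    for prev, cur in zip(ts, ts[1:]):
        if cur - prev > t_idle:
            transitions.append(cur)
    return transitions


def correlation_score(flow_a: List[float], flow_b: List[float],
                      t_idle: float = T_IDLE, delta: float = DELTA) -> float:
    """Fraction of flow_a's OFF->ON transitions that have a flow_b transition within
    delta seconds, normalised by the smaller transition count of the two flows."""
    ta, tb = off_to_on_transitions(flow_a, t_idle), off_to_on_transitions(flow_b, t_idle)
    if not ta or not tb:
        return 0.0
    coincident, j = 0, 0
    for t in ta:
        while j < len(tb) and tb[j] < t - delta:  # skip b transitions that are already too early
            j += 1
        if j < len(tb) and abs(tb[j] - t) <= delta:
            coincident += 1
    return coincident / min(len(ta), len(tb))


def same_connection_chain(flow_a: List[float], flow_b: List[float]) -> bool:
    return correlation_score(flow_a, flow_b) >= THRESHOLD


def constructed_flow(bursts: List[int], start: float = 0.0, pause: float = 1.5,
                     key_interval: float = 0.12) -> List[float]:
    """Constructed interactive session: bursts of keystrokes separated by think-time pauses."""
    ts, t = [], start
    for n_keys in bursts:
        for _ in range(n_keys):
            ts.append(round(t, 3))
            t += key_interval
        t += pause  # pause > T_IDLE, so the next burst opens a new ON period
    return ts


# Constructed flows: hacker -> compromised host (upstream) and compromised host -> victim
# (downstream) carry the same keystrokes, downstream delayed 30 ms by the relay; a third,
# unrelated interactive session has its own rhythm and should not correlate.
UPSTREAM = constructed_flow([2, 7, 4, 3, 6, 5])
DOWNSTREAM = [round(t + 0.03, 3) for t in UPSTREAM]
UNRELATED = constructed_flow([3, 2, 5, 4], start=0.7, pause=2.1, key_interval=0.15)

if __name__ == "__main__":
    print(correlation_score(UPSTREAM, DOWNSTREAM), correlation_score(UPSTREAM, UNRELATED))
```

In practice the relay delay and jitter set delta, and a minimum number of transitions should be required before a verdict, since two short sessions can coincide by chance.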

  29. Sequence Number
  • Paper
    • K. Yoda and H. Etoh, “Finding a Connection Chain for Tracing Intruders”, in F. Cuppens, Y. Deswarte, D. Gollmann, and M. Waidner, editors, 6th European Symposium on Research in Computer Security – ESORICS 2000, LNCS 1895, Toulouse, France, Oct. 2000.
  • Idea
    • Define the deviation of one packet stream on a connection from another, and implement a system to compute deviations.
    • If the deviation is small, the two connections must be in the same connection chain.
  [Diagram: Hacker → Compromised system → Victim, TCP connections across the Internet]

  30. On Going Project
  iTREX
  • Corp.: Silicon Defense – an IDS development company
  • Project: iTREX (Internet TRap and Trace EXperiments)
  • Approach: intends to develop methods that would allow victims of attacks to trace intruders across the Internet, even when those intruders use encrypted logins through a chain of hosts to disguise themselves
  New Idea
  • Correlation methods to compare connections based solely on timing and header information, which should be possible to implement at wire speed
  • Distributed protocols to allow a set of co-operating routers to trace the source of an attack through an extended connection
  • To implement a working trap and trace facility for the Internet

  31. Active Network based Traceback

  32. CITRA (1)
  CITRA (Cooperative Intrusion Traceback and Response Architecture)
  • Infrastructure for integrating network-based intrusion detection systems, firewalls, and routers to trace attacks back to their true source and block the attacks close to that source.
  • CITRA Communities are administrative domains controlled by a management component called a Discovery Coordinator.
  • CITRA Communities consist of interconnected neighborhoods.
  • CITRA uses the IDIP protocol for centralized reporting of intrusion-related events, attack traceback, and automated response.
  [Diagram: a CITRA Community with a Discovery Coordinator and an IDS; Neighborhoods 1, 2 and 3 joined by Boundary Controllers]

  33. CITRA (2)
  • IDIP initial intrusion response
    ① A CITRA-enabled detector detects an attack
    ② The detector sends a traceback message to each CITRA neighbor
    ③ Each boundary controller and host along the potential path of the attack uses the network audit trail to determine whether the packets associated with the attack passed through it. If so, the device sends a traceback message to its neighbors

  34. CITRA (3)
  • IDIP (Intruder Detection and Isolation Protocol)
    • IDIP is organized into two primary protocol layers: the IDIP application layer and the IDIP message layer
    • The application layer protocol accomplishes intrusion tracking and containment through three major message types: (1) trace, (2) report, and (3) Discovery Coordinator directive
  [Diagram: IDIP Backplane architecture. IDIP Application above the IDIP Backplane, which comprises Neighborhood Management (node status), the IDIP Message Layer (reliable delivery, duplicate removal, multicast support, time management) and the IDIP Cryptographic Service (authentication, integrity, privacy) with Key Management, running over the User Datagram Protocol and the Internet Protocol]

  35. CITRA (4)
  • IDIP Application
    • One IDIP node in a community executes the Discovery Coordinator application. All IDIP nodes execute an IDIP agent application.
  • Discovery Coordinator application
    • When an IDIP node sends or processes a trace message, it sends a copy of the attack description and responses to the Discovery Coordinator, so that the coordinator knows the path of the attack and the response taken by each component along the attack path.
  [Diagram: IDIP Generic agent architecture (IDIP Detection Interface; IDIP Generic Agent with message processing, connection search and cost model; IDIP Audit; component-specific functions such as service blocking; IDIP Backplane) and Discovery Coordinator application view (Discovery Coordinator Core Service, Correlation Engines, Response Manager, Response Engines, Other Application, Discovery Coordinator API, IDIP Audit Data, IDIP Backplane)]

  36. Self-Extension Monitoring (1)
  • Idea
    • Self-Extension Monitoring observes the intruder’s activities at the host level.
    • If the intruder moves into another host, network-level monitoring is carried out through program replication into that host as needed
    • Approach based on the Shadowing mechanism for monitoring hacking activities.
  Monitoring Approach
  • Host-level Monitoring
    • Host-level monitoring observes the specified user on a single host and records the log.
    • The tty hijacking method is used to monitor the user at the host level.
  • Network-level Monitoring
    • Network-level monitoring tools use connection hijacking to monitor and control the user’s activities.
    • There are several network-level monitoring tools with more functions, including IP-watcher on UNIX, hunt on Linux and T-sight on Windows NT.

  37. Self-Extension Monitoring (2)
  • IIS (Intruder Identification System)
    • IIS is developed on the basis of Self-Extension Monitoring using the Shadowing and Replication mechanisms.
    • This system aims at disclosing the intruder’s identity accurately, and is composed of a single server (Intruder Identification Server) and an unspecified number of clients (Intruder Identification Client).
  [Diagram: Overview of IIS]

  38. Sleepy Watermark Tracing (1)
  • Paper
    • X. Wang, D. Reeves, S. F. Wu, and J. Yuill, “Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework”, Proceedings of the IFIP Conference on Security, Mar. 2001.
  • Active Network based Solution
  • Uses watermarked reply packets

  39. Sleepy Watermark Tracing (2)
  • Step 1: Insert the watermark in the reply packets
  • Step 2: Detect the watermarked packet
  • Quick and Accurate Traceback is Possible
  [Diagram: the reply packet is watermarked and the Watermarked Packet is detected by SWT nodes in the Active Network on its way back to the Hacker]

  40. Sleepy Watermark Tracing (3)
  Pros
  • Does not increase the network load
  • No False Positives
  • Low False Negatives
  • Real-Time Traceback
  Cons
  • Works only on an Active Network → Can’t apply to the current Internet
  • Lack of research into watermarks for network packets

  41. Trend & Conclusion

  42. Trend & Conclusion
  Current Information Security Env.
  • Can’t Limit the Hacking Trial, Itself
  • Active Hacking Defense Tech. is Needed
  Active Anti-Hacking System Research
  • Main Research Field: Traceback System
  • Host/Network/Active Network based Traceback System
  • Difficult to apply to the current Internet
  The Quick and Accurate Real-Time Traceback System is Urgently Needed
  Future Works
  • The model that can apply to the current Internet should be developed
  • A real-time traceback system is needed to actively defend against hacking

  43. Q & A
  Thank you very much !!!
