Matching TCP/IP Packet to Detect Stepping-stone Intrusion

Jianhua Yang, TSYS School of Computer Science
Edward Bosworth, Center for Information Assurance Education
Columbus State University

04/22/23 Columbus State University 1/24
Layout
1. Background
2. Related Work
3. SWAM algorithm
4. Compare with SDC
5. Conclusion and future work
1. Background

How to attack other computers?
  Interactive
  Non-interactive
Interactive attack
  Direct
  Indirect
Indirect attack
[Figure: Stepping-stone Intrusion. The Attacker reaches the Victim through a chain of Stepping-stones, with a Monitor Point on the chain.]

Stepping-stone Intrusion Detection
A detection model
[Figure: the monitored host with its Incoming Connection and Outgoing Connection.]
2. Related Work
  Content-based (Thumbprint) [1]
  Time-based (ON-OFF) [2]
  Deviation-based [3]
  Packet number based [4, 7]
  Watermark-based [5, 6]
  One-dimension Random-Walk [13]
Another model
[Figure: a Stepping-stone with its Send-Echo and Send-Ack round trips.]
Ratio = RTT(Send-Ack) / RTT(Send-Echo)
The problems
  Length estimation
  Measure bar
  Absorbing
Matching TCP Packet
  Step-function (Packet-matching) [8]
  Fluctuation estimation [9]
  Clustering-Partitioning algorithm [10, 11]
SDC (Standard Deviation based Cluster Matching)

RTT distribution
[Figure 1: A distribution of RTT for a connection chain. x-axis: RTT value (μsec), 135000 to 165000; y-axis: Probability, 0 to 0.45.]
How SDC works
Send timestamps: S = {s1, s2, s3, s4} = {1099702684, 1099772525, 1099909440, 1099928524}
Echo timestamps: E = {e1, e2, e3, e4} = {1099828523, 1099898019, 1100036000, 1100058999}
For each send si the candidate RTT set is Si = {ej - si : j = 1..4}:
S1 = {125839, 195335, 333316, 356315}
S2 = {55998, 125494, 263475, 286474}
S3 = {-80917, -11421, 126560, 149559}
S4 = {-100001, -30505, 107476, 130475}
Basic Idea to do SDC
S = {s1, s2, ..., sn}, E = {e1, e2, ..., em}
S1 = {s1e1, s1e2, ..., s1em}, S2 = {s2e1, s2e2, ..., s2em}, ..., Sn = {sne1, sne2, ..., snem}, where siej denotes the candidate RTT ej - si.
Combination clusters: pick one element from each Si, i.e. one candidate RTT per send packet.
Standard deviation computing: score every cluster by the standard deviation of its RTTs.
Get the smallest one: the cluster with the smallest standard deviation gives the matched send/echo pairs.
Complexity
$m^{n}$ combination clusters for $n$ send packets and $m$ echo packets.
Example: 80 send packets, 115 echo packets: $115^{80} \approx 7.175 \times 10^{164}$ clusters.
SWAM (sliding window packet matching algorithm)
S = {s1, s2, s3, s4, s5, s6, s7, s8, s9, s10}
E = {e1, e2, e3, e4, e5, e6, e7, e8, e9, e10, e11, e12, e13, e14}
Window size = 3
Q (sends and echoes merged in timestamp order) = {s1, s2, e1, s3, e2, s4, e3, e4, s5, e5, s6, e6, e7, s7, e8, e9, s8, e10, s9, e11, e12, s10, e13, e14}
Comparison
For the previous example:
SDC: number of clusters = $14^{10}$ = 289254654976
SWAM: number of clusters = $2^{10}$ = 1024, about 0.00000035% of the SDC count
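The following worked example is added to this transcript and is not code from the slides or from Yang and Bosworth. It brute-forces SDC's combination clusters over the four-packet example from the "How SDC works" slide (the sets S1..S4 above), then repeats the search with each send restricted to a small window of echoes, so the m^n versus product-of-window-sizes comparison on this slide can be seen on real numbers. The window rule used here (a send may only be matched to the first w echoes that follow it in the merged sequence Q) is an assumption chosen for illustration; the slides do not spell out SWAM's exact rule, and the function names are mine.

```python
"""SDC brute-force cluster search versus a window-restricted search.

Added example, not code from the slides.  The window rule in
windowed_candidates() is an assumption, not SWAM's published rule.
"""
import itertools
import math
import statistics

# Send and echo timestamps copied from the "How SDC works" slide.
S = [1099702684, 1099772525, 1099909440, 1099928524]
E = [1099828523, 1099898019, 1100036000, 1100058999]


def candidate_rtts(sends, echoes):
    """S_i = {e_j - s_i : j = 1..m}: every echo treated as a possible reply to send i."""
    return [[e - s for e in echoes] for s in sends]


def best_cluster(candidate_sets):
    """Enumerate every combination cluster (one RTT drawn from each set),
    score it by population standard deviation and keep the smallest.
    Returns (stdev, cluster, clusters_examined)."""
    best_sd, best, examined = None, None, 0
    for cluster in itertools.product(*candidate_sets):
        examined += 1
        sd = statistics.pstdev(cluster)
        if best_sd is None or sd < best_sd:
            best_sd, best = sd, cluster
    return best_sd, best, examined


def sdc(sends, echoes):
    """SDC as described on the slides: m^n clusters for n sends and m echoes."""
    return best_cluster(candidate_rtts(sends, echoes))


def sdc_cluster_count(n, m):
    """Number of combination clusters SDC must score (m^n)."""
    return m ** n


def merged_sequence(sends, echoes):
    """Q: sends and echoes interleaved in timestamp order, as on the SWAM slide."""
    q = [(t, "s", i) for i, t in enumerate(sends)]
    q += [(t, "e", j) for j, t in enumerate(echoes)]
    return sorted(q)  # tuples sort on the timestamp first


def windowed_candidates(sends, echoes, w):
    """Assumed window rule: send s_i may only be answered by the first w echoes
    that appear after it in Q.  Echoes that precede the send (negative RTTs)
    never qualify, so each window size w_i is at most w."""
    q = merged_sequence(sends, echoes)
    sets = []
    for i, s in enumerate(sends):
        pos = q.index((s, "s", i))
        later_echoes = [t for (t, kind, _) in q[pos + 1:] if kind == "e"]
        sets.append([e - s for e in later_echoes[:w]])
    return sets


def swam_cluster_count(sends, echoes, w):
    """prod(w_i) clusters: the window sizes multiply instead of m^n."""
    return math.prod(len(c) for c in windowed_candidates(sends, echoes, w))


def swam(sends, echoes, w):
    """Window-restricted search over the same scoring rule as SDC."""
    return best_cluster(windowed_candidates(sends, echoes, w))


if __name__ == "__main__":
    sd, cluster, n = sdc(S, E)
    print(f"SDC : {n} clusters, best {cluster}, stdev {sd:.1f} usec")
    sd, cluster, n = swam(S, E, 3)
    print(f"SWAM: {n} clusters, best {cluster}, stdev {sd:.1f} usec")
    print(f"80 sends x 115 echoes: {sdc_cluster_count(80, 115):.3e} SDC clusters")
```

On the slide's four-packet example SDC scores 4^4 = 256 clusters and the window of 3 leaves 3*3*2*2 = 36; both land on the same diagonal pairing (e1-s1, e2-s2, e3-s3, e4-s4), which is the point of the comparison: the window discards clusters that could never win without changing the answer.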
General Comparison
SDC: $m^{n}$ clusters for $n$ send packets and $m$ echo packets.
SWAM: $\prod_{i=1}^{n} w_i$ clusters, where $w_i$ is the number of echo packets in the window of send $s_i$ and $w_i \le m$.
Live Sliding Window (LSW)
Why use LSW? Is it possible?

How to use LSW?
Determine the size of the LSW by the gap between si and sj.
Why does SWAM work?
Six facts from the TCP/IP protocol. For details, please read the paper, Section 3.1 Motivation.
Conclusion
SWAM works and is more efficient than SDC for matching TCP/IP packets.

Future work
Use SWAM to compute the length of a connection chain.
References
[1] S. Staniford-Chen and L. T. Heberlein, "Holding Intruders Accountable on the Internet," Proc. IEEE Symposium on Security and Privacy, Oakland, CA, USA, 1995, pp. 39-49.
[2] Y. Zhang and V. Paxson, "Detecting Stepping Stones," Proc. 9th USENIX Security Symposium, Denver, CO, USA, 2000, pp. 171-184.
[3] K. Yoda and H. Etoh, "Finding Connection Chain for Tracing Intruders," Proc. 6th European Symposium on Research in Computer Security (ESORICS), Toulouse, France, 2000, pp. 31-42.
[4] A. Blum, D. Song, and S. Venkataraman, "Detection of Interactive Stepping-Stones: Algorithms and Confidence Bounds," Proc. International Symposium on Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, France, 2004, pp. 20-35.
[5] X. Wang, D. S. Reeves, S. F. Wu, and J. Yuill, "Sleepy Watermark Tracing: An Active Network-based Intrusion Response Framework," Proc. 16th International Conference on Information Security, Paris, France, June 2001, pp. 369-384.
[6] X. Wang, D. Reeves, and S. Wu, "Inter-Packet Delay-based Correlation for Tracing Encrypted Connections through Stepping Stones," Proc. 7th European Symposium on Research in Computer Security (ESORICS), Lecture Notes in Computer Science, Vol. 2502, Zurich, Switzerland, October 2002, pp. 244-263.
[7] T. He and L. Tong, "Detecting Encrypted Interactive Stepping-Stone Connections," Proc. 2006 IEEE International Conference on Acoustics, Speech, and Signal Processing, Toulouse, France, May 2006.
[8] Jianhua Yang and Shou-Hsuan Stephen Huang, "A Real-Time Algorithm to Detect Long Connection Chains of Interactive Terminal Sessions," Proc. 3rd ACM International Conference on Information Security (Infosecu'04), Shanghai, China, November 2004, pp. 198-203. (Acceptance rate 25%)
[9] Jianhua Yang and Shou-Hsuan Stephen Huang, "Charactering and Estimating Network Fluctuation for Detecting Interactive Stepping-Stone Intrusion," Proc. International Conference on Communication, Network and Information Security, Phoenix, Arizona, November 2005, pp. 70-75. (Acceptance rate 34%)
[10] Jianhua Yang, Shou-Hsuan Stephen Huang, and Ming D. Wan, "A Clustering-Partitioning Algorithm to Find TCP Packet Round-Trip Time for Intrusion Detection," Proc. 20th IEEE International Conference on Advanced Information Networking and Applications (AINA 2006), Vienna, Austria, April 2006, Vol. 1, pp. 231-236. (Acceptance rate 30%)
[11] Jianhua Yang and Shou-Hsuan Stephen Huang, "Probabilistic Analysis of an Algorithm to Compute TCP Packet Round-Trip Time for Intrusion Detection," Computers and Security, Elsevier, Vol. 26, 2007, pp. 137-144.
[12] Guoqing Zhao, Jianhua Yang, Long Ni, Gurdeep S. Hura, and Shou-Hsuan Stephen Huang, "Correlating TCP/IP Interactive Sessions with Correlation Coefficient to Detect Stepping-Stone Intrusion," to appear in Proc. 23rd IEEE International Conference on Advanced Information Networking and Applications (AINA 2009), Bradford, UK, May 2009.
[13] Jianhua Yang, Byong Lee, and Shou-Hsuan Stephen Huang, "Monitoring Network Traffic to Detect Stepping-Stone Intrusion," Proc. 22nd IEEE International Conference on Advanced Information Networking and Applications (AINA 2008), Okinawa, Japan, March 2008, pp. 56-61.
Thanks! Questions?