network security - carleton universitykranakis/it/cf/ek2.pdf · 2007. 12. 2. · • scanning worm...
TRANSCRIPT
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 1
Network
Security
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 2
Collaboration with
• Frank Akujobi
• Michel Barbeau
• Joaquin Garcia-Alfaro
• Jyanthi Hall
• John Lambadaris
• Paul Vanorschoot
• Tao Wan
• David Whyte
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 3
Outline
The Network is a complex dynamical system whose securityrequires the interaction of multiple techniques.
• DNS (Domain Name Server)
• BGP (Border Gateway Protocol)
• NEM (Network Exposure Maps)
• Endpoint-Driven Intrusion Detection
• RFF (Radio Frequency Fingerprinting)
• RFID (Radio Frequency ID)
• Sensor Networks
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 4
DNS
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 5
Problem
• Scanning worm propagation can occur extremely fast
– Recall Slammer infected 90 % of vulnerable Internet hostsin less than 10 mins.
• Automated countermeasures are required for wormcontainment and suppression
• Current worm propagation detection methods are limited by:
– Speed of detection
– Inability to detect zero-day worms
– Inability to detect slow scanning worms
– High false positive rate
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 6
Characteristics
• Scanning worms can employ a variety of strategies to infectsystems
– Topological scanning
– Slow scanning
– Fast scanning
• So far, all make use of a pseudo random generated 32-bitnumbers to determine their targets
• The use of numeric IP addresses does not require a DNS lookup
• Violation of typical network behavior (i.e. DNS)
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 7
Detection Approach
• Most legitimate traffic uses the alphanumeric equivalent of anIP address and thus requires a DNS lookup
• Hosts within a domain use their respective DNS servers for IPtranslations
• As the network traffic leaves the network boundary it caneasily be determined if a DNS request was involved
• If no DNS query is detected for a con-attempt it is consideredanomalous
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 8
BGP
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 9
Routing on the Internet
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 10
Common BGP Security Goals
• Data Origin Authentication
– BGP Speaker Authentication
– AS Number Authentication
• Data Integrity (of control messages)
• Message Truthfulness
– Prefix Ownership Verification
– AS-PATH Verification
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 11
Proposals for BGP Security
• Problem: for r := [prefix,AS − path] how do we secure theoperation
f(rtt, r) = rtt+1?
• S-BGP
• soBGP
• psBGP (pretty secure BGP)
– A Centralized Trust Model for AS# Authentication
– A Decentralized Trust Model for Prefix OwnershipVerification
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 12
NEM
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 13
Attribution-based Scanning Detection
• Variety of scanning detection techniques
– Observing connection failures
– Abnormal network behavior
– Connections to darkspace
– Increased connection attempts
• Majority of these rely on correlating scanning activity based onthe perceived last-hop
• Focus of detection is who is scanning instead of what is beingscanned
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 14
Attribution is not practical!
• Attribution is not practical for an increasing number ofsophisticated scanning techniques
• Focus on attribution overlooks critical components of anyobserved scanning campaign:
– What are my adversaries looking for?
– Has the network behavior changed as a result of beingscanned?
• Exemplar technique: Darkports and Exposure Maps
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 15
Exposure Maps and Darkports (Intended Capabilities)
• Scanning detectionSophisticated and simple
• Active ResponseNetwork awareness allows for fine grained response
• Network Discovery and Asset ClassificationExposure Profiles
• Network Change DetectionTrans-darkports and changes in exposure profile
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 16
HEM (Host Exposure Map)
• Associated with a fixed IP address (host), is the set of portsobserved responding to external connection attempts within apredefined period.
• For each active host i in the network, HEMi is a set ofelements each of which begins with the IP address of i, followedby a port number j; there is such an element for each portj
that has responded to a connection attempt within apredefined period.
• In symbols, we can abbreviate this asHEMi = {IPi : portj | portj was observed responding}.
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 17
Endpoint Driven
Intrusion Detection
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 18
Intrusion Detection Techniques
• Signature-based
– Host anti-virus signature
– Network traffic profiling
• Anomaly-based
– Host anomalous behavior
– Network traffic anomalies
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 19
Requirement for effective detection and containment
• Verifiable detection of malicious intrusions
• Collaborative network-based containment
• Automated rapid response
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 20
Proposed detection technique
Detector agent (DA) running on detector endpoints (DEs)
• DEs located in distributed subnets or cells
• DA responds to anomalous host behavior
• DA sends alert to gateway router (GR)
• DA performs real-time recording of intrusion traffic profiles.
– srcIP, dstport, proto
– More flow characteristics can be recorded with deep packetinspection
• DA sends traffic profile records to GR
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 21
Radio Frequency
Fingerprinting
(RFF)
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 22
Radio Frequency Fingerprint
• Pioneered by the military to track movement of enemy troops.
• Designed to capture unique characteristics of the transceiver’sradio frequency energy, for identifying cell phones and otherdevices.
• Has been implemented, as an authentication mechanism, bycellular carriers (e.g. Bell Nynex), to combat cloning fraud.
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 23
Signal from a 802.11b Transceiver
0 500 1000 1500 2000 2500 3000 3500 4000 4500−1500
−1000
−500
0
500
1000
1500
2000LUCENT MODEL 404 − SIGNAL 20
Samples − Original Signal
Ampl
itude
TRANSIENT
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 24
RFF Transceiverprints
• Transceiverprints cannot be easily forged unless the entirecircuitry of a transceiver can be replicated.
• After extracting the transient its instantaneous amplitude,phase and frequency are obtained.
• Using these components, one or more features are extracted.This set of features represents a fingerprint of the transceiver,or in other words transceiverprint.
• The transceiverprint is, in turn, classified as belonging to oneof the profiled transceivers.
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 25
Intrusion Detection Framework (Two Phases)
1. Profiling
(a) Transient-, Component-, and Feature-Extractor
(b) Profile Definition and Update
2. Classification
(a) Identification of Transceivers
(b) Validation (Statistical Classifier, Decision Filter)
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 26
Transient Detection using Threshold (3Com Model 49)
0 1000 2000 3000 4000 5000 6000 7000 80000
0.5
1
1.5
2
2.5
Samples
Frac
tal D
imen
sion
3Com Model 49 − Signal 5
CHANNEL NOISE TRANSIENT
T/4 samples
m = 1
m = 2 ...
m = 3500 START OF TRANSIENT
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 27
Test Case for Threshold Detection
0 1000 2000 3000 4000 5000 6000 7000 80000
1
2
3
Frac
tal D
imen
sion
Fractal Trajectory
Samples
0 1000 2000 3000 4000 5000 6000 7000 80000
50
100
Dete
ctio
n Va
lue
( thr
esho
ld =
0.0
30)
0 1000 2000 3000 4000 5000 6000 7000 8000−100
−50
0
50
100
Start of Transient
Ampl
itude
3Com Model 49 − Signal 5
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 28
Radio Frequency
Identification
(RFID)
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 29
RFIDs to replace Barcodes
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 30
RFID Tags
• Radio frequency devices that transmit information (e.g., serialnumbers) to compliant readers in a contactless manner
• Classified in the literature as:
– Passive: transmission power is derived from reader
– Active: energy comes from on-board battery
– Semi-passive: battery to power microchips, but transmissionpower from reader
• Electronic Product Code (EPC) tags
– Main kind of tags spread on todays RFID supply chainapplications
– Passive UHF RFID tags
– EPCglobal inc: Main organization controlling development
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 31
RFID Issues
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 32
Open Problems
1. Threats to and by front-end components (i.e., tags and readers)
2. Attacks against the back-end components (i.e., middleware anddatabase systems)
3. Vulnerabilities of the ONS (Object Name Service) discoveryservice
• Heritage of well-known threats against DNS protocols
4. Privacy and security concerns during the receiving ofinformation
• Availability, confidentiality, and integrity limitations
• Moreover, necessity of a fine grained access control for theinteraction of principals
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 33
Sensor Networks
Canada France Meeting on Security, Dec 06-08
Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 34
Problems
• Given a layout of sensors produce predictable securityparameters in order to protect
– a given area
– a given border
Canada France Meeting on Security, Dec 06-08