1Forensic Analysis for Epidemic Attacks in Federated NetworksPresented by Gaurav Shah(Based on slides by Yinglian Xie and Michael Hsiao)Yinglian Xie, Vyas Sekar, Michael K. Reiter, Hui ZhangCarnegie Mellon University1Forensic Analysis for Epidemic Attacks in Federated NetworksPresented by Gaurav Shah(Based on slides by Yinglian Xie and Michael Hsiao)Yinglian Xie, Vyas Sekar, Michael K. Reiter, Hui ZhangCarnegie Mellon University2Internet Attacks2Internet AttacksWorm Infection2Internet AttacksWorm Infection2Internet AttacksWorm Infection2Internet AttacksWorm Infection2Internet AttacksWorm Infection2Internet AttacksWorm Infection Distributed DoS2Internet AttacksWorm Infection Distributed DoS2Internet AttacksWorm Infection Distributed DoS3Many More Potential AttacksDifferent time scalesSeconds, hours, daysDifferent meansVarious security exploitsDifferent propagating methodsRandom scan, hit list scanPotentially infect a large number of nodes before an “explicit” or “real” attack4The Structure of AttacksModern attacks are multi-levelLarge scale: difficult to defendHidden trail: difficult to identify initial launch pointWorm Infection Distributed DoSAttackersIdentified VictimsInvolved hosts(e.g., zombies)5Existing ApproachesFirewallIntrusion detectionIdentify compromised hosts[Paxson 98], [Roesch 99], [Staniford 96], [Jung 04]IP tracebackTrace to the source of a packet[Snoeren 01], [Savage 00], [Bellovin 01], [Burch 00]Build better perimeter or find only the lowest level of activities5Existing ApproachesFirewallIntrusion detectionIdentify compromised hosts[Paxson 98], [Roesch 99], [Staniford 96], [Jung 04]IP tracebackTrace to the source of a packet[Snoeren 01], [Savage 00], [Bellovin 01], [Burch 00]Build better perimeter or find only the lowest level of activities5Existing ApproachesFirewallIntrusion detectionIdentify compromised hosts[Paxson 98], [Roesch 99], [Staniford 96], [Jung 04]IP tracebackTrace to the source of a packet[Snoeren 01], [Savage 00], [Bellovin 01], [Burch 00]Build better perimeter or find only the lowest level of activities6Network ForensicsKeep communication recordsPermit post-mortem analysis of patterns across network and timeScope: Internet and IntranetCorrect weak points in a network perimeterDeter future similar attacks7Attacks utilize indirectionAttackers and victims must communicate for the attack to propagateIndependent of attacksVisible to the networkGlobally correlate the communication events General across all types of attacksApplicable to different attack propagation speedsPossible with/without attack signatureHost Contact Graph and Attack Trees8Node before infectionNode in infected stateNormal edgeCausal edgeattack edgeNon−causal t3 t4 t5 t6 t7HostsHGFEDCBATimet1 t2 t8IFigure 1: Example of host contact graph showing the communicationbetween hosts. Attack edges are shown as arrows in black (both solidand dashed). Filled nodes correspond to hosts in an infected state.ABt1Et2Ft4Ct3Dt5Ht7Gt6It8Figure 2: Example showing the causal tree, whichcontain causal edges with timestamps from thehost contact graph.3 Problem FormulationWe model the network communication between end-hostsusing a directed ho st contac t graph. The nodesof the graph, where is the set of all hosts inthe network andis time. Each directed edge representsa network flow between two end hosts at a certain time,where the flow has a finite duration, and involves transferof one or more packets. We represent each edge by a tu-plewhere is the host that initiatesthe communication (the source of the flow),is thehost that receives the communication (the destination of theflow), and, are the start and end times of the flow.Edge is thus from node to node .We have found that including time in the model is impor-tant, as a single hostthat becomes infected duringan attack behaves differently before the time it is infectedthan it does afterwards.Figure 1 shows the host contact graph of a hypotheticalnetwork undergoing an attack. Time advances left to right.Each node (marked as a circle) in the graph corresponds tothe state of a host at a certain time. The nodes on the samehorizontal line show how the state of one host changes overtime, and the nodes on the same vertical line represent thestates of different hosts at the same time.Each directed edge in Figure 1 represents a network flow.If a flow does not carry an infectious payload, we call thatedge a normal edge. We define an edge as an attack edge(highlighted in the figure as either dashed or solid arrows) ifit corresponds to a flow that carries attack traffic, whether ornot the flow is successful in infecting the destination host.While a worm attack may induce a large number of attackflows in the network, only a few flows actually advance theattack by successfully infecting a new host. We define anedge as a causa l edge (highlighted as a solid arrow) if itcorresponds to a flow that actually infects its destination.For example, at time, host D has attack edges to bothhosts G and B. However, only the edge from D to G is acausal edge because G is infected by this contact, whereasB was infected earlier before time.The causal tree formalizes the concept of epidemic at-tack spread. The causal tree is formed by extracting thecausal edges from the host contact graph and projecting theedges along the time axis. To be consistent with the notionof time in the host contact graph, we consider causal edgesoccurring earlier in time as edges in the higher levels of thecausal tree. Figure 2 shows the causal tree for the attack inFigure 1, with each edge annotated with a timestamp. Theedge with timestampfrom the worm origin A is thus atthe highest level of the tree.Given a host contact graph, the goal of our algorithm is toidentify a set of e dges that, with high proba bilit y, are edgesfrom the top level(s) (i.e., initial in time) of the causal tree.Among the hosts listed as the sources of these edges will bethe origin of the attack (or the host at which the attack firstentered the intranet). It is critical that the technique have areasonably low false-negative rate, so that the returned setcontains at least one top level causal edge that identifies theattack origin. It is desirable that the technique have a lowfalse-positive rate, so that the returned set does not includemany normal edges, attack edges that do not infect the
View Full Document