Penn CIS 700 - Forensic Analysis for Epidemic Attacks in Federated Networks

Unformatted text preview:

1Forensic Analysis for Epidemic Attacks in Federated NetworksPresented by Gaurav Shah(Based on slides by Yinglian Xie and Michael Hsiao)Yinglian Xie, Vyas Sekar, Michael K. Reiter, Hui ZhangCarnegie Mellon University1Forensic Analysis for Epidemic Attacks in Federated NetworksPresented by Gaurav Shah(Based on slides by Yinglian Xie and Michael Hsiao)Yinglian Xie, Vyas Sekar, Michael K. Reiter, Hui ZhangCarnegie Mellon University2Internet Attacks2Internet AttacksWorm Infection2Internet AttacksWorm Infection2Internet AttacksWorm Infection2Internet AttacksWorm Infection2Internet AttacksWorm Infection2Internet AttacksWorm Infection Distributed DoS2Internet AttacksWorm Infection Distributed DoS2Internet AttacksWorm Infection Distributed DoS3Many More Potential AttacksDifferent time scalesSeconds, hours, daysDifferent meansVarious security exploitsDifferent propagating methodsRandom scan, hit list scanPotentially infect a large number of nodes before an “explicit” or “real” attack4The Structure of AttacksModern attacks are multi-levelLarge scale: difficult to defendHidden trail: difficult to identify initial launch pointWorm Infection Distributed DoSAttackersIdentified VictimsInvolved hosts(e.g., zombies)5Existing ApproachesFirewallIntrusion detectionIdentify compromised hosts[Paxson 98], [Roesch 99], [Staniford 96], [Jung 04]IP tracebackTrace to the source of a packet[Snoeren 01], [Savage 00], [Bellovin 01], [Burch 00]Build better perimeter or find only the lowest level of activities5Existing ApproachesFirewallIntrusion detectionIdentify compromised hosts[Paxson 98], [Roesch 99], [Staniford 96], [Jung 04]IP tracebackTrace to the source of a packet[Snoeren 01], [Savage 00], [Bellovin 01], [Burch 00]Build better perimeter or find only the lowest level of activities5Existing ApproachesFirewallIntrusion detectionIdentify compromised hosts[Paxson 98], [Roesch 99], [Staniford 96], [Jung 04]IP tracebackTrace to the source of a packet[Snoeren 01], [Savage 00], [Bellovin 01], [Burch 00]Build better perimeter or find only the lowest level of activities6Network ForensicsKeep communication recordsPermit post-mortem analysis of patterns across network and timeScope: Internet and IntranetCorrect weak points in a network perimeterDeter future similar attacks7Attacks utilize indirectionAttackers and victims must communicate for the attack to propagateIndependent of attacksVisible to the networkGlobally correlate the communication events General across all types of attacksApplicable to different attack propagation speedsPossible with/without attack signatureHost Contact Graph and Attack Trees8Node before infectionNode in infected stateNormal edgeCausal edgeattack edgeNon−causal t3 t4 t5 t6 t7HostsHGFEDCBATimet1 t2 t8IFigure 1: Example of host contact graph showing the communicationbetween hosts. Attack edges are shown as arrows in black (both solidand dashed). Filled nodes correspond to hosts in an infected state.ABt1Et2Ft4Ct3Dt5Ht7Gt6It8Figure 2: Example showing the causal tree, whichcontain causal edges with timestamps from thehost contact graph.3 Problem FormulationWe model the network communication between end-hostsusing a directed ho st contac t graph. The nodesof the graph, where is the set of all hosts inthe network andis time. Each directed edge representsa network flow between two end hosts at a certain time,where the flow has a finite duration, and involves transferof one or more packets. We represent each edge by a tu-plewhere is the host that initiatesthe communication (the source of the flow),is thehost that receives the communication (the destination of theflow), and, are the start and end times of the flow.Edge is thus from node to node .We have found that including time in the model is impor-tant, as a single hostthat becomes infected duringan attack behaves differently before the time it is infectedthan it does afterwards.Figure 1 shows the host contact graph of a hypotheticalnetwork undergoing an attack. Time advances left to right.Each node (marked as a circle) in the graph corresponds tothe state of a host at a certain time. The nodes on the samehorizontal line show how the state of one host changes overtime, and the nodes on the same vertical line represent thestates of different hosts at the same time.Each directed edge in Figure 1 represents a network flow.If a flow does not carry an infectious payload, we call thatedge a normal edge. We define an edge as an attack edge(highlighted in the figure as either dashed or solid arrows) ifit corresponds to a flow that carries attack traffic, whether ornot the flow is successful in infecting the destination host.While a worm attack may induce a large number of attackflows in the network, only a few flows actually advance theattack by successfully infecting a new host. We define anedge as a causa l edge (highlighted as a solid arrow) if itcorresponds to a flow that actually infects its destination.For example, at time, host D has attack edges to bothhosts G and B. However, only the edge from D to G is acausal edge because G is infected by this contact, whereasB was infected earlier before time.The causal tree formalizes the concept of epidemic at-tack spread. The causal tree is formed by extracting thecausal edges from the host contact graph and projecting theedges along the time axis. To be consistent with the notionof time in the host contact graph, we consider causal edgesoccurring earlier in time as edges in the higher levels of thecausal tree. Figure 2 shows the causal tree for the attack inFigure 1, with each edge annotated with a timestamp. Theedge with timestampfrom the worm origin A is thus atthe highest level of the tree.Given a host contact graph, the goal of our algorithm is toidentify a set of e dges that, with high proba bilit y, are edgesfrom the top level(s) (i.e., initial in time) of the causal tree.Among the hosts listed as the sources of these edges will bethe origin of the attack (or the host at which the attack firstentered the intranet). It is critical that the technique have areasonably low false-negative rate, so that the returned setcontains at least one top level causal edge that identifies theattack origin. It is desirable that the technique have a lowfalse-positive rate, so that the returned set does not includemany normal edges, attack edges that do not infect the


View Full Document

Penn CIS 700 - Forensic Analysis for Epidemic Attacks in Federated Networks

Documents in this Course
Load more
Download Forensic Analysis for Epidemic Attacks in Federated Networks
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view Forensic Analysis for Epidemic Attacks in Federated Networks and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Forensic Analysis for Epidemic Attacks in Federated Networks 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?