Security System for KOREN/APII-Testbed

A Study of TE for KOREN/APII-Testbed. Security System for KOREN/APII-Testbed. Sungkwan Youm, Korea Univ.


Security System for KOREN/APII-Testbed. Sungkwan Youm, Korea Univ. Research Goal: deploy an attack defense system on KOREN to improve security. Yearly Plan, 2003: security system design and algorithm proposal; proposal of a dynamic and adaptive detecting algorithm. (PowerPoint presentation)

Transcript of Security System for KOREN/APII-Testbed

Page 1: Security System for KOREN/APII-Testbed

A Study of TE for KOREN/APII-Testbed

Security System for KOREN/APII-Testbed

Sungkwan Youm

Korea Univ.

Page 2: Security System for KOREN/APII-Testbed

Research Goal

Deploy attack defense system to KOREN for improving security

Yearly Plan

2003: Security system design and algorithm proposal
- Proposal of dynamic and adaptive detecting algorithm
- Design system which detects and defends attack
- Implementation of signature detector

2004: Implementation of system and deployment on KOREN
- Implementation of dynamic detecting component
- Implementation of agent, manager

Page 3: Security System for KOREN/APII-Testbed

System Architecture

[Diagram: System Architecture. Components shown: AGENT with Libcap and NetFlow capture; Signature Detector with Security DB; Anomaly Detector with Elementary classification and Adaptive classification; Filtering; Manager with Visualization and Flow isolation; protected Server; incoming attack; link to another agent.]

Page 4: Security System for KOREN/APII-Testbed

Configuration for Security Agent

[Diagram: Configuration for Security Agent. Elements shown: Protected Server with an Agent; further Agents at Filtering and Detecting points on KOREN; Another Network; User; attack traffic entering from two directions and being filtered.]

Page 5: Security System for KOREN/APII-Testbed

Signature Detector

Using Snort

Perform as NIDS

Optimize RuleSet

Deployed in Suwon, Daejeon

[Map: KOREN sites Seoul, Suwon, Daejeon, Daegu, Busan, Kwangju; two Snort Servers and a Seoul XP host marked.]

Page 6: Security System for KOREN/APII-Testbed

Signature Detector Detection Results

Alert List

Signature | Classification | Total# | Sensor# | Src.Addr. | Dest.Addr. | First | Last
[arachNIDS][snort] ICMP PING CyberKit 2.2 Windows | misc-activity | 4690 (15%) | 1 | 299 | 1 | 2003-11-21 20:19:39 | 2003-11-24 19:18:41
[snort] SCAN Squid Proxy attempt | attempted-recon | 12 (0%) | 1 | 2 | 1 | 2003-11-22 08:06:48 | 2003-11-24 03:17:13
[snort] SCAN SOCKS Proxy attempt | attempted-recon | 30 (0%) | 1 | 5 | 1 | 2003-11-22 08:06:48 | 2003-11-24 09:25:26
[snort] SCAN Proxy (8080) attempt | attempted-recon | 12 (0%) | 1 | 2 | 1 | 2003-11-22 08:06:48 | 2003-11-24 03:17:13
[cve][icat][bugtraq][snort] BAD-TRAFFIC IP Proto 103 (PIM) | non-standard-protocol | 25792 (84%) | 1 | 2 | 1 | 2003-11-21 20:18:55 | 2003-11-24 19:18:36
[bugtraq][bugtraq][snort] MS-SQL Worm propagation attempt | misc-attack | 2 (0%) | 1 | 1 | 1 | 2003-11-23 06:19:00 | 2003-11-23 06:19:00
[snort] ICMP superscan echo | attempted-recon | 2 (0%) | 1 | 1 | 1 | 2003-11-23 20:02:04 | 2003-11-23 20:02:04
[arachNIDS][snort] ICMP PING NMAP | attempted-recon | 2 (0%) | 1 | 1 | 1 | 2003-11-23 21:20:50 | 2003-11-23 21:20:50
[cve][icat][cve][icat][cve][icat][snort] SNMP public access udp | attempted-recon | 2 (0%) | 1 | 1 | 1 | 2003-11-24 23:13:27 | 2003-11-24 23:13:27

Page 7: Security System for KOREN/APII-Testbed

Anomaly Detection Algorithm

Entropy

Measure randomness of a packet attribute (e.g. source address)

Maintain average of entropy

Detect attack with threshold setting

Chi-square test

Measure distribution of attribute

Use anomaly detection of various packet attributes

Entropy of an attribute with n observed values and probabilities p_i:

$H = -\sum_{i=1}^{n} p_i \log p_i$

Chi-square statistic over B bins, with N_i observed and n_i expected counts:

$\chi^2 = \sum_{i=1}^{B} \frac{(N_i - n_i)^2}{n_i}$

Page 8: Security System for KOREN/APII-Testbed

Anomaly Detection Mechanism

[Diagram: Anomaly Detection Mechanism. Incoming traffic (attack and normal packets) enters Elementary Classification, which uses a single detecting algorithm (entropy) with low accuracy and produces a Suspicious Signature; suspicious traffic enters Adaptive Classification, which uses multiple detecting algorithms (chi-square) with high accuracy and produces a Malicious Signature; the Filtering Manager applies the signatures and passes on secure packets.]

Page 9: Security System for KOREN/APII-Testbed

Anomaly Detection Mechanism

Elementary classification

Apply suspicious signature with high sensitivity

Classification covers attack packets broadly

Reduce congestion problem of network

Use entropy calculation with low threshold value

Adaptive classification

Apply malicious signature with high sensitivity

Reduce false detection rate

Use chi-square test with high threshold value

Page 10: Security System for KOREN/APII-Testbed

Flowchart of Signature Creation

1. Pick up next packet attributes (as sa or ma).

2. Calculate entropy of packet attribute sa and compare with average. Exceed threshold?
   No: update average value of entropy and return to step 1.
   Yes: create suspicious signature based on packet attribute sa.

3. Do the number of packets that belong to the suspicious signature exceed the upper-bound threshold n?
   No: return to step 1.
   Yes: calculate chi-square value of packet attribute ma of suspicious packets.

4. Exceed threshold?
   No: calculate chi-square value of packet attribute ma and update average.
   Yes: create malicious signature by adding ma to the suspicious signature.

5. Filtering based on signatures.

Page 11: Security System for KOREN/APII-Testbed

Anomaly Detection Process

Example of detection process

Entropy (about source address)

Entropy Average | Current Entropy | Signature
7 (threshold 8) | 8.7 | {Src=201.170.123.6}

Chi-square (about packet length)

Chi-square Average | Current Chi-square value | Signature
1200 (threshold 1300) | 2000 | {leng=1-64byte}
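As an added illustration (not the slides' own code), the following Python implements the two-stage check of slides 7 to 11: source-address entropy for the elementary stage and a chi-square test on 64-byte length bins for the adaptive stage, with the threshold values from the slide 11 example. The constructed traffic, the choice of "sources absent from the baseline" as the suspicious signature, and the add-one smoothing of expected bin counts are assumptions of this example.

```python
import math
from collections import Counter

# Added example (not the slides' code): two-stage classification of slides 7-11.
# Packets are (source_address, length) tuples; the traffic below is constructed.

def entropy(values):
    """H = -sum_i p_i log2 p_i over the empirical distribution of a packet attribute."""
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in Counter(values).values())

def length_bin(length):
    """64-byte bin label for a packet length, e.g. 40 -> '1-64byte' (slide 11 notation)."""
    lo = (max(length, 1) - 1) // 64 * 64 + 1
    return f"{lo}-{lo + 63}byte"

def chi_square(observed, expected):
    """chi^2 = sum_i (N_i - n_i)^2 / n_i with N_i observed and n_i expected bin counts."""
    return sum((observed.get(b, 0) - n) ** 2 / n for b, n in expected.items())

def classify(baseline, window, ent_threshold=8.0, chi_threshold=1300.0):
    """Return (H, suspicious_signature, chi2, malicious_signature) for one window.
    Elementary stage: source-address entropy above ent_threshold -> suspicious
    signature on the sources absent from the baseline (assumed way to pick 'sa').
    Adaptive stage: chi-square of the suspicious packets' length bins against the
    baseline shape above chi_threshold -> malicious signature adds the worst bin."""
    h = entropy([src for src, _ in window])
    if h <= ent_threshold:
        return h, None, 0.0, None           # normal window: update the entropy average here
    known = {src for src, _ in baseline}
    new_srcs = sorted({src for src, _ in window if src not in known})
    suspicious = [(s, l) for s, l in window if s not in known]
    base_bins = Counter(length_bin(l) for _, l in baseline)
    observed = Counter(length_bin(l) for _, l in suspicious)
    bins = set(base_bins) | set(observed)
    # add-one smoothing (assumption) so a bin unseen in normal traffic still has n_i > 0
    expected = {b: (base_bins[b] + 1) / (len(baseline) + len(bins)) * len(suspicious) for b in bins}
    x2 = chi_square(observed, expected)
    sig = {"Src": new_srcs}
    if x2 <= chi_threshold:
        return h, sig, x2, None
    worst = max(bins, key=lambda b: (observed.get(b, 0) - expected[b]) ** 2 / expected[b])
    return h, sig, x2, {**sig, "leng": worst}

# Constructed traffic: four normal sources, then a flood of 40-byte packets from spoofed sources.
BASELINE = [(f"10.0.0.{i}", l) for i in range(1, 5) for l in (600, 1400) for _ in range(5)]
FLOOD = [(f"198.51.100.{i}" if i < 200 else f"203.0.113.{i - 200}", 40) for i in range(400)]

if __name__ == "__main__":
    print(classify(BASELINE, BASELINE))           # quiet window: entropy 2.0, no signature
    print(classify(BASELINE, BASELINE + FLOOD))   # flood: entropy > 8, leng bin '1-64byte'
```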

Page 12: Security System for KOREN/APII-Testbed

Anomaly Detector Architecture

[Diagram: Anomaly Detector Architecture. A Monitoring Tool Agent supplies packet attributes (source address, destination address, source port number, destination port number, protocol) to the Anomaly Detection Manager, which runs Detecting Module 1, Detecting Module 2, ..., Detecting Module n and passes Suspicious and Malicious Signatures to the Filtering Manager.]

Page 13: Security System for KOREN/APII-Testbed

Signature Detector Testing (DDoS)

Testing Environment

[Diagram: a Master sends Control Msg. to several Agents; the Agents send Attack Packets to the Target.]

Snort: possible to detect control message (163.180.118.68, Suwon)

Snort: impossible to detect attack packet (203.255.255.94, Daejeon)

Page 14: Security System for KOREN/APII-Testbed

Signature Detector Testing (DDoS)

TFN2K icmp possible communication detection

ID | Signature | Timestamp | Source Address | Dest. Address | Layer 4 Proto
#150-(2-3872) | [snort] tfn2k icmp possible communication | 2003-11-22 14:18:52 | 163.180.118.68 | 163.180.118.98 | ICMP
#151-(2-3871) | [snort] tfn2k icmp possible communication | 2003-11-22 14:18:52 | 163.180.118.68 | 163.180.118.98 | ICMP
#152-(2-3870) | [snort] tfn2k icmp possible communication | 2003-11-22 14:18:53 | 163.180.118.68 | 163.180.118.98 | ICMP
#153-(2-3869) | [snort] tfn2k icmp possible communication | 2003-11-22 14:18:53 | 163.180.118.68 | 163.180.118.98 | ICMP

DDoS TFN client command BE detection

ID | Signature | Timestamp | Source Address | Dest. Address | Layer 4 Proto
#156-(2-3866) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:56 | 163.180.118.98 | 163.180.118.68 | ICMP
#157-(2-3865) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:56 | 163.180.118.98 | 163.180.118.68 | ICMP
#158-(2-3864) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:56 | 163.180.118.98 | 163.180.118.68 | ICMP
#159-(2-3863) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:57 | 163.180.118.98 | 163.180.118.68 | ICMP
#160-(2-3862) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:57 | 163.180.118.98 | 163.180.118.68 | ICMP
#161-(2-3863) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:57 | 163.180.118.98 | 163.180.118.68 | ICMP

Page 15: Security System for KOREN/APII-Testbed

Anomaly Detector Algorithm Testing (DDoS)

Testing Environment

[Diagram: a DDoS Attack (TFN2K) and a Local Network (Normal Traffic) both send traffic toward the Victim; a Monitoring Tool (Libcap, NetFlow) records Source Address, Destination Address, Source Port Num, Destination Port Num and Packet Length into an Attribute DB, and the packet and flow attributes are analyzed using the detecting algorithm.]

Page 16: Security System for KOREN/APII-Testbed

Anomaly Detector Testing (DDoS)

About Packet Attributes

[Chart: Entropy Value for Source IP address; x-axis Packet Number (500), ticks 1 to 121; y-axis Entropy Value, 0 to 10.]

[Chart: Chi-Square Value for Packet Length; x-axis Packet Number (250), ticks 1 to 41; y-axis Chi-Square Value, 0 to 2500.]

Page 17: Security System for KOREN/APII-Testbed

Anomaly Detector Testing (DDoS)

In this case, packet length is not a valid attribute

[Chart: Chi-Square Value for Destination Address; x-axis Packet Number (250), ticks 1 to 31; y-axis Chi-Square Value, 0 to 1600.]

[Chart: Chi-Square Value for Source Port Number; x-axis Packet Number (250), ticks 1 to 31; y-axis Chi-Square Value, 0 to 1200.]

Page 18: Security System for KOREN/APII-Testbed

Anomaly Detector Testing (DDoS)

About Flow Attributes

[Chart: Chi-Square Value for Flow Length; x-axis Flow Number (250), ticks 1 to 41; y-axis Chi-Square Value, 0 to 1600.]

[Chart: Entropy Value for Source IP Address (Flow); x-axis Flow Number (250), ticks 1 to 101; y-axis Entropy Value, 0 to 9.]

Page 19: Security System for KOREN/APII-Testbed

Anomaly Detector Testing (DDoS)

Need to set threshold value lower

[Chart: Chi-Square Value for Destination Address (Flow); x-axis Flow Number (250), ticks 1 to 31; y-axis Chi-Square Value, 0 to 1500.]

[Chart: Chi-Square Value for Source Port Number (Flow); x-axis Flow Number (250), ticks 1 to 31; y-axis Chi-Square Value, 0 to 1200.]

Page 20: Security System for KOREN/APII-Testbed

Conclusion

Signature Detector detects well-known attacks

Anomaly Detector detects DDoS attacks that can't be detected by the Signature Detector

Security system will improve KOREN's security

Page 21: Security System for KOREN/APII-Testbed

Future Works

Monitor malicious traffic using signature detector

Design filtering manager

Implement detecting module