Security System for KOREN/APII-Testbed
Sungkwan Youm, Korea Univ.
A Study of TE for KOREN/APII-Testbed
Research Goal
Deploy an attack defense system on KOREN to improve its security
Yearly Plan
2003 : Security system design and algorithm proposal
- Proposal of a dynamic and adaptive detection algorithm
- Design of a system that detects and defends against attacks
- Implementation of the signature detector
2004 : Implementation of the system and deployment on KOREN
- Implementation of the dynamic detection component
- Implementation of agent and manager
System Architecture
[Diagram] Components: Server; Agent (packet capture via Libcap, NetFlow; link "To another agent"); Signature Detector; Anomaly Detector (Elementary classification, Adaptive classification of attack); Filtering Manager; Security DB; Visualization; Flow isolation.
Configuration for Security Agent
[Diagram] A Detecting Agent and Filtering Agents sit between KOREN and the Protected Server; further Filtering Agents are placed toward Another Network; attack traffic originates from a User.
Signature Detector
- Using Snort
- Performs as a NIDS
- Optimized RuleSet
- Deployed in Suwon and Daejeon (Snort servers)
[Map] KOREN sites: Seoul, Seoul XP, Suwon, Daejeon, Daegu, Kwangju, Busan
Signature Detector Detection Results
Alert List
Signature | Classification | Total# | Sensor# | Src. Addr. | Dest. Addr. | First | Last
[arachNIDS][snort] ICMP PING CyberKit 2.2 Windows | misc-activity | 4690 (15%) | 1 | 299 | 1 | 2003-11-21 20:19:39 | 2003-11-24 19:18:41
[snort] SCAN Squid Proxy attempt | attempted-recon | 12 (0%) | 1 | 2 | 1 | 2003-11-22 08:06:48 | 2003-11-24 03:17:13
[snort] SCAN SOCKS Proxy attempt | attempted-recon | 30 (0%) | 1 | 5 | 1 | 2003-11-22 08:06:48 | 2003-11-24 09:25:26
[snort] SCAN Proxy (8080) attempt | attempted-recon | 12 (0%) | 1 | 2 | 1 | 2003-11-22 08:06:48 | 2003-11-24 03:17:13
[cve][icat][bugtraq][snort] BAD-TRAFFIC IP Proto 103 (PIM) | non-standard-protocol | 25792 (84%) | 1 | 2 | 1 | 2003-11-21 20:18:55 | 2003-11-24 19:18:36
[bugtraq][bugtraq][snort] MS-SQL Worm propagation attempt | misc-attack | 2 (0%) | 1 | 1 | 1 | 2003-11-23 06:19:00 | 2003-11-23 06:19:00
[snort] ICMP superscan echo | attempted-recon | 2 (0%) | 1 | 1 | 1 | 2003-11-23 20:02:04 | 2003-11-23 20:02:04
[arachNIDS][snort] ICMP PING NMAP | attempted-recon | 2 (0%) | 1 | 1 | 1 | 2003-11-23 21:20:50 | 2003-11-23 21:20:50
[cve][icat][cve][icat][cve][icat][snort] SNMP public access udp | attempted-recon | 2 (0%) | 1 | 1 | 1 | 2003-11-24 23:13:27 | 2003-11-24 23:13:27
Anomaly Detection Algorithm
Entropy
$$H = -\sum_{i=1}^{n} p_i \log p_i$$
- Measures the randomness of a packet attribute (e.g. source address)
- Maintain the average of the entropy
- Detect attacks with a threshold setting
Chi-square test
$$\chi^2 = \sum_{i=1}^{B} \frac{(N_i - n_i)^2}{n_i}$$
- Measures the distribution of an attribute
- Use anomaly detection over various packet attributes
Anomaly Detection Mechanism
[Diagram] Incoming traffic (attack and normal packets) -> Elementary Classification (using a single detecting algorithm, entropy, with low accuracy) -> Suspicious Signature -> Adaptive Classification (using multiple detecting algorithms, chi-square, with high accuracy) -> Malicious Signature -> Filtering Manager (Malicious, Suspicious) -> Secure packets
Anomaly Detection Mechanism
Elementary classification
- Applies the suspicious signature with high sensitivity
- Classification covers attack packets broadly
- Reduces the congestion problem of the network
- Uses entropy calculation with a low threshold value
Adaptive classification
- Applies the malicious signature with high sensitivity
- Reduces the false detection rate
- Uses the chi-square test with a high threshold value
Flowchart of Signature Creation
1. Pick up the next packet's attributes (sa or ma).
2. Calculate the entropy of packet attribute sa and compare it with the average; update the average value of the entropy.
3. Exceed threshold? No: continue with the next packet. Yes: create a suspicious signature based on packet attribute sa.
4. Calculate the chi-square value of packet attribute ma of the suspicious packets (the chi-square value of ma is also calculated and its average updated).
5. Exceed threshold? No: continue with the next packet. Yes: does the number of packets that belong to the suspicious signature exceed the upper-bound threshold n? No: continue with the next packet. Yes: create a malicious signature by adding ma to the suspicious signature.
6. Filtering based on signatures.
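The two-stage classification charted above (entropy with a low threshold, then chi-square over the suspicious packets with a high threshold and an upper-bound count n), as an added Python example that is not part of the original slides. It assumes that the suspicious signature lists the sources absent from a baseline set, that packet lengths are binned in 64-byte steps, and uses constructed sample traffic; none of these choices come from the page.

```python
import math
from collections import Counter

def entropy(values):
    """Shannon entropy (bits) of an attribute's value distribution: H = -sum p_i log2 p_i."""
    counts, total = Counter(values), len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def chi_square(observed, expected):
    """Chi-square statistic over bins: sum_i (N_i - n_i)^2 / n_i, with n_i from the baseline."""
    return sum((observed.get(b, 0) - n) ** 2 / n for b, n in expected.items() if n > 0)

def length_bin(length):
    """64-byte bins, so bin 0 is the page's {leng=1-64byte} (bin width is a constructed choice)."""
    return (length - 1) // 64

def classify_window(packets, known_srcs, baseline_bins, ent_thr, chi_thr, upper_n):
    """Two-stage classification of one window of (src, length) packets.
    Returns (suspicious_sig, malicious_sig); a stage that does not fire yields None."""
    srcs = [src for src, _ in packets]
    if entropy(srcs) <= ent_thr:          # elementary stage: entropy with a low threshold
        return None, None
    # assumption: the suspicious signature names the sources absent from the baseline
    new_srcs = sorted(set(srcs) - known_srcs)
    suspicious = {"Src": new_srcs}
    matched = [length for src, length in packets if src not in known_srcs]
    # adaptive stage: chi-square of the suspicious packets' length bins vs. baseline shares
    observed = Counter(length_bin(length) for length in matched)
    expected = {b: share * len(matched) for b, share in baseline_bins.items()}
    if chi_square(observed, expected) <= chi_thr or len(matched) <= upper_n:
        return suspicious, None
    top = observed.most_common(1)[0][0]
    malicious = dict(suspicious, leng=f"{top * 64 + 1}-{(top + 1) * 64}byte")
    return suspicious, malicious

# constructed sample traffic: four known hosts plus a flood of 40-byte packets
# from 40 spoofed sources (constructed addresses, not taken from the page)
KNOWN_SRCS = {f"10.0.0.{i}" for i in range(1, 5)}
BASELINE_BINS = {0: 0.1, 1: 0.4, 2: 0.3, 3: 0.2}   # length-bin shares of normal traffic
NORMAL = [(f"10.0.0.{i}", 100 + 40 * j) for i in range(1, 5) for j in range(5)]
ATTACK = NORMAL + [(f"198.51.100.{i}", 40) for i in range(1, 41)]

if __name__ == "__main__":
    print(classify_window(NORMAL, KNOWN_SRCS, BASELINE_BINS, 3.0, 100.0, 30))
    print(classify_window(ATTACK, KNOWN_SRCS, BASELINE_BINS, 3.0, 100.0, 30))
```

The normal window yields no signature; the flood raises source entropy above the low threshold, and the 40-byte packets from the new sources then push the length-bin chi-square far above the high threshold, producing a malicious signature with leng=1-64byte.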
Anomaly Detection Process
Example of detection process
Entropy (about source address)
Entropy Average | Current Entropy | Signature
7 (threshold 8) | 8.7 | {Src=201.170.123.6}
Chi-square (about packet length)
Chi-square Average | Current Chi-square value | Signature
1200 (threshold 1300) | 2000 | {leng=1-64byte}
Anomaly Detector Architecture
[Diagram] Monitoring Tool -> Agent -> Detecting Module 1, Detecting Module 2, ..., Detecting Module n -> Anomaly Detection Manager -> Suspicious, Malicious Signature -> Filtering Manager
Packet attributes: Source address, Destination address, Source port number, Destination port number, Protocol
Signature Detector Testing (DDoS)
Testing Environment
[Diagram] Target, Master, Agent, Agent
- Snort: unable to detect the attack packets (203.255.255.94, Daejeon)
- Snort: able to detect the control messages (163.180.118.68, Suwon)
Signature Detector Testing (DDoS)
TFN2K icmp possible communication detection
ID | Signature | Timestamp | Source Address | Dest. Address | Layer 4 Proto
#150-(2-3872) | [snort] tfn2k icmp possible communication | 2003-11-22 14:18:52 | 163.180.118.68 | 163.180.118.98 | ICMP
#151-(2-3871) | [snort] tfn2k icmp possible communication | 2003-11-22 14:18:52 | 163.180.118.68 | 163.180.118.98 | ICMP
#152-(2-3870) | [snort] tfn2k icmp possible communication | 2003-11-22 14:18:53 | 163.180.118.68 | 163.180.118.98 | ICMP
#153-(2-3869) | [snort] tfn2k icmp possible communication | 2003-11-22 14:18:53 | 163.180.118.68 | 163.180.118.98 | ICMP
DDoS TFN client command BE detection
ID | Signature | Timestamp | Source Address | Dest. Address | Layer 4 Proto
#156-(2-3866) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:56 | 163.180.118.98 | 163.180.118.68 | ICMP
#157-(2-3865) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:56 | 163.180.118.98 | 163.180.118.68 | ICMP
#158-(2-3864) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:56 | 163.180.118.98 | 163.180.118.68 | ICMP
#159-(2-3863) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:57 | 163.180.118.98 | 163.180.118.68 | ICMP
#160-(2-3862) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:57 | 163.180.118.98 | 163.180.118.68 | ICMP
#161-(2-3863) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:57 | 163.180.118.98 | 163.180.118.68 | ICMP
Anomaly Detector Algorithm Testing (DDoS)
Testing Environment
[Diagram] Local Network (Normal Traffic) and a DDoS Attack (TFN2K) are directed at the Victim; the Monitoring Tool (Libcap, NetFlow) fills the Attribute DB with Source Address, Destination Address, Source Port Num, Destination Port Num and Packet Length; packet and flow attributes are analyzed using the detecting algorithm.
Anomaly Detector Testing (DDoS)
About Packet Attributes
[Figure] Chi-Square Value for Packet Length (y: Chi-Square Value, 0 to 2500; x: Packet Number(500), 1 to 121); Entropy Value for Source IP address (y: Entropy Value, 0 to 10; x: Packet Number(250), 1 to 41)
Anomaly Detector Testing (DDoS)
[Figure] Chi-Square Value for Source Port Number (y: Chi-Square Value, 0 to 1600; x: Packet Number(250), 1 to 31); Chi-Square Value for Destination Address (y: Chi-Square Value, 0 to 1200; x: Packet Number(250), 1 to 31)
In this case, packet length is not a valid attribute.
Anomaly Detector Testing (DDoS)
About Flow Attributes
[Figure] Chi-Square Value for Flow Length (y: Chi-Square Value, 0 to 1600; x: Flow Number(250), 1 to 41); Entropy Value for Source IP Address(Flow) (y: Entropy Value, 0 to 9; x: Flow Number(250), 1 to 101)
Anomaly Detector Testing (DDoS)
[Figure] Chi-Square Value for Source Port Number(Flow) (y: Chi-Square Value, 0 to 1500; x: Flow Number(250), 1 to 31); Chi-Square Value for Destination Address(Flow) (y: Chi-Square Value, 0 to 1200; x: Flow Number(250), 1 to 31)
The threshold value needs to be set lower.
Conclusion
- The Signature Detector detects well-known attacks
- The Anomaly Detector detects DDoS attacks that cannot be detected by the Signature Detector
- The security system will improve KOREN's security
Future Work
- Monitor malicious traffic using the signature detector
- Design the filtering manager
- Implement the detecting module