Weekly Presentation 3
Transcript Weekly Presentation 3
Multi-Route Anomaly detection using
Principal Component Analysis
Adnan Iqbal
Supervisor
Dr. Waqar Mahmood
21-06-05
The concept
The idea is to discover anomalies in the whole
network and then to compare these network-wide
anomalies with single-route anomalies,
to find out the relationship between network-wide
anomalies and their constituent single-route
anomalies
Summary
Discover a scheme that can be used to get the
relationship between network-wide anomalies
and single-route anomalies
Implement the scheme
Perform Regularization of Data
Apply the scheme to suitable routes
Analyze Results
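The scheme is illustrated here with the standard PCA residual-subspace method, as an added example that is not the presenter's own implementation: the traffic matrix (time bins by routes), its two latent factors, the bounded pseudo-noise and the spike injected into route 1 at bin 42 are all constructed, and the mean + 3 std threshold stands in for the usual Q-statistic. The code fits the normal subspace on a clean training window, flags bins whose residual energy (squared prediction error, SPE) is anomalous network-wide, and then ranks the routes by their share of that residual, which is the network-wide to single-route relationship the concept slide describes.

```python
"""PCA residual-subspace anomaly detection over a time-by-route traffic
matrix, with attribution of a network-wide anomaly to single routes.
Added example: the traffic is constructed and the method is the usual
PCA/SPE subspace approach, assumed here, not the presenter's own scheme."""
import math

T_TRAIN, T_TOTAL, ROUTES = 36, 48, 6
# Constructed loadings of two shared latent factors on the six routes.
LOAD_A = [1.0, 0.8, 0.6, 0.9, 0.3, 0.5]
LOAD_B = [0.2, 0.5, 0.9, 0.1, 0.8, 0.4]
# Constructed anomaly: a single-route spike injected into route 1 at bin 42.
ANOMALY_BIN, ANOMALY_ROUTE, ANOMALY_SIZE = 42, 1, 100.0


def traffic_matrix():
    """T_TOTAL rows (time bins) of ROUTES traffic volumes (constructed data)."""
    rows = []
    for t in range(T_TOTAL):
        f1 = math.sin(2 * math.pi * t / 24)   # slow shared factor
        f2 = math.cos(2 * math.pi * t / 12)   # faster shared factor
        row = [100 + 30 * LOAD_A[r] * f1 + 15 * LOAD_B[r] * f2
               + 2 * math.sin(7.3 * t + 1.7 * r)   # bounded pseudo-noise
               for r in range(ROUTES)]
        if t == ANOMALY_BIN:
            row[ANOMALY_ROUTE] += ANOMALY_SIZE
        rows.append(row)
    return rows


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def top_components(rows, k, iters=500):
    """Top-k unit eigenvectors of the covariance of the (centered) rows,
    by power iteration with deflation; no numpy needed."""
    n = len(rows[0])
    cov = [[sum(x[i] * x[j] for x in rows) / (len(rows) - 1)
            for j in range(n)] for i in range(n)]
    comps = []
    for _ in range(k):
        v = [1.0 / math.sqrt(n)] * n
        for _ in range(iters):
            w = [dot(cov[i], v) for i in range(n)]
            norm = math.sqrt(dot(w, w))
            v = [x / norm for x in w]
        lam = dot(v, [dot(cov[i], v) for i in range(n)])
        comps.append(v)
        # Deflate so the next pass converges to the next eigenvector.
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(n)] for i in range(n)]
    return comps


def residual(x, comps):
    """Part of x outside the principal subspace (the anomalous subspace)."""
    proj = [0.0] * len(x)
    for v in comps:
        c = dot(x, v)
        proj = [p + c * vi for p, vi in zip(proj, v)]
    return [xi - pi for xi, pi in zip(x, proj)]


def detect(rows, train_bins=T_TRAIN, k=2):
    """Fit means and the k-dim normal subspace on the first train_bins rows,
    score every row by its squared prediction error (SPE) and flag rows above
    mean + 3 std of the training SPE (a simple stand-in for the Q-statistic).
    Returns (spe, threshold, flagged, comps, means)."""
    n = len(rows[0])
    means = [sum(r[i] for r in rows[:train_bins]) / train_bins for i in range(n)]
    centered = [[x - m for x, m in zip(r, means)] for r in rows]
    comps = top_components(centered[:train_bins], k)
    spe = [dot(res, res) for res in (residual(r, comps) for r in centered)]
    train = spe[:train_bins]
    mu = sum(train) / len(train)
    sd = math.sqrt(sum((s - mu) ** 2 for s in train) / len(train))
    thresh = mu + 3 * sd
    flagged = [t for t, s in enumerate(spe) if s > thresh]
    return spe, thresh, flagged, comps, means


def attribute(rows, bin_idx, comps, means):
    """Share of a flagged bin's residual energy carried by each route,
    largest first: the single-route view of a network-wide anomaly."""
    x = [v - m for v, m in zip(rows[bin_idx], means)]
    res = residual(x, comps)
    total = dot(res, res)
    return sorted(((r, res[r] ** 2 / total) for r in range(len(res))),
                  key=lambda p: p[1], reverse=True)


if __name__ == "__main__":
    data = traffic_matrix()
    spe, thresh, flagged, comps, means = detect(data)
    print("threshold %.1f, flagged bins %s" % (thresh, flagged))
    for b in flagged:
        print("bin %d SPE %.1f, top routes %s"
              % (b, spe[b], attribute(data, b, comps, means)[:3]))
```

The attribution step is where the single-route picture comes from: the residual of the flagged bin is split per route, and a route's share of the residual energy says how much of the network-wide anomaly it carries. With real data the Q-statistic threshold and the number of retained components k would be chosen from the training window rather than fixed as here.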
Analysis of Data used in Anomaly Detection
Study of MIT Lincoln Lab intrusion detection
data (Completed)
Current Work
Study of MIT Lincoln Lab intrusion detection
data (contd)
Data Sets
1998
1999
2000
Dataset 2000
2000 data set (scenario based)
LLDOS 1.0 - Scenario One
LLDOS 2.0.2 - Scenario Two
Windows NT Attack Data Set
Data is in multiple files
Tcpdump of inside
Tcpdump of DMZ
Syslog of different hosts
Scenario 1 Data Set
DDoS Level 1.0
Adversary :Novice
Goal:Install components for, and carry out, a DDOS attack
Defender: Naive
Spread over multiple phases
Phases of Attack - 1
Phase 1: The adversary performs a scripted IPsweep
of multiple class C subnets on the Air Force Base.
The following networks are swept from address 1 to
254: 172.16.115.0/24, 172.16.114.0/24,
172.16.113.0/24, 172.16.112.0/24. The attacker sends ICMP
echo-requests in this sweep and listens for echo-replies to determine which hosts are "up".
Phase 2: Those hosts that are found to be alive in the
previous phase are probed to determine which ones are
configured to run the "sadmind" remote administration
tool.
Phases of Attack - 2
Phase 3: The attacker then tries to break into those
hosts that are found to be running the sadmind
service in the previous phase. The attacker needs to
execute two commands, one to "cat" an entry onto
the victim's /etc/passwd file and one to "cat" an entry
onto the victim's /etc/shadow file. The new root user's
name is 'hacker2' and hacker2's home directory is set
to be /tmp. To test whether or not a break-in was
successful, the attack script attempts a login, via
telnet, as hacker2, after each set of two break-in
attempts. When successful, the attacker's script moves
on to the next potential victim.
Phases of Attack - 3
Phase 4: Entering this phase, the attack script has built a list of
those hosts on which it has successfully installed the 'hacker2'
user. These are mill (172.16.115.20), pascal (172.16.112.50),
and locke (172.16.112.10). For each host on this list, the script
performs a telnet login, makes a directory on the victim called
"/tmp/.mstream/" and uses rcp to copy the mstream server software.
The attacker also installs a ".rhosts" file for themselves in /tmp,
so that they can rsh in to start up the binary programs. On the
first victim on the list, the attacker also installs the "master-sol"
software, which is the mstream master. After installing the
software on each host, the attacker uses rsh to start up first the
master, and then the servers. As they come up, each server
"registers" with the master that it is alive. The master writes out
a database of live servers to a file called "/tmp/.sr".
Phases of Attack - 4
Phase 5: In the final phase, the attacker manually launches the
DDOS. This is performed via a telnet login to the victim on which
the master is running, and then, from the victim, a "telnet" to port
6723 of the localhost. Port 6723/TCP is the port on which the
master listens for connections to its user-interface. After entering
a password for the user-interface, the attacker is given a prompt
at which he/she enters two commands. The command "servers"
causes the UI to list the mstream servers which have registered
with it and are ready to attack. The command "mstream
131.84.1.31 5" causes a DDOS attack, of 5 second duration,
against the given IP address to be launched by all three servers
simultaneously. The mstream DDOS consists of many, many
connection requests to a variety of ports on the victim. All
packets have a spoofed, random source IP address. The
attacker then logs out. The tiny duration was chosen so that it
would be possible to easily distribute tcpdump and audit logs of
these events, to avoid them being too large. In real life, one
might expect a DDOS of longer duration, several hours or more.
LLDDoS v 2.0.2
ADVERSARY: Novice -- scripted attack, fairly blatant
ADVERSARY_GOAL: Install components for, and
carry out, a DDOS attack
DEFENDER: Naive -- sunrpc allowed through
firewall, HINFO DNS records contain some valid host
information.
DIFFERENCES FROM VERS. 1.0:
The main difference between 2.0.2 and 1.0 is that in
2.0.2 the attacker probes for host, platform and operating
system by doing DNS HINFO queries, rather than
sweeping IPs and RPC ports, and that they break into
one host at Eyrie first, then fan out from there, rather
than attacking each host individually.
Phases of Attack v 2.0.2
Probe of mill.eyrie.af.mil, Eyrie's public DNS server, via the
HINFO query
Break-in to mill.eyrie.af.mil via the sadmind exploit
FTP upload of mstream DDoS software and attack script, to
break into more Eyrie hosts.
Initiate attack on other Eyrie hosts: Telnet to
mill.eyrie.af.mil, set up the DDoS master and initiate probing and
attack of other Eyrie hosts. Probes are via the HINFO record
query and attacks are via the sadmind exploit. Two break-ins
are attempted: robin.eyrie.af.mil (a Linux host listed as Solaris
in the HINFO; the break-in fails!) and pascal.eyrie.af.mil (the break-in
succeeds since the host is Solaris!)
Launching the DDoS: Telnet to mill, telnet to localhost port
6723, connect to the master, and launch the attack at www.af.mil.
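The phases of both scenarios leave distinct shapes in the tcpdump files, and the detectors below, as an added example that is neither part of the presentation nor of the data set's documentation, pick each shape out of tcpdump-style text lines: the one-source-to-many-hosts ICMP sweep of Phase 1, the portmapper (111/tcp) probes of the hosts found alive in Phase 2, the HINFO query that replaces the sweep in 2.0.2, and the many-spoofed-sources-to-many-ports flood of Phase 5. The input lines are constructed, not real LLDOS data: tcpdump's default text format is assumed, the attacker address 203.0.113.5 and the spoofed flood sources are made up, while the swept /24s, the three compromised hosts, the HINFO probe of mill.eyrie.af.mil and the flood target 131.84.1.31 follow the scenario text.

```python
"""Phase-level detectors for the LLDOS traffic described above, run over
constructed tcpdump-style text lines.  Added example, not the data set's
own tooling.  Assumed: tcpdump's default text format for ICMP, TCP and DNS
lines; the attacker address 203.0.113.5 and the spoofed sources are made up."""
import re
from collections import defaultdict

ICMP_RE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo request")
L4_RE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")


def parse(line):
    """Turn one tcpdump text line into a record, or None if unrecognised."""
    m = ICMP_RE.match(line)
    if m:
        ts, src, dst = m.groups()
        return {"ts": ts, "proto": "icmp-echo", "src": src, "dst": dst}
    m = L4_RE.match(line)
    if m:
        ts, src, sport, dst, dport, rest = m.groups()
        return {"ts": ts, "proto": "l4", "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport), "rest": rest}
    return None


def fan_out(records, keep, min_targets):
    """Sources that contact at least min_targets distinct hosts with packets
    satisfying keep(record): the shape of both the ICMP and the RPC sweep."""
    targets = defaultdict(set)
    for r in records:
        if keep(r):
            targets[r["src"]].add(r["dst"])
    return {s: sorted(h) for s, h in targets.items() if len(h) >= min_targets}


def ip_sweeps(records, min_hosts=20):
    """Phase 1 of LLDOS 1.0: one source echo-requesting many hosts.
    Returns {src: {"hosts": n, "subnets": [/24s touched]}}."""
    out = {}
    for src, hosts in fan_out(records, lambda r: r["proto"] == "icmp-echo",
                              min_hosts).items():
        subnets = sorted({h.rsplit(".", 1)[0] + ".0/24" for h in hosts})
        out[src] = {"hosts": len(hosts), "subnets": subnets}
    return out


def rpc_probes(records, min_hosts=3):
    """Phase 2: SYNs to the portmapper (111/tcp) on several hosts from one source."""
    def syn_111(r):
        return r["proto"] == "l4" and r["dport"] == 111 and "Flags [S]" in r["rest"]
    return {s: len(h) for s, h in fan_out(records, syn_111, min_hosts).items()}


def hinfo_probes(records):
    """LLDOS 2.0.2 reconnaissance: HINFO queries sent to DNS (53)."""
    return [(r["src"], r["rest"].split("HINFO? ")[1].split()[0])
            for r in records
            if r["proto"] == "l4" and r["dport"] == 53 and "HINFO? " in r["rest"]]


def spoofed_floods(records, min_sources=50, min_ports=20):
    """Phase 5: many SYNs at one target from many (spoofed) sources spread
    over many destination ports.  Returns {dst: {"sources": n, "ports": m}}."""
    srcs, ports = defaultdict(set), defaultdict(set)
    for r in records:
        if r["proto"] == "l4" and "Flags [S]" in r["rest"]:
            srcs[r["dst"]].add(r["src"])
            ports[r["dst"]].add(r["dport"])
    return {d: {"sources": len(srcs[d]), "ports": len(ports[d])}
            for d in srcs if len(srcs[d]) >= min_sources and len(ports[d]) >= min_ports}


def sample_lines():
    """Constructed tcpdump-style lines mimicking the scenario (not real data)."""
    att = "203.0.113.5"   # made-up attacker address
    lines = []
    for net in ("172.16.115", "172.16.114", "172.16.113", "172.16.112"):
        for h in range(1, 255):
            lines.append(f"10:01:{h % 60:02d}.000000 IP {att} > {net}.{h}: "
                         f"ICMP echo request, id 1, seq {h}, length 64")
    for host in ("172.16.115.20", "172.16.112.50", "172.16.112.10"):
        lines.append(f"10:05:00.000000 IP {att}.40000 > {host}.111: "
                     "Flags [S], seq 1, win 512, length 0")
    lines.append(f"10:06:00.000000 IP {att}.40001 > 172.16.115.20.53: "
                 "1+ HINFO? mill.eyrie.af.mil. (34)")
    for i in range(200):   # deterministic stand-in for random spoofed sources
        src = f"{(i * 37) % 223 + 1}.{(i * 59) % 256}.{(i * 91) % 256}.{i % 256}"
        lines.append(f"10:30:00.{i:06d} IP {src}.{1024 + i} > "
                     f"131.84.1.31.{(i * 13) % 1000 + 1}: Flags [S], seq 0, win 512, length 0")
    return lines


if __name__ == "__main__":
    recs = [r for r in map(parse, sample_lines()) if r]
    print("IP sweeps:", ip_sweeps(recs))
    print("RPC probes:", rpc_probes(recs))
    print("HINFO probes:", hinfo_probes(recs))
    print("Spoofed floods:", spoofed_floods(recs))
```

The telnet to port 6723 on localhost in Phase 5 is deliberately not among the detectors: it travels over the loopback interface of the host running the master, so it never appears in the inside or DMZ tcpdump files, and would have to be found in that host's audit or syslog data instead.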
Data Files
Different files for every phase
For each phase
.fulllist - ASCII
.list - ASCII
.warn - ASCII
.dump
.tcpdump-out-dump
.xml - alerts
Future Work
Analysis of Fermi Lab Data