Password attack.


An Agent-based Bayesian Forecasting Model for Enhancing Network Security
J. PIKOULAS, W.J. BUCHANAN, Napier University, Edinburgh, UK.
M. MANNION, Glasgow Caledonian University, Glasgow, UK.
K. TRIANTAFYLLOPOULOS, University of Warwick, UK.
Hacking methods:
IP spoofing.
Packet-sniffing.
Password attack.
Sequence number prediction attacks.
Session hi-jacking attacks.
Shared library attacks.
Social Engineering attacks.
Technological vulnerability attack.
Trust-access attacks.
[Figure: IP spoofing. A computer with the allowed IP address w.x.y.z accesses the network through a network gateway; the hacker steals the allowed IP address and uses it to get into the network from the Internet (disallowed access, IP address: w.x.y.z).]
[Figure: Packet sniffing. A user logs into a remote system ('TELNET sys.com', 'Login:', 'fred_b', 'Password:', 'qwerty') without knowing the hacker is listening to all communications; the hacker listens to the TELNET connection and determines the password as it is sent as text.]
[Figure: Shared library attack. The user accesses dynamic libraries, such as WINSOCK.DLL (PC) and USER32.DLL (PC), when running an application program, and static libraries, such as WIN32API.LIB (PC) and X11.lib (UNIX), when compiling an application program. Mr Hacker tampers with the local or networked libraries and possibly receives all communications sent, or even sees a mirror of the user's screen.]
[Figure: Password attack. The hacker tries candidate passwords one after another ('Is it Apple?', 'Is it Orange?', 'Is it Banana?') against the system's repeated 'Password?' prompt.]
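The guessing loop sketched above ('Is it Apple?', 'Is it Orange?', ...) is visible to the defender as a run of failed logins from one source, so the natural countermeasure is to detect it in the authentication log. What follows is an added example, not code from the paper or the authors' system: a small detector over constructed log lines in an assumed one-line format, flagging a burst of failures from one source, a success that follows a run of failures, and one source cycling through many account names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log (not from the paper). Assumed line format:
#   <ISO timestamp> login <fail|ok> user=<name> src=<ip>
LOG = """\
2001-03-05T09:00:01 login fail user=fred_b src=198.51.100.7
2001-03-05T09:00:03 login fail user=fred_b src=198.51.100.7
2001-03-05T09:00:04 login fail user=fred_b src=198.51.100.7
2001-03-05T09:00:06 login fail user=fred_b src=198.51.100.7
2001-03-05T09:00:08 login fail user=fred_b src=198.51.100.7
2001-03-05T09:00:09 login ok user=fred_b src=198.51.100.7
2001-03-05T09:05:00 login fail user=alice src=203.0.113.9
2001-03-05T09:05:30 login fail user=bob src=203.0.113.9
2001-03-05T09:06:00 login fail user=carol src=203.0.113.9
2001-03-05T09:06:30 login fail user=dave src=203.0.113.9
2001-03-05T09:20:00 login fail user=erin src=192.0.2.44
2001-03-05T09:45:00 login fail user=erin src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) login (fail|ok) user=(\S+) src=(\S+)$")


def parse(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Turn log text into (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect(events, window=timedelta(seconds=60), max_fail=5,
           spray_users=4, spray_window=timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Sliding-window detector. Returns (kind, src, timestamp) alerts, one per kind and source.

    burst                  : >= max_fail failures from one source inside `window`
    success_after_failures : a successful login from a source with >= 3 recent failures
    spray                  : one source failing against >= spray_users distinct accounts
    Thresholds are assumptions and must be tuned to the site's own login rate.
    """
    fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    tried: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Tuple[str, str, str]] = []
    seen = set()

    def fire(kind: str, src: str, ts: datetime) -> None:
        if (kind, src) not in seen:           # report each (kind, source) once
            seen.add((kind, src))
            alerts.append((kind, src, ts.isoformat()))

    for ts, result, user, src in sorted(events):
        q = fails[src]
        while q and ts - q[0] > window:       # drop failures older than the burst window
            q.popleft()
        t = tried[src]
        while t and ts - t[0][0] > spray_window:
            t.popleft()
        if result == "fail":
            q.append(ts)
            t.append((ts, user))
            if len(q) >= max_fail:
                fire("burst", src, ts)
            if len({u for _, u in t}) >= spray_users:
                fire("spray", src, ts)
        elif len(q) >= 3:                     # the guess that finally worked
            fire("success_after_failures", src, ts)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(LOG)):
        print(alert)
```

Two failures twenty-five minutes apart (the last source in the sample) never reach any threshold, which is the behaviour a lockout rule should have for an ordinary mistyped password.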
[Figure: Social engineering, by verbal social attacks ('I'll help you access your e-mail. What's your e-mail password?'; 'Ooh. It's not working. Ah. There's a cable disconnected here. Wonder who did that? What's your login password? I'm just testing something.') or by e-mail attacks.]
E-mail Message
To: Fred
From: Sys [email protected]
Message: For System Administrative purposes, please send me your password.
Security programs:
Security enhancement software. Enhances the operating system's security.
Authentication and encryption software. Such as Kerberos, RSA, and so on.
Security monitoring software.
Network monitoring software.
Firewall software and hardware.
[Figure: Firewall. Site 1, Site 2 and Site 3 each sit behind a firewall, with monitoring software at Site 2. The firewall filters IP and TCP/UDP traffic in both directions (INCOMING: allowed/disallowed; OUTGOING: allowed/disallowed) on the fields: Protocol (TCP/UDP), Source Port, Destination Port, Source IP address, Destination IP address.]
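The filter fields listed for the firewall (protocol, source and destination port, source and destination address, taken per direction) are enough to write a small packet classifier. The following is an added example, not code from the paper: a first-match rule table with a default-deny fallback, using constructed rules and test packets on the documentation address ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet header reduced to the five fields the firewall filters on, plus direction."""
    direction: str   # "INCOMING" or "OUTGOING" relative to the protected site
    protocol: str    # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """A filter rule; None in an optional field means 'any'. Ports are inclusive (lo, hi) ranges."""
    direction: str
    protocol: Optional[str]
    src_net: Optional[str]                 # CIDR text, e.g. "192.0.2.0/24"
    src_ports: Optional[Tuple[int, int]]
    dst_net: Optional[str]
    dst_ports: Optional[Tuple[int, int]]
    action: str                            # "ALLOW" or "DENY"

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.protocol is not None and self.protocol != p.protocol:
            return False
        if self.src_net is not None and ipaddress.ip_address(p.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net is not None and ipaddress.ip_address(p.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.src_ports is not None and not (self.src_ports[0] <= p.src_port <= self.src_ports[1]):
            return False
        if self.dst_ports is not None and not (self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]):
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """First matching rule wins; returns (action, rule index). Index -1 means default-deny applied."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return "DENY", -1


# Constructed rule set for a site on 192.0.2.0/24 (an assumption, not the paper's configuration):
# 0.   never accept cleartext TELNET from outside (the packet-sniffing risk shown earlier)
# 1-2. accept web traffic to one host only
# 3.   let the site's own hosts initiate anything outbound
RULES = [
    Rule("INCOMING", "TCP", None, None, "192.0.2.0/24", (23, 23), "DENY"),
    Rule("INCOMING", "TCP", None, None, "192.0.2.10/32", (80, 80), "ALLOW"),
    Rule("INCOMING", "TCP", None, None, "192.0.2.10/32", (443, 443), "ALLOW"),
    Rule("OUTGOING", None, "192.0.2.0/24", None, None, None, "ALLOW"),
]

if __name__ == "__main__":
    for pkt in [Packet("INCOMING", "TCP", "198.51.100.7", 40000, "192.0.2.10", 80),
                Packet("INCOMING", "TCP", "198.51.100.7", 40001, "192.0.2.10", 23),
                Packet("INCOMING", "UDP", "198.51.100.7", 40002, "192.0.2.10", 53)]:
        print(pkt.protocol, pkt.dst_ip, pkt.dst_port, "->", evaluate(RULES, pkt))
```

Because evaluation stops at the first match, the order of the rules is part of the policy: the TELNET deny is placed before the allows so that no later, broader allow can reopen the port.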
[Figure: Encryption and authentication, and security enhancement of the operating system (Site 1). The user's public key is used to encrypt data (INFO → ENCR, encrypted data) and the user's private key is used to decrypt data (ENCR → INFO).]
Problems with existing security methods:
Centralized. They tend to be based on a central server, which can become the target of an attack.
No real-time response. They tend not to be able to respond to events as they occur, and rely on expert filtering.
No ability to foresee events.
Denial-of-service. Many external accesses eventually reduce the accessibility of the server: such as with Yahoo.com, eBay, Amazon, CNN, ZDNet and Excite (Feb 2000).
[Figure: Centralized security can lead to attacks as the central resource (central storage, central server, firewall) becomes the focus of attacks.]
Financial losses (2000/01):
1. Virus (70%).
2. Net abuse (45%).
3. Laptop theft (45%).
4. Denial of service (21%).
5. Unauthorized access (16%).
6. System penetration (14%).
7. Sabotage (12%).
Agent-based distributed security system:
Agents work independently from the server. This reduces the workload on the server, and also the dependency on it.
Agents download the user profile from the server. The agents can then learn the profile of the user and update it when they log out.
Agents can be responsible for security.
[Figure: Centralized versus distributed agent-based security. Agent-based distributed security system with forecasting: the core holds the user profiles; the core agent sends forecasting information to the user agent; the agent monitors current usage and compares usage with the forecast, reporting any changes in behaviour; when the user logs off, the user agent updates the forecasting model and returns the updated model to the user profile.]
Agent environment topology:
Sensor. Monitors software applications.
Transmitter. Sends information to the server.
Profile reader. Reads the user's historical profile.
Comparator. Compares the user's history with the information read by the sensor.
[Figure: Agent components: GUI, communication threads, core connection engine, predictor, sensor, profile reader, comparator, transmitter.]
Traditional method of forecasting against Bayesian forecasting
Traditional method of generating a user profile for applications: usage over each login period is averaged over the user's logins (t) into a new user profile.
✗ Requires large amounts of storage
✗ Gaps in data reduce prediction
Forecasting method of generating a user profile for applications: the current forecasted model and the current user profile are combined (t) into a new user profile.
✓ Less storage
✓ Faster processing
Prediction model:
Observation stage. In this stage the model is monitoring the user and records its behaviour.
Evaluation stage. In this stage the model makes a prediction and also monitors the user's actual movements and calculates the result. This stage is critical, because the model modifies itself according to the environment that it operates in.
One-step prediction. In this stage the model makes a single-step prediction. For example, assume that the user has logged in 15 times and the model is configured, and it is ready to start predicting user moves. Instead of making a five- or ten-step prediction, like other mathematical models, our model makes a prediction for the next step. When the user logs in and out of our model, it takes the actual behaviour of the user, compares it with the one-step prediction that it has performed before and calculates the error. So the next time a prediction is made for this user it will also include the data of the last user behaviour. With this procedure we maximise the accuracy of the prediction system.
[Figure: Bayesian method (parameters d, b). Application usage (%) against time unit (i); a window of size n is stored when the user logs off; z is the prediction number. Sample parameters: n = 15, z = 5, time unit = 1 hour.]
Forecasting calculation
Prediction parameters:
n – window size.
z – prediction number.
t – time unit.
[Figure: Bayesian method (parameters d, b), as above: application usage (%) against time unit (i), a window of size n stored when the user logs off, prediction number z. Sample parameters: n = 15, z = 5, t = 1 hr.]
Intervention
Additional exceptional data w_t (varies the sensitivity of the system). Useful in responding to exception data, such as when there is not enough data about a user.
[Figure: Bayesian method (parameters d, b) with intervention w_t: application usage (%) against time unit (i), a window of size n stored when the user logs off. Sample parameters: n = 15, z = 5, time unit = 1 hour.]
[Figure: Prediction for Application 1 (using model). Invasion time (hours), 0.05 to 0.5, against time (hours), 1 to 20; a learning phase followed by the phase using the prediction model, plotted against real observations. Parameters: n = 15, z = 5, time unit = 1 hour.]
[Figure: Prediction for Application 1 (using ARIMA). Same axes and parameters; a learning phase followed by the phase using the ARIMA model, plotted against real observations.]
Experimental specification
Experiments on the user profile: variation of prediction window (1 to 100); variation of window size (10 to 500); variation of time unit (10 min to 1 hour). Measure: quality of prediction (variance vector). Comparison against ARIMA on the same measure.
[Figure: Bayesian method (parameters d, b) with intervention w_t (additional exceptional data, varies the sensitivity of the system); application usage (%) under the varied prediction window, window size and time unit.]
Bayesian mathematics:
Observation and evolution equations of the dynamic linear model:
$Y_t = F_t' \theta_t + v_t, \quad v_t \sim N[0, V_t],$
$\theta_t = G_t \theta_{t-1} + w_t, \quad w_t \sim N[0, W_t].$
For the multivariate case, $Y_t = F_t' \Theta_t + v_t, \quad v_t \sim N[0, \Sigma]$.
As we see in the following equation we introduce a parameter matrix $\Theta_t$, a random matrix with left variance matrix $C_t$ and right variance matrix $\Sigma$:
$\Theta_t = \Theta_{t-1} + \Omega_t.$
$m_0$: The mean of the influence of $\theta_1$, $Y_1$ from $D_0$, our initial information.
$C_0$: Dispersion of the above influence.
$S_0$: No meaning, and is an auxiliary quantity for $S_t$.
$n_0$: No meaning, and is an auxiliary quantity for $n_t$.
$b$: Factor of the influence of the data on the estimate $S_t$.
$d$: Factor of the influence of the data on the estimate $m_t$.
$F_t$: A basic quantity that expresses the linearity of the model and gives different trends to the several values of $Y_t$, both for time series analysis (what has happened in the past) and forecasting (what will happen in the future).
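The one-step prediction cycle described under the prediction model (forecast, observe, compute the error, update, keep only the model when the user logs off) and the quantities defined here ($m_0$, $C_0$, $S_0$, $n_0$, the factors $d$ and $b$, and an intervention variance $w_t$) can be carried through in the simplest member of this model class: the steady model with $F_t = G_t = 1$ and the discount-factor recursions of West and Harrison. The block below is an added example, not the authors' code, serving both passages: a univariate steady DLM whose agent compares each hourly usage reading with its forecast and flags a standardised error above a threshold. The prior values, the discount factors, the threshold and the usage series are all constructed.

```python
from dataclasses import dataclass
from math import sqrt
from typing import List, Tuple


@dataclass
class SteadyDLM:
    """First-order polynomial DLM: Y_t = theta_t + v_t,  theta_t = theta_{t-1} + w_t.

    m, C : posterior mean and variance of theta_t (m0, C0 are the starting values)
    S, n : running estimate of the observation variance and its degrees of freedom
    d    : discount on C, i.e. how strongly the data move the estimate m_t
    b    : discount on n, i.e. how strongly the data move the estimate S_t
    """
    m: float = 0.2      # m0: assumed prior mean of application usage (fraction of the hour)
    C: float = 0.01     # C0: dispersion of that prior
    S: float = 0.005    # S0: auxiliary start value for S_t
    n: float = 1.0      # n0: auxiliary start value for n_t
    d: float = 0.9
    b: float = 0.95

    def forecast(self, intervention: float = 0.0) -> Tuple[float, float]:
        """One-step forecast (f_t, Q_t); `intervention` adds exceptional evolution variance w_t."""
        R = self.C / self.d + intervention
        return self.m, R + self.S

    def update(self, y: float, intervention: float = 0.0) -> float:
        """Absorb observation y and return the standardised one-step error e_t / sqrt(Q_t)."""
        R = self.C / self.d + intervention
        f, Q = self.m, self.C / self.d + intervention + self.S
        e = y - f
        A = R / Q                                   # adaptive coefficient
        n_new = self.b * self.n + 1.0               # variance learning with discount b
        S_new = (self.b * self.S * self.n + self.S * e * e / Q) / n_new
        self.m = f + A * e
        self.C = A * S_new                          # equals (S_new / S_old) * (R - A^2 Q)
        self.S, self.n = S_new, n_new
        return e / sqrt(Q)

    def forecast_ahead(self, z: int) -> List[Tuple[float, float]]:
        """z-step-ahead forecasts (f, Q); the level stays m but the uncertainty grows with k."""
        W = self.C * (1.0 - self.d) / self.d        # evolution variance implied by the discount
        return [(self.m, self.C + k * W + self.S) for k in range(1, z + 1)]


def run_agent(observations, threshold: float = 3.0, intervention_steps=frozenset()):
    """Feed a window of usage readings through the model one step at a time, as the agent would.
    Returns (indices flagged, standardised errors, final model); the final model is the only
    state that needs to be stored when the user logs off."""
    model = SteadyDLM()
    alerts, errs = [], []
    for i, y in enumerate(observations):
        h = 0.05 if i in intervention_steps else 0.0   # extra w_t where exceptional data is expected
        s = model.update(y, intervention=h)
        errs.append(s)
        if abs(s) > threshold:
            alerts.append(i)
    return alerts, errs, model


# Constructed series: hourly fraction of time spent in "Application 1", quiet for ten
# hours and then an abrupt jump that the comparator should report as a change in behaviour.
USAGE = [0.20, 0.21, 0.19, 0.20, 0.22, 0.20, 0.21, 0.20, 0.19, 0.21, 0.90]

if __name__ == "__main__":
    alerts, errs, model = run_agent(USAGE)
    print("flagged hours:", alerts)
    print("state to store at log-off:", model)
    print("next 5 forecasts (f, Q):", model.forecast_ahead(5))
```

The steady state of these recursions is what the slides call "less storage": whatever the window size n, the agent carries forward four numbers (m, C, S, n) rather than the raw usage history, and an intervention is simply an increase of the prior variance R_t for one step.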
Conclusions:
Fast and simple model. It requires less preparation than other models.
Provides good prediction results.
Requires very little storage of user activity.
Small increase in CPU processing. Only a 1-2% increase in CPU processing has been measured.
Model learns with very few initial settings. Other models require some initial parameter settings to make them work well.