Hybrid Intelligent Systems for Detecting Network

Network Programming and Network Security
Lane Thames
Graduate Research Assistant
Outline for Today
Discuss Network security and how it relates to network programming.
After the presentation, we will go to DNAL to tour our data center. Then we are going to hack some computers :>)
Network Programming
What is the Goal?
Sending data to and from hosts via TCP/IP over a network.
[Diagram: Client—Server, Source—Sink, hosts A, B, C]
Information Security
NETWORK SECURITY (data flowing thru the network): Firewall, IDS, IPSEC (VPN), Encryption….
COMPUTER SECURITY (data on a machine): Firewall, Virus Protection, Encryption…
Definitions
Virus?
Passive malware that is embedded within a program. It will not execute on its own; you have to run the “host” program. After being activated, it attempts to spread to other programs and hosts (usually via email).
Definitions
Worm?
Active malware that can spread on its own using a network. It takes advantage of some exploit (usually an anomaly known as a buffer overflow).
The Infamous Buffer
So, how does a worm take advantage of an exploit?
send(sockfd,&buffer,sizeof(buffer),0);
recv(sockfd,&buffer,sizeof(buffer),0);
What if the receiving buffer keeps getting data added beyond its boundary?
OVERFLOW—data beyond the boundary is overwritten, which causes problems.
Common Types of Computer Attacks
Buffer Overflow Attacks—used for local and remote root exploits
The ultimate goal is to redirect program control flow, which causes the computer to execute carefully injected malicious code (example to follow).
Code can be crafted to elevate the privileges of a user by obtaining super user (root) privileges (demo in the lab afterwards).
Note: These exploits can create a “propagation medium” for worms.
Common Types of Attacks
Denial of Service (DoS)
Exhaust a computer’s resources: e.g. TCP SYN flooding attack (3-way handshake exploit).
Consume a computer’s available networking bandwidth: e.g. ICMP Smurf Attack (IP spoofing and ICMP).
TCP SYN Flooding Attack—what happens?
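What the SYN flood slide depicts is a server left holding many half-open connections: SYNs arrive, the server answers with SYN-ACK, and the final ACK never comes. A monitor can see that from traffic alone. The following is an added example, not part of the talk or the DNAL monitoring setup: it assumes a constructed per-packet log line format ("<src> <dst> <flags>", with flags S, SA or A) and counts, per destination, the SYNs that were never completed by an ACK from the same client.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FLOWS 128
#define ADDR_LEN 16

/* One tracked handshake: who sent a SYN to whom, and whether the same
   source later completed it with an ACK. */
struct flow {
    char src[ADDR_LEN];
    char dst[ADDR_LEN];
    int completed;
};

/* Constructed sample log, not a real capture. Format: "<src> <dst> <flags>"
   where flags are S (SYN), SA (SYN-ACK) or A (ACK). */
static const char *const sample_log[] = {
    "10.0.0.2 192.168.1.10 S",
    "192.168.1.10 10.0.0.2 SA",
    "10.0.0.2 192.168.1.10 A",      /* legitimate client, handshake completed */
    "172.16.9.1 192.168.1.10 S",
    "172.16.9.2 192.168.1.10 S",
    "172.16.9.3 192.168.1.10 S",
    "172.16.9.4 192.168.1.10 S",
    "172.16.9.5 192.168.1.10 S",    /* five SYNs that are never acknowledged */
    "10.0.0.7 192.168.1.20 S",
    "192.168.1.20 10.0.0.7 SA",
    "10.0.0.7 192.168.1.20 A",
};
static const int sample_log_len = (int)(sizeof(sample_log) / sizeof(sample_log[0]));

static struct flow *find_flow(struct flow *t, int n, const char *src, const char *dst)
{
    for (int i = 0; i < n; i++)
        if (strcmp(t[i].src, src) == 0 && strcmp(t[i].dst, dst) == 0)
            return &t[i];
    return NULL;
}

/* Count SYNs sent to `victim` that were never followed by an ACK from the
   same client: the half-open connections a SYN flood leaves behind. */
int count_half_open(const char *const *lines, int n, const char *victim)
{
    struct flow table[MAX_FLOWS];
    int used = 0;
    char src[ADDR_LEN], dst[ADDR_LEN], flags[4];

    for (int i = 0; i < n; i++) {
        if (sscanf(lines[i], "%15s %15s %3s", src, dst, flags) != 3)
            continue;                               /* skip malformed lines */
        struct flow *f = find_flow(table, used, src, dst);
        if (strcmp(flags, "S") == 0) {
            if (f == NULL && used < MAX_FLOWS) {    /* new handshake attempt */
                snprintf(table[used].src, ADDR_LEN, "%s", src);
                snprintf(table[used].dst, ADDR_LEN, "%s", dst);
                table[used].completed = 0;
                used++;
            }
        } else if (strcmp(flags, "A") == 0 && f != NULL) {
            f->completed = 1;                       /* third step of the handshake */
        }
    }

    int half_open = 0;
    for (int i = 0; i < used; i++)
        if (!table[i].completed && strcmp(table[i].dst, victim) == 0)
            half_open++;
    return half_open;
}

/* Simple alarm: more half-open connections toward one host than a threshold. */
int looks_like_syn_flood(const char *const *lines, int n, const char *victim, int threshold)
{
    return count_half_open(lines, n, victim) >= threshold;
}

int main(void)
{
    printf("192.168.1.10 half-open: %d\n", count_half_open(sample_log, sample_log_len, "192.168.1.10"));
    printf("192.168.1.20 half-open: %d\n", count_half_open(sample_log, sample_log_len, "192.168.1.20"));
    return 0;
}
```

The threshold is an assumed tuning knob; in practice it is set from the normal rate of half-open connections on the monitored host, and a windowed version of this count is what a monitor would feed into a classifier like the one described later in the talk.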
ICMP Smurf Attack
[Diagram: Master, Subnet Slaves, Victim; spoof IP with the IP of the Victim]
Why will this program crash?
Buffer Overflow—Stack Image
[Stack image: buf | SFP | Return Address | *str = buffer | Rest of Stack]
Overflow buf with *str so that the Return Address (RA) is overwritten.
If carefully designed, the RA is overwritten with the address of the injected code (contained in the *str input—shell code).
Buffer Overflow
After running the program on XP we get the famous Microsoft alert. In Linux you get “Segmentation Fault”.
Buffer Overflow—Exception Info
Buffer Overflow—Stack Trace
So, How does the worm work (in a nutshell)?
Programmer finds a flaw in a program, i.e. a server using a buffer where length is not checked.
Calculate the approximate return address for the given machine.
Create a buffer that holds copies of the desired address, followed by a NOP (No Operation code) sled, and then followed by the code to be executed, and create the code needed to send the buffer to servers running the flawed program.
The code injected into the buffer is a replica of the original program.
Generic Example
[Diagram: buf 0xbfffff00 | Return Address 0xbfffff00 | buffer 0xbfffff00 | data | NOP sled | data | Replication code]
What are we doing in Network Security?
Created a Honeynet—a network of computers waiting to be hacked.
Network Monitoring—monitor the Honeynet with packet sniffers, traffic monitors, and host-based monitoring software.
Artificial Intelligence Classifier—make intelligent security decisions based on the data collected by the monitors.
The Network Setup
AI Classifier—Hybrid System Architecture
[Block diagram with components: Init. Train. Data, Bayesian/SOM Classifier, Monitored Data, SOM Training, Modified Data, IDS, Struct. Developer, Struct. File, Processed Data, Bayesian Trainer, Classification File]
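The diagram names a Bayesian trainer that turns processed monitor data into a classification file, but the slides do not show how the classifier itself works. The following is an added example, not the project's code and not the SOM half of the hybrid: a naive Bayes classifier in C with add-one smoothing, over three assumed binary features per connection record (handshake left half-open, source over a rate threshold, payload a single repeated byte) and a small constructed training set labelled normal or attack.

```c
#include <stdio.h>

#define NFEAT 3      /* binary features per record (assumed, see comments) */
#define NCLASS 2     /* 0 = normal, 1 = attack */

/* Assumed features, as a monitor might derive them from the collected data:
   f0: handshake left half-open, f1: source exceeded a rate threshold,
   f2: payload was one long run of the same byte. */

/* Constructed training set, not data from the honeynet. */
static const int train_x[][NFEAT] = {
    {0,0,0}, {0,0,0}, {0,1,0}, {0,0,1}, {1,0,0}, {0,0,0},   /* normal */
    {1,1,0}, {1,1,1}, {1,0,1}, {1,1,0}, {0,1,1}, {1,1,1},   /* attack */
};
static const int train_y[] = { 0,0,0,0,0,0, 1,1,1,1,1,1 };
#define TRAIN_N ((int)(sizeof(train_y) / sizeof(train_y[0])))

struct nb_model {
    double prior[NCLASS];          /* P(class) */
    double p1[NCLASS][NFEAT];      /* P(f_i = 1 | class) */
};

/* Estimate priors and per-feature likelihoods. Add-one (Laplace) smoothing
   keeps a feature value never seen in training from zeroing a class out. */
void train_model(struct nb_model *m, const int (*x)[NFEAT], const int *y, int n)
{
    int class_n[NCLASS] = {0};
    int ones[NCLASS][NFEAT] = {{0}};

    for (int i = 0; i < n; i++) {
        class_n[y[i]]++;
        for (int f = 0; f < NFEAT; f++)
            ones[y[i]][f] += x[i][f];
    }
    for (int c = 0; c < NCLASS; c++) {
        m->prior[c] = (double)class_n[c] / n;
        for (int f = 0; f < NFEAT; f++)
            m->p1[c][f] = (ones[c][f] + 1.0) / (class_n[c] + 2.0);
    }
}

/* Pick the class with the largest prior * product of feature likelihoods.
   With only three features plain products are safe from underflow. */
int classify(const struct nb_model *m, const int *x)
{
    int best = 0;
    double best_score = -1.0;

    for (int c = 0; c < NCLASS; c++) {
        double s = m->prior[c];
        for (int f = 0; f < NFEAT; f++)
            s *= x[f] ? m->p1[c][f] : 1.0 - m->p1[c][f];
        if (s > best_score) {
            best_score = s;
            best = c;
        }
    }
    return best;
}

/* Convenience: train on the built-in constructed set, then classify one record. */
int classify_record(int half_open, int high_rate, int byte_run)
{
    struct nb_model m;
    int x[NFEAT] = { half_open, high_rate, byte_run };
    train_model(&m, train_x, train_y, TRAIN_N);
    return classify(&m, x);
}

int main(void)
{
    printf("half-open + high rate + byte run -> %d\n", classify_record(1, 1, 1));
    printf("quiet connection                 -> %d\n", classify_record(0, 0, 0));
    printf("single half-open, nothing else   -> %d\n", classify_record(1, 0, 0));
    return 0;
}
```

On this training set a lone half-open handshake is still classified as normal (the prior and the other two features outweigh it), while half-open plus a high source rate tips the record to attack, which is the kind of combined evidence the monitors in the diagram are there to supply.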
Related Grad Classes
ECE 6607—Computer Communication Networks (Dr. Abler)
ECE 6612—Network Security (Dr. John Copeland) (Real time hacking competition)
ECE 8833—Intelligent Systems (Dr. Ashraf Saad)
Questions?
Want to go hack a computer and see some of this stuff in action?