9. 11. 2010 Network Security HardeningNetwork Security Hardening FrameworkFramework Martin Drašar drasar@ics.muni.cz 2 Problem...Problem... 3 Problem...Problem... Attacks 4 Presenation OutlinePresenation Outline Current detection methods The aspect-based detection WitchdOCtoR – the distributed bruteforcer Goals of thesis 5 Deep Packet InspectionDeep Packet Inspection Analysis of individual packets Signature-based method Very good at detecting known attacks Cannot detect anything new Does not scale well – unsuitable for multigigabit networks 6 Behavioral AnalysisBehavioral Analysis Analysis of aggregated data Looking for abnormalities in network traffic Statistical methods Time series Principal component analysis In theory – can detect unknown attacks, can reasonably detect known attacks and scales well In real life – scales well 7 The Aspect-based Detection I.The Aspect-based Detection I. Takes various traffic descriptors as an input addresses, ports, protocols, entropy, … Sources Switches Routers Probes Other methods 8 The Aspect-based Detection II.The Aspect-based Detection II. Aspect – subset of available traffic descriptors Feature of traffic n-dimensional array 9 The Aspect-based Detection III.The Aspect-based Detection III. Aspects analyzed for deviations Arbitrary methods for detection Best suited for non-linear filters detect static deviations and linear filters detect deviations in trends 10 The Aspect-based Detection IV.The Aspect-based Detection IV. Recomposition of analyzed aspects Correlation of findings in each aspect Deviations are composed and influence each other 11 The Aspect-based Detection V.The Aspect-based Detection V. Composed deviations form vector space that has areas with significantly higher values Three types of areas: Safe Suspicious Attack Attack identification Automatic Manual Heuristic 12 The Aspect-based Detection – ConclusionThe Aspect-based Detection – Conclusion Novel method for attack detection Highly parallel Fast Extensible Can incorporate other detection methods Scaling well 13 WitchdOCtoR I.WitchdOCtoR I. There is a need to test and verify the security of a network Current tools have several downsides with regards to large networks Usually not suitable for: parallel bruteforcing adaptive bruteforcing distributed attacks DDoS simulation And if so – not in one package 14 WitchdOCtoR II.WitchdOCtoR II. Main features Cooperative Scalable Platform independent Easy on resources Extensible Secure 15 Goals of the ThesisGoals of the Thesis The implementation and the evaluation of the aspect-based detection framework Preparation of a distributed deployment of the WitchdOCtoR Research of new types of silent and adaptive bruteforce methods Research of metrics allowing to identify attacks based on their proximity to an attack subspace