Network Security Analytics PDF
Idris Adjerid
Summary
This presentation covers various aspects of network security. It details different types of network attacks, including Ping of Death and SYN flooding, along with methods for network intrusion. The key concepts of DNS and its security vulnerabilities are thoroughly explained.
Full Transcript
Networking & Security
Idris Adjerid

Network Attacks

Ping of Death

SYN Flooding
Recall the normal handshaking process. (Source: Wikimedia Commons)

SYN Flooding
– When the server receives the first SYN, it makes an entry in its state table reflecting the half-open connection.
– The table is updated as the SYN/ACK and ACK occur.
– The entry persists until the FIN, FIN/ACK, ACK teardown is complete.
– What happens if a system doesn’t complete the handshake?

SYN Flooding
(Diagram; source: Wikimedia Commons)

Statistical Network Attacks

Domain Name System (DNS)
– DNS translates host names to IP addresses.
– It’s far easier to remember www.vt.edu than 129.74.12.51!
– Hierarchical database structure (figure: the root DNS servers above the com, org and edu DNS servers, which sit above the DNS servers for pbs.org, mit.edu, vt.edu, yahoo.com and amazon.com; source: Jörg Liebeherr).

Types of Name Servers
Two main types of servers:
– Authoritative: maintains the data. Master, where the data is edited; slave, where the data is replicated to.
– Caching: stores data obtained from an authoritative server.
No special hardware necessary.

Name Server Architecture
You can think of a name server as part database server (answering queries about the parts of the name space it knows about, i.e. is authoritative for), part cache (temporarily storing data it learns from other name servers), and part agent (helping resolvers and other name servers find data).

DNS Poisoning
– Recall that DNS provides IP address ↔ hostname mappings.
– Essential to the operation of the Internet.
– What if you can inject false information into an organization’s DNS server? e.g. trick VT’s DNS server into thinking that you are bankofamerica.com.

DNS Poisoning
– Dan Kaminsky announced a major flaw in DNS at BlackHat 2008.
– Depends upon transaction ID guessing, and referral records.
– Basically, trick the server into thinking that you are the authoritative source for arbitrary addresses.

How it Works (Source: Steve Friedl)
Step 1 — Bad guy sends a DNS query to the victim nameserver for the hostname it wishes to hijack.
Step 2a — Knowing that the victim will shortly be asking ns1.bankofsteve.com (as directed from the root/GTLD servers) for an IP address, the bad guy starts flooding the victim with forged DNS reply packets. All purport to be from ns1.bankofsteve.com, but include the answer with the IP of badguy's fraudulent webserver.
Steps 2b & 3 — Root/GTLD servers provide referral to ns1.bankofsteve.com. This may be multiple queries, but we're showing just one for simplicity.
Step 4 — victim nameserver asks ns1.bankofsteve.com for the IP address of www.bankofsteve.com, and it uses query ID 1001 (one higher than the previous query).
Step 5 — the real nameserver provides a legitimate response to this query, with QID=1001. But if the bad guy has successfully matched the query ID in the step 2a flood, this legal reply arrives too late and is ignored. Oops.
Step 6 — With the bogus IP address (of the bad guy's webserver) in cache it provides this poisoned answer to the requesting DNS client. Boom.
Step 7 (not illustrated) — future DNS clients asking for www.bankofsteve.com will receive the same fraudulent answer.

Wireless Security

In the News
– One card accidentally associated with Newbury Network's unsecured access point every 90 seconds.
– Sixty-seven percent of the 1,008 wireless networks found near Madison Square Garden had no encryption enabled.

In the News
– Aetna, Coca Cola, DKNY, Olympus, Applebee's, Burger King, the New York State of Appeals, the New York Film Academy, Columbia University, New York University's Stern School of Business, and Starbucks.

Why Should We Care? (Source: David Wagner, UC Berkeley)

Medical Device Hacking

Hacking Insulin Pumps
– Insulin pump: a small computer that controls the flow of insulin into the wearer’s body.
– Jay Radcliffe, at BlackHat, demonstrated an attack: able to remotely control this pump from half a mile away; possible to increase/decrease the dose to fatal levels.

How Did He Do It?
– The pump has a wireless command link, intended to link with the blood glucose monitoring system.
– The command link uses the device serial number for authentication.
– Uses “simple, proprietary encryption”, and “requires no password”.

What Does the Manufacturer Say?
“In the reported instance, the researcher had in-depth knowledge about the product he tampered with, such as the serial number of both the insulin pump and remote device, and he TURNED ON the wireless feature. Additionally, he had access to specialized equipment which he used to rebroadcast the RF signal in a controlled environment.”
Is that good enough for you? Would you wear one?

That’s not all, of course
In 2008, US researchers at the Medical Device Security Center demonstrated that the unencrypted pacemaker control radio signal can be hijacked, allowing an attacker to:
– Turn it off
– Use it to shock the user’s heart

Wireless Networking
– WiFi (Wireless Fidelity) networking is governed by the IEEE 802.11 standard.
– Uses plaintext Service Set Identifiers (SSIDs) to identify available networks, sent out using a “beacon”.
– The SSID doesn’t have to be broadcast.

Disable SSID Broadcast

A Typical Wifi Network

The Problem: Security!
Wireless networking is just broadcast radio communication, hence anyone with the right radio can eavesdrop and inject traffic.

Firesheep
– Browser plugin that steals session cookies.
– Attacks sites that don’t use SSL.
– Very easy over unencrypted Wifi. Why?

Wireless Encryption Options
– No encryption
– Wired Equivalent Privacy (WEP)
– WiFi Protected Access (WPA2): Pre-shared Key, or Enterprise (RADIUS) for organizations

Wired Equivalent Privacy (WEP)
Two key options:
– 40-bit key (or WEP-64)
– 104-bit key (or WEP-128)
Both use the RC4 stream cipher. Both use a 24-bit cleartext initialization vector (IV): 24 bits = 2^24 = 16,777,216 possibilities.

Hacking WEP #1
– Capture encrypted network traffic and store the IVs as they fly by.
– Eventually, IVs will be reused.
– Capture enough duplicates and you can reverse-engineer the WEP key.
– Takes a long time.

Hacking WEP #2
– Another attack relies upon the fact that some IVs are inherently weak, maybe one out of every 500 packets.
– Each one can reveal a part of the WEP key.
– Piece together the key using 500-1,000 weak IVs.

Kismet (Source: SecurityFocus.com)

Hacking WEP #3
– August 2004: KoreK releases a WEP statistical analysis attack.
– Doesn’t depend upon weak IVs, but rather on the number of unique IVs: around 200,000 for WEP-64, around 500,000 for WEP-128.
– For a network with average traffic load, the FMS attack would need roughly 40 days to find the key (4 million packets needed), whereas KoreK's attacks, together with stimulation of the network load, reduce this time to under 15 minutes (325,000 packets needed) for a 128-bit key (104-bit secret key).

Aircrack (Source: SecurityFocus.com)

WiFi Protected Access (WPA)
– Fixes the problems inherent in WEP.
– Still uses RC4 with a 128-bit key, but adds the Temporal Key Integrity Protocol (TKIP).

Why WPA2
– Strong encryption
– No current easy attacks
– Supported universally on modern hardware
– Prevents sniffing

So, how many people take these simple precautions?

Oh Wait
– 4-10 hours to break the PIN.
– Linksys, Belkin, Buffalo, Netgear, TP-Link, ZyXEL, and Technicolor.
– How…? Uses the vulnerable Wi-Fi Protected Setup (WPS) tied to the router PIN. When a PIN request fails, the message sent back to the wireless device reveals whether the first half of the PIN is correct. The last number of the PIN is a checksum for the rest of the PIN. Takes 11,000 guesses.

When there’s only unsecure Wifi
– Use HTTPS Everywhere
– Use a VPN
– Be careful what you browse and access

KDD Data – Anomaly Detection
https://www.tensorflow.org/datasets/catalog/kddcup99

KDD Example Data Analysis

Attack | Description
DOS    | Utilizes resources of the target entity
R2L    | Unauthorized remote access
U2R    | Escalate privilege for the attacker
Probe  | Seeks out vulnerabilities on the target

Uses neural networks (a common deep learning approach): the Long Short-Term Memory (LSTM) method.

What is artificial intelligence?
Artificial intelligence is the ability of a computer to perform tasks commonly associated with intelligent beings. (Source: Lecture 1: Introduction to deep learning (CSC, Prace))

What is machine learning?
Machine learning is the study of algorithms that learn from examples and experience instead of relying on hard-coded rules, and make predictions on new data. (Source: Lecture 1: Introduction to deep learning (CSC, Prace))

What is deep learning?
Deep learning is a subfield of machine learning focusing on learning data representations as successive layers of increasingly meaningful representations. (Source: Lecture 1: Introduction to deep learning (CSC, Prace))

Image from https://blogs.nvidia.com/blog/2016/07/29/whats-difference-artificial-intelligence-machine-learning-deep-learning-ai/ (Source: Lecture 1: Introduction to deep learning (CSC, Prace))

“Traditional” machine learning: handcrafted features → learned classifier → “cat”.
Deep, “end-to-end” learning: learned low-level features → learned mid-level features → learned high-level features → learned classifier → “cat”. (Source: Lecture 1: Introduction to deep learning (CSC, Prace))

Results

Questions?
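The SYN Flooding slides ask what happens when a client never completes the handshake. The following added example (not from the lecture) models the server's state table with constructed event traces, and adds the two usual defensive pieces: a half-open timeout and a backlog-threshold alert; all names and thresholds are this example's own.

```python
"""Server-side TCP state table under normal traffic and under a SYN flood.

Each SYN creates a half-open entry (SYN_RECEIVED); the final ACK moves it to
ESTABLISHED and a FIN removes it (teardown simplified to a single event). A SYN
flood never sends the ACK, so entries pile up. A half-open timeout reclaims
stale entries (mitigation) and a backlog threshold raises alerts (detection)."""
from dataclasses import dataclass


@dataclass
class Entry:
    state: str       # "SYN_RECEIVED" (half-open) or "ESTABLISHED"
    seen_at: float   # time the SYN arrived, used by the timeout


def process(events, backlog=64, half_open_timeout=3.0):
    """events: (time, client, flag) tuples, flag in SYN/ACK/FIN, in time order.
    Returns (state table, alerts); an alert is (time, half-open count)."""
    table, alerts = {}, []
    for t, client, flag in events:
        stale = [c for c, e in table.items()
                 if e.state == "SYN_RECEIVED" and t - e.seen_at > half_open_timeout]
        for c in stale:
            del table[c]                               # mitigation: expire half-open
        if flag == "SYN":
            table[client] = Entry("SYN_RECEIVED", t)   # server sends SYN/ACK, waits
        elif flag == "ACK" and client in table:
            table[client].state = "ESTABLISHED"        # handshake completed
        elif flag == "FIN":
            table.pop(client, None)                    # teardown complete
        half_open = sum(e.state == "SYN_RECEIVED" for e in table.values())
        if half_open > backlog:
            alerts.append((t, half_open))              # detection: backlog exceeded
    return table, alerts


def normal_traffic():
    """Constructed trace: one client completing the handshake and tearing down."""
    return [(0.0, "10.0.0.5:40001", "SYN"), (0.1, "10.0.0.5:40001", "ACK"),
            (5.0, "10.0.0.5:40001", "FIN")]


def syn_flood(n=200, start=1.0):
    """Constructed trace: n SYNs in one second from sources that never ACK."""
    return [(start + i / n, f"198.51.100.{i % 250}:{50000 + i}", "SYN")
            for i in range(n)]


if __name__ == "__main__":
    table, alerts = process(sorted(normal_traffic() + syn_flood()))
    print(f"{len(alerts)} alerts, peak half-open {max(a[1] for a in alerts)}, "
          f"{len(table)} entries left after the timeout")
```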
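The "How it Works" steps show why a resolver must not accept a reply on the transaction ID alone. This added example (not from the lecture or Steve Friedl's write-up) models the resolver side only: the three checks a reply must pass (QID, UDP port, and a simplified "bailiwick" check that the answer lies in the zone the queried server is authoritative for) and the size of the (QID, port) space an off-path sender would have to cover. The Resolver class, weak_2008_resolver() and the IP addresses are constructed; bankofsteve.com and QID 1001 come from the slide.

```python
"""Resolver-side validation of DNS replies, modelled on the steps above."""
import secrets

QID_VALUES, PORT_VALUES = 65536, 64512   # 16-bit QID; ephemeral ports 1024-65535


class Resolver:
    def __init__(self, random_qids=True, random_ports=True):
        self.random_qids, self.random_ports = random_qids, random_ports
        self.pending = {}     # (qid, port) -> (qname, zone) of an outstanding query
        self.cache = {}       # name -> ip, filled only by accepted replies
        self.rejected = 0     # replies matching no pending query: poisoning signal
        self.next_qid = 1000  # weak mode: sequential IDs (the slide's 1000, 1001, ...)

    def send_query(self, qname, zone):
        """Record a query sent to the zone's authoritative server; returns (qid, port)."""
        qid = secrets.randbelow(QID_VALUES) if self.random_qids else self.next_qid
        self.next_qid += 1
        port = 1024 + secrets.randbelow(PORT_VALUES) if self.random_ports else 53
        self.pending[(qid, port)] = (qname, zone)
        return qid, port

    def receive_reply(self, qid, port, name, ip):
        """Accept and cache a reply only if it passes all three checks."""
        entry = self.pending.get((qid, port))
        if entry is None:
            self.rejected += 1                     # no matching query: drop it
            return False
        qname, zone = entry
        if name != zone and not name.endswith("." + zone):
            self.rejected += 1                     # out of bailiwick: drop it
            return False
        del self.pending[(qid, port)]
        self.cache[name] = ip
        return True

    def guess_space(self):
        """(QID, port) pairs an off-path sender must cover to hit one query."""
        return ((QID_VALUES if self.random_qids else 1)
                * (PORT_VALUES if self.random_ports else 1))


def weak_2008_resolver():
    """Sequential QIDs on a fixed port: the configuration the attack relied on."""
    return Resolver(random_qids=False, random_ports=False)
```

Real resolvers apply the bailiwick check to every record in the answer, authority and additional sections, which is what neutralises the referral-record part of the attack; the single-name check here is a simplification.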
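"Hacking WEP #1" rests on the 24-bit IV eventually repeating. This added example (not from the lecture) puts numbers on that using the birthday bound: how likely a repeat is after n frames, how many frames reach a given probability, and how long a sequentially stepped IV takes to wrap; the function names and the frame rate are this example's own choices.

```python
"""Birthday-bound arithmetic for WEP's 24-bit initialization vector."""
import math
import random

IV_SPACE = 2 ** 24   # 16,777,216 possible IVs, the figure on the WEP slide


def p_repeat(n, space=IV_SPACE):
    """Probability that at least one IV value repeats among n random IVs.
    Computed in log space as 1 - prod(1 - i/space) to avoid underflow."""
    if n > space:
        return 1.0
    return 1.0 - math.exp(sum(math.log1p(-i / space) for i in range(n)))


def frames_for_probability(p, space=IV_SPACE):
    """Smallest frame count n with p_repeat(n) >= p. Starts from the
    approximation n ~ sqrt(2 * space * ln(1/(1-p))) and adjusts exactly."""
    assert 0 < p < 1
    n = max(1, int(math.sqrt(2 * space * math.log(1 / (1 - p)))))
    while p_repeat(n, space) < p:
        n += 1
    while n > 1 and p_repeat(n - 1, space) >= p:
        n -= 1
    return n


def expected_collisions(n, space=IV_SPACE):
    """Expected number of colliding frame pairs among n frames: C(n,2)/space."""
    return n * (n - 1) / 2 / space


def seconds_to_wrap(frames_per_second, space=IV_SPACE):
    """A card that steps the IV sequentially wraps after `space` frames."""
    return space / frames_per_second


def simulate_first_repeat(seed=1, space_bits=24):
    """Monte Carlo check: draw random IVs until one repeats; returns the draw count."""
    rng, seen = random.Random(seed), set()
    while True:
        iv = rng.getrandbits(space_bits)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)


if __name__ == "__main__":
    print("frames for a 50% chance of a repeated IV:", frames_for_probability(0.5))
    print("seconds to wrap at 500 frames/s:", seconds_to_wrap(500))
    print("first repeat in one random run:", simulate_first_repeat())
```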