Beyond the perimeter: the need for early detection of Denial of Service Attacks - PowerPoint PPT Presentation

About This Presentation
Title:

Beyond the perimeter: the need for early detection of Denial of Service Attacks

Description:

An Intrusion Detection system was used to analyze events of interest. ... The infected hosts inside the network tried to connect to the internet and thus ... – PowerPoint PPT presentation

Slides: 21
Provided by: abh119
Learn more at: http://web.cs.wpi.edu

Transcript and Presenter's Notes

Title: Beyond the perimeter: the need for early detection of Denial of Service Attacks


1
Beyond the perimeter: the need for early
detection of Denial of Service Attacks
  • John Haggerty, Qi Shi, Madjid Merabti
  • Presented by
  • Abhijit Pandey

2
Outline
  • Introduction
  • The Perimeter Model and DoS
  • DoS: A Case Study
  • Early Detection of DoS Attacks Beyond the
    Perimeter
  • Conclusion and Future Work

3
Introduction
  • DoS attacks prevent a user from performing
    his/her computing functions
  • They overwhelm the victim host to the point of
    unresponsiveness.
  • Current countermeasures
  • Firewalls, Intrusion Detection Systems

4
New approach for DoS prevention
  • IDS and firewalls are part of the victim system:
    they can only respond to an attack and cannot
    prevent it from happening. Thus, when an attack
    is detected, services are shut down
  • The communication medium beyond the perimeter is
    used to identify the attack signatures

5
Two main classifications of attack
  • Resource Starvation
  • Ex: TCP SYN flooding uses up the victim's
    resources with half-open requests, so no new
    requests are processed
  • Bandwidth Consumption
  • Ex: ICMP flooding or UDP flooding, which consumes
    bandwidth.

6
The perimeter model and DoS
  • Firewalls
  • They implement access control and audit functions
    at the interface. They are the conduit that network
    traffic passes through, both into and out of the
    network perimeter.
  • The security policies are enforced by means of
    packet filters using IP addresses, ports, flags,
    interfaces, etc.

7
The perimeter model and DoS
  • Intrusion Detection Systems
  • They detect violations of the security policies
    within the trusted domain, thus identifying the
    host misusing the system without authorization,
    and take action against such attacks

8
Failure of the Perimeter Model
  • If the firewall is unable to respond, the attack
    may degrade or halt the services of the perimeter
    model.
  • Against an IDS, the aim of the attack is not to
    fill the bandwidth and deny legitimate users but
    to make it log all suspicious packets. Thus a
    flood of spurious packets fills up the event log
    and consumes all hard disk space

9
DoS: a case study
  • An Intrusion Detection System was used to analyze
    events of interest.
  • A positive is when the recorded attack equates to
    an actual EOI (Event of Interest), whereas a
    false positive is when the event is recorded as
    an attack but is not. 409 positive attacks were
    recorded and 1084 false positives
  • The 409 positives were generated by a worm
    attempting to infect other servers by sending a
    crafted HTTP GET request

10
(No Transcript)
11
Result of the case study
  • The infected hosts inside the network tried to
    connect to the internet, and thus all their traffic
    was routed to the firewall.
  • The firewall's hard disk was filled with spurious
    information: neither could external users come
    in, nor internal users go out.
  • The firewall crashed.

12
Detection of DoS beyond the perimeter
  • Requirements
  • A mechanism must be devised that detects and
    responds to the attack before it reaches the
    perimeter.
  • Abnormal vs. normal traffic is not defined.
  • Thus effective detection beyond the perimeter, in
    the communication medium, is difficult.

13
Notation
  • X: total number of packets directed at host h
  • Y: time period over which packets are directed to h
  • S: packets that match a particular signature
14
(No Transcript)
15
Signatures
  • The signatures used in early detection are
    different from those of the perimeter model
  • Attack pattern: a high rate of data transfer over
    a period of time to consume available bandwidth.
  • A signature distinguishes a TCP SYN flood from a
    flash crowd, in which some connections do get
    established. Flash crowd traffic also shows a
    gradual increase and a gradual decrease, rather
    than an abrupt spike.
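The following is an added example, not code from the slides or from the authors' paper. It applies the slide-13 notation (X, Y, S) to constructed packet records and implements the slide-5 and slide-15 signature: a SYN flood leaves half-open requests from sources that never complete the handshake and arrives as a spike, while a flash crowd completes its connections and ramps up gradually. The host address, sample sources and thresholds are assumptions.

```python
# Added example, not from the slides or the authors' paper. It applies the
# slide-13 notation to constructed packet records: X = packets sent to host h
# in period Y, S = packets matching a signature. The signature used here is the
# slide-5/slide-15 one: a SYN from a source that never completes the handshake.
import math
from collections import Counter

# Packet record: (timestamp_s, src_ip, dst_ip, tcp_flags); "S" = SYN, "A" = ACK.
H = "203.0.113.10"  # hypothetical protected host h (constructed value)

def synth_syn_flood(h=H, n=60):
    # 60 SYNs from distinct (spoofed) sources inside one second; no ACK ever follows
    return [(10.0 + i / n, f"10.0.0.{i}", h, "S") for i in range(n)]

def synth_flash_crowd(h=H, n=60):
    # load ramps up over 30 s and every client completes its handshake (SYN then ACK)
    pkts = []
    for i in range(n):
        t, src = 10.0 + 30 * math.sqrt(i / n), f"192.0.2.{i}"
        pkts += [(t, src, h, "S"), (t + 0.05, src, h, "A")]
    return pkts

def signature_counts(pkts, h, t0, t1):
    """Return (X, Y, S) for host h over the window [t0, t1)."""
    window = [p for p in pkts if p[2] == h and t0 <= p[0] < t1]
    acked = {p[1] for p in window if p[3] == "A"}                    # sources that completed
    S = sum(1 for p in window if p[3] == "S" and p[1] not in acked)  # half-open requests
    return len(window), t1 - t0, S

def burstiness(pkts, h, t0, t1, bucket=5.0):
    """Peak bucket count over the mean; a spike scores high, a gradual ramp low."""
    n_buckets = int((t1 - t0) // bucket)
    counts = Counter(int((t - t0) // bucket) for t, _, dst, _ in pkts
                     if dst == h and t0 <= t < t1)
    total = sum(counts.values())
    return max(counts.values(), default=0) / (total / n_buckets) if total else 0.0

def classify(pkts, h, t0, t1, half_open_share=0.5, burst_limit=3.0):
    """Assumed thresholds: half the SYNs half-open => flood; peak < 3x mean => ramp."""
    X, Y, S = signature_counts(pkts, h, t0, t1)
    if X == 0:
        return "idle"
    if S / X >= half_open_share:
        return "syn-flood"      # half-open requests dominate (slide 5)
    if burstiness(pkts, h, t0, t1) < burst_limit:
        return "flash-crowd"    # connections complete and load ramps gradually (slide 15)
    return "unclassified-burst"

if __name__ == "__main__":
    for name, pkts in (("flood", synth_syn_flood()), ("crowd", synth_flash_crowd())):
        print(name, signature_counts(pkts, H, 10.0, 40.0), classify(pkts, H, 10.0, 40.0))
```

Note that the raw rate X/Y is higher for the constructed flash crowd (4 pkt/s) than for the flood (2 pkt/s), which is why the signature must look at handshake completion and traffic shape rather than volume alone.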

16
(No Transcript)
17
(No Transcript)
18
(No Transcript)
19
Future Work
  • A more quantitative relationship between the
    different DoS attack signatures is required.
  • Attack detection must correctly identify positives
    and false positives in order to be effective;
    false positives affect the legitimate user.
  • Central control and administration of the defense
    mechanism, as well as signature updates and policy
    management, are required.

20
Conclusion
  • The current defense is the perimeter security
    model, consisting of firewalls and IDS located on
    the target system.
  • The case study showed that when the devices are
    located on the target system, they are not an
    effective defense.
  • Detecting DoS beyond the perimeter is effective
    but needs future work.