Trend - PowerPoint PPT Presentation

Title: Trend
Slides: 44
Provided by: francine9

Transcript and Presenter's Notes
1
Trend: Techniques of Intruder Traceback
  • Dong-il Seo
  • Team Manager, ETRI

2
Contents
  • Backgrounds
  • What are the Traceback Technologies?
  • IP Packet Traceback
  • Connection Traceback
  • Host-based Traceback System
  • Network-based Traceback System
  • Active Network based Traceback System
  • Trend & Conclusion

3
Backgrounds
4
21C. Environment of Information and Communication
  • << Internet Ubiquity, Social Paradigm Shift, Cyber Society >>

Diagram: IP over Any Networks (Wireless, Adaptive, Multiple Service Infrastructure) -> Everything over Internet (Cyber & Real: 3D, E- & M-Commerce, Tele-immersion) -> Secure Cyber Society; New Applications - 4C: (E-)Commerce, Communication, Community, Contents
5
Trends of Cyber Terror Technologies
  • Unification of Hacking Tech. and Virus Tech.
  • Autonomy, Intelligence, Popularization,
    Distribution, Large Scale, Encapsulation
  • Hacktivism From Personal Purpose To Political,
    Social, Military, Industrial Purpose

Diagram: Virus Tech. Area / Hacking Tech. Area
6
Explosion of Incidents
CERT/CC Incidents Statistics (http://www.cert.org)
Chart: incidents reported per year, 1992 to 2001 (y-axis 0 to 50,000); Q1 2002 alone: 26,829
7
Limitation of Countermeasure
Active Hacking Defense Tech. is Needed
  • Should Limit the Hacking Trial Itself
  • Need the Development of an Intruder Traceback System

Limitation of Security Products
  • Passive Response
  • Can't Limit the Hacking Trial Itself
  • Can't Do the Active Response

So, the Active Hacking Defense Tech. Is Urgently Needed
8
Why Traceback System?
  • Basic System of Active Hacking Defense Tech.
  • Real-Time Traceback
  • Immediate Response
  • Can Find and Supplement the Vulnerable Systems on the Traceback Path
  • Can Make the Hacker Hesitate Over the Hacking Trial
  • Can Reduce the Number of Hacking Trials

Diagram: Hacker PC (Network 1) -> Internet -> Network 2 / Network 3; the Attack Connection and the Traceback Path that follows it back
9
What are the Traceback Technologies?
10
What is the Traceback System?
Definition
A system for finding the hacker's real location on the network autonomously.
Classification
  • IP Packet Traceback System
  • Traces back to the real source that sent an IP-address-spoofed packet
  • Connection Traceback System
  • Traces back to the real source of a detoured intrusion

11
IP Packet Traceback
  • The Solution of the IP Address Spoofing Problem
  • A method to find the real sending position of IP-spoofed packets in a DoS attack
  • A method to find the previous system in the Connection Chain
  • Focused on methods that use the intermediate routers

Diagram: the Hacker (Host C) sends packets whose Header Info reads Src addr Host A, Dst addr Host B; the Spoofed Path appears to start at Host A, while the Real Path runs from Host C through the numbered routers (1-4) across the Internet to Host B
12
Connection Traceback
  • Traceback to find the real source of a detoured attack
  • Detoured Attack: an attack that is done via several systems
  • Can't find the information for the hacker's real location with Host A's audit trail only
  • More important than IP Traceback

Diagram: Hacker -> Host A -> Host B (Attack Path, Real Attack Connection); Host B's audit trail can only find the information of Host A; Host A's can find the information of the Hacker
13
Current Traceback Tech.(1)
Connection Traceback
Manual Method
Log Analysis of Compromised System -> Identification of the Attack System -> Log Analysis of the Attack System -> Identification of the Previous Attack System -> Iteration
Depends upon the Log Files Only
Too Time-Consuming a Process
Needs Many Experts
Geographical Problem
Inefficient
Can't find the hacker's real position if even one system on the Traceback Path can't be identified
The Quick and Accurate Real-Time Traceback System is Needed
14
Current Traceback Tech.(2)
Features of Current Products
  • Simple IP Information Traceback
  • Traceback of a Detoured Attack is Impossible
  • Gathers Only the Information of the Intruder's IP Address
  • Can't Apply to the Current Internet Environment
  • Traceback for Special Cases Only

Current Products
  • A com.: Illegal Intruder Traceback System
  • Requirement: the Traceback module should be installed in every system in the Internet
  • B com.: Web-based Hacker Traceback System
  • Efficient for web hacking that uses a Proxy Server
  • Etc.

15
IP Packet Traceback
16
Example of IP Packet Traceback
Advanced and Authenticated Marking Schemes for IP Traceback
  • Analysis
  • The technology for finding the real source of a DoS attack
  • Improved method of the IP Marking Scheme with Edge Sampling
  • Advanced Marking Scheme, Authenticated Marking Scheme
  • Paper
  • Dawn Xiaodong Song and Adrian Perrig, "Advanced and Authenticated Marking Schemes for IP Traceback", Computer Science Department, Univ. of California, Berkeley

Comparison (table): IP Marking Scheme with Edge Sampling - Fragment Marking Scheme, applies only to the case where the DoS attack is done from one system; Advanced Marking Scheme - Packet marking; Authenticated Marking Scheme - Authentication; the advanced schemes restore the router information in the 16 bits (using a hash function)
17
Connection Traceback
18
Classification of Connection Traceback
Host-based Traceback
  • The Traceback module should be installed in every system in the Internet
  • Using the installed traceback module:
  • -> Traceback with authentication of the connection-requesting system
  • -> Traceback by analyzing the log in the system
  • Can't Apply to the Current Internet Environment

Network-based Traceback
  • Traceback by extracting the information from packets on the network
  • Requirement: the Traceback module should be installed in a position that can monitor all packets

Active Network based Traceback
  • Can only apply to an Active Network
  • IDIP, Sleepy Watermark Tracing, Etc.

19
Host-based Traceback System
20
Host-based Traceback System
  • The Traceback module should be installed in every system in the Internet
  • Can't Apply to the Current Internet Environment
  • Papers
  • CIS (Caller Identification System)
  • AIAA (Autonomous Intrusion Analysis Agent)
  • Etc.

Diagram: Hacker -> Host A -> Host B (Attack Path, Real Attack Connection); Host B can only find the information of Host A; Host A can find the information of the Hacker
21
CIS (Caller Identification System)
  • The Caller Identification System is basically made up of
  • a network connection request filter (ETCPW) located between TCP/UDP and the servers in the application layer, and
  • an authentication server (CIS) whose function is to grant any connection request only after the authentication of the caller and his or her network trace has been verified
  • Problems
  • Network load increases; problems of integrity and privacy
  • H. T. Jung, "Caller Identification System in the Internet Environment", Proceedings of the USENIX Security Symposium IV, 1993


Diagram: CIS verification flow along the connection path (Inform, Verify)
22
Autonomous Intrusion Analysis Agent
  • Analysis
  • Find the hacking evidence and the attack system by using the AIAA, which can autonomously analyze the log in the compromised system
  • The AIAA would be installed by the administrators of the systems in the connection chain

Diagram: AIAA Server; Attacker -> ... -> (n-1) victim -> (n) victim
23
Tracing Back Using Attack Methods
  • Traceback by Reverse Attacking
  • Systems on the Path
  • Have Backdoors made by Attackers
  • Have Vulnerabilities that can be attacked by agents
  • Check point
  • Legal?
  • Ethics?

Diagram: Attacker -> Attack Paths -> Victim; Trace Back runs along the paths in reverse
24
Network-based Traceback System
25
Network-based Traceback System
  • Traceback by extracting the information from packets on the network -> Construct the Connection Chain
  • Can apply to the current Internet Environment
  • The Traceback module should be installed in a position that can monitor all packets

Diagram: Hacker -> Host A -> Host B (Attack Path, Real Attack Connection), with Traceback Module A and Traceback Module B monitoring the packets; Host B alone can only find the information of Host A, while the modules can find the information of the Hacker
26
Connection Chain
Definition
  • When a user on a computer H0 logs into another computer H1 via a network, a TCP connection C1 is established between them. When the user logs from H1 into another computer H2, and then H3, ..., Hn successively in the same way, TCP connections C2, C3, ..., Cn are established respectively on each link between the computers. We call this sequence of connections C = (C1, C2, ..., Cn) a connection chain.

Diagram: H0 -C1-> H1 -C2-> H2 -C3-> H3 -C4-> ... -Cn-> Hn across the Network
Algorithm to identify the relations between connections
  • Thumbprints: "Holding Intruders Accountable on the Internet"
  • Sequence Number Deviation: "Finding a Connection Chain for Tracing Intruders"
  • Timing-Based Algorithm: "Detecting Stepping Stones"

27
Thumbprints
  • Idea
  • All the transmitted data in the connections would be the same if the connections are in the same connection chain
  • Thumbprints
  • A small quantity of data that effectively summarizes a certain section of a connection's collected contents

Diagram: Hacker -> Compromised system -> Victim over TCP connections across the Internet; the same data ("ls") is carried on every connection
Problems
1. Can't apply to encrypted packets
2. False positives, false negatives
28
Timing based Algorithm
  • Idea
  • A strikingly distinct distribution of the spacing between user keystrokes can be detected
  • All the connections would have the same interval between ON and OFF periods
  • All the connections would change from an OFF period to an ON period at almost the same time
  • Notation
  • OFF period: there is no data traffic on a flow for more than T_idle seconds
  • ON period: an interval which is not an OFF period

Diagram: Hacker -> Compromised system -> Victim over TCP connections across the Internet; on every connection "ls" is followed by an idle gap of T_idle and then "cd"
29
Sequence Number
  • Paper
  • K. Yoda and H. Etoh, "Finding a Connection Chain for Tracing Intruders", in F. Cuppens, Y. Deswarte, D. Gollmann, and M. Waidner, editors, 6th European Symposium on Research in Computer Security - ESORICS 2000, LNCS 1985, Toulouse, France, Oct 2000.
  • Idea
  • Define the deviation of one packet stream on a connection from another, and implement a system to compute deviations.
  • If a deviation is small, the two connections must be in the same connection chain.

Diagram: Hacker -> Compromised system -> Victim over TCP connections across the Internet; "ls" (142) and "cd" (128) appear with the same numbers on every connection
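The three correlation methods of the preceding slides (thumbprints, the timing-based ON/OFF algorithm, and sequence-number deviation) run over one constructed connection chain, as an added example that is not code from the presentation or from the cited papers. Connections C1 to C3 relay the same keystrokes with a 100 ms per-hop delay and C4 is unrelated HTTP traffic; the window size, T_idle, the coincidence tolerance, the shift range, the SHA-256 digest used as a thumbprint and the sampled form of the deviation are all assumptions made here.

```python
import hashlib

# A connection is a list of (time_ms, payload) pairs, one per data packet in
# the attacker-to-victim direction. Every connection below is constructed.
BASE = [(100, b"ls\n"), (400, b"cd /tmp\n"), (3000, b"cat notes\n"),
        (3300, b"id\n"), (6000, b"w\n"), (6200, b"exit\n")]


def relay(conn, delay_ms):
    """Next hop of a connection chain: the same bytes, delayed by one hop."""
    return [(t + delay_ms, p) for t, p in conn]


C1 = BASE              # hacker -> host A
C2 = relay(C1, 100)    # host A -> host B
C3 = relay(C2, 100)    # host B -> victim
C4 = [(800, b"GET / HTTP/1.0\r\n"), (2000, b"Host: example\r\n"), (2500, b"\r\n"),
      (4500, b"GET /a HTTP/1.0\r\n"), (5200, b"\r\n"), (7500, b"QUIT\r\n")]  # unrelated


# --- Thumbprints: summarise each time window of a connection's contents -----
def thumbprints(conn, window_ms=1000, span_ms=8000):
    """Short digest per window, or None when the window carried no data."""
    prints = []
    for start in range(0, span_ms, window_ms):
        chunk = b"".join(p for t, p in conn if start <= t < start + window_ms)
        prints.append(hashlib.sha256(chunk).hexdigest()[:8] if chunk else None)
    return prints


def thumbprint_similarity(a, b):
    """Fraction of non-empty windows whose thumbprints agree (1.0 = same chain)."""
    pairs = [(x, y) for x, y in zip(thumbprints(a), thumbprints(b))
             if x is not None or y is not None]
    return sum(x == y for x, y in pairs) / len(pairs) if pairs else 0.0


# --- Timing-based algorithm: compare OFF -> ON transitions --------------------
def on_period_starts(conn, t_idle_ms=1000):
    """An OFF period is a silence longer than T_idle; record where ON periods begin."""
    starts, last = [], None
    for t, _ in conn:
        if last is None or t - last > t_idle_ms:
            starts.append(t)
        last = t
    return starts


def timing_correlation(a, b, t_idle_ms=1000, delta_ms=500):
    """Share of ON-period starts on a that coincide (within delta) with one on b."""
    sa, sb = on_period_starts(a, t_idle_ms), on_period_starts(b, t_idle_ms)
    hits = sum(any(abs(x - y) <= delta_ms for y in sb) for x in sa)
    return hits / min(len(sa), len(sb))


# --- Sequence-number deviation: compare bytes-sent curves under a time shift --
def seq_at(conn, t):
    """Cumulative payload bytes sent by time t (stands in for the TCP sequence number)."""
    return sum(len(p) for pt, p in conn if pt <= t)


def sequence_deviation(a, b, max_shift_ms=2000, step_ms=100):
    """Smallest mean gap between a's curve and b's curve shifted by d; returns (gap, d)."""
    best = None
    for d in range(0, max_shift_ms + 1, step_ms):
        gap = sum(abs(seq_at(a, t) - seq_at(b, t + d)) for t, _ in a) / len(a)
        if best is None or gap < best[0]:
            best = (gap, d)
    return best


if __name__ == "__main__":
    for name, other in (("C3 (same chain)", C3), ("C4 (unrelated)", C4)):
        print(name, thumbprint_similarity(C1, other),
              timing_correlation(C1, other), sequence_deviation(C1, other))
```

Each method keys on a different property of the chain: thumbprints need the plaintext and therefore fail on encrypted hops, while the timing and sequence-number measures use only packet times and sizes, which is why the latter two still work on encrypted logins.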
30
On Going Project
iTREX
  • Corp.: Silicon Defense (IDS development corp.)
  • Project: iTREX (Internet TRap and Trace EXperiments)
  • Approach
  • Intends to develop methods that would allow victims of attacks to trace intruders across the Internet, even when those intruders use encrypted logins through a chain of hosts to disguise themselves

New Idea
  • Correlation methods to compare connections based solely on timing and header information, which should be possible to implement at wire speed.
  • Distributed protocols to allow a set of co-operating routers to trace the source of an attack through an extended connection.
  • To implement a working trap and trace facility for the Internet.

31
Active Network based Traceback
32
CITRA(1)
  • Infrastructure for integrating network-based intrusion detection systems, firewalls, and routers to trace attacks back to their true source and block the attacks close to that source.
  • CITRA Communities are administrative domains controlled by a management component called a Discovery Coordinator.
  • CITRA Communities consist of interconnected neighborhoods.
  • CITRA uses the IDIP protocol for centralized reporting of intrusion-related events, attack traceback, and automated response.

CITRA (Cooperative Intrusion Traceback and Response Architecture)
Diagram: a CITRA Community with its IDS components
33
CITRA(2)
  • IDIP initial intrusion response
  • A CITRA-enabled detector detects an attack
  • The detector sends a traceback message to each CITRA neighbor
  • Each boundary controller and host along the potential path of an attack uses the network audit trail to determine if the packets associated with the attack passed through it. If so, the device sends a traceback message to its neighbors
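The trace exchange described above, as an added simulation that is not code from the presentation or from the CITRA/IDIP project: a constructed community of boundary controllers and hosts, each with a constructed audit trail, propagates a trace message hop by hop, forwards it only from devices whose audit trail contains the attack flow, and the Discovery Coordinator assembles the attack path from the reports it receives. Device names, flow identifiers and the report format are assumptions; the message layer's reliable delivery, duplicate removal and multicast are reduced to a queue and a visited set.

```python
from collections import deque

# Constructed CITRA community: each device and the neighbours it exchanges
# IDIP messages with. All names are assumptions for this example.
NEIGHBORS = {
    "victim":   ["fw-A"],
    "fw-A":     ["victim", "router-1", "router-2"],
    "router-1": ["fw-A", "fw-B"],
    "router-2": ["fw-A", "fw-C"],
    "fw-B":     ["router-1", "host-X"],
    "fw-C":     ["router-2", "host-Y"],
    "host-X":   ["fw-B"],
    "host-Y":   ["fw-C"],
}

# Constructed network audit trails: the flow identifiers each device forwarded.
AUDIT = {
    "victim": {"flow-7"}, "fw-A": {"flow-7", "flow-9"},
    "router-1": {"flow-7"}, "router-2": {"flow-9"},
    "fw-B": {"flow-7"}, "fw-C": {"flow-9"},
    "host-X": {"flow-7"}, "host-Y": {"flow-9"},
}


def idip_trace(detector, attack_flow, neighbors=NEIGHBORS, audit=AUDIT):
    """Propagate a trace message hop by hop; return the reports the Discovery
    Coordinator receives as (reporting node, hop the trace came from) pairs.

    The detector sends 'trace' to every neighbour. A node that finds the attack
    flow in its own audit trail reports to the Coordinator and forwards the
    trace to its other neighbours; a node that never carried the flow drops it,
    so the search follows only the path the attack packets actually took.
    """
    reports = []
    seen = {detector}   # duplicate removal, which the IDIP message layer provides
    queue = deque((detector, nb) for nb in neighbors[detector])
    while queue:
        prev, node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        if attack_flow not in audit[node]:
            continue        # the attack packets did not pass through this device
        reports.append((node, prev))
        queue.extend((node, nb) for nb in neighbors[node] if nb != prev)
    return reports


def attack_path(reports, detector):
    """Discovery Coordinator view: chain the reports back to the detector,
    listing the far end of the trace first."""
    if not reports:
        return [detector]
    prev_of = dict(reports)
    # the reporting node that no other report was traced from is the far end
    far_end = next(n for n in prev_of if n not in prev_of.values())
    path, node = [], far_end
    while node != detector:
        path.append(node)
        node = prev_of[node]
    return path + [detector]


if __name__ == "__main__":
    reports = idip_trace("victim", "flow-7")
    print("reports to Discovery Coordinator:", reports)
    print("attack path:", " <- ".join(attack_path(reports, "victim")))
```

The audit-trail check at every hop is what keeps the trace from flooding the whole community: in the constructed topology router-2 receives the trace for flow-7 but never forwards it, so only the devices on the real path report to the Coordinator. A device whose audit trail is missing or tampered with breaks the chain at that point, which is the same single-point dependency the manual log-analysis method has.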

34
CITRA(3)
  • IDIP (Intruder Detection and Isolation Protocol)
  • IDIP is organized into two primary protocol layers: the IDIP application layer and the IDIP message layer
  • The application layer protocol accomplishes intrusion tracking and containment through three major message types: (1) trace, (2) report, and (3) Discovery Coordinator directive

Diagram: IDIP Backplane architecture
  • IDIP Application
  • IDIP Backplane: Neighborhood Management (Node status); IDIP Message Layer (Reliable Delivery, Duplicate Removal, Multicast Support, Time Management); IDIP Cryptographic Service (Authentication, Integrity, Privacy); Key Management
  • User Datagram Protocol over Internet Protocol
35
CITRA(4)
  • IDIP Application
  • One IDIP node in a community executes the Discovery Coordinator application. All IDIP nodes execute an IDIP agent application.
  • Discovery Coordinator application
  • When an IDIP node sends or processes a trace message, it sends a copy of the attack description and responses to the Discovery Coordinator, so that the Coordinator knows the path of the attack and the response taken by each component along the attack path.

Diagram: IDIP Generic agent architecture - IDIP Detection Interface; IDIP Generic Agent (Message Processing, Connection search, Cost model); Component Specific Functions (Service blocking); IDIP Audit; IDIP Backplane
Diagram: Discovery Coordinator application view - Discovery Coordinator Core Service; Correlation Engines; Response Manager; Response Engines; Other Applications; IDIP Audit Data; Discovery Coordinator API; IDIP Backplane
36
Self-Extension Monitoring(1)
  • Idea
  • Self-Extension Monitoring observes the intruder's activities at the host level.
  • If the intruder moves into another host, network-level monitoring is carried out through program replication into that host as needed
  • Approach based on the Shadowing mechanism for monitoring hacking activities.

Monitoring Approach
  • Host-level Monitoring
  • Host-level monitoring observes the specified user on a single host and records the log.
  • The tty hijacking method is used to monitor the user at the host level.
  • Network-level Monitoring
  • Network-level monitoring tools use connection hijacking to monitor and control the user's activities.
  • There are several network-level monitoring tools with more functions; these include IP-watcher on the UNIX system, hunt on Linux and T-sight on Windows NT.

37
Self-Extension Monitoring(2)
  • IIS (Intruder Identification System)
  • IIS is developed on the basis of Self-Extension Monitoring using the Shadowing and Replication Mechanisms.
  • This system aims at disclosing the intruder's identity accurately, and is composed of a single server (Intruder Identification Server) and an unspecified number of clients (Intruder Identification Client).

Diagram: Overview of IIS
38
Sleepy Watermark Tracing(1)
  • Paper
  • X. Wang, D. Reeves, S. F. Wu, and J. Yuill, "Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework", Proceedings of the IFIP Conference on Security, Mar. 2001.
  • Active Network based Solution
  • Uses the watermarked reply packet

39
Sleepy Watermark Tracing(2)
  • Step 1: Insert the watermark in the reply packets
  • Step 2: Detect the watermarked packet
  • Quick and Accurate Traceback is Possible

Diagram: SWT inserts a Watermark into the reply Packet; the Watermarked Packet is detected by SWT nodes in the Active Network on its way back to the Hacker
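The two SWT steps on a constructed reply stream, as an added example that is not code from the presentation or from the SWT paper: the victim-side component appends an invisible watermark to a reply packet of the session being traced, and a node on the return path checks each packet it sees for that watermark. The encoding (one blank character per bit after a terminal reset sequence), the watermark length and the packet contents are assumptions made here, not the paper's design.

```python
import secrets

# Each watermark bit is carried by one character that a terminal renders as
# blank: a space for 0, a tab for 1. The start marker is a terminal reset
# sequence. Both choices are assumptions of this example, not the SWT design.
BIT_CHARS = {"0": b" ", "1": b"\t"}
START = b"\x1b[0m"


def new_watermark(n_bits=16):
    """Bit string chosen freshly for each traced session; an ordinary packet
    is unlikely to carry the marker followed by exactly this pattern."""
    return format(secrets.randbits(n_bits), f"0{n_bits}b")


def insert_watermark(reply, watermark):
    """Step 1 (victim side): append the encoded watermark to a reply packet."""
    return reply + START + b"".join(BIT_CHARS[b] for b in watermark)


def extract_watermark(packet, n_bits=16):
    """Step 2 (SWT node): recover the watermark from a packet, or None."""
    pos = packet.rfind(START)
    if pos < 0:
        return None
    tail = packet[pos + len(START):pos + len(START) + n_bits]
    if len(tail) != n_bits or any(c not in (0x20, 0x09) for c in tail):
        return None
    return "".join("1" if c == 0x09 else "0" for c in tail)


def is_watermarked(packet, watermark):
    """What a node on the return path checks for each packet it observes."""
    return extract_watermark(packet, len(watermark)) == watermark


def visible_text(packet):
    """What the person at the far end sees: the reply without the marker and
    without the trailing blanks."""
    return packet.split(START)[0].rstrip(b" \t")


if __name__ == "__main__":
    wm = new_watermark()
    pkt = insert_watermark(b"total 3\nfile1\n", wm)
    print("watermark:", wm, "detected:", is_watermarked(pkt, wm))
    print("shown at the far end:", visible_text(pkt))
```

Because the node compares against a specific per-session bit string rather than looking for any whitespace, a packet is only reported when the full pattern is present, which is the property behind the "no false positive" claim on the next slide; the trade-off is that the method needs plaintext reply traffic to carry the watermark, the same limitation encryption imposes on thumbprints.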
40
Sleepy Watermark Tracing(3)
Pros.
  • Does not increase the network load
  • No False Positives
  • Low False Negatives
  • Real-Time Traceback

Cons.
  • Works only on the Active Network -> Can't apply to the current Internet
  • Lack of research into watermarks for network packets

41
Trend & Conclusion
42
Trend & Conclusion
Future Works
  • A model that can apply to the current Internet should be developed
  • A real-time traceback system is needed to actively defend against hacking

Active Anti-Hacking System Research
  • Main Research Field: Traceback System
  • Host/Network/Active Network based Traceback Systems
  • Difficult to apply to the current Internet

Current Information Security Env.
The Quick and Accurate Real-Time Traceback System is Urgently Needed
  • Can't Limit the Hacking Trial Itself
  • Active Hacking Defense Tech. is Needed
43
Q & A
Thank you very much !!!