DETECTING A CYBER-ATTACK SOURCE IN REAL TIME
R. Romanyak 1), A. Sachenko 1), S. Voznyak 1), G. Connolly 2), G. Markowsky 2)
1) Ternopil Academy of National Economy
2) Department of Computer Science, U. of Maine
The Web Neighborhood Watch Project
• This project seeks to identify websites belonging to dangerous people such as terrorists
• In addition to the artificial intelligence components, there is a need for locating the website in physical space
• At last year's conference, work was presented on using the distributed traceroute approach to help locate computers physically
Locating Computers in Physical Space
• Not only is locating computers physically important for the Web Neighborhood Watch Project, but for dealing with cyber-attacks in general
• Current methods for tracking Internet-based attacks are primitive.
• It is almost impossible to trace sophisticated attacks using current tools.
Intruders
[Figure: Attack Sophistication and Intruder Technical Knowledge. Horizontal axis: 1980, 1986, 1992, 1998, 2004. Vertical axis: Low to High. Two plotted curves: Intruder Knowledge and Attack Sophistication. Milestones labelled on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, Tools, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, Staged, Auto Coordinated.]
Techniques for Physically Locating Computers
• Whois
• Traceroute
• Distributed Traceroute
• Time Delay Method (new)
Whois Limitations
• Whois contains information about top-level domains only
• Distributed databases are not always connected
Traceroute Limitations
• It does not take advantage of the fact that there typically exist several different paths to the target computer
• Executing a single trace from a single location tends to produce results that are geographically insufficient
Distributed Traceroute Limitations
• The results are not always as accurate as one would want
• This approach cannot be applied when the attacker uses intermediate hosts with software redirectors to make a cyber-attack
Time Delay Method (new)
• Based on the concept that the most recent computer from which the attack was received was either:
 – a) The actual attacking computer
 – b) An intermediate host being used with redirection software
• Choosing between a) and b) is based on comparing the time delay between the attacking computer (AC) and the victim computer (VC) to the most recent time delay
A Cyber-attack using Redirectors
$T_{total} = t_1 + t_2 + t_3 + \dots + t_n + t_{n+1}$,
$t_i$ - the time delay of the i-th link
[Figure: attack chain Attacking Computer → (t1) → Redirector 1 → (t2) → Redirector 2 → (t3) → … → Redirector n → (tn+1) → Victim Computer]
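The decision rule of the Time Delay Method and the T_total sum above, worked through as an added Python example; this is not code from the paper, and the delay samples, the 2x threshold and the function names are assumptions made here:

```python
from statistics import median

# Constructed sample delays in microseconds (not the paper's measurements).
# They are shaped like the paper's two charts: a direct HTTL->TANE link whose
# samples stay below about 1.0E+06 us, and the same path through the Kiel
# redirector, where samples run roughly an order of magnitude higher.
DIRECT_LINK_US = [420_000, 380_000, 610_000, 450_000, 390_000, 970_000, 410_000, 440_000]
VIA_REDIRECTOR_US = [5_100_000, 4_800_000, 7_900_000, 5_300_000, 4_900_000,
                     9_600_000, 5_000_000, 5_200_000]


def chain_total_delay(link_delays_us):
    """T_total = t_1 + t_2 + ... + t_n + t_{n+1}: with n redirectors the attack
    crosses n+1 links, and every redirector adds its own t_i to the total."""
    return sum(link_delays_us)


def classify_most_recent_host(attack_delays_us, direct_baseline_us, ratio=2.0):
    """Decide between the two cases of the Time Delay Method.

    attack_delays_us   - per-packet delays of the attack traffic as seen at the
                         victim computer (VC)
    direct_baseline_us - delays measured on a direct link to the most recent
                         host the attack came from (case a: it is the AC)
    ratio              - assumed threshold: if the attack traffic is delayed at
                         least `ratio` times the direct baseline, the extra
                         delay is attributed to links behind a redirector
    Returns (label, observed/baseline). Medians are used so that single slow
    packets, like the spikes on the charts, do not dominate the decision.
    """
    observed = median(attack_delays_us)
    baseline = median(direct_baseline_us)
    factor = observed / baseline
    if factor >= ratio:
        return "intermediate host with redirection software", factor
    return "actual attacking computer", factor


if __name__ == "__main__":
    # Two-redirector chain: AC -> R1 -> R2 -> VC has n+1 = 3 links.
    print("T_total (us):", chain_total_delay([430_000, 1_900_000, 2_800_000]))
    print(classify_most_recent_host(DIRECT_LINK_US, DIRECT_LINK_US))
    print(classify_most_recent_host(VIA_REDIRECTOR_US, DIRECT_LINK_US))
```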
Experimental Results
• The following servers were used:
 – TANE (Ternopil Academy of the National Economy, Ukraine, 217.196.166.105)
 – Kiel University (Germany, 134.245.52.122)
 – HTTL (Home To good service and Technology Ltd, London, England, 217.34.204.1)
Direct connection
Time Delays From HTTL to TANE
[Chart: x-axis: IP-packets 1 to 27; y-axis: time delays, μs, from 0.00E+00 to 1.00E+06]
Time Delays from TANE to HTTL
[Chart: x-axis: IP-packets 1 to 27; y-axis: time delays, μs, from 0.00E+00 to 1.00E+06]
Connection using redirector
Time Delays from HTTL to TANE using Kiel-redirector
[Chart: x-axis: IP-packets 1 to 27; y-axis: time delays, μs, from 0.00E+00 to 1.00E+07]
Conclusion
• The Time Delay Method has the ability to locate a remote computer in real time based on delays in IP packet travel
• The Time Delay Method can also be used to analyze the nature of the links involved in the attack chain
Contact Information
Roman Romanyak: [email protected]
Anatoly Sachenko: [email protected]
Serhiy Voznyak: [email protected]
Gene Connolly: [email protected]
George Markowsky: [email protected]