MITACS-PINTS: Prediction In Interacting Systems. Project Leader: Michael Kouritzin



Application areas: Network Security, Search and Rescue, Defence, Investing, Environmental Monitoring, Fraud Detection.

Methods: Nonlinear Filtering, Modeling, Observing.

Countering Espionage in Cyber-Warfare: Detecting Stealthy Portscans

Jarett Hailes, Surrey Kim, Michael Kouritzin, Wei Sun

5th MITACS IT-Theme Meeting, October 19, 2003

Outline

Problem of detecting stealthy port scans

Simulations

Clustering model & filtering equation

Computer-workable approximation

Port Scanning

Port scanning: a method for discovering network vulnerabilities.

Reconnaissance stage of a hacker attack.

"Probes" the target network by sending packets.

Stealthy Techniques

Slow scans: to obscure the attack, an attacker could do the scan very slowly.

Multiple source scans: using multiple sources.

Idle scanning: bouncing scans from a dumb "zombie" host.

Spoofed source IP: sending a large number of packets with only one as the real source.

Current Solutions

Existing solutions are:

Prone to false alarms and miss detects

Easily foiled by new scanning techniques

Insufficient information (black and white solutions)

Cause for unacceptable downtime

Extensive human management required

Example

End goal: to probe 30 ports on 10 hosts.

Scanning technique: half-open SYN scan. To obscure the attack, the scanner may use multiple computers (i.e. source IP addresses), may use a dumb "zombie" host to bounce scans, slows down the scan rate, and sends the 300 packets in random order.

Detection Problem

To detect whether or not there is a port scanner present.

Via filtering and Bayesian model selection.

Only SYN packets are considered (i.e. no packet flag information is used yet).

Assume the traffic rates for target hosts.

Portscan Detector Results

[Figure: Number of PortScans Detected for 10 PortScans Simulation (20 runs); x-axis: Number of PortScans Detected (0 to 10); y-axis: % (0.00 to 0.50)]

[Figure: Number of False Positives for 10 PortScan Simulation (20 runs); x-axis: Number of False Positives (0 to 10); y-axis: % (0.00 to 0.30)]

Traffic Summary

[Figure: Signal to Noise Ratio; bar chart of Number of Packets, axis 0 to 1,000,000]

Normal Network Traffic Packets: 923,424

Port Scanner Packets: 428

Challenges and Future Work

Enormous state space:

Localization:

IP spoofing: a stealthy hacker scans all ports a certain number of times, decreasing the scan rate and using to reduce suspicion.

Clustering Model

Model packet traffic as a marked point process with marks, i.e. packet headers (Destination, Source, Flags), in the mark space S.

Network traffic is a mixture of two types:

Normal traffic rate: a function of the mark u.

Malicious & stealthy traffic rate: a function of the mark u and time t, which depends on all previous scans.

The hacker can have a stealthy strategy, e.g. scan a network host port over so many days.

Which packets are due to port scans?

Filtering Approach

New nonlinear filtering approach:

Provides probabilistic information

Other bw

Choose acceptable ratio of miss detect to false alarm

Asymptotically optimal

Normal Traffic

Poisson measure: randomly distributes points across marks, rates, time.

Number of points in disjoint regions independent.

Desired expected number of points everywhere.

Normal traffic = observation noise that must be "filtered out".

itvASVU iiitvA],0[],0[),,(1

1111]),0[],,0[,(

)()(1),(],0[),0[

1)](,0[1 dsddutAYtA

u

Port Scanning

Buried in this noise is the signal = count of port scan packets at various marks.

Port scan signal or cluster:

Observation = observed traffic:

)()(1),(],0[),0[

2)],(,0[ dsddutAtA

u s

),(),(),( 1 tAtAYtAY

Simulation Example

End goal: to probe 30 ports on 10 target hosts.

Normal traffic rates:

Host   1     2      3      4     5     6    7    8     9     10
Rate   1.00  0.001  0.005  1.01  1.01  2.0  2.0  0.02  0.01  0.02

Cluster dependent scanning rate:

Bayesian Model Selection

Detecting whether or not there is anomalous traffic on the observed computer system.

Bayes factor satisfies [equation lost in transcript].
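As an added example (not code from the slides or from the PINTS project), the following Python script reproduces the setting of the Detection Problem and Simulation Example slides and applies the Bayesian model selection step described here: per-(host, port) SYN counts are modelled as Poisson background traffic, using the normal traffic rates from the table above, and a Bayes factor compares "no scan" against "a slow sweep of every port on every host". Everything beyond the slides is an assumption: the observation window length, the uniform spread of a host's rate over its 30 ports, the discrete prior on how many sweeps the scan completes in the window, and the simulated counts themselves, which the script constructs. It is a static Bayes factor over one window, not the sequential nonlinear filter the deck goes on to derive.

```python
import math
import random
from collections import Counter

# Normal SYN rates per target host (packets per time unit), hosts 1..10 in order,
# taken from the "Normal Traffic Rates" table on the slides.
NORMAL_RATES = [1.00, 0.001, 0.005, 1.01, 1.01, 2.0, 2.0, 0.02, 0.01, 0.02]
N_PORTS = 30          # the scenario probes 30 ports on each host
WINDOW = 600.0        # observation window length in the same time unit (assumed)
# Prior over the scan's mean number of probes per (host, port) mark within the
# window (assumed): 0.5 = half a sweep, 1 = one full sweep, 2 = two sweeps.
SCAN_MEAN_PRIOR = {0.5: 1 / 3, 1.0: 1 / 3, 2.0: 1 / 3}


def poisson(rng, mean):
    """Draw one Poisson(mean) sample (Knuth's multiplication method; means are small here)."""
    limit = math.exp(-mean)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def normal_mean(host):
    """Expected normal SYN count on one (host, port) mark over the window, assuming a
    host's normal rate is spread uniformly over its ports (assumption)."""
    return NORMAL_RATES[host] * WINDOW / N_PORTS


def simulate_counts(rng, scan_present):
    """Constructed observation: per-mark SYN counts from Poisson background traffic,
    plus one probe per mark, in random order, when a slow full sweep is present."""
    counts = Counter()
    marks = [(h, p) for h in range(len(NORMAL_RATES)) for p in range(N_PORTS)]
    for h, p in marks:
        counts[(h, p)] += poisson(rng, normal_mean(h))
    if scan_present:
        rng.shuffle(marks)          # the 300 probes arrive in random order
        for mark in marks:
            counts[mark] += 1
    return counts


def log_poisson_pmf(n, mean):
    return n * math.log(mean) - mean - math.lgamma(n + 1)


def per_host_log_lr(counts, scan_mean=1.0):
    """Log-likelihood ratio (scan vs. no scan) contributed by each host at a fixed scan
    mean; rarely contacted hosts carry almost all of the evidence."""
    evidence = [0.0] * len(NORMAL_RATES)
    for (h, _p), n in counts.items():
        lam = normal_mean(h)
        evidence[h] += log_poisson_pmf(n, lam + scan_mean) - log_poisson_pmf(n, lam)
    return evidence


def log_bayes_factor(counts):
    """log B = log( sum_m prior(m) * P(counts | scan of mean m) ) - log P(counts | no scan)."""
    log_h0 = sum(log_poisson_pmf(n, normal_mean(h)) for (h, _p), n in counts.items())
    log_terms = []
    for m, prior in SCAN_MEAN_PRIOR.items():
        log_h1 = sum(log_poisson_pmf(n, normal_mean(h) + m) for (h, _p), n in counts.items())
        log_terms.append(math.log(prior) + log_h1)
    top = max(log_terms)            # log-sum-exp for numerical stability
    log_marginal = top + math.log(sum(math.exp(t - top) for t in log_terms))
    return log_marginal - log_h0


def detect(counts, log_threshold=0.0):
    """Declare a scan when the Bayes factor exceeds the threshold; moving the threshold
    trades miss-detects against false alarms."""
    return log_bayes_factor(counts) > log_threshold


def run_demo(seed=7):
    """One window with a scan and one without, scored by the same detector."""
    rng = random.Random(seed)
    scan = simulate_counts(rng, True)
    quiet = simulate_counts(rng, False)
    return {
        "scan_log_bf": log_bayes_factor(scan),
        "quiet_log_bf": log_bayes_factor(quiet),
        "scan_detected": detect(scan),
        "quiet_detected": detect(quiet),
        "scan_per_host": per_host_log_lr(scan),
        "scan_total_packets": sum(scan.values()),
    }


if __name__ == "__main__":
    r = run_demo()
    print("log Bayes factor with scan   :", round(r["scan_log_bf"], 1))
    print("log Bayes factor without scan:", round(r["quiet_log_bf"], 1))
    print("per-host evidence with scan  :", [round(e, 1) for e in r["scan_per_host"]])
```

Running the script prints the log Bayes factor for a window with and without the sweep and the per-host evidence. The rarely contacted hosts (normal rates 0.001 and 0.005) contribute almost all of the evidence, which is the signal-to-noise effect the Traffic Summary slide points at: a single extra SYN to a host that normally sees none is far more informative than one buried in a busy host's traffic. The threshold argument of detect() is where the acceptable ratio of miss detects to false alarms is chosen.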

Nonlinear Filtering

Goal: approximate [ ]. Idea: choose [ ] that does not depend on [ ]; then the calculations are simple.

Reference probability measure method: there is an artificial probability Q where [ ] is a Poisson measure with intensity [ ]; P(A) = L(t) Q(A) for events A occurring by t; L is a martingale.

)),(|(),( tssYAPtA t

)(u

Filtering Equation

Unnormalized conditional port scan distribution:

Then, we approximate:

Real-world conditional probability satisfies:

fttftf ),1(/),(),(

)),(|)()),(((),( tssYtLtfEtf Q

)()()(

)()),(

)(

),()((

)()),,()()((()0,(),(

],0[

],0[

dsduYuu

usf

u

uf

dsdusuufftf

tM u

tM

(1)

Workable Approximation (I)

Under general conditions and after modest work we find and prove:

NNN as and

in probability on path space for each fixed observation Y, i.e. in the quenched sense.

Here ),(

),()(

tf

tff

t

NtN

t

N

Workable Approximation (II)

;,...,1 , ;1

NNk

Nk

d

k

Nk dkCySC

N

Nd

NN LJ ,...,0

, allfor )(mean )(Let NiN

iN dijCjC

Equation (1) is still unworkable so we let

[Diagram: the mark space S partitioned into cells C_1^N, C_2^N, ..., C_{d_N}^N. Example: suppose S is 1-dimensional; the vertical axis 0, 1, ..., K_N gives the number of packets in each cell.]

Workable Approximation (III)

Substituting into (1) and approximating counting measures on S with counting measures on [ ] with at most L_N particles, one finds

Here

jC Nf

)(

1)(

Nd

kNky 1}{

Workable Approximation (IV)

,for

NNiDi Ny

iN JjjjK

and , )))((()))((()0( 00 jCPljCln NN

NN

Nj

processesPoisson t independen be , ,,NJj

Nj

Nj XX

• We also discretize amplitude to yield a Markov chain approximation

• Suppose is sequence satisfying

• Let

Nl Nl

Workable Approximation (V)

Our Markov chain solves:

The approximation is given by:

)),()()()(

),(

)()()(()),()()(

)()(

)()(),(()0()(

)(],0[

)(

0

,],0[

0

,

dsduYsnuu

jKu

dssnduuXdsduYuu

snu

dssndujKuXntn

N

uejtS

uyN

S

tN

j

N

jtS

N

j

S

tN

jN

N

j

N

j

N

j

N

N

NJj

NN

NjN

t jKfl

tnf )(

)()(

NNj Jjn ,