UT researcher develops new method for detecting malicious data streams




By looking for suspicious traffic patterns, it is possible to detect compromised or taken-over systems without having to monitor every Internet-connected device separately. This has been shown by research at the University of Twente.

[Image: flow detection]

The study, titled Flow-based Compromise Detection, was performed by Rick Hofstede of the Design and Analysis of Communication Systems group. "With traditional intrusion detection you only look at attacks on each individual client in a network, which can be quite tricky if you have more than thirty clients, as the UT has," Hofstede tells Tweakers.

With the latter there is an additional difficulty: on such large networks it is virtually impossible to gain access to all the devices and to equip each device with its own intrusion detection. "In a very secure and relatively small environment, you could put intrusion detection on each machine," says Hofstede.

To still know which attacks actually cause problems on such a large network, where securing every machine is not feasible, compromise detection via flow data is much more practical. "With compromise detection you know which attack was successful, and then you can go after those hosts on the network."

"The flow-based method has one or a number of sensors, typically in the edge routers, with which we determine on the basis of behaviour whether a compromise or take-over has occurred."

To apply this technique, the researchers made use of their own open-source software, which works on the basis of IPFIX, a standard that builds on NetFlow, a Cisco technology. "Instead of looking at individual packets, you look at metadata," says Hofstede. "Who communicates with whom, how long it lasted, and so on. You do not look at the payload of the communication, so you need much less data. In addition, it is much less privacy-sensitive. Instead of storing every packet of an IP connection, you actually only have to save one line. So you get very scalable monitoring."
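The data reduction Hofstede describes is what a NetFlow/IPFIX exporter does: it keeps only the packet headers, folds every packet of a connection into one record per direction (the 5-tuple of addresses, ports and protocol), and exports the record when the flow goes idle. The following is an added example, written for this page and not code from the thesis or from SSHCure; the packet list, the idle timeout and the field layout are constructed and assumed for illustration.

```python
"""Collapse per-packet metadata into NetFlow/IPFIX-style flow records.

Added example, not code from the thesis or from SSHCure. It shows why
flow-based monitoring needs far less data than packet capture: every
packet of a connection is folded into one record per direction. The
packet list and the idle timeout are constructed/assumed for illustration.
"""
from dataclasses import dataclass

TCP = 6
IDLE_TIMEOUT = 15.0  # assumed exporter setting: seconds without traffic before a flow is exported


@dataclass
class FlowRecord:
    """One unidirectional flow, keyed on the 5-tuple, as an exporter would emit it."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    start: float
    end: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0  # OR of all TCP flags seen (0x02 SYN, 0x10 ACK, 0x01 FIN, 0x04 RST)


class FlowCache:
    """Minimal flow cache: aggregate packets by 5-tuple, expire idle flows."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.active: dict[tuple, FlowRecord] = {}
        self.exported: list[FlowRecord] = []

    def _expire(self, now: float) -> None:
        for key, rec in list(self.active.items()):
            if now - rec.end > self.idle_timeout:
                self.exported.append(self.active.pop(key))

    def observe(self, ts, src, dst, sport, dport, proto, length, flags=0) -> None:
        """Account one packet header; only metadata, never payload, is kept."""
        self._expire(ts)
        key = (src, dst, sport, dport, proto)
        rec = self.active.get(key)
        if rec is None:
            rec = FlowRecord(src, dst, sport, dport, proto, start=ts, end=ts)
            self.active[key] = rec
        rec.end = ts
        rec.packets += 1
        rec.octets += length
        rec.tcp_flags |= flags

    def flush(self) -> list[FlowRecord]:
        """Export everything still active (end of the observation window)."""
        self.exported.extend(self.active.values())
        self.active.clear()
        return self.exported


def ssh_session_packets(client, server, sport, t0, n_packets, gap=0.5):
    """Constructed bidirectional SSH session: client and server alternate packets."""
    pkts = []
    for i in range(n_packets):
        ts = t0 + i * gap
        if i % 2 == 0:
            pkts.append((ts, client, server, sport, 22, TCP, 120, 0x10))
        else:
            pkts.append((ts, server, client, 22, sport, TCP, 180, 0x10))
    return pkts


# Constructed traffic: three SSH sessions from two clients to one server; the
# first session is separated from the second (same 5-tuple) by more than the
# idle timeout, so it is exported as its own pair of flows.
SAMPLE_PACKETS = (
    ssh_session_packets("192.0.2.10", "198.51.100.5", 51000, 0.0, 40)
    + ssh_session_packets("192.0.2.10", "198.51.100.5", 51000, 100.0, 60)
    + ssh_session_packets("192.0.2.11", "198.51.100.5", 40222, 105.0, 20)
)


def aggregate(packets) -> list[FlowRecord]:
    """Feed packets to the cache in time order and return all exported flows."""
    cache = FlowCache()
    for pkt in sorted(packets, key=lambda p: p[0]):
        cache.observe(*pkt)
    return cache.flush()


if __name__ == "__main__":
    flows = aggregate(SAMPLE_PACKETS)
    print(f"{len(SAMPLE_PACKETS)} packets -> {len(flows)} flow records")
    for f in flows:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} pkts={f.packets} "
              f"octets={f.octets} dur={f.end - f.start:.1f}s")
```

The 120 constructed packets become six records (two directions for each of three sessions). A real exporter also has an active timeout that splits long-lived connections into several records, which is why flow-based detectors should not assume one record equals one session.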

When asked whether this is not an already widely used technique, Hofstede says that the compromise-detection part is a 'naturally' simple idea, but one that is applied almost nowhere. "Traditional detection systems can check that, but network-based systems, such as flow-based systems, do not. In this we are the first to have done it," says Hofstede.

"To show that it actually works, we have chosen a particular approach. Scientific research must always be validated. That was very difficult for us, because so few people are doing this. It is so hard to measure yourself against others' data that we designed an open-source intrusion detection system, with the hope that the community would want to work with us. That was a hit, because it is already used worldwide now: from small software companies to another level, national computer emergency response teams, or CERTs, that use our tool. So we have chosen an unusual way of validation."

[Image: SSHCure logo]

Hofstede did not work alone. On the software he worked with Luuk Hendriks, and another colleague, Anna Sperotto, earlier obtained her doctorate on the subject of identifying brute-force attacks on SSH. Hofstede used, among other things, information from that thesis in the team's work. "Hence the name of the software, SSHCure."

He indicated that another reason is the broad support for techniques such as NetFlow and IPFIX: "Virtually any high-end router supports those protocols, and thereby we have very broad support, which is also the main reason for the flow-based approach."

The system focuses on brute-force attacks. Such attacks often work on the basis of dictionaries or word lists of login names and passwords. At the network level, a scan of a large network range is detected first, such as a scan on port 22. Once the attacker has found the daemon on its targets, it runs through its dictionary lists. If the attacker manages to get into a client, that client can be taken over.

"That concept of different phases of an attack is very clearly reflected in the dissertation and was devised by Anna. We simply adopted that. We developed the layer on top, namely detecting whether or not a compromise has occurred."
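The three phases just described (a port-22 scan across a range, repeated dictionary attempts against the hosts that answered, and a login that succeeds) each leave a recognisable footprint in flow metadata alone: scan flows carry only a packet or two, every failed attempt is a flow of roughly the same small size, and a successful login is followed by a flow that breaks that pattern. The following is an added example written for this page; it is not the SSHCure implementation or the thesis' algorithm, and all thresholds (packets per flow, minimum target and attempt counts) and the flow records are assumed and constructed for illustration.

```python
"""Phase-based SSH compromise detection over flow records.

Added example, not the SSHCure implementation or the thesis' algorithm.
It follows the three phases described in the article: a scan of a network
range on port 22, a dictionary attack against the hosts that answered, and a
successful login. Only flow metadata is used. All thresholds and the flow
records below are assumed/constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

SSH_PORT = 22

# Assumed thresholds, in packets per flow (ppf):
SCAN_MAX_PPF = 2          # SYN (+RST/SYN-ACK): the handshake never completes
SCAN_MIN_TARGETS = 20     # distinct targets before a source counts as a scanner
BF_PPF_RANGE = (8, 40)    # one failed SSH login attempt, key exchange included
BF_MIN_ATTEMPTS = 10      # flows in that range to one target before we call it brute force
COMPROMISE_MIN_PPF = 60   # a flow this much larger than an attempt means a session was opened


@dataclass(frozen=True)
class Flow:
    start: float   # seconds
    src: str
    dst: str
    dport: int
    packets: int
    duration: float


def detect(flows):
    """Return {attacker: {"scan": n_targets, "brute_force": [...], "compromised": [...]}}."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == SSH_PORT:
            by_src[f.src].append(f)

    report = {}
    lo, hi = BF_PPF_RANGE
    for src, src_flows in by_src.items():
        # Phase 1: many distinct targets reached with flows too small to be a login.
        scan_targets = {f.dst for f in src_flows if f.packets <= SCAN_MAX_PPF}
        per_dst = defaultdict(list)
        for f in src_flows:
            per_dst[f.dst].append(f)

        brute_forced, compromised = [], []
        for dst, dst_flows in per_dst.items():
            dst_flows.sort(key=lambda f: f.start)
            # Phase 2: repeated, similarly sized flows to one target.
            attempts = [f for f in dst_flows if lo <= f.packets <= hi]
            if len(attempts) < BF_MIN_ATTEMPTS:
                continue
            brute_forced.append(dst)
            # Phase 3: after the attempts began, a flow to the same target that breaks
            # the repetitive pattern (far more packets: an interactive session rather
            # than a rejected login).
            first_attempt = attempts[0].start
            if any(f.start >= first_attempt and f.packets >= COMPROMISE_MIN_PPF
                   for f in dst_flows):
                compromised.append(dst)

        is_scanner = len(scan_targets) >= SCAN_MIN_TARGETS
        if is_scanner or brute_forced:
            report[src] = {
                "scan": len(scan_targets) if is_scanner else 0,
                "brute_force": sorted(brute_forced),
                "compromised": sorted(compromised),
            }
    return report


def constructed_flows():
    """Constructed flow records: one full attack, one failed attack, benign traffic."""
    flows = []
    attacker = "203.0.113.7"
    # Phase 1: the attacker scans 30 hosts in 192.0.2.0/24, one or two packets each.
    for i in range(1, 31):
        flows.append(Flow(10.0 + i, attacker, f"192.0.2.{i}", 22, 1 if i % 3 else 2, 0.0))
    # Phase 2: 12 dictionary attempts against 192.0.2.10, about 15 packets each.
    for k in range(12):
        flows.append(Flow(100.0 + 3 * k, attacker, "192.0.2.10", 22, 14 + k % 3, 2.0))
    # Phase 3: a successful login followed by a long interactive session.
    flows.append(Flow(140.0, attacker, "192.0.2.10", 22, 240, 600.0))
    # A second attacker brute-forces 192.0.2.30 without success.
    for k in range(15):
        flows.append(Flow(200.0 + 3 * k, "198.51.100.9", "192.0.2.30", 22, 16, 2.0))
    # A benign admin: a single long SSH session, no scan, no attempts.
    flows.append(Flow(50.0, "192.0.2.200", "192.0.2.20", 22, 500, 1800.0))
    # Unrelated HTTPS traffic is ignored by the detector.
    flows.append(Flow(60.0, "192.0.2.200", "198.51.100.80", 443, 300, 20.0))
    return flows


if __name__ == "__main__":
    for src, result in detect(constructed_flows()).items():
        print(src, result)
```

On the constructed records the first source is reported with a 30-host scan, brute force against 192.0.2.10 and a compromise of that host; the second source is reported for brute force only; the administrator's single long session is not flagged because it is never preceded by a run of attempt-sized flows. In practice the packets-per-flow band for one failed attempt depends on the SSH implementation and key-exchange settings on the target, so thresholds like these have to be calibrated per network, and a tool that stops immediately after a successful login leaves no large session flow, which is an extra signal worth watching for.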

The entire study can be found at the University of Twente.
