Defending against Probe-Response Attacks

2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM) Pub Date : 2017-05-08 DOI:10.23919/INM.2017.7987436

Emmanouil Vasilomanolakis, Noorulla Sharief, M. Mühlhäuser

{"title":"Defending against Probe-Response Attacks","authors":"Emmanouil Vasilomanolakis, Noorulla Sharief, M. Mühlhäuser","doi":"10.23919/INM.2017.7987436","DOIUrl":null,"url":null,"abstract":"With the increase in the sophistication of cyberattacks, collaborative defensive approaches such as Collaborative IDSs (CIDSs) have emerged. CIDSs utilize a multitude of heterogeneous monitors to create a holistic picture of the monitored network. Nowadays, a number of research institutes and companies deploy CIDSs that publish their alert data publicly, over the Internet. Such systems are important for researchers and security administrators as they provide a source of real-world alert data for experimentation. However, a class of attacks exist, called Probe-Response Attacks (PRAs), which can significantly reduce the benefits of a CIDS. In particular, such attacks allow an adversary to detect the network location of the monitors of a CIDS. In this paper, we first study the related work and analyze the various mitigation techniques for defending against PRAs. Subsequently, we propose a novel mitigation mechanism that improves the state of the art. Our method, namely the Shuffle-based PRA Mitigation (SPM), is based on the idea of shuffling the watermarks, so-called markers, which the adversary requires to successfully perform a PRA. By doing so the whole process of the attack is disrupted leading to a very small number of identified monitors. Our experimental results suggest that our proposed method significantly reduces the impact of a PRA whilst it does not introduce a trade-off for the usability of the data produced by the CIDS.","PeriodicalId":119633,"journal":{"name":"2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)","volume":"45 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-05-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.23919/INM.2017.7987436","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

Abstract

With the increase in the sophistication of cyberattacks, collaborative defensive approaches such as Collaborative IDSs (CIDSs) have emerged. CIDSs utilize a multitude of heterogeneous monitors to create a holistic picture of the monitored network. Nowadays, a number of research institutes and companies deploy CIDSs that publish their alert data publicly, over the Internet. Such systems are important for researchers and security administrators as they provide a source of real-world alert data for experimentation. However, a class of attacks exist, called Probe-Response Attacks (PRAs), which can significantly reduce the benefits of a CIDS. In particular, such attacks allow an adversary to detect the network location of the monitors of a CIDS. In this paper, we first study the related work and analyze the various mitigation techniques for defending against PRAs. Subsequently, we propose a novel mitigation mechanism that improves the state of the art. Our method, namely the Shuffle-based PRA Mitigation (SPM), is based on the idea of shuffling the watermarks, so-called markers, which the adversary requires to successfully perform a PRA. By doing so the whole process of the attack is disrupted leading to a very small number of identified monitors. Our experimental results suggest that our proposed method significantly reduces the impact of a PRA whilst it does not introduce a trade-off for the usability of the data produced by the CIDS.

查看原文本刊更多论文

防范探测-响应攻击

随着网络攻击的日益复杂，协同防御方法如协同入侵防御系统(CIDSs)已经出现。cids利用大量异构监视器来创建被监视网络的整体图像。如今，许多研究机构和公司部署了通过Internet公开发布警报数据的cids。这样的系统对研究人员和安全管理员很重要，因为它们为实验提供了真实世界警报数据的来源。然而，存在一类称为探测-响应攻击(Probe-Response attacks, PRAs)的攻击，它们会大大降低CIDS的好处。特别是，这种攻击允许攻击者检测CIDS监视器的网络位置。在本文中，我们首先研究了相关工作，并分析了防御pra的各种缓解技术。随后，我们提出了一种新的缓解机制，以改善目前的现状。我们的方法，即基于Shuffle-based PRA Mitigation (SPM)，是基于对水印(即所谓的标记)进行洗牌的思想，攻击者需要这些水印才能成功执行PRA。这样一来，整个攻击过程就被打乱了，只发现了极少数已查明的监测员。我们的实验结果表明，我们提出的方法显着降低了PRA的影响，同时它没有引入对CIDS产生的数据可用性的权衡。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)

自引率

0.00%

发文量