Results 1 - 10 of 17
An analysis of Internet chat systems
In IMC ’03: Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement, 2003
Cited by 47 (1 self)
In our quest to better understand network traffic dynamics, we examine Internet chat systems. Although chat as an application does not contribute huge amounts of traffic, chat systems are known to be habit-forming. This implies that catering to such users can be a promising way of attracting them, especially in low bandwidth environments such as wireless networks.
Ubiquitous and Robust Authentication Services for Ad Hoc Wireless Networks
2000
Cited by 38 (4 self)
Providing security support for large ad hoc wireless networks is challenging due to their unique characteristics, such as mobility, channel errors, dynamic node joins and leaves, and occasional node break-ins. In this report, we exploit these characteristics and present our design that supports ubiquitous security for mobile nodes, scales to network size, and is robust against adversary break-ins. In our design, we distribute the functionality of conventional security servers, specifically the authentication services, so that each individual node can potentially provide other nodes certification services. Centralized management is minimized and the nodes in the network collaboratively self-secure themselves. We propose a suite of fully distributed and localized protocols that facilitate practical deployment. Our protocols also feature communication efficiency to conserve the wireless channel bandwidth, and independence from both the underlying transport layer protocols and the network layer routing protocols.
Web tap: Detecting covert web traffic
In Proceedings of the 11th ACM Conference on Computer and Communication Security, 2004
Cited by 26 (2 self)
As network security is a growing concern, system administrators lock down their networks by closing inbound ports and only allowing outbound communication over selected protocols such as HTTP. Hackers, in turn, are forced to find ways to communicate with compromised workstations by tunneling through web requests. While several tools attempt to analyze inbound traffic for denial-of-service and other attacks on web servers, Web Tap’s focus is on detecting attempts to send significant amounts of information out via HTTP tunnels to rogue Web servers from within an otherwise firewalled network. A related goal of Web Tap is to help detect spyware programs, which often send out personal data to servers using HTTP transactions and may open up security holes in the network. Based on the analysis of HTTP traffic over a training period, we designed filters to help detect anomalies in outbound HTTP traffic using metrics such as request regularity, bandwidth usage, interrequest delay time, and transaction size. Subsequently, Web Tap was evaluated on several available HTTP covert tunneling programs as well as a test backdoor program, which creates a remote shell from outside the network to a protected machine using only outbound HTTP transactions. Web Tap’s filters detected all the tunneling programs tested after modest use. Web Tap also analyzed the activity of approximately thirty faculty and students who agreed to use it as a proxy server over a 40 day period. It successfully detected a significant number of spyware and adware programs. This paper presents the design of Web Tap, results from its evaluation, as well as potential limits to Web Tap’s capabilities.
Secure coprocessor-based intrusion detection
In Proceedings of the Tenth ACM SIGOPS European Workshop, 2002
Enhancing Network Intrusion Detection With Integrated Sampling and Filtering
In submission, 2006
Cited by 7 (0 self)
The structure of many standalone network intrusion detection systems (NIDSs) centers around a chain of analysis that begins with packets captured by a packet filter, where the filter describes the protocols (TCP/UDP port numbers) and sometimes hosts or subnets to include or exclude from the analysis. In this work we argue for augmenting such analysis with an additional, separately filtered stream of packets. This “Secondary Path” supplements the “Main Path” by integrating sampling and richer forms of filtering into a NIDS’s analysis. We discuss an implementation of a secondary path for the Bro intrusion detection system and enhancements we developed to the Berkeley Packet Filter to work in concert with the secondary path. Such an additional packet stream provides benefits in terms of both efficiency and ease of expression, which we illustrate by applying it to three forms of NIDS analysis: tracking very large individual connections, finding “heavy hitter” traffic streams, and implementing backdoor detectors (developed in previous work) with particular ease.
A Flow Based Approach for SSH Traffic Detection
Cited by 4 (2 self)
The basic objective of this work is to assess the utility of two supervised learning algorithms, AdaBoost and RIPPER, for classifying SSH traffic from log files without using features such as payload, IP addresses and source/destination ports. Pre-processing is applied to the traffic data to express it as traffic flows. Results of 10-fold cross validation for each learning algorithm indicate that a detection rate of 99% and a false positive rate of 0.7% can be achieved using RIPPER. Moreover, promising preliminary results were obtained when RIPPER was employed to identify which service was running over SSH. Thus, it is possible to detect SSH traffic with high accuracy without using features such as payload, IP addresses and source/destination ports, which is a particularly useful characteristic when generic, scalable solutions are required.
Towards better protocol identification using profile HMMs, JHU
2005
Cited by 3 (0 self)
We present improved techniques for the identification of unknown TCP connections in wide-area Internet traffic using Profile Hidden Markov Models. Specifically, we built mixture models using a k-means clustering approach to find component behavior patterns in the traffic traces. These mixture models allow us to better recognize protocols that tend to exhibit more than one characteristic behavioral pattern. Moreover, our models use only those features that remain intact after encryption, namely packet sizes and inter-arrival times. Using a vector quantization approach to combine these features in a single model, we show how to substantially increase recognition accuracy over prior work — in some cases well over 30 percent.
Detecting HTTP Tunneling Activities
In 2002 IEEE Workshop on Information Assurance, United States Military Academy, West Point, NY: IEEE, 2002
Cited by 2 (1 self)
In this paper we present a novel intrusion detection system which makes use of behavior profiles to identify HyperText Transfer Protocol (HTTP) tunneling activities. Behavior profiles correspond to inherent attributes of application network sessions. Our system evaluates network behaviors at two different levels: a local multi-packet level and a session level. When suspicious behavior is detected, a verification module performs a detailed analysis of the corresponding session data. Currently, our system detects both malicious and unauthorized HTTP tunneling activities. Our experimental results show the effectiveness of our system and demonstrate the validity of using packet features for anomaly detection.
Analysis of the Feasibility of Keystroke Timing Attacks Over SSH Connections
2001
Cited by 2 (0 self)
A Chipset Level Network Backdoor: Bypassing Host-Based Firewall & IDS
Cited by 1 (0 self)
Chipsets refer to a set of specialized chips on a computer's motherboard or an expansion card [12]. In this paper we present a proof of concept chipset level rootkit/network backdoor. It interacts directly with network interface card hardware based on a widely deployed Intel chipset 8255x, and we tested it successfully on two different Ethernet cards with this chipset. The network backdoor has the ability to both covertly send out packets and receive packets, without the need to disable security software installed in the compromised host in order to hide its presence. Because of its low-level position in a computer system, the backdoor is capable of bypassing virtually all commodity firewall and host-based intrusion detection software, including popular, widely deployed applications like Snort and Zone Alarm Security Suite. Such network backdoors, while complicated and hardware specific, are likely to become serious threats in high profile attacks like corporate espionage or cyber terrorist attacks.

