John Haggerty
Liverpool John Moores University
Publication
Featured research published by John Haggerty.
Global Communications Conference | 2004
John Haggerty; Tom Berry; Qi Shi; Madjid Merabti
This paper presents the distributed denial-of-service detection mechanism (DiDDeM) system for early detection of denial-of-service attacks. The design requirements of the system are posited to demonstrate the requirements for an early detection system. An overview of the system is presented to show how these requirements are met. DiDDeM provides a two-tier detection approach. First, pre-filters (PFs) filter traffic for possible attacks. This is achieved through the application of both stateful and stateless signatures utilising routing congestion algorithms. Second, command and control (C²) servers provide intra- and inter-domain co-operation and response to contain an attack within the routing infrastructure. The results for stateful and stateless signature detection of TCP SYN flood attacks are presented.
IEEE Journal on Selected Areas in Communications | 2005
John Haggerty; Qi Shi; Madjid Merabti
A major threat to the information economy is denial-of-service (DoS) attacks. These attacks are highly prevalent despite the widespread deployment of perimeter-based countermeasures. Therefore, more effective approaches are required to counter the threat. This requirement has motivated us to propose a novel, distributed, and scalable mechanism for effective early detection and prevention of DoS attacks at the router level within a network infrastructure. This paper presents the design details of the new mechanism. Specifically, this paper shows how the mechanism combines both stateful and stateless signatures to provide early detection of DoS attacks and, therefore, protect the enterprise network. More importantly, this paper discusses how a domain-based approach to an attack response is used by the mechanism to block attack traffic. This novel approach enables the blockage of an attack to be gradually propagated only through affected domains toward the attack sources. As a result, the attack is eventually confined within its source domains, thus avoiding wasteful attack traffic overloading the network infrastructure. This approach also provides a natural way of tracing back the attack sources, without requiring the use of specific trace-back techniques and additional resources for their implementation.
Information Security Conference | 2007
John Haggerty; Mark John Taylor
Computer forensics is emerging as an important tool in the fight against crime. Increasingly, computers are being used to facilitate new criminal activity, or used in the commission of existing crimes. The networked world has seen increases in, and the volume of, information that may be shared amongst hosts. This has given rise to major concerns over paedophile activity, and in particular the spread of multimedia files amongst this community. This paper presents a novel scheme for the automated analysis of storage media for digital pictures or files of interest using forensic signatures. The scheme first identifies potential multimedia files of interest and then compares the data to file signatures to ascertain whether a malicious file is resident on the computer. A case study of the forsigs application presented within this paper demonstrates the applicability of the approach for identification and retrieval of malicious multimedia files.
Computer Fraud & Security | 2006
John Haggerty; Mark John Taylor
Many organizations now have an IT security strategy in place covering the management of IT security facilities and activities within the organization. Computer forensics has previously been an activity limited mainly within the bounds of law enforcement agencies. However, commercial organizations are increasingly making use of computer forensics in areas such as fraud, money laundering, the accessing or distribution of pornography, or harassment. In this article we outline a framework for the management of computer forensic facilities and activities within a corporate setting.
Advanced Information Networking and Applications | 2007
Sudath Indrasinghe; Rubem Pereira; John Haggerty
A mobile ad-hoc network (MANET) can be implemented anywhere where there is little or no communication infrastructure, or the existing infrastructure is inconvenient to use. A number of people with mobile devices may connect together to form one large group. Later on, they may split into smaller separate groups and partitions may merge if necessary. Network partitions and merges are potentially frequent occurrences in MANETs, hence address auto-configuration is an important requirement. In this paper we present a mechanism for address auto-configuration in MANETs, which is capable of assigning conflict-free addresses in a dynamic and distributed manner. Also we propose novel mechanisms to address MANET partition and merging.
Annual Computer Security Applications Conference | 2002
John Haggerty; Qi Shi; Madjid Merabti
The threat to organisations from network attacks is very real. Current countermeasures to denial of service (DoS) attacks rely on the perimeter model of network security. However, as the case study and analysis in this paper make apparent, the perimeter model, which relies on firewalls and intrusion detection systems, is unable to provide an effective defence against DoS attacks. Therefore, there is a need for a new approach; one that identifies an attack beyond the perimeter. We present such an approach. We achieve early detection of DoS attacks by the identification of traffic signatures which indicate that an attack is underway. As these signatures can be identified outside the perimeter, appropriate measures can be taken to prevent the attack from succeeding. We use examples of DoS attacks and a case study to demonstrate the applicability of our approach.
2008 Third International Annual Workshop on Digital Forensics and Incident Analysis | 2008
John Haggerty; Mark John Taylor; David Gresty
Investigating cases of e-mail misuse within an organization (e.g. sexist / racist content, offensive material, etc.) to determine culpability can be a complex process. Such investigations are less likely to result in a formal prosecution, but are more likely to end in disciplinary action. In a criminal investigation, the evidence is collected, analyzed and then presented to the court. In an internal corporate forensics investigation, management must not only assess evidence to determine culpability, but must also determine appropriate levels of corporate discipline to be applied. These range from informal verbal warnings through formal verbal and written warnings, to suspension or termination of employment. Such a process may often be conducted by management who have no experience of the investigatory process. The social network analysis approach presented in this paper can be used not only to analyze and appreciate what can be a complex sequence of events involved in e-mail misuse, but also to determine levels of culpability.
Information Security Conference | 2005
John Haggerty; Qi Shi; Madjid Merabti
A major threat to the information economy is denial-of-service attacks. Despite the widespread deployment of perimeter model countermeasures these attacks are highly prevalent. Therefore a new approach is posited; early detection. This paper posits an approach that utilises statistical signatures at the router to provide early detection of flooding denial-of-service attacks. The advantages of the approach presented in this paper are threefold: analysing fewer packets reduces computational load on the defence mechanism; no state information is required about the systems under protection; and alerts may span many attack packets. Thus, the defence mechanism may be placed within the routing infrastructure to prevent malicious packets from reaching their intended victim in the first place. This paper presents an overview of the early detection-enabled router algorithm and case study results.
Advanced Information Networking and Applications | 2008
Sudath Indrasinghe; Rubem Pereira; John Haggerty
A mobile ad-hoc network (MANET) is a group of mobile hosts communicating with each other via wireless links without infrastructure. Dynamic and distributed network operations are desirable for deploying MANETs due to host mobility. Many schemes have been proposed for address generation and configuration but these are without their problems. In this paper we evaluate the mechanisms of our conflict free address configuration protocol in comparison to other existing MANET auto configuration protocols. Also, we present the main distributed algorithm for new host address configuration and MANETs merging. Finally, we evaluate the protocol to demonstrate the applicability of the approach.
Archive | 2006
John Haggerty; Qi Shi; Paul Fergus; Madjid Merabti
Networks are a fundamental technology for users and businesses alike. In order to achieve security in ever-increasing distributed environments, recent advances in intrusion detection have led to the development of distributed intrusion detection systems (DIDS). A key concern in these systems is that inter-component communication of data regarding potential network intrusions must be authenticated. Thus, a level of trust is maintained within the distributed system that data has not been altered by a malicious intruder. This paper presents a novel scheme that provides security in the transmission of data between DIDS components. A key consideration in the provision of this security is that of the computational and network overhead that this data transfer incurs. Therefore, this paper presents a scheme that ensures the high level of trust required within DIDS, and as demonstrated by a case study, with minimal computational or network impact.