Publications

Featured research published by Robert Koch.


IEEE Communications Magazine | 2014

Behavior-based intrusion detection in encrypted environments

Robert Koch; Mario Golling; Gabi Dreo Rodosek

In recent years the Internet has evolved into a critical communication infrastructure that is omnipresent in almost all aspects of our daily life. This dependence of modern societies on the Internet has also resulted in more criminals using the Internet for their purposes, causing a steady increase of attacks, both in terms of quantity as well as quality. Although research on the detection of attacks has been performed for several decades, today's systems are not able to cope with modern attack vectors. One of the reasons is the increasing use of encrypted communication that strongly limits the detection of malicious activities. While encryption provides a number of significant advantages for the end user like, for example, an increased level of privacy, many classical approaches of intrusion detection fail. Since it is typically not possible to decrypt the traffic, performing analysis w.r.t. the presence of certain patterns is almost impossible. To overcome this shortcoming we present a new behavior-based detection architecture that uses similarity measurements to detect intrusions as well as insider activities like data exfiltration in encrypted environments.


Network and System Security | 2010

Command Evaluation in Encrypted Remote Sessions

Robert Koch; Gabi Dreo Rodosek

Intrusion Detection Systems (IDS) are integral components for the detection of malicious code and attacks. Detection methods can be differentiated in signature-based and anomaly-based systems. While the former ones search for well-known patterns which are available in a database, the latter ones build a model of the normal behavior of a network and later on attacks can be detected by measuring significant deviation of the network status against the normal behavior described by the model. Often this requires the availability of the payload of the network packets. If encryption protocols like SSL or SSH are used, searching for attack signatures in the payload is not possible any longer and also the usage of behavior based techniques is limited: Statistical methods like flow evaluation can be used for anomaly detection, but application level attacks hidden in the encrypted traffic can be undetectable. At the moment, only a few systems are designed to cope with encrypted network traffic. Even so, none of these systems can be easily deployed in general because of the need for protocol modifications, special infrastructures or because of high false alarm rates which are not acceptable in a production environment. In this paper, we propose a new IDS for encrypted traffic which identifies command sequences in encrypted network traffic and evaluates the attack possibility of them. The encrypted traffic is clustered and possibilities for different commands are calculated. Based on that, command sequences are analysed. The system evaluates probabilities for commands and command sequences and the likeliness for an attack based on the identified sequences without a decryption of the packets. Because of only using statistical data gathered from the network traffic, the system can be deployed in general. The current prototype of the system focuses on the command evaluation.


International Conference on Cyber Conflict | 2014

Towards multi-layered intrusion detection in high-speed networks

Mario Golling; Rick Hofstede; Robert Koch

Traditional Intrusion Detection approaches rely on the inspection of individual packets, often referred to as Deep Packet Inspection (DPI), where individual packets are scanned for suspicious patterns. However, the rapid increase of link speeds and throughputs - especially in larger networks such as backbone networks - seriously constrains this approach. First, devices capable of detecting intrusions on high-speed links of 10 Gbps and higher are rather expensive, or must be built based on complex arrays. Second, legislation commonly restricts the way in which backbone network operators can analyse the data in their networks. To overcome these constraints, flow-based intrusion detection can be applied, which traditionally focuses only on packet header fields and packet characteristics. Flow export technologies are nowadays embedded in most high-end packet forwarding devices and are widely used for network management, which makes this approach economically attractive.


Journal of Communication and Computer (Chinese-English Edition) | 2013

Geolocation and Verification of IP-Addresses with Specific Focus on IPv6

Robert Koch; Mario Golling; Gabi Dreo Rodosek

Geolocation, the mapping of a network entity to its geographical position, is used frequently in today's internet. New location-aware applications like e-commerce, web site content and advertisements are just some examples of what has appeared over the last couple of years. Regarding network security, Geolocation also has a significant impact, since it offers possibilities for advanced network security (e.g., including sophisticated geo-based attack correlation/classification). However, determining the physical position of a network entity is challenging, as there is no inherent relationship between an IP address and its geographical location. In addition, with the introduction of IPv6, the address space is enhanced by a factor of 2^96, making the process far more complex in comparison to IPv4. Although numerous techniques for Geolocation exist, each strategy is subject to certain restrictions. Therefore, this publication illustrates and evaluates different approaches of Geolocation. Furthermore, strategies to obtain additional information related to the location of IP addresses are examined. After considering procedures how to verify the achieved data and following the ideas of Endo et al., we are designing an architecture for a combination of different methods for optimized Geolocation. Finally we introduce and evaluate our Proof of Concept called geolabel, a tool capable of mapping IPv4 as well as IPv6 addresses to certain geographical locations on a country level.


IEEE International Conference on Technologies for Homeland Security | 2010

Towards integrity measurement in virtualized environments — A hypervisor based sensory integrity measurement architecture (SIMA)

Björn Stelte; Robert Koch; Markus Ullmann

Today, the security of virtualization is based on the isolation properties provided by the hypervisor. This security-by-isolation concept depends on the high integrity of each virtual system as well as a trustworthy host system. Erroneous implementation or conceptional failure limits this isolation mechanism. Today the strength of the isolation can only be guaranteed after a boot operation. Missing is a permanent surveillance of the separation mechanisms during the system operation. That is the main subject of our proposal. We suggest the integration of a sensory integrity measurement architecture (SIMA) for this purpose. SIMA consists of trusted virtual sensors and an analyzing sink to monitor the integrity of the system permanently during operation.


Recent Advances in Intrusion Detection | 2010

Security System for Encrypted Environments (S2E2)

Robert Koch; Gabi Dreo Rodosek

The percentage of encrypted network traffic increases steadily not only by virtual private networks of companies but also by protocols like SSH or SSL in the private sector. Traditional intrusion detection systems (IDS) are not able to cope with encrypted traffic. There are a few systems which are able to handle encrypted lines but none of them is applicable in general because of changed network protocols, a restricted application range (e.g., only able to find protocol-specific attacks) or very high false alarm rates. We propose a new IDS for nonintrusive, behavior-based intrusion and extrusion detection in encrypted environments.


Computer and Information Science | 2014

A Revised Attack Taxonomy for a New Generation of Smart Attacks

Robert Koch; Mario Golling; Gabi Dreo Rodosek

The last years have seen an unprecedented amount of attacks. Intrusions on IT-Systems are rising constantly - both from a quantitative as well as a qualitative point of view. Well-known examples like the hack of the Sony PlayStation Network or the compromise of RSA are just some samples of high-quality attack vectors. Since these Smart Attacks are specifically designed to permeate state-of-the-art technologies, current systems like Intrusion Detection Systems (IDSs) are failing to guarantee an adequate protection. In order to improve the protection, a comprehensive analysis of Smart Attacks needs to be performed to provide a basis against emerging threats. Following these ideas and inspired by the original definition of the term Advanced Persistent Threat (APT) given by the U.S. Department of Defense, this publication starts with defining the terms, primarily the group of Smart Attacks. Thereafter, individual facets of Smart Attacks are presented in more detail, before recent examples are illustrated and classified using these dimensions. Next to this, current taxonomies are presented including their individual shortcomings. Our revised taxonomy is introduced, specifically addressing the latest generation of Smart Attacks. The different classes of our taxonomy are discussed, showing how to address the specifics of sophisticated, modern attacks. Finally, some ideas of addressing Smart Attacks are presented.


Conference on Network and Service Management | 2010

User identification in encrypted network communications

Robert Koch; Gabi Dreo Rodosek

Encrypting network traffic is a normal procedure to protect information for exchange. This prevents tapping and manipulation but it also hampers intrusion as well as data leakage and misuse detection. Obtaining knowledge about users of encrypted communications is, however, beneficial in terms of monitoring access, security and accounting reasons. Thus, the objective is to provide evidence of the source of actions, especially to detect insiders and illegal connections, without the necessity of decrypting the network traffic. We propose a novel architecture to identify users of encrypted traffic in a network environment of a company. It is based on statistical evaluation of monitored network packets. The proposed approach utilizes and combines two main aspects, the mode of operation of remote sessions and the keystroke dynamics of users. Aspects such as capturing and clustering network traffic, generating user profiles and patterns, and statistical analysis are part of the architecture.


Network and System Security | 2011

Data control in social networks

Robert Koch; Dominik Holzapfel; Gabi Dreo Rodosek

Social networks have been very popular for several years and are one of the most important communication channels in the Internet today. Facebook and Twitter are well-known examples. According to a study of the Nielsen Company, communication on social networks has already overtaken the use of email. Numerous users are releasing a lot of private information and details about their daily habits and lifestyle, trusting the correct treatment and protection of their data as appointed in the terms of usage. Furthermore, not only private communication but also, in the commercial environment, advertising and business contacts are done via social networks and are increasingly important. On the other side, headlines of data leakage are appearing day-to-day. Also, the creation of user profiles or disposition of posted messages is an upcoming and fast evolving threat. The use of protected connections like TLS is not enough, because the data itself presented on the servers of the social networks is not secured. Yet, there is no solution for ensuring the confidentiality of the user data stored on a public server and accessible for a specific user group on the one side and being fully transparent and without any server-side requirements for the protection on the other side. Therefore, new concepts are necessary to enable the users to protect their own information by themselves without the need for cooperation of the service provider. We propose a new concept for securing shared information on public servers in a transparent manner. A first prototype for the Firefox browser and the social network Facebook was built and tested very successfully. It has a modular design and therefore it is easy to include new websites or cryptographic modules. The mode of operation is transparent for the user and very easy to use. By the use of our encryption concept, the user can control the distribution of her data in an easy and effective way.


Autonomous Infrastructure Management and Security | 2009

Fast Learning Neural Network Intrusion Detection System

Robert Koch; Gabi Dreo

Assuring the security of networks is an increasingly challenging task. The number of online services and the migration of traditional services like stock trading and online payments to the Internet is still rising. On the other side, criminals are attracted by the values of business data, money transfers, etc. Therefore, safeguarding the network infrastructure is essential. As Intrusion Detection Systems (IDS) have been the focus of numerous research efforts in the last years, several sophisticated solutions have been found. Very capable IDS are based on neural networks. However, these systems lack adaptability to dynamically changing environments or require a protracted learning phase before they are operational. The approach is to overcome these restrictions by introducing a modular neural network based on pre-processed components supplemented by static policies. By that, it is possible to overcome long-lasting learning phases.

Collaboration

Top co-authors of Robert Koch:

Mario Golling (Helmut Schmidt University)
Peter Hillmann (Bundeswehr University Munich)
Daphne Tuncer (University College London)
Michael Kretzschmar (Bundeswehr University Munich)