On the Detection and Origin Identification of Slow-Paced Attacks in Forensic Investigation

Doctoral dissertation === National Taiwan University === Graduate Institute of Electrical Engineering === 101 === A slow-paced attack, such as a slow worm or bot, can remain undetectable indefinitely by slowing down the pace of its movement. Detecting slow attacks with traditional anomaly detection techniques may yield high false alarm rates. Moreover, the long lifespan...

Full description

Bibliographic Details
Main Authors: Li-Ming Chen, 陳力銘
Other Authors: Wanjiun Liao
Format: Others
Language: en_US
Published: 2013
Online Access: http://ndltd.ncl.edu.tw/handle/34688492506716645515
Chinese title: 鑑識分析之針對慢速攻擊之偵測與來源鑑定 (Detection and Origin Identification of Slow-Paced Attacks in Forensic Analysis)
Author: Li-Ming Chen (陳力銘)
Advisor: Wanjiun Liao (廖婉君)
Degree: Doctoral dissertation (學位論文 / thesis), National Taiwan University, Graduate Institute of Electrical Engineering, academic year 101; 85 pages; 2013; language en_US

Abstract: A slow-paced attack, such as a slow worm or bot, can remain undetectable indefinitely by slowing down the pace of its movement. Detecting slow attacks with traditional anomaly detection techniques may yield high false alarm rates. Moreover, the long lifespan of a slow-paced attack also challenges the forensic investigation, because it is hard to obtain a high-quality dataset for the analysis. In this dissertation, we study the detection and forensics problems of slow-paced attacks from the perspective of temporal and spatial analysis of network activities. We first discuss the problem and feasibility of backtracking the origin of a self-propagating stealth attack, given a network traffic trace covering a sufficiently long period of time. We propose a network forensics mechanism that is scalable in computation time and space while maintaining high accuracy in identifying the attack origin. We further develop a contact-based data reduction method that filters out attack-irrelevant data and retains only evidence relevant to potential attacks for a postmortem investigation. Using real-world trace-driven experiments, we evaluate the performance of the proposed mechanism and show that it can trim away up to 97% of attack-irrelevant network traffic and still successfully identify the attack origin. For the forensics, we track the outbound connections of hosts using a time series. Our assumption is that since attacks are usually controlled by pre-programmed code, their behavior exhibits regularity. Although the correlation among a slow attack's connections is temporally weak, the regularity of these connections remains preserved in the time series.
Accordingly, we focus on time series spectrum analysis and propose a detection method that identifies peculiar spectral patterns representing the occurrence of a recurring and persistent activity in the time domain. We use both synthesized and real-world traffic to evaluate our method. The results show that our method is efficient and effective in detecting slow-paced persistent activities even in a noisy environment with legitimate traffic. Future attacks are anticipated to be more sophisticated and stealthy in order to evade intrusion detection techniques, which aggravates the security risks. In this dissertation, we try to understand and defend against the potential threat of a slow-paced stealthy attack from the perspective of malware detection and forensics. We find that although the attack behavior blends in with a huge volume of legitimate events, we can still identify evidence of the attack and enhance the security of the monitored network environment.