Communications Research Centre Canada

Publication Abstracts

Conference Papers

Frédéric Massicotte, Mathieu Couture, Annie De Montigny-Leboeuf, "Using a VMware Network Infrastructure to Collect Traffic Traces for Intrusion Detection Evaluation", 21st Annual Computer Security Applications Conference, Tucson, Arizona, December 2005.

Abstract— Since the DARPA Intrusion Detection Evaluation Data Set was made available in 1998, and then updated in 1999 and 2000, it seems that no other significant freely available data sets have been provided to allow benchmarking of Intrusion Detection Systems (IDS). Even though those traffic traces are still used by the security research community, they have not been updated since. The absence of additional data is mainly due to how cumbersome the task is. To address those issues and facilitate certain aspects of this task, we developed a strategy to rapidly generate and collect a large number of attack traffic traces for intrusion detection system testing and evaluation. In this paper, we present a controlled network infrastructure developed at CRC that allows us to generate attack traffic traces.

Frédéric Massicotte, Mathieu Couture, Lionel Briand, Yvan Labiche, "Context-Based Intrusion Detection Using Snort, Nessus and Bugtraq Databases", 3rd Annual Conference on Privacy, Security and Trust, Fredericton, New Brunswick, Canada, October 2005.

Abstract— Intrusion Detection Systems (IDS) use different techniques to reduce the number of false positives they generate. Simple network context information such as the communication session state has been added in IDS signatures to only raise alarms in the proper context. However, this is often not sufficient and more network context information needs to be added to these Stateful IDS (SIDS) signatures to reduce the number of false positives. IDS are also used with other network monitoring systems such as Vulnerability Detection Systems (VDS) and vulnerability databases in centralized correlation systems to determine the importance of an alarm. The correlation mechanism relies on the accuracy of a standardized relationship between IDS signatures, VDS signatures and the vulnerability databases. In this paper, we study the strength of the relationships between Snort signatures, Nessus scripts and the Bugtraq vulnerability database, as well as their potential for information correlation and for deriving network context that could be incorporated in intrusion detection signatures.

Mathieu Couture, Béchir Ktari, Frédéric Massicotte, Mohamed Mejri, "A Declarative Approach to Stateful Intrusion Detection and Network Monitoring", 2nd Annual Conference on Privacy, Security and Trust, Fredericton, New Brunswick, Canada, October 2004.

Abstract— In this paper we present a new approach to stateful intrusion detection. It is based on a temporal logic which has the capability to express temporary properties, which are properties lying between events. The detection of those events can in turn depend on other temporary properties. The aim of this logic is to model knowledge gathering. It is basically propositional logic, to which we have added a single temporal operator, which makes it possible to define the limits of temporary properties.

Mathieu Couture, Béchir Ktari, Frédéric Massicotte, Mohamed Mejri, "Détection d'intrusion et acquisition passive d'information", 3rd Conference on Security and Network Architectures, La Londe, Côte d'Azur, France, June 2004.

Abstract— Real-time network intrusion detection systems based on rule sets, such as Snort, are effective at recognizing attacks that are detectable within a single packet. However, the language expressing the signatures is sometimes not well adapted to attack scenarios involving multiple packets, such as denial of service attacks. In this paper, we describe a method for extending Snort's signature language in order to express complex attack scenarios. The proposed enhancement makes it possible to express, in a simple manner, what would otherwise require programming (e.g. programming of Snort pre-processors). The language may also be used to passively collect information about the network components. Operating system fingerprinting techniques are examples of information gathering mechanisms that can be implemented with this language. Moreover, the language could be used as a low-level language for specifying security policies regarding network usage and component configuration.

Annie De Montigny-Leboeuf, Frédéric Massicotte, "Passive Network Discovery for Real Time Situation Awareness", NATO/RTO Adaptive Defence in Unclassified Networks, Toulouse France, April 2004.

Abstract— Network security analysts are confronted with numerous ambiguities when interpreting alerts produced by security devices. Even with the increased accuracy of these tools, analysts still have to sort through a tremendous number of potential security events in order to maintain the desired level of assurance. This paper describes how passive network discovery and persistent monitoring can provide significant contextual information valuable to network security professionals responsible for protecting the network. Techniques discussed include the capability to discover active nodes, their operating systems, the role they carry out, their system uptime, the services they offer, the protocols they support, and their IP network configuration. An attractive feature of this approach is that it focuses on mechanisms that do not rely on access to user data. While this is rarely a concern for the intruder, it can be of the utmost importance to the security analyst. One of the main interests in using a passive approach is that the information gathering process has no impact on the bandwidth or on the monitored assets. This is in contrast with active scanning techniques that are often noisy and intrusive. Passive techniques can be used at all times, allowing near real-time awareness of the security posture of ever-changing networks, and thus helping network administrators remain in control and anticipate upcoming security problems. A network monitoring prototype has been developed to test the techniques described in this paper.

F. Massicotte, T. Whalen and C. Bilodeau, "Network Mapping Tool for Real-Time Security Analysis", NATO/RTO Symposium on Real-time Intrusion Detection, Lisbon, Portugal, May 2002.

Abstract— This paper introduces a prototype network mapping tool that can be used along with intrusion detection systems to provide, in real-time, a comprehensive picture of network topology. This software tool can generate descriptions for both physical and logical connectivity of network components. It also provides positive identification of the operating systems running on the networked machines, as well as state and configuration information about the hosts and their connectivity. The mapping of a network is performed by following a series of automated steps that use a number of elements to query network components: built-in networking protocols (ICMP, ARP, NetBIOS, DNS), standardized management protocols (SNMP), freely-available mapping tools (nmap, Xprobe), and a number of CRC-developed intelligence databases and programs for analysing the results returned from queries. The artificial intelligence component takes a set of possible paths and creates a full network map. A network monitoring component updates a database of connections between machines and displays current and past communications links on a graphical interface. It is also able to determine when a new machine has been added to the network, which is a vital part of updating the network map. Integrating these information-gathering tools makes network mapping highly accurate and up-to-date, allowing for real-time analysis of attacks and changes in topology.

Annie De Montigny-Leboeuf, Tim Symchych, "Network Traffic Flow Analysis", in Proceedings of the Canadian Conference on Electrical and Computer Engineering 2006 (CCECE06), pp. 639-642, Ottawa, May 2006.

Abstract— Thousands of diverse applications and services flow daily over networks used by governments, industry, and private users. Attacks can be hidden within these information flows by disguising malicious network traffic to appear legitimate. Generally, TCP or UDP based protocols can be mapped to specific network services. However, intruders hide unauthorized activity by using non-standard protocols, or standard protocols in non-standard ways, to avoid detection. This paper describes current work and future directions that the Network Security Research Group at the Communication Research Centre (CRC) will take to identify flows of information that disguise attacks. Research challenges include uncovering unauthorized activities in high-speed, high-volume network links and within protocols that are intended to obscure the details of the information carried.

Annie De Montigny-Leboeuf, Mathieu Couture, and Frederic Massicotte, "Traffic Behaviour Characterization Using NetMate" (poster), in Proceedings of RAID 2009, LNCS 5758, pp. 367-368, September 2009. © Springer-Verlag Berlin Heidelberg 2009.

Abstract— Previous studies have shown the feasibility of deriving simple indicators of file transfers, human-interactivity, and other important behavioural characteristics. We are proposing a practical implementation and use of such indicators with NetMate. In its current state as a work in progress, our extended version of NetMate will already be of interest to network security practitioners conducting incident analysis. The tool can be used to post-process traffic traces containing suspicious flows in order to obtain a behavioural description of the incident and surrounding traffic activities. With further development, the approach has great potential for other use cases such as intrusion detection, insider threat detection, and traffic classification.

Technical Notes and Reports

Mathieu Couture, Frédéric Massicotte and Daniel Rea, "Last Minute Traffic Forwarding for Malware analysis in a Honeynet", CRC Technical Note CRC-TN-2010-001, June 2010.

Abstract— One way to analyze malware samples is to execute them within a honeynet which, in some cases, is isolated from the Internet. In order to emulate the Internet, some or all of the traffic generated by the malware samples must then be forwarded to the various hosts of the honeynet. As IP addresses and TCP/UDP ports used by the malware samples are not known prior to malware execution, careful decisions have to be made regarding the configuration of the forwarding device. In this paper, we address the problem of traffic forwarding in an isolated honeynet for the purpose of malware analysis. We identify key aspects of the problem, describe the specifications and implementation highlights of a software module addressing the identified aspects, and present a case study performed using a corpus of 25118 malware samples. The core component of our module is a mechanism called Last Minute Destination Network Address Translation (LM-DNAT). It allows the forwarding device configuration to be postponed until the last minute by testing the validity of the destination address and port of a connection while it is being established.

Mathieu Couture, Frédéric Massicotte, "Studying Malware in an Isolated Network Sandbox", CRC Technical Note CRC-TN-2009-02, September 2009.

Abstract— A sandbox is a software tool allowing the safe monitoring of the execution of malicious software (malware), or more generally, programs that cannot be trusted. Most of the time, a sandbox is implemented in a virtual machine or a simulated operating system and allows the behavior of the program to be studied from the host's point of view. Over the years, we have developed a suite of tools that we came to consider as a network sandbox, i.e. a sandbox that allows us to study a program's behavior from the network perspective. In this paper, we present results from a specific experiment conducted in our network sandbox using various malware samples. We believe that a network sandbox brings helpful information which, combined with the information brought by a host sandbox, provides a more complete view of the mechanisms that are taking place during the execution of malware.

Annie De Montigny-Leboeuf, "Flow Attributes For Use In Traffic Characterization", CRC Technical Note, CRC-TN-2005-003, December 2005.

Abstract— Attackers disguise their activities in order to evade detection and circumvent network security measures. The work presented in this document builds upon earlier work on traffic profiling to reveal the nature of a flow based on its behaviour. An important step, which is the focus of the document, consists of identifying relevant and discriminative flow attributes for use in traffic characterization. We have developed a number of indicators that portray essential communication dynamics, based solely on information that can be gathered from monitoring packet headers. The indicators are lightweight and the characteristics measured can be interpreted from domain knowledge. A tool is under development at the Communications Research Centre Canada to demonstrate the relevance of the flow attributes in characterizing network traffic. In particular, the tool includes the capability to describe the traffic and recognize a number of ubiquitous protocols. Several of the protocols we experimented with are in essence very similar, but were found to be distinguishable with the indicators presented herein. Preliminary assessment shows us that the derived tool is useful as is, and may lead with further research to a number of applications.

Mathieu Couture, Frédéric Massicotte, "Systèmes et languages de détection d’intrusions", CRC Technical Report, CRC-RP-2005-001, July 2005.

Abstract— This report is a state-of-the-art survey of scenario-based intrusion detection systems. The focus is on the language used to express their signatures. Five categories have been identified, among which we have classified each of the thirteen studied systems. Once this is done, we identify ten properties considered desirable for an intrusion detection system signature language.

Annie De Montigny-Leboeuf, "A Multi-Packet Signature Approach to Passive Operating System Detection", Joint CRC/DRDC Technical Report, CRC-TN-2005-001 / DRDC-Ottawa-TM-2005-018, December 2004.

Abstract— Remote operating system discovery can provide valuable contextual information regarding the computers connected to the network. In particular, operating system discovery can help identify potentially vulnerable computers or may help prioritize alarms and responses in times of attack. The Network Security Research Group at the Communication Research Centre (CRC) has developed novel techniques for passive operating system discovery. The methodology developed allows deriving signatures spread over multiple packets. The tests are conducted passively on regular traffic. They are non-intrusive and do not rely on access to application or user data. Because they are passive, the techniques do not consume bandwidth and do not disrupt network assets. Over a dozen tests have been developed to analyse headers of packets seen on a network. The tests are conducted on various types of protocol headers: ARP, IP, ICMP, UDP and TCP. The prototype includes a database containing the "fingerprints" of close to 200 versions of operating systems. This document describes the prototype, focussing on the techniques behind each individual test. The document also contains some preliminary results obtained from real user traffic.

Theses Supervised

Frédéric Massicotte, "Using Object-Oriented Modeling for Specifying and Designing a Network-Context Sensitive Intrusion Detection System", Master’s degree Thesis, Electrical Engineering, System and Computer Engineering Department, Carleton University, supervised by Lionel Briand and Yvan Labiche, August 2005.

Abstract— Intrusion Detection Systems (IDS) have the reputation of generating many false positives. To resolve this issue, several IDS vendors have decided to use a stateful approach to intrusion detection at the TCP session layer and the application layer. Such an approach makes it possible to take into account the state of the session when an intrusion is detected. Since intrusions can only occur during specific session states, this in turn reduces the number of false positives. However, a stateful approach can only reach its full potential if these Stateful IDS (SIDS) are able to correlate the intrusion information with additional network information gathered before the intrusion. The state of the sessions is not sufficient to reduce the number of false positives. Information such as the configuration of a system, its operating system, its role in the network and its active services is also needed by IDS to derive the context of an intrusion, correctly place the attack in this context and thus reduce false positives. In this thesis, we show how the Object Constraint Language can be used as an intuitive high-level language to specify passive network monitoring rules, allowing the addition of more context to network intrusion detection rules.

Mathieu Couture, "Détection d'intrusions et analyse passive de réseaux", Master's degree Thesis, Computer Science, Computer Science and Software Engineering Department, Laval University, in co-supervision at the Communications Research Centre Ottawa by Frédéric Massicotte, June 2005.

Abstract— In this thesis, we propose a new language dedicated to intrusion detection. It is a purely declarative language, based on a past-time linear temporal logic with first-order predicates. We review thirteen intrusion detection languages and then list ten properties that are desirable for an intrusion detection language. As opposed to the language we are proposing, none of the thirteen reviewed languages has all of those ten properties. Not only is the proposed language expressive enough to meet the targeted needs, it also comes with a model checking algorithm which runs in linear time with respect to the trace length and takes a constant amount of space. Those two properties help protect the intrusion detection system from some flooding attacks.

Patrick Falardeau, "Improved Network Survivability Using An Enhanced Routing Protocol to Push Back a Distributed Denial of Service Attack", Master’s degree Thesis, Applied Science in Computer Engineering, Department of Electrical and Computer Engineering, Royal Military College of Canada, in co-supervision at the Communications Research Centre Ottawa by Frédéric Massicotte, July 2003.

Abstract— Denial of service is one of the many ways malicious users attack computers on a network. The thesis aims at finding a way to push back a Distributed DoS (DDoS) attack in near real time. This thesis proposes to accomplish its goal by modifying and enhancing the OSPF routing protocol. It assumes that a third party performs the detection of the DDoS and that the aggregate information identifying the DDoS can be obtained. Using the OSPF protocol, a communication mechanism is developed to allow network routers to block or reduce malicious flows. Some existing quality of service (QoS) mechanisms are used to block the malicious traffic. When successful, the most upstream routers within an Autonomous System (AS) block the malicious traffic while letting the legitimate users access the targeted and legitimate assets. The modified routing protocol is validated by analysing simulations performed with the Opnet Modeler software. The findings demonstrate that the proposed Pushback Algorithm is stable and that the volume of additional traffic created by the Pushback Algorithm during an attack has minimal to no impact on the overall network. Some of the proposed modifications, on Cisco routers, translate into a very efficient convergence time of the Pushback mechanism to the edge routers. The Pushback Algorithm works well in an acyclic environment. However, the success of the Pushback Algorithm in a cyclic environment is not as obvious. Finally, the proposed Pushback mechanism is not reliant on frequent expert assessment and can be automated. Less human involvement is therefore required to fight DDoS attacks. These are encouraging findings if we want to win the battles against hackers.