7 research outputs found

    Diseño de una metodología para la detección de ataques a infraestructuras informáticas basada en la correlación de eventos.

    A methodology was designed that makes it possible to detect computer attacks on technological infrastructures based on event correlation. This research analysed the difficulty and incompatibility that the logs generated by active network devices present when security analysis is carried out. Different device brands and models were analysed, as well as event-normalisation techniques, in order to provide an effective response to incidents that arise almost in real time. For the simulation of computer incidents, the OSSTMM and ISAFF methodologies were analysed and subsequently adapted to the proposed methodology, taking the Ecuadorian national environment as the field of action and meeting the theoretical requirements of Ministerial Agreement number 166, published by the National Secretariat of Public Administration in Official Registry number 88 of September 2013. The methodology was designed using Security Information and Event Management (SIEM) event-correlation technology, which makes it possible to compare, integrate and visualise security incidents in real time. Application- and network-level attacks were simulated, namely port scanning, SQL injection, denial of service, command injection, buffer overflow and brute force. By analysing the results with the inferential statistical technique ANOVA at a significance level of 0.05 (95% confidence), it was possible to determine that the methodology for detecting computer attacks on technological infrastructures based on event correlation increased the number of detected attacks on computer infrastructures by 47.8%. Implementation of the methodology in critical infrastructures is recommended.

    A methodology that allows cyber-attacks on technological infrastructures to be detected was designed, based on the correlation of events. The current research work analyzes the difficulty and incompatibility that the logs generated by active network devices show in the development of security analysis. Different device brands and models were analyzed, as well as event-normalization techniques, aiming to give an effective response to events happening almost in real time. For the simulation of cyber incidents, the OSSTMM and ISAFF methodologies were analyzed and then adapted to the proposed methodology, having the Ecuadorian environment as scope and fulfilling the theoretical requirements of Ministerial Agreement number 166, published by the National Secretariat of Public Administration in Official Registry number 88 of September 2013. For the design of the methodology, Security Information and Event Management (SIEM) event-correlation technology was used, which allows security incidents to be compared, integrated and visualized in real time. Cyber-attacks at application and network level were simulated, namely port scanning, SQL injection, denial of service, command injection, buffer overflow and brute force. Through the analysis of results by means of the inferential statistical technique ANOVA with a significance level of 0.05, calculated at 95%, it was possible to determine that the methodology to detect cyber-attacks on technological infrastructures based on the correlation of events increased the detection of attacks on cyber infrastructures by 47.8%. The implementation of the methodology in critical infrastructures is recommended.

    Sensor-Based Intrusion Detection for Intra-domain Distance-vector Routing

    ABSTRACT Detection of routing-based attacks is difficult because malicious routing behavior can be identified only in specific network locations. In addition, the configuration of the signatures used by intrusion detection sensors is a time-consuming and error-prone task because it has to take into account both the network topology and the characteristics of the particular routing protocol in use. We describe an intrusion detection technique that uses information about both the network topology and the positioning of sensors to determine what can be considered malicious in a particular place of the network. The technique relies on an algorithm that automatically generates the appropriate sensor signatures. This paper presents a description of the approach, applies it to an intra-domain distance-vector protocol and reports the results of its evaluation.

    Sensor-based intrusion detection for intra-domain distance-vector routing

    Abstract Detection of routing-based attacks is difficult because malicious routing behavior can be identified only in specific network locations. In addition, the configuration of the signatures used by intrusion detection sensors is a time-consuming and error-prone task because it has to take into account both the network topology and the characteristics of the particular routing protocol in use. We propose an intrusion detection technique that uses information about both the network topology and the positioning of sensors to determine what can be considered malicious in a particular place of the network. The technique relies on an algorithm that automatically generates the appropriate sensor signatures. This paper presents a description of the approach, applies it to an intra-domain distance-vector protocol, and reports the results of its evaluation.
    Keywords: Routing Security, Intrusion Detection, Network Topology.
    1 Introduction
    Attacks against the IP routing infrastructure can be used to perform substantial denial-of-service attacks or as a basis for more sophisticated attacks, such as man-in-the-middle schemes and non-blind spoofing. Given the insecure nature of the routing protocols currently in use, preventing these attacks requires modifications to the routing protocols, the routing software, and, possibly, the network topology itself. Because of the critical role of routing, there is considerable inertia in this process. As a consequence, insecure protocols are still widely in use throughout the Internet.

    Mecanismos para mitigar riesgos generados por la intrusión en Routers de frontera basados en resultados de un Honeypot Virtual.

    In this research, mechanisms were implemented to mitigate the risks generated by intrusion into border routers, based on the results of a virtual honeypot. The main vulnerabilities and threats commonly found in WAN network environments were analysed; the device with the highest generated risk is the border or edge router, specifically its SNMP protocol. To build the proposed solution, the Methodology for Information Systems Risk Analysis and Management PAe - MAGERIT v.3, the IEEE scientific journal paper "Honeypot Router for routing protocols protection" and the book "Honeypots: Tracking Hackers" were analysed; some recommendations from security standards and norms for WAN environments were also considered. The solution, called HONEYPOT-ROUTER-SNMP, is focused on attacks such as DDoS, port scanning and brute-force attacks, which account for a large share of the impact generated by the security risk of the SNMP protocol in its three versions; it consists of two components: 1) solution infrastructure (with two stages: a) study and detection of vulnerabilities and attacks, and b) application of protection and security measures) and 2) prevention mechanisms (which complete the steps for threat detection and prevention). With the proposed solution, the vulnerabilities and risks that affected the proper functioning of the edge router were reduced by 95%, which notably increased its availability and reliability. It is recommended to implement an event-correlation management solution after the IPS, where alerts will be issued that must be reviewed by the security body designated by the organisation.

    In the present investigation, mechanisms to mitigate the risks generated by intrusion into routers, based on the results of a virtual honeypot, were implemented. The main vulnerabilities and threats commonly found in WAN network environments were analyzed; the device with the greatest generated risk is the edge router, specifically its SNMP protocol. For the construction of the planned solution, the Methodology of Analysis and Risk Management of Information Systems PAe-MAGERIT v.3, the IEEE scientific journal paper "Honeypot Router for routing Protocol protection" and the book "Honeypots: Tracking Hackers" were analyzed. In addition, some standard recommendations and safety norms for WAN environments were considered. The solution, called HONEYPOT-ROUTER-SNMP, is focused on attacks such as DDoS, port scanning and brute-force attacks, which account for a large percentage of the impact generated by the safety risk of SNMP in its three versions, and consists of two components: 1) Infrastructures of solution (with two stages: a) study and detection of vulnerabilities and attacks, and b) application of protection and safety measures); and 2) Prevention mechanisms (with which the steps to detect and prevent threats are completed). By using the proposed solution, the vulnerabilities and risks that affected the proper functioning of the edge router were reduced by 95%, with which its availability and trustworthiness increased notably. It is recommended to implement an Event Correlation Management solution after the IPS, where alerts will be emitted, which should be verified by the security body designated by the organization.

    Development and Evaluation of Methodologies for Vulnerability Analysis of Ad-hoc Routing Protocols

    This thesis presents a number of methodologies for computer-assisted vulnerability analysis of routing protocols in ad-hoc networks, towards the goal of automating the process of finding vulnerabilities (possible attacks) in such network routing protocols and correcting the protocols. Each methodology is based on a different representation (model) of the routing protocol, and that model determines the quantitative methods and algorithms used. Each methodology is evaluated with respect to effectiveness, feasibility and the possibility of application to realistically sized networks. The first methodology studied is based on formal models of the protocols and associated symbolic partially ordered model checkers. Using this methodology, a simple attack on unsecured AODV is demonstrated. An extension of the Strands model is developed which is suitable for such routing protocols. The second methodology is based on timed-probabilistic formal models, which are necessary because of the probabilistic nature of ad-hoc routing protocols. This second methodology uses natural extensions of the first one. A nondeterministic-timing model based on partially ordered events is considered for application to the model checking problem. Determining probabilities within this structure requires calculating the volume of a particular type of convex region, which is known to be #P-hard. A new algorithm is derived, exploiting the particular problem structure, that can be used to reduce the time needed to compute these quantities compared with conventional algorithms. We show that timed-probabilistic formal models can be linked to trace-based techniques by sampling methods, and conversely how execution traces can serve as starting points for formal exploration of the state space. We show that an approach combining both trace-based and formal methods can converge faster than either alone on a set of problems.
    However, the applicability of both of these techniques to ad-hoc network routing protocols is limited to small networks and relatively simple attacks. We provide evidence to this end. To address this limitation, a final technique employing only trace-based methods within an optimization framework is developed. In an application of this third methodology, it is shown that it can be used to evaluate the effects of a simple attack on OLSR. The result can be viewed (from a certain perspective) as an example of automatically discovering a new attack on the OLSR routing protocol.

    Security in Distributed, Grid, Mobile, and Pervasive Computing

    This book addresses the increasing demand to guarantee privacy, integrity, and availability of resources in networks and distributed systems. It first reviews security issues and challenges in content distribution networks, describes key agreement protocols based on the Diffie-Hellman key exchange and key management protocols for complex distributed systems like the Internet, and discusses security design patterns for distributed systems. The next section focuses on security in mobile computing and wireless networks. After a section on grid computing security, the book presents an overview of security solutions for pervasive healthcare systems and surveys wireless sensor network security.