Qualifications
Currently a Doctoral Student, Tohoku University. B.Sc., IUT, Bangladesh, 2003. International Baccalaureate, United World College of the Atlantic (UWCAC), UK, 96-98.

Expertise and Research Interests
NIDSs: Attacks against encrypted protocols are becoming increasingly popular. They pose a serious challenge to conventional Intrusion Detection Systems (IDSs), which rely heavily on inspecting network packet fields and are consequently unable to monitor encrypted sessions. IDSs can be broadly categorized into two types: signature-based and anomaly-based. Signature-based IDSs rely on previous attack signatures and are often ineffective against new attacks. Anomaly-based detection systems, on the other hand, depend on detecting the change in protocol behavior caused by an attack, so they can be employed to detect novel attacks and are therefore often preferred over their signature-based counterparts. We have envisioned an anomaly-based IDS which can detect attacks against popular encrypted protocols such as SSH and SSL. Our system creates a normal behavior profile and uses the non-parametric CUSUM algorithm to detect deviation from the normal profile. Upon detecting an anomaly, the proposed mechanism generates an alert and sets a delay on the protocol response. The effectiveness of the proposed detection scheme is verified via simulations.

Additionally, encrypted attack traffic makes tracing the source of the attack substantially more difficult. We have also addressed this issue and devised a traceback mechanism to track back attackers against encrypted protocols. In our efforts to combat attacks against cryptographic protocols, we have integrated a traceback mechanism at the monitoring stubs (MSs), which we previously introduced for detecting the attacks. While we previously focused on strategically placing monitoring stubs to detect attacks against encrypted protocols, in this work we aim to equip the MSs with a traceback feature. In our approach, when an MS detects an attack, it starts tracing back to the root of the attack. The traceback mechanism relies on monitoring the extracted features at different MSs, i.e., at different points of the target network. At each MS, the features monitored over time provide a pattern which is compared or correlated with the patterns monitored at the neighboring MSs. A high correlation value between the patterns observed by two MSs indicates that the attack traffic propagated through the network elements covered by these MSs. Based on these correlation values and prior knowledge of the network topology, we can then construct a path back to the attacking hosts. My next focus is to make a more robust detection and traceback scheme, all integrated into the MSs.

Keywords
Research Keywords: Encrypting Protocols, Network Security, Traceback, IDSs, NS-2, Qualnet.
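
The traceback step described under Expertise and Research Interests can be illustrated as follows. This is an added example, not the author's implementation; the topology, the feature series, the choice of Pearson correlation and the 0.8 threshold are all assumptions made for illustration.

```python
from math import sqrt

# Constructed topology: each monitoring stub (MS) and its upstream neighbours.
UPSTREAM = {
    "ms_server": ["ms_core"],
    "ms_core": ["ms_edge_a", "ms_edge_b", "ms_edge_c"],
}

# Constructed feature counts per interval at each MS (hypothetical feature,
# e.g. short-lived encrypted sessions); intervals are assumed time-aligned.
SERIES = {
    "ms_server": [2, 3, 2, 14, 22, 25, 19, 3],
    "ms_core":   [5, 6, 4, 17, 26, 27, 22, 5],
    "ms_edge_a": [3, 4, 2, 3, 4, 3, 3, 3],      # benign background only
    "ms_edge_b": [2, 2, 2, 14, 22, 24, 19, 2],  # carries the attack pattern
    "ms_edge_c": [0, 0, 0, 0, 0, 0, 0, 0],      # idle link, zero variance
}

def pearson(x, y):
    """Pearson correlation; 0.0 when either series is constant."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var = sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y)
    return cov / sqrt(var) if var > 0 else 0.0

def traceback(detecting_ms, series, upstream, threshold=0.8):
    """Return every path from the detecting MS to the outermost MS whose
    pattern still correlates with its downstream neighbour."""
    paths, stack = [], [[detecting_ms]]
    while stack:
        path = stack.pop()
        here = path[-1]
        nxt = [n for n in upstream.get(here, [])
               if n not in path  # guard against topology loops
               and pearson(series[here], series[n]) >= threshold]
        if not nxt:
            paths.append(path)
        stack.extend(path + [n] for n in nxt)
    return paths

if __name__ == "__main__":
    for p in traceback("ms_server", SERIES, UPSTREAM):
        print(" <- ".join(p))
```

Only the edge stub whose pattern tracks the core stub is followed; the benign and idle edges fall below the threshold, so the walk ends at the ingress point closest to the source.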
Last Updated: 26/11/2009