AT&T Center for Internet Research at ICSI (ACIRI)
About the talk:
In this talk we look at two different problems in intrusion detection: detecting "backdoors" (standard protocols running on non-standard ports) installed by attackers to ease their subsequent return to a system they've compromised; and detecting an attacker's use of a series of compromised hosts, or "stepping stones", to launder their activities through a chain of compromised hosts. In both cases, we are interested in detecting the activity by passively monitoring a site's Internet access link, and for each we analyze traffic traces in an attempt to find characteristic signatures of the activities that set them apart from the vast quantity of other, legitimate activity in the traffic stream.
We find that for both problems we can develop detection algorithms that work surprisingly well for a useful subset of the problem domain. However, the success of the algorithms is tempered by the discovery that large sites have many users who routinely access what are in fact benign backdoors and legitimate stepping stones. Hence, backdoor and stepping stone detection also requires a significant policy component for separating allowable access from surreptitious access.
About the speaker:
Vern Paxson is a senior scientist with the AT&T Center for Internet Research at the International Computer Science Institute in Berkeley, CA, and a staff scientist at the Lawrence Berkeley National Laboratory, having received his B.S. from Stanford University and his M.S. and Ph.D. from UC Berkeley. His research focusses on Internet measurement and network intrusion detection. He serves on the editorial board of IEEE/ACM Transactions on Networking, and has been active in the IETF, chairing working groups on performance metrics, TCP implementation, and endpoint congestion management, as well as serving on the IESG as an area director for Transport.
For more information:
Slides in PostScript format