Intrusion Detection Systems mailing list archives

papers now available on detecting backdoors and stepping stones


From: vern () ee lbl gov (Vern Paxson)
Date: Fri, 16 Jun 2000 15:01:36 PDT


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Yin Zhang & I have written a pair of papers that are to appear in this
August's USENIX security symposium:

        Detecting Backdoors:
                http://www.aciri.org/vern/papers/backdoor-sec00.ps.gz
                http://www.aciri.org/vern/papers/backdoor/index.html

        Detecting Stepping Stones:
                http://www.aciri.org/vern/papers/stepping-sec00.ps.gz
                http://www.aciri.org/vern/papers/stepping/index.html

Abstracts appended.

                Vern

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Detecting Backdoors

Yin Zhang (Cornell University) and Vern Paxson (ACIRI / LBNL)
yzhang () cs cornell edu, vern () aciri org

*Backdoors* are often installed by attackers who have compromised a system
to ease their subsequent return to the system. We consider the problem of
identifying a large class of backdoors, namely those providing interactive
access on non-standard ports, by passively monitoring a site's Internet
access link. We develop a general algorithm for detecting interactive
traffic based on packet size and timing characteristics, and a set of
protocol-specific algorithms that look for signatures distinctive to
particular protocols. We evaluate the algorithms on large Internet access
traces and find that they perform quite well. In addition, some of the
algorithms are amenable to prefiltering using a stateless packet filter,
which yields a major performance increase at little or no loss of
accuracy.  However, the success of the algorithms is tempered by the
discovery that large sites have many users who routinely access what are in
fact benign backdoors, such as servers running on non-standard ports not to
hide, but for mundane administrative reasons. Hence, backdoor detection
also requires a significant policy component for separating allowable
backdoor access from surreptitious access.

-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Detecting Stepping Stones

Yin Zhang (Cornell University) and Vern Paxson (ACIRI / LBNL)
yzhang () cs cornell edu, vern () aciri org

One widely-used technique by which network attackers attain anonymity and
complicate their apprehension is by employing stepping stones: they launch
attacks not from their own computer but from intermediary hosts that they
previously compromised. We develop an efficient algorithm for detecting
stepping stones by monitoring a site's Internet access link. The algorithm
is based on the distinctive characteristics (packet size, timing) of
interactive traffic, and not on connection contents, and hence can be used
to find stepping stones even when the traffic is encrypted. We evaluate the
algorithm on large Internet access traces and find that it performs quite
well. However, the success of the algorithm is tempered by the discovery
that large sites have many users who routinely traverse stepping stones for
a variety of legitimate reasons. Hence, stepping-stone detection also
requires a significant policy component for separating allowable
stepping-stone pairs from surreptitious access.
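Both abstracts above rest on the same observation: interactive login traffic has a size/timing fingerprint (tiny keystroke and echo packets, human-paced gaps, idle periods) that survives encryption, and a login relayed through a stepping stone shows that fingerprint on the inbound and outbound leg in lock-step. The following is an added example written for this archive page, not code from the papers or from the authors: a toy, content-blind detector that (1) flags a connection as interactive from packet sizes and inter-packet gaps alone and (2) flags two connections as a stepping-stone pair when the moments at which they resume after idle periods coincide. Every threshold (SMALL_PKT, GAP_LO/GAP_HI, T_IDLE, DELTA, MIN_MATCH) and every trace is an assumption constructed for the example; they are not the papers' parameters, algorithms or data, and the real work in the papers (protocol-specific signatures, stateless prefiltering, evaluation on large traces, the policy layer) is not reproduced here.

```python
"""
Added example (not code from the Zhang & Paxson papers or this list post):
a toy version of the two size/timing heuristics the abstracts describe.

  1. is_interactive(): flag a connection as interactive login traffic when
     most client-to-server packets are keystroke-sized and most inter-packet
     gaps fall in a human-typing window.
  2. correlated(): flag two connections as a stepping-stone pair when the
     moments at which they resume after idle periods line up in time.

All thresholds and the synthetic traces below are assumptions chosen for
this example; they are not the papers' parameters or data.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Pkt:
    t: float         # seconds since start of trace
    size: int        # TCP payload bytes (0 for a pure ACK)
    direction: str   # 'c2s' client->server, 's2c' server->client


# --- interactive-traffic heuristic (illustrative thresholds) ---------------
SMALL_PKT = 20               # bytes: a keystroke or its echo carries a tiny payload
SMALL_FRAC = 0.6             # share of client->server packets that must be small
GAP_LO, GAP_HI = 0.05, 2.0   # inter-keystroke gap window for a human typist
GAP_FRAC = 0.5               # share of gaps that must fall inside that window
MIN_PKTS = 10                # fewer packets than this: refuse to judge


def is_interactive(pkts: List[Pkt]) -> bool:
    """Content-blind test: sizes and timing only, so it works on encrypted sessions too."""
    c2s = sorted((p for p in pkts if p.direction == 'c2s' and p.size > 0),
                 key=lambda p: p.t)
    if len(c2s) < MIN_PKTS:
        return False
    small = sum(p.size <= SMALL_PKT for p in c2s) / len(c2s)
    gaps = [b.t - a.t for a, b in zip(c2s, c2s[1:])]
    typing = sum(GAP_LO <= g <= GAP_HI for g in gaps) / len(gaps)
    return small >= SMALL_FRAC and typing >= GAP_FRAC


# --- stepping-stone correlation (illustrative thresholds) ------------------
T_IDLE = 0.5     # seconds of silence that count as an idle (OFF) period
DELTA = 0.08     # max lag between two connections' OFF->ON transitions
MIN_MATCH = 0.7  # share of transitions that must coincide


def off_to_on_times(pkts: List[Pkt]) -> List[float]:
    """Timestamps at which a connection resumes after being idle >= T_IDLE."""
    ts = sorted(p.t for p in pkts if p.size > 0)
    return [b for a, b in zip(ts, ts[1:]) if b - a >= T_IDLE]


def correlated(conn_a: List[Pkt], conn_b: List[Pkt]) -> bool:
    """True when conn_a's and conn_b's idle-period ends line up within DELTA.

    A login relayed through a stepping stone goes idle and resumes on the
    inbound and the outbound leg at the same moments, whatever the payload
    looks like; two independent sessions rarely resume in lock-step.
    """
    ea, eb = off_to_on_times(conn_a), off_to_on_times(conn_b)
    if not ea or not eb:
        return False
    matched, j = 0, 0
    for t in ea:                       # both lists are sorted: one pass
        while j < len(eb) and eb[j] < t - DELTA:
            j += 1
        if j < len(eb) and abs(eb[j] - t) <= DELTA:
            matched += 1
            j += 1                     # each transition matches at most once
    # normalise by the shorter list so a partially captured leg still scores
    return matched / min(len(ea), len(eb)) >= MIN_MATCH


# --- constructed traces (synthetic, not captured traffic) ------------------
def synth_session(gaps, n_bursts, pause, lag=0.0):
    """Keystroke/echo pairs typed in bursts separated by `pause` s of silence."""
    pkts, t = [], 1.0 + lag
    for _ in range(n_bursts):
        for g in gaps:
            pkts.append(Pkt(t, 1, 'c2s'))           # one keystroke
            pkts.append(Pkt(t + 0.01, 1, 's2c'))    # its echo
            t += g
        t += pause
    return pkts


def synth_bulk(n=200, rate=0.001):
    """A full-MSS upload: large, evenly spaced packets, nothing human about it."""
    return [Pkt(1.0 + k * rate, 1400, 'c2s') for k in range(n)]


GAPS_A = [0.12, 0.63, 0.27, 0.81, 0.19, 0.55, 0.34, 0.72]
GAPS_B = [0.21, 0.33, 0.17, 0.29, 0.41, 0.25]

INBOUND = synth_session(GAPS_A, n_bursts=6, pause=3.0)             # attacker -> stone
OUTBOUND = synth_session(GAPS_A, n_bursts=6, pause=3.0, lag=0.03)  # stone -> victim
UNRELATED = synth_session(GAPS_B, n_bursts=8, pause=2.8)           # another user
BULK = synth_bulk()

if __name__ == "__main__":
    print("inbound interactive:", is_interactive(INBOUND))         # True
    print("bulk interactive:   ", is_interactive(BULK))            # False
    print("inbound/outbound:   ", correlated(INBOUND, OUTBOUND))   # True
    print("inbound/unrelated:  ", correlated(INBOUND, UNRELATED))  # False
```

The unrelated session is itself interactive; it simply does not resume in step with the inbound one, which is what separates a stepping-stone pair from two users who happen to be logged in at the same time. On a real access link this is only the first half of the job: as both abstracts note, a large site has plenty of benign servers on non-standard ports and plenty of legitimate multi-hop logins, so a hit from either heuristic still has to pass a site policy before it is treated as surreptitious access.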
