Copyright © 2002 OPNET Technologies, Inc.
Session 1540: Case Studies – New Directions in Wireless Modeling
Session 1341: Case Studies – Network Security Research & Development
Moderator: Bryan Cline, OPNET Technologies, Inc.
Network Intrusion Simulation Using OPNET
Shabana Razak, Mian Zhou, Sheau-Dong Lang*
University of Central Florida
and National Center for Forensic Science*
Simulation of Network Intrusion
• Identify intrusion activities
• Evaluate effectiveness of IDS (Intrusion Detection System)
• Analyze network performance degradation due to IDS overhead
• Study issues related to simulation efficiency
Our Approach to Intrusion Simulation
• Use MIT/Lincoln Lab’s TCPDUMP files
  - pre-process the data source to extract packet inter-arrival times, the duration of the source data, and a list of IP addresses
• Build a network model corresponding to the extracted IP addresses, and a firewall node
• Use OPNET to simulate source data, including intrusion detection using the firewall
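The pre-processing step above is the part of the approach that is easiest to show in code. The following is an added example, not code from the slides or from OPNET: it parses constructed `tcpdump -ttnn` text lines (the format and the sample addresses are assumptions, not the MIT/Lincoln Lab data), keeps only the fields the deck's packet model needs, and derives the three quantities the slide lists: inter-arrival times, duration of the source data, and the list of hosts that become virtual PCs in the network model.

```python
import re
from typing import Iterable, List, NamedTuple, Optional


class Packet(NamedTuple):
    """The few fields the simulation keeps per packet, plus the capture timestamp."""
    ts: float      # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # TCP flag letters as tcpdump prints them: S=SYN, .=ACK, P=PSH, U=URG


# One TCP line of `tcpdump -ttnn` text output (assumed modern text format;
# the slides' own data files are not reproduced here).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcpdump_line(line: str) -> Optional[Packet]:
    """Return a Packet for a TCP line, None for traffic we do not model (ARP, UDP, ...)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return Packet(ts=float(m["ts"]), src=m["src"], dst=m["dst"],
                  sport=int(m["sport"]), dport=int(m["dport"]), flags=m["flags"])


def parse_capture(lines: Iterable[str]) -> List[Packet]:
    """Parse every line, drop what we do not model, and keep packets in time order."""
    pkts = [p for p in map(parse_tcpdump_line, lines) if p is not None]
    return sorted(pkts, key=lambda p: p.ts)


def inter_arrival_times(pkts: List[Packet]) -> List[float]:
    """Gaps between consecutive packets; these drive the scripted packet generator."""
    return [round(b.ts - a.ts, 6) for a, b in zip(pkts, pkts[1:])]


def duration(pkts: List[Packet]) -> float:
    """Span of the source data in seconds (the x-axis of the efficiency chart)."""
    return round(pkts[-1].ts - pkts[0].ts, 6) if pkts else 0.0


def ip_addresses(pkts: List[Packet]) -> List[str]:
    """Every host seen; the network model gets one virtual PC per address."""
    hosts = {ip for p in pkts for ip in (p.src, p.dst)}
    return sorted(hosts, key=lambda ip: tuple(int(o) for o in ip.split(".")))


# Constructed sample lines (not real capture data), including one ARP line
# that the parser is expected to skip.
SAMPLE_LINES = [
    "0.000000 IP 10.0.0.1.1025 > 10.0.0.2.139: Flags [S], seq 100, win 8192, length 0",
    "0.010000 IP 10.0.0.2.139 > 10.0.0.1.1025: Flags [S.], seq 500, ack 101, win 8192, length 0",
    "0.015000 IP 10.0.0.1.1025 > 10.0.0.2.139: Flags [.], ack 501, win 8192, length 0",
    "0.250000 IP 10.0.0.3.2000 > 10.0.0.2.80: Flags [S], seq 300, win 65535, length 0",
    "0.500000 ARP, Request who-has 10.0.0.2 tell 10.0.0.3, length 28",
    "1.000000 IP 10.0.0.1.1025 > 10.0.0.2.139: Flags [P.U], seq 101:105, ack 501, win 8192, urg 4, length 4",
]


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_LINES)
    print("hosts:", ip_addresses(pkts))
    print("duration (s):", duration(pkts))
    print("inter-arrival times (s):", inter_arrival_times(pkts))
```

The inter-arrival list is exactly what a scripted packet generator needs as its schedule, and the host list fixes the number of nodes in the network model before any simulation runs; the parser deliberately discards everything except addresses, ports and flags, mirroring the reduced packet format the deck uses.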
Example: Simulation of DOSNuke Attack
• It is a denial-of-service attack which sends Out-Of-Band data (MSG_OOB) to port 139 (NetBIOS), crashing a Windows NT system
• The attack’s signature contains a NetBIOS handshake followed by NetBIOS packets with the “urg” flag set
• The packet format of our OPNET simulation contains only the IP addresses, port numbers, and the flags
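Because the simulated packets carry only addresses, ports and flags, the firewall's signature check reduces to a small per-connection state machine. The following is an added example, not the slides' OPNET firewall node: it tracks the NetBIOS handshake (SYN, SYN/ACK, ACK) per client/server pair and raises an alert only when a later packet to port 139 on that connection carries the URG flag. The `Packet` fields, the state names and the sample hosts are assumptions made for the example; tcpdump's flag letters are used for the flags field.

```python
from typing import Dict, List, NamedTuple, Tuple

NETBIOS_PORT = 139


class Packet(NamedTuple):
    """Reduced packet format: only what the firewall filter looks at."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # tcpdump-style letters: S=SYN, .=ACK, P=PSH, U=URG


# (client address, client port, server address, server port)
FlowKey = Tuple[str, int, str, int]


class DosNukeDetector:
    """Firewall-side matcher for the signature on the slide:
    a completed NetBIOS handshake followed by a packet with URG set."""

    def __init__(self) -> None:
        # Per-connection handshake progress: SYN_SENT -> SYN_ACKED -> ESTABLISHED
        self.state: Dict[FlowKey, str] = {}
        self.alerts: List[str] = []

    def observe(self, p: Packet) -> bool:
        """Feed one packet in capture order; return True when the signature matches."""
        if p.dport == NETBIOS_PORT:                      # client -> server direction
            key = (p.src, p.sport, p.dst, p.dport)
            st = self.state.get(key)
            if st is None and "S" in p.flags:
                self.state[key] = "SYN_SENT"
            elif st == "SYN_ACKED" and "." in p.flags:
                self.state[key] = "ESTABLISHED"
            elif st == "ESTABLISHED" and "U" in p.flags:
                self.alerts.append(f"DOSNuke: OOB data from {p.src} to {p.dst}:{p.dport}")
                return True
        elif p.sport == NETBIOS_PORT:                    # server -> client direction
            key = (p.dst, p.dport, p.src, p.sport)
            if self.state.get(key) == "SYN_SENT" and "S" in p.flags and "." in p.flags:
                self.state[key] = "SYN_ACKED"
        return False


def scan(pkts: List[Packet]) -> List[str]:
    """Run the detector over a whole trace and return the alerts it raised."""
    det = DosNukeDetector()
    for p in pkts:
        det.observe(p)
    return det.alerts


# Constructed sample trace (not real capture data). The URG packet from
# 10.0.0.3 arrives without a handshake, so the strict signature ignores it;
# the one from 10.0.0.1 follows a completed handshake and matches.
SAMPLE = [
    Packet("10.0.0.1", "10.0.0.2", 1025, 139, "S"),
    Packet("10.0.0.2", "10.0.0.1", 139, 1025, "S."),
    Packet("10.0.0.1", "10.0.0.2", 1025, 139, "."),
    Packet("10.0.0.3", "10.0.0.2", 3000, 139, "P.U"),
    Packet("10.0.0.1", "10.0.0.2", 1025, 139, "P.U"),
]


if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The detector is deliberately as narrow as the slide's signature: it needs the handshake first, so a stray URG segment without a connection is not reported. A production filter would usually also count URG segments to port 139 on their own, since the handshake requirement is what an evasion would target; that is a design choice the example leaves to the reader.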
DOSNuke Simulation: Network Model
The network model contains 10 virtual PCs (PC0 is the hacker, PC1 is the victim) and a firewall that filters packets to and from the victim
DOSNuke Simulation: Packet Generator
Node structure of the packet generator
The attribute panel of the packet generator, with scripted packet inter-arrival times calculated from pre-processing the source data
DOSNuke Simulation: Statistics of packet rates at firewall
Packet rates at the firewall that filters the DOSNuke attack packets, clearly showing an initial peak and 3 later peaks
Example: Simulation of ProcessTable Attack
Number of distinct port connections directed at the victim, clearly showing rapid increases during 3 time intervals
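The two statistics the deck plots, packet rate at the firewall for DOSNuke and distinct connections at the victim for ProcessTable, are both time-binned counts over the reduced packet records. The following is an added example, not the slides' OPNET statistics collection: it builds a constructed trace with benign background traffic and two bursts of new connections to the victim, then computes both series and the bins that stand out as peaks. The hosts, the service port and the reading of "distinct port connections" as distinct (source address, source port) pairs that sent a SYN to the victim are assumptions made for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple


class Packet(NamedTuple):
    ts: float      # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # tcpdump-style letters: S=SYN, .=ACK, P=PSH, U=URG


def firewall_packet_rate(pkts: List[Packet], victim: str,
                         bin_seconds: float = 1.0) -> Dict[int, int]:
    """Packets per time bin that a firewall in front of the victim sees
    (every packet to or from the victim)."""
    rate: Counter = Counter()
    for p in pkts:
        if victim in (p.src, p.dst):
            rate[int(p.ts // bin_seconds)] += 1
    return dict(sorted(rate.items()))


def distinct_connections(pkts: List[Packet], victim: str,
                         bin_seconds: float = 1.0) -> Dict[int, int]:
    """Per time bin, the number of distinct (source address, source port) pairs
    that opened a connection to the victim (a SYN without ACK)."""
    seen: Dict[int, set] = defaultdict(set)
    for p in pkts:
        if p.dst == victim and "S" in p.flags and "." not in p.flags:
            seen[int(p.ts // bin_seconds)].add((p.src, p.sport))
    return {b: len(s) for b, s in sorted(seen.items())}


def peaks(series: Dict[int, int], threshold: int) -> List[int]:
    """Bins whose count exceeds the threshold: the peaks the charts point at."""
    return [b for b, n in series.items() if n > threshold]


VICTIM = "10.0.0.2"        # assumed addresses, as in the sample network model
HACKER = "10.0.0.1"
BENIGN = "10.0.0.3"
SERVICE_PORT = 25          # arbitrary service port chosen for the sample


def build_sample() -> List[Packet]:
    """Constructed trace: one benign web request per second for 6 seconds,
    plus 20 and 30 new connections to the victim in seconds 1 and 4."""
    pkts: List[Packet] = []
    for s in range(6):
        pkts.append(Packet(s + 0.50, BENIGN, VICTIM, 2000 + s, 80, "S"))
        pkts.append(Packet(s + 0.51, VICTIM, BENIGN, 80, 2000 + s, "S."))
    for burst_start, n in ((1, 20), (4, 30)):
        for i in range(n):
            pkts.append(Packet(burst_start + i / n, HACKER, VICTIM,
                               1025 + i, SERVICE_PORT, "S"))
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    trace = build_sample()
    rate = firewall_packet_rate(trace, VICTIM)
    conns = distinct_connections(trace, VICTIM)
    print("packets/s at firewall:", rate)
    print("new connections/s at victim:", conns)
    print("peak bins (>10):", peaks(rate, 10), peaks(conns, 10))
```

Separating the two series matters for the IDS-overhead question the deck raises: the packet-rate series is cheap (one counter per bin) and is what a firewall can maintain on every packet, while the distinct-connection series needs a set per bin and grows with the attack, which is exactly the cost a ProcessTable-style flood imposes on whatever tracks connections.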
Efficiency of intrusion simulation using OPNET
[Chart: OPNET Simulation Time. x-axis: time duration of source data in seconds (30, 60, 70, 80, 90, 100, 114); y-axis: OPNET simulation time in seconds (0 to 12)]
Simulation runs on a Pentium 4 PC, 1.5 GHz CPU and 256 MB RAM
Simulation time for the ProcessTable attack, with data-file durations ranging from 30 to 114 seconds and a total of 5525 packets (approximately linear growth)
Conclusion and Further Research
• Our work demonstrated several applications of intrusion simulation using OPNET:
  - Detecting intrusions by displaying and identifying patterns of suspicious data packets
  - Analyzing network performance and the intrusion detection overhead
  - Evaluating the effectiveness of the IDS
• Further challenges include improving simulation efficiency and pre-processing source data using filtering strategies