
Objectives

- Understand the prominent security challenges in a dynamic environment
- Understand the range of vulnerabilities and threats that thwart the information system
- Learn proactive countermeasures that can be used to guarantee the required security level
- Learn ways to improve response and recovery capabilities in the case of occurrence of security incidents

Mohamed Hamdi

Part I: Security Fundamentals

The need for security

- Many companies rely on information and communication technologies for their daily business and private communication
- Electronic services are increasingly developed and deployed
- Thousands of attacks per year are conducted against these infrastructures, resulting in huge losses
- Securing information systems is an urgent need


The number of services which are (partially or completely) provided via modern communication infrastructures and information systems is growing explosively. Unfortunately, as these systems get more sophisticated, so do the attacks carried out against them. In effect, every attack appears to be linked to one or more specific services. This chapter addresses the relationship between the attacker's goals and the characteristics of the target service. More precisely, several factors, such as the proportionality of the complexity of the attack process to the budget spent to conduct it, will be investigated. Finally, novel attack trends will be explored based on intruder activity during the last years.

Security services

- A security service enhances the security of the data processing and the information transfer of an organization. It thwarts security attacks and encompasses the use of security mechanisms
- Service classes: many classes can be considered. The most important are confidentiality, authentication, integrity, non-repudiation, access control, availability, anonymity, and data freshness


1. Confidentiality requires that the information in a computer system, as well as the transmitted
information, is accessible in read mode only by authorized parties
2. Authentication requires that the origin of a message is correctly identified, with assurance
that the identity is not false
3. Integrity requires that computer systems assets and transmitted information are accessible in
write mode only by authorized parties
4. Non-repudiation requires that neither the sender nor the receiver of a message is able to
deny the transmission
5. Access control requires that access to information is controlled by or for the target system
6. Availability requires that the information system assets can be accessed by authorized
parties when needed
7. Anonymity requires that the identity of the sender or the receiver is hidden from non-authorized
parties
8. Data freshness requires that the data transmitted between two parties has been generated
during the active session

Vulnerability

- A feature or a combination of features of a system that allows an adversary to place the system in a state that is contrary to its normal behavior
- "A vulnerability is a feature or bug in a system or program which enables an attacker to bypass security measures." (Schultz Jr. et al., 1990)
- A vulnerability is "an aspect of a system or network that leaves it open to attack" (CERT, 1993)

Classifying vulnerabilities

- Application-level vulnerabilities
  - Operating systems
  - Web applications (e.g., servers, servlets)
  - Database applications
  - Network protocol implementations
- Protocol vulnerabilities
- Human-related vulnerabilities
- Equipment misconfiguration (e.g., firewall, router, switch, …)
- Weak password protection
- Confidentiality violations


Information systems' weaknesses can be categorized into application-level vulnerabilities, protocol vulnerabilities, and human-related vulnerabilities. In the following, this classification is illustrated through a set of relevant examples.
1. Application-level vulnerabilities
1. Operating systems: A weakness in the Windows NT volatile memory management
system allows a normal user to locally acquire administrator privileges using the
getadmin tool.
2. Web applications (e.g., servers, servlets): A vulnerability in the IE’s embedded code
mechanism in HTML code generates a buffer overflow providing remote access to the
attacker (with the privilege of the service owner).
3. Database applications: A vulnerability in the Apache PL/SQL module (integrated in
the Oracle 9i AS) grants non-authenticated access via the web administration
interface. Cert Vulnerability Note VU#611776
4. Network protocol implementations: Various implementations of the RADIUS authentication protocol include buffer overflow vulnerabilities at the hash function level.
2. Protocol vulnerabilities:
1. When a message is forwarded by a SMTP server, no verification is performed
concerning the source address.
2. Passwords protecting private mail boxes are sent in plaintext to the POP server.
3. Human-related vulnerabilities: Human errors are particularly harmful when they relate to
security misconfigurations or software development faults. Although the security policy
implemented in the firewall might be correct, the security administrator can translate it to the
firewall language in an erroneous manner, leading to security flaws. In addition, most of the
buffer overflow vulnerabilities effectively originate from errors made at the software
development stage.

Threats, intrusions, alerts

- Threat: any event that can result in a loss for the target system
- Intrusion: an activity that does not respect the system's security policy
- Alert: a description of an attack, obtained by monitoring several system parameters


Generally, a threat is any event that can result in a loss for the target system. It can be
malevolent, accidental, or even due to a natural disaster. Threat modeling is an important practice
that provides the capability to secure a network environment. It is critical to be aware of the types
of threats and how to reduce or mitigate the risk both in systems and applications on network
devices.
To explain what an intrusion is, some fundamentals about security policy should be given. In its broadest definition, a security policy consists of a set of rules that define how critical assets should be secured. Based on this definition, an intrusion in an information system can be thought of as an activity that does not respect the system's security policy. In other terms, an action that violates one or more security properties (i.e., confidentiality, integrity, availability) of the protected system is considered an intrusion. As an extension of this reasoning, an attack against a communication network is not perceived as an intrusion if it does not violate the security rules of the target system. In this case, the attack is not detected in time and the only information available to the response team is the intrusion outcome; consequently, new rules should be appended to the security policy to prevent future occurrences of the experienced attack.
An alert can be loosely defined as a description of an attack which is achieved by monitoring
several system parameters. Alert generation is an event which is triggered by the occurrence of a
network attack. The main role of alert generation is that it allows the security analyst to identify the
attacks that are carried out against the system to proceed to the appropriate reaction. However,
the alert-attack association is never certain and a single alert can be related to more than one
attack. Hence, mechanisms to determine the most probable attack linked to a specific alert should
be available. Generally, the decision errors that confuse the alert-based incident response break
into two categories: (1) false positives (i.e., an alert is generated in the absence of a network
attack), and (2) false negatives (i.e., no alert is generated while an attack did occur).

Attacks

- An abstract concept which is represented by some pieces of information that may vary according to the situation
  - Threat: outcome, probability
  - Intrusion: elementary actions, composition rules
  - Alert: FP probability, FN probability, alert/attack weight

It follows from the previous discussion that a network attack is rather an abstract concept, represented by pieces of information that may vary according to the situation. For instance, in the context of threat analysis, the information one seeks is whether a security breach has been experienced and, if so, what its probability and impact are. Conversely, when studying an alert, the main concern is to identify the malicious action that is being carried out in order to react at the right moment and in a cost-effective manner. Despite the pervasiveness of network attacks, several fundamental characteristics should be taken into consideration independently of the way the attack is viewed.

Characterizing digital attacks

- Digital attacks have additional properties with regard to traditional ones
  - Coordination
  - Tracing difficulty
  - Rapid propagation
  - Self-propagation
  - Remote execution
  - Weakness of the legal frameworks

Most known attacks

- Password attacks
- Malicious codes
- Sniffing
- Scanning
- Identity spoofing
- Denial of service
- Integrity violations
- Intrusions

Attack features

- Coordination: the attacker often combines multiple elementary attacks or uses several external resources
  - difficult to detect, difficult to characterize
- Incomplete knowledge: an amount of uncertainty always characterizes the attack events
- Versioning: the attack scheme is kept modulo slight modifications

Analyzing attack common features is helpful in the sense that it conveys a better understanding of
both the attacker behavior and the defense capabilities. The most prominent attack
characteristics can be summarized in the following points:
1. Coordination: To achieve a major objective, the attacker often combines multiple elementary
attacks or uses several external resources. This is due to the fact that organized attacks
aiming at disrupting critical infrastructure are beyond the capabilities of a single attacker.
Therefore, multiple attackers can cooperate by resource sharing, task allocation, and
synchronization. Obviously, such attacks are more difficult to detect and to counter.
2. Incomplete knowledge: Threats and alerts, which are often used to select the optimal set of countermeasures for a specific attack scenario, are characterized by an amount of uncertainty. This uncertainty
should be taken into consideration when making decisions based on threat or alert
representation of network attacks. Practically, threats and alerts are used to select the best
set of countermeasures according to a cost-benefit balance. On the one hand, modeling a
threat allows thwarting the attack before its occurrence by adding rules to the security policy.
On the other hand, alerts provide a strong means for reacting against intrusions.
3. Versioning: Statistics show that attack schemes seldom vary. Attackers often introduce
several slight modifications on the attack tool in order to adapt to the existing vulnerabilities or
to bypass the protection mechanisms.

Active/passive attacks

- Active attacks: involve some modification of the data stream or the creation of a false stream
- Passive attacks: provide information about the information system
  - Footprinting: creating a complete profile of an organization's security capabilities
  - Scanning: determining what systems are alive and reachable from the network
  - Enumeration: identifying the accounts that allow access to the victim information system


Similarly to physical attacks, a network attack is commonly carried out through two phases. The
first phase, called reconnaissance, consists in collecting the necessary information in
preparation for the effective attack activity. The second phase, which is the actual attack,
consists in conducting the actions that lead to the final attacker objectives. Customarily, active
attacks occur in the second phase whilst passive attacks are carried out during the early
attack steps.
1. Active attacks: These attacks can have many schemes and achieve different goals (e.g., violating confidentiality, compromising integrity). They encompass modifications of the transmitted streams or the creation of connections that do not conform to the 'normal' system behaviour. The most important categories of active attacks include session hijacking, password cracking, malicious codes, denial of service, and buffer overflow.
2. Passive attacks: These attacks are conducted to methodically gather information about the
information system of the victim organization. They basically break into three categories:
1. Footprinting
2. Scanning
3. Enumeration
It is noteworthy that several scanning and enumeration techniques can, in some situations, be
considered as active attacks.

Footprinting

- Footprinting activities break into four categories:
  - Identifying the major activities supported by the information system
  - Enumerating the networks and the associated domain names
  - DNS interrogation
  - Network reconnaissance


Footprinting basically aims at gathering general information about the target information system.
The objective is to facilitate the next attack steps in the sense that their complexity is reduced.
Four fundamental footprinting activities can be considered:
1. Identifying the major activities supported by the information system: Organizations' web servers often aid attackers in finding useful information. Therefore, HTML pages are scrupulously reviewed by attackers in order to extract coarse information about the victim organization. Moreover, the source code of these HTML pages is of utmost importance to the attacker because items hidden within comment clauses (e.g., "<", "!") often conceal important data. To this end, a mirror of the website of interest can be downloaded to scrutinize the source code offline.
2. Enumerating the networks and the associated domain names: Using the different options of
the “whois”-based queries allows the attacker to glean useful information about the registrar,
the organization, the domain name, the network, or even the point of contact.
3. DNS interrogation: The real problem with DNS queries occurs when an organization does not
use a public/private DNS mechanism to segregate their external DNS information (which is
public) from its internal, private DNS information. In this case, internal hostnames and IP
addresses are disclosed to the attacker. Providing internal IP address information to an
untrusted user over the Internet is akin to providing a complete blueprint, or roadmap, of an
organization’s internal network.
4. Network reconnaissance: The objective of this step is to determine the network topology as
well as potential access paths to the victim network. The “traceroute” command is often used
to this purpose.

Scanning

- The objectives of the scanning activity are basically:
  - Identifying both the TCP and UDP services running on the target system
  - Identifying the type of operating system of the target system
  - Identifying specific applications or versions of a particular service


The attacker can gather many kinds of valuable information using the following scanning
mechanisms:

1. ICMP-based scanning techniques: Ranging from ‘ping sweeps’ to more clever ICMP queries,
these techniques primarily allow to know which hosts are alive within a portion of the network,
but they can also provide more accurate information. For example, with the UNIX tool
icmpquery (http://packetstorm.securify.com/UNIX/scanners/icmpquery.c) – or icmpush
(http://packetstorm.securify.com/UNIX/scanners/icmpush22.tgz), you can request the time on
the system (to see the time zone the system is in) by sending an ICMP type 13 message
(TIMESTAMP). And you can request the netmask of a particular device with the ICMP type 17
message (ADDRESS MASK REQUEST). The netmask of a network card is important because
you can determine all the subnets being used.
2. Port scanning: The major objective of port scanning is to identify listening TCP and UDP ports on the target system. However, it can also extend to operating system identification. The best known port scanning techniques include active stack fingerprinting, TCP SYN scanning, TCP connect scanning, TCP FIN scanning, TCP Null scanning, TCP Xmas Tree scanning, TCP ACK scanning, TCP window scanning, TCP RPC scanning, and UDP scanning.
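From the defender's side, the following added example (not part of the lecture) flags the two scanning patterns described above, ping sweeps and port scans, in constructed firewall log lines; the log format, the time window and the thresholds are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample log lines: "<epoch> <proto> <src> -> <dst>:<dport>"
# (ICMP echo requests carry '-' in the port field).
SAMPLE_LOG = """\
1000 icmp 203.0.113.9 -> 192.0.2.1:-
1001 icmp 203.0.113.9 -> 192.0.2.2:-
1001 icmp 203.0.113.9 -> 192.0.2.3:-
1002 icmp 203.0.113.9 -> 192.0.2.4:-
1003 icmp 203.0.113.9 -> 192.0.2.5:-
1010 tcp 198.51.100.7 -> 192.0.2.10:22
1010 tcp 198.51.100.7 -> 192.0.2.10:25
1011 tcp 198.51.100.7 -> 192.0.2.10:80
1011 tcp 198.51.100.7 -> 192.0.2.10:110
1012 tcp 198.51.100.7 -> 192.0.2.10:143
1012 tcp 198.51.100.7 -> 192.0.2.10:443
1020 tcp 192.0.2.50 -> 192.0.2.10:443
1025 tcp 192.0.2.50 -> 192.0.2.10:443
"""

def parse_line(line):
    """Split one log line into (timestamp, proto, src, dst_host, dst_port)."""
    ts, proto, src, _, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return int(ts), proto, src, host, port

def detect_scans(log, window=30, sweep_hosts=4, scan_ports=5):
    """Return {source: kind} for sources that, inside one time window, either
    ping many distinct hosts (ping sweep) or probe many distinct (host, port)
    pairs (port scan). Thresholds are assumed values, not lecture material."""
    events = [parse_line(line) for line in log.strip().splitlines()]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        # sliding window anchored at each event of this source
        for i, (t0, _, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            icmp_targets = {e[3] for e in win if e[1] == "icmp"}
            tcp_pairs = {(e[3], e[4]) for e in win if e[1] == "tcp"}
            if len(icmp_targets) >= sweep_hosts:
                findings[src] = "ping sweep"
                break
            if len(tcp_pairs) >= scan_ports:
                findings[src] = "port scan"
                break
    return findings
```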

Enumeration

- Enumeration activities aim at:
  - Poorly protected network resources and shares
  - Weakly authenticated active user accounts
  - Vulnerable applications and operating systems
- Enumeration techniques are operating system-specific
- Information is gathered through active connections to target systems and directed queries


When conducting enumeration activities, the attacker may look for:

1. Poorly protected network resources and shares: The 'net view' command is a great example of a built-in enumeration tool. It is a simple NT/2000 command-line utility that will list domains available on the network and then lay bare all machines in a domain.
2. Weakly authenticated active user accounts: Many applications and operating systems provide
non-authenticated user accounts. Even though such accounts do not offer full privileges to the
user, they remain among the most useful (from the attacker perspective) vulnerabilities.
Moreover, services like ‘NetBios’ may reveal information about users and groups.
3. Vulnerable applications and operating systems: 'Banner grabbing' is a technique that identifies the operating system or the applications installed on the target system. Identifying the software and version running on the victim machine is often enough to start the vulnerability identification process. In particular, these data allow the attacker to narrow his search when looking for 'exploitable' weaknesses.

Buffer overflows

Source: P.-A. Fayolle, Glaume, "A Buffer Overflow Study, Attacks and Defenses," 2002.


Buffer overflow attacks exploit the procedure call flow to execute non-authorized commands.
From one point of view, a procedure call alters the flow of control just as a jump does, but unlike a
jump, when finished performing its task, a function returns control to the statement or instruction
following the call. Basically, a buffer overflow is the result of stuffing more data into a buffer than it
can handle. It allows the attacker to change the return address of a function so that he can change
the flow of execution of the program. Typically, the return pointer of a given function is replaced by
the address of the non-authorized process (or command) that the attacker wants to execute.
Buffer overflow-based attacks can be categorized into stack overflow, heap overflow, stack
overrun, and heap overrun.

Denial-of-Service

- DoS attacks aim at denying legitimate and authorized users access to a specific service
- The outcome of DoS attacks is proportional to the importance of the victim service
- Most DoS attacks rely on the flooding principle


Denial-of-Service attacks use the nature of a communication protocol and flood a target with a
specific packet. Three major examples of flooding attacks are considered in the following:
- SYN flood: The SYN flood attack consists simply of sending a large number of SYN packets and never acknowledging any of the replies (i.e., SYN-ACK). This violation of the TCP handshake leads the recipient to accumulate more records of SYN packets than its software (implementing the TCP/IP stack) can handle. The most popular version of the attack does not reveal the actual IP address of the attacker: the return address associated with the initial SYN packets is in this case not valid, so the victim returns the SYN-ACK packet to an address that does not respond or does not even exist.
A technical fix, called SYN cookies, was devised and incorporated in the Linux OS in 1996 (since then it has been extended to some other OSs). Rather than keeping a copy of the incoming SYN packet, the victim simply uses a sequence number that is derived from the sequence number of the initiator (i.e., the host that initiates the connection).
- Smurf attack: This attack exploits the Internet Control Message Protocol (ICMP), which enables
users to send an echo packet to a remote host to check whether it is alive. The problem arises
with broadcast addresses that correspond to more than one host. Some implementations of the
Internet protocols respond to pings to both the broadcast address and their local address (the idea
was to test a LAN to gather the hosts that are alive). The attack is to construct a packet with the
source address forged to be that of the victim, and send it to a number of Smurf amplifiers that will
each respond (if alive) by sending a packet to the target, and this can swamp the target with more
packets than it can cope with.
- Tribe Flood Network (TFN): TFN is made up of client and daemon programs, which implement a distributed denial-of-service tool capable of waging ICMP flood, SYN flood, UDP flood, and Smurf-style attacks. The attacker(s) control one or more clients, each of which can control many daemons. The client instructs all the daemons to coordinate a packet-based attack against one or more victim systems. This reduces the victim's chances of surviving the flooding attack, because it faces hundreds (even thousands) of machines instead of a single attacker. This type of attack also hides the identity of the attack source.
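The SYN cookie fix described under the SYN flood above, as an added example that is not part of the lecture: the server keeps no record of the half-open connection and instead derives its own sequence number from the client's sequence number, the connection tuple and a coarse clock, then recomputes it when the final ACK arrives. The keyed hash, the 64-second counter and the 8 + 24 bit layout are assumptions of this example.

```python
import hmac
import hashlib

SECRET = b"constructed-server-secret"   # constructed; a real server draws this at random
COUNTER_SECONDS = 64                    # assumed granularity of the time counter
MASK32 = 0xFFFFFFFF

def _mac24(src, sport, dst, dport, counter):
    """24-bit keyed MAC over the connection 4-tuple and the time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def make_cookie(src, sport, dst, dport, client_isn, now):
    """Server ISN placed in the SYN-ACK. Nothing is stored for the half-open
    connection: the ISN carries the time counter (top 8 bits) and the MAC
    (low 24 bits), offset by the client's ISN so it stays bound to the SYN."""
    counter = (now // COUNTER_SECONDS) & 0xFF
    cookie = (counter << 24) | _mac24(src, sport, dst, dport, counter)
    return (cookie + client_isn) & MASK32

def check_cookie(src, sport, dst, dport, seq, ack, now):
    """Validate the third-handshake ACK (seq = client_isn + 1, ack = server_isn + 1)
    from the packet and the clock alone; a spoofed SYN never reaches this step."""
    client_isn = (seq - 1) & MASK32
    cookie = (ack - 1 - client_isn) & MASK32
    counter, mac = cookie >> 24, cookie & 0xFFFFFF
    current = (now // COUNTER_SECONDS) & 0xFF
    if counter not in (current, (current - 1) & 0xFF):
        return False                          # stale cookie (or a forged ACK)
    expected = _mac24(src, sport, dst, dport, counter)
    return hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big"))
```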

Spoofing attacks

- The attacker fakes his identity as that of a legitimate user
- The best known spoofing techniques include:
  - IP address spoofing
  - ARP address spoofing
  - Session hijacking
  - DNS spoofing
  - Sequence number spoofing
  - Phishing

In a spoofing attack, a user appears to be someone else, i.e., the attacker fakes his identity as that of a legitimate user. Through spoofing, the attacker is able to manipulate packets so that they appear to come from another system or network; spoofing could thus concern an internal network IP address or a return email address. This attack technique is customarily used to prepare flooding or other denial-of-service attacks. Spoofing covers a large category of computer attacks; it basically stands for identity falsification or masquerading. This attack class includes IP address spoofing, session hijacking, Domain Name Service (DNS) spoofing, sequence number spoofing, and replay attacks.
For example, in the case of sequence number spoofing, the attacker must monitor the packets sent from A to B and then guess the sequence number of the packets. Then the attacker knocks out A with a DoS attack and injects his own packets, claiming to have the address of A. A's firewall can defend against spoofing attacks when it has been configured with knowledge of all the IP addresses connected to each of its interfaces: it can then detect a spoofed packet if it arrives on an interface that is not known to be connected to the packet's source address. Many carelessly designed protocols are subject to spoofing attacks, including many of those used on the Internet.
Another kind of spoofing is "web page spoofing," also known as phishing. In this attack, a web page is reproduced almost identically on another server that is owned and operated by someone else. This attack is intended to fool the victims into thinking that they are connected to a trusted site. Typically, a payment system's login page might be spoofed, allowing the attacker to harvest user names and passwords. This is often performed with the aid of DNS cache poisoning in order to direct the user away from the legitimate site and to the false one. Once the user enters his password, the attack code reports a password error and then redirects the user back to the legitimate site.

Preventive security

Reactive security

Further readings

- M. Hamdi, N. Boudriga, "Network Attacks," The Handbook of Computer Networks, Vol. 3, EiC: Hossein Bidgoli, John Wiley & Sons, ISBN: 0471784613, 2007.
- J. Scambray, S. McClure, G. Kurtz, "Hacking Exposed," Osborne/McGraw-Hill, ISBN: 0-07-219214-3, 2001.

Part II: Preventive countermeasure techniques

1- Firewalls

- "The basic function of a firewall is to screen network communications for the purposes of preventing unauthorized access to or from a computer network" (Strassberg et al., "Firewalls: the Complete Reference," 2002)
- A firewall allows defining multiple security domains
- A firewall has the following properties:
  - All communications should pass through the firewall
  - Only authorized traffic is permitted
  - Security mechanisms should protect the firewall itself from attacks

Assessing the firewall technology

- Firewall strengths
  - Enforcing security policies
  - Restricting access to specific services
  - Logging the access activity
- Firewall weaknesses
  - Attacks can be embedded in the normal system behaviour
  - Efficiency depends on the implemented rules (i.e., security policy)
  - High-speed traffic cannot be fully inspected by the firewall

Firewall technologies

- Four firewall technologies are commonly considered
  - Packet filters
  - Application gateways
  - Circuit-level gateways
  - Stateful packet-inspection engines

Packet filtering (1)

- Based on the packet header, the firewall decides to:
  - Pass the packet to an adjacent security domain
  - Drop the packet
  - Reject the packet
- The set of rules (security policy) should take into consideration:
  - Source and destination IP addresses
  - Transport and network protocols
  - Source and destination port numbers

Packet filtering (2)

- Advantages
  - Little overhead
  - Reduced cost
  - Good traffic management
- Disadvantages
  - Direct external/internal connectivity
  - Weak perimeter security
  - Low scalability
  - Vulnerable to spoofing attacks

Application gateways

- Log information about
  - Origin, address, destination, time, duration
- The client program talks to the application gateway instead of the real server
- The client program should include
  - Proxy-aware application software
  - Proxy-aware operating system software
  - Proxy-aware user procedures
  - Proxy-aware routers

Stateful packet inspection engines

- A packet is inspected to determine whether it is part of an existing, established communication flow
- Depending on the protocol, the packet may be inspected further
- If the packet does not have a corresponding entry in the connection table, the firewall inspects the packet against the configured rule set
- The firewall typically uses timers and TCP FIN packet inspection to determine when to remove the connection from the connection table
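An added example, not part of the lecture, of the stateful engine described on this slide, combined with the interface-based anti-spoofing check from the spoofing notes in Part I: packets that match a connection-table entry pass, FIN and an idle timer remove entries, and packets without an entry are checked against the rule set. The rule syntax, the 5-tuple layout, the inside network and the 60-second timeout are assumptions of this example.

```python
import ipaddress

# Networks that live behind the "inside" interface (constructed)
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Ordered rules for packets with no table entry: (iface, proto, dst_port or None, action)
RULES = [
    ("inside", "tcp", 443, "pass"),
    ("outside", "tcp", 80, "pass"),
]
IDLE_TIMEOUT = 60   # seconds without traffic before a flow leaves the table

def make_pkt(iface, src, sport, dst, dport, *flags):
    """Build a packet record; all fields are constructed sample values."""
    return dict(iface=iface, proto="tcp", src=src, sport=sport,
                dst=dst, dport=dport, flags=set(flags))

def spoofed(iface, src):
    """Anti-spoofing: an inside address must arrive on the inside interface,
    and must never arrive from outside."""
    src_is_inside = any(ipaddress.ip_address(src) in net for net in INSIDE_NETS)
    return src_is_inside != (iface == "inside")

def policy(iface, proto, dport):
    """First matching rule wins; anything unmatched is denied."""
    for r_iface, r_proto, r_port, action in RULES:
        if r_iface == iface and r_proto == proto and r_port in (None, dport):
            return action
    return "drop"

class StatefulFilter:
    def __init__(self):
        self.table = {}                  # 5-tuple -> time the flow was last seen

    def _expire(self, now):
        stale = [k for k, t in self.table.items() if now - t > IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]            # timer-based removal

    def handle(self, pkt, now):
        """Return 'pass:...' or 'drop:...' with the reason for the verdict."""
        self._expire(now)
        if spoofed(pkt["iface"], pkt["src"]):
            return "drop:spoofed"
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        for k in (key, reverse):
            if k in self.table:          # part of an established flow
                if "FIN" in pkt["flags"]:
                    del self.table[k]    # FIN-based removal
                    return "pass:closing"
                self.table[k] = now
                return "pass:established"
        if policy(pkt["iface"], pkt["proto"], pkt["dport"]) != "pass":
            return "drop:policy"
        if "SYN" not in pkt["flags"]:
            return "drop:no-state"       # mid-stream packet with no known flow
        self.table[key] = now            # new flow admitted by the rule set
        return "pass:new"
```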
2- Cryptography-Based Security

- Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication
- Cryptanalysis is the science of recovering the plaintext from ciphertext without possessing the key

Generic cryptographic scheme

where $E_{Key_1}(P) = C$ and $D_{Key_2}(C) = P$

- Symmetric algorithms
  - Key1 = Key2, or the keys are easily derived from each other.
- Asymmetric or public key algorithms
  - Different keys, which cannot be derived from each other.
  - The public key can be published without compromising the private key.
  - Encryption and decryption should be easy if the keys are known.
Encryption scheme

- An encryption scheme consists of two sets $\{E_{k_e} : k_e \in K\}$ and $\{D_{k_d} : k_d \in K\}$ verifying
  $\forall k_e \in K,\ \exists!\, k_d \in K : D_{k_d} = E_{k_e}^{-1}$
- Building an encryption scheme requires fixing a message space M, a ciphertext space C, and a key space K, as well as encryption transformations $\{E_{k_e} : k_e \in K\}$ and corresponding decryption transformations $\{D_{k_d} : k_d \in K\}$.

Perfect secrecy

- A perfect encryption scheme can exist only if the secret information k is as long as the plaintext [Shannon, 1943]
- $P = \{p_1, \ldots, p_n\}$, $C = \{c_1, \ldots, c_q\}$
- $p(p_i) = \Pr[\text{transmit } p_i]$
- $p(p_i \mid c_j) = \Pr[\text{recover } p_i \text{ from } c_j]$
- Perfect secrecy is achieved if $p(p_i \mid c_j) = p(p_i)$
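Shannon's condition $p(p_i \mid c_j) = p(p_i)$ checked numerically on a 2-bit message space, as an added example that is not part of the lecture: a one-time pad whose key is as long as the plaintext satisfies it exactly, while a toy cipher whose 1-bit key is stretched over both plaintext bits does not. The plaintext distribution and both toy ciphers are constructed for this example.

```python
from fractions import Fraction
from itertools import product

# Constructed, deliberately non-uniform distribution over 2-bit messages
PLAINTEXT = {0b00: Fraction(1, 2), 0b01: Fraction(1, 4),
             0b10: Fraction(1, 8), 0b11: Fraction(1, 8)}

def otp_2bit(p, k):
    """One-time pad: the key is as long as the plaintext (2 bits)."""
    return p ^ k

def short_key(p, k):
    """Toy cipher whose single key bit is reused for both plaintext bits."""
    return p ^ (0b11 if k else 0b00)

def posterior(encrypt, key_bits):
    """p(p_i | c_j) for every (p_i, c_j) pair when the key is uniformly random."""
    keys = range(1 << key_bits)
    p_key = Fraction(1, len(keys))
    joint = {}                                   # (p, c) -> Pr[p and c]
    for p, k in product(PLAINTEXT, keys):
        c = encrypt(p, k)
        joint[(p, c)] = joint.get((p, c), 0) + PLAINTEXT[p] * p_key
    p_c = {}                                     # c -> Pr[c]
    for (p, c), pr in joint.items():
        p_c[c] = p_c.get(c, 0) + pr
    return {(p, c): pr / p_c[c] for (p, c), pr in joint.items()}

def is_perfectly_secret(encrypt, key_bits):
    """Shannon's condition: seeing the ciphertext changes no plaintext probability."""
    post = posterior(encrypt, key_bits)
    ciphertexts = {c for (_, c) in post}
    return all(post.get((p, c), 0) == PLAINTEXT[p]
               for p in PLAINTEXT for c in ciphertexts)
```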

Perfect authenticity

- Impersonation attack: the adversary forms a fraudulent cryptogram $c_l$ without knowledge about the authentic cryptogram $c_j$
- Substitution attack: the adversary forms a fraudulent cryptogram $c_l$ having some knowledge about the authentic cryptogram $c_j$
- Perfect authenticity cannot be rigorously achieved ($\Pr[\text{impersonation}] \geq \operatorname{card}(P)/\operatorname{card}(C)$)
- "Perfect authenticity" is achieved if, and only if,
  $\min(\Pr[\text{impersonation}], \Pr[\text{substitution}]) = 2^{-I(k, c_j)}$

Modern cryptography

- The assumption that the adversary has unlimited computing resources is abandoned
- Encryption, decryption, and the adversary are modeled by probabilistic algorithms
- The running times of the encryption, decryption, and adversary algorithms are measured as functions of a security parameter s

Stream ciphers

- For a plaintext $P = x_1 x_2 x_3 x_4 x_5 \ldots$ and a key $k = k_1 k_2 k_3 k_4 \ldots$, there exists a function f and an encryption algorithm E such that
  $C = E_{k_1}(x_1)\, E_{k_2}(x_2) \ldots$ and $k_i = f(k, x_1, \ldots, x_{i-1})$
- The values $k_1, k_2, k_3, \ldots$ are called the key stream
- A synchronous cipher is one where the key stream does not depend on the plaintext
- The period of a key stream is a value d such that $k_{i+d} = k_i$
Synchronous vs self-synchronizing stream ciphers (1)

Synchronous stream ciphers:
- Keystreams are generated independently of the message stream
- Encryption does not induce error propagation
- Mechanisms for perfect synchronization are provided

Synchronous vs self-synchronizing stream ciphers (2)

Self-synchronizing stream ciphers:
- Keystream generation depends on the n previous ciphertext digits
- Error propagation is limited
- Resynchronizing is possible
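The error-propagation contrast of the two preceding slides measured directly, as an added example that is not part of the lecture: a synchronous keystream (depending on the key and position only) and a self-synchronizing one (depending on the key and the n previous ciphertext bits) are built from the same toy keyed bit function, one ciphertext bit is flipped in transit, and the corrupted plaintext positions are collected. The keyed bit function, n = 8 and the sample message are constructed for this example.

```python
import hashlib

def to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

PLAINTEXT = to_bits(b"attack at dawn")        # constructed sample, 112 bits
KEY = b"constructed-key"

def key_bit(key, context):
    """Toy keyed bit function f: one pseudorandom bit from the key and a context."""
    return hashlib.sha256(key + bytes(context)).digest()[0] & 1

def synchronous(key, bits, decrypt=False):
    """k_i depends only on the key and the position i, never on the data,
    so encryption and decryption are the same operation."""
    return [b ^ key_bit(key, [i & 0xFF, i >> 8]) for i, b in enumerate(bits)]

def self_synchronizing(key, bits, decrypt=False, n=8):
    """k_i depends on the key and the n previous ciphertext bits."""
    out, history = [], [0] * n                # all-zero history acts as the IV
    for b in bits:
        o = b ^ key_bit(key, history)
        out.append(o)
        c = b if decrypt else o               # the ciphertext bit feeds back
        history = history[1:] + [c]
    return out

def propagation(cipher, key, plaintext, flip_at):
    """Flip one ciphertext bit in transit and return the indices of the
    plaintext bits that come out wrong after decryption."""
    ct = cipher(key, plaintext)
    ct[flip_at] ^= 1
    recovered = cipher(key, ct, decrypt=True)
    return [i for i, (a, b) in enumerate(zip(plaintext, recovered)) if a != b]
```

For the synchronous cipher only the flipped position is wrong; for the self-synchronizing cipher the damage is confined to the flipped bit and the n bits after it, after which the receiver has resynchronized.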

Block Ciphers

- Block ciphers simultaneously encrypt groups of characters of a plaintext message using a fixed encryption transformation
- Memoryless, i.e. the same function (and the same key) is used to encrypt successive blocks
- Some modes of use:
  - Electronic Code Book (ECB):
    - Each plaintext block is encrypted independently
    - The blocks of encrypted messages are not linked
  - Cipher Block Chaining (CBC):
    - The output of one enciphering step is used to modify the input of the next
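The two modes above over a toy 8-bit block cipher, as an added example that is not part of the lecture: with ECB, equal plaintext blocks give equal ciphertext blocks (a pattern the attacker can read off), whereas CBC feeds each output into the next input. The toy cipher is a constructed keyed permutation of the byte values, not a real block cipher, and the IV and message are constructed.

```python
import random

def make_toy_cipher(key):
    """Constructed toy block cipher on 8-bit blocks: a keyed permutation of the
    256 byte values. Returns (encrypt, decrypt) functions on one block."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return table.__getitem__, inverse.__getitem__

def ecb_encrypt(enc, blocks):
    return [enc(b) for b in blocks]           # each block handled independently

def ecb_decrypt(dec, blocks):
    return [dec(b) for b in blocks]

def cbc_encrypt(enc, blocks, iv):
    out, prev = [], iv
    for b in blocks:
        prev = enc(b ^ prev)                  # previous output modifies next input
        out.append(prev)
    return out

def cbc_decrypt(dec, blocks, iv):
    out, prev = [], iv
    for c in blocks:
        out.append(dec(c) ^ prev)
        prev = c
    return out

def repeated_blocks(blocks):
    """How many blocks duplicate an earlier one: the pattern that ECB leaks."""
    return len(blocks) - len(set(blocks))

PLAINTEXT = list(b"AAAAAAAABBBBAAAA")        # constructed: 16 one-byte blocks
IV = 0x5A                                     # constructed initialization vector

def demo(key="constructed-key"):
    """Encrypt the sample in both modes and report leakage and round trips."""
    enc, dec = make_toy_cipher(key)
    ecb = ecb_encrypt(enc, PLAINTEXT)
    cbc = cbc_encrypt(enc, PLAINTEXT, IV)
    return {"ecb_repeats": repeated_blocks(ecb),
            "cbc_repeats": repeated_blocks(cbc),
            "ecb_ok": ecb_decrypt(dec, ecb) == PLAINTEXT,
            "cbc_ok": cbc_decrypt(dec, cbc, IV) == PLAINTEXT}
```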

Design characteristics for block ciphers

- Choice of block length n
  - n too long ⇒ complex algorithm, performance loss
  - n too short ⇒ weak encryption, easy to attack
  - modern variants use n = 40…256 bits; 64-bit is a reasonable compromise
- Definition of the encryption function ek
  - Good algorithms can be published; data are protected by hiding the key
- Choice of the key length of k
  - k too short ⇒ systematic testing of all valid keys (brute force attack)
  - (Against brute force attacks a minimum of 70 bits is necessary)
Data Encryption Standard (DES)

[Figure: DES overview]
- 64-bit input block
- 1. Initial block permutation
- 2. Generation of round keys: 16 per-round 48-bit keys k1, ..., k16 are derived from the 56-bit key kDES
- 3. Encryption in 16 identical rounds (round i uses ki); additional step: swap the left and right halves
- 4. Final block permutation
- 64-bit output block
Step 1 and 4: input and output permutations

Input permutation (IP):

58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

Output permutation (IP^-1):

40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25

Entry i of a table gives the input bit that becomes output bit i: under IP, input bit 1 goes to position 40; under IP^-1, input bit 40 goes back to position 1.

Mohamed Hamdi

42
Step 3 : one DES round
(figure: one Feistel round for encryption and for decryption)

Encryption: the 64-bit input block is split into a left half Li and a right half Ri (32 bits each). The cipher function f is applied to Ri with the round key ki and the result is XORed with Li:
  Li+1 = Ri
  Ri+1 = Li XOR f(Ri, ki)
The halves Li+1 and Ri+1 form the 64-bit output block.

Decryption: the same round structure is run with the halves taken in the opposite order; given Li+1 and Ri+1 it recovers
  Ri = Li+1
  Li = Ri+1 XOR f(Li+1, ki)
so decryption uses the same cipher function f with the round keys applied in reverse order (k16 … k1); f never has to be inverted.
43
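The Feistel round structure just described, together with the ECB and CBC modes from the Block Ciphers slide, as one added example that is not part of the original slides. The block cipher is a toy 16-round Feistel network on 64-bit blocks whose key schedule and cipher function are hash-based stand-ins (an assumption; DES's real key schedule, expansion, S-boxes and permutations are not reproduced), so it shows the round/decryption structure and the mode behaviour, not DES itself. The sample key and plaintext are constructed.

```python
import hashlib
import os

BLOCK = 8      # 64-bit blocks, as in DES
ROUNDS = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_keys(key: bytes) -> list:
    """Toy key schedule (assumption): round key i is a hash of the key and i.
    DES instead selects 48 permuted bits of the 56-bit key per round."""
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(ROUNDS)]


def cipher_function(right: bytes, k: bytes) -> bytes:
    """Toy stand-in for DES's expansion / key mixing / S-boxes / permutation."""
    return hashlib.sha256(k + right).digest()[:4]


def feistel(block: bytes, keys: list) -> bytes:
    """Rounds L(i+1) = R(i), R(i+1) = L(i) XOR f(R(i), k(i)), then the final swap."""
    left, right = block[:4], block[4:]
    for k in keys:
        left, right = right, _xor(left, cipher_function(right, k))
    return right + left  # final swap of the halves, as DES does after round 16


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, round_keys(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    # Same network, same f, round keys in reverse order: no inverse of f is needed.
    return feistel(block, round_keys(key)[::-1])


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    pt = pad(pt)
    return b"".join(encrypt_block(pt[i:i + BLOCK], key) for i in range(0, len(pt), BLOCK))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(ct[i:i + BLOCK], key) for i in range(0, len(ct), BLOCK)))


def cbc_encrypt(key: bytes, pt: bytes, iv: bytes = None) -> bytes:
    iv = iv or os.urandom(BLOCK)
    pt, prev, out = pad(pt), iv, []
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(_xor(pt[i:i + BLOCK], prev), key)  # chain previous ciphertext in
        out.append(prev)
    return iv + b"".join(out)  # the IV travels in clear in front of the ciphertext


def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    prev, out = ct[:BLOCK], []
    for i in range(BLOCK, len(ct), BLOCK):
        out.append(_xor(decrypt_block(ct[i:i + BLOCK], key), prev))
        prev = ct[i:i + BLOCK]
    return unpad(b"".join(out))


def repeated_blocks(ct: bytes) -> int:
    """How many ciphertext blocks repeat an earlier one: the pattern leak of ECB."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))
```

Encrypting a plaintext made of four identical blocks with `ecb_encrypt` yields three repeated ciphertext blocks, whereas `cbc_encrypt` yields none; `decrypt_block` inverts `encrypt_block` purely by reversing the key order.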
Step 3: cipher function - expansion and substitution
• Expand the 32-bit input block Ri to a 48-bit block Ri'
  - Divide the 32-bit input block into 8 chunks of 4 bits
  - Expansion: extend each 4-bit segment with its neighbouring bits (one on each side, wrapping around at the ends) to 6 bits

Input bit positions:        1  2  3  4  5  6  7  8  9  … 32
Expanded block (48 bits):  32  1  2  3  4  5 | 4  5  6  7  8  9 | …

The 48-bit result is XORed with the 48-bit round key before entering the S-boxes.
44
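The IP and IP-1 tables from the permutation slide and the expansion rule from this slide, as an added example that is not part of the original slides. The two tables are transcribed from the slide; the expansion table is generated from the stated rule (each 4-bit chunk plus its neighbour on each side, wrapping) and checked against the twelve entries the slide shows. The `is_inverse` check confirms that IP-1 really undoes IP, and `roundtrip` shows that these permutations only reorder bits and add no secrecy.

```python
# Tables transcribed from the slides: the entry at output position i (1-based) is the input bit moved there.
IP = [58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7]
IP_INV = [40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23, 63, 31,
          38, 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29,
          36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, 27,
          34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17, 57, 25]


def permute(bits: list, table: list) -> list:
    """Output position i takes input bit table[i] (1-based numbering as on the slides)."""
    return [bits[t - 1] for t in table]


def expansion_table() -> list:
    """E: each 4-bit chunk of R is extended with its neighbour on each side (wrapping)."""
    table = []
    for chunk in range(8):
        base = 4 * chunk                     # 0, 4, 8, ... 28
        table.append((base - 1) % 32 + 1)    # left neighbour (bit 32 for the first chunk)
        table.extend(base + k for k in range(1, 5))
        table.append((base + 4) % 32 + 1)    #  right neighbour (bit 1 for the last chunk)
    return table


def is_inverse(p: list, q: list) -> bool:
    """q undoes p iff applying p and then q sends every position back to itself."""
    return all(p[q[i] - 1] == i + 1 for i in range(len(p)))


def bytes_to_bits(data: bytes) -> list:
    return [(byte >> (7 - j)) & 1 for byte in data for j in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def roundtrip(block: bytes) -> bytes:
    """IP followed by IP^-1 returns the block unchanged: the permutations add no secrecy."""
    return bits_to_bytes(permute(permute(bytes_to_bits(block), IP), IP_INV))


def expand(right: bytes) -> list:
    """32-bit half block -> 48 bits, ready to be XORed with the 48-bit round key."""
    return permute(bytes_to_bits(right), expansion_table())
```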
Step 3 : cipher function: S-Boxes for substitution

Each 6-bit chunk of Ri' XOR ki enters one of eight S-boxes and leaves as 4 bits. The outer two bits select the row, the inner four bits select the column. Example input 0 0 0 1 0 1: outer bits 01 select row 01, inner bits 0010 select column 0010, output 0111.

S-box S1 (columns 0101 … 1110 omitted on the slide):
row \ column  0000  0001  0010  0011  0100  …  1111
00            1110  0100  1101  0001  0010  …  0111
01            0000  1111  0111  0100  1110  …  1000
10            0100  0001  1110  1000  1101  …  0000
11            1111  1100  1000  0010  0100  …  1101

The outputs of the eight S-boxes are combined into a 32-bit block (which is then permuted before being XORed with Li).
45
RSA
1. Choose two large prime numbers, p and q, of equal length, and compute n = p × q, the public modulus
2. Choose a public exponent e such that e and (p-1)(q-1) are relatively prime
3. Compute the private exponent d such that e × d ≡ 1 mod (p-1)(q-1) (d is the inverse of e modulo (p-1)(q-1); it exists because e and (p-1)(q-1) are relatively prime)
4. Thus C = P^e mod n and P = C^d mod n, where P is the plaintext and C is the ciphertext; (n, e) is the public key, d (together with p and q) stays private
46
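The four steps above carried through on toy parameters, as an added example that is not part of the original slides. The primes p = 61, q = 53 and exponent e = 17 are constructed for illustration and are far too small for real use; the modular inverse is computed with Python's three-argument `pow`. `malleability_demo` shows the caveat a practitioner wants with textbook RSA: without padding, ciphertexts can be multiplied to forge a ciphertext for a product of messages.

```python
import math


def rsa_keypair(p: int, q: int, e: int = 65537) -> tuple:
    """Return ((n, e), (n, d)). p and q are assumed to be distinct primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse: e*d = 1 mod (p-1)(q-1)  (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub: tuple, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)          # C = P^e mod n


def rsa_decrypt(priv: tuple, c: int) -> int:
    n, d = priv
    return pow(c, d, n)          # P = C^d mod n


def malleability_demo(pub: tuple, m1: int, m2: int) -> bool:
    """Textbook RSA is multiplicatively homomorphic: E(m1)*E(m2) = E(m1*m2) mod n.
    An attacker can therefore forge E(m1*m2) without the key; padding (e.g. OAEP) prevents it."""
    n, _ = pub
    return (rsa_encrypt(pub, m1) * rsa_encrypt(pub, m2)) % n == rsa_encrypt(pub, (m1 * m2) % n)


# Constructed toy parameters (far too small for real use): p = 61, q = 53, e = 17.
TOY_PUB, TOY_PRIV = rsa_keypair(61, 53, e=17)
```

With these parameters n = 3233, (p-1)(q-1) = 3120 and d = 2753; the plaintext 65 encrypts to 2790 and decrypts back to 65.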
Elliptic Curve Cryptography (ECC)
• Elliptic curve: y² = x³ + ax + b (over a finite field; the points on the curve together with a point at infinity form a group)
• Point addition is the counterpart of modular multiplication, and scalar multiplication (adding a point to itself k times) is the counterpart of modular exponentiation
• Given two points P and R on the curve with P = kR, finding k is a hard problem (the elliptic curve discrete logarithm problem), as for the discrete logarithm problem
• A 160-bit ECC key is equivalent to a 1024-bit RSA key (256-bit ECC corresponds to 3072-bit RSA)
47
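The group law and scalar multiplication on a small curve, as an added example that is not part of the original slides. The curve y² = x³ + 2x + 2 over GF(17) with generator G = (5, 1) of order 19 is a constructed toy; on it the discrete logarithm is solved by brute force in a handful of steps, which is exactly what a 256-bit field makes infeasible. `ecdh_shared` shows the key-agreement use: both sides reach a·(b·G) = b·(a·G).

```python
# Constructed toy curve y^2 = x^3 + 2x + 2 over GF(17) with generator G = (5, 1) of order 19.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
INF = None  # point at infinity, the group's neutral element


def on_curve(pt) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(P, Q):
    """Group law: chord through P and Q for P != Q, tangent at P for doubling."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                     # P + (-P)
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k: int, P):
    """k*P by double-and-add: the ECC counterpart of modular exponentiation."""
    result, addend = INF, P
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def point_order(P) -> int:
    k, Q = 1, P
    while Q is not INF:
        Q = point_add(Q, P)
        k += 1
    return k


def brute_force_log(P, Q) -> int:
    """Solve Q = k*P by trying every k: feasible only because this group has 19 elements."""
    R, k = INF, 0
    while R != Q:
        R = point_add(R, P)
        k += 1
    return k


def ecdh_shared(a: int, b: int) -> tuple:
    """Both parties compute the same point; an eavesdropper sees only a*G and b*G."""
    return scalar_mult(a, scalar_mult(b, G)), scalar_mult(b, scalar_mult(a, G))
```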
Cryptographic Attacks (1)
1. Brute Force
2. Known Plaintext
3. Chosen Plaintext
4. Adaptive Chosen Plaintext
5. Ciphertext Only
6. Chosen Ciphertext
7. Adaptive Chosen Ciphertext


48
Cryptographic Attacks (2)
8. Birthday Attack
9. Meet-in-the-Middle
10. Man-in-the-Middle
11. Differential Cryptanalysis
12. Linear Cryptanalysis
13. Differential Linear Cryptanalysis
14. Factoring
15. Statistical

49
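The birthday attack from the list above, worked on a truncated hash, as an added example that is not part of the original slides. The "tag" is the top n bits of SHA-256 (an assumption standing in for any short hash or MAC value) and the messages are constructed counters. Finding two messages with the same n-bit tag takes about 2^(n/2) hashes, whereas matching one given tag (a second-preimage search) takes about 2^n; that gap is why tag lengths are chosen at twice the intended security level.

```python
import hashlib
import math


def truncated_hash(data: bytes, nbits: int) -> int:
    """The top nbits of SHA-256, standing in for a short hash or MAC tag."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - nbits)


def expected_trials(nbits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^n) random inputs give a 50% collision chance."""
    return math.sqrt(math.pi / 2 * 2 ** nbits)


def birthday_collision(nbits: int, prefix: bytes = b"doc-") -> tuple:
    """Hash distinct messages prefix||i until two share a tag; returns (m1, m2, trials)."""
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        h = truncated_hash(m, nbits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


def second_preimage(target: int, nbits: int, prefix: bytes = b"forged-", limit: int = 1 << 22) -> tuple:
    """Search for ONE given tag: expected cost about 2^n hashes, not 2^(n/2)."""
    for i in range(limit):
        m = prefix + str(i).encode()
        if truncated_hash(m, nbits) == target:
            return m, i + 1
    return None, limit
```

`birthday_collision(32)` typically returns after roughly 80,000 hashes, while `second_preimage` for a 32-bit tag would need on the order of four billion.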
3 - Virtual Private Networks
• A method of ensuring private, secure communication between hosts over an insecure medium using tunneling
• Often established between geographically separate locations (not a necessary condition)
• Via tunneling and software drivers, a computer is logically directly connected to a network that it is not physically a part of

A private network is composed of computers owned by a single organization that share information specifically with each other. They are assured that they are going to be the only ones using the network, and that information sent between them will (at worst) only be seen by others in the group. The typical corporate Local Area Network (LAN) or Wide Area Network (WAN) is an example of a private network. The line between a private and a public network has always been drawn at the gateway router, where a company erects a firewall to keep intruders from the public network out of its private network, or to keep its own internal users from perusing the public network.
VPNs allow you to create a secure, private network over a public network such as the Internet. They can be created using software, hardware, or a combination of the two that creates a secure link between peers over a public network. This is done through encryption, authentication, packet tunneling, and firewalls; what is meant by each of these and the role each plays in a VPN is covered in the following slides. Because they skirt leased-line costs by using the Internet as a WAN, VPNs are more cost-effective for large companies, and well within the reach of smaller ones.
50
Tunneling
• Putting one type of packet inside another
• Both parties must be aware of the tunnel for it to work
• In practice tunnels are built using some means of encryption to secure communications, e.g.
  - IPSec
  - SSH

Many VPN packages use tunneling to create a private network, among them the AltaVista Tunnel, the Point-to-Point Tunneling Protocol (PPTP), the Layer 2 Forwarding Protocol (L2F), and IPSec's tunnel mode. VPNs allow you to connect to a remote network over the Internet, which is an IP network. The fact is, though, that many corporate LANs do not exclusively use IP (although the trend is moving in that direction).
Networks with Windows NT servers, for instance, might use NetBEUI, while Novell servers use IPX. Tunneling allows you to encapsulate a packet within a packet to accommodate incompatible protocols. The packet within the packet can be of the same protocol or of a completely foreign one. For example, tunneling can be used to send IPX packets over the Internet so that a user can connect to an IPX-only Novell server remotely.
With tunneling you can also encapsulate an IP packet within another IP packet. This means you can send packets with arbitrary source and destination addresses across the Internet within a packet that has Internet-routable source and destination addresses. The practical upshot of this is that you can use the reserved (not Internet-routable) IP address space set aside by the Internet Assigned Numbers Authority (IANA) for private networks on your LAN, and still reach your hosts across the Internet. Note that encapsulation alone gives no confidentiality or integrity: an IP-in-IP tunnel without IPSec is readable and forgeable on the wire.
51
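IP-in-IP encapsulation as described above, as an added example that is not part of the original slides: an inner IPv4 packet with RFC 1918 addresses is wrapped in an outer IPv4 header (protocol 4) carrying the two gateways' routable addresses, then unwrapped again. The header builder and parser, including the ones'-complement header checksum, are written here for illustration; the addresses and payload are constructed. No encryption or integrity protection is applied, which is exactly the caveat in the text.

```python
import ipaddress
import socket
import struct

IPPROTO_IPIP = 4          # protocol number for "IP in IP" (also the Next Header value of tunnel mode)
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header without options
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ipv4_checksum(header: bytes) -> int:
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum, followed by the payload."""
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    vihl, _tos, total, ident, _frag, ttl, proto, _csum, src, dst = IPV4_HDR.unpack(pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto, "ttl": ttl,
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,   # a correct header sums to zero
        "payload": pkt[ihl:total],
    }


def encapsulate(inner_pkt: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Outer gateway header in front of the unchanged inner packet."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_IPIP, inner_pkt)


def decapsulate(outer_pkt: bytes) -> dict:
    outer = parse_ipv4(outer_pkt)
    if not outer["checksum_ok"] or outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not a valid IP-in-IP packet")
    return parse_ipv4(outer["payload"])


def is_rfc1918(addr: str) -> bool:
    """True for the IANA-reserved private ranges that are not routable on the public Internet."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)
```

Only the outer header is visible to Internet routers; the inner addresses survive the trip untouched, so two private LANs can talk through the tunnel with no address translation.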
RA versus SS VPNs
• Remote-Access
  - The typical example is a dial-up connection from home or for a mobile worker who needs to reach protected material remotely
• Site-to-Site
  - The typical example is a company that has offices in two different geographical locations and wants a secure network connection between the two
52
VPN-based security services

• VPNs can provide confidentiality, integrity, and authenticity
• VPNs provide anti-replay features
• Security against a determined attacker depends largely upon the underlying protocols used, and on how they are configured: a VPN built on a broken protocol or weak ciphers provides none of the above
53
VPN architectures
• The following architectures are often considered to establish tunnels
  - Gateway to gateway
    · Using two VPN-aware gateways
  - End host to gateway
    · The end host uses VPN software
  - End host to end host
    · Both hosts use software
  - End host to concentrator
54
Introduction to IPSec
• Designed to combat specific shortcomings in IP
  - Address forgery
  - Payload modification
  - Replay
  - Sniffing
• Created to add authentication, confidentiality, and integrity to IP traffic

IP packets have no inherent security. It is relatively easy to forge the addresses of IP packets, modify the contents of IP packets, replay old packets, and inspect the contents of IP packets in transit. IP-level security implements functions to fulfil three major security properties: authentication, confidentiality, and integrity. The authentication mechanisms guarantee that a received packet was, in fact, transmitted by the party specified by the source address in the packet header. In addition, the integrity mechanism allows checking whether the packet has been altered in transit. The confidentiality functions enable communicating parties to encipher the transmitted data in order to prevent third parties from getting read access to sensitive information.
IPSec can be used in many contexts, including the following:
1. Establishing a secure connection between a company's headquarters and its branch office(s): A company can build IPSec-based virtual private networks over a public network (e.g., the Internet) to transmit sensitive data between the headquarters and the branch offices. Such a solution basically saves costs and network management overhead.
2. Getting secure remote access to the company's network: An employee can gain secure access over the Internet to the private company network. This reduces toll charges because the user makes a local call to the Internet Service Provider (ISP) to connect to the company's network.
3. Establishing end-to-end secure connections between hosts: Network applications requiring the protection of sensitive data can use IPSec functions in order to provide secure connectivity between two hosts where the application is installed.
55
Security Association
• A one-way relationship between a sender and a receiver
• Identified by three parameters:
  - Security Parameter Index (SPI)
  - IP destination address
  - Security protocol identifier (AH or ESP)
• SAs are established and managed using key management protocols

The concept of a security association (SA) is fundamental to IPSec. An SA is a relationship between two or more entities that describes how the entities will use security services to communicate securely. IPSec provides many options for performing network encryption and authentication. Each IPSec connection can provide encryption, integrity, authenticity, or all three. When the security service is determined, the two IPSec peers must determine exactly which algorithms to use (for example, DES or 3DES for encryption, MD5 or SHA for integrity; today AES and SHA-2 replace these). After deciding on the algorithms, the two devices must share session keys. As you can see, there is quite a bit of information to manage. The security association is the method that IPSec uses to track all the particulars concerning a given IPSec communication session.
A separate pair of IPSec SAs is set up for each transform (AH or ESP) in use. Each IPSec peer agrees to set up SAs consisting of the policy parameters to be used during the IPSec session. The SAs are unidirectional, so peer 1 offers peer 2 a policy; if peer 2 accepts this policy, it sends that policy back to peer 1. This establishes two one-way SAs between the peers: two-way communication consists of two SAs, one for each direction. Each SA consists of values such as the destination address, a security parameter index (SPI), the IPSec transforms used for that session, the security keys, and additional attributes such as the IPSec lifetime. The SAs in each peer have unique SPI values that are recorded in the Security Association Database (SAD) of each device.
56
SA parameters
• The parameters defining an SA are
  - Sequence number counter
  - Sequence number overflow flag
  - Anti-replay window
  - Lifetime
  - Mode (transport or tunnel)
  - Tunnel parameters
  - PMTU parameters
57
Security Policy Database
• Used to relate SAs to IP traffic
• SPD entries consist of:
  - Parameters defining a subclass of IP traffic (selectors: source/destination addresses, protocol, ports, …)
  - SA pointers (or the action 'discard' or 'bypass' when no SA is needed)
• The SPD and the SA database (SADB) interact: a policy match leads to an SADB lookup
58
Outbound vs Inbound policy (1)
• Outbound IPSec policy
  - Compare the selector fields (taken from the packet) to the SPD entries and retrieve the SA pointers in case of a match (entries are ordered; the first match wins)
  - Determine the appropriate SA(s) for the packet (SADB queries)
  - Apply the required IPSec processing
59
Outbound vs Inbound policy (2)
• Inbound IPSec policy
  - If the packet does not contain any IPSec header
    · The SPD is checked (using the selector fields) for the appropriate policy
    · The possible actions are 'discard', 'bypass', or 'apply' (a packet whose policy says 'apply' but that arrives without IPSec protection must be discarded)
  - If the packet contains an IPSec header
    · The IPSec layer extracts the SPI and the destination IP address (together with the security protocol, AH or ESP) from the packet
    · SADB queries are performed to appropriately decapsulate the packet, after which the selectors of the decapsulated packet are checked against the SPD
60
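The SPD/SADB interplay of the last three slides in code, as an added example that is not part of the original slides. Entries, selectors, addresses and SA parameters are constructed; the SA key is the triple (SPI, destination address, protocol) from the Security Association slide, and the decision functions implement ordered first-match, default deny, and the rule that an unprotected packet whose policy says 'apply' is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Selector:
    """Traffic subclass an SPD entry applies to (None = wildcard)."""
    src: str                        # network in CIDR notation
    dst: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.proto is None or pkt.get("proto") == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport))


@dataclass
class SPDEntry:
    selector: Selector
    action: str                                          # "discard", "bypass" or "apply"
    sa_pointer: Optional[Tuple[int, str, str]] = None    # (SPI, destination, protocol)


class SADB:
    """SAs are keyed by the triple that identifies them: (SPI, destination address, protocol)."""

    def __init__(self):
        self._sas = {}

    def add(self, spi: int, dst: str, protocol: str, params: dict) -> None:
        self._sas[(spi, dst, protocol)] = params

    def lookup(self, spi: int, dst: str, protocol: str) -> Optional[dict]:
        return self._sas.get((spi, dst, protocol))


def outbound_decision(spd: list, sadb: SADB, pkt: dict) -> tuple:
    """Ordered first-match over the SPD; 'apply' additionally needs a live SA."""
    for entry in spd:
        if entry.selector.matches(pkt):
            if entry.action != "apply":
                return entry.action, None
            sa = sadb.lookup(*entry.sa_pointer)
            if sa is None:
                return "discard", None   # no SA yet: IKE must negotiate one before traffic flows
            return "apply", sa
    return "discard", None               # default deny: unmatched traffic never leaves in clear


def inbound_decision(spd: list, sadb: SADB, pkt: dict) -> tuple:
    """Protected packets map to an SA by (SPI, dst, protocol); unprotected ones hit the SPD."""
    if "spi" in pkt:
        sa = sadb.lookup(pkt["spi"], pkt["dst"], pkt["ipsec_proto"])
        return ("apply", sa) if sa else ("discard", None)
    for entry in spd:
        if entry.selector.matches(pkt):
            # an 'apply' policy for a packet that arrived unprotected means the packet is rejected
            return ("discard" if entry.action == "apply" else entry.action), None
    return "discard", None


# Constructed sample policy and SA database (not a real configuration).
SPD = [
    SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0", proto=1), "bypass"),                      # ICMP in clear
    SPDEntry(Selector("10.1.0.0/16", "10.2.0.0/16"), "apply",
             sa_pointer=(0x1001, "198.51.100.2", "ESP")),                               # site-to-site
    SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0", proto=6, dport=23), "discard"),           # no telnet
]
SADB_SAMPLE = SADB()
SADB_SAMPLE.add(0x1001, "198.51.100.2", "ESP", {"cipher": "AES-CBC", "mode": "tunnel"})
```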
Outbound vs Inbound policy (3)
(figure only: outbound and inbound processing flow; no text recoverable)
61
AH and ESP
• AH provides proof of data origin on received packets, data integrity, and anti-replay protection
• ESP provides all that AH provides, in addition to optional data confidentiality and limited traffic-flow confidentiality (but the ESP integrity check does not cover the outer IP header, while AH's does)

The method of protecting IP datagrams or upper-layer protocols uses one of the IPSec protocols: the Encapsulating Security Payload (ESP) or the Authentication Header (AH). AH provides proof of data origin on received packets, data integrity, and anti-replay protection, while ESP provides, in addition to the services offered by AH, optional data confidentiality and limited traffic-flow confidentiality. The IPSec authentication functions allow a networked system to authenticate IP traffic so that it can be filtered appropriately. They also prevent IP spoofing attacks.
62
AH (1)
• Authentication Header protocol
  - Offers authenticity and integrity
  - Uses a keyed cryptographic hash (MAC)
    · Covers the entire packet, including the static (immutable) header fields
  - If any part of the original message changes, it will be detected
  - Does not encrypt the message
  - Can be used to authenticate the source address
    · Prevents IP spoofing

The Authentication Header (AH) provides authentication and integrity to the datagrams passed between two systems. It achieves this by applying a keyed one-way hash function to the datagram to create a message digest. If any part of the datagram is changed during transit, it will be detected by the receiver when it performs the same one-way hash function on the datagram and compares the value with the message digest that the sender has supplied. The one-way hash also involves the use of a secret shared between the two systems, which means that authenticity can be guaranteed.
AH can also enforce anti-replay protection: the sender places a monotonically increasing sequence number in the header, and the receiver keeps a sliding window of the sequence numbers it has already accepted and rejects any packet whose number was already seen or falls below the window. Without this protection, an attacker could resend the same (validly authenticated) packet many times.
63
AH (2)
(figure: AH header layout; the fields are listed below)

The format of the authentication header contains:
• An 8-bit Next Header field: indicates what follows the AH header. In transport mode, it is the value of the upper-layer protocol being protected (e.g., UDP, TCP). In tunnel mode, it is the value 4 for IPv4 and 41 for IPv6.
• An 8-bit Payload Length field: indicates the length of the AH header itself in 32-bit words minus 2.
• A 16-bit Reserved field: for future use. It is currently set to zero.
• A 32-bit SPI field: along with the destination address of the outer IP header, it is used to identify the SA used to authenticate this packet on the receiver side.
• A 32-bit Sequence Number field: a monotonically increasing counter, identical to the one used in ESP. It serves the anti-replay procedure.
• The Authentication Data field: a variable-length field holding the integrity check value (ICV) computed over the packet; it is padded so that the whole AH header is a multiple of 32 bits (IPv4) or 64 bits (IPv6).
AH applies different procedures to outbound and inbound traffic:
1. Outbound processing: When an outbound SA is created, the sequence number counter is initialized to 0. Prior to the construction of an AH header using this SA, the sequence number is incremented. The remaining fields of the AH header are filled in with their appropriate values: the SPI assigned from the SA, the Next Header field set to the type of data following the AH header, the Payload Length set to the number of 32-bit words minus 2. Padding may be needed depending on the requirements of the authenticator or for alignment reasons: the AH header must be a multiple of 32 bits for IPv4 and 64 bits for IPv6. The AH-protected IP packet is then output. Depending on its size, the packet might be fragmented after AH processing.
2. Inbound processing: Reassembly may be required prior to AH input processing if the protected packet was fragmented. The first step when processing any IPSec packet is to find the SA that was used to protect it. The SA is identified by the destination address of the IP header, the protocol (AH), and the SPI of the AH header. If no SA is found, the packet is discarded. A sequence number check is then made: the anti-replay check determines whether this packet is new, a duplicate, or arrived too late. If it fails this check, the packet is discarded. The ICV is then verified; only after a successful verification is the sliding window advanced if necessary.
64
ESP (1)
• Encapsulating Security Payload protocol
  - Offers confidentiality (encryption of the payload in transport mode, of the whole original datagram in tunnel mode)
  - Optionally offers authenticity and integrity through a keyed hash (MAC)
    · The integrity check covers the ESP header, the encrypted payload, and the ESP trailer, but not the outer IP header
  - Anti-replay protection through the sequence number
  - Limited traffic-flow confidentiality (padding hides the exact payload length)

The Encapsulating Security Payload (ESP) is a security protocol used to provide confidentiality (encryption), data origin authentication, integrity, an optional anti-replay service, and limited traffic-flow confidentiality by defeating traffic-flow analysis.
Deciding whether to use AH or ESP in a given situation might seem complex, but it can be simplified to a few rules. When you want to make sure that data from an authenticated source is transferred with integrity and does not need confidentiality, use the AH protocol. If you need to keep data private (confidentiality), then you must use ESP.
ESP encrypts the upper-layer protocols in transport mode and the entire original IP datagram in tunnel mode, so that neither is readable from the wire. ESP can also provide authentication for the packets; in practice ESP with integrity protection is used far more often than AH, and encryption without integrity protection should be avoided, because unauthenticated ciphertext can be manipulated by an attacker.
65
ESP (2)
(figure: ESP packet layout; the fields are listed below)

The ESP header is composed of the following fields:
• 32-bit SPI: combined with the destination address and the protocol in the preceding header, it identifies the appropriate SA.
• Sequence number: provides anti-replay services to ESP.
• Initialization Vector (IV): a variable number of 32-bit words, present when the encryption algorithm requires one.
• Protected data: the actual data being protected by ESP is contained in this field.
• Pad field: a variable-length field, preferably filled with random bits, used to maintain boundaries (certain modes of encryption algorithms require that the input to the cipher be a multiple of its block size).
• Pad Length: 8 bits, indicates the total length of the Padding field.
• Next Header: 8 bits, indicates the type of data that is contained in the payload data field (e.g., 4 indicates IP-in-IP).
• Authentication Data field: holds the result of the data integrity check (ICV).
As for AH, ESP implements different procedures for outbound and inbound packets. These procedures depend on the mode used (transport or tunnel).
66
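A builder and parser for the ESP packet layout just listed, as an added example that is not part of the original slides. To keep the wire format honest without a cipher library, the example assumes the NULL encryption transform (RFC 2410, so no IV and no block alignment beyond the 4-byte trailer alignment) with HMAC-SHA1-96 integrity (RFC 2404, a 12-byte ICV); the key, SPI, sequence number and payload are constructed. The parser verifies the ICV in constant time before it interprets the pad length and next header, which is the order a receiver must follow.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): the first 96 bits of the HMAC


def esp_build(spi: int, seq: int, payload: bytes, next_header: int, auth_key: bytes) -> bytes:
    """ESP packet with NULL encryption (RFC 2410) and HMAC-SHA1-96 integrity."""
    # NULL cipher: no IV and block size 1, so the trailer only needs 4-byte alignment.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # default self-describing padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]   # covers header, data, trailer
    return body + icv


def esp_parse(pkt: bytes, auth_key: bytes) -> dict:
    if len(pkt) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short for ESP")
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):       # constant-time compare, BEFORE touching the trailer
        raise ValueError("ICV mismatch: packet altered or wrong SA")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    data = body[8:-2]
    if pad_len > len(data):
        raise ValueError("pad length exceeds payload")
    payload, padding = data[:len(data) - pad_len], data[len(data) - pad_len:]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding check failed")
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload, "pad_len": pad_len}


def tampered(pkt: bytes, index: int) -> bytes:
    """Flip one bit at index, as an on-path attacker would."""
    return pkt[:index] + bytes([pkt[index] ^ 0x80]) + pkt[index + 1:]


# Constructed sample: a placeholder TCP payload (Next Header 6 = TCP) under a demo key.
SAMPLE_KEY = b"constructed-20-byte-key!"
SAMPLE = esp_build(0x1001, 7, b"GET / HTTP/1.0\r\n", 6, SAMPLE_KEY)
```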
Transport mode

Packet layout (figure):
  Real IP Header | IP Options | IPSec Header | Payload (for example, TCP header and payload)

The IPSec header can be either an ESP header, in which case encryption covers the payload (and the ESP trailer), or an AH header, in which case authentication covers the entire packet (except the mutable IP header fields).

The transport mode protects only the payload portion of the datagram. The use of transport mode in both AH and ESP is detailed in the following:
1. Transport mode AH: The AH is inserted after the original IP header and before the IP payload (e.g., TCP segment). Authentication covers the entire packet, excluding the mutable fields in the IP header, which are set to zero for the MAC calculation. In the specific case of IPv6, AH is considered an end-to-end payload, meaning that it is not processed by intermediate routers. Hence, the AH appears after the IPv6 base header and the hop-by-hop, routing, and fragment extension headers.
2. Transport mode ESP: ESP is used, in this case, to encrypt and optionally authenticate the payload of the IP datagram. The ESP header is inserted before the upper-layer header (e.g., ICMP, TCP, UDP) and an ESP trailer is placed after the packet payload. If the packet is authenticated, the ESP authentication data field is added after the ESP trailer. The entire transport-layer segment plus the ESP trailer are encrypted. Authentication covers the ciphertext (transport-layer segment and ESP trailer) as well as the ESP header. For IPv6 packets, ESP is considered an end-to-end payload which is not processed by intermediate routers. Hence, the ESP header appears after the IPv6 base header and the hop-by-hop, routing, and fragment extension headers. Encryption covers the transport-layer segment and the ESP trailer, plus the destination options extension header if it occurs after the ESP header. Authentication covers the ciphertext plus the ESP header.
67
Tunnel mode

Packet layout (figure):
  GW IP Header | IPSec Header | Real IP Header | Payload (for example, TCP header and payload)

The IPSec header can be either an ESP header, in which case encryption covers the whole original packet (real IP header and payload), or an AH header, in which case authentication covers the whole original packet plus the immutable fields of the gateway IP header.

The tunnel mode protects both the header and the payload of the original IP datagram. The use of this mode in AH and ESP is described in the following:
1. Tunnel mode AH: The entire original IP packet is authenticated, and the AH is inserted between the original IP header and a new gateway IP header. The inner IP header carries the ultimate source and destination addresses, while the outer (i.e., gateway) IP header may carry different IP addresses (e.g., the addresses of the security gateways). Authentication covers the entire inner packet, including the original inner IP header. The outer IP header is protected except for its mutable fields.
2. Tunnel mode ESP: The entire original packet is encrypted and the ESP header is added at the beginning of the datagram. Because the original IP header contains the destination address and possibly source-routing directives, it is necessary to add a new outer header that contains sufficient information for routing; intermediate routers would be unable to process packets with encrypted headers. Obviously, the information contained in the outer header should not be useful for carrying out traffic-analysis attacks (it reveals only the gateway addresses, not the inner hosts).
68
SA combination schemes
• One SA cannot perform both AH and ESP
• Separate security policies can be needed between end hosts and gateways
• SAs can be combined in two ways
  - Transport adjacency
  - Iterated tunneling

One cannot implement both AH and ESP using a single SA. In addition, an individual SA cannot be used to implement different policies between end hosts and gateways. In those cases, multiple SAs are combined for the same IP traffic. The sequence of SAs through which the IP traffic is processed is referred to as an 'SA bundle'.
In practice, SAs can be combined according to two schemes:
1. Transport adjacency: Refers to the case where multiple security protocols are applied to the same packet without modifying the tunneling architecture. This mechanism supports only one level of combination. Furthermore, the computational overhead is not significant because IPSec processing is performed only at the destination end host.
2. Iterated tunneling: Refers to the implementation of different IPSec tunnels between different sites. These tunnels can implement different security policies. Obviously, this technique supports multiple nested tunnels.
It is noteworthy that these two mechanisms can be combined (e.g., a transport SA can be established between hosts and a tunnel SA can be used between intermediate gateways). One extremely important feature is the order in which confidentiality and authentication are applied to the IP datagram: the authenticated data should be the ciphertext (ESP with authentication, or AH applied after ESP), so that a forged packet is rejected before any decryption takes place.
69
Key management
• The IPSec framework mandates support for both automated and manual key management (KM)
• IKE is used to dynamically create SAs
• IKE is based on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), and implements two key management protocols, Oakley and SKEME

Prior to an IP packet being secured by IPSec, a security association must exist. IKE is used to create SAs dynamically: IKE negotiates SAs on behalf of IPSec and populates the SADB. IKE is based on a framework defined by the Internet Security Association and Key Management Protocol (ISAKMP), and implements two key management protocols, Oakley and SKEME.
Oakley is utilized to achieve a secure (Diffie-Hellman based) key exchange. SKEME is another key exchange protocol, in which the parties use public keys to authenticate each other and share components of the exchange. Each side encrypts a random number in the public key of the peer, and both random numbers (after decryption) contribute to the ultimate key.
70
ISAKMP
• Defines procedures and packet formats to establish, negotiate, modify, and delete SAs
• Defines payloads to express certain constructs during an exchange, like hash digests, pseudo-random nonces, certificates, or SAs
• Other payloads are defined to carry notification data, such as error conditions to be passed to the peer, and delete messages instructing a peer to delete an SA

As detailed in the previous slides, two security associations are set up between the cryptographic end-points before they begin to exchange datagrams. The Internet Security Association and Key Management Protocol (ISAKMP) defines generic protocol formats and procedures for the negotiation of security parameters and for entity authentication. The ISAKMP specification defines two basic types of exchanges: Phase 1 exchanges, which are used to negotiate master SAs, and Phase 2 exchanges, which use the master SA to establish other security associations.
A Phase 1 exchange establishes an ISAKMP "security association". The concept of this SA has some similarities to an IPSec SA. The peers must first negotiate their terms, a method to authenticate themselves, and the parameters in which to establish them. The SA is then used to authenticate the subsequent Phase 2.
Phase 2 establishes SAs for other protocols. ISAKMP describes five exchanges. Each exchange has slightly different goals and accomplishes them in a different number of steps. The first step of any exchange is an exchange of cookies (8-byte pseudo-random numbers generated by each ISAKMP entity and assigned to each remote peer). Each cookie is unique to the remote peer and also to the particular exchange in which it is defined. The purpose of the cookies is to provide 'freshness' to the exchange and to let a responder reject forged or replayed requests cheaply before committing resources.
71
ISAKMP header
(figure: ISAKMP header layout; the fields are listed below)

There are 13 distinct payloads defined by ISAKMP. They all begin with the same generic 32-bit payload header (next payload, reserved, payload length). ISAKMP defines payloads to express certain constructs during an exchange, like hash digests, pseudo-random nonces, certificates, or SAs. Other payloads are defined to carry notification data, such as error conditions to be passed to the peer, and delete messages instructing a peer to delete an SA.
The basic structure of the ISAKMP message contains the following fields:
1. Initiator and responder cookies: Uniquely identify an ISAKMP exchange or an ISAKMP security association. They also provide limited protection against denial-of-service attacks: a responder can stop answering a specific system's requests after a certain number of aborted attempts, which protects the computational capabilities available on the system.
2. Next payload: Specifies the type of the ISAKMP payload that follows the header.
3. Major and minor version: Identify the protocol version of the current message.
4. Exchange type: Indicates the type of ISAKMP exchange that is conducted with the current message. There are five pre-defined exchange types, detailed further on.
5. Flags: Contain bits that indicate specific characteristics. The 'encrypt' bit indicates whether the payloads following the header are encrypted. The 'commit' bit indicates a key exchange. The 'authenticate only' bit indicates that the payload of the message is authenticated but not encrypted.
6. Message identifier: Identifies messages that belong to different protocol runs and therefore allows the simultaneous negotiation of multiple security associations.
7. Message length: Indicates the total length of the current message, including the ISAKMP header and all payloads.
8. ISAKMP generic payload: Contains the message payload. A single ISAKMP message can contain multiple chained payloads. The payload type of the following payload is always indicated in the next payload field of the preceding payload or in the ISAKMP protocol header.
72
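The ISAKMP header fields listed above as a builder/parser, as an added example that is not part of the original slides. The 28-byte layout and the exchange-type and flag values are those of the ISAKMP specification; the cookie construction (hash of the addresses, a local secret and fresh randomness) follows the specification's recommendation but is an assumption about a concrete implementation, and the addresses and payload sizes are constructed. `phase1_initial` is the cheap check a responder can make before allocating any state.

```python
import hashlib
import secrets
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # cookies, next payload, version, exchange, flags, msg id, length
FLAG_ENCRYPT, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04
EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}
NO_COOKIE = bytes(8)    # responder cookie is all zeros in the first message of a Phase 1 exchange

LOCAL_SECRET = secrets.token_bytes(16)   # per-process secret, regenerated on restart


def make_cookie(local_addr: str, peer_addr: str, secret: bytes = LOCAL_SECRET) -> bytes:
    """ISAKMP cookie: hash of the addresses, a local secret and fresh randomness.
    Unpredictable by the peer, unique per peer and per exchange."""
    nonce = secrets.token_bytes(8)
    return hashlib.sha256(secret + local_addr.encode() + peer_addr.encode() + nonce).digest()[:8]


def build_header(icookie: bytes, rcookie: bytes, next_payload: int, exchange_type: int,
                 flags: int, message_id: int, payload_len: int) -> bytes:
    version = (1 << 4) | 0     # major version 1, minor version 0
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, version, exchange_type, flags,
                           message_id, ISAKMP_HDR.size + payload_len)


def parse_header(data: bytes) -> dict:
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    ic, rc, np_, ver, et, fl, mid, length = ISAKMP_HDR.unpack(data[:ISAKMP_HDR.size])
    if length > len(data):
        raise ValueError("declared length exceeds datagram: truncated or forged")
    return {
        "icookie": ic, "rcookie": rc, "next_payload": np_,
        "major": ver >> 4, "minor": ver & 0x0F,
        "exchange": EXCHANGE_TYPES.get(et, "reserved(%d)" % et),
        "encrypted": bool(fl & FLAG_ENCRYPT), "commit": bool(fl & FLAG_COMMIT),
        "auth_only": bool(fl & FLAG_AUTH_ONLY),
        "message_id": mid, "length": length,
        "phase1_initial": rc == NO_COOKIE and mid == 0,   # cheap test before any state is created
    }
```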
ISAKMP exchanges (1)

Source: W. Stallings, "Cryptography and Network Security," Prentice Hall, 1999.

ISAKMP proposes five default exchange types, described in the following:
• Base exchange: Allows key exchange and authentication material to be transmitted together. This minimizes the number of exchanges at the expense of not providing identity protection. The first two messages provide cookies and establish an SA with agreed protocol and transforms; both sides use a nonce to ensure protection against replay attacks. The last two messages exchange the key material and user IDs, with the AUTH payload used to authenticate keys, identities, and the nonces from the first two messages.
• Identity protection exchange: Expands the base exchange to protect the users' identities. The first two messages establish the SA. The next two messages perform the key exchange, with nonces for replay protection. Once the session key has been computed, the two parties exchange encrypted messages that contain authentication information, such as digital signatures and optionally certificates validating the public keys.
• Authentication only exchange: Used to perform mutual authentication, without a key exchange. The first two messages establish the SA. Moreover, the responder uses the second message to convey its ID and uses authentication to protect the message. The initiator sends the third message to transmit its authenticated ID.
73
ISAKMP exchanges (2)

Source: W. Stallings, "Cryptography and Network Security," Prentice Hall, 1999.

• Aggressive exchange: Minimizes the number of exchanges at the expense of not providing identity protection. In the first message, the initiator proposes an SA with the associated offered protocol and transform options. The initiator also begins the key exchange and provides its ID. In the second message, the responder indicates its acceptance of the SA with a particular protocol and transform, completes the key exchange, and authenticates the transmitted information. In the third message, the initiator transmits an authentication result that covers the previous information, encrypted using the shared secret session key.
• Informational exchange: Used for one-way transmission of information for SA management.
74
4 - Access Control Techniques
• Set of procedures (hardware, software, administrators) used to monitor access to systems, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules and policies

Access control is the collection of mechanisms that permits the managers of a system to exercise a directing or restraining influence over the behavior, use, and content of the system. This control is employed to achieve the security objectives of the system, such as data integrity and confidentiality.
Access is the ability to do something with a computer resource (e.g., use, change, or view). Access control is the means by which this ability is explicitly enabled or restricted in some way (usually through physical and system-based controls). Computer-based access controls are called logical access controls. Logical access controls can prescribe not only who or what (e.g., in the case of a process) is to have access to a specific system resource but also the type of access that is permitted. These controls may be built into the operating system, may be incorporated into application programs or major utilities (e.g., database management systems or communications systems), or may be implemented through add-on security packages. Logical access controls may be implemented internally to the computer system being protected or may be implemented in external devices.
75
Access control types
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role-Based Access Control (RBAC)
76
Discretionary access control

• Restricts access to objects based solely on the identity of the users (or groups) who are trying to access them

Figure: individuals on the left, resources (Server 1, Server 2, Server 3) on the right; the access list attached to a resource (Application Server 1) reads:
  Name      Access
  Ali       Yes
  Mohamed   No
  Salah     Yes

DAC constitutes a means of restricting access to objects based on the identity of subjects and/or the groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).
According to this principle, the subject (typically the owner) has the authority to specify which objects are accessible, e.g. through access control lists (ACLs). This technique is very common in commercial contexts because of its flexibility; its weakness is that a user, or malware running with that user's rights, can re-grant access at will.
77
Mandatory access control (1)
‰ MAC mechanisms assign a security level to all information, assign a security clearance to each user, and ensure that users only have access to the data for which they have a clearance
‰ Principle (Bell-LaPadula):
  ‰ Read down: a subject may read objects whose classification is equal to or lower than its clearance
  ‰ Write up: a subject may write to objects whose classification is equal to or higher than its clearance


MAC is a means of restricting access to objects based on the sensitivity (as represented by a label) of
the information contained in the objects and the formal authorization (i.e., clearance) of subjects to
access information of such sensitivity.
Authorization of a subject's access to an object depends on labels (sensitivity levels), which indicate
the subject's clearance and the classification or sensitivity of the object. Every object is assigned a
sensitivity label, and only subjects cleared up to that level can access the object. Access depends on
rules fixed by the system, not only on the identity of subjects and objects. Only an administrator may
change the label of a resource; even owners are not allowed to.

78
Mandatory access control (2)
[Figure: individuals with clearances requesting access to resources labelled Server 1 "Top Secret", Server 2 "Secret" and Server 3 "Classified"]


79
Role-based access control (1)
‰ A user has access to an object based on the assigned role
‰ Roles are defined based on job functions
‰ Permissions are defined based on job authority and responsibilities within a job function
‰ Operations on an object are invoked based on the permissions
‰ The object is concerned with the user's role and not the user


80
Role-based access control (2)
[Figure: individuals are assigned to Role 1, Role 2 and Role 3; the roles, not the users, are granted access to Server 1, Server 2 and Server 3]
Users change frequently, roles remain unchanged
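The three models of the preceding slides, side by side as an added example (not code from the slides): a small Python reference monitor that answers the same access requests under DAC, MAC and RBAC rules. The subjects (ali, mohamed, salah), the servers, the labels and the roles are constructed for the illustration; the MAC rules are the Bell-LaPadula "no read up" and "no write down" properties from the MAC slide, and the DAC part shows how a delegated permission propagates past the owner.

```python
"""Toy reference monitor comparing DAC, MAC and RBAC on the same requests.

Added example; not from the original slides. All subjects, objects, roles and
labels are constructed for illustration.
"""
from dataclasses import dataclass


# ---------------- DAC: per-object ACLs, holders of 'grant' may delegate ----------------
class DacMonitor:
    def __init__(self):
        self.acl = {}      # object -> {subject: set(rights)}
        self.owner = {}    # object -> owning subject

    def create(self, owner, obj):
        self.owner[obj] = owner
        self.acl[obj] = {owner: {"read", "write", "grant"}}

    def grant(self, grantor, obj, subject, rights):
        # Discretionary: any holder of 'grant' may pass rights on, even transitively.
        if "grant" not in self.acl[obj].get(grantor, set()):
            return False
        self.acl[obj].setdefault(subject, set()).update(rights)
        return True

    def allowed(self, subject, obj, right):
        return right in self.acl.get(obj, {}).get(subject, set())


# ---------------- MAC: Bell-LaPadula lattice (read down, write up) ----------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


class MacMonitor:
    def __init__(self):
        self.clearance = {}        # subject -> Label
        self.classification = {}   # object -> Label

    def allowed(self, subject, obj, right):
        s, o = self.clearance[subject], self.classification[obj]
        if right == "read":    # simple security property: no read up
            return s.dominates(o)
        if right == "write":   # *-property: no write down
            return o.dominates(s)
        return False


# ---------------- RBAC: users -> roles -> permissions ----------------
class RbacMonitor:
    def __init__(self):
        self.role_perms = {}   # role -> set of (object, right)
        self.user_roles = {}   # user -> set of roles

    def allowed(self, user, obj, right):
        return any((obj, right) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, set()))


def demo():
    """Run the same requests through the three monitors; returns a dict of decisions."""
    dac = DacMonitor()
    dac.create("ali", "server1")
    dac.grant("ali", "server1", "salah", {"read", "grant"})
    dac.grant("salah", "server1", "mohamed", {"read"})   # salah re-delegates without asking ali
    mac = MacMonitor()
    mac.clearance = {"ali": Label("secret"), "mohamed": Label("confidential")}
    mac.classification = {"server1": Label("top secret"), "server2": Label("secret"),
                          "server3": Label("confidential")}
    rbac = RbacMonitor()
    rbac.role_perms = {"dba": {("server2", "read"), ("server2", "write")},
                       "auditor": {("server2", "read"), ("server3", "read")}}
    rbac.user_roles = {"ali": {"dba"}, "mohamed": {"auditor"}}
    return {
        "dac_salah_read": dac.allowed("salah", "server1", "read"),
        "dac_mohamed_read": dac.allowed("mohamed", "server1", "read"),     # leaked via delegation
        "dac_mohamed_write": dac.allowed("mohamed", "server1", "write"),
        "mac_ali_read_ts": mac.allowed("ali", "server1", "read"),         # read up: denied
        "mac_ali_read_conf": mac.allowed("ali", "server3", "read"),       # read down: allowed
        "mac_ali_write_conf": mac.allowed("ali", "server3", "write"),     # write down: denied
        "mac_mohamed_write_secret": mac.allowed("mohamed", "server2", "write"),  # write up: allowed
        "rbac_ali_write": rbac.allowed("ali", "server2", "write"),
        "rbac_mohamed_write": rbac.allowed("mohamed", "server2", "write"),
        "rbac_mohamed_read3": rbac.allowed("mohamed", "server3", "read"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28} {decision}")
```

The DAC rows show why the slide calls the model discretionary: ali never granted mohamed anything, yet mohamed reads server1 because salah could re-delegate. The MAC rows show that a clearance is not a superset of rights: ali (secret) may read the confidential server but may not write to it, since that would move secret-level information downward.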



81
5- SSL/SSH
‰ The transport layer provides efficient and reliable transmission services
‰ Additional security services are needed
‰ Security protocols running on a reliable transport service represent session layer protocols


82
SSL (Secure Sockets Layer)
‰ SSL is a secure data exchange protocol providing
  ‰ Privacy between two Internet applications
  ‰ Authentication of the server (authentication of the client/browser optional)
‰ Uses enveloping: RSA is used to exchange the symmetric (e.g., DES, RC4) session keys
‰ SSL Handshake Protocol
  ‰ Negotiates the symmetric encryption algorithm, authenticates the peers
‰ SSL Record Protocol
  ‰ Packs/unpacks records, performs encryption/decryption and MAC computation
‰ Does not provide non-repudiation


The SSL protocol was first designed with the primary goal of protecting sessions of the
HyperText Transfer Protocol (HTTP). However, it can be used to secure any application that runs
over TCP. SSL Version 3.0 offers the following services (SSL 3.0 has since been superseded by
TLS and formally deprecated in RFC 7568; its mechanisms are presented here for their design,
not for deployment):
•Entity authentication: Prior to any communication between client and server, an
authentication exchange is performed to verify the identity of the server to the client and,
optionally, the identity of the client to the server. After successful authentication, an SSL
session is established between the two entities.
•Confidentiality of user data: If agreed during negotiation of the SSL session, the user data
is encrypted. SSL offers a range of algorithms for this purpose (the cipher suites).
•Data origin authentication and data integrity: Each record is protected with a keyed
cryptographic hash function. SSL Version 3.0 uses a prefix-suffix ("sandwich") construction,
a predecessor of HMAC, about which there were some security concerns. Either MD5 or SHA-1
can be negotiated as the underlying cryptographic hash function.
As in the OSI model, SSL uses the notion of sessions. Prior to actual communication,
client and server establish a session in which the parameters for securing the
communication are negotiated. As in the OSI model, a session can run over multiple
transport layer connections.
The SSL protocol itself is built from two main sub-protocols: a record protocol and a handshake
protocol. The record protocol is the basis for data exchange in SSL sessions. Its
tasks include the fragmentation of user data into plaintext blocks, called records, no longer
than 2^14 octets, the optional compression of plaintext blocks, and the optional encryption
and authentication of plaintext blocks. The handshake protocol is used for entity
authentication and session negotiation. A session can be negotiated so that it can be
duplicated or resumed at a later time, thus allowing an established cryptographic context
to be reused.

83
SSL architecture
[Figure: the SSL protocol layers and their roles: initializing secure communication, initializing communication between client and server, error handling, handling communication with the application, and handling data compression]


84
SSL Record Content
[Figure: layout of an SSL record (content type, version, length, fragment). Source: http://www.microsoft.com/library/media/1033/technet/]


The above figure illustrates the content of SSL records. The content type field identifies the SSL
sub-protocol carried in the record. The following codes are used:
•ChangeCipherSpec (20)
•Alert (21)
•Handshake (22)
•Application data (23)
The version field carries the SSL protocol version (major=3, minor=0 for SSL 3.0). The length field
contains the length of the record fragment in octets. A plaintext fragment is at most 2^14 octets;
after compression the fragment may be at most 2^14 + 2^10 octets, and after encryption at most
2^14 + 2^11 octets (the MAC and the cipher padding account for the extra room). An implementation
must reject a record whose length field exceeds these bounds before processing it further.

85
SSL Record Protocol


The outbound record protocol is executed according to the following steps:

1. The application data is fragmented into fragments of at most 2^14 octets. More than one
message of the same protocol can be assembled into a single fragment.
2. The fragments are then compressed. Compression is optional and is negotiated at session
establishment. It must be lossless and must not increase the fragment length by more than
2^10 octets (in the worst case compression grows the data rather than shrinking it).
3. A MAC of the compressed fragment is computed such that:
MAC = H(WriteMacSecret||pad2||H(WriteMacSecret||pad1||seqnum||type||length||data)),
where seqnum is the 64-bit record sequence number, type is the content type, length is the
fragment length, pad1 is the byte 0x36 and pad2 the byte 0x5c, each repeated 48 times for MD5
and 40 times for SHA-1. The sequence number is not transmitted but maintained by both sides, so
a replayed or reordered record fails MAC verification.
4. The resulting data is encrypted using the method negotiated at session establishment. With a
block cipher, the data is padded to a multiple of the cipher's block length. The record is then
handed to the service interface of the transport protocol.
The inverse steps are performed for inbound SSL traffic.
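The four outbound steps above, as an added Python example (not code from the slides): fragmentation to 2^14 octets, the SSL 3.0 MAC with its pad1/pad2 construction, framing with the content type, version and length fields, and the inbound check that undoes them. Compression and encryption are left out (equivalent to a NULL cipher suite such as SSL_RSA_WITH_NULL_SHA) so the MAC layout stays visible; the MAC secret, sequence numbers and payload are constructed values.

```python
"""SSL 3.0 outbound record processing: fragment, MAC, frame; and the inbound check.

Added example, not code from the slides. Encryption is omitted (a NULL cipher, as
in SSL_RSA_WITH_NULL_SHA) so the MAC layout stays visible; the key, sequence
numbers and payload are constructed values.
"""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 1 << 14          # 2^14 octets per plaintext record
CONTENT_APPLICATION_DATA = 23
VERSION = (3, 0)                # SSL 3.0


def ssl3_mac(mac_secret, seq_num, content_type, fragment, hash_name="sha1"):
    """SSL 3.0 'sandwich' MAC (pre-HMAC):
    H(secret || pad2 || H(secret || pad1 || seq_num || type || length || data))."""
    pad_len = 48 if hash_name == "md5" else 40        # pad sizes fixed by the SSL 3.0 spec
    pad1, pad2 = b"\x36" * pad_len, b"\x5c" * pad_len
    inner = hashlib.new(hash_name, mac_secret + pad1 + struct.pack("!Q", seq_num)
                        + bytes([content_type]) + struct.pack("!H", len(fragment))
                        + fragment).digest()
    return hashlib.new(hash_name, mac_secret + pad2 + inner).digest()


def build_records(mac_secret, data, start_seq=0, content_type=CONTENT_APPLICATION_DATA):
    """Fragment application data and wrap each fragment as a record carrying its MAC."""
    records = []
    seq = start_seq
    for i in range(0, len(data), MAX_FRAGMENT):
        frag = data[i:i + MAX_FRAGMENT]
        body = frag + ssl3_mac(mac_secret, seq, content_type, frag)   # NULL cipher: no encryption
        header = bytes([content_type, *VERSION]) + struct.pack("!H", len(body))
        records.append(header + body)
        seq += 1                                                      # one sequence number per record
    return records


def parse_record(mac_secret, record, seq_num, hash_len=20):
    """Inbound side: check header and length bound, then verify the MAC.
    Returns the fragment, or None if the record must be rejected."""
    if len(record) < 5:
        return None
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    if (major, minor) != VERSION or length > MAX_FRAGMENT + 2048 or len(record) != 5 + length:
        return None
    body = record[5:]
    frag, mac = body[:-hash_len], body[-hash_len:]
    expected = ssl3_mac(mac_secret, seq_num, content_type, frag)
    # Constant-time comparison: a data-dependent early exit here is a classic MAC oracle.
    if not hmac.compare_digest(mac, expected):
        return None
    return frag


if __name__ == "__main__":
    key = b"\x00" * 20                                   # constructed MAC secret
    recs = build_records(key, b"GET / HTTP/1.0\r\n\r\n")
    print(len(recs), "record(s); header", recs[0][:5].hex())
    print(parse_record(key, recs[0], 0))
```

Because the sequence number is an input to the MAC but never appears on the wire, the receiver's own counter is what binds each record to its position: presenting record 1 where record 0 is expected fails verification exactly as a modified byte would.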

86
SSL Handshake Protocol


The above figure presents a detailed overview of SSL session negotiation.

1. The first message contains a 'ClientHello', which combines the highest protocol version
supported by the client, a random number, an optional session ID (used to resume an earlier
session), a list of cipher suites supported by the client and a list of allowable compression
methods.
2. The server responds with a 'ServerHello', the optional message elements
'ServerCertificate', 'ServerKeyExchange' and 'CertificateRequest', and 'ServerHelloDone',
which concludes the flight. The 'ServerHello' carries the selected protocol version, a
random number, a session ID, and the cipher suite and compression method chosen by the
server from the client's lists.
3. The client responds by sending its certificate (if requested), a 'ClientKeyExchange', an
optional 'CertificateVerify', and 'ChangeCipherSpec'. 'ChangeCipherSpec' indicates that all
subsequent messages the client sends are protected with the negotiated cipher suite and keys;
the client's 'Finished' message follows immediately.
4. The server sends its own 'ChangeCipherSpec' to signal that the negotiated cipher suite has
been adopted to protect its subsequent data, followed by its 'Finished' message.
5. Each 'Finished' message is the first message protected under the new keys and contains a
hash over all preceding handshake messages, so each party verifies that the negotiation (in
particular the offered cipher suite list) was not tampered with in transit. Application data
flows only after both 'Finished' messages have been verified.

87
Cipher Suite
‰ For public-key operations, symmetric encryption and certificate verification we need
  ‰ a public-key algorithm
  ‰ a symmetric encryption algorithm
  ‰ a message digest (hash) algorithm
‰ This collection is called a cipher suite
‰ SSL supports many different suites
‰ Client and server must decide which one to use
‰ The client offers a choice; the server picks one


88
Cipher Suites
Cipher suite codes used in SSL messages. Each name reads public-key algorithm, symmetric algorithm, hash algorithm:
SSL_NULL_WITH_NULL_NULL = { 0, 0 }               initial (NULL) cipher suite
SSL_RSA_WITH_NULL_MD5 = { 0, 1 }
SSL_RSA_WITH_NULL_SHA = { 0, 2 }
SSL_RSA_EXPORT_WITH_RC4_40_MD5 = { 0, 3 }
SSL_RSA_WITH_RC4_128_MD5 = { 0, 4 }
SSL_RSA_WITH_RC4_128_SHA = { 0, 5 }
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = { 0, 6 }
SSL_RSA_WITH_IDEA_CBC_SHA = { 0, 7 }
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = { 0, 8 }
SSL_RSA_WITH_DES_CBC_SHA = { 0, 9 }
SSL_RSA_WITH_3DES_EDE_CBC_SHA = { 0, 10 }


SSL supports three methods for negotiating a pre-master secret from which the other session
keys are derived:
1. RSA-protected negotiation: A pre-master secret is randomly created by the client,
encrypted using the public key of the server, and sent to the server in 'ClientKeyExchange'.
The server does not send a key exchange message of its own, as it is not actively involved
in creating the shared secret. Because the secret is encrypted under the server's long-term
key, a later compromise of that key exposes every recorded session; ephemeral Diffie-Hellman
avoids this.
2. Diffie-Hellman: This involves the execution of a conventional Diffie-Hellman key agreement,
with the pre-master secret derived from the shared value g^(cs) mod p, where c is the
client's secret and s is the server's secret.
3. Fortezza: Fortezza is a hardware-token based scheme developed by the NSA for U.S.
government use; the specification of its key exchange was not published with SSL, and it
supports key escrow for government agencies.

89
SSL Encryption
‰ Premaster secret
‰ Created by client; used to “seed” calculation of encryption
parameters
‰ Very simple: 2 bytes of SSL version + 46 random bytes
‰ Sent encrypted to server using server’s public key
‰ Master secret
‰ Generated by both parties from premaster secret and random
values generated by both client and server
‰ Key material
‰ Generated from the master secret and shared random values
‰ Encryption keys
‰ Extracted from the key material


90
Forming the Master Secret
[Figure: the client generates the premaster secret, encrypts it with the server's public key (sent by the server in its certificate or, for temporary keys, in ServerKeyExchange) and sends it in ClientKeyExchange. The premaster secret, the client random (sent in ClientHello) and the server random (sent in ServerHello) are hashed to form the master secret, which is three MD5 hashes concatenated together, i.e., 384 bits. Source: Thomas, SSL and TLS Essentials]


91
Forming the Key Material
[Figure: the same construction as forming the master secret, except that the master secret is used in place of the premaster secret, and the expansion is continued until enough key material is produced. Source: Thomas, SSL and TLS Essentials]


92
Obtaining Keys from the Key Material
[Figure: the key material is split, in order, into the secret values included in message authentication codes, the symmetric keys, and the initialization vectors for DES CBC encryption, each with a client and a server copy. Source: Thomas, SSL and TLS Essentials]


93
Further readings
‰ Strassberg
‰ G. Schäfer, "Security in Fixed and Wireless Networks: an Introduction to Securing Data Communications," John Wiley & Sons, ISBN 0-470-86370-6, 2003.
‰ W. Stallings, "Cryptography and Network Security: Principles and Practice," Prentice Hall, ISBN 0-13-869017-0, 1999.
‰ J.C. Foster, V.T. Liu, "Writing Security Tools and Exploits," Syngress, ISBN 1-59749-997-8, 2006.
‰ J. Viega, G. McGraw, "Building Secure Software," Addison-Wesley, ISBN 0-201-72152-X, 2002.
‰ A. Menezes, P. van Oorschot, S. Vanstone, "Handbook of Applied Cryptography," CRC Press, 1996.
‰ B. Schneier, "Applied Cryptography," John Wiley & Sons, ISBN 0-471-12845-7, 1996.


94
Exercises I


95
Part III: Detection and
Reaction to Security
Incidents


96
1- Intrusion Detection and Prevention Systems
‰ Intrusion detection
  ‰ Monitoring events
  ‰ Analyzing signs of intrusions
  ‰ Reporting alerts
‰ Intrusion prevention
  ‰ Attempting to stop the attack process


Intrusion detection is the process of monitoring the events occurring in a computer system or
network and analyzing them for signs of potential incidents, which are violations or imminent
threats of violation of computer security policies, acceptable use policies, or standard security
practices. Intrusion prevention is the process of performing intrusion detection and attempting to
stop detected potential incidents. Intrusion detection and prevention systems (IDPSs) are primarily
focused on identifying potential incidents, logging information about them, attempting to stop
them, and reporting them to security administrators. In addition, organizations use IDPSs for other
purposes, such as identifying problems with security policies, documenting existing threats, and
deterring individuals from violating security policies. IDPSs have become a necessary addition to
the security infrastructure of nearly every organization.
IDPSs typically record information related to observed events, notify security administrators of
important observed events, and produce reports. Many IDPSs can also respond to a detected
threat by attempting to prevent it from succeeding. They use several response techniques, which
involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring
a firewall), or changing the attack's content.

97
Major functions
‰ Information gathering
‰ Event analysis
‰ Report generation
‰ Automated response
  ‰ Stopping the attack
  ‰ Changing the environment
  ‰ Normalizing the attack flow


The major functions that should be implemented in IDPSs are described below:
1. Information gathering: Information is usually recorded locally, and might also be sent to separate
systems such as centralized logging servers, security information and event management (SIEM)
solutions, and enterprise management systems. Sensors are generally used for this purpose. Multiple
sensor implementations and architectures can be used depending on the characteristics of the protected
infrastructure.
2. Event analysis: The role of the analysis process is to analyze the events provided by the information
gathering components. The results of the analysis are sent back to the system as additional events,
typically representing alarms. Analysis encompasses the correlation, fusion, and elimination of security
alerts.
3. Report generation: Once an intrusion-related behavior is detected, the IDPS should notify the security
administrator about it. This notification, known as an alert, occurs through any of several methods,
including the following: e-mails, pages, messages on the IDPS user interface, Simple Network
Management Protocol (SNMP) traps, syslog messages, and user-defined programs and scripts. A
notification message typically includes only basic information regarding an event; administrators need to
access the IDPS for additional information.
4. Automated response: Intrusion prevention functionalities enable the system to stop several detected
attacks. This presupposes interoperability between the IDPS and other security tools, such as
firewalls. The major techniques currently used to prevent the occurrence of intrusions are:
  1. Stopping the attack process: Examples of how this could be done are as follows:
    • Terminate the network connection or user session that is being used for the attack
    • Block access to the target (or possibly other likely targets) from the offending user
    account, IP address, or other attacker attribute
    • Block all access to the targeted host, service, application, or other resource
  2. Changing the environment: The IDPS could change the configuration of other security controls
  to disrupt an attack. Common examples are reconfiguring a network device (e.g., firewall,
  router, switch) to block access from the attacker or to the target, and altering a host-based
  firewall on a target to block incoming attacks. Some IDPSs can even cause patches to be
  applied to a host if the IPS detects that the host has vulnerabilities. Automated blocking has
  a cost: an attacker who can spoof the source of a detected attack can turn the response
  against legitimate addresses, so block lists should be bounded in scope and duration.
  3. Normalizing the attack flow: Some IDPS technologies can remove or replace malicious portions
  of an attack to make it benign. A simple example is an IDPS removing an infected file
  attachment from an e-mail and then permitting the cleaned e-mail to reach its recipient. A more
  complex example is an IDPS that acts as a proxy and normalizes incoming requests, which
  means that the proxy repackages the payloads of the requests, discarding header information.
  This might cause certain attacks to be discarded as part of the normalization process.

98
IDPS categories
‰ IDPSs can be categorized according to
  ‰ Detection techniques
    • Signature-based detection
    • Anomaly-based detection
    • Stateful protocol analysis
  ‰ Detection architectures
    • Network-based detection
    • Host-based detection


Techniques used to perform intrusion detection fall into three classes:

1. Signature-based detection: Misuse-based systems are equipped with a database of information (the
knowledge base) that contains a number of attack models (sometimes called "signatures"). The audit
data collected by the IDS is compared with the content of the database and, if a match is found, an alert
is generated. Events that do not match any of the attack models are considered part of legitimate
activities. The main advantage of misuse-based systems is that they usually produce very few false
positives: attack description languages usually allow for modeling of attacks at such a fine level of detail
that only a few legitimate activities match an entry in the knowledge base. However, this approach has
drawbacks as well. First of all, populating the knowledge base is a difficult, resource-intensive task.
Furthermore, misuse-based systems cannot detect previously unknown attacks, or, at most, they can
detect only new variations of previously modeled attacks. Therefore, it is essential to keep the
knowledge base up-to-date when new vulnerabilities and attack techniques are discovered.
2. Anomaly-based detection: Anomaly-based systems are based on the assumption that all anomalous
activities are malicious. Thus, they first build a model of the normal behavior of the system (i.e., a profile)
and then look for anomalous activities, i.e., activities that do not conform to the established model.
Anything that does not correspond to the system profile is flagged as intrusive. The major benefit of
anomaly-based detection methods is that they can be very effective at detecting previously unknown
threats. For example, suppose that a computer becomes infected with a new type of malware. The
malware could consume the computer's processing resources, send large numbers of e-mails, initiate
large numbers of network connections, and perform other behavior that would be significantly different
from the established profiles for the computer. The corresponding drawback is a higher false positive
rate, since any legitimate but unusual activity is flagged as well, and the profile is only as good as the
training data: malicious activity present while the profile is being built is learned as normal.
3. Stateful protocol analysis: Stateful protocol analysis is the process of comparing predetermined profiles
of generally accepted definitions of benign protocol activity against observed events to identify
deviations. Unlike anomaly-based detection, which uses host- or network-specific profiles, stateful
protocol analysis relies on vendor-developed universal profiles that specify how particular protocols
should and should not be used. The "stateful" in stateful protocol analysis means that the IDPS is capable
of understanding and tracking the state of network, transport, and application protocols that have a
notion of state. Stateful protocol analysis can identify unexpected sequences of commands, such as
issuing the same command repeatedly or issuing a command without first issuing a command upon
which it is dependent. Another state tracking feature of stateful protocol analysis is that for protocols that
perform authentication, the IDPS can keep track of the authenticator used for each session, and record
the authenticator used for suspicious activity. This is helpful when investigating an incident. Some IDPSs
can also use the authenticator information to define acceptable activity differently for multiple classes of
users or specific users.

99
Architectural issues (1)
‰ Typical IDPS components are:
  ‰ Sensors
  ‰ Management servers
  ‰ Consoles
  ‰ Database servers


The typical components in an IDPS are as follows:


•Sensors: Sensors and agents monitor and analyze activity. The term sensor is typically used for
IDPS solutions that monitor networks, including network-based, wireless, and network behavior
anomaly detection technologies. The term agent is typically used for host-based IDPS
technologies.
•Management servers: A management server is a centralized device that receives information
from the sensors or agents and manages them. Some management servers perform analysis on
the event information that the sensors or agents provide and can identify events that the individual
sensors or agents cannot. Matching event information from multiple sensors or agents, such as
finding events triggered by the same IP address, is known as correlation. Management servers
are available as both appliance and software-only products. Some small IDPS deployments do not
use any management servers, but most IDPS deployments do. In larger IDPS deployments, there
are often multiple management servers, and in some cases there are two tiers of management
servers.
•Consoles: A console is a program that provides an interface for the IDPS’s users and
administrators. Console software is typically installed onto standard desktop or laptop computers.
Some consoles are used for IDPS administration only, such as configuring sensors or agents and
applying software updates, while other consoles are used strictly for monitoring and analysis.
Some IDPS consoles provide both administration and monitoring capabilities.
•Database servers: A database server is a repository for event information recorded by sensors,
agents, and/or management servers. Many IDPS solutions provide support for database servers.

100
Architectural issues (2)
‰ Network-based IDPSs: inline architecture
[Figure: Internet - router - firewall - inline sensor - switch - private network; the sensor's monitoring points sit on the traffic path, while its management interface connects through a separate IDPS management switch to the management server and console]


An inline sensor is deployed so that the network traffic it is monitoring must pass through it, much
like the traffic flow associated with a firewall. In fact, some inline sensors are hybrid firewall/IDPS
devices, while others are simply IDPSs. The primary motivation for deploying IDPS sensors inline
is to enable them to stop attacks by blocking network traffic. Inline sensors are typically placed
where network firewalls and other network security devices would be placed: at the divisions
between networks, such as connections with external networks and borders between different
internal networks that should be segregated. Inline sensors that are not hybrid firewall/IDPS
devices are often deployed on the more secure side of a network division so that they have less
traffic to process. The above figure shows such a deployment. Sensors can also be placed on the
less secure side of a network division to provide protection for and reduce the load on the dividing
device, such as a firewall. Because an inline sensor is on the path, its failure mode must be chosen
deliberately: fail-closed cuts connectivity when the sensor dies, fail-open leaves the segment
unprotected.

101
Architectural issues (3)
‰ Network-based IDPSs: passive architecture
[Figure: Internet - router - switch - firewall - switch - private network; one passive sensor receives a copy of the traffic from a network tap on the external link, another from a spanning port on the internal switch; both sensors connect through the IDPS management switch to the management server and console]


A passive sensor is deployed so that it monitors a copy of the actual network traffic; no traffic
actually passes through the sensor. Passive sensors are typically deployed so that they can
monitor key network locations, such as the divisions between networks, and key network
segments, such as activity on a demilitarized zone (DMZ) subnet. Passive sensors can monitor
traffic through various methods, including the following:
•Network Tap. A network tap is a direct connection between a sensor and the physical network
media itself, such as a fiber optic cable. The tap provides the sensor with a copy of all network
traffic being carried by the media. Installing a tap generally involves some network downtime, and
problems with a tap could cause additional downtime. Also, unlike spanning ports, which are
usually already present throughout an organization, network taps need to be purchased as add-
ons to the network.
•Spanning Port. Most switches have a spanning (mirror) port, which is a port that can see all network
traffic going through the switch. Connecting a sensor to a spanning port can allow it to monitor
traffic going to and from many hosts. Although this monitoring method is relatively easy and
inexpensive, it can also be problematic. If a switch is configured or reconfigured incorrectly, the
spanning port might not be able to see all the traffic. Another problem with spanning ports is that
their use can be resource-intensive; when a switch is under heavy load, its spanning port might
not be able to see all traffic, or spanning might be temporarily disabled. Also, most switches have
only one spanning port, and there is often a need to have multiple technologies, such as network
monitoring tools, network forensic analysis tools, and other IDPS sensors, monitor the same traffic.

102
Architectural issues (4)
‰ Host-based IDPSs
[Figure: Internet - router - firewall - switch - private network, with a DMZ switch serving public servers that run host-based IDPS agents; a network tap sits on the external link, and the IDPS management switch connects the agents to the management server and console]


Host-based IDPS agents are most commonly deployed to critical hosts such as publicly
accessible servers and servers containing sensitive information. However, because agents are
available for various server and desktop/laptop operating systems, as well as specific server
applications, organizations could potentially deploy agents to most of their servers and
desktops/laptops. Some organizations use host-based IDPS agents primarily to analyze activity
that cannot be monitored by other security controls. For example, network-based IDPS sensors
cannot analyze the activity within encrypted network communications, but host-based IDPS
agents installed on endpoints can see the unencrypted activity.
Moreover, most IDPS agents alter the internal architecture of the hosts on which they are
installed. This is typically done through a shim, which is a layer of code placed between existing
layers of code. A shim intercepts data at a point where it would normally be passed from one
piece of code to another. The shim can then analyze the data and determine whether or not it
should be allowed or denied. Host-based IDPS agents may use shims for several types of
resources, including network traffic, filesystem activity, system calls, Windows registry activity,
and common applications (e.g., e-mail, Web).
Some host-based IDPS agents do not alter the host architecture. Instead, they monitor activity
without shims, or they analyze the artifacts of activity, such as log entries and file modifications.
Although less intrusive to the host, reducing the possibility of the IDPS interfering with the host’s
normal operations, these methods are also generally less effective at detecting threats and often
cannot perform any prevention actions.
One of the important decisions in selecting a host-based IDPS solution is whether to install agents
on hosts or use agent-based appliances. From a detection and prevention perspective, installing
agents on hosts is generally preferable because the agents have direct access to the hosts’
characteristics, often allowing them to perform more comprehensive and accurate detection and
prevention. However, agents often support only a few common OSs; if a host does not use a
supported OS, an appliance can be deployed instead. Another reason to use an appliance instead
of installing an agent on a host is performance; if an agent would negatively impact the
performance of the monitored host too much, it might be necessary to offload the agent’s
functions to an appliance.

103
IDPSs in the wireless context
[Figure: two access points, each serving wireless stations, monitored by wireless sensors; the sensors connect through the IDPS management switch to the management server and console]


The typical components in a wireless IDPS solution are the same as a network-based IDPS: consoles,
database servers (optional), management servers, and sensors. All of the components except sensors have
essentially the same functionality for both types of IDPS. Wireless sensors perform the same basic role as
network-based IDPS sensors, but they function very differently because of the complexities of monitoring
wireless communications.
Unlike a network-based IDPS, which can see all packets on the networks it monitors, a wireless IDPS works
by sampling traffic. There are multiple frequency bands to monitor, and each band is separated into
channels. It is not currently possible for a sensor to monitor all traffic on a band simultaneously; a sensor
has to monitor a single channel at a time. When the sensor is ready to monitor a different channel, the
sensor must shut its radio off, change the channel (known as hopping), then turn its radio on. The longer a
single channel is monitored, the more likely it is that the sensor will miss malicious activity occurring on other
channels. To avoid this, sensors typically hop frequently, so that they can monitor each channel a few times
per second. To reduce or eliminate hopping, specialized sensors are available that use several radios and
high-power antennas, with each radio/antenna pair monitoring a different channel. Because of their higher
sensitivities, the high-power antennas also have a larger monitoring range than regular antennas. Some
implementations coordinate hop patterns among sensors with overlapping ranges so that each sensor
needs to monitor fewer channels.
Wireless IDPS components are typically connected to each other through a wired network. As with a
network-based IDPS, a separate management network or the organization's standard networks can be used
for wireless IDPS component communications. Because there should already be a strictly controlled
separation between the wireless and wired networks, using either a management network or a standard
network should be acceptable for wireless IDPS components. Also, some wireless IDPS sensors (particularly
mobile ones) are used standalone and do not need wired network connectivity.
Choosing sensor locations for a wireless IDPS deployment is a fundamentally different problem from
choosing locations for any other type of IDPS sensor. If the organization uses WLANs, wireless sensors
should be deployed so that they monitor the RF range of the organization's WLANs (both APs and stations),
which often includes mobile components such as laptops and PDAs. Many organizations also deploy
sensors to monitor physical regions of their facilities where there should be no WLAN activity, as well
as channels and bands that the organization's WLANs should not use, as a way of detecting rogue APs and
ad hoc WLANs. Other considerations, such as physical security, sensor range, wired connection availability,
and AP location, should also be taken into account when selecting wireless sensor locations.

104
2- Analyzing Security Alerts


105
Alert correlation
‰ Provides a more succinct and high-level view of occurring or attempted intrusions
‰ Transforms sensor alerts into intrusion reports
‰ Implements two classes of correlation functions:
  ‰ Functions that correlate events that occur close in time and space
  ‰ Functions that operate on events corresponding to an attack scenario that evolves over several hours and that includes alerts generated on different hosts

Alert correlation is a process that takes as input the alerts produced by one or more intrusion
detection sensors and provides a more succinct and high-level view of occurring or attempted
intrusions. The main objective is to produce intrusion reports that capture a high-level view of the
activity on the network without losing security-relevant information.
The alert correlation process consists of a collection of components that transform sensor alerts
into intrusion reports. Because alerts can refer to different kinds of attacks at different levels of
granularity, the correlation process cannot treat all alerts equally. Instead, it is necessary to
provide a set of components that focus on different aspects of the overall correlation task.
Some of the components can operate on all alerts, independent of their type. These components
are used in the initial and final phase of the correlation process to implement general functionality
that is applicable to all alerts. Other components can only work with certain classes of alerts.
These components are responsible for performing specific correlation tasks that cannot be
generalized for arbitrary alerts.
The correlation process implements components which are based on specific functions, which
operate on different spatial and temporal properties. That is, some of the components correlate
events that occur close in time and space (e.g., alerts generated on one host within a small time
window), while others operate on events that represent an attack scenario that evolves over
several hours and that includes alerts that are generated on different hosts (e.g., alerts that
represent large-scale scanning activity). It is natural to combine events that are closely related
(spatially and temporally) into composite alerts, which are in turn used to create higher-level
alerts.

106
Meta-alert
‰ Results from multiple related alerts
‰ Has the same semantics as elementary alerts but its content is derived from their attributes
‰ Points to the alerts that were aggregated to produce the meta-alert

When two or more related alerts are merged as part of the alert correlation process, the result is
called a meta-alert. A meta-alert is similar to an alert, but its contents (e.g., the victims of an attack)
are derived as a function of the attributes of the merged alerts. Each meta-alert also contains
references to all of the alerts that were merged to produce the meta-alert. The decision of whether
alerts should be merged or not is dependent on the particular component of the correlation process
and on the values of relevant attributes of these alerts.
A meta-alert can be further merged with other alerts (either sensor alerts or meta-alerts), resulting
in a hierarchical structure, which can be represented as a tree. The most recent meta-alert is the
root node in this tree, and all successor nodes can be reached by following the references to the
merged alerts. All intermediate nodes in the tree are meta-alerts, while all leaves are sensor
alerts. The purpose of meta-alerts is to aggregate information of related attacks and present a
single alert instance that summarizes all the relevant information to a human analyst.
Whenever the correlation system considers a meta-alert and a sensor alert as candidates for
merging, it first attempts to merge the root of the meta-alert with the sensor alert. If the root alert
cannot be merged, all its successor alerts are independently considered for merging. The process
of finding appropriate alert candidates for merging is repeated recursively until an alert that can be
merged with the sensor alert is found, or until a leaf alert is reached. The idea behind this approach
is the fact that a meta-alert represents the complete attack information of all its successor nodes.
Therefore, alerts are considered in a top-down fashion and merging is performed at the highest
level possible.

107
Normalization
‰ Translates alerts into a standardized format (i.e., unifying syntax and semantics)
  ‰ Attack names should be identical
  ‰ Time/date representation should be unique
  ‰ …

Alert messages are produced by a variety of sensors developed by different vendors and research
groups. Because these alert messages can be encoded in different formats, it is necessary to
translate each alert into a standardized format that is understood by the alert correlation process.
This translation, or normalization, implies that the syntax and semantics of a sensor alert is
recognized.
The purpose of the Intrusion Detection Working Group is to define data formats and exchange
procedures for sharing information of interest to intrusion detection and response systems, and to
management systems which may need to interact with them. The main outcome was the Intrusion
Detection Message Exchange Format data model (IDMEF). IDMEF provides a standard
representation for intrusion alerts. This representation defines the syntax of an alert and specifies
the semantics of certain attributes. However, the IDMEF effort is mostly concerned with syntactic
rules. It is possible, and common, that sensor implementers choose different names for the same
attack, provide incomplete information for certain fields, or choose to include additional fields to
store relevant data. As a result, similar information can be labeled differently or can be included in
different fields. Because there is no specification for the content of most fields, they can be filled
with meaningless strings (most commonly, “unknown” is used).
The intrusion detection community would benefit greatly from a shared alert model that extends
the current IDMEF work with semantic information and a common attack naming scheme. An
ontology for intrusions is a prerequisite for true interoperability between different IDSs. It is
necessary to capture low-level attributes at both the network and the operating system level.
Without a common way of describing all involved entities, sensors will continue to send reports
that appear to disagree even when detecting the same intrusion. In current alert correlation
systems, adapter modules are used to interface with different intrusion detection sensors. Each
module relies on a knowledge base to convert sensor-specific information into attributes and
values usable by the correlator. In order to facilitate convergence, a newly designed alert
correlation system should take alert names from the CVE (Common Vulnerabilities and
Exposures) list, which is a well-known effort to standardize the names for all publicly known
vulnerabilities.

108
Pre-processing
‰ Required because certain sensors omit some fields that are important for the correlation process
‰ The pre-processing phase mainly includes
  ‰ Determining the alert’s time
  ‰ Determining the alert’s source and target
  ‰ Determining the attack’s name

Normalized alerts are denoted by a standardized name and have attributes that are in a format that is
understood by the correlation system. However, an additional preprocessing phase is required because
certain sensors omit some of the fields that are important for the correlation process (i.e., start time, end
time, source, and target).
• Determining alert’s time: The start time and the end time have to be determined for each alert. The start
time of an event is defined as the point in time when this event occurs. The end time of an event is
defined as the point in time when an event ends. The difference between the end time and the start time
denotes the duration of the event. The IDMEF standard defines the following three different classes to
represent time.
  • ‘CreateTime’: This is the time when the alert is created by the analyzer. This is the only
  timestamp considered mandatory by the IDMEF standard.
  • ‘DetectTime’: This is the time when the event(s) producing an alert are detected by the
  analyzer. In the case of more than one event, it is the time the first event was detected.
  • ‘AnalyzerTime’: This is the time at the analyzer when the alert is sent to a correlation system
  (which is called a manager in the IDMEF terminology).
• Determining alert’s source and target: When the timestamps have been set (using any of the techniques
described above), the source(s) and target(s) of the attack have to be determined. According to the
IDMEF standard, the attack source is composed of information about the node, the user, the process,
and the network service that originated the attack. The attack target also includes a list of affected files.
Not all fields have to be defined for both the source and the target, but the correlation system requires at
least one non-empty field for each. When the correlation system receives an alert message with empty
source or target attributes, the preprocessing phase has to provide some best-effort values. For host-
based alerts, the node fields of the attack’s source and target are set to the address of the host where
the sensor is located. For network-based alerts, the node information is taken from the source and
destination IP addresses.
• Determining attack’s name: The alert can be augmented with additional information on the basis of the
standardized alert name that is assigned in the previous phase. An example for such information is the
attack class, which describes the type of an attack with respect to a simple scheme that distinguishes
between local or remote information gathering and privilege escalation attempts. The class information is
useful because it allows one to group together similar attacks.
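The three pre-processing steps above, as an added example that is not code from the course notes or from any particular correlator. The IDMEF time classes, the best-effort source/target rule for host- and network-based alerts and the attack-class grouping follow the text; the choice of DetectTime as start time and AnalyzerTime as end time (with CreateTime as fallback), the field names, the attack-name-to-class table and the sample alerts are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed mapping from standardized attack name to the simple attack-class
# scheme described in the notes (local/remote information gathering, privilege
# escalation). A real correlator would take this from its knowledge base.
ATTACK_CLASSES = {
    "portscan": "remote-info-gathering",
    "ftp-bounce": "remote-info-gathering",
    "setuid-exec": "local-privilege-escalation",
}


@dataclass
class Alert:
    """A normalized alert; names of the fields are assumed for this example."""
    name: str                     # standardized attack name (from normalization)
    sensor_kind: str              # "host" or "network"
    sensor_host: str              # address of the host running the sensor
    create_time: float            # CreateTime: the only mandatory IDMEF timestamp
    detect_time: Optional[float] = None    # DetectTime
    analyzer_time: Optional[float] = None  # AnalyzerTime
    src_ip: Optional[str] = None  # packet addresses, present for network sensors
    dst_ip: Optional[str] = None
    # Fields filled in by pre-processing:
    start_time: Optional[float] = None
    end_time: Optional[float] = None
    source: dict = field(default_factory=dict)
    target: dict = field(default_factory=dict)
    attack_class: Optional[str] = None


def determine_time(alert: Alert) -> None:
    """Assumed rule: DetectTime (time of the first detected event) is the best
    estimate of the start, AnalyzerTime of the end; CreateTime, the only
    mandatory timestamp, is the fallback. The end is never before the start."""
    start = alert.detect_time if alert.detect_time is not None else alert.create_time
    end = alert.analyzer_time if alert.analyzer_time is not None else alert.create_time
    alert.start_time = start
    alert.end_time = max(start, end)


def determine_source_target(alert: Alert) -> None:
    """Best-effort node values when the sensor left source or target empty:
    host-based alerts use the sensor's host for both, network-based alerts use
    the packet's source and destination addresses."""
    if alert.sensor_kind == "host":
        alert.source.setdefault("node", alert.sensor_host)
        alert.target.setdefault("node", alert.sensor_host)
    else:
        if alert.src_ip:
            alert.source.setdefault("node", alert.src_ip)
        if alert.dst_ip:
            alert.target.setdefault("node", alert.dst_ip)
    # The correlation system requires at least one non-empty field on each side.
    if not alert.source or not alert.target:
        raise ValueError(f"alert {alert.name!r}: source or target still empty")


def determine_attack_class(alert: Alert) -> None:
    """Augment the alert with the class derived from its standardized name."""
    alert.attack_class = ATTACK_CLASSES.get(alert.name, "unknown")


def preprocess(alert: Alert) -> Alert:
    determine_time(alert)
    determine_source_target(alert)
    determine_attack_class(alert)
    return alert


def sample_alerts():
    """Constructed sample: a network sensor alert carrying all three timestamps
    and a host sensor alert that reports only the mandatory CreateTime."""
    return [
        Alert("portscan", "network", "10.0.0.5", create_time=105.0,
              detect_time=100.0, analyzer_time=106.0,
              src_ip="192.0.2.7", dst_ip="10.0.0.20"),
        Alert("setuid-exec", "host", "10.0.0.20", create_time=130.0),
    ]


if __name__ == "__main__":
    for a in map(preprocess, sample_alerts()):
        print(a.name, a.start_time, a.end_time, a.source, a.target, a.attack_class)
```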

109
Alert aggregation
‰ The aggregation process consists of five steps:
  ‰ Alert fusion
  ‰ Alert verification
  ‰ Attack scenario reconstruction
  ‰ Distributed attack scenario reconstruction
  ‰ Attack focus recognition

110
Alert fusion


The task of the alert fusion phase is to combine alerts that result from the independent detection
of the same attack occurrence by different intrusion detection systems. Alert fusion acts as a filter
that removes obvious duplicates from the correlation process.
The decision to fuse two alerts in the alert fusion step is based on the temporal difference
between these two alerts and the information that they contain. The alert fusion phase only
considers two alerts as candidates for fusion when their start times and end times differ by less
than a certain, predefined time span. Identical time values are not required, in order to compensate
for clock drift when sensors are located on different machines and for the time it takes the alert
messages to reach the correlator. In addition, it is necessary that the alerts are received from
different sensors. This is reasonable because it cannot be expected that a certain sensor emits two
similar alerts with different time stamps for one single attack occurrence.
Finally, all overlapping attributes (i.e., attributes for which both alerts specify values) have to be
identical. There are no restrictions on the values of attributes that are only specified by a single
alert. At a first glance, these constraints seem very restrictive. However, the purpose of the fusion
phase is to combine duplicate alerts, not to correlate closely related attacks (this is implemented
in later phases).
When two alerts are fused, the resulting meta-alert is assigned the earlier of both start times and
end times. This is done in the assumption that both alerts are related to the same attack, and a
later time stamp is likely to be the result of delays at the sensors. Because the values of attributes
that are defined in both alerts have to be identical, the corresponding attributes of the meta-alert
receive the same values. For attributes that are only defined in a single alert, the corresponding
attributes of the meta-alert are assigned the respective values that are defined. An alternative way
of describing the attributes of the meta-alert after fusing two alerts is that the attribute fields of the
fused meta-alert are set to the union of the values of the respective alert attributes.
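The fusion rules of this section together with the top-down merging into a meta-alert tree described under "Meta-alert", as an added example that is not code from the course notes or from any existing correlator. The fusion criteria (close start and end times, different sensors, identical overlapping attributes) and the meta-alert content (earlier timestamps, union of attributes, references to the merged alerts) follow the text; the time window, the attribute names, the sample alerts and the decision to treat a meta-alert as coming from all sensors below it are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

FUSION_WINDOW = 2.0  # seconds; assumed tolerance for clock drift and delivery delay


@dataclass
class Alert:
    sensor: str            # emitting sensor; "meta" for meta-alerts
    start_time: float
    end_time: float
    attrs: Dict[str, str]  # only the attributes this alert actually specifies
    children: List["Alert"] = field(default_factory=list)  # references to merged alerts

    @property
    def is_meta(self) -> bool:
        return bool(self.children)

    def leaf_sensors(self) -> Set[str]:
        """Sensors whose alerts are aggregated below this node (assumption:
        a meta-alert counts as coming from all of them)."""
        if not self.children:
            return {self.sensor}
        sensors: Set[str] = set()
        for child in self.children:
            sensors |= child.leaf_sensors()
        return sensors


def can_fuse(a: Alert, b: Alert) -> bool:
    """Fusion criteria: start and end times within the window, no sensor in
    common, and equal values for every attribute that both alerts specify."""
    if abs(a.start_time - b.start_time) > FUSION_WINDOW:
        return False
    if abs(a.end_time - b.end_time) > FUSION_WINDOW:
        return False
    if a.leaf_sensors() & b.leaf_sensors():
        return False
    return all(a.attrs[k] == b.attrs[k] for k in a.attrs.keys() & b.attrs.keys())


def fuse(a: Alert, b: Alert) -> Alert:
    """The meta-alert takes the earlier start and end time (a later stamp is
    assumed to be sensor delay) and the union of the attribute values."""
    return Alert("meta", min(a.start_time, b.start_time), min(a.end_time, b.end_time),
                 {**a.attrs, **b.attrs}, children=[a, b])


def merge_top_down(node: Alert, new: Alert) -> Optional[Alert]:
    """Try the root first; if it cannot be fused, descend into the merged
    alerts recursively until a fusable node or a leaf is reached. Returns
    the (possibly new) root, or None when nothing could be merged."""
    if can_fuse(node, new):
        return fuse(node, new)
    for i, child in enumerate(node.children):
        merged = merge_top_down(child, new)
        if merged is not None:
            node.children[i] = merged          # keep the other references intact
            node.attrs = {**node.attrs, **merged.attrs}
            node.start_time = min(node.start_time, merged.start_time)
            node.end_time = min(node.end_time, merged.end_time)
            return node
    return None


def correlate(alerts: List[Alert]) -> List[Alert]:
    """Process alerts in arrival order, fusing each into the first root that
    accepts it; unmatched alerts become new roots."""
    roots: List[Alert] = []
    for new in alerts:
        for i, root in enumerate(roots):
            merged = merge_top_down(root, new)
            if merged is not None:
                roots[i] = merged
                break
        else:
            roots.append(new)
    return roots


def sample_alerts() -> List[Alert]:
    """Constructed: three sensors report one exploit attempt against the same
    victim (each with a different subset of attributes); a fourth alert names
    another target and must stay separate."""
    common = {"name": "ftp-exploit", "src": "192.0.2.7", "target": "10.0.0.20"}
    return [
        Alert("nids-1", 100.0, 101.0, {**common, "port": "21"}),
        Alert("hids-1", 100.5, 101.3, {**common, "process": "ftpd"}),
        Alert("nids-2", 100.2, 101.1, {**common, "port": "21"}),
        Alert("nids-2", 100.0, 101.0, {**common, "target": "10.0.0.99", "port": "21"}),
    ]


if __name__ == "__main__":
    for root in correlate(sample_alerts()):
        print(root.is_meta, sorted(root.leaf_sensors()), root.attrs)
```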

111
Alert verification
‰ Allows one to distinguish between successful and failed intrusion attempts
‰ Reduces the negative impact of false positives
‰ Implements multiple techniques:
  ‰ Pattern matching
  ‰ Behavior modeling
  ‰ …

When a sensor outputs an alert, there are three possibilities:
1. The sensor has correctly identified a successful attack. This alert is most likely relevant (i.e., a true
positive).
2. The sensor has correctly identified an attack, but the attack failed to meet its objectives. Although some
sites might be interested in failed attack attempts, the alert should be differentiated from a successful
instance. This kind of alert is called an irrelevant positive or noncontextual (reflecting the missing contextual
information that the IDS would require to determine a failed attack).
3. The sensor incorrectly identified an event as an attack. The alert represents incorrect information (i.e., a
false positive).
The idea of alert verification is to discriminate between successful and failed intrusion attempts (both false
and irrelevant positives). This is important for the correlation process because although a failed attack
indicates malicious intent, it does not provide increased privileges or any additional information (besides
the fact that an attacker learned that the particular attack is ineffective).
There are different techniques that can be used to perform alert verification.
One possibility is to compare the configuration of the victim machine (e.g., operating system, running
services, service version) to the requirements of a successful attack. When the victim is not vulnerable to
a particular attack (because the configuration does not satisfy the attack requirements), then the alert can
be tagged as failed. Another possibility is to model the expected “outcome” of attacks. The
“outcome” describes the visible and checkable traces that a certain attack leaves at a host or on the
network (e.g., a temporary file or an outgoing network connection). When an alert has to be verified, the
system can check for these traces.
An important distinction between different alert verification mechanisms is whether they are active or
passive. Active verification mechanisms are defined as mechanisms that gather configuration data or
forensic traces after an alert occurs. Passive mechanisms, on the other hand, gather configuration data
once (or at regular, scheduled intervals) and have data available before the attack occurs. Both active
and passive techniques can be used to check attack requirements against victim configurations. To
check for traces that might be left after an attack, only active mechanisms can be employed. Note that
the distinction between active and passive mechanisms is solely based on the point in time when the
configuration or forensic data is collected. Passive mechanisms perform this task before an alert is
received, active mechanisms perform it as a reaction to a received alert.

112
Attack scenario reconstruction

An attack scenario combines a series of alerts that refer to attacks launched by one attacker
against a single target. The goal of this phase is to correlate alerts that are caused by an attacker
that tests different exploits against a certain program or that runs the same exploit multiple times
to guess correct values for certain parameters (e.g., the offsets and memory addresses for a
buffer overflow). The correlation process still operates on very basic relationships between alerts.
The task of attack thread recognition is limited to the aggregation of alerts that are caused by the
activity of a single attacker who focuses on a single target.
Alert threads are constructed by merging alerts with equivalent source and target attributes that
occur in a certain temporal proximity. Attacks are considered to occur in sequence after each
other, and therefore, it is not necessary that both start times and end times of the alerts are close
(as was required for alert fusion). Instead, the requirement is that the end time of the earlier attack
has to be close to the start time of the following one.
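Thread construction as described above, as an added example that is not code from the course notes or from any existing correlator. It groups alerts by identical source and target and chains an alert to the current thread only when its start time is close to the end time of the previous one (the end-to-start rule of this phase, as opposed to the start/end matching of alert fusion); the gap threshold, the field names and the sample alerts are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

THREAD_GAP = 5.0  # seconds; assumed maximum gap between consecutive attacks in a thread


@dataclass(frozen=True)
class Alert:
    name: str
    source: str
    target: str
    start_time: float
    end_time: float


def build_threads(alerts: List[Alert]) -> List[List[Alert]]:
    """Group alerts by (source, target), order each group by start time and
    start a new thread whenever the gap between the previous alert's end and
    the next alert's start exceeds THREAD_GAP."""
    groups: Dict[Tuple[str, str], List[Alert]] = {}
    for a in alerts:
        groups.setdefault((a.source, a.target), []).append(a)
    threads: List[List[Alert]] = []
    for key in sorted(groups):
        seq = sorted(groups[key], key=lambda a: a.start_time)
        current = [seq[0]]
        for a in seq[1:]:
            if a.start_time - current[-1].end_time <= THREAD_GAP:
                current.append(a)
            else:
                threads.append(current)
                current = [a]
        threads.append(current)
    return threads


def summarize(thread: List[Alert]) -> dict:
    """Meta-alert content for one thread: the single source and target, the
    time span of the whole thread and the sequence of attack names."""
    return {
        "source": thread[0].source,
        "target": thread[0].target,
        "start_time": thread[0].start_time,
        "end_time": max(a.end_time for a in thread),
        "attacks": [a.name for a in thread],
    }


def sample_alerts() -> List[Alert]:
    """Constructed: one attacker retries a buffer overflow against a host with
    different parameters and finally succeeds, returns much later, and an
    unrelated host scans the same target in between."""
    return [
        Alert("bof-attempt", "192.0.2.7", "10.0.0.20", 100.0, 100.5),
        Alert("bof-attempt", "192.0.2.7", "10.0.0.20", 102.0, 102.4),
        Alert("bof-success", "192.0.2.7", "10.0.0.20", 104.0, 104.2),
        Alert("bof-attempt", "192.0.2.7", "10.0.0.20", 600.0, 600.3),
        Alert("portscan", "198.51.100.9", "10.0.0.20", 101.0, 101.0),
    ]


if __name__ == "__main__":
    for thread in build_threads(sample_alerts()):
        print(summarize(thread))
```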

113
Distributed attack scenario reconstruction

Distributed alert scenario reconstruction aims at building links between different alert scenarios
having the same target. One important task at this level is to correlate network-based and host-
based alert scenarios. Linking network-based to host-based alerts is difficult because the
information that is present in these alerts differs. Network-based sensors can provide the source
and destination IP addresses and ports of packet(s) that contain detected attacks. Host-based
sensors, on the other hand, include information about the process that is attacked and the user on
whose behalf this process is executed.
A possible approach is to state that a host-based alert is linked to a network-based alert if it
occurs a short time after the network-based attack and the network-based attack targets the host
where the host-based attack is observed. This approach is simple, but has the obvious drawback
that it is very imprecise and might correlate independent alerts. It can, however, be improved by
utilizing a priori information about the port(s) used by a certain network service. Another possibility
is to specify that a certain attack is known to prepare for or to be a precondition for another attack.
This allows a packet containing a specific attack to be linked to an alert raised by a sensor
monitoring the victim server.

114
Attack focus recognition
‰ Identify attack source(s) and target(s)
‰ Two possible schemes are investigated:
  ‰ ‘Many2one’: Multiple hosts attack a single victim
  ‰ ‘One2many’: A single host attacks multiple victims
‰ Based on a sliding time window

The task of the attack focus recognition phase is to identify hosts that are either the source or the
target of a substantial amount of attacks. This phase aggregates the alerts associated with a
single host attacking multiple victims (called a one2many scenario) and multiple attackers
attacking a single victim (called a many2one scenario).
The attack focus phase is effective in reducing the number of alerts caused by (distributed) denial
of service (DDoS) attacks and port scan activity. In general, alerts related to a DDoS attempt can
be merged into a single many2one meta-alert, while alerts related to port scans are combined into
a single one2many meta-alert.
Attack focus recognition is, in its simplest form, based on a sliding time window. The correlation
system computes the total number of attacks that each host has launched during a time window
w. Each host that is responsible for more than a certain number of attacks (given by an a
priori threshold t) is considered to perform a one2many attack and an appropriate meta-alert is
created.
A one2many alert can be further classified as a horizontal portscan or as a horizontal multiscan. A
horizontal portscan refers to a situation where a certain host probes the status of a particular port
on many targets. A horizontal multiscan is similar, but instead of a single port, multiple ports are
probed on each host. Note that the set of probed ports is consistent between targets. To further
classify a one2many alert as one of these two types of scans, the destination ports of the
individual attacks are analyzed. When all attacks target the same port, or the same set of ports,
the alert is further classified as either a horizontal portscan or a horizontal multiscan. In addition to
the number of attacks that each host has launched, the total number of times that each host was
the victim of an attack is determined as well. When a host is the victim of more than a certain
number of attacks, an appropriate many2one meta-alert is created. When the number of attacks
against the host exceeds a second threshold, which is significantly higher than the threshold
necessary to create a many2one alert, the meta-alert is additionally tagged as a denial of service.
The source field of a one2many meta-alert is set to be the attacker’s host, while the target and all
other remaining fields are the union of the targets of the individual attacks. The many2one
scenario operates in a similar way, the only difference being that the roles of the attacker (source)
and victim (target) are reversed.
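The sliding-window scheme of this phase, as an added example that is not code from the course notes or from any existing correlator. It counts attacks per source and per target inside the window w, creates one2many and many2one meta-alerts above the threshold t, classifies a one2many alert as a horizontal portscan or multiscan from the destination ports, and tags a many2one alert as a denial of service above the second, much higher threshold; the values of w and the thresholds, the field names and the sample alerts are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

WINDOW = 60.0        # w: seconds covered by the sliding window (assumed)
THRESHOLD = 5        # t: attacks per host within w before a meta-alert is created (assumed)
DOS_THRESHOLD = 50   # significantly higher threshold for the denial-of-service tag (assumed)


@dataclass(frozen=True)
class Alert:
    time: float
    source: str
    target: str
    dst_port: int


def classify_scan(alerts: List[Alert]) -> Optional[str]:
    """Horizontal portscan: every target was probed on the same single port.
    Horizontal multiscan: every target was probed on the same set of ports.
    Anything else gets no scan classification."""
    ports_per_target: Dict[str, Set[int]] = defaultdict(set)
    for a in alerts:
        ports_per_target[a.target].add(a.dst_port)
    port_sets = list(ports_per_target.values())
    if any(ps != port_sets[0] for ps in port_sets):
        return None
    return "horizontal-portscan" if len(port_sets[0]) == 1 else "horizontal-multiscan"


def focus_recognition(alerts: List[Alert], now: float) -> List[dict]:
    """Evaluate the window (now - WINDOW, now] and emit one2many / many2one
    meta-alerts for hosts that exceed THRESHOLD attacks as source or target."""
    recent = [a for a in alerts if now - WINDOW < a.time <= now]
    by_source: Dict[str, List[Alert]] = defaultdict(list)
    by_target: Dict[str, List[Alert]] = defaultdict(list)
    for a in recent:
        by_source[a.source].append(a)
        by_target[a.target].append(a)

    metas: List[dict] = []
    for src, group in by_source.items():
        if len(group) > THRESHOLD:
            # source is the attacker; target field is the union of the victims
            meta = {"kind": "one2many", "source": src,
                    "targets": sorted({a.target for a in group}),
                    "count": len(group), "children": group}
            scan = classify_scan(group)
            if scan:
                meta["tag"] = scan
            metas.append(meta)
    for dst, group in by_target.items():
        if len(group) > THRESHOLD:
            # roles reversed: target is the victim, sources are unioned
            meta = {"kind": "many2one", "target": dst,
                    "sources": sorted({a.source for a in group}),
                    "count": len(group), "children": group}
            if len(group) > DOS_THRESHOLD:
                meta["tag"] = "denial-of-service"
            metas.append(meta)
    return metas


def sample_alerts() -> List[Alert]:
    """Constructed: one host probes port 22 on ten targets, and sixty distinct
    sources hit one victim on port 80, all within the same minute."""
    alerts = [Alert(10.0 + i, "192.0.2.7", f"10.0.0.{i}", 22) for i in range(1, 11)]
    alerts += [Alert(20.0 + i * 0.5, f"203.0.113.{i}", "10.0.0.80", 80) for i in range(60)]
    return alerts


if __name__ == "__main__":
    for meta in focus_recognition(sample_alerts(), now=60.0):
        print(meta["kind"], meta.get("tag"), meta["count"])
```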

115
3- Digital investigation
‰ The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations
A road map for digital forensics
Digital Forensics Research Workshop (2001)

Digital forensics, also known as computer and network forensics, has many definitions. Generally,
it is considered the application of science to the identification, collection, examination, and
analysis of data while preserving the integrity of the information and maintaining a strict chain of
custody for the data. Computer and network forensics has evolved to assure proper presentation
of computer crime evidentiary data into court. Forensic tools and techniques are most often
thought of in the context of criminal investigations and computer security incident handling used to
respond to an event by investigating suspect systems, gathering and preserving evidence,
reconstructing events, and assessing the current state of an event.
When deciding which internal or external parties should handle each aspect of forensics,
organizations should keep the following factors in mind:
•Cost. There are many potential costs. Software, hardware, and equipment used to collect and
examine data may carry significant costs (e.g., purchase price, software updates and upgrades,
maintenance), and may also require additional physical security measures to safeguard them from
tampering. Other significant expenses involve staff training and labor costs, which are particularly
significant for dedicated forensic specialists. In general, forensic actions that are needed rarely
might be more cost-effectively performed by an external party, whereas actions that are needed
frequently might be more cost-effectively performed internally.
•Response Time. Personnel located on-site might be able to initiate computer forensic activity
more quickly than could off-site personnel. For organizations with geographically dispersed
physical locations, off-site outsourcers located near distant facilities might be able to respond
more quickly than personnel located at the organization’s headquarters.
•Data Sensitivity. Because of data sensitivity and privacy concerns, some organizations might be
reluctant to allow external parties to image hard drives and perform other actions that provide
access to data. For example, a system that contains traces of an incident might also contain
health care information, financial records, or other sensitive data; an organization might prefer to
keep that system under its own control to safeguard the privacy of the data. On the other hand, there may
be a privacy concern within the team itself: if an incident is suspected to involve a member of the incident
handling team, using an independent third party to perform forensic actions would be preferable.

116
Forensic process
‰ Collection
  ‰ Identify, label, record, and acquire data from the possible sources of relevant data
‰ Examination
  ‰ Process large amounts of collected data to assess and extract data of particular interest
‰ Analysis
  ‰ Analyze the results of the examination to derive useful information that addresses the questions that were the impetus for performing the collection and examination
‰ Reporting
  ‰ Report the results of the analysis

Despite the abundant research activity related to digital forensic models, the tasks constituting the forensic
process are not standardized yet. Many of the proposed guidelines are specific to particular technologies or
systems and are not yet general enough to be applied to various kinds of digital attacks. In 2001, the US
Department of Justice (DoJ) presented a four-step model including "collection, examination, analysis, and
reporting." The Digital Forensics Research Workshop introduced three extra phases, "identification",
"preservation" and "decision", making the framework more appropriate to computer forensics. In fact, the DoJ
model does not take into account some particular characteristics of this field. Identification, for instance,
becomes more complex in the case of digital forensics because of the huge volume of available data that
may have to be analyzed. In the following, the most important steps that are shared by the aforementioned
models are discussed. More precisely, evidence collection, preservation, and analysis as well as intention
inference will be focused on.
The first task is to locate and identify useful evidence. To this end, the investigator should seize the various
hardware that may contain relevant information. Unfortunately, this is not always possible. While computers,
hard disks or CD-ROMs can be seized, LANs (Local Area Networks) and communications infrastructures,
which can hold key elements, are hard or even impossible to seize for evidence purposes. Moreover, the
complexity of evidence collection depends heavily on the cleverness of the attacker. For instance, the use of
encryption or scrubbing tools makes evidence harder to reach.
Once gathered, the evidence has to be correctly maintained to prevent it from being totally or partially lost. In
fact, the attacker may try to get back the hardware evidence to avoid being caught. He can also delete or
alter digital information that constitutes a proof against him. Thus, evidence integrity is a key factor that
should be considered to guarantee admissibility if needed.
The last two steps are crucial in order to have a sound interpretation of the collected information. The time,
techniques or location of the attack’s source, to name just a few, are elements that can help the forensic
analyst in his task. Just as for traditional crimes, profiles can be built to characterize criminals. Evidence
analysis and suspect intention inference are so close that they could be merged into the same step. Their
separation comes from the fact that different skills are needed for different tasks. Evidence analysis involves
deep context-specific scientific knowledge, while behavior modeling can rely on traditional techniques.
A key feature of digital forensics is that the quantity of gathered information can be so large that it becomes
hard to analyze. For example, visualizing the content of five megabytes of electronic documents or log files
cannot be done manually. To this end, various automated tools can assist investigators to accelerate the
search for digital evidence or to conduct inference-based reasoning to analyze the attack.

117
Evidence requirements
‰ The digital evidence should be
  ‰ Accurate
  ‰ Verifiable
  ‰ Repeatable
  ‰ Authenticated
  ‰ Admissible

In order to recognize digital evidence as a legal proof to indict or to discharge a suspect, it has to conform to
several requirements. In particular, the evidence should not be altered, and examination results should be
accurate, verifiable and repeatable. However, the most crucial requirement an investigation should fulfill is
authenticity, i.e., to demonstrate that a given (hardware or software) piece of evidence is effectively related
to the suspect. For example, to link data on a computer to individuals, the investigator can use access
control logs, cryptographic based authentication, or biometric features. On the other hand, to prove
malicious network activity, he can rely on IP addresses, passwords or digital certificates. A recurring
problem at this stage is to consider the case where an alibi is investigated. In fact, the reliability of the
evidence, especially time and location, is the main issue to prove in such cases. Another issue is that pieces
of evidence should be admissible, meaning that they should be acceptable legally. This assumes that the
investigator must be aware of the legal framework.
In its Good Practice Guide for Computer Based Evidence, the English Association of Chief Police Officers
(ACPO) defines four principles that have to be followed during an investigation process. These principles are
given below:
•First Principle: No action taken by Police or their agents should change data held on a computer or other
media, which may subsequently be relied upon in Court.
•Second Principle: In exceptional circumstances where a person finds it necessary to access original data
held on a target computer, that person must be competent to do so and to give evidence explaining the
relevance and the implications of their actions.
•Third Principle: An audit trail or other record of all processes applied to computer-based evidence should be
created and preserved. An independent third party should be able to examine those processes and achieve
the same result.
•Fourth Principle: The Officer in charge of the case is responsible for ensuring that the law and these
principles are adhered to. This applies to the possession of, and access to, information contained in a
computer. They must be satisfied that anyone accessing the computer, or any use of a copying device,
complies with these laws and principles.
It appears that the ACPO guideline relies on the fact that digital evidence has the same nature as traditional
evidence. Therefore, it should be subject to the same rules and laws. In spite of their popularity, the ACPO
principles, in their current version, have two major shortcomings. First, they do not guarantee some of the
fundamental properties of digital evidence. For example, they are not sufficient to guarantee integrity, because
data in electronic format is intrinsically volatile and thus can disappear without user intervention. In other
terms, the four principles are necessary, but not sufficient, to provide integrity. Another limit is that the ACPO
guide is limited to the investigation of standalone computers. It does not address cases where a suspect
performs a network attack.

118
Hard disk investigation (1)
‰ The mechanisms used by the attacker to hide incriminating data can rely on
  ‰ Unused space
  ‰ Slack space
  ‰ Deleted files
  ‰ Bad sectors
  ‰ Translated disk geometry

A possible approach to hide data is to act at the partitioning stage by marking several partitions as
hidden or leaving unused spaces that can be filled through the use of specific disk editors.
Another category of free sectors that can be exploited for illegal purposes consists of the
unassigned sectors that are left between partitions. File systems, on the other hand, present other
possibilities to the suspect, as he may delete some files in order to recover them later. Effectively,
several OSs do not thoroughly erase the sectors containing a deleted file but mark them as
available for reallocation instead. Of course, the examiner may be asked to perform more
skillful tasks depending on the technical capabilities of the suspect (which could be estimated from
his profile). In the following, two of the myriad hiding techniques that require a relatively
high technical level are described.
When being manufactured, hard disks are checked for bad sectors. When a defective sector is
found, one possibility is to mark it by setting bit 0 of the sector flag to 1. Once performed, this
operation denies the controller access to the concerned sector. To avoid affecting the disk
capacity, several controllers are able to format spare free sectors to replace the damaged
ones. Then, the address of a bad sector is substituted by the address of the newly assigned
sector. Attackers can abuse this process, called bad sector mapping, by redirecting access requests
for sectors containing incriminating information to other normal sectors. Thus, the content of the
hidden sectors cannot be explored through the OS.
Another method for hiding data inside a hard disk stems from the incompatibility between the
addressing structures of IDE/ATA hard disks and several BIOS programs. In fact, this makes an
important number of physical sectors inaccessible through BIOS interrupt calls.
The solution that has been adopted by most computer manufacturers to attenuate this
space loss is called translated disk geometry. A glance at this process shows that a number of
sectors are impossible to access by the BIOS because of the use of rounding operator . This fact
can be exploited by attackers because the disk space that is presumed to be unusable for one BIOS
may be recognized by other BIOS programs.

119
Hard disk investigation (2)
‰ Investigators should examine copies of
files, not original files
‰ Disk imaging tools
‰ Investigators should preserve the integrity
of the original storage media
‰ Write-blocker (hardware, software)
‰ Investigators should rely on file headers to
identify the content of a specific file
‰ File viewer

Files can be copied from media using two different techniques:


•Logical Backup. A logical backup copies the directories and files of a logical volume. It does not
capture other data that may be present on the media, such as deleted files or residual data stored
in slack space.
•Bit Stream Imaging. Also known as disk imaging, bit stream imaging generates a bit-for-bit copy
of the original media, including free space and slack space. Bit stream images require more
storage space and take longer to perform than logical backups. When a bit stream image is
executed, either a disk-to-disk or a disk-to-file copy can be performed.

During backups and imaging, the integrity of the original media should be maintained. To ensure
that the backup or imaging process does not alter data on the original media, analysts can use a
write-blocker while backing up or imaging the media. A write-blocker is a hardware or software-
based tool that prevents a computer from writing to computer storage media connected to it.
Hardware write-blockers are physically connected to the computer and the storage media being
processed to prevent any writes to the media. After a backup or imaging is performed, it is
important to verify that the copied data is an exact duplicate of the original data. Computing the
message digest of the copied data can be used to verify and ensure data integrity. A message
digest is a hash that uniquely identifies data and has the property that changing a single bit in the
data will cause a completely different message digest to be generated.

Analysts can accurately identify the type of data stored in many files by looking at their file
headers. A file header contains identifying information about a file and possibly metadata that
provides information about the file contents. A file header could be located in a file separate from
the actual file data. Another effective technique for identifying the type of data in a file is a simple
histogram showing the distribution of ASCII values as a percentage of total characters in a file.
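To make the header check and the digest verification above concrete, here is an added Python example (it is not part of the course material): the signature table holds well-known magic numbers, the sample files in the test are constructed, and SHA-256 is assumed as the message digest since the notes name none.

```python
import hashlib
from collections import Counter
from typing import Dict

# Constructed table of common magic numbers (well-known public values;
# the course notes list none).  Keys are the leading bytes of a file.
SIGNATURES: Dict[bytes, str] = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP container (ZIP, DOCX, XLSX, JAR)",
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}


def identify_by_header(data: bytes) -> str:
    """Classify a file by its leading bytes; the file name is not consulted,
    so a renamed file is still recognised (or exposed as 'unknown')."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def ascii_histogram(data: bytes) -> Dict[int, float]:
    """Share of the file (in percent) taken by each byte value."""
    if not data:
        return {}
    counts = Counter(data)
    return {value: 100.0 * n / len(data) for value, n in counts.items()}


def printable_share(data: bytes) -> float:
    """Percentage of bytes that are printable ASCII or whitespace.  A value
    close to 100 indicates text; binary formats score far lower."""
    return sum(pct for value, pct in ascii_histogram(data).items()
               if 32 <= value < 127 or value in (9, 10, 13))


def image_digest(data: bytes) -> str:
    """Message digest of an image; SHA-256 is assumed (the notes name none)."""
    return hashlib.sha256(data).hexdigest()


def verify_image(original: bytes, image: bytes) -> bool:
    """Post-imaging integrity check: a single flipped bit changes the digest."""
    return image_digest(original) == image_digest(image)
```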

120
OS investigation
‰ The collection process should involve
‰ Volatile data: Slack space, free space,
network configuration, running processes,
open files, login sessions
‰ Non-volatile data: Configuration files,
password files, log files, application files,
swap files, dump file, temporary files
‰ Investigators should choose the
appropriate shutdown method

Volatile OS data involving an event can be collected only from a live system that has not been rebooted or
shut down since the event occurred. Every action performed on the system, whether initiated by a person or
by the OS itself, will almost certainly alter the volatile OS data in some way. The most interesting locations
where the analyst might look for volatile data include the following:
•Memory contents: There are several utilities that can copy the contents of RAM to a data file and
assist in subsequent analysis of the data. On most systems, it is not possible to avoid alteration of
RAM when running a utility that attempts to make a copy of RAM. Instead, the goal is to perform
the copying with as small a footprint as possible to minimize the disruption of RAM.
•Network configuration: Most OSs include a utility that displays the current network configuration,
such as ifconfig on UNIX systems and ipconfig on Windows systems. Information that can be
provided through network configuration utilities includes the hostname, the physical and logical
network interfaces, and configuration information for each interface (e.g., IP address, Media Access
Control [MAC] address, current status).
•Running processes: All UNIX-based systems offer the ps command for displaying currently
running processes. Although Windows offers a graphical user interface (GUI)-based process list
utility, the Task Manager, it is usually preferable to have a text-based listing. Third-party utilities can
be used to generate a text list of running processes for Windows systems.
•Open files: All UNIX-based systems offer the lsof command for displaying a list of open files.
Third-party utilities can be used to generate text lists of open files for Windows systems.
After obtaining volatile OS data, analysts often should collect non-volatile OS data. To do so, the analyst first
should decide whether the system should be shut down. Shutting down the system not only affects the
ability to perform bit stream imaging and many logical backups, but can also change which OS data is
preserved. Most systems can be shut down through two methods:
•Graceful shutdown: This causes the OS to perform cleanup activities, such as closing open files,
deleting temporary files, and possibly clearing the swap file, before shutting down the system. A
graceful shutdown can also trigger removal of malicious material; for example, memory-resident
rootkits may disappear, and Trojan horses may remove evidence of their malicious activity. The OS
is typically shut down from the account of the administrator or the current user of the system (if the
current user has sufficient privileges).
•Power removal: Disconnecting the power cord from the back of the computer (and removing the
batteries on a laptop or other portable device) can preserve swap files, temporary data files, and
other information that might be altered or deleted during a graceful shutdown. Unfortunately, a
sudden loss of power can cause some OSs to corrupt data, such as open files. In addition, for
some consumer devices, such as PDAs and cell phones, removing battery power can cause a loss
of data.

121
Network investigation
‰ IDPSs and firewalls do not provide reliable
information about attack source
‰ Tracing the source of anonymous flow:
‰ IP marking
‰ Edge sampling
‰ Authenticated marking
‰ Deterministic packet marking
‰ Hash-based trace-back
‰ Thumb printing
‰ Inter-packet delay based tracing

Introducing network protocols and applications into the computing environment opens many breaches that
malicious entities are able to exploit. For instance, attackers can easily hide their identities due to the
stateless nature of the existing routing protocols. Furthermore, the effect of an attack can propagate rapidly
from one physical location to another through the means provided by the communication infrastructure
itself. Therefore, Intrusion Detection Systems (IDSs) are not sufficient to solve the fundamental problems of
network forensics. Basically, IDSs detect events that are correlated with attacks and can react in different
ways (i.e., generating alarms, blocking connections, etc.). This is not sufficient when conducting an
investigation, as the identity of the attacker has to be determined. This is often a complex task since
intruders use stepping-stones and zombies when carrying out their attacks. More clever attackers may send
their packets across encrypted links to make their identification more difficult.
Tracing anonymous attack flows is not the only issue the investigator should consider, but it is, by far, the
most critical one. Besides, an important research effort should be directed toward identifying the source of
attacks. Other activities such as evaluating the impact of an attack or studying its modus operandi have also
to be performed within the frame of the forensic process. Assessing the damage resulting from an intrusion
is particularly helpful to determine whether the investigation should be pursued or not on the basis of a cost-
benefit balance. Of course, this assumes that an efficient cost model for computer network forensics has
been applied. In addition, a deep analysis of the attack technique may reveal useful information about the
attacker as it will be demonstrated in the next section. In the remainder of this section, we focus on the
traceback problem as we believe it is a challenging issue.
Several solutions have been developed as an attempt to locate particular hosts in a specific network that are
initiating network attacks. They are called source tracing systems. At this stage, it may seem to the reader
that trace-back methods are not related to digital forensics. In fact, these methods have been seldom
presented as forensic tools and they have been rather viewed as IDS components. Particularly, they confer
reactivity to intrusion detection. Nevertheless, they remain efficient for post-mortem analysis (i.e., after the
occurrence of the attack).
Tracing methods can be divided into two classes: host-based methods and network-based methods. The
former consist of installing agents on each network host while the latter use the network infrastructure to
identify attack sources. A trivial shortcoming of host-based tracing is that it is no longer applicable if the
attacker uses a host where the trace-back system is not installed. In other terms, such a component has to
be installed on each host, which is obviously an unrealistic assumption in an open environment like the
Internet. In the sequel, the study is restricted to network-based tracing approaches since they are more
appropriate for modern networks, which are, by nature, open.

122
IP marking
‰ Building a map of routes originating from the victim using a traditional mapping technique
‰ Identifying the valid attack path


The first task is to build a map of routes originating from the victim using a traditional mapping
technique. Typically, this map consists of a directed acyclic graph such as the one illustrated in the
above figure, where $V$ is the victim host, $\{R_i\}$ are the routers and the leaves $\{A_i\}$ represent the
potential attack sources.
The attack path from a leaf node $A_i$ is the ordered list of routers between $A_i$ and $V$. The exact
trace-back problem can therefore be defined as determining the attack path and the associated
attack origin for each attacker.
In essence, IP marking has routers add path information to the packets they forward so that the
victim can reconstruct the attack path. Of course, this approach enlarges the flow transmitted across
the network and would likely be infeasible without addressing several probabilistic and encoding
issues.

123
Edge sampling
‰ Three fields (start, end, distance) are added to
mark edges instead of nodes
‰ If the packet is to be marked, the router inserts its IP
address in the ‘start’ field and 0 in the ‘distance’ field
‰ If the ‘distance’ field is set to zero, the router inserts
its IP address into the ‘end’ field
‰ Else, the router increments the ‘distance’ field
‰ The number of packets X needed to reconstruct a path of length d satisfies
$$E(X) \le \frac{\ln(d)}{p\,(1-p)^{d-1}},$$
where p is the probability that a router marks a packet


It is more efficient to mark edges in the attack path rather than nodes. The edge sampling
algorithm introduces three fields, start, end and distance, that are added to marked packets. When
a router marks a packet, it puts its IP address into the start field and zero into the distance field.
However, if the distance field is already zero, meaning that the previous router marked the packet,
the router writes its IP address into the end field. Clearly, this mechanism represents the edge
between the current router and the previous router that marked the packet. Moreover, even if the
router does not mark the packet, it always increments the distance field, which gives a more reliable
characterization of spoofed packets: the distance fields of such packets would be greater than the
length of the attack path.
To write the marking information into a given packet, one can overload the IP identification field of
the IP header, which is normally used for fragmentation. This choice relies on measurements
showing that less than 0.25% of packets are actually fragmented. However, IP identification is a 16-
bit field while 72 bits are needed to encode edge information (32 bits for each of the start and end
IP addresses and 8 bits for the distance). Thus, an encoding technique called Fragmentation
Sampling Scheme (FSS) has been developed. FSS is based on two mechanisms. First, taking the
exclusive-or (XOR) of the two IP addresses constituting the edge halves the required storage
space. The resulting value is called the edge-id. Therefore, the victim receives the XOR of the
addresses of two adjacent routers, except for packets marked by the router one hop from the victim.
The second encoding mechanism consists of splitting each edge-id into 8 non-overlapping
fragments. When a packet is marked, the router selects a random fragment and writes it into the
packet. This solves the problem, as the 16 bits of the IP identification field can be filled by
assigning 8 bits to the edge-id fragment, 3 bits to the position of the fragment and 5 bits to the
distance.
Nonetheless, because edge-ids are used instead of full logical addresses, another problem, called
collision (or the birthday paradox), arises. Effectively, edge-ids are not unique and the probability
that the victim host receives two identical edge fragments is not zero. In order to overcome this
limitation, a redundancy check mechanism can be added to the algorithm.
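The marking rule and the victim-side reconstruction described above, as an added Python simulation (not the course's or any published implementation): routers and the victim are labelled R1..R4 and V, the marks travel in full-width fields rather than the FSS encoding, the route map is a constructed set of edges, and the forged-mark case shows why the always-incremented distance field keeps spoofed edges beyond the real path.

```python
import math
import random
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Mark:
    """Marking fields of one packet.  Kept full-width for clarity; the FSS
    encoding into the 16-bit IP identification field is not modelled."""
    start: Optional[str] = None
    end: Optional[str] = None
    distance: int = 0


def forward(mark: Mark, router: str, p: float, rng: random.Random) -> Mark:
    """Edge-sampling rule applied by one router to one packet."""
    if rng.random() < p:                 # mark: open a new edge at this router
        mark.start, mark.end, mark.distance = router, None, 0
    else:
        if mark.distance == 0:           # previous hop marked: close its edge
            mark.end = router
        mark.distance += 1               # always incremented, even for forged marks
    return mark


def send_packets(path: List[str], n: int, p: float, rng: random.Random,
                 spoof: Optional[Mark] = None) -> List[Mark]:
    """Push n packets from the attacker-side router path[0] towards the victim.
    `spoof` is a mark the sender pre-loads into every packet (None = empty)."""
    received = []
    for _ in range(n):
        m = replace(spoof) if spoof is not None else Mark()
        for router in path:
            forward(m, router, p, rng)
        received.append(m)
    return received


def reconstruct(marks: List[Mark], route_edges: Set[Tuple[str, str]],
                victim: str = "V") -> List[str]:
    """Victim side: group sampled edges by distance and walk outwards from the
    victim, accepting only edges that exist in the pre-built route map."""
    edges: Dict[int, Set[Tuple[str, str]]] = {}
    for m in marks:
        if m.start is None:
            continue                     # never marked: no path information
        if m.distance == 0:
            end = victim                 # last router marked it; the victim closes the edge
        elif m.end is None:
            continue                     # the algorithm never produces this shape
        else:
            end = m.end
        edges.setdefault(m.distance, set()).add((m.start, end))
    path, node, dist = [], victim, 0
    while dist in edges:
        upstream = [s for (s, e) in edges[dist] if e == node and (s, e) in route_edges]
        if len(upstream) != 1:
            break                        # unknown or ambiguous edge: stop here
        node = upstream[0]
        path.append(node)
        dist += 1
    return path[::-1]                    # attacker-side router first


def expected_packets_bound(d: int, p: float) -> float:
    """Bound from the slide: E(X) <= ln(d) / (p (1-p)^(d-1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))
```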

124
Authenticated marking
‰ 11-bit hash values are used instead of full IP addresses
‰ The marking information is expressed by
$$edge\_id = h_1(IP_{R_i}) \oplus h_2(IP_{R_j}),$$
where $h_1$ and $h_2$ are two distinct 11-bit hash functions.


Assuming that the route map has been predetermined by the victim host, full IP addresses are not
needed for tracing. Instead, 11-bit hash values of edge-ids can be used in place of fragments.
Supposing that $R_i$ and $R_j$ marked a given packet, the victim would receive the XOR of the
IP address of $R_i$ and the IP address of $R_j$.
Two one-way functions are used so that the victim can recover the order of the routers; using a
single function would not allow path reconstruction, as the XOR operator is commutative. Although
the Advanced Marking Scheme presents an acceptable computational overhead, it can be
thwarted if an upstream router is compromised, since all routers are assumed to be trusted. A
potential method to address this issue is to authenticate packet marking using cryptographic
checksums.
Assuming that each router $R_i$ holds a symmetric key $K_i$, it can compute Message
Authentication Codes (MACs) of edge-ids and append them to marked packets in order to prevent
other routers from forging its marking information. As for every symmetric cryptographic technique,
key management is the fundamental problem arising in the Authenticated Marking Scheme. Time-
released key authentication mechanisms can be used if the route map is large (which would
otherwise require an impractical number of keys).

125
Deterministic packet marking
‰ Probabilistic marking techniques
‰ Require important computational capabilities
‰ Are only applicable to detect the source of DoS attacks
‰ Do not guarantee convergence
‰ Deterministic packet marking: Packet marking occurs at the ingress interface of the closest router to the attacker

Probabilistic Packet Marking (PPM) schemes have three principal shortcomings. First, they
require substantial processing and memory capabilities at the victim. Furthermore, their
application is restricted to Denial of Service (DoS) and Distributed Denial of Service (DDoS)
attacks. However, the main limitation of these techniques is that they may not converge, because
a large number of packets, of the order of thousands, must be available at the victim host in order
to reconstruct the attack paths.
To overcome PPM disadvantages, a new marking technique, called Deterministic Packet Marking
(DPM) was introduced. The rationale behind this scheme is to perform the marking at the ingress
interface of the closest router to the attacker since multiple attack paths can correspond to the
same attack (this is the essence of routing algorithms). In other words, the attack flow is uniquely
identified by its source and destination. In addition, this marking scheme is deterministic in the
sense that every packet is marked by the nearest router to the station that emitted it.
To encode the marking information (the source IP address) in IP datagrams, DPM uses the IP
Identification field and the 1-bit reserved flag of the IP header. The IP address is divided into two
equal segments and the marking process consists of putting randomly, with probability of 0.5, one
of those parts into the IP Identification field. Clearly, the 1-bit flag is used to state whether the
marking information consists of the first or the second half of the source IP address.
This method outperforms PPM since its computational complexity is low. The number of packets
needed by the victim to identify the attacker is far smaller than in the PPM case: two packets
originating from the same source and carrying the two different marks are sufficient. Yet, it assumes
strong involvement from Internet Service Providers (ISPs), which usually cannot be counted on, for
obvious reasons. In addition, DPM cannot be used if Network Address Translation (NAT) is used in
the network that includes the attacker's machine. Indeed, the victim would recover the private
address of the attacker, which does not carry any useful information.
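DPM marking and victim-side recovery as an added Python example (not the course's code): the reserved flag bit is modelled as an integer, the addresses are constructed from the RFC 5737 documentation range and RFC 1918, and the final RFC 1918 check illustrates the NAT limitation noted above.

```python
import ipaddress
import random
from typing import Dict, Optional, Tuple

# RFC 1918 private ranges: a recovered address in one of these means the
# marking happened behind NAT and does not identify the attacker.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.IPv4Address(addr)
    return any(a in net for net in RFC1918)


def dpm_mark(source_ip: str, rng: random.Random) -> Tuple[int, int]:
    """Marking done by the ingress router closest to the sender: with probability
    0.5 pick the upper or the lower 16-bit half of the 32-bit address.  Returns
    (value for the IP Identification field, value for the reserved flag bit)."""
    ip = int(ipaddress.IPv4Address(source_ip))
    flag = rng.randrange(2)              # 0 -> upper half, 1 -> lower half
    half = (ip >> 16) & 0xFFFF if flag == 0 else ip & 0xFFFF
    return half, flag


class DpmVictim:
    """Victim-side state for one attack flow: one slot per flag value."""

    def __init__(self) -> None:
        self.halves: Dict[int, int] = {}
        self.packets_seen = 0

    def observe(self, ip_id: int, flag: int) -> Optional[str]:
        self.packets_seen += 1
        self.halves[flag] = ip_id
        return self.recover()

    def recover(self) -> Optional[str]:
        """Both halves known: reassemble the marked address."""
        if 0 in self.halves and 1 in self.halves:
            return str(ipaddress.IPv4Address((self.halves[0] << 16) | self.halves[1]))
        return None


def trace_source(source_ip: str, rng: random.Random,
                 max_packets: int = 64) -> Tuple[Optional[str], int, bool]:
    """Feed marked packets to the victim until the address is recovered.
    Returns (recovered address or None, packets needed, address is RFC 1918)."""
    victim = DpmVictim()
    for _ in range(max_packets):
        recovered = victim.observe(*dpm_mark(source_ip, rng))
        if recovered is not None:
            return recovered, victim.packets_seen, is_rfc1918(recovered)
    return None, victim.packets_seen, False
```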

126
Hash-based trace-back
‰ Introduces a three-level hierarchy
‰ Data Generation Agents (DGAs)
‰ SPIE Collection and Reduction Agents (SCARs)
‰ SPIE Trace-back Manager (STM)
‰ The trace-back process
1. DGAs capture compressed data that uniquely
identifies each packet
2. SCARs receive attack notification from STM
3. SCARs get attack packets’ digests from DGAs
4. SCARs report local attack path to STM
5. STM combines local attack paths

The hash-based IP trace-back approach, also referred to as Source Path Isolation Engine (SPIE),
introduces a three-level hierarchy consisting of Data Generation Agents (DGAs), SPIE Collection
and Reduction Agents (SCARs) and a SPIE Traceback Manager (STM). DGAs, at the lowest level
of the hierarchy, typically consist of routers able to capture a compressed piece of information that
uniquely identifies each packet they forward. To achieve this, hash functions are applied to the
constant fields of the IP header (those that do not change during transmission) and to the first 8
bytes of the packet payload. A backup functionality has also been considered to overcome routers'
memory limitations.
At the upper level, SCARs receive notifications of attack occurrence from the STM, which is the
component that communicates with the various IDSs in the network. SCARs query the appropriate
DGAs for the digests of the packets forwarded during the time interval containing the instant when
the attack took place. Having analyzed the packet hashes, every SCAR reports to the STM the
attack paths found in its region. Finally, the STM combines the elementary attack paths and thus
performs the packet tracing.
Although SPIE is efficient and robust against various packet transformations (e.g., NAT,
encryption), some important factors might obstruct its application in real contexts. The most
important issue is an industrial one: SPIE relies on routers that include sophisticated
functionalities. Each router must be equipped with specific functions to extract packet hashes and
with an implemented backup strategy. This requires a great effort from manufacturers, who may be
reluctant to develop those functionalities. Similarly, ISPs are closely involved in this scheme; for
instance, the synchronization of the time intervals is a particularly tricky task. An additional
limitation results from the fact that a centralized STM controls the whole system, which makes the
framework more fragile, as everything would collapse in the case of an STM failure.
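An added Python sketch of the DGA and SCAR roles described above (not SPIE's implementation): the test packet, the choice of SHA-256 and the Bloom filter size are constructed assumptions, while the digested fields follow the description (the header fields that stay constant across hops, plus the first 8 payload bytes).

```python
import hashlib
import struct
from typing import Dict, List


def build_ipv4_packet(src: str, dst: str, ident: int, ttl: int, payload: bytes) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header (TCP, DF set) plus
    payload, with a valid checksum so a TTL change alters the header as on the wire."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                         ttl, 6, 0, bytes(int(x) for x in src.split(".")),
                         bytes(int(x) for x in dst.split(".")))
    csum = sum(struct.unpack("!10H", header))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return header[:10] + struct.pack("!H", (~csum) & 0xFFFF) + header[12:] + payload


def invariant_part(packet: bytes) -> bytes:
    """What a DGA digests: the IPv4 header with the per-hop mutable fields
    (ToS, TTL, checksum) zeroed and options dropped, plus the first 8 payload bytes."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:20])
    hdr[1] = 0                   # ToS / DSCP may be rewritten in transit
    hdr[8] = 0                   # TTL is decremented at every hop
    hdr[10:12] = b"\x00\x00"     # header checksum changes with the TTL
    return bytes(hdr) + packet[ihl:ihl + 8]


class BloomFilter:
    """Compact per-interval digest store; k bit positions derived from SHA-256."""

    def __init__(self, bits: int = 1 << 16, k: int = 3) -> None:
        self.size, self.k = bits, k
        self.bits = bytearray(bits // 8)

    def _positions(self, item: bytes) -> List[int]:
        h = hashlib.sha256(item).digest()
        return [int.from_bytes(h[4 * i:4 * i + 4], "big") % self.size for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


class DataGenerationAgent:
    """Router-side DGA: one Bloom filter per time interval of forwarded packets."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.intervals: Dict[int, BloomFilter] = {}

    def forward(self, packet: bytes, interval: int) -> None:
        self.intervals.setdefault(interval, BloomFilter()).add(invariant_part(packet))

    def seen(self, packet: bytes, interval: int) -> bool:
        bf = self.intervals.get(interval)
        return bf is not None and invariant_part(packet) in bf


def local_attack_path(dgas: List[DataGenerationAgent], packet: bytes, interval: int) -> List[str]:
    """SCAR step: which DGAs of the region forwarded the attack packet in that interval."""
    return [d.name for d in dgas if d.seen(packet, interval)]
```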

127
Thumb printing (1)
‰ Given a packet stream of a specific connection, identify the connection steps from the victim to the attacker
‰ Connection chain identification relies on
characteristics that uniquely identify
connections, and that are difficult to forge


The goal of connection chain identification is to find the set of hosts that the intruder used to carry
out an attack. A common technique for hiding the source of an attack is to log on to a series of hosts
before breaking into the target. The attacker identification task becomes harder if the intrusion traces
are deleted or if encrypted network segments are used. Thus, finding the connection chain should not
rely on the study of traditional intrusion traces (essentially log files), but on the study of other
characteristics that uniquely represent a connection and that are difficult to forge.
If $H_0, H_1, \dots, H_{n-1}$ are the potential intermediate hosts the attacker used to perform an
intrusion, a connection $c_i$ is defined as a log-on operation between hosts $H_{i-1}$ and $H_i$. When
the attacker establishes connection $c_i$, the data flow sent between $H_{i-1}$ and $H_i$ is called a
packet stream. The goal of the connection chain identification process is, given a packet stream of a
connection $c_i$, to determine the entire sequence of connection steps, denoted $c_1, c_2, \dots, c_m$,
from the attacker to the victim.

128
Thumb printing (2)
‰ Given two connections $c_i$ and $c_j$, the sequence numbers of the corresponding packet streams are denoted by $(s^i_l)_{0 \le l \le n_i}$ and $(s^j_l)_{0 \le l \le n_j}$. Similarly, the packet arrival times are represented by two series $(t^i_l)_{0 \le l \le n_i}$ and $(t^j_l)_{0 \le l \le n_j}$. The deviation between the packet streams is computed using the following expression:
$$D_{ij} = \frac{1}{d} \min_{0 \le k \le m'} \left\{ \sum_{h=1}^{d} \Bigl(T(h,k) - \min_{h} T(h,k)\Bigr),\ \sum_{h=1}^{d} \Bigl(T(h,k) - \max_{h} T(h,k)\Bigr) \right\},$$
where $T(h,k) = t^j_{k+h} - t^i_h$, $d = s^i_{n_i} - s^i_1$ and $m' = \max\{\, l \mid s^j_l + d \le n_j \,\}$.
i


The idea behind thumbprinting is that several features of the transmitted data are constant at all
points of a connection chain. Thumbprints can be thought of as signatures that uniquely identify a
connection chain.
This method relies on the observation that the evolution of sequence numbers during the
transmission of a packet stream is a good criterion for measuring the correlation between
connections. A metric based on this evolution can be used to measure the deviation between
connections; it should remain small when computed for two connections that belong to the same
connection chain. Basically, the correlation metric represents the slope of the graph that maps
sequence numbers to time. Thus, the main assumption is that this metric is nearly invariant (or
constant) for connections occurring in the same chain.
Informally, the deviation measures how similarly the sequence numbers of two packet streams
evolve over time. In fact, $T(h,k)$ can be seen as a distance, in terms of time, between the
$(k+h)$-th packet of connection $c_j$ and the $h$-th packet of connection $c_i$. Hence, the
expression above means that the graphs representing this evolution have to be adjusted horizontally
and vertically so that the average distance between them is minimal. An advantage of deviation-
based connection chain identification is therefore that it does not require clock synchronization, as
only the shapes of the aforementioned graphs are compared.
Meanwhile, sequence numbers are generally managed by OS kernels, which makes the invariance
assumption inconsistent if multiple OSs are used along the connection chain. Moreover, since the
packet content is not used in the deviation-based approach, it remains accurate when the attacker
uses application-level encryption (e.g., SSH, SSL) to hide the transmitted data. However, this
reasoning no longer holds if encryption occurs at the network level (e.g., ESP), as deviation-based
tracing is vulnerable to payload padding. Even worse, the system may not be able to properly
analyze the packet headers.

129
Inter-packet delay based
tracing
‰ Packet timestamps are used to evaluate the correlation between two packet streams
‰ Correlation window
$$W_{l,s}\bigl(d^i_1, \dots, d^i_{n_i}\bigr) = \bigl(d^i_l, \dots, d^i_{l+s-1}\bigr),$$
where $l$ is the starting point of the window, $s$ is the size of the window, and $d^i_k = t^i_{k+1} - t^i_k$ is the IPD.
‰ The correlation function is expressed by
$$CPF(c_i, c_j, l, k, s) = \phi\bigl(W_{l,s}(c_i),\, W_{l+k,s}(c_j)\bigr),$$
where $\phi(\cdot,\cdot)$ is a similarity measurement criterion.

In order to address the problem of characterizing partially (or totally) encrypted connection chains,
the investigator can use a method which is very similar to the previous one except that it relies
only on packet timestamps to evaluate the correlation between the two packet streams. More
precisely, it introduces the notion of Inter-Packet Delay (IPD) correlation window as a feature that
characterizes a portion of a packet stream.
The first step is to find, for a given value of $j$, the offset $k$ that corresponds to a maximum of
$CPF(\cdot,\cdot,\cdot,\cdot,\cdot)$. The alert reader will have noticed that this procedure is equivalent to the
graph adjustment used in deviation-based tracing. By varying $j$, a set of optimal offsets is determined.
Therefore, according to the basic hypothesis, these offsets should be equal for all the correlation
points if $c_i$ and $c_j$ belong to the same connection chain.
The main advantage of IPD-based tracing is that it can be used in real time, which may not be
very important from the computer forensics point of view. Another interesting feature is that it
needs relatively few packets, compared to other methods, to perform the correlation.
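The IPD correlation window and the offset search described above, as an added Python example (not the course's code): the three timestamp series are constructed (one stream, the same stream relayed one hop further with latency and jitter, and an unrelated session), and φ is assumed to be a min/max overlap ratio since the notes leave it unspecified.

```python
from typing import List

# Constructed timestamps (seconds).  STREAM_J is STREAM_I relayed through one
# more hop: two unrelated leading packets, then 0.5 s of latency plus +/-10 ms
# of jitter per packet.  STREAM_U is an unrelated interactive session.
STREAM_I = [0.00, 0.30, 0.90, 1.00, 1.80, 2.10, 3.00, 3.20, 3.25, 4.10, 4.90, 5.00]
STREAM_J = [0.05, 0.20, 0.51, 0.79, 1.41, 1.49, 2.31, 2.59, 3.51, 3.69, 3.76, 4.59, 5.41, 5.49]
STREAM_U = [0.00, 0.10, 0.95, 1.00, 1.05, 2.40, 2.45, 3.30, 3.35, 3.40, 4.80, 4.85, 5.90, 5.95]


def ipds(timestamps: List[float]) -> List[float]:
    """Inter-packet delays d_k = t_{k+1} - t_k of one packet stream."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def window(d: List[float], l: int, s: int) -> List[float]:
    """Correlation window W_{l,s}: s consecutive IPDs starting at index l."""
    return d[l:l + s]


def phi(w1: List[float], w2: List[float]) -> float:
    """Assumed similarity measure (the notes leave phi open): overlap ratio
    sum(min)/sum(max) of the paired delays, 1.0 for identical windows."""
    num = sum(min(a, b) for a, b in zip(w1, w2))
    den = sum(max(a, b) for a, b in zip(w1, w2))
    return 1.0 if den == 0 else num / den


def cpf(ci: List[float], cj: List[float], l: int, k: int, s: int) -> float:
    """CPF(c_i, c_j, l, k, s) = phi(W_{l,s}(c_i), W_{l+k,s}(c_j))."""
    return phi(window(ipds(ci), l, s), window(ipds(cj), l + k, s))


def best_offset(ci: List[float], cj: List[float], l: int, s: int) -> int:
    """Offset k maximising CPF at correlation point l (first maximum on ties)."""
    last_k = len(cj) - 1 - s - l          # keep the c_j window inside its IPD series
    return max(range(last_k + 1), key=lambda k: cpf(ci, cj, l, k, s))


def optimal_offsets(ci: List[float], cj: List[float], s: int, points: List[int]) -> List[int]:
    """Optimal offset at each correlation point."""
    return [best_offset(ci, cj, l, s) for l in points]


def same_chain(ci: List[float], cj: List[float], s: int, points: List[int]) -> bool:
    """Basic hypothesis of the notes: the optimal offsets agree at every
    correlation point when the two connections belong to the same chain."""
    return len(set(optimal_offsets(ci, cj, s, points))) == 1
```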

130
Further readings
‰ M. Hamdi, N. Boudriga, “Forensic Science
and Computers,” The Handbook of
Information Security, Vol. 2, EiC: Hossein
Bidgoli, John Wiley & Sons, ISBN:
0471648337, 2006.
‰ C. Kruegel, F. Valeur, G. Vigna, “Intrusion
Detection and Correlation: Challenges and
Solutions,” Springer, ISBN: 0-387-23399-7, 2005.


131
Part IV: Building
Security Policies


132
Security policy
‰ Used to express requirements in different
contexts
‰ Difficult to find a uniform definition
‰ Generally, a SP consists of ‘a set of rules that determine how a particular set of assets should be secured’


Finding a precise meaning for this term turns out to be very arduous, as it is used to refer to numerous disparate aspects
of information systems security. The following examples give an idea of the different ways a SP can be thought
of depending on the context. The quoted sentences have been taken verbatim from the source documents so that
the reader can concretely note this ambiguity.
1. Information system SP: For an organization that owns a set of networked assets, the SP constitutes the core of the
security plan which entails the design and the implementation of security measures as well as documentation of
security incidents. The SP is the foundation for a security program addressing the business needs of the
organization. It should reflect the strategic approach of the enterprise to cope with the security risks that characterize
the environment. In (Hare, 2002, pp. 353), the SP has been defined as a “high level statement that reflects
organization’s belief related to information security.” The major purpose of the SP is to select the appropriate security
solutions to face those threat events while ensuring that the cost of protecting the infrastructure does not exceed the
benefit it provides. In business jargon, the rules of the SP should guarantee a Return On Investment (ROI).
2. Operating System (OS) SP: Due to the numerous security threats that exploit weaknesses at the OS level, a set of
protection mechanisms should be implemented to plug up such vulnerabilities. The totality of the protection
mechanisms related to an OS is called the Trusted Computing Base (TCB). They concern the various resources of
the computer system (e.g., hardware, software, processes). The most relevant example consists of the access
control policy which is enforced by secure OSs to protect the objects they handle. Obviously, for consistency and
completeness purposes, those mechanisms should abide by a set of rules, which form the SP. The reference
monitor is an entity that mediates accesses to objects by subjects. Among those accesses, only those that conform
to the SP are allowed. The reference monitor basically guarantees that the OS respects several pre-defined security
principles such as least privilege and continuous protection.
3. Key management SP: To establish a secure tunnel using the IPSec protocol suite, two end-points should agree upon
a set of mutually acceptable cryptographic parameters called Security Association (SA). These security parameters
are managed according to local security policies which are set in each end-node. For example, when creating a new
SA in order to modify an older one, “deletion of the old SA is dependent on local security policy.” Besides, a standard
has been recently developed to administrate IPSec security policies; it defined the concept of IP Security Policy
(IPSP).
These examples lead us to discuss the various SP types. It is noteworthy that rather than being conflicting, the above
definitions present the same concept from different angles. The alert reader would have remarked that the first
definition, related to information systems security, provides the broadest view in the sense that both OS security and
the usage of secure protocols can be seen as specific components of the global security program. In our sense, the
difficulty of defining a SP stems from the basic fact that security is related to many organizational aspects. For
example, from a human resource perspective, the SP serves “to inform all individuals operating within an
organization on how they should behave related to a specific topic” (Tudor, 2001). From a risk management point of
view, “policies should be concerned with what assets to protect and why they need to be protected” (Canavan, 2001,
pp. 239).
To unify all these views, the SP can be defined as a set of rules that determine how a particular set of assets should be
secured. This definition can in fact be applied to represent all SPs without delving into details concerning the context
and the language to adopt (natural language or machine language).

133
SP fragmentation (1)
‰ SPs treat multiple security facets
‰ SPs can be expressed in different languages
‰ SPs can have different audiences
⇒ Splitting the SP into multiple fragments guarantees that:
‰ All SP audiences can be addressed efficiently
‰ All security requirements can be addressed
‰ The security properties (e.g., confidentiality, integrity)
of the various SP portions can be preserved more
easily


The SP is a multi-faceted concept that can effectively be defined in various manners. Security
specialists who have addressed SPs have noted this aspect, and most of them agree that "a suite
of policy documents rather than a single policy document works better in a large corporate
environment" (Canavan, 2003, p. 5). In fact, splitting the SP into fragments has multiple
advantages:
1. All SP audiences can be addressed efficiently.
2. All security requirements can be addressed.
3. The security properties (e.g., confidentiality, integrity) of the various SP portions can be
preserved more easily.
More concretely, a classification scheme should be considered to ensure that multiple policies are
developed to address the same security context.

134
SP fragmentation (2)
- Audience-based classification
  - e.g., Governing SP, Technical SP, End-user SP
- Issue-based classification
  - e.g., Access control SP, Information classification SP
- Sensitivity-based classification
  - e.g., Top Secret, Secret, Confidential, Public


Examples of SP classifications are given below to highlight the importance, or even the necessity,
of SP fragmentation:
1. Audience-based classification: In (Canavan, 2003), Canavan argued that policies should be
hierarchized with respect to the hierarchical structure of roles. He proposed three policy types:
governing policy, technical policy, and end-user policy.
2. Issue-based classification: Securing a system is difficult in proportion to its complexity.
Security requirements are defined with respect to the functionalities that the system provides, and
depending on the assets to protect, some issues deserve more emphasis than others. For example,
for an Internet Service Provider (ISP), the major need is to guarantee access to network services,
subject to contracts, laws, and ethics. For this reason, ISPs concentrate their SPs on access control,
authentication, and availability. Since the data structures they handle are simple (compared to other
organization types), developing an information classification policy requires less effort. Conversely,
a Certification Authority (CA) manages a much richer data set; cryptographic keys, digital certificates,
and revocation lists are just examples. Consequently, information classification becomes more complex
than in the former case (ISPs). In the following, we give some of the security issues that would need
a separate policy. The information security policy and the access control policy will be particularly
detailed; the remaining policies will be discussed in later sections.
3. Sensitivity-based classification: Gaining knowledge about how a system is protected is often
one of the primary goals of an attacker. Thus, the SP itself should be secured, in the sense that it
should not be accessible to non-authorized entities. This presupposes that the SP content is divided
into pieces, each corresponding to a security level. The most basic sensitivity-based classification
consists in separating internal policies from external policies (Purser, 2004). Policies that address
the secure functioning of the production process are internal; their content should not be published
outside the organization. Conversely, external policies are those intended for publication to an
external audience. This classification can be made more granular; for example, internal policies
themselves can be split into several categories depending on the sensitivity of the department concerned.
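As an added example (not part of the course material), the following Python sketch applies the three classification axes above to a small set of constructed SP fragments: each fragment carries an audience, an issue and a sensitivity label; a reader sees only fragments whose level does not exceed their clearance; and the external policy (Purser's internal/external split) is simply the Public subset. The fragment ids and texts, and the "no read up" rule used to decide readability, are assumptions made for the illustration.

```python
"""Access to SP fragments according to sensitivity, audience and issue labels.

Added example, not from the course material: fragment ids, texts and the rule
"a reader sees a fragment only if its level does not exceed the reader's
clearance" are assumptions used to illustrate sensitivity-based fragmentation."""

# Sensitivity levels, lowest to highest (the four levels named on the slide).
LEVELS = ("Public", "Confidential", "Secret", "Top Secret")
# Audiences from the audience-based classification (Canavan, 2003).
AUDIENCES = ("governing", "technical", "end-user")

# Constructed SP fragments; each carries one label on every classification axis.
FRAGMENTS = [
    {"id": "gov-01", "audience": "governing", "issue": "information classification",
     "level": "Confidential", "text": "Assets are labelled at creation time."},
    {"id": "tech-01", "audience": "technical", "issue": "access control",
     "level": "Secret", "text": "Firewall rule-set baseline and change procedure."},
    {"id": "tech-02", "audience": "technical", "issue": "access control",
     "level": "Top Secret", "text": "Location and handling of CA signing keys."},
    {"id": "user-01", "audience": "end-user", "issue": "acceptable use",
     "level": "Public", "text": "Rules for use of e-mail and the Internet."},
]


def _rank(level):
    """Position of a level in the ordered scale; unknown labels are rejected."""
    if level not in LEVELS:
        raise ValueError(f"unknown sensitivity level: {level}")
    return LEVELS.index(level)


def readable(fragments, clearance, audience=None, issue=None):
    """Fragments a reader may see: level <= clearance ("no read up"), optionally
    narrowed to one audience or one issue. Returns fragment ids in policy order."""
    limit = _rank(clearance)
    return [f["id"] for f in fragments
            if _rank(f["level"]) <= limit
            and (audience is None or f["audience"] == audience)
            and (issue is None or f["issue"] == issue)]


def external_release(fragments):
    """The external policy: only Public fragments may leave the organization."""
    return readable(fragments, "Public")


def leaks_in_release(fragments, released_ids):
    """Check a proposed external publication: ids of non-Public fragments it contains."""
    by_id = {f["id"]: f for f in fragments}
    return [i for i in released_ids if _rank(by_id[i]["level"]) > _rank("Public")]


if __name__ == "__main__":
    print("technical staff, Secret clearance:", readable(FRAGMENTS, "Secret", audience="technical"))
    print("external policy:", external_release(FRAGMENTS))
    print("leaks in proposed release:", leaks_in_release(FRAGMENTS, ["user-01", "tech-01"]))
```

The `leaks_in_release` check is the part worth keeping in a real workflow: it is the gate that stops an internal fragment (here the Secret firewall procedure) from being bundled into a publication intended for an external audience.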

135
SP requirements
- Accountability: Every action performed on the system should be traced
- Awareness: Every user should possess the appropriate knowledge to interact with the system in a secure manner.
- Proportionality: Security measures defined in the security policy must be commensurate with the risks that threaten the system.


An SP must possess several properties to fulfill its objectives. The essence of these properties is given in the
following.
1. Accountability: Every action performed on the system should leave a trace that can serve to
monitor the system state. This guideline is tightly related to the continuous control of the IT
infrastructure. In practice, the most common accountability mechanism consists simply of recording
traces in log files. Nonetheless, as the resources dedicated to this activity are generally limited (in the
sense that they do not allow capturing all the attributes defining a system state), the security policy
should clearly address the following issues:
   1. Generation: What should be logged? Which data are relevant with regard to the intrinsic
   characteristics of the system under analysis?
   2. Analysis: How should the captured information be analyzed to state whether the policy has
   been violated?
   3. Archival and storage: The information that accounts for the interaction of the various components of
   the system often has a high security level. Furthermore, archival is a key consideration because
   traces might be needed long after they were captured. Therefore, the security policy must define
   storage procedures while putting the stress on access control issues.
2. Awareness: Every user of the system should possess the appropriate knowledge to interact with the
system in a secure manner. This principle is particularly important since most security attacks
originate from inside the system or exploit vulnerabilities that exist in internal components (e.g.,
misconfigurations). In addition, awareness considerably reduces unintentional harmful actions. Training
programs are often mentioned as a solution that fulfills these needs. However, we believe that strong
involvement of the human resources department is the best way for an enterprise to reach an
acceptable security level. For instance, some investigation should be conducted to determine whether a
candidate caused security problems in previous jobs. Likewise, the procedures that apply when an
employee leaves the organization have to be included in the security policy, to ensure that the employee
no longer holds any security privileges.
3. Proportionality: Security measures defined in the security policy must be commensurate with the risks that
threaten the system. In other terms, the value of critical information as well as the probability of
security attacks (deduced from studying the environment of the system) should be taken into
consideration when developing the security policy. Obviously, overlooking these aspects would lead to
grave consequences, because the resulting view of the system would be unrealistic.
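The three accountability issues (generation, analysis, archival) can be made concrete with a small audit-trail handler. The following Python block is an added example, not code from the course: the mandatory field set, the two analysis rules (an authorisation table and a change window), the one-year retention period and the sample events are constructed assumptions. Generation is enforced by rejecting records that lack a mandatory attribute, analysis matches each well-formed record against policy rules, and archival chains records with SHA-256 so that later alteration of a stored trace is detectable.

```python
"""Handling an audit trail along the three accountability issues an SP must settle:
generation (which fields every record carries), analysis (how records are checked
against policy) and archival (tamper-evident, retention-aware storage).

Added example, not course material: field names, the two analysis rules, the
retention period and the sample events are constructed for illustration."""
import hashlib
import json
from datetime import datetime, timedelta

# Generation: the minimal attribute set every audit record must contain (assumed).
REQUIRED_FIELDS = ("ts", "actor", "action", "resource", "outcome")

# Analysis rules (constructed): who may act on each resource, and the hours (UTC)
# during which configuration changes are permitted.
AUTHORISED = {"hr/payroll.xlsx": {"alice"}, "fw/ruleset": {"bob", "erin"}}
CHANGE_WINDOW = (8, 18)

# Archival: how long an archived record must be kept (assumed one year).
RETENTION = timedelta(days=365)
GENESIS = "0" * 64  # previous-hash value of the first chain entry

# Constructed sample events, as an application would emit them.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:12:00Z", "actor": "alice", "action": "read",
     "resource": "hr/payroll.xlsx", "outcome": "success"},
    {"ts": "2024-03-01T23:45:10Z", "actor": "bob", "action": "modify",
     "resource": "fw/ruleset", "outcome": "success"},
    {"ts": "2024-03-01T10:02:33Z", "actor": "carol", "action": "read",
     "resource": "hr/payroll.xlsx", "outcome": "denied"},
    {"ts": "2024-03-01T10:05:00Z", "actor": "dave", "action": "read",
     "resource": "public/notice.txt"},          # 'outcome' missing: unusable record
]


def missing_fields(rec):
    """Generation check: names of mandatory fields absent from the record."""
    return [f for f in REQUIRED_FIELDS if f not in rec]


def analyse(rec):
    """Analysis: policy findings for one well-formed record (empty list if none)."""
    findings = []
    allowed = AUTHORISED.get(rec["resource"])
    if allowed is not None and rec["actor"] not in allowed and rec["outcome"] == "success":
        findings.append("unauthorised access succeeded")
    if rec["outcome"] == "denied":
        findings.append("denied access attempt")
    hour = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    if rec["action"] == "modify" and not CHANGE_WINDOW[0] <= hour < CHANGE_WINDOW[1]:
        findings.append("modification outside change window")
    return findings


def _digest(prev, rec):
    """Hash of a record bound to the hash of its predecessor."""
    return hashlib.sha256((prev + json.dumps(rec, sort_keys=True)).encode()).hexdigest()


def archive(records):
    """Archival: chain each record to its predecessor by SHA-256 and attach the date
    before which it must not be deleted; altering any stored record breaks the chain."""
    chain, prev = [], GENESIS
    for rec in records:
        digest = _digest(prev, rec)
        keep_until = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ") + RETENTION
        chain.append({"prev": prev, "record": rec, "hash": digest,
                      "keep_until": keep_until.date().isoformat()})
        prev = digest
    return chain


def verify_chain(chain):
    """True if every entry still hashes correctly and links to the one before it."""
    prev = GENESIS
    for entry in chain:
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False
        prev = entry["hash"]
    return True


def process(events):
    """Run the generation check, the analysis and the archival over a batch of events."""
    malformed, findings, clean = [], [], []
    for rec in events:
        gaps = missing_fields(rec)
        if gaps:
            malformed.append((rec.get("actor"), gaps))
            continue
        clean.append(rec)
        hits = analyse(rec)
        if hits:
            findings.append((rec["actor"], hits))
    return {"malformed": malformed, "findings": findings, "archive": archive(clean)}


if __name__ == "__main__":
    result = process(SAMPLE_EVENTS)
    print("malformed:", result["malformed"])
    print("findings:", result["findings"])
    print("archive intact:", verify_chain(result["archive"]))
```

Keeping the verification key (here only the genesis value and the hash function) and the archive under access control separate from the systems that generate the events is what gives the chain its value: an intruder who can rewrite both the records and their hashes would otherwise simply recompute the chain.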
An intriguing point that the reader may have noticed is that the latter two objectives are, in some
sense, conflicting. A complete SP is rarely cost-effective, because the attacks corresponding to a generic
environment are so numerous that mitigating all of them cannot be achieved with a reasonable budget.
Another problem arises from the fact that completeness is a utopia that can never be objectively
reached: the SP development team can never build a zero-uncertainty representation of the
studied environment.
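The proportionality requirement and the budget conflict just described can be worked through numerically. The following Python block is an added example, not part of the course material: asset values, attack probabilities, countermeasure costs and reduction factors are constructed; risk is modelled as value times probability, and a measure is called proportionate when the risk it removes exceeds its cost. It goes slightly beyond the text by also selecting, for a given budget, the measure set with the lowest residual risk, which shows that the "complete" set only becomes affordable once the budget is large enough.

```python
"""Proportionality of security measures to risk, and the cost of completeness.

Added example, not course material: asset values, attack probabilities,
countermeasure costs and reduction factors are constructed. Risk is modelled as
value x probability, and a measure is proportionate when the risk it removes is
worth more than it costs."""
from itertools import combinations

# Constructed assets: (loss if compromised, yearly probability of a successful attack).
ASSETS = {
    "customer-db": (500_000, 0.30),
    "web-front":   (120_000, 0.60),
    "wiki":        (8_000, 0.80),
}

# Constructed countermeasures: (cost, fraction of attack probability removed per asset).
MEASURES = {
    "db-encryption":  (60_000, {"customer-db": 0.5}),
    "waf":            (25_000, {"web-front": 0.6, "customer-db": 0.2}),
    "patching":       (15_000, {"web-front": 0.3, "wiki": 0.7, "customer-db": 0.1}),
    "wiki-hardening": (12_000, {"wiki": 0.9}),
}


def expected_loss(assets):
    """Risk with no countermeasure in place."""
    return sum(value * prob for value, prob in assets.values())


def residual_risk(assets, chosen, measures):
    """Risk that remains after applying the chosen measures; reductions are
    assumed independent, so the remaining probability is the product of (1 - factor)."""
    total = 0.0
    for name, (value, prob) in assets.items():
        remaining = prob
        for m in chosen:
            remaining *= 1 - measures[m][1].get(name, 0.0)
        total += value * remaining
    return total


def proportionate(assets, measures):
    """Measures whose stand-alone risk reduction exceeds their cost."""
    base = expected_loss(assets)
    return [m for m, (cost, _) in measures.items()
            if base - residual_risk(assets, (m,), measures) > cost]


def select(assets, measures, budget):
    """Measure set with the lowest residual risk whose total cost fits the budget.
    Exhaustive search over subsets: fine for a handful of candidate measures."""
    names = list(measures)
    best = ((), residual_risk(assets, (), measures))
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            if sum(measures[m][0] for m in combo) > budget:
                continue
            risk = residual_risk(assets, combo, measures)
            if risk < best[1]:
                best = (combo, risk)
    return best


if __name__ == "__main__":
    print("baseline risk:", expected_loss(ASSETS))
    print("proportionate on their own:", proportionate(ASSETS, MEASURES))
    for budget in (100_000, 200_000):
        chosen, risk = select(ASSETS, MEASURES, budget)
        print(f"budget {budget}: {chosen} -> residual {risk:.0f}")
```

With these numbers the wiki hardening removes less risk than it costs and is therefore disproportionate on its own, while the full set of measures is only chosen once the budget exceeds their combined cost; below that, the selection drops the least effective measure first.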

136
SP lifecycle

[Cycle diagram: Risk analysis -> Development -> Approval -> Publication / Raising awareness -> Implementation -> Reassessment -> back to Risk analysis]


Developing a security policy should be done according to several steps, which are briefly explained
below:
1. Risk analysis: It essentially includes the mission statement, asset evaluation, and threat
assessment. It is worth mentioning that some parts of the SP can be written in this step. In
fact, the risk analyst needs rules to assign a security level to each resource, meaning
that the data classification policy should already have been constructed at this stage.
2. Development: This step consists of selecting the security rules that best fit the requirements of
the organization. The SP development team must use suitable languages to model and
validate the SP. The main characteristic of this step is that it is performed progressively, moving
from an abstract representation towards a more concrete one.
3. Approval: It relies on a multi-disciplinary committee that validates the security policy. At every
layer (i.e., abstraction degree) of the development process, the SP should be validated
against: (a) the upper layer and (b) the security objectives.
4. Raising awareness: This ensures that the security policy is accessible to everyone who is
authorized to access it. This means that the SP is published correctly and that every user of
the secured system possesses the skills suited to his responsibilities.
5. Implementation: It enforces the application of the security policy. During this step, operational
and technical controls are put in place. Operational controls are security mechanisms that are
essentially implemented and executed by the users themselves, while technical controls
are the automated security countermeasures.
6. Reassessment: It guarantees continuous monitoring of the security policy through scheduled
revisions and analyses. This process is essential to test the efficiency of the SP in practice,
since new threats can appear.

137
SP and documentation hierarchy
- An efficient security architecture encompasses the use of different document categories:
  - Standards
  - Procedures
  - Baselines
  - Guidelines


To keep the organization's global view of potential threats uniform, the SP
must be closely related to the whole security documentation. In the following, we outline the
main document categories that should be used to build an effective security architecture.
1. Standards: A standard is a document that defines how a specific task should be performed. It
can concern, for instance, the development of a product or a protocol related to a secure
process. Generally, standards are developed so that the community using the target system
knows what should be done to interact with it securely.
2. Procedures: Procedures describe exactly how to use the standards and guidelines to
implement the countermeasures that support the policy. They can be used to
describe everything from the configuration of operating systems, databases, and network
hardware to how to add new users, systems, and software.
3. Baselines: Baselines are used to establish the minimum level of security necessary to meet policy
requirements. Baselines can be configurations, architectures, or procedures that might or
might not reflect the business process, but that can be adapted to meet these requirements.
They can be used as an abstraction from which standards are developed.
4. Guidelines: Sometimes security cannot be described as a standard or set as a baseline, but
some guidance is still necessary. In these areas, recommendations are issued as
guidelines that give the user community a reference for proper security. For example, the policy
might require a risk analysis every year. Rather than requiring specific procedures to perform
this audit, a guideline can specify the methodology to be used, leaving the audit team to
work with management to fill in the details.

138
Further readings
- M. Hamdi, N. Boudriga, "Security Policy Guidelines," The Handbook of Information Security, Vol. 3, EiC: Hossein Bidgoli, John Wiley & Sons, ISBN: 0471648337, 2006.
- M. Hamdi, N. Boudriga, "Computer Security Risk Management: Theory, Challenges, and Countermeasures," International Journal of Communication Systems, Vol. 18, Issue 8, pp. 763-793, 2005.


139
Exercises II


140
