Proceedings of the 10th ACM Conference on Computer and Communications Security - Article Example

?Article Critique Sommer, D. and V. Paxson. (2003). Enhancing Byte-Level Network Intrusion Detection Signatures with Context. CCS '03 Proceedings of the 10th ACM conference on Computer and communications security, pages 262-271. New York: ACM. Summary The article is authored by Robin Sommer and Vern Paxson and details a Network Intrusion Detection Signature (NIDS) system that is an improvement over other NIDS that use byte sequences as signatures to detect malicious activity. The authors assert that although these systems have high efficiency, they have a limitation as they tend to suffer from a high false-positive rate, that is, they detect non-attacks as actual attacks. They mention that signature matching also has inherent weaknesses. For instance, when using tight signatures, the matcher does not have the ability to detect attacks other than those for which it has clearly specified signatures; consequently, it is highly possible that the matcher will completely miss new attacks, which, unfortunately, are being developed at a rapid pace. Besides, often signatures are not in fact “tight” as the developers proclaim. To address the NIDS weaknesses mentioned above, Sommer and Paxson (2003) develop the concept of contextual signatures as an enhancement of string-based signature-matching employed by traditional NIDS. Under this system, instead of only matching fixed strings in isolation, the process is enhanced with additional context. These enhancements include the provision of low-level context by using regular expressions for matching, and high-level context by making use of the semantic information availed by Bro’s protocol analysis and scripting language. Consequently, the newly designed NIDS’ expressiveness is greatly enhanced and this significantly reduces false positive rates. Critique In this paper, the authors describe a Network Intrusion Detection Signature system that they have designed as an improvement to conventional systems that have intrinsic weaknesses. However, developing such a system would be in vain if the traditional systems did not have any weaknesses, or if the newly designed NIDS did not bring any improvements, and this is the whole essence of research. The authors give detailed descriptions of gaps in previous NIDS and how their system will address these flaws. This is one of the strengths and contributions of the paper. Their design is built on one popular form of detecting misuse of network resources known as signature matching in which the system scans network traffic for matches against exact and clearly defined patterns. Flaws identified in earlier systems include a high probability of false positives. Besides, they systems do not address failed attacks. The authors assert that the problem of false positives can be greatly reduced through additional context. To this end, the newly designed NIDS will enable the use of additional context by: i. Providing full regular expressions rather than using fixed strings, and ii. Giving the signature engine a perception of full connection state, this permits it to compare multiple interdependent matches in both directions when the connection is in use. If the signature engine reports the match of a signature, the system uses this information to initiate a decision process, rather than an alert as occurs in most signature-matching systems. To indicate how effective their system is, the authors compare the re-designed NIDS with one of the conventional systems, Snort. A weakness of the paper is its failure to compare their newly designed system to a number of conventional NIDSs. Indeed, the authors only compare their system to one conventional system; Snort. It is known that different NIDS have unique flaws and strengths, perhaps a review of more systems would reveal a number of gaps that the authors would then address in their design enhancements and subsequent research. Findings from these numerous papers would have also served as platforms for future research in the field of network intrusion prevention. The authors contend that various difficulties exist in the evaluation of NIDS both in terms of assessing attack detection and in terms of evaluating performance. This perhaps accounts for their failure to assess more NIDS in their research. Although the authors present a brilliant paper in detailing flaws in conventional NIDS and how their new system will fix these, the paper could still benefit from some improvements. First, the authors need to evaluate more NIDSs and measure them up against their system to identify whether any additional flaws exist in these other systems or in their own system. Besides, their new NIDS system needs to be taken through rigorous testing procedures using test attacks to determine whether it can detect and correctly identify these attacks. Such tests are necessary before full implementation of the system. This article expands on what I have learnt in class, particularly in the area of internet security. Unauthorized access into a system through network intrusion can result into correspondence interception, loss or deletion of information, access and intrusion into software, databases and servers and even failure of servers. Consequently, research into internet security must be an ongoing process as new threats arise daily, and this paper is just part of ongoing research process. Concepts that would improve the paper include incorporation of other tools that can work in tandem with the described NIDS to enhance internet security. These techniques would include information on how to choose a network topology that limits intrusions, incorporation of data protection measures, and the physical security represented through the identification of people allowed to physically access IT infrastructure components such as servers and routers. One of the books that can give an insightful understanding into this field is titled Tomorrow's technology and you by Beekman and Beekman (2010). Besides, I found a journal titled Bro: A system for detecting network intruders in real-time by V. Paxson very informative as it gave insight into how the Bro system works. Jackson, C., A. Barth, A. Bortz, W. Shao, and D. Boneh. (2007). Protecting Browsers from DNS Rebinding Attacks. ACM Trans. Web, Vol. 3, No. 1., pp. 1-26 Summary This article details DNS rebinding, a process that takes advantage of the interaction between browsers and their plugins, such as Flash player, Silverlight, and Java. The authors assert that the attacks can convert browsers into open network proxies that can then make the whole system vulnerable to unauthorized access and further attack. These attacks can be used to bypass firewalls and send spam email, commit click fraud, and frame hijacked IP addresses in cyber attacks. The authors emphasize that the classic security against these malicious attacks, known as “DNS pinning” can no longer work in modern browsers. The main focus of the paper, however, is to detail the design of robust protection against this kind of attack. The authors recommend the setting up of plugin patches to protect internet users from hackers. The tool, referred to as dnswall, is not only easy to set up, but it also prevents large-scale exploitation and firewall bypass. The authors also describe two defense options which they refer to as policy-based pinning and host name authorization. Critique In any research process, it is paramount that a gap is first observed before initiating the research process, and this can only be done through evaluation and assessment of systems for which the researcher(s) is trying to improve on. Jackson et al. (2007) excel in this area as they describe the various vulnerabilities that exist in modern browsers and how traditional tools for preventing such attacks, such as DNS pinning, are ineffective in modern browsers. DNS pinning is said to be ineffective due to the vulnerabilities resulting from the recent introduction of plugins into browsers. Although the plugins provide additional browser functionality, their interaction with the browser can permit the attacker to read and write data directly on sockets to a hijacked system regardless of strong pinning. This is one of the main contributions of the paper. A second strength of the paper is seen in the way the researchers detail the communication between plugins and the browser and how this makes the browser vulnerable to hackers. Apart from the general communication process, the authors also detail communication processes between browsers and specific plugins such as Flash Player, Java, and Java LiveConnect. These plugins provide vulnerability against DNS rebinding attacks as they enable subsecond attacks, provide socket-level network access, and operate autonomously from browsers. In order to prevent the vulnerabilities, these plugins must be patched. The paper exhibited a few weaknesses and limitations. These include the failure of the researchers to give adequate detail regarding the functioning of dnswall. They only mention that the tool will protect against firewall circumvention but barely mention how it will work towards this. However, the paper is strong in giving alternative or additional options that can prevent DNS rebinding attacks. These mechanisms include fixing plugins, fixing browsers using default-deny sockets, and fixing browsers using default-allow sockets. Besides, the Firefox NoScript extension can offer partial protection against the attacks. Possible improvements to this paper include a thorough comparison of dnswall against other tools used to prevent DNS rebinding attacks. This would make it possible to evaluate the effectiveness of the tool and even expose some weaknesses that could form the basis for future research. The paper serves to extend my knowledge of concepts learned in class. Internet security is a very broad and complex topic and research into this important area is ongoing as has been seen in the last paper included in this critique. I have previously read widely on the subject of internet security, some of the areas touched on include malicious software (viruses, worms, spyware etc.) and how antivirus programs function to curtail the effects of these programs, denial-of-service attacks and the role of firewalls in web security. This paper improved my comprehension of how firewalls can be bypassed and the tools that can be used to reduce this risk. Some of the books that can increase one’s understanding of internet security include Firewalls and Internet Security: Repelling the Wily Hacker by William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin and Cyber Threat: Internet Security for Home and Business by David Mcmahon. Although dnswall is one of the most common tools in DNS filtering and preventing DNS rebranding, it should be used in combination with other tools due to the wide range of threats that internet users face. Besides, internet attacks are rapidly evolving in form and type and research in to this field must match the pace at which these threats arise. This paper was just a part of that research and the researchers could not obviously cover everything. Consequently, future research into DNS rebranding should focus on the effectiveness of various tools in fighting these attacks. References Jackson, C., A. Barth, A. Bortz, W. Shao, and D. Boneh. (2007). Protecting Browsers from DNS Rebinding Attacks. ACM Trans. Web, 3(1): 1-26. Sommer, D. and V. Paxson. (2003). Enhancing Byte-Level Network Intrusion Detection Signatures with Context. CCS '03 Proceedings of the 10th ACM conference on Computer and communications security, pages 262-271. New York: ACM. Read More