Showing papers on "Pre-play attack published in 2004"
Patent•
16 Jul 2004TL;DR: In this article, a system for detecting and responding to an attack comprises a filter module, a node, a management module, and a test node, where the filter module allows questionable messages to proceed and maintains logical operations associated with the questionable messages within a restricted region.
Abstract: A system for detecting and responding to an attack comprises a filter module, a node, a management module, and a test node. The filter module allows questionable messages to proceed. The node receives the questionable messages and maintains logical operations associated with the questionable messages within a restricted region. The management module resets the service node upon a network attack. The test node replays the node questionable messages to identify a new attack. A method of protecting against a network attack logs questionable messages and directs the questionable messages to a node. The method maintains logical operations associated with the questionable messages within a restricted region and identifies a network attack upon the node, which triggers an intrusion response. The intrusion response resets the node, replays the questionable messages within a test node to identify a new attack message, and adds the new attack message to the known attack messages.
187 citations
06 Dec 2004
TL;DR: This work observes that different attack instances can be derived from each other using simple transformations, and model these transformations as inference rules in a natural-deduction system to automatically generate all possible instances derived by a set of rules.
Abstract: A common way to elude a signature-based NIDS is to transform an attack instance that the NIDS recognizes into another instance that it misses For example, to avoid matching the attack payload to a NIDS signature, attackers split the payload into several TCP packets or hide it between benign messages We observe that different attack instances can be derived from each other using simple transformations We model these transformations as inference rules in a natural-deduction system Starting from an exemplary attack instance, we use an inference engine to automatically generate all possible instances derived by a set of rules The result is a simple yet powerful tool capable of both generating attack instances for NIDS testing and determining whether a given sequence of packets is an attack In several testing phases using different sets of rules, our tool exposed serious vulnerabilities in Snort - a widely deployed NIDS Attackers acquainted with these vulnerabilities would have been able to construct instances that elude Snort for any TCP-based attack, any Web-CGI attack, and any attack whose signature is a certain type of regular expression
85 citations
01 Jan 2004
TL;DR: A metric to determine whether one version of a system is relatively more secure than another with respect to the system’s attack surface is proposed and demonstrated and validated by measuring the relative attack surface of four versions of the Linux operatingsystem.
Abstract: We propose a metric to determine whether one version of a system is relatively more secure thananother with respect to the system’s attack surface. Intuitively, the more exposed the attack surface,the more likely the system could be successfully attacked, and hence the more insecure it is. Wedefine an attack surface in terms of the system’s actions that are externally visible to its usersand the system’s resources that each action accesses or modifies. To apply our metric in practice,rather than consider all possible system resources, we narrow our focus on a “relevant” subset ofresource types, which we call attack classes; these reflect the types of system resources that aremore likely to be targets of attack. We assign payoffs to attack classes to represent likelihoods ofattack; resources in an attack class with a high payoff value are more likely to be targets or enablersof an attack than resources in an attack class with a low payoff value. We outline a method toidentify attack classes and to measure a system’s attack surface. We demonstrate and validate ourmethod by measuring the relative attack surface of four different versions of the Linux operatingsystem.Keywords: Security metrics, attack, attack class, attack surface, threat modeling
74 citations
Journal Article•
TL;DR: This work presents a more efficient way to accomplish the minimal hitting set attack, i.e. the authors need less observations by looking for unique minimal hitting sets, and uses frequency analysis to enhance the applicability of the attack.
Abstract: A passive attacker can compromise a generic anonymity protocol by applying the so called disclosure attack, i.e. a special traffic analysis attack. In this work we present a more efficient way to accomplish this goal, i.e. we need less observations by looking for unique minimal hitting sets. We call this the hitting set attack or just HS-attack. In general, solving the minimal hitting set problem is NP-hard. Therefore, we use frequency analysis to enhance the applicability of our attack. It is possible to apply highly efficient backtracking search algorithms. We call this approach the statistical hitting set attack or SHS-attack. However, the statistical hitting set attack is prone to wrong solutions with a given small probability. We use here duality checking algorithms to resolve this problem. We call this final exact attack the HS*-attack.
62 citations
23 May 2004
TL;DR: In this paper, the hitting set attack was used to compromise a generic anonymity protocol by applying the so-called disclosure attack, i.e., a special traffic analysis attack, and the attack was called the hitting sets attack or just HS-attack.
Abstract: A passive attacker can compromise a generic anonymity protocol by applying the so called disclosure attack, i.e. a special traffic analysis attack. In this work we present a more efficient way to accomplish this goal, i.e. we need less observations by looking for unique minimal hitting sets. We call this the hitting set attack or just HS-attack.
In general, solving the minimal hitting set problem is NP-hard. Therefore, we use frequency analysis to enhance the applicability of our attack. It is possible to apply highly efficient backtracking search algorithms. We call this approach the statistical hitting set attack or SHS-attack.
However, the statistical hitting set attack is prone to wrong solutions with a given small probability. We use here duality checking algorithms to resolve this problem. We call this final exact attack the HS*-attack.
55 citations
TL;DR: The advanced attacker presented here, called the "majority-flipping attacker," does not decay with the parameters of the model, unlike any other attack strategy known.
Abstract: A successful attack strategy in neural cryptography is presented. The neural cryptosystem, based on synchronization of neural networks by mutual learning, has been recently shown to be secure under different attack strategies. The success of the advanced attacker presented here, called the "majority-flipping attacker," does not decay with the parameters of the model. This attacker's outstanding success is due to its using a group of attackers which cooperate throughout the synchronization process, unlike any other attack strategy known. An analytical description of this attack is also presented, and fits the results of simulations.
54 citations
10 May 2004
TL;DR: This paper introduces a generic DDoS attack detection mechanism as well as the design and setup of a testbed for performing experiments and analysis, and shows that the mechanism can detect DDoSattack.
Abstract: Distributed denial-of-service (DDoS) attack has turned into one of the major security threats in recent years. Usually the only solution is to stop the services or shut down the victim and then discard the attack traffic only after the DDoS attack characteristics (such as the destination ports of the attack packets) are known. In this paper, we introduce a generic DDoS attack detection mechanism as well as the design and setup of a testbed for performing experiments and analysis. Our results showed that the mechanism can detect DDoS attack. This enables us to proceed to the next steps of packet classification and traffic control.
48 citations
14 May 2004
TL;DR: A secure and practical CRT-based RSA signature scheme that is secure against side channel attacks, including power analysis attack, timing attack, and fault analysis attack and also secure against differential power attack by using the message random blinding technique on RSA with CRT.
Abstract: A secure and practical CRT-based RSA signature scheme is proposed against side channel attacks, including power analysis attack, timing attack, and fault analysis attack. The performance advantage obtained over other existing countermeasures is demonstrated. To prevent from fault attack, the proposed countermeasure employs a fault diffusion concept which is to spread the fault into the correct term during the recombination process by using CRT. This new countermeasure is also secure against differential power attack by using the message random blinding technique on RSA with CRT.
32 citations
Patent•
19 Apr 2004
TL;DR: In this paper, the authors present a system, method and computer program product for ensuring the quality of service provided by a protected network of computers during an ongoing security breach is provided.
Abstract: A system, method and computer program product for ensuring the quality of service provided by a protected network of computers during an ongoing security breach is provided. The quality of the services is ensured by performing secure quality of service actions on data packets on the network. The sQos actions depend on whether the data packets correspond to an attack on the computer to which they are directed, called the destination computer. If the data packet corresponds to an attack, then the actions also depend on the type of attack. In case there is no attack, the actions depend on the history of attacks by data packets that had originated from the same source computer and were directed towards the same destination computer. Supported actions include HardenFW (206), ControlBW (208) and ConnectionLimit (210).
32 citations
Book•
01 Jan 2004
TL;DR: A Fault Model for Software Security Testing, Breaking Security through the User Interface, and How Secure is Secure?
Abstract: (Chapters 1-6 conclude with a "Conclusion," "Exercises," and "References." Chapter 7 concludes with a "Conclusion" and "References" and the Appendices conclude with only "References.") Preface. Dedication. Chapter Summaries. I. INTRODUCTION. 1. A Fault Model for Software Security Testing. Why Security Testing is Different. A Fault Model for Security Vulnerabilities. Security Concerns and the How to Break Software Fault Model. Creating an Attack Plan. A Note on Format. II. CREATING UNANTICIPATED USER INPUT SCENARIOS. 2. Attacking Software Dependencies. First Attack: Block access to libraries. Second Attack: Manipulate the application's registry values. Third Attack: Force the application to use corrupt files. Fourth Attack: Manipulate and replace files that the application creates, reads from, writes to or executes. Fifth Attack: Force the application to operate in low memory, disk space and network availability conditions. Summary: A Checklist for Battle. 3. Breaking Security through the User Interface. First Attack: Overflow input buffers. Second Attack: Examine all common switches and options. Third Attack: Explore escape characters, character sets and commands. Summary: A Checklist for Battle. III. DESIGN AND IMPLEMENTATION ATTACKS. 4. Attacking Design. First Attack: Try common default and test account names and passwords. Second Attack: Use Holodeck to expose unprotected test APIs. Third Attack: Connect to all ports. Fourth Attack: Fake the source of data. Fifth Attack: Create loop conditions in any application that interprets script, code or other user supplied logic. Sixth Attack: Use alternate routes to accomplish the same task. Seventh Attack: Force the system to reset values. Summary: A Checklist for Battle. 5. Attacking Implementation. First Attack: Get between time of check and time of use. Second Attack: Create files with the same name as files protected with a higher classification. Third Attack: Force all error messages. Fourth Attack: Use Holodeck to look for temporary files and screen their contents for sensitive information. Summary: A Checklist for Battle. IV. APPLYING THE ATTACKS. 6. Putting it All Together. Pre-Attack Preparations. Opponent#1: Microsoft Windows Media Player 9.0 (Windows). Opponent#2: Mozilla 1.2.1 (Windows). Opponent#3: OpenOffice.org 1.0.2 (Linux). V. CONCLUSION. 7. Some Parting Advice. How Secure is Secure? Mining Gold from Bug Databases. Final Words of Wisdom. APPENDICES. Glossary of Coding, Testing, and Software Security Terms. Appendix A. Using the Tools on the Accompanying CD. Surveying the Tools. Holodeck. Port Scanner. Appendix B. Software's Invisible Users. Where Errors Slip In. The Human User. The Operating System User. The API User. The File System User. Index.
25 citations
TL;DR: It is shown that an attacker can easily prevent the normal use of communication facilities by performing the attack and an enhancement of the scheme is proposed to isolate such a problem.
Abstract: Recently, Lee et al. proposed an improvement on Peyravian and Zunic scheme to make the protocol withstand the guessing attack. However, their scheme suffers from a denial of service attack. In this paper, we show that an attacker can easily prevent the normal use of communication facilities by performing the attack. We also propose an enhancement of the scheme to isolate such a problem.
29 Mar 2004
TL;DR: This work proposes a new methodology based on graph theory, which provides a simple and intuitive approach to the vulnerability analysis of the attack and for synthesizing IP spoofing-free configurations.
Abstract: Firewalls offer a protection for private networks against both internal and external attacks. However, configuring firewalls to ensure the protections is a difficult task. The main reason is the lack of methodology to analyze the security of firewall configurations. IP spoofing attack is an attack in which an attacker can impersonate another person towards a victim. We propose a new methodology for verifying the vulnerability of firewall configurations to IP spoofing attack and for synthesizing IP spoofing-free configurations. Our methodology is based on graph theory, which provides a simple and intuitive approach to the vulnerability analysis of the attack.
05 Dec 2004
TL;DR: A new power analysis attack against DES is introduced based on the well known Davies-Murphy attack, which takes advantage of non-uniform output distributions for two adjacent S-boxes to obtain one bit of information about the key.
Abstract: In this paper, we introduce a new power analysis attack against DES. It is based on the well known Davies-Murphy attack. As for the original attack, we take advantage of non-uniform output distributions for two adjacent S-boxes. We show how to detect these biased distributions by power analysis on any DES inner round and thus obtain one bit of information about the key.
TL;DR: This work proposes a improved version of the S/Key scheme, preserving the same properties and withstanding the stolen-verifier attack, without limiting the login times.
Abstract: With the one-time password concept, the S/Key scheme is widely utilized by the protocols with limited login times to defend against replay attack. By employing the simple and unidirectional hash function, the improved version of the S/Key scheme is proposed to withstand spoofing attack, pre-play attack and off-line dictionary attack. However, the schemes limit login times. Hence, we propose a scheme, preserving the same properties and withstanding the stolen-verifier attack, without limiting the login times.
Journal Article•
TL;DR: In this article, a new power analysis attack based on the well known Davies-Murphy attack against DES is proposed. But this attack requires no information about DES inputs or outputs, and therefore it is likely to defeat many actual countermeasures, in particular masking techniques.
Abstract: In this paper, we introduce a new power analysis attack against DES. It is based on the well known Davies-Murphy attack. As for the original attack, we take advantage of non-uniform output distributions for two adjacent S-boxes. We show how to detect these biased distributions by power analysis on any DES inner round and thus obtain one bit of information about the key. An advantage of this new attack is that no information about DES inputs or outputs is required. Therefore it is likely to defeat many actual countermeasures, in particular the popular masking techniques.
23 Mar 2004
TL;DR: This work presents a new and effective attack on cryptosystems that implement the Fiat-Shamir identification scheme, which is successful against all system configurations in contrast to the original Bellcore attack, which has been proven incomplete.
Abstract: Fault-injection attacks and cryptanalysis is a realistic threat for systems implementing cryptographic algorithms. We revisit the fault-injection attacks on the Fiat-Shamir authentication scheme, a popular authentication scheme for service providers like pay per view television, video distribution and cellular phones. We present a new and effective attack on cryptosystems that implement the Fiat-Shamir identification scheme. The attack is successful against all system configurations in contrast to the original Bellcore attack, which has been proven incomplete (easy to defend against).
11 Oct 2004
TL;DR: Simulation results show that the proposed marking scheme outperforms other IP traceback methods as it requires fewer packets for attack paths reconstruction, and can handle large number of attack sources effectively with relatively low false positives produced.
Abstract: Denial of service attacks have become one of the most serious threats to the Internet community One effective means to defend against such attacks is to locate the attack source(s) and to filter out the attack traffic To locate the attack source(s), this paper proposes an adaptive packet marking scheme for IP traceback, which supports two types of marking A participating border router would perform deterministic router id marking when a packet enters the network for the first time, and probabilistic domain id marking when it receives a packet from another domain After collecting sufficient packets, the victim would reconstruct the attack graph incorporating attack paths and the source router(s) identified, with each node on the paths viewed as a domain Based on the attack graph traced back we propose to let the filtering agent(s) inspect the markings inscribed in the received packets and filter the packets with a marking matching with the attack signatures Simulation results show that the proposed marking scheme outperforms other IP traceback methods as it requires fewer packets for attack paths reconstruction, and can handle large number of attack sources effectively with relatively low false positives produced Meanwhile, with the attack packets filtering mechanism, around 80% attack traffic would be removed and the normal traffic can be efficiently preserved in order to restore the victim's service
Journal Article•
TL;DR: A platform system that can not only detect and attack in the case of actual combat, but also be used for training the administrator with actual combat experience is offered.
Abstract: This paper offers a method of collecting the function involving network detection, penitration, intruding and protection of one whole platform in order to guarantee the security of the system. This system is divided into client and server. The client integrates the function of security detection and attack, it can measure the security and hole of the goal system and attack or invade the system according to the result of detecting at the same time. Server carries on system detecting and simulation of being attacked, accesses the corresponding data from the database after judging according to location sign, and simulates the dynamic process while system is attacked and the destruction degree after intruding. This platform system can not only detect and attack in the case of actual combat, but also be used for training the administrator with actual combat experience.
TL;DR: An Improved Optimal Strong-Password Authentication (I-OSPA) protocol is proposed, which is secure against stolen-verifier attack and impersonation attack, and since the cryptographic operations are computed by the processor in the smart card, it needs relatively low computational workload and communicational workload for user.
Abstract: In the Internet, user authentication is the most important service in secure communications. Although password-based mechanism is the most widely used method of the user authentication in the network, people are used to choose easy-to-remember passwords, and thus suffers from some Innate weaknesses. Therefore, using a memorable password it vulnerable to the dictionary attacks. The techniques used to prevent dictionary attacks bring about a heavy computational workload. In this paper, we describe a recent solution, the Optimal Strong-Password Authentication (OSPA) protocol, and that it is vulnerable to the stolen-verifier attack and an impersonation attack. Then, we propose an Improved Optimal Strong-Password Authentication (I-OSPA) protocol, which is secure against stolen-verifier attack and impersonation attack. Also, since the cryptographic operations are computed by the processor in the smart card, the proposed I-OSPA needs relatively low computational workload and communicational workload for user.
01 Jan 2004
TL;DR: A new power analysis attack against DES based on the well known Davies-Murphy attack, which takes advantage of non-uniform output distri- butions for two adjacent S-boxes to obtain one bit of information about the key.
Abstract: In this paper, we introduce a new power analysis attack against DES. It is based on the well known Davies-Murphy attack. As for the original attack, we take advantage of non-uniform output distri- butions for two adjacent S-boxes. We show how to detect these biased distributions by power analysis on any DES inner round and thus obtain one bit of information about the key. An advantage of this new attack is that no information about DES inputs or outputs is required. Therefore it is likely to defeat many actual countermeasures, in particular the popular masking techniques.
30 Jun 2004
TL;DR: This paper proposes an IP traceback marking scheme that can efficiently trace the sources of distributed DoS attack and performs domain-based marking which involves only the participation of domain border routers.
Abstract: Denial of Service (DoS) attack has become a serious threat to the Internet today. In view of the increasing sophistication and severity of DoS attacks, the victim should be able to quickly identify the potential attackers and eliminate their traffic. To locate the source of an attack, we need to have an effective means to trace the paths of the attack packets. In this paper, we propose an IP traceback marking scheme that can efficiently trace the sources of distributed DoS attack. The marking scheme has a good performance in terms of its high success rate in tracing the attack sources. The proposed method generates no false positives and can cope with multiple attacks efficiently. It performs domain-based marking which involves only the participation of domain border routers. When compared with other marking schemes, it requires fewer packets for attack path reconstruction. Further, the inclusion of a checksum for the markings enables the victim to check for the integrity of the packet markings.
TL;DR: The adapted attack modeling suggests a solution to the problems of the existing attack tree modelings, and can represent simultaneous, precise time-dependent attack, and attack period, which are nearly impossible to be represented in many other existing methods.
Abstract: As the use of the Internet has explosively increased, it is likely for the Internet to be exposed to various attacks. Modeling the Internet attacks is essential to simulate the attacks. However, the existing studies on attack modeling have mainly focused on classifying and categorizing the attacks and consequently they are not suitable to representing attack scenarios in the Internet security simulation. In this paper, we introduce the existing methods of attack modeling, and propose an adapted attack modeling to properly express the properties for the Internet security simulator. The adapted attack modeling suggests a solution to the problems of the existing attack tree modelings, such as difficulty of composing complex scenarios ambiguity of attack sequence, lack of system state information. And it can represent simultaneous, precise time-dependent attack, and attack period, which are nearly impossible to be represented in many other existing methods.