Latest Research

TrackBack Spam: Abuse and Prevention Contemporary blogs receive comments and TrackBacks, which result in cross-references between blogs. We conducted a longitudinal study of TrackBack spam, collecting and analyzing almost 10 million samples...


XCS: cross channel scripting and its impact on web... We study the security of embedded web servers used in consumer electronic devices, such as security cameras and photo frames, and for IT infrastructure, such as wireless access points and lights-out management...


Embedded Management Interfaces: Emerging Massive Insecurity Over the last few years, the number of devices that embed user-friendly management interfaces accessible from the network has drastically increased. These interfaces can be found on almost every kind of...


Decaptcha: Breaking 75% of eBay Audio CAPTCHAs. CAPTCHA tests aim at preventing attackers from performing automatic registration. In this paper we show that our prototype Decaptcha is able to successfully break 75% of eBay audio captchas. We compare...


Extending Anticipation Games with Location, Penalty... Over the last few years, attack graphs have become a well-recognized tool for analyzing and modeling complex network attacks. The most advanced evolution of attack graphs, called anticipation games, is based...



Extending Anticipation Games with Location, Penalty and Timeline

Posted on : 11-10-2008 | By : Elie Bursztein | In : Article, Publications


Over the last few years, attack graphs have become a well-recognized tool for analyzing and modeling complex network attacks. The most advanced evolution of attack graphs, called anticipation games, is based on game theory. However, even though anticipation games can model time, collateral effects and player interactions with the network, there are still key aspects of network security that cannot be modeled in this framework: network cooperation to fight unknown attacks, the cost of an attack as a function of its duration, and the introduction of new attacks over time. In this paper we address these needs by introducing a three-fold extension to anticipation games. We prove that this extension does not change the complexity of the framework. We illustrate its usefulness by showing how it can be used to find a defense strategy against 0-days that relies on a honeynet. Finally, we have implemented this extension in a prototype to show that it can be used to analyze the security of large networks.

Presented at FAST’08, Malaga, Spain

Full paper (PDF)

Probabilistic Identification for Hard to Classify Protocol (Best Paper Award)

Posted on : 20-05-2008 | By : Elie Bursztein | In : Article, Publications


Published at WISTP 2008 and Awarded Best Paper

With the growing use of protocol obfuscation techniques, protocol identification for QoS enforcement, traffic prohibition and intrusion detection has become a complex task. This paper addresses this issue with a probabilistic identification analysis that combines multiple advanced identification techniques and returns an ordered list of probable protocols. It combines a payload analysis with a classifier based on several discriminators, including packet entropy and size.
We show with its implementation that it overcomes the limitations of traditional port-based protocol identification when dealing with hard-to-classify protocols such as peer-to-peer protocols. We also detail how it handles tunneled sessions and covert channels.

Author Version (PDF)
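To make the combination of payload signatures with the entropy and size discriminators concrete, here is an added example (not the paper's implementation, whose exact profiles and weights are not given here). It scores each protocol profile from a signature hit plus two range-based discriminators, normalises the scores into an ordered list of probable protocols, and uses the same entropy discriminator to spot a signature that contradicts the payload statistics, which is how a tunnel or covert channel shows up. The protocol profiles, the weights and the three sample flows are constructed assumptions for the example.

```python
import math
import re
from collections import Counter

# Per-protocol profile: payload signatures (strong evidence) plus the expected range of two
# weak discriminators, payload entropy (bits/byte) and mean packet size (bytes).
# The ranges and weights below are illustrative assumptions, not values from the paper.
PROFILES = {
    "http":       {"sig": [rb"^(GET|POST|HEAD|PUT|DELETE) ", rb"^HTTP/1\.[01] "],
                   "entropy": (3.5, 5.5), "size": (300, 1500)},
    "ssh":        {"sig": [rb"^SSH-\d\.\d-"], "entropy": (5.5, 8.0), "size": (40, 200)},
    "tls":        {"sig": [rb"^\x16\x03[\x00-\x03]"], "entropy": (6.0, 8.0), "size": (100, 1500)},
    "bittorrent": {"sig": [rb"^\x13BitTorrent protocol"], "entropy": (4.0, 8.0), "size": (60, 1500)},
    "dns":        {"sig": [], "entropy": (2.5, 5.0), "size": (40, 120)},
}
SIG_WEIGHT = 3.0   # one signature hit outweighs both statistical discriminators together


def shannon_entropy(payload):
    """Shannon entropy of the byte distribution, in bits per byte (0.0 .. 8.0)."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())


def range_score(value, lo, hi, width):
    """1.0 inside [lo, hi], decaying linearly to 0.0 at distance `width` outside it."""
    if lo <= value <= hi:
        return 1.0
    dist = lo - value if value < lo else value - hi
    return max(0.0, 1.0 - dist / width)


def identify(payload, sizes):
    """Return (protocol, probability) pairs ordered by decreasing probability (sum = 1)."""
    ent = shannon_entropy(payload)
    mean_size = sum(sizes) / len(sizes) if sizes else 0.0
    scores = {}
    for name, prof in PROFILES.items():
        score = 0.0
        if any(re.match(sig, payload, re.DOTALL) for sig in prof["sig"]):
            score += SIG_WEIGHT
        score += range_score(ent, *prof["entropy"], width=2.0)       # entropy discriminator
        score += range_score(mean_size, *prof["size"], width=500.0)  # size discriminator
        scores[name] = score
    total = sum(scores.values()) or 1.0
    return sorted(((n, s / total) for n, s in scores.items()), key=lambda kv: -kv[1])


def tunnel_suspected(payload, sizes):
    """A signature hit whose payload entropy contradicts that protocol's profile suggests a
    tunnel or covert channel (e.g. an encrypted stream wrapped in an HTTP request)."""
    ent = shannon_entropy(payload)
    for name, prof in PROFILES.items():
        if any(re.match(sig, payload, re.DOTALL) for sig in prof["sig"]):
            return range_score(ent, *prof["entropy"], width=2.0) < 0.5
    return False


# Constructed sample flows (not real captures): leading payload bytes and observed packet sizes.
HTTP_FLOW = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n", [64, 1460, 1460, 52])
OBFUSCATED_P2P_FLOW = (bytes(range(256)) * 4, [1400, 1400])        # no signature, maximal entropy
HTTP_TUNNEL_FLOW = (b"POST /up HTTP/1.1\r\n\r\n" + bytes(range(256)) * 2, [1460, 1460])

if __name__ == "__main__":
    for label, flow in [("http", HTTP_FLOW), ("obfuscated", OBFUSCATED_P2P_FLOW), ("tunnel", HTTP_TUNNEL_FLOW)]:
        print(label, identify(*flow)[:3], "tunnel?", tunnel_suspected(*flow))
```

The ordered list is the useful output: for the obfuscated flow no signature fires, so the statistical discriminators alone rank the encrypted-looking candidates first and DNS last, while the port number never enters the decision.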

Exercise TraceNG: Traceroute Next Generation

Posted on : 15-02-2008 | By : Elie Bursztein | In : Exercise


The traceroute tool is one of the basic tools used for network troubleshooting and has been available since the early days of the network. Still, because it relies on modifying the IP TTL header field and on ICMP messages, it is not straightforward to understand and implement. The goal of this exercise is to re-implement this utility and add further techniques to it.
This will let students understand packet injection and packet sniffing. It also gives the opportunity to play with more subtle things such as
network latency, packet filtering and QoS, because the main goal is to have a tool that adapts its behavior to how routers and packet filters behave.
The exercise v0.2 (PDF)
Protocol structure header (.h)
Portable types for C code (.h)

A good book that details how the libnet and libpcap can be used is:

Building Open Source Network Security Tools: Components and Techniques

(The author of the book is also the author of libnet.)
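The mechanism the exercise asks students to reimplement, shown as an added example in Python rather than the C/libnet solution the exercise expects (this is not the exercise's reference code): build an IPv4 packet with a chosen TTL carrying either a UDP probe or an ICMP echo request, classify the ICMP reply (Time Exceeded = intermediate hop, Port Unreachable or Echo Reply = destination), and adapt the probe type when a stretch of hops stays silent. The source address, the two router addresses and the target's firewall behaviour are constructed assumptions; sending for real needs a raw socket and root, so the path is simulated here.

```python
import socket
import struct

SRC = "192.0.2.10"   # assumed source address (documentation range)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by IPv4, ICMP, UDP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_probe(kind, src, dst, ttl, ident=0x1234):
    """IPv4 packet with the given TTL carrying a UDP probe to the classic traceroute port
    range, or an ICMP echo request whose sequence number is the TTL."""
    if kind == "udp":
        dport = 33434 + ttl - 1                                  # one unused high port per hop
        transport = struct.pack("!HHHH", 40000, dport, 8, 0)     # UDP checksum 0 = none (legal on IPv4)
        proto = socket.IPPROTO_UDP
    else:
        echo = struct.pack("!BBHHH", 8, 0, 0, ident, ttl)        # type 8 echo request, code 0
        transport = echo[:2] + struct.pack("!H", inet_checksum(echo)) + echo[4:]
        proto = socket.IPPROTO_ICMP
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), ident, 0,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return header + transport


def classify_icmp(kind, icmp_type, icmp_code):
    """What the ICMP reply tells us about the probe."""
    if icmp_type == 11 and icmp_code == 0:
        return "hop"                  # Time Exceeded in transit: an intermediate router
    if kind == "udp" and icmp_type == 3 and icmp_code == 3:
        return "destination"          # Port Unreachable: the target host itself answered
    if kind == "icmp" and icmp_type == 0:
        return "destination"          # Echo Reply
    if icmp_type == 3:
        return "filtered"             # other Unreachable codes, e.g. 13 = administratively prohibited
    return "unknown"


def trace(send, dst, max_ttl=30, retries=2, silent_limit=3):
    """Walk TTLs 1..max_ttl. `send(packet)` returns (router_ip, icmp_type, icmp_code) or None on
    timeout. After `silent_limit` consecutive silent hops with UDP, switch to ICMP echo probes
    and re-probe the silent stretch: that is the 'adapt to filters' behaviour the exercise asks for."""
    kind, hops, ttl, silent = "udp", [], 1, 0
    while ttl <= max_ttl:
        reply = None
        for _ in range(retries + 1):
            reply = send(build_probe(kind, SRC, dst, ttl))
            if reply is not None:
                break
        if reply is None:
            silent += 1
            hops.append((ttl, "*"))
            if silent >= silent_limit and kind == "udp":
                kind = "icmp"
                ttl -= silent - 1         # back to the first silent TTL
                del hops[-silent:]
                silent = 0
                continue
            ttl += 1
            continue
        router, itype, icode = reply
        status = classify_icmp(kind, itype, icode)
        hops.append((ttl, router if status != "filtered" else router + " (filtered)"))
        silent = 0
        if status in ("destination", "filtered"):
            break
        ttl += 1
    return hops, kind


def simulated_network(probe):
    """Constructed 3-hop path: two routers, then a host whose firewall drops UDP but answers echo."""
    ttl, proto = probe[8], probe[9]
    routers = ["10.0.0.1", "10.0.1.1"]
    if ttl <= len(routers):
        return routers[ttl - 1], 11, 0
    if proto == socket.IPPROTO_ICMP:
        return "203.0.113.9", 0, 0
    return None


if __name__ == "__main__":
    # Real injection: socket.socket(AF_INET, SOCK_RAW, IPPROTO_RAW).sendto(probe, (dst, 0)) as root,
    # plus a raw ICMP socket (or libpcap) to read the replies; here the path is simulated.
    hops, kind = trace(simulated_network, "203.0.113.9")
    for ttl, router in hops:
        print(ttl, router)
    print("probe type used:", kind)
```
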

Web site analysis for information leak detection

Posted on : 16-11-2007 | By : Elie Bursztein | In : Exercise, Teaching


The subject

When people talk about web security, they immediately think of the classic vulnerabilities such as cross-site scripting, SQL injection and PHP vulnerabilities. This lab proposes to explore another facet of web security problems: information leakage. Putting information online always carries the risk of disclosing sensitive or even confidential information. The latest example is of course Orange, which mistakenly put the iPhone pricing online ahead of time. The information was picked up by many blogs, spoiling the intended announcement effect.

To highlight this problem, the lab asks you to write a program that analyzes the pages of a web site and indicates, through a directed-graph representation, which pages contain sensitive information. This lab is also an opportunity to try out and get familiar with various artificial-intelligence techniques for text analysis.

File

subject version 1 (PDF)
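As an added example of the kind of tool the lab asks for (not the lab's reference solution), here is a small crawler that builds the directed link graph of a site, scores every page against leak indicators, and emits the graph in DOT with the leaking pages highlighted. The site content, the base URL, the indicator patterns, their weights and the flagging threshold are all constructed assumptions; scoring runs over the raw HTML on purpose, so that comments and attributes, a classic place for leaks, are covered.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BASE = "http://site.test"   # assumed site; the pages below are constructed, not a real crawl

SITE = {
    "/": "<html><body><a href='/products.html'>Products</a> "
         "<a href='/docs/draft-pricing.html'>pricing</a></body></html>",
    "/products.html": "<p>Our products are great. Contact sales.</p><a href='/intranet/contacts.html'>staff</a>",
    "/docs/draft-pricing.html": "<h1>DRAFT - CONFIDENTIAL - do not distribute</h1>"
                                "<p>New handset plan: 49 EUR/month, launch 2007-11-29.</p><a href='/'>home</a>",
    "/intranet/contacts.html": "<p>Admin: admin@corp.example, backup server 10.1.2.3.</p>"
                               "<!-- TODO: remove default password from the wiki -->",
}

# Leak indicators with assumed weights: each hit adds its weight to the page score.
INDICATORS = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 2),
    ("private-ip", re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"), 3),
    ("keyword", re.compile(r"\b(?:confidential|internal only|do not distribute|draft|password)\b", re.I), 2),
]
THRESHOLD = 3   # assumed: a page at or above this score is reported as leaking


class LinkExtractor(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def score_page(html):
    """Return (score, [(indicator, hit_count), ...]) for one page."""
    findings, score = [], 0
    for name, pattern, weight in INDICATORS:
        hits = pattern.findall(html)
        if hits:
            findings.append((name, len(hits)))
            score += weight * len(hits)
    return score, findings


def crawl(fetch, start="/"):
    """Breadth-first crawl over same-host links. `fetch(path)` returns HTML or None.
    Returns (pages: path -> (score, findings), edges: list of (from_path, to_path))."""
    pages, edges, queue = {}, [], [start]
    while queue:
        path = queue.pop(0)
        if path in pages:
            continue
        html = fetch(path)
        if html is None:
            continue
        pages[path] = score_page(html)
        parser = LinkExtractor()
        parser.feed(html)
        for href in parser.links:
            target = urlparse(urljoin(BASE + path, href))
            if target.netloc != urlparse(BASE).netloc:
                continue                      # off-site link: outside the audited site
            tpath = target.path or "/"
            edges.append((path, tpath))
            if tpath not in pages:
                queue.append(tpath)
    return pages, edges


def flagged(pages):
    return {p for p, (score, _) in pages.items() if score >= THRESHOLD}


def to_dot(pages, edges):
    """Directed graph in DOT syntax; leaking pages are filled in red."""
    leaks = flagged(pages)
    lines = ["digraph site {"]
    for p, (score, _) in pages.items():
        style = ', color=red, style=filled, fillcolor="#ffcccc"' if p in leaks else ""
        lines.append(f'  "{p}" [label="{p}\\nscore={score}"{style}];')
    lines += [f'  "{a}" -> "{b}";' for a, b in edges]
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    pages, edges = crawl(SITE.get)
    print(to_dot(pages, edges))      # render with: dot -Tpng -o site.png
```

Weighted regular expressions are the simplest text-analysis stage; the lab invites replacing `score_page` with a trained classifier (for instance naive Bayes over page text) while keeping the crawl and graph output unchanged.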

A Logical Framework for Evaluating Network Resilience Against Faults and Attacks

Posted on : 29-10-2007 | By : Elie Bursztein | In : Article, Publications


Accepted paper at ASIAN 2007, Carnegie Mellon University in Qatar.

Abstract

We present a logic-based framework to evaluate the resilience of computer networks in the face of incidents, i.e., attacks from malicious intruders as well as random faults. Our model uses a two-layered presentation of dependencies between files and services, and of timed games to represent not just incidents, but also the dynamic responses from administrators and their respective delays. We demonstrate that a variant TATL$\Diamond$ of timed alternating-time temporal logic is a convenient language to express several desirable properties of networks, including several forms of survivability. We illustrate this on a simple redundant Web service architecture, and show that checking such timed games against the so-called TATL$\Diamond$ variant of the timed alternating time temporal logic TATL is EXPTIME-complete.

Files

Incident Logic author version (PDF)

Time has something to tell us about Network Address Translation

Posted on : 26-10-2007 | By : Elie Bursztein | In : Article, Publications


This work was presented as a short paper at NordSec 2007: The 12th Nordic Workshop on Secure IT Systems.

In this paper we introduce a new technique to count the number of hosts behind a NAT. This technique, based on the TCP timestamp option, works with Linux and BSD systems and is therefore complementary to the previous one based on the IP ID field, which does not work for those systems. Our implementation demonstrates the practicality of this method.

Time has something to tell us about Network Address Translation (PDF Version)

@InProceedings{Bursztein2007_1,
  title     = "Time has something to tell us about Network Address Translation",
  booktitle = "NordSec 2007",
  author    = "E. Bursztein",
  month     = "Nov.",
  year      = "2007"
}
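The idea behind the technique, as an added example that is not the paper's implementation: every host stamps its segments with a TSval taken from its own clock, which advances at a fixed, kernel-specific rate (Hz) from an arbitrary start. Packets seen from one public NAT address therefore fall on one straight line tsval = ts0 + rate * (t - t0) per host, and counting the lines counts the hosts, whatever their IP IDs do. The clustering below is a simplified version of that reasoning (the paper's exact matching procedure is not reproduced here); the candidate clock rates, tolerances and the three synthetic hosts are constructed assumptions, and 32-bit TSval wraparound is ignored.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed candidate tick rates of the TCP timestamp clock (Hz); a host whose implied rate
# snaps to none of these starts no cluster of its own here and would need a wider set.
KNOWN_HZ = (100, 250, 1000)


@dataclass
class Host:
    t0: float                          # capture time of the first packet attributed to this host
    ts0: int                           # its TSval
    rate: Optional[float] = None       # ticks per second, fixed once a second packet is seen
    samples: list = field(default_factory=list)

    def predict(self, t):
        return self.ts0 + self.rate * (t - self.t0)


def attribute(packets, tol_ticks=50, rate_slack=0.1):
    """Cluster (capture_time, tsval) pairs from one NAT address into per-host clocks.
    A packet joins the first host whose line it sits on; otherwise it opens a new host."""
    hosts = []
    for t, ts in sorted(packets):
        for h in hosts:
            if h.rate is None:
                dt = t - h.t0
                if dt <= 0:
                    continue
                implied = (ts - h.ts0) / dt
                snapped = min(KNOWN_HZ, key=lambda hz: abs(hz - implied))
                if abs(implied - snapped) <= rate_slack * snapped:
                    h.rate = snapped
                    h.samples.append((t, ts))
                    break
            elif abs(h.predict(t) - ts) <= tol_ticks:
                h.samples.append((t, ts))
                break
        else:
            hosts.append(Host(t, ts, samples=[(t, ts)]))
    return hosts


def count_hosts(packets):
    return len(attribute(packets))


def synth(rate, offset, times):
    """Constructed packets from one host: tsval = offset + rate*t plus a little capture jitter."""
    return [(t, round(offset + rate * t) + (i % 3)) for i, t in enumerate(times)]


# Constructed capture of three hosts sharing one NAT address (not real traffic).
PACKETS = (synth(1000, 100_000, [0.0, 0.5, 1.2, 2.0, 3.3])          # 1 kHz clock
           + synth(250, 4_000_000, [0.2, 0.9, 2.5, 4.0])             # 250 Hz clock
           + synth(100, 250_000, [0.4, 1.0, 1.8, 2.2, 4.4, 5.0]))    # 100 Hz clock

if __name__ == "__main__":
    for h in attribute(PACKETS):
        print(f"host: {h.rate:.0f} Hz, first TSval {h.ts0}, {len(h.samples)} packets")
    print("hosts behind the NAT:", count_hosts(PACKETS))
```

In a real capture the (t, tsval) pairs come from the TCP options of segments with the NAT's public source address; hosts that do not send the timestamp option are invisible to this method, which is the caveat to keep in mind when the count comes out low.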

Network traces

Posted on : 24-05-2007 | By : Elie Bursztein | In : Lecture Note, Teaching


This document contains some of the network traces seen in the course on intrusion detection and trace analysis. It lets you check that you followed the course properly and go deeper into the subject. You will find traces of normal activity, traces of attacks, and also two mystery traces. These will be worked through in class; try to come up with the answer.

The file: Network traces (PDF)

Port scanner

Posted on : 20-05-2007 | By : Elie Bursztein | In : Exercise, Teaching


The goal of this lab is to let you see in detail how a port scanner works. The other objective is to introduce you to libpcap and libnet, which are essential building blocks for writing system security tools. Finally, it is an opportunity to revisit the TCP stack. The two techniques requested, the vanilla scan (TCP connect()) and the half-open scan (SYN scan), are the basic ones used by NMAP. They were described in a Phrack 51 article in 1997.

The lab: Network scanner (PDF)

The Phrack article (in English): The Art of Port Scanning

The French translation (average quality)
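The two requested techniques, shown as an added example in Python rather than the C/libnet solution the lab expects (this is not the lab's reference code). The vanilla scan is just connect(); the half-open scan crafts a SYN segment with a correct pseudo-header checksum, reads the verdict from the reply flags (SYN/ACK open, RST closed, silence filtered) and tears an open port down with RST instead of completing the handshake, so the service never sees a connection. The two addresses and the simulated target (22 and 80 open, 443 firewalled, the rest closed) are constructed assumptions; real injection of the crafted segment needs a raw socket and root.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SCANNER_IP, TARGET_IP = "192.0.2.10", "203.0.113.5"   # assumed addresses (documentation ranges)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src, dst, tcp_len):
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)


def build_segment(src, dst, sport, dport, flags, seq=0, ack=0, window=65535):
    """Bare 20-byte TCP header with a valid checksum. The IPv4 pseudo-header is covered by the
    checksum but not emitted: libnet or a raw socket with IP_HDRINCL supplies the IP header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    return tcp[:16] + struct.pack("!H", inet_checksum(pseudo_header(src, dst, len(tcp)) + tcp)) + tcp[18:]


def checksum_ok(src, dst, segment):
    return inet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0


def classify_reply(reply):
    """Half-open verdict from the reply to a SYN: SYN/ACK = open, RST = closed, silence = filtered."""
    if reply is None:
        return "filtered"
    flags = reply[13]
    if flags & (SYN | ACK) == (SYN | ACK):
        return "open"
    if flags & RST:
        return "closed"
    return "unknown"


def half_open_scan(send, ports, sport=40000, seq=0x1000):
    """SYN scan. `send(segment)` delivers our segment and returns the target's reply or None."""
    results = {}
    for port in ports:
        reply = send(build_segment(SCANNER_IP, TARGET_IP, sport, port, SYN, seq=seq))
        state = classify_reply(reply)
        if state == "open":
            their_seq = struct.unpack("!I", reply[4:8])[0]
            # RST instead of the final ACK: the handshake never completes, nothing reaches accept().
            send(build_segment(SCANNER_IP, TARGET_IP, sport, port, RST, seq=seq + 1, ack=their_seq + 1))
        results[port] = state
    return results


def vanilla_scan(host, ports, timeout=1.0):
    """connect() scan: no raw sockets needed, but every open port logs a completed connection."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            results[port] = "open" if s.connect_ex((host, port)) == 0 else "closed/filtered"
    return results


def simulated_target(segment):
    """Constructed target: 22 and 80 open, 443 silently dropped by a firewall, the rest closed."""
    assert checksum_ok(SCANNER_IP, TARGET_IP, segment)
    sport, dport, seq = struct.unpack("!HHI", segment[:8])
    if segment[13] & RST:
        return None                        # teardown from the scanner: nothing to answer
    if dport in (22, 80):
        return build_segment(TARGET_IP, SCANNER_IP, dport, sport, SYN | ACK, seq=0x2000, ack=seq + 1)
    if dport == 443:
        return None
    return build_segment(TARGET_IP, SCANNER_IP, dport, sport, RST | ACK, seq=0, ack=seq + 1)


if __name__ == "__main__":
    print(half_open_scan(simulated_target, [22, 25, 80, 443]))
```

The half-open scan is where libpcap enters the lab: the kernel, which never sent the SYN, answers the target's SYN/ACK with its own RST, so the scanner has to sniff the reply off the wire rather than read it from a socket.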

Toward Agent IDS: agent platform security features study

Posted on : 11-07-2004 | By : Elie Bursztein | In : Article


Intrusion Detection Systems (IDS) are used to discover several kinds of attacks. Commercial solutions are generally centralized and suffer from significant limitations when used in high-speed networks. This is one of our main motivations for using a distributed model based on an agent platform. We believe that agent facilities will help collect efficient and useful information for an IDS. We also propose a combined analysis that invokes specialized agents: a signature-based agent, a temporal-analysis agent and a behavior-analysis agent. By combining the three analyses, our IDS will be able to detect several kinds of attacks and intrusions. Before introducing our global agent IDS architecture, we need to validate the agent platform used and verify a set of security features. The first step is to choose a platform that offers the security mechanisms needed by IDS solutions. In this paper, we first sum up IDS security needs, introduce a set of comparison criteria and present a study of the security features of agent platforms. After studying the Concordia, JADE, Aglet, Voyager, Agent-TCL, MAP and JATLite platforms, we introduce our agent IDS by presenting its global architecture and future work.

Toward Agent IDS: agent platform security features study abstract

Toward Agent IDS: agent platform security features study slides

Network scouting techniques : utilisation and prevention

Posted on : 21-09-2002 | By : Elie Bursztein | In : Tutorial


This tutorial focuses on the techniques used to scout a network, from host probing to advanced fingerprint identification. It also presents the methods that can be used to deceive scouting attempts.

Network scouting techniques : utilisation and prevention slides

Network scouting techniques : utilisation and prevention article french

Network scouting techniques : utilisation and prevention article english