Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Computer Science Northwestern University

Yan Chen, Northwestern Lab for Internet and Security Technology (LIST), Dept. of Computer Science, Northwestern University
Adaptive Intrusion Detection and Mitigation Systems for WiMAX Networks
Motorola liaisons: Gregory W. Cox, Z. Judy Fu, Philip R. Roberts (Motorola Labs)

The Spread of Sapphire/Slammer Worms

Current Intrusion Detection Systems (IDS)
Mostly host-based
  – Not scalable to high-speed networks
Mostly simple signature-based
  – Can't deal with unknown attacks or polymorphic worms
Statistical detection
  – Unscalable for flow-level detection
  – Overall-traffic based: inaccurate, high false positives
Cannot differentiate malicious events from unintentional anomalies

Adaptive Intrusion Detection and Mitigation for WiMAX Networks (WAIDM)
Attached as a black box to the switch connecting the base stations (BS)
Enables early detection and mitigation of global-scale attacks
Could be a differentiator for Motorola's products
[Figure: (a) original configuration: BSs and users behind a switch/BS controller connected to the Internet; (b) WAIDM deployed: the WAIDM system attached to the scan port of the switch/BS controller]

Adaptive Intrusion Detection and Mitigation for WiMAX Networks (WAIDM)
Scalability
  – Online traffic recording
    » Reversible sketch for data streaming computation
    » Record millions of flows (GB traffic) in a few hundred KB
  – Online sketch-based flow-level anomaly detection
    » Adaptively learn the traffic pattern changes
Accuracy: integrated approach for false positive reduction
  – Automatic polymorphic worm signature generation (Hamsa)
  – Network element fault diagnostics with Operational Determinism (ODD)
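An added example of the reversible-sketch idea behind the online traffic recording above (my own simplified Python, not the LIST reversible-sketch code): each key byte is hashed separately and the slices concatenated (modular hashing), so the destination behind a large count change can be reconstructed from 5 x 4096 counters without storing any per-flow state. The hash tables, sizing, threshold and all traffic are constructed assumptions.

```python
# Simplified reversible sketch for flow-level heavy-change detection (added illustration,
# not the LIST reversible-sketch implementation). Modular hashing: each byte of the 4-byte
# key is hashed separately and the slices are concatenated into the bucket index, so the
# keys behind large changes can be rebuilt from the buckets alone. Traffic is constructed.
import random
from itertools import product

H, Q, BITS = 5, 4, 3                         # 5 tables, 4 key bytes, 3 index bits per byte
K, MASK = 1 << (Q * BITS), (1 << BITS) - 1   # 4096 buckets per table
rng = random.Random(7)
# MH[j][pos][byte] -> 3-bit slice; stands in for a real hash family (assumption)
MH = [[[rng.randrange(1 << BITS) for _ in range(256)] for _ in range(Q)] for _ in range(H)]

def bucket(j, key):
    idx = 0
    for pos, byte in enumerate(key):
        idx = (idx << BITS) | MH[j][pos][byte]
    return idx

def new_sketch():
    return [[0] * K for _ in range(H)]       # 5 x 4096 counters, independent of flow count

def update(sketch, key, count=1):
    for j in range(H):
        sketch[j][bucket(j, key)] += count

def reverse_heavy_changes(prev, cur, threshold, min_tables=4):
    """Keys whose bucket count grew by more than threshold in at least min_tables tables."""
    heavy = [{b for b in range(K) if cur[j][b] - prev[j][b] > threshold} for j in range(H)]
    cands = []                                # per byte position: values consistent with heavy buckets
    for pos in range(Q):
        shift = BITS * (Q - 1 - pos)
        slices = [{(b >> shift) & MASK for b in heavy[j]} for j in range(H)]
        cands.append([c for c in range(256)
                      if sum(MH[j][pos][c] in slices[j] for j in range(H)) >= min_tables])
    # combine per-position candidates and verify each full key against the tables
    return {bytes(k) for k in product(*cands)
            if sum(bucket(j, k) in heavy[j] for j in range(H)) >= min_tables}

def demo():
    prev, cur = new_sketch(), new_sketch()
    for _ in range(20000):                    # same random background in both epochs
        update(prev, rng.getrandbits(32).to_bytes(4, "big"))
        update(cur, rng.getrandbits(32).to_bytes(4, "big"))
    victim = bytes([10, 0, 0, 5])             # constructed: one host suddenly gets 500 extra SYNs
    update(cur, victim, 500)
    return reverse_heavy_changes(prev, cur, threshold=100)

if __name__ == "__main__":
    print(demo())                             # recovers {b'\n\x00\x00\x05'}, i.e. 10.0.0.5
```

The background keys differ between the two epochs, so only the constructed flood target exceeds the threshold and survives the per-table verification.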

WAIDM Architecture
[Architecture diagram. Part I, sketch-based monitoring and detection (modules on the critical path): streaming packet data enters reversible sketch monitoring and filtering; sketch-based statistical anomaly detection (SSAD) works on local sketch records, which are also sent out for aggregation, and on remote aggregated sketch records; it emits intrusion or anomaly alarms together with keys of suspicious flows and keys of normal flows. Part II, per-flow monitoring and detection: suspicious flows go to signature-based detection and polymorphic worm detection (Hamsa); normal flows pass through. Module on the non-critical path: network fault diagnosis (ODD). Data path and control path are drawn separately.]

Accomplishments
Motorola interactions
  – The first two components of WAIDM are ready for field test on Motorola WiMAX networks or testbed
  – Product teams interested in using it as a differentiator (Networks security service director: Randall Martin)
  – Close collaboration/interaction with Motorola Labs (Judy Fu, Phil Roberts, Steve Gilbert)
Patents being filed through Motorola
  – Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications
  – Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience
Students involved
  – Three Ph.D. students: Yan Gao, Zhichun Li, and Yao Zhao
  – One M.S. student: Prasad Narayana

Accomplishments on Publications
Four conference papers and one journal paper (with another four under submission)
  – A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks, to appear in IEEE International Conference on Distributed Computing Systems (ICDCS), 2006 (14%).
  – Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience, to appear in IEEE Symposium on Security and Privacy, 2006 (about 8%).
  – Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications, Proc. of IEEE INFOCOM, 2006 (18%).
  – IDGraphs: Intrusion Detection and Analysis Using Stream Compositing, to appear in IEEE Computer Graphics & Applications, special issue on Visualization for Cyber Security
    » An earlier version also in Proc. of the IEEE Workshop on Visualization for Computer Security (VizSEC), 2005

Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience

Desired Requirements for Polymorphic Worm Signature Generation
No existing work satisfies these requirements!
Network based, no host-level info
Noise tolerant
  – Most network flow classifiers suffer false positives.
  – Even host-based IDSes, such as honeynets, can be injected with noise.
Attack resilience
  – Attackers always try to evade the IDS
Efficient signature matching for high-speed links

Hamsa Architecture

Choice of Signatures
Two classes of signatures
Content based
  – Invariant content
    » Protocol frame
    » Control data: leading to control-flow hijacking
    » Worm executable payload
  – Token: a substring with reasonable coverage of the suspicious traffic
  – Signatures: conjunction and/or sequence of tokens
Behavior based
Our choice: content based
  – Fast signature matching
    » ASIC-based approach can achieve 6 ~ 8 Gbps
  – Generic, does not depend upon any protocol or server

Hamsa Design
Key idea: model the uniqueness of worm invariants
  – Greedy algorithm for finding token-conjunction signatures
Highly accurate while much faster
  – Both analytically and experimentally
  – Compared with the latest work, Polygraph
  – Suffix-array based token extraction
Provable attack resilience guarantee
  – Propose an adversary model
Noise tolerant

Hamsa Signature Generator
Core part: model-based greedy signature generation
Iterative approach for multiple worms
Signature refinement for better specificity
  – A false positive is worse than a false negative
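An added worked example of the greedy token-conjunction generation described in the two slides above (my own simplified Python, not the Hamsa code): brute-force substring enumeration stands in for suffix-array token extraction, and the tightening false-positive bounds and both traffic pools are assumed/constructed. Two benign requests are mixed into the suspicious pool as noise, and one normal request legitimately asks for the same script as the worm, so a single token is not specific enough and the greedy step adds a second one.

```python
# Hamsa-style greedy token-conjunction signature generation (added, simplified
# reimplementation for illustration; not the Hamsa authors' code). Brute-force
# substring enumeration replaces suffix-array token extraction, and the tightening
# false-positive bounds are assumed values rather than Hamsa's parameters.
def extract_tokens(suspicious, min_len=3, max_len=20, min_cov=0.5):
    """Maximal substrings present in >= min_cov of the suspicious pool; substrings
    covering exactly the same samples as a longer token collapse into it."""
    occ = {}
    for idx, s in enumerate(suspicious):
        for n in range(min_len, max_len + 1):
            for i in range(len(s) - n + 1):
                occ.setdefault(s[i:i + n], set()).add(idx)
    groups = {}
    for t, o in occ.items():
        if len(o) >= min_cov * len(suspicious):
            groups.setdefault(frozenset(o), []).append(t)
    return [t for ts in groups.values() for t in ts if not any(t != u and t in u for u in ts)]

def matches(sig, sample):      # conjunction: every token must occur in the sample
    return all(t in sample for t in sig)

def rate(sig, pool):           # fraction of the pool matched by the signature
    return sum(matches(sig, s) for s in pool) / len(pool)

def hamsa_greedy(suspicious, normal, fp_bounds=(0.15, 0.05, 0.01), fp_target=0.005):
    """Each round adds the token keeping coverage highest, among tokens whose
    conjunction stays under a false-positive bound that tightens every round."""
    tokens, sig = extract_tokens(suspicious), []
    for bound in fp_bounds:
        if sig and rate(sig, normal) <= fp_target:
            break                                  # specific enough, stop
        scored = [((rate(sig + [t], suspicious), len(t)), t) for t in tokens
                  if t not in sig and rate(sig + [t], normal) <= bound]
        if not scored:
            break
        sig.append(max(scored)[1])                 # ties: prefer the longer token
    return sig

# Constructed pools: four polymorphic variants of a Code-Red II style '.ida?' request (three
# invariants, distinct filler) plus two benign requests as noise; one normal request is benign
SUSPICIOUS = [
    b"GET /default.ida?q1w2e3r4%u780z9x8 HTTP/1.0\r\n",
    b"GET /default.ida?m5n6b7v8%u780k0j1 HTTP/1.0\r\n",
    b"GET /default.ida?p3o4i5u6%u780h2g3 HTTP/1.0\r\n",
    b"GET /default.ida?l7k8j9h0%u780f4d5 HTTP/1.0\r\n",
    b"GET /index.html HTTP/1.1\r\n", b"GET /img/logo.png HTTP/1.1\r\n"]
NORMAL = [b"GET /index.html HTTP/1.0\r\n", b"GET /about.html HTTP/1.1\r\n",
          b"GET /img/a.gif HTTP/1.0\r\n", b"POST /login HTTP/1.1\r\n",
          b"GET /css/site.css HTTP/1.1\r\n", b"HEAD /robots.txt HTTP/1.0\r\n",
          b"GET /news?id=780 HTTP/1.1\r\n", b"GET /default.ida?name=x HTTP/1.1\r\n"]
```

Calling `hamsa_greedy(SUSPICIOUS, NORMAL)` returns the two-token conjunction `[b"GET /default.ida?", b" HTTP/1.0\r\n"]`: the first token alone matches one normal request, the conjunction matches none, and the two noise samples never enter the signature.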

Experiment Methodology
Experimental setup:
  – Suspicious pool:
    » Three pseudo-polymorphic worms based on real exploits (Code-Red II, Apache-Knacker and ATPhttpd)
    » Two polymorphic engines from the Internet (CLET and TAPiON)
  – Normal pool: 2-hour departmental HTTP trace (326 MB)
Signature evaluation:
  – False negative: 5000 generated worm samples per worm
  – False positive:
    » 4-day departmental HTTP trace (12.6 GB)
    » 3.7 GB web crawl including .mp3, .rm, .ppt, .pdf, .swf etc.
    » /usr/bin of Linux Fedora Core 4

Results on Signature Quality
Single worm with noise
  – Suspicious pool size: 100 and 200 samples
  – Noise ratio: 0%, 10%, 30%, 50%
  – Noise samples randomly picked from the normal pool
  – Always obtain the signature and accuracy shown below
Multiple worms with similar results

Worms       | Training FN | Training FP | Evaluation FN | Evaluation FP | Binary evaluation FP | Signature
Code-Red II | 0           | 0           | 0             | 0             | 0                    | {'.ida?': 1, '%u780': 1, ' HTTP/1.0\r\n': 1, 'GET /': 1, '%u': 2}
CLET        | 0           | 0.109%      | (illegible)   | (illegible) % | 0.268%               | {'0\x8b': 1, '\xff\xff\xff': 1, 't\x07\xeb': 1}

Speed and Attack Resilience Results
Implementation with a hybrid of C++/Python
  – 500 samples with 20% noise, 326 MB normal traffic pool: 15 seconds on a Xeon 2.8 GHz
Provable attack resilience
  – We propose a new attack, token-fit
  – It defeats the existing state of the art, Polygraph
  – BUT we can still generate the correct signature!

Ongoing Work
Semantics-aided signature generation for zero-day polymorphic worms
  – Some worms do not have any content invariant
  – Incorporate semantic information for more accurate detection
Vulnerability analysis for WiMAX network protocols
  – Use formal verification methods to automatically search for vulnerabilities in specs
  – Completeness and correctness