The Internet Motion Sensor: A Distributed Blackhole Monitoring System
Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson.

Presentation transcript:

The Internet Motion Sensor: A Distributed Blackhole Monitoring System
Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson
Publication: Proceedings of the 12th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb
Presenter: Brad Mundt for CAP6133 Spring ‘08

Motivation
- Stability and integrity of national infrastructure
- Rapidly moving threats: worms, DDoS, routing exploits
- Globally scoped: no geographic or topological boundaries
- Evolutionary threats

Monitoring
- Dark address space: no legitimate hosts, so traffic arriving there is either misconfiguration or attack
- Challenges: sensor coverage, service emulation

Internet Motion Sensor (IMS)
- Distributed, globally scoped Internet threat monitoring system
- Sensor network
- Lightweight responder
- Payload signatures and caching

IMS Architecture

Sensor Network
- Designed to measure, characterize, and track threats
- Less in-depth information per sensor, in exchange for increased global threat visibility
- Wide and distributed address blocks: 28 distinct monitored blocks at 18 physical installations
- Query system connecting all sensors (beyond the scope of the paper)

Lightweight Responder
- Gets responses across ports without application-related information
- Service agnostic: responds to SYN requests on all ports
- In a UDP connection, the payload can arrive in the first packet
- In a TCP connection, the payload arrives only after the connection is established

Lightweight Responder
- Infection responses by target

Lightweight Responder
- Passive aspect captures UDP-based attacks
- Active aspect initiates the TCP connection, eliciting the payload used to differentiate traffic
- Many threats use the same ports, so IMS responds to SYN requests on all ports

Lightweight Responder
- Differentiating services

Hashing and Caching
- MD5 hash the packet payload
- If new: add the hash to the DB and cache the payload for analysis
- If already seen: log it
- Also useful for metrics
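The two responder slides above and this hashing slide describe one pipeline: complete the TCP handshake (or simply receive the UDP datagram) on any port, take the first payload, MD5 it, cache the payload the first time that hash is seen and only count it afterwards, and index signatures per port so that threats sharing a port are told apart by content. The following is an added example written for this page, not code from the IMS paper or from the presenter; it uses only the Python standard library, and the names PayloadCache, open_tcp_listener, serve_one_tcp, serve_one_udp and demo, as well as the sample payloads inside demo, are my own constructions.

```python
import hashlib
import socket
from collections import defaultdict


class PayloadCache:
    """Payload signature store as on the slides: the MD5 of the payload is
    the key, the first copy of each payload is cached for later analysis,
    and every later copy only bumps a counter (the 'already seen: log' branch).
    Signatures are also indexed per (protocol, port), so two threats hitting
    the same port are separated by content rather than by port number."""

    def __init__(self):
        self.payloads = {}               # md5 hex digest -> first cached copy
        self.hits = defaultdict(int)     # md5 hex digest -> times observed
        self.by_port = defaultdict(set)  # (proto, port) -> digests seen there

    def observe(self, proto, port, payload):
        """Record one payload; returns (digest, is_new)."""
        digest = hashlib.md5(payload).hexdigest()
        is_new = digest not in self.payloads
        if is_new:
            self.payloads[digest] = payload   # cache full payload once
        self.hits[digest] += 1                # log every occurrence
        self.by_port[(proto, port)].add(digest)
        return digest, is_new

    def distinct_on(self, proto, port):
        """Number of distinct payload signatures seen on this (proto, port)."""
        return len(self.by_port[(proto, port)])


def open_tcp_listener(host="127.0.0.1", port=0):
    """Bind a listening socket; port 0 makes the OS pick a free port.
    A real sensor would do this for every port of the dark block."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(8)
    return s


def serve_one_tcp(listener, cache, timeout=2.0):
    """Active aspect: accept one connection (the kernel answers the SYN with
    SYN/ACK for us) and read the first application payload. No banner is
    sent and no application protocol is emulated: layer 3/4 only."""
    port = listener.getsockname()[1]
    conn, _peer = listener.accept()
    with conn:
        conn.settimeout(timeout)
        try:
            data = conn.recv(4096)
        except socket.timeout:
            data = b""   # connected but never sent anything (connect-only probe)
    return cache.observe("tcp", port, data)


def serve_one_udp(sock, cache):
    """Passive aspect: with UDP the payload is already in the first datagram."""
    data, _peer = sock.recvfrom(65535)
    return cache.observe("udp", sock.getsockname()[1], data)


def demo():
    """Offline walk-through on constructed payloads (not real captures): two
    different payloads on the same port give two signatures, and a repeat of
    the first is only counted, not cached again."""
    cache = PayloadCache()
    first = b"GET /constructed-probe-A HTTP/1.0\r\n\r\n"   # constructed sample
    second = b"GET /constructed-probe-B HTTP/1.0\r\n\r\n"  # constructed sample
    r1 = cache.observe("tcp", 80, first)
    r2 = cache.observe("tcp", 80, second)
    r3 = cache.observe("tcp", 80, first)
    return r1[1], r2[1], r3[1], cache.distinct_on("tcp", 80), cache.hits[r1[0]]


if __name__ == "__main__":
    print(demo())  # (True, True, False, 2, 2)
```

Two points worth noticing in the design. First, every connect-only probe produces the same empty payload and therefore the same signature; that is not a defect, it is exactly the bucket a scanning metric wants, while any non-empty first payload separates threats that share a port. Second, MD5 is what the slides name and is adequate as a deduplication key, but a deployment built today would more likely use SHA-256 so that the signature database can also be shared with systems that reject MD5.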

Metrics
- Worm behaviors: virulence, demographics, propagation, community response
- Scanning
- DDoS

Worm lifecycle

Worm presence

Scanning

DDOS

Summary
- A globally scoped Internet monitoring system
- Wide, dark address monitoring (blackhole networking)
- Three components: distributed monitoring infrastructure, lightweight active responder, payload signatures and caching

Contributions
- A wider scope: IMS in dark address blocks
- Layer 3 lightweight responder
- Unique payload caching by hashing

Weaknesses
- Limited analysis from the lightweight responder: no layer 7 information, all layer 3
- Sensors could be identified: fingerprinted and blacklisted

How to Improve
- Anti-fingerprinting techniques: sensor rotation, source squelching, blackhole masking with simulated hosts and topology
- Hybrid system: combine host-based sensors with wide address space monitors
- Additional techniques for characterizing attackers: OS fingerprinting, firepower calculations

The End Thank you…