Network-based Intrusion Detection, Prevention and Forensics System Yan Chen Department of Electrical Engineering and Computer Science Northwestern University Lab for Internet & Security Technology (LIST) http://list.cs.northwestern.edu
The Spread of Sapphire/Slammer Worms In the first 30 minutes of Sapphire’s spread, we recorded nearly 75,000 unique infections. As we will detail later, most of these infections actually occurred within 10 minutes. This graphic is more for effect rather than technical detail: We couldn’t determine a detailed location for all infections, and the diameter of each circle is proportional to the lg() of the number of infections, underrepresenting larger infections. Nevertheless, it gives a good feel for where Sapphire spread. We monitored the spread using several “Network Telescopes”, address ranges where we had sampled or complete packet traces at single sources. We also used the D-shield distributed intrusion detection system to determine IPs of infected machines, but we couldn’t use this data for calculating the scanning rate.
Current Intrusion Detection Systems (IDS) Mostly host-based and not scalable to high-speed networks Slammer worm infected 75,000 machines in <10 mins Host-based schemes inefficient and user dependent Have to install IDS on all user machines ! Mostly simple signature-based Cannot recognize unknown anomalies/intrusions New viruses/worms, polymorphism
Current Intrusion Detection Systems (II) Cannot provide quality info for forensics or situational-aware analysis Hard to differentiate malicious events with unintentional anomalies Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration Cannot tell the situational-aware info: attack scope/target/strategy, attacker (botnet) size, etc. Statistical detection Unscalable for flow-level detection IDS vulnerable to DoS attacks Overall traffic based: inaccurate, high false positives
Network-based Intrusion Detection, Prevention, and Forensics System Online traffic recording [SIGCOMM IMC 2004, INFOCOM 2006, ToN to appear] Reversible sketch for data streaming computation Record millions of flows (GB traffic) in a few hundred KB Small # of memory access per packet Scalable to large key space size (232 or 264) Online sketch-based flow-level anomaly detection [IEEE ICDCS 2006] [IEEE CG&A, Security Visualization 06] Adaptively learn the traffic pattern changes As a first step, detect TCP SYN flooding, horizontal and vertical scans even when mixed Online stealthy spreader (botnet scan) detection [IWQoS 2007]
Network-based Intrusion Detection, Prevention, and Forensics System (II) Polymorphic worm signature generation & detection [IEEE Symposium on Security and Privacy 2006] [IEEE ICNP 2007 to appear] Accurate network diagnostics [ACM SIGCOMM 2006] [IEEE INFOCOM 2007] Scalable distributed intrusion alert fusion w/ DHT [SIGCOMM Workshop on Large Scale Attack Defense 2006] Large-scale botnet and P2P misconfiguration event forensics [work in progress]
System Deployment Attached to a router/switch as a black box Edge network detection particularly powerful Router LAN Internet Switch (a) (b) RAND system scan port Splitter (c) HPNAIDM Monitor each port separately Monitor aggregated traffic from all ports Original configuration
Northwestern Lab for Internet and Security Technology (LIST) Sponsors for LIST: Department of Energy (Early CAREER Award) Air Force Office of Scientific Research (Young Investigator Award) National Science Foundation Microsoft Research Motorola Inc. Additional industry collaborators SANS(SysAdmin, Audit, Network, Security) Institute AT &T Labs
Team of LIST Prof. Bin Liu from Tsinghua Univ., partially supported as an Eshbach Scholar of Northwestern University Jiazhen Chen (M.S. student) Kai Chen (Ph.D. student) Anup Goyal (Ph.D. student) Zhichun Li (Ph. D. student) Ying He (visiting Ph.D. student) Chengchen Hu (visiting Ph.D. student) Rahul Potharaju (M.S. student) Sagar Vemuri (M.S. student) Gao Xia (visiting Ph.D. student from Tsinghua University) Yao Zhao (Ph.D. student) Yanmei Zhang (visiting Ph.D. student) Zhaosheng Zhu (Ph.D. student)
? ? ?