Northwestern Lab for Internet and Security Technology (LIST) Yan Chen ychen@cs.northwestern.edu Department of Computer Science Northwestern University http://www.cs.northwestern.edu/~ychen Global Router-based Anomaly/Intrusion Detection (GRAID) Systems Current Intrusion Detection Systems and Shortcomings Mostly host-based and not scalable to high-speed networks Mostly signature-based and cannot recognize unknown anomalies/intrusions Isolated or centralized systems Slammer worm infected 75,000 machines in <10 mins Polymorphic/new viruses/worms Insufficient info for causes, patterns and prevalence of global-scale attacks Multiple GRAID sensors interconnect through distributed hash table (DHT) for alarm fusion with Scalability Load balancing Fault-tolerance Intrusion correlation Internet IDS IDS + SFC GRAID Coverage Attack Injected CDDHT Mesh Router LAN Internet Switch (a) (b) GRAID sensor scan port Splitter (c) Online traffic recording and analysis for high-speed routers Remote aggregated sketch records Sent out for aggregation Normal flows Reversible k-ary sketch monitoring Part I Sketch-based monitoring & detection Local sketch records Sketch based statistical anomaly detection (SSAD) Streaming packet data Attach GRAID sensors to high-speed routers (a) original configuration, (b) distributed configuration for which each port is monitored separately, (c) aggregate configuration for which a splitter is used to aggregate the traffic from all the ports of a router. Keys of suspicious flows Filtering Keys of normal flows Statistical detection Sample hardware: FPGA board used to implement the sketch-based traffic stream monitoring (courtesy of Prof. Memik of ECE Dept) Signature-based detection Per-flow monitoring Network fault detection Suspicious flows Part II Per-flow monitoring & detection Traffic profile checking Integrated approach for false positive reduction Intrusion or anomaly alarms Our theme: challenges for Internet as a new infrastructure for service delivery Un-trusted: security (viruses, worms, etc.) Highly dynamic: congestion/failures Modules on the critical path Modules on the non-critical path Data path Control path Architecture of a GRAID sensor Hardware implementation of critical-path for real-time detection Tomography-based Overlay network Monitoring (TOM) Real Adaptive Streaming Media on TOM Challenge: Given an overlay of n end hosts and O(n2) paths, how to select a minimal subset of paths to monitor so that the loss rates/latency of all other paths can be inferred. X UC San Diego Stanford HP Labs Overlay network monitoring essential for Overlay routing/location VPN management/provisioning Service redirection/placement Link failure/congestion diagnosis Requirements for E2E monitoring system Scalable & efficient: small amount of probing traffic Accurate: capture congestion/failures Adaptive: nodes join/leave, topology changes Robust: tolerate measurement errors Balanced measurement load End hosts Overlay Network Operation Center UC Berkeley Our solution: Select a basis set of k paths that fully describe O(n2) paths (k = O(nlogn)). Monitor the loss rates of k paths, and infer the loss rates of all other paths Adaptive to topology changes Balanced measurement load Topology measurement error tolerance Implemented with Winamp client and SHOUTcast server Congestion introduced with a Packet Shaper Skip-free playback: server buffering and rewinding Total adaptation time < 4 seconds See our paper in Collaborators