On the Difficulty of Scalably Detecting Network Attacks

Presentation transcript:

On the Difficulty of Scalably Detecting Network Attacks. Kirill Levchenko, Ramamohan Paturi, George Varghese. Presented by: Yaxuan Qi, 2007.11.29

Outline
- Problem & Contributions
- Background
- Study of Attacks: SYN-flooding, Port-scan, Connection-Hijacking, Fragmentation
- Conclusion

Problem
- Most network intrusion tools (e.g., Bro) use per-flow state to reassemble TCP connections and fragments.
- At high speeds at network vantage points, some form of aggregation is necessary.
- A number of problems have scalable solutions.
- There is no clear proof that per-flow state is required for many of these problems.

Contribution
- Proves that many well-known intrusion detection problems (detecting SYN Flooding, Port Scans, Connection Hijacking, and content matching across fragments) require per-flow state.
- Exposes assumptions that need to be changed to provide scalable solutions to these problems.
- Concludes with some systems techniques to circumvent these lower bounds.

Background: Deployment of NIDS
- Vantage point: deeper inside the network
  - Cost-saving: device count and management
  - As close to the attacker as possible
  - Fewer legitimate users are affected (??)
- Per-flow state
  - Provides wire-speed detection
  - Reduces false positives

Background: Related work
- Vantage point also requires per-flow state
- However, high-speed devices rely on cache or on-chip SRAM
- Still smaller: flow aggregation
- Load-splitters: expensive, and they also split attacks

Methodology
- Abstract problem formulation (with example)
- Lower bound definition (with example illustration)
- Lower bound: spatial complexity; proof (see appendix)
- Practical implications: scalability

Ingress SYN-flooding

Egress SYN-flooding

Ingress Port-Scanning

Egress Port-Scanning

TCP-Hijacking

Fragmentation Detection

Conclusion

Questions?