An IST Projecthttp://www.ist-lobster.org/ 1 Herbert Bos, VU, The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos.

Slides:



Advertisements
Similar presentations
IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.
Advertisements

Information-Centric Networks09c-1 Week 9 / Paper 3 VoCCN: Voice Over Content-Centric Networks –V. Jacobson, D. K. Smetters, N. H. Briggs, M. F. Plass,
1 IP-Lookup and Packet Classification Advanced Algorithms & Data Structures Lecture Theme 08 – Part I Prof. Dr. Th. Ottmann Summer Semester 2006.
Introduction to IPv6 Presented by: Minal Mishra. Agenda IP Network Addressing IP Network Addressing Classful IP addressing Classful IP addressing Techniques.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.
OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.
The Assembly Language Level
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
Mehmet Can Vuran, Instructor University of Nebraska-Lincoln Acknowledgement: Overheads adapted from those provided by the authors of the textbook.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Protomatching Network Traffic for High Throughput Network Intrusion Detection Shai RubinSomesh JhaBarton P. Miller Microsoft Security Analysis Services.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
FFPF: Fairly Fast Packet Filters uspace kspace nspace Vrije Universiteit Amsterdam Herbert Bos Willem de Bruijn Trung Nguyen Mihai Cristea Georgios Portokalidis.
Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.
Efficient Multi-Match Packet Classification with TCAM Fang Yu
FFPF: Fairly Fast Packet Filters uspace kspace nspace Vrije Universiteit Amsterdam Herbert Bos Willem de Bruijn Trung Nguyen Mihai Cristea Georgios Portokalidis.
An IST Projecthttp:// 1 Herbert Bos, VU, FFPF: Fairly Fast Packet Filters Herbert Bos Vrije Universiteit.
Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS Professor Yan Chen.
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
RAID2005 CardGuard: Towards software-based signature detection for intrusion prevention on the network card Herbert Bos and Kaiming Huang presented by.
ICS-FORTH WISDOM Workpackage 3: New security algorithm design FORTH-ICS The next six months Cork, 29 January 2007.
Penetration Testing Security Analysis and Advanced Tools: Snort.
CHP - 9 File Structures. INTRODUCTION In some of the previous chapters, we have discussed representations of and operations on data structures. These.
Workpackage 3 New security algorithm design ICS-FORTH Paris, 30 th June 2008.
Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.
FEATURES & FUNCTIONALITY. Page 2 Agenda Main topics Packet Filter Firewall Application Control Other features.
N E T G R O U P P O L I T E C N I C O D I T O R I N O Towards Effective Portability of Packet Handling Applications Across Heterogeneous Hardware Platforms.
Vladimír Smotlacha CESNET Full Packet Monitoring Sensors: Hardware and Software Challenges.
Chapter 22 Q and A Victor Norman CS 332 Spring 2014.
© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Memory: Relocation.
Sven Ubik, Petr Zejdl, Vladimir Smotlacha TNC-2006, Catania, Hardware anonymization.
CINBAD CERN/HP ProCurve Joint Project on Networking 26 May 2009 Ryszard Erazm Jurga - CERN Milosz Marian Hulboj - CERN.
Firewall Policies. Module Objectives By the end of this module participants will be able to: Identify the components used in a firewall policy Create.
5 Firewalls in VoIP Selected Topics in Information Security – Bazara Barry.
Workpackage 3 New security algorithm design ICS-FORTH Ipswich 19 th December 2007.
1 Network Address Translation (NAT) and Dynamic Host Configuration Protocol (DHCP) Relates to Lab 7. Module about private networks and NAT.
Network Analyzer :- Introduction to Wireshark. What is Wireshark ? Ethereal Formerly known as Ethereal GUINetwork Protocol Analyzer Wireshark is a GUI.
An end-to-end usage of the IPv6 flow label
High-Speed Policy-Based Packet Forwarding Using Efficient Multi-dimensional Range Matching Lakshman and Stiliadis ACM SIGCOMM 98.
The Devil and Packet Trace Anonymization Authors: Ruoming Pang, Mark Allman, Vern Paxson and Jason Lee Published: ACM SIGCOMM Computer Communication Review,
ICS-FORTH WISDOM Workpackage 3: New security algorithm design FORTH-ICS Update and plans for the next six months Heraklion, 4 th June 2007.
1 Transport Layer: Basics Outline Intro to transport UDP Congestion control basics.
ECE 526 – Network Processing Systems Design Network Address Translator II.
Regan Little. Definition Methods of Screening Types of Firewall Network-Level Firewalls Circuit-Level Firewalls Application-Level Firewalls Stateful Multi-Level.
1 8.4 Extensions to the Basic TM Extended TM’s to be studied: Multitape Turing machine Nondeterministic Turing machine The above extensions make no increase.
Challenges and  Goal: remove critical stuff remove critical stuff but: keep enough info to stay useful but: keep enough info to stay.
Network Analyzer :- Introduction to Ethereal Computer Networking (Graduate Class)
Some Great Open Source Intrusion Detection Systems (IDSs)
SIEM Rotem Mesika System security engineering
CHP - 9 File Structures.
The Devil and Packet Trace Anonymization
Next Generation: Internet Protocol, Version 6 (IPv6) RFC 2460
Principles of Computer Security
Virtual LANs.
RESOLVING IP ALIASES USING DISTRIBUTED SYSTEMS
Packet Switching To improve the efficiency of transferring information over a shared communication line, messages are divided into fixed-sized, numbered.
Advanced Algorithms for Fast and Scalable Deep Packet Inspection
Lecture 14 Virtual Memory and the Alpha Memory Hierarchy
دیواره ی آتش.
Network Analyzer :- Introduction to Wireshark
Network Analyzer :- Introduction to Wireshark
A Hybrid Finite Automaton for Practical Deep Packet Inspection
Chapter 4: outline 4.1 Overview of Network layer data plane
Presentation transcript:

An IST Projecthttp:// 1 Herbert Bos, VU, The Ruler Anonymization Language Kees van Reeuwijk Herbert Bos Vrije Universiteit Amsterdam herbertb _AT_ cs.vu.nl

An IST Projecthttp:// 2 Herbert Bos, VU, Privacy a shared monitoring infrastructure?  what about privacy?! Before talking about privacy ask the following: would you share information?

An IST Projecthttp:// 3 Herbert Bos, VU, Responses vary… –No, absolutely not. I will not reveal any information I will not reveal even the load of my network –Maybe I can share some general statistics what traffic goes in and out of my network –I am willing to share the headers of the packets IP addresses anonymized, payload stripped just like NLANR does today –I would like to share all information with my local administrators some information with associated researchers anonymized information with the rest of the world –Yes – share everything! information wants to be free! Lobster can provide all of the above

An IST Projecthttp:// 4 Herbert Bos, VU, 2. anonymization policy enforcement making sure parties only get properly anonymized traces determines who gets access to what How does it work? 1.applying anonymisation functions functionality to strip/hash payloads, zero addresses, etc.  library of possible anonymisation functions framework to apply these functions on traffic

An IST Projecthttp:// 5 Herbert Bos, VU, How does it work? 1.applying anonymisation functions functionality to strip/hash payloads, zero addresses, etc.  library of possible anonymisation functions framework to apply these functions on traffic 2. anonymization policy enforcement making sure parties only get properly anonymized traces determines who gets access to what UNCHANGED MAP TO INTEGER MAP ACCORDING TO DISTRIBUTION STRIP RANDOM FILENAME RANDOM HASH PATTERN FILL ZERO REPLACE PREFIX PRESERVING REGEXP CHECKSUM ADJUST SUBFIELD

An IST Projecthttp:// 6 Herbert Bos, VU, How does it work? 1.applying anonymisation functions functionality to strip/hash payloads, zero addresses, etc.  library of possible anonymisation functions framework to apply these functions on traffic 2. anonymization policy enforcement making sure parties only get properly anonymized traces determines who gets access to what Ruler: special-purpose, high-level language for packet rewriting in general and anonymization in particular What is so nice about it? easy to specify needs fast, efficient translates to low-level HW

An IST Projecthttp:// 7 Herbert Bos, VU, different policies different anonymization rules for different users credentials determine what sort of access is allowed

An IST Projecthttp:// 8 Herbert Bos, VU, Ruler a simple rule-based language –Generic sanitization –Efficient (DFA-based) implementation –Strive to make implementation in HW possible –Design to allow for (future) formal reasoning –Understand common network protocols –Extensible

An IST Projecthttp:// 9 Herbert Bos, VU, Ruler Patterns and filters consisting of rules pattern: pattern udpHeader: ( source: byte #2 dest: byte #2 len: byte #2 checksum: byte #2 ) filter: include layouts.rli filter simple eh:Ethernet_header iph:IPv4_header * => eh iph with [src=0, dest=0];

An IST Projecthttp:// 10 Herbert Bos, VU, Matching language Fixed number of bytes, fixed value 42#1 5 0x800#2 “url” Fixed number of bytes, arbitrary value byte#2 byte#1 byte Arbitrary number of bytes and value *

An IST Projecthttp:// 11 Herbert Bos, VU, Matching language: bit patterns Surrounded by {} Fixed number of bits, fixed value 42#7 0 0x800#16 Fixed number of bits, arbitrary value bit#2 bit#1 bit

An IST Projecthttp:// 12 Herbert Bos, VU, Matching language: labels Patterns can be labeled source: byte #6 dest: byte #6 payload: * Patterns can be grouped with brackets ether: (s:byte#6 d:byte#6 p:byte#2) Note the nested labels: ether refers to 14 bytes, ether.s refers to 6 bytes

An IST Projecthttp:// 13 Herbert Bos, VU, Matching language: patterns Patterns can be defined and named separately pattern ether: ( s:byte#6 d:byte#6 p:byte#2 ) Allows re-use of common patterns

An IST Projecthttp:// 14 Herbert Bos, VU, include files Definitions can be included from another file include “layouts.rli” Normally used for pattern definitions, but can be used for filters too layouts.rli defines many common header layouts: ethernet, IP, TCP, UDP, etc.

An IST Projecthttp:// 15 Herbert Bos, VU, use of labels Pattern names can now be used instead of the pattern they stand for ether * "warez" * Can be used in rewrite actions: a:byte#2 b:* => b a The trick is to do it fast

An IST Projecthttp:// 16 Herbert Bos, VU, The with construct The with construct replaces named parts of a pattern with other patterns ether with [p=0x0806#2] Restrictions: replacement pattern may not be longer or shorter than the original. ether with [p=42] // WRONG (1 byte)

An IST Projecthttp:// 17 Herbert Bos, VU, Rule actions Action is one of: –reject –accept, accept 5 –result pattern

An IST Projecthttp:// 18 Herbert Bos, VU, Tagged Deterministic Finite Automata We compile to a Tagged Deterministic Finite Automaton (TDFA) Tagged because we need the position of sub- patterns. States: –stop (we know what action to take) –inspect (look at a byte, branch) –tag (register positions in the input) –jump (skip irrelevant input bytes) –memory inspect (look at previous input)

An IST Projecthttp:// 19 Herbert Bos, VU, applications besides anonymisation we also applied Ruler to intrusion detection developed a snort2ruler compiler –translates majority of Snort rules automatically –some rules need manual help –some rules cannot be translated as is –implemented in parallel on an Intel IXP2400 network processor

An IST Projecthttp:// 20 Herbert Bos, VU, extensibility Ruler is extensible: it may call external functions filter zap_url head:(Ethernet_header IPv4_header * "GET ") url:* tail: (0x0D 0x0A *) => tail ; –allows us to use libraries of previously developed anonymisation functions in Lobster we have integrated Ruler with MAPI –a Ruler program can be applied to packets of arbitrary flows –Ruler may use MAPI’s default anonymisation functions

An IST Projecthttp:// 21 Herbert Bos, VU, Ruler for IDS

An IST Projecthttp:// 22 Herbert Bos, VU, Preliminary results able to keep up with gigabit scanning (only small number of rules tested) large number of rules: –large number of states –long compilation Gigabit rates: even on IXP with real traffic

An IST Projecthttp:// 23 Herbert Bos, VU, ruler – the language conclusions useful efficient multiple application domains state space may be the limiting factor fits in FFPF and Lobster

An IST Projecthttp:// 24 Herbert Bos, VU, EXAMPLES

An IST Projecthttp:// 25 Herbert Bos, VU, SISAL include layouts.rli filter two_rules eh: Ethernet_header iph: IPv4_header payload:(* “/bin/sh” *) => reject ; eh: Ethernet_header iph: IPv4_header payload:* => eh iph with [src=0, dest=0] ; include layouts.rli filter rewrite eh:Ethernet_header iph:IPv4_header with [ proto=17] udph:udpHeader * => iph.src iph.dest udph.source udph.dest udph.len ; 12

An IST Projecthttp:// 26 Herbert Bos, VU, SISAL include layouts.rli filter zap_url head:(Ethernet_header IPv4_header * "GET ") url:* tail: (0x0D 0x0A *) => head "XXX" tail; include layouts.rli filter zap_url head:(Ethernet_header IPv4_header * "GET ") url:* tail: (0x0D 0x0A *) => tail ; 43

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.