“On Scalable Attack Detection in the Network” Ramana Rao Kompella, Sumeet Singh, and George Varghese Presented by Nadine Sundquist.

Presentation transcript:

Slide 2 (November 7, 2007, CS-622): Roadmap
- Why do we need scalable attack detection?
- What are the difficulties in implementing scalable attack detection?
- What kinds of attacks can be detected?
- What are Partial Completion Filters (PCFs)?
- How do we use Partial Completion Filters?
- What are the experimental results?

Slide 4: Why do we need scalable attack detection?
- Scalable: able to detect network behavior at multi-gigabit speeds (at least 1 Gb/s).
- Detect behavior over a set of packets at network vantage points such as routers.
- Proposed solution: aggregation (combining multiple connections) for attack detection.

Slide 5: Why Use Aggregation?
- Combining several lines into one is more efficient for forwarding.
- A router can see millions of flows/connections, with not enough high-speed memory (on-chip and off-chip SRAM or cache) to track each one.
- Other services use forms of aggregation for faster processing.
  – Example: Internet lookup routers store prefixes for the entire Internet to process requests faster.

Slide 7: Problems of Aggregation
- Behavioral aliasing: good behaviors aggregate to look like bad behaviors.
- False positive: the server thinks a resource is under attack when traffic is in a normal state, because many computers look like one computer due to aggregation.

Slide 8: Problems of Aggregation
- Spoofing: the attacker avoids detection by appearing benign.
- Our focus is TCP (Transmission Control Protocol) SYN flooding, also known as partial completion attacks: connections opened, but not closed.
- SYN: connection request, connection opened.
- FIN: connection finished/closed.
- [Diagram: Attacker, Victim, and a Firewall/Proxy/Victim Server that does the detection of SYN flooding; packets labelled SYN :80, SYN :80, FIN :80.]

Slide 10: Kinds of Attacks
- Partial completion attacks
- Attacks that do scanning
- Bandwidth attacks
- Commonality: bandwidth tied up or resources tied up

Slide 12: Partial Completion Filters (PCFs)
- New data structure.
- Can detect scanning attacks and partial completion attacks with small traffic volume.
- Can detect victims reacting to an attack.
- Only useful for TCP.
- Only has a local geographical scope.

Slide 13: Partial Completion Filters (PCFs)
- [Diagram courtesy of Minsoo Choi, University of Southern California; packets labelled SYN :20, FIN :20, SYN :24.]
- If N packets are delivered, the benign SYN/FIN imbalance stays within √N (one standard deviation).
- To allow for noise, the threshold is 3√N (three standard deviations).
- Hash functions in experiments (requires 480 Kbits of memory).

Slide 15: How do we use PCFs?
- Partial completion attacks
- TCP scanning detection
- PCF(SYN, FIN, )

Slide 16: Where do I deploy PCFs?
- Near sources -> look at source IP.
  – Recognizes scanning.
  – Recognizes too many SYN packets without FINs.
- Incoming/outgoing edge of network -> look at destination IP.
  – Recognizes attack.
- Outgoing edge of network -> look at source IP.
  – Recognizes false FIN without FIN-ACK.
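As an added example (not the paper's or the presenter's code), the following Python sketch puts slides 13 and 16 together: a PCF keyed on destination IP, as deployed at a network edge, that adds 1 per SYN and subtracts 1 per FIN in several hashed counter arrays and reports a destination only when its counters exceed the 3√N noise threshold. The stage count, table size, hash function and the sample trace are assumptions constructed for this example.

```python
import hashlib
import math

class PartialCompletionFilter:
    """Hypothetical PCF: parallel hashed counter arrays, +1 per SYN, -1 per FIN.
    Stage count, table size and hash are this example's assumptions, not the slides'."""

    def __init__(self, stages=3, counters=1024):
        self.stages, self.size = stages, counters
        self.tables = [[0] * counters for _ in range(stages)]
        self.packets = 0  # N: SYN and FIN packets observed so far

    def _index(self, stage, key):
        # One independent hash per stage, derived by salting with the stage id
        digest = hashlib.blake2b(f"{stage}:{key}".encode(), digest_size=8).digest()
        return int.from_bytes(digest, "big") % self.size

    def observe(self, key, flag):
        # key is the aggregation field: destination IP at an edge, source IP near sources
        delta = {"SYN": 1, "FIN": -1}[flag]
        self.packets += 1
        for stage in range(self.stages):
            self.tables[stage][self._index(stage, key)] += delta

    def threshold(self):
        # Benign SYN/FIN imbalance looks like sqrt(N) noise; flag only beyond 3*sqrt(N)
        return 3 * math.sqrt(self.packets)

    def estimate(self, key):
        # Minimum across stages: the counter least inflated by hash collisions
        return min(self.tables[s][self._index(s, key)] for s in range(self.stages))

    def is_flagged(self, key):
        return self.estimate(key) > self.threshold()

def constructed_trace():
    """Constructed sample (not captured traffic): 200 completed benign connections
    spread over 20 servers, then 150 half-open connections aimed at one victim."""
    trace = []
    for i in range(200):
        dst = f"10.0.{i % 20}.{i % 7}"
        trace += [(dst, "SYN"), (dst, "FIN")]
    return trace + [("10.0.99.1", "SYN")] * 150

def detect_victims(trace, candidates):
    # Run a destination-keyed PCF over (dst_ip, flag) pairs; return flagged candidates
    pcf = PartialCompletionFilter()
    for dst, flag in trace:
        pcf.observe(dst, flag)
    return {dst for dst in candidates if pcf.is_flagged(dst)}
```

With N = 550 packets the threshold is about 70, so the victim's counter of 150 is reported while every completed benign connection nets to zero.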

Slide 18: Experiment Setup
- 2 real flows of traffic from 1 day.
- OC-48 -> Mbits/second.
- Dir = direction; ISP = Internet Service Provider.
- [Diagram: ISP A, ISP B, Internet, Dir 0, Dir 1.]

Slide 19: How do we take into account bias?
- [Chart: SYN/FIN difference in the experiment.]

Slide 20: Results
- 5 million destinations (about 30 million ports) & 2 million sources (about 30 million ports).
- 517 attack flows.
- 6 false positives -> too many SYNs.
- 0 false negatives -> too many FINs.
- Could measure the time length of the attacks.

Slide 21: Scanning Detection
- SYNs without FINs could mean port scans.
- A source doing port scanning will send SYN packets, but no FIN packets, to MANY destinations (shown in red on the slide).

Slide 22: Conclusions
- Speed requirement: using aggregation is possible for attack detection on networks of at least Mbits/second.
- Memory requirement: only uses 480 Kbits of memory for hash functions.
- Accurate in a Local Area Network.

Slide 23: Further Research/Work
- Run more tests using more sets of data; only one set of data was used in the paper's experiment.
- Research other methods of attack detection at high speeds and compare results.
- Further research scan-based (worm) attacks.

Slide 24: References
- Ramana Rao Kompella, Sumeet Singh, and George Varghese, “On Scalable Attack Detection in the Network”, February.
- Choi, Minsoo, “On Scalable Attack Detection in the Network Presentation”, netweb.usc.edu/ftp/pub/cs558f05/Slides/minsoo.ppt, 2007.