1 Collaborative Online Passive Monitoring for Internet Quarantine Weidong Cui SAHARA Winter Retreat, 2004.

Presentation transcript:

1 Collaborative Online Passive Monitoring for Internet Quarantine Weidong Cui SAHARA Winter Retreat, 2004

2 Motivation
Threats to today's Internet
 – Internet worms: Code-Red, Nimda, MS-SQL (Slammer/Sapphire), Blaster
 – DDoS attacks
 – Spam e-mails
Disaster caused by these threats
 – Millions of PCs cannot work properly: automatic reboot; disconnected by network admins
 – Critical servers stopped working: SQL servers; DDoS-attacked servers
 – Network outages: links congested; routers down

3 Internet Quarantine
Containing self-propagating malicious code is very important
 – Internet worm propagation caused huge problems
 – DDoS attacks rely on a large number of compromised zombies
 – Spammers start exploiting compromised machines to forward spam e-mails
To contain worms successfully, we need to [moore03internet]
 – Automatically detect and activate filtering mechanisms within minutes
 – Generate signatures for content filtering
 – Deploy content filtering in a large number of coordinated ISPs

4 Can We Protect Our Own Network against Intruders?
Yes, but limited…
Network intrusion detection
 – Misuse detection (signature-based): detects known malicious attacks very well; cannot detect new attacks without signatures
 – Anomaly detection: can detect new attacks; high false alarm rates due to the high variance of incoming traffic
Firewalls
 – Not flexible, usually require human intervention
 – Movable points (laptops)
 – Distributed firewall is still a research problem

5 Our Idea
Why is it hard to detect intruders?
 – So many of them…
 – Large variance of behaviors
Can we monitor local hosts?
 – Limited number of them
 – Network behavior follows some pattern
Basic idea
 – Monitor network behavior of local hosts
 – Prevent compromised local hosts from infecting others
 – Generate signatures based on traffic from those hosts

6 Our Approach
Detect compromised local hosts in an edge network
 – Passively monitor all traffic into/from an edge network online
 – Train a network behavior profile for each host inside the edge network and update it online
 – Alarm when an end host behaves anomalously
 – Assumption: the period of normal behavior of end hosts is long enough for this training purpose
Generate signatures of malicious code
 – Redirect traffic from an anomalous host to a honeypot
 – Create signatures in the honeypot
Distribute signatures to other networks
 – Can leverage overlay multicast

7 Design Choices
Why support the proposed monitoring?
 – Compromised hosts may infect other hosts inside the edge network
Why monitor at gateways of edge networks?
 – Single monitoring point for inbound and outbound traffic
 – Moderate traffic load
 – More information than end hosts
 – More reliable and harder to compromise than end hosts

8 Network Behavior Profile (I)
Network behavior of an end host can be abstracted as a series of connections to/from that host
 – TCP connection; each UDP packet is a connection
 – Each connection can be represented by a vector of one-dimensional variables X = (X1, X2, …, Xn): duration, transport protocol, service, outgoing/incoming packet/data size, time since last connection, whether the remote host was visited before, etc.
 – Aggregated features of connections: # connections/minute
 – Model of network behavior: a multivariate distribution P(X) describes how likely a connection is to happen

9 Network Behavior Profile (II)
A network behavior profile is an approximation of the multivariate distribution P(X)
 – Quantify the resolution of each variable: Time-of-Day: day time/night; Day-of-Week: weekday/weekend
 – Select a subset of one-dimensional marginal and conditional distributions for approximating the multivariate distribution: P(X) = P(X1) P(X2) P(X3 | X2)
 – Use a set of histograms to model the one-dimensional distributions: histograms are nonparametric and easy to update
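As an added example (not code from the talk), the profile of slides 8 and 9 in miniature: per-host histograms over a three-variable connection vector (service, whether the target is new, connection rate bucket), the factored approximation P(X) = P(X1) P(X2) P(X3 | X1) with the rate conditioned on the service, and a negative-log-likelihood surprise score. The training records, addresses and the smoothing constant are constructed for illustration.

```python
from collections import Counter, defaultdict
import math

def bucket_rate(conns_per_min):
    # Coarse resolution for a continuous variable (slide 9: quantify resolution).
    return "low" if conns_per_min < 5 else "mid" if conns_per_min < 30 else "high"

class HostProfile:
    """Histograms approximating P(X) as P(service) P(new_target) P(rate | service)."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                 # Laplace smoothing: unseen values are unlikely, not impossible
        self.service = Counter()           # marginal histogram P(X1)
        self.new_target = Counter()        # marginal histogram P(X2)
        self.rate_given_service = defaultdict(Counter)  # conditional histogram P(X3 | X1)
        self.seen_hosts = set()            # "remote host visited before" feature from slide 8

    def update(self, service, dst, conns_per_min):
        # Online update: every observed connection moves the histograms (slide 6).
        is_new = dst not in self.seen_hosts
        self.seen_hosts.add(dst)
        self.service[service] += 1
        self.new_target[is_new] += 1
        self.rate_given_service[service][bucket_rate(conns_per_min)] += 1

    def _prob(self, hist, key, bins):
        # Smoothed histogram probability; `bins` is the number of possible values.
        return (hist[key] + self.alpha) / (sum(hist.values()) + self.alpha * bins)

    def surprise(self, service, dst, conns_per_min):
        # Anomaly score: negative log-likelihood under the factored approximation.
        is_new = dst not in self.seen_hosts
        p = (self._prob(self.service, service, len(self.service) + 1)
             * self._prob(self.new_target, is_new, 2)
             * self._prob(self.rate_given_service.get(service, Counter()),
                          bucket_rate(conns_per_min), 3))
        return -math.log(p)

def demo():
    # Constructed training data (not the talk's traces): a host browsing a few
    # web servers at a low rate, plus some DNS lookups to one resolver.
    prof = HostProfile()
    for i in range(40):
        prof.update("http", f"192.0.2.{i % 4 + 1}", 1 + i % 3)
    for _ in range(10):
        prof.update("dns", "192.0.2.53", 1)
    familiar = prof.surprise("http", "192.0.2.2", 2)      # usual service, known target, low rate
    unusual = prof.surprise("smb", "203.0.113.9", 120)    # unseen service, new target, high rate
    return familiar, unusual
```

The gap between the two scores is what an alarm threshold would be tuned against; the scan-like record scores high on all three factors the slides name (outgoing connections, new targets, different services).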

10 Proof-of-Concept
We do not have concrete results for anomaly detection. We need to find features which can be used to differentiate normal and anomalous network behavior.
 – Outgoing connections
 – New targets
 – Different services
Data: 2 weeks (11/09/03-11/25/03) of tcpdump traces of our group (40 active hosts)
We will show the network behavior of 4 end hosts, which indicates some possible ways to do network anomaly detection.

11 Network Behavior: TCP Connection Speed

12 Network Behavior: New Targets

13 Network Behavior: Services

14 Discussion
Is it possible to differentiate between normal and anomalous network behavior of end hosts?
 – Is the network behavior of most end hosts relatively stable?
 – Client vs. server
 – New service release
 – PlanetLab hosts
Coordination among edge networks
 – What information to share?
 – How to make decisions based on shared information?
Statistical learning theory for anomaly detection
 – Most data is normal behavior
 – Online update/detection
Trace collection
 – Departmental/campus network
 – Commercial ISPs?

15 Related Work
Virus Throttle [williamson03implementing]
 – Limit/watch the speed of connections made by an end host to detect if it's compromised
 – Static: 1 connection/second
 – Only looks at connection speed
 – Implemented at end hosts: may be removed by malicious code
Online Fraud Detection [lambert00detecting]
 – Online data mining of a stream of transactions for customer patterns
 – Fraud detection applied to cell phones and credit cards
Honeycomb [kreibich03honeycomb]
 – Honeypots: decoy computing resources set up for monitoring and logging malicious activities
 – String-based pattern detection

16 Summary
Problem
 – Self-propagating malicious code is a big threat to today's Internet
Idea
 – Monitor network behavior of local hosts
 – Prevent compromised local hosts from infecting others
 – Generate signatures based on traffic from those hosts
Approach
 – Collaborative online passive monitoring at edge networks
 – Redirect traffic to honeypots to create signatures
Future work
 – Investigate anomaly detection algorithms on real-world data
 – Study coordinated analysis algorithms
 – Efficient passive monitoring mechanisms

17 References
[moore03internet] Internet Quarantine: Requirements for Containing Self-Propagating Code. /worm-infocom03.pdf
[williamson03implementing] Implementing and Testing a Virus Throttle. 103.pdf
[lambert00detecting] Detecting Fraud in the Real World.
[kreibich03honeycomb] Honeycomb – Creating Intrusion Detection Signatures Using Honeypots. II/papers/honeycomb.pdf