Tracking Port Scanners on the IP Backbone. Tao Ye, Sprint, Burlingame, CA; Avinash Sridharan, University of Southern California.

1 Goals
Port scanning is a major propagation channel
> Costly: virus and worm outbreaks cost North American operators $245M in 2004; Blaster $1B and Code Red $1.2B worldwide
> Denial of Service: blackmail of commerce websites
Our goals
> Detect and track
> Understand the long-term behavior of scanners
> On the backbone network

2 Motivation and Challenges
Why the backbone?
> Detection: existing work is mostly at stub networks, with limited visibility
> Tracking: honeypots can be evaded
> More scanning activity is visible at the core
> A peering point is a unique vantage point
Challenges
> Backbone traffic is unidirectional and asymmetric
> High-speed (OC-48, OC-192) links need a fast algorithm
> Diverse traffic mix needs an efficient data structure

3 Outline
Motivation and Challenges
Methodology
> Detection Algorithm: TAPS
> Online Implementation Architecture
Results: Scanner Behavior
Conclusion

4 Outline
Motivation and Challenges
Methodology
> Detection Algorithm: TAPS
> Online Implementation Architecture
Results: Scanner Behavior
Conclusion

5 Intuition: Access Patterns

6 TAPS: Time-based Access Pattern Sequential hypothesis testing
> Based on 5-tuple flow summaries from a unidirectional link
> Scanner suspects: source IPs whose IP/port (or port/IP) access ratio exceeds k within a time bin
> Sequential hypothesis testing over successive time bins

7 TAPS
Threshold for tagging source as scanner
Increment when IP/port > K
Decrement when IP/port < K
Threshold for tagging source as benign
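The decision rule on slides 6 and 7, worked through as an added example (this is not the authors' code): each source is judged per time bin on the ratio of distinct destination IPs to distinct destination ports (or the inverse); a bin whose larger ratio exceeds k moves a per-source walk up, any other bin moves it down, and the source is tagged once the walk crosses the scanner or benign threshold. The step sizes are those of an ordinary sequential probability ratio test with assumed per-bin probabilities; k, the error targets and the flow records are all constructed for illustration.

```python
"""
TAPS-style scan detection on unidirectional flow summaries.

Added example, not the authors' code.  Per source and per time bin, the larger of
IP/port and port/IP over the distinct destinations seen is compared with k; the
outcome drives a sequential hypothesis test (random walk between two thresholds).
"""
import math
from collections import defaultdict

K = 3.0                 # assumed fan-out ratio threshold k
THETA_BENIGN = 0.2      # assumed P(ratio > K in a bin | benign source)
THETA_SCANNER = 0.8     # assumed P(ratio > K in a bin | scanner)
ALPHA, BETA = 0.01, 0.01                       # target false positive / false negative rates
ETA_SCANNER = math.log((1 - BETA) / ALPHA)     # upper threshold: tag source as scanner
ETA_BENIGN = math.log(BETA / (1 - ALPHA))      # lower threshold: tag source as benign
STEP_UP = math.log(THETA_SCANNER / THETA_BENIGN)                  # bin with ratio > K
STEP_DOWN = math.log((1 - THETA_SCANNER) / (1 - THETA_BENIGN))    # bin with ratio <= K


def ratio_exceeds_k(n_ips, n_ports, k=K):
    """Time-based access pattern test: max(IP/port, port/IP) > k marks a bin as scan-like."""
    return max(n_ips / n_ports, n_ports / n_ips) > k


def bin_flows(flows, bin_seconds):
    """Group flow summaries (ts, src, dst, dport, proto) by (src, time bin),
    keeping only the distinct destination IPs and ports seen in that bin."""
    bins = defaultdict(lambda: {"ips": set(), "ports": set()})
    for ts, src, dst, dport, _proto in flows:
        entry = bins[(src, ts // bin_seconds)]
        entry["ips"].add(dst)
        entry["ports"].add(dport)
    return bins


def taps_classify(flows, bin_seconds=60):
    """Walk each source through its bins in time order.  Returns {src: verdict} where
    verdict is "scanner", "benign" or "pending" (walk still between the thresholds)."""
    bins = bin_flows(flows, bin_seconds)
    walk = defaultdict(float)
    verdict = {}
    for src, b in sorted(bins, key=lambda key: (key[1], key[0])):
        if src in verdict:          # already decided: stop testing this source
            continue
        entry = bins[(src, b)]
        scanlike = ratio_exceeds_k(len(entry["ips"]), len(entry["ports"]))
        walk[src] += STEP_UP if scanlike else STEP_DOWN
        if walk[src] >= ETA_SCANNER:
            verdict[src] = "scanner"
        elif walk[src] <= ETA_BENIGN:
            verdict[src] = "benign"
    return {src: verdict.get(src, "pending") for src in walk}


def sample_flows():
    """Constructed NetFlow-like records, not backbone data: four one-minute bins in which
    10.0.0.1 touches 20 destination IPs on a single port (ratio 20:1) while 192.168.1.5
    talks to 2 servers on 4 ports each (ratio 2:1, below K)."""
    flows = []
    for b in range(4):
        ts = b * 60 + 5
        for i in range(20):
            flows.append((ts, "10.0.0.1", f"203.0.113.{i}", 445, "tcp"))
        for dst in ("198.51.100.10", "198.51.100.11"):
            for port in (80, 443, 25, 53):
                flows.append((ts, "192.168.1.5", dst, port, "tcp"))
    return flows


if __name__ == "__main__":
    for src, label in taps_classify(sample_flows()).items():
        print(f"{src:15s} {label}")
```

With the assumed probabilities the steps are ±ln 4 ≈ 1.39 and the thresholds ±ln 99 ≈ 4.6, so four consecutive scan-like bins tag a source as a scanner and four ordinary bins tag it as benign; tuning THETA_* and ALPHA/BETA changes how many bins the walk needs before a decision.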

8 Outline
Motivation and Challenges
Methodology
> Detection Algorithm: TAPS
> Online Implementation Architecture
Results: Scanner Behavior
Conclusion

9 Online Implementation Architecture
Use CMON to produce flows in NetFlow 5 format
Flow Daemon distributes flows
Keep flows in a circular buffer
Diagram components: CMON, Flow Collector, Flow Daemon, Core, App Handler, TAPS, Other, Disk Writer, Disk Reader, Circular Buffer, Disk

10 Design choices: Circular Buffer
How many minutes of data do we buffer?
Queuing model
> Slotted single queue; service data after Q bytes are stored
> In time slot t the queue receives A(t) arrivals, has backlog U(t), and is served at rate μ(t) when U(t) >= Q
> Use the Lyapunov drift theorem to bound the expected backlog of the queue
> Assuming E(μ(t)) = 1.1λ
> With the measured arrival rate, U ~ 11 min (300 MB); we set the buffer to 60 min
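The slotted queue above, simulated as an added example (this is not the slides' analysis): the reader drains μ units per slot only while the backlog U(t) is at least Q, so U(t+1) = max(U(t) + A(t) - μ·[U(t) >= Q], 0). Rather than applying the Lyapunov drift bound, the code runs that recursion on a constructed periodic arrival trace with E[μ] = 1.1λ and converts the peak backlog into minutes of traffic. Q, the unit (one unit standing for 0.1 MB) and the trace are assumptions; the slides' measured 11 min / 300 MB figure is not reproduced.

```python
"""
Slotted single-queue model for sizing the flow circular buffer.

Added example, not from the slides.  Service is threshold-triggered: nothing is
drained until the backlog reaches Q, then mu units leave per slot.
"""

Q = 100                    # assumed trigger: drain once 100 units are buffered
PATTERN = [30, 0, 0, 10]   # constructed bursty arrivals per 1-minute slot; mean lambda = 10
MU = 11                    # service rate per slot = 1.1 * lambda, as assumed on the slide


def arrivals(n_slots, pattern=PATTERN):
    """Periodic arrival trace A(t) built from the constructed pattern."""
    return [pattern[t % len(pattern)] for t in range(n_slots)]


def simulate(trace, q=Q, mu=MU):
    """Return the backlog after every slot: U(t+1) = max(U(t) + A(t) - mu*[U(t) >= q], 0)."""
    u = 0
    history = []
    for a in trace:
        served = mu if u >= q else 0     # service only once the backlog has reached Q
        u = max(u + a - served, 0)
        history.append(u)
    return history


def sizing_report(n_slots=240, slot_minutes=1):
    """Peak and mean backlog, plus the buffer depth in minutes of traffic that covers the peak."""
    trace = arrivals(n_slots)
    lam = sum(trace) / len(trace)          # measured mean arrival rate, units per slot
    hist = simulate(trace)
    peak = max(hist)
    return {
        "lambda": lam,
        "peak_backlog": peak,
        "mean_backlog": sum(hist) / len(hist),
        "peak_minutes": peak * slot_minutes / lam,
    }


if __name__ == "__main__":
    r = sizing_report()
    print(f"lambda={r['lambda']:.1f}/slot  peak={r['peak_backlog']}  "
          f"mean={r['mean_backlog']:.1f}  buffer >= {r['peak_minutes']:.1f} min")
```

On this trace the backlog oscillates just above Q once service starts and peaks at 129 units, i.e. about 13 minutes of traffic at the mean rate; the slides' choice of a 60 min buffer against an 11 min estimate reflects the same idea of provisioning well above the modelled peak.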

11 Detector and Tracker Architecture

12 Design choices: Approximation Counters
Issues:
> Need to keep the fan-out count for each IP
> A heap implementation has prohibitively high memory requirements
Probabilistic counters:
> Many recently proposed counters with small SRAM implementations: multi-resolution bitmap, trigger bitmap
> Simple Flajolet-Martin (FM) counter
FM counter performance
> 8 hash functions are accurate enough for the <>k test
> Compared 256, 32 and 8 hash functions
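A Flajolet-Martin distinct counter used as an approximate fan-out counter, as an added example (not the authors' implementation): each of m hash functions keeps a small bitmap; inserting an item sets the bit at the position of the lowest 1-bit of its hash, and the index of the lowest zero bit, R, estimates log2 of the distinct count. Averaging R over the m bitmaps and correcting by φ gives the estimate, so more hash functions buy accuracy with memory, which is the trade-off the 256/32/8 comparison on the slide explores. The salted SHA-256 hashes, the φ constant and the destination sets below are textbook or constructed choices, not values from the slides.

```python
"""
Flajolet-Martin (FM) approximate distinct counter as a per-source fan-out counter.

Added example, not the authors' code.  State is m bitmaps of BITS bits regardless
of how many distinct destinations a source has touched.
"""
import hashlib

PHI = 0.77351          # FM bias-correction constant
BITS = 32              # bitmap width per hash function


def lowest_one_bit(x):
    """Position of the least-significant 1-bit of x (FM 'rho'); 0 is mapped to the top bit."""
    if x == 0:
        return BITS - 1
    return (x & -x).bit_length() - 1


class FMCounter:
    """Approximate distinct counter with m independent (salted) hash functions."""

    def __init__(self, m):
        self.m = m
        self.bitmaps = [0] * m

    def add(self, item):
        for i in range(self.m):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()   # salt i = hash function i
            h = int.from_bytes(digest[:4], "big")
            self.bitmaps[i] |= 1 << lowest_one_bit(h)

    @staticmethod
    def _lowest_zero(bitmap):
        """Index of the lowest zero bit: the FM statistic R for one bitmap."""
        r = 0
        while bitmap & (1 << r):
            r += 1
        return r

    def estimate(self):
        mean_r = sum(self._lowest_zero(b) for b in self.bitmaps) / self.m
        return (2 ** mean_r) / PHI


def relative_estimate(true_n, m):
    """Estimate / true count for a constructed set of true_n distinct destination IPs."""
    c = FMCounter(m)
    for i in range(true_n):
        c.add(f"ip-{i}")
    return c.estimate() / true_n


def approx_ratio_exceeds_k(dst_ips, dst_ports, k, m=8):
    """The TAPS '<>k' access-ratio test with FM estimates in place of exact distinct counts."""
    ips, ports = FMCounter(m), FMCounter(m)
    for d in dst_ips:
        ips.add(d)
    for p in dst_ports:
        ports.add(str(p))
    n_ip = max(ips.estimate(), 1.0)        # clamp: at least one destination was seen
    n_port = max(ports.estimate(), 1.0)
    return max(n_ip / n_port, n_port / n_ip) > k


if __name__ == "__main__":
    for m in (8, 32, 256):
        print(f"m={m:3d}  estimate/true = {relative_estimate(2000, m):.3f}")
```

The per-bitmap statistic R has a standard deviation of roughly 1.1, so averaging over m bitmaps leaves an error of about 1.1/√m in log2 of the count: coarse with 8 hash functions, but the ratio test only needs to tell "far above k" from "far below k", which is why a handful of hash functions suffices for it while a precise count would need many more.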

13 Outline
Motivation and Challenges
Methodology
> Detection Algorithm: TAPS
> Online Implementation Architecture
Results: Scanner Behavior
Conclusion

14 Results
Data set
> OC-48 peering link, incoming, ~320 Mbps, 22 days
> OC-48 peering link, outgoing, ~560 Mbps, 3 days

15 Scanner Duration (plots for the 22-day and 3-day data sets)

16 Scanner Rate

17 Scanner Footprint (22 days): scanners lasting < 2 hrs vs. scanners lasting > 2 hrs

18 Number of Scanners Detected (1): time series of the number of scanners detected (3 days)

19 Number of Scanners Detected (2): time series of the number of scanners detected (22 days)

20 Conclusion
Online scan detection and tracking
> Targets a unidirectional backbone link
> Detector: Time-based Access Pattern Sequential hypothesis testing (TAPS), which combines rate limiting with statistical tests on destination IP and port access patterns
> Implementation design: queue model and FM counter
Scanner behavior
> 90-10 split in scanning rate and scanning duration behavior
> Spike in the number of scanners detected

21 Scanning Ports (ports accessed)

22 Choose a Detection Algorithm
Requirements
> Unidirectional backbone link
> Do not rely on TCP connections or server configuration information
> Protocol independence: capture TCP and UDP scanners
> High detection rate, low false positives
Evaluated
> Snort
> TRW
> TAPS

23 Duration (3 day)

24 Scanner Footprint (2): scanners lasting < 5.5 hrs vs. scanners lasting > 5.5 hrs

25 Port Scan Detector
Evaluation of existing detectors
> Industry: SNORT, Netscreen
  Static thresholding: "> n destinations in m seconds" = scanner
> Research: TRW (Jung et al., 2004 Oakland conference)
  – Connection failure as the indicator
  – Sequential hypothesis testing using Threshold Random Walk
  – Needs an ORACLE
  – TRWSYN
    » Our backbone adaptation of TRW
    » SYN-only flows indicate failure
Design TAPS
> Combine rate limiting and hypothesis testing

26 Performance: TCP OC-48