Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC.

Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC 2004

Intrusion Detection

An IDS is a system used for detecting network attacks:
- They detect both successful and unsuccessful attacks
- They detect attacks from insiders

IDS categories:
- Host-based / Network-based
- Misuse detection / Anomaly detection
- Distributed Intrusion Detection Systems

Intrusion Detection (2)

Misuse Detection
- Sniffs network packets
- If a known signature is matched, the attack is detected
- Resembles an anti-virus system
- Must be updated night and day

Intrusion Detection (3)

Anomaly Detection
- Checks for great variation from the normal behaviour of an entity
- An entity could be a user, a computer or a network link
- Uses an expert system
- The system has to be trained before it becomes operational

Denial of Service Attacks

An attack to suspend the availability of a service.

Until recently the "bad guys" tried to enter our systems. Now it's: "If not us, then nobody".

- DoS: single, correctly formed malicious packets sent against the target machine
- Distributed DoS: traffic flows from various sources that exhaust network or computing resources

Main Characteristics of DoS

Variable targets:
- Single hosts or whole domains
- Computer systems or networks
- Important: active network components (e.g. routers) are also vulnerable and possible targets!

Variable uses & effects:
- Hacker "turf" wars
- High-profile commercial targets (or just competitors...)
- Useful in cyber-warfare, terrorism etc.

Distributed DoS

[Figure: Attacker X takes control of pirated machines ("zombies") in Domain A and Domain B, then commands the attack; the zombies' traffic converges on the target domain. Labels in the diagram: "Taking control", "2. Commanding the attack", "Target domain", "zombies", "Pirated machines Domain A", "Pirated machines Domain B", "Attacker X".]

Netflow

What is a flow? Defined by seven keys:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- TOS byte (DSCP)
- Input logical interface (ifIndex)

NetFlow Sequence (router side, from Cisco.com)

1. Create and update flows in the NetFlow cache
2. Expiration, triggered by one of:
   - Inactive timer expired (15 sec is default)
   - Active timer expired (30 min is default)
   - NetFlow cache is full (oldest flows expire)
   - RST or FIN TCP flag
3. Aggregation? (e.g. the Protocol-Port aggregation scheme)
   - Yes: aggregated flows, export version 8 or 9
   - No: non-aggregated flows, export version 5 or 9
4. Export version
5. Transport protocol: the export packet carries the flows as its payload
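As an added example (not code from the presentation or from OpenEye), the following Python decodes a NetFlow v5 export datagram, the non-aggregated format named in step 3 above, and groups its records by the seven flow keys from the previous slide. NetFlow v5 is IPv4-only and fixed-layout (24-byte header, 48-byte records), which is what makes it a good first parser to write; OpenEye itself consumes the template-based v9 format. The datagram below is constructed in the block rather than captured from a router, and the second record deliberately re-exports the same flow (a FIN-triggered expiry) to show why a collector must merge records that share the seven keys.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire layout (network byte order): 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")            # version, count, sysuptime, unix_secs,
                                                   # unix_nsecs, flow_sequence, engine_type,
                                                   # engine_id, sampling_interval
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # srcaddr, dstaddr, nexthop, input, output,
                                                   # dPkts, dOctets, first, last, srcport, dstport,
                                                   # pad1, tcp_flags, prot, tos, src_as, dst_as,
                                                   # src_mask, dst_mask, pad2

# The seven keys that define a flow on the slide: v5 carries all of them.
FLOW_KEYS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "tos", "input_if")


def parse_v5(packet: bytes):
    """Decode one NetFlow v5 export datagram into a list of flow dicts.
    Truncated or non-v5 datagrams are rejected instead of being read partially."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("short NetFlow header")
    (version, count, _uptime, _secs, _nsecs, _seq,
     _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"datagram truncated: header claims {count} records")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, _sas, _das, _smask, _dmask, _pad2) = V5_RECORD.unpack_from(packet, off)
        flows.append({
            "src_ip": str(IPv4Address(src)), "dst_ip": str(IPv4Address(dst)),
            "src_port": sport, "dst_port": dport, "proto": proto, "tos": tos,
            "input_if": in_if, "output_if": out_if,
            "packets": pkts, "bytes": octets,
            "duration_ms": last - first,   # first/last are router sysuptime in ms
            "tcp_flags": flags,
        })
    return flows


def seven_tuple(flow):
    return tuple(flow[k] for k in FLOW_KEYS)


def group_by_key(flows):
    """Merge records that share the seven keys: a long-lived flow, or one that is
    expired and re-created, is exported as several records for the same flow."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "records": 0})
    for f in flows:
        entry = agg[seven_tuple(f)]
        entry["packets"] += f["packets"]
        entry["bytes"] += f["bytes"]
        entry["records"] += 1
    return dict(agg)


def build_record(src, dst, in_if, pkts, octets, first, last, sport, dport, flags, proto, tos=0):
    """Pack one v5 record (helper for the constructed sample only)."""
    return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0\0\0\0",
                          in_if, 2, pkts, octets, first, last, sport, dport,
                          0, flags, proto, tos, 0, 0, 24, 24, 0)


def sample_packet():
    """Constructed v5 datagram with three records (not captured traffic)."""
    recs = [
        build_record("192.0.2.10", "198.51.100.5", 1, 12, 9000, 1000, 4000, 40000, 80, 0x18, 6),
        # same seven keys as above, re-exported after the FIN expired the cache entry
        build_record("192.0.2.10", "198.51.100.5", 1, 3, 180, 4000, 4100, 40000, 80, 0x11, 6),
        build_record("203.0.113.7", "198.51.100.5", 1, 1, 40, 5000, 5000, 5555, 80, 0x02, 6),
    ]
    header = V5_HEADER.pack(5, len(recs), 6000, 1700000000, 0, 0, 0, 0, 0)
    return header + b"".join(recs)


if __name__ == "__main__":
    for key, counters in group_by_key(parse_v5(sample_packet())).items():
        print(key, counters)
```

The length check before the record loop matters in practice: a collector listening on UDP receives whatever arrives, and a header whose `count` promises more records than the datagram holds must be treated as malformed rather than unpacked into garbage flows.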

Our Solution: an anomaly detection tool, OpenEye

OpenEye DDoS Attack Detection Tool
- Analyses flows exported from Cisco NetFlow-enabled routers
- Compatible with NetFlow v9
- Works with IPv4 and IPv6 traffic
- Uses an anomaly detection algorithm based on specific metrics and thresholds
- Written in Java

Implementation

Two main modules:
- Collector: responsible for receiving flow data from the NetFlow-enabled routers; the information is analysed and stored in a local data structure.
- Detector: responsible for calculating the metrics and comparing the results to the detection thresholds. It is activated periodically, implements extensive logging of detection events and generates notifications with security alerts to the administrator.

DoS Detection Metrics (1)

Metrics for packets/flows based on deviation:
- CP_ij = current packets/flows from interface i to j
- AP_ij = average packets/flows from interface i to j

DoS Detection Metrics (2)
- Number of flows with a very small lifetime
- Number of flows with a very small number of packets
- Percentages of TCP/UDP traffic

Data structures
- Tables with the number of packets and the number of flows for every pair of interfaces
- Hash tables keyed by destination IP (key) holding the number of packets and flows (values) for that IP, kept for every pair of interfaces
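The three slides above (the deviation metrics CP_ij/AP_ij, the short-lifetime, few-packet and TCP/UDP metrics, and the per-interface-pair tables) fit together as one collector/detector loop. The Python below is an added example written for this page, not OpenEye's code: it keeps the per-pair packet and flow tables and the per-pair Dst-IP hash table exactly as the data-structures slide lists them, then evaluates every metric against a baseline. The slides name CP_ij and AP_ij but not the deviation formula, so (CP - AP) / AP, the thresholds, and the 300-flow constructed interval are this example's assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

TCP, UDP = 6, 17

# Thresholds are assumptions for this example; the slides do not give OpenEye's values.
SHORT_FLOW_MS = 100   # a flow shorter than this counts as "very small lifetime"
FEW_PACKETS = 2       # a flow with at most this many packets counts as "very small number of packets"


@dataclass
class PairStats:
    """Counters kept for one (input interface, output interface) pair."""
    packets: int = 0
    flows: int = 0
    short_lived: int = 0
    few_packets: int = 0
    tcp_packets: int = 0
    udp_packets: int = 0
    # Hash table keyed by destination IP -> [packets, flows], as on the data-structures slide
    per_dst: dict = field(default_factory=lambda: defaultdict(lambda: [0, 0]))


def collect(flows):
    """Collector side: fold decoded flow records into the per-interface-pair tables."""
    table = defaultdict(PairStats)
    for f in flows:
        s = table[(f["input_if"], f["output_if"])]
        s.packets += f["packets"]
        s.flows += 1
        if f["duration_ms"] < SHORT_FLOW_MS:
            s.short_lived += 1
        if f["packets"] <= FEW_PACKETS:
            s.few_packets += 1
        if f["proto"] == TCP:
            s.tcp_packets += f["packets"]
        elif f["proto"] == UDP:
            s.udp_packets += f["packets"]
        s.per_dst[f["dst_ip"]][0] += f["packets"]
        s.per_dst[f["dst_ip"]][1] += 1
    return table


def deviation(cp, ap):
    """Relative deviation of the current count CP_ij from the average AP_ij.
    The slides name CP and AP but not the formula; (CP - AP) / AP is this example's choice."""
    if ap == 0:
        return float("inf") if cp > 0 else 0.0
    return (cp - ap) / ap


def detect(table, baseline, dev_threshold=3.0, short_ratio=0.5, few_ratio=0.5):
    """Detector side: compare one interval's counters with the learned baseline.

    baseline maps (in_if, out_if) -> (AP packets, AP flows). Returns one alert per
    interface pair that crosses any threshold, naming the most-targeted destination."""
    alerts = []
    for pair, s in table.items():
        ap_packets, ap_flows = baseline.get(pair, (0, 0))
        reasons = []
        if deviation(s.packets, ap_packets) > dev_threshold:
            reasons.append("packet deviation")
        if deviation(s.flows, ap_flows) > dev_threshold:
            reasons.append("flow deviation")
        if s.flows and s.short_lived / s.flows > short_ratio:
            reasons.append("short-lived flows")
        if s.flows and s.few_packets / s.flows > few_ratio:
            reasons.append("tiny flows")
        if not reasons:
            continue
        # The Dst-IP hash table is what turns "this link is anomalous" into "this host is the target".
        target, (_, target_flows) = max(s.per_dst.items(), key=lambda kv: kv[1][1])
        total = s.tcp_packets + s.udp_packets
        alerts.append({
            "pair": pair, "reasons": reasons, "target": target, "target_flows": target_flows,
            "tcp_pct": round(100.0 * s.tcp_packets / total, 1) if total else 0.0,
            "udp_pct": round(100.0 * s.udp_packets / total, 1) if total else 0.0,
        })
    return alerts


def sample_interval():
    """Constructed records for one interval on interface pair (1, 2): five ordinary
    UDP flows plus 300 one-packet, zero-length TCP flows from many sources to one host."""
    flows = [{"src_ip": f"192.0.2.{i}", "dst_ip": "198.51.100.20", "src_port": 40000 + i,
              "dst_port": 53, "proto": UDP, "input_if": 1, "output_if": 2,
              "packets": 100, "duration_ms": 5000} for i in range(1, 6)]
    for i in range(300):
        flows.append({"src_ip": f"203.0.113.{i % 250 + 1}", "dst_ip": "198.51.100.5",
                      "src_port": 1024 + i, "dst_port": 80, "proto": TCP,
                      "input_if": 1, "output_if": 2, "packets": 1, "duration_ms": 0})
    return flows


def run_example():
    baseline = {(1, 2): (10000, 200)}   # constructed averages from earlier intervals
    return detect(collect(sample_interval()), baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The constructed interval is worth a look because the packet-deviation metric alone stays silent on it: 800 packets against an average of 10000 is a drop, not a spike. It is the flow-shape metrics from slide (2), the share of zero-length and single-packet flows, that raise the alert, and the per-destination hash table then singles out the one host receiving 300 of the 305 flows. That is why the presentation keeps several metrics rather than one volume threshold.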

Attack Graphs

[Figure slide: the attack graphs are not reproduced in the transcript.]

Future Work
- More experiments
- Detection of worms
- Creation and testing of new metrics
- Usage of OpenEye as part of a Distributed Intrusion Detection System

Acknowledgements
- Panoptis
- GrNet
- NTUA NOC
- Netmode

Questions and Answers