Global Intrusion Detection Using Distribute Hash Table Jason Skicewicz, Laurence Berland, Yan Chen Northwestern University 6/2004.


Current Architecture
 Intrusion Detection Systems
  - Vulnerable to attack
  - Many false responses
  - Limited network view
  - Varying degrees of intelligence
 Centralized Data Aggregation
  - Generally done manually
  - Post-mortem global view
  - Not real time!

Sensor Fusion Centers
 Sensor fusion centers (SFC) aggregate information from sensors throughout the network
  - More global view
  - Larger information pool
  - Still vulnerable to attack
  - Overload potential if multiple simultaneous attacks
 Can’t we leverage all the participants?

Distributed Fusion Centers
 Different fusion centers for different anomalies
 An attacker must attack all fusion centers, or know more about fusion center assignments
 Still needs to be manually set up and routed to
 What if things were redundant and self-organizing?

What is DHT
 A DHT, or Distributed Hash Table, is a peer-to-peer system where the location of a resource or file is found by hashing on its key
 DHTs include CHORD, CAN, PASTRY, and TAPESTRY
 A DHT attempts to spread the keyspace across as many nodes as possible
 Different DHTs use different topologies

CAN  CAN is based on a multi-reality n- dimensional toroid for routing (Ratnasamy et al)

CAN  Each reality is a complete toroid, provides full redundancy  Network covers entire address space, dynamically splits space  Routes across the CAN, so you don’t need to connect directly to the Fusion Center

GIDS over DHT
 Fusion centers are organized on a distributed hash table
  - Peer-to-peer
  - Self-organized
  - Decentralized
  - Resilient
 We use Content Addressable Network (CAN)
  - Highly redundant
  - N-dimensional toroid enhances reachability

DIDS diagram
(Figure: the Internet with NIDS, host IDS, and a CAN peer-to-peer overlay. An infected machine sends a worm probe; the NIDS reports to the fusion center; the CAN directs the report to the fusion center; the IDS on the probed host also reports to the fusion center.)

Reporting Information
 Fusion centers need enough information to make reasonable decisions
 ID systems all have different proprietary reporting formats
 Fusion centers would be overloaded with data if full packet dumps were sent
 We need a concise, standardized format for reporting anomalies

Symptom Vector
 Standardized set of information reported to fusion centers
 Plugins for IDS could be written to produce these vectors and actually connect to the CAN
 Flexibility for reporting more details

Symptom Vector
 Payload: a descriptor of the actual packet payload. This is most useful for worms. Two choices we’ve considered so far are a hash of the contents, or the size in bytes
 Event_type: a code specifying an event type such as a worm probe or a SYN flood
 upper_limit and lower_limit: based on the event_type, two numerical fields available for the reporting IDS to provide more information

Payload Reporting
 Hash: a semi-unique string produced by performing mathematical transformations on the content
  - Uniquely identifies the content
  - Cannot easily be matched based on “similarity”, so it’s hard to spot polymorphic worms
 Size: the number of bytes the worm takes up
  - Non-unique: two worms could be of the same size, though we’re doing research to see how often that actually occurs
  - Much easier to spot polymorphism: simple changes cause no or only small changes in size

Routing Information
 A DHT is traditionally a peer-to-peer file sharing network
  - Locates content based on name, hash, etc.
  - Not traditionally used to locate resources
 We develop a routing vector in place of traditional DHT addressing methods, and use it to locate the appropriate fusion center(s)

Routing Vector
 Based on the anomaly type
 Generalized to ensure similar anomalies go to the same fusion center, while disparate anomalies are distributed across the network for better resource allocation
 Worm routing vector:

Routing Vector
 The worm routing vector avoids using less relevant fields such as source port or IP addresses
 Designed to use only information that will be fairly consistent across any given worm
 Used to locate the fusion center, which receives the full symptom vector for detailed analysis

Size and the boundary problem
 Assume a CAN with several nodes. Each is allocated a range of sizes, say in blocks of 1000 bytes.
 Assume node A has range and node B has range
 If a polymorphic worm has size ranging between 4980 and 5080, the information is split across the two nodes
 Solution? Have information sent across the boundary. Node A sends copies of anything with size >4900 to node B, and node B sends copies of anything with size <5100 to node A
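The following is an added example, not code from the original slides or from the Northwestern project: a small Python model of the symptom vector, the worm routing vector (which drops source IP and port), both payload descriptors from the Payload Reporting slide, and a one-dimensional stand-in for the CAN in which each node owns a 1000-byte block of payload sizes and applies the boundary rule above (copies of sizes >4900 go to the next node, copies of sizes <5100 go to the previous one). The field names follow the slides; the class names, the 100-byte overlap constant, the SHA-256 choice for the hash descriptor, and the constructed "worm" payloads are assumptions.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

BLOCK = 1000    # each node owns a block of payload sizes, as on the slides
OVERLAP = 100   # assumed boundary overlap: 5000 - 4900 = 5100 - 5000 = 100 bytes


@dataclass(frozen=True)
class SymptomVector:
    """Standardized report an IDS sends to a fusion center (field names from the slides)."""
    event_type: str        # e.g. "worm_probe" or "syn_flood"
    payload_hash: str      # payload descriptor choice 1: hash of the contents
    payload_size: int      # payload descriptor choice 2: size in bytes
    lower_limit: int = 0   # event_type specific numeric fields
    upper_limit: int = 0
    src_ip: str = ""       # kept in the symptom vector, deliberately absent from the routing vector
    src_port: int = 0


def describe_payload(payload: bytes) -> tuple[str, int]:
    """Both payload descriptors discussed on the slides; SHA-256 is an assumed hash choice."""
    return hashlib.sha256(payload).hexdigest(), len(payload)


def routing_vector(sv: SymptomVector) -> tuple[str, int]:
    """Worm routing vector: only fields that stay consistent across copies of one worm.
    Source IP/port are omitted so every instance of a worm routes to the same fusion center."""
    return (sv.event_type, sv.payload_size // BLOCK)


class SizeRangeCAN:
    """Toy 1-D stand-in for the CAN (assumed): node i owns sizes [i*BLOCK, (i+1)*BLOCK)."""

    def __init__(self, n_nodes: int, overlap: int = OVERLAP):
        self.n = n_nodes
        self.overlap = overlap
        self.fusion_centers = defaultdict(list)  # node index -> symptom vectors received

    def route(self, sv: SymptomVector) -> list[int]:
        """Deliver sv to its owning node, plus the neighbour when it lies in the boundary zone."""
        _, block = routing_vector(sv)
        owner = min(block, self.n - 1)
        offset = sv.payload_size - owner * BLOCK      # position inside the owner's block
        targets = [owner]
        if offset > BLOCK - self.overlap and owner + 1 < self.n:   # e.g. size > 4900 -> node B
            targets.append(owner + 1)
        if offset < self.overlap and owner > 0:                     # e.g. size < 5100 -> node A
            targets.append(owner - 1)
        for node in targets:
            self.fusion_centers[node].append(sv)
        return targets


def polymorphic_demo(overlap: int = OVERLAP) -> dict:
    """Constructed polymorphic worm: same core, varying padding, sizes 4980..5080 as on the slide.
    Returns how many distinct hashes were seen and which nodes received every variant."""
    core = b"CONSTRUCTED-WORM-CORE"                 # constructed sample, not a real worm
    sizes = list(range(4980, 5081, 20))            # 4980, 5000, ..., 5080 (6 variants)
    can = SizeRangeCAN(n_nodes=10, overlap=overlap)
    hashes = set()
    for size in sizes:
        payload = core + b"\x90" * (size - len(core))
        digest, n_bytes = describe_payload(payload)
        hashes.add(digest)
        sv = SymptomVector("worm_probe", digest, n_bytes, src_ip=f"192.0.2.{size % 250}")
        can.route(sv)
    complete = [node for node, svs in can.fusion_centers.items() if len(svs) == len(sizes)]
    return {"distinct_hashes": len(hashes), "variants": len(sizes), "nodes_with_all": complete}


if __name__ == "__main__":
    print("with boundary overlap:", polymorphic_demo())
    print("without overlap:      ", polymorphic_demo(overlap=0))
```

With the overlap rule, both node 4 (sizes 4000-4999) and node 5 (sizes 5000-5999) receive all six variants, whereas with `overlap=0` no node sees the complete picture. The six payloads hash to six different values but stay within 100 bytes of each other, which is the hash-versus-size trade-off the Payload Reporting slide describes.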

To DHT or not to DHT
 DHT automatically organizes everything for us
 DHT ensures anomalies are somewhat spread out across the network
 DHT routes in real time, without substantial prior knowledge of the anomaly
 DHT is redundant, making an attack against the sensor fusion center tricky at worst and impossible to coordinate at best

Simulating the system
 We build a simple array of nodes, and have them generate the symptom and routing vectors as they encounter anomalies
 Not yet complete, work in progress
 Demonstrates fusibility of information appropriately; non-interference of multiple simultaneous anomalies

Further Work
 Complete paper (duh)
 Add CAN to simulation to actually route
 Include real-world packet dumps in the simulation
 Test on more complex topologies?