SPYCE/May’04 coverage: A Cooperative Immunization System for an Untrusting Internet Kostas Anagnostakis University of Pennsylvania Joint work with: Michael.

Slides:

Advertisements

Similar presentations

Supporting Cooperative Caching in Disruption Tolerant Networks

Advertisements

Nicholas Weaver Vern Paxson Stuart Staniford UC Berkeley ICIR

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Sungwon Yi, Xidong Deng, George Kesidis, and Chita R. Das Department of Computer Science and Engineering, The Pennsylvania State University Abstract Introduction.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Modeling Malware Spreading Dynamics Michele Garetto (Politecnico di Torino – Italy) Weibo Gong (University of Massachusetts – Amherst – MA) Don Towsley.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

The Connectivity and Fault-Tolerance of the Internet Topology

The Sybil Attack in Sensor Networks: Analysis & Defenses J. Newsome, E. Shi, D. Song and A. Perrig IPSN’04.

Highly-Resilient, Energy-Efficient Multipath Routing in Wireless Sensor Networks Computer Science Department, UCLA International Computer Science Institute,

The Evolving Threat of Internet Worms Jose Nazario, Arbor Networks.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

 Population: N=100,000  Scan rate  = 4000/sec, Initially infected: I 0 =10  Monitored IP space 2 20, Monitoring interval:  = 1 second Infected hosts.

 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.

1 Data Persistence in Large-scale Sensor Networks with Decentralized Fountain Codes Yunfeng Lin, Ben Liang, Baochun Li INFOCOM 2007.

Dynamic Tuning of the IEEE Protocol to Achieve a Theoretical Throughput Limit Frederico Calì, Marco Conti, and Enrico Gregori IEEE/ACM TRANSACTIONS.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.

DNA Research Group 1 Growth Codes: Maximizing Sensor Network Data Persistence Abhinav Kamra, Vishal Misra, Dan Rubenstein Department of Computer Science,

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

A General approach to MPLS Path Protection using Segments Ashish Gupta Ashish Gupta.

Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

The Sybil Attack in Sensor Networks: Analysis & Defenses James Newsome, Elaine Shi, Dawn Song, Adrian Perrig Presenter: Yi Xian.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Lecture 11 Intrusion Detection (cont)

EDUCAUSE Security 2006 Internet John Brown University.

© 2005 Prentice Hall14-1 Stumpf and Teague Object-Oriented Systems Analysis and Design with UML.

Tomo-gravity Yin ZhangMatthew Roughan Nick DuffieldAlbert Greenberg “A Northern NJ Research Lab” ACM.

Distributed Network Intrusion Detection An Immunological Approach Steven Hofmeyr Stephanie Forrest Patrik D’haeseleer Dept. of Computer Science University.

1. Introduction Generally Intrusion Detection Systems (IDSs), as special-purpose devices to detect network anomalies and attacks, are using two approaches.

Denial of Service A Brief Overview. Denial of Service Significance of DoS in Internet Security Low-Rate DoS Attacks – Timing and detection – Defense High-Rate,

MOBILE AD-HOC NETWORK(MANET) SECURITY VAMSI KRISHNA KANURI NAGA SWETHA DASARI RESHMA ARAVAPALLI.

BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.

Stamping out worms and other Internet pests Miguel Castro Microsoft Research.

Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.

Carleton University School of Computer Science Detecting Intra-enterprise Scanning Worms based on Address Resolution David Whyte, Paul van Oorschot, Evangelos.

A Review by Raghu Rangan WPI CS525 September 19, 2012 An Early Warning System Based on Reputation for Energy Control Systems.

DoWitcher: Effective Worm Detection and Containment in the Internet Core S. Ranjan et. al in INFOCOM 2007 Presented by: Sailesh Kumar.

Senior Project Ideas: Blind Communication & Internet Measurements Mehmet H. Gunes.

Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.

Modeling Worms: Two papers at Infocom 2003 Worms Programs that self propagate across the internet by exploiting the security flaws in widely used services.

(CISCO) Self-Defending Networks Ben Sangster. Agenda (CISCO) Self-Defending Network Concept Why do we need SDN’s? Foundation of the CSDN? Endpoint Protection.

Detecting Targeted Attacks Using Shadow Honeypots Authors: K.G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A.D. Keromytis Published:

IEEE Communications Surveys & Tutorials 1st Quarter 2008.

Adapted from the original presentation made by the authors Reputation-based Framework for High Integrity Sensor Networks.

Scenario: Internet Attack Eunice Huang. What is DDoS? A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to.

Communication Paradigm for Sensor Networks Sensor Networks Sensor Networks Directed Diffusion Directed Diffusion SPIN SPIN Ishan Banerjee

Stamping out worms and other Internet pests Miguel Castro Microsoft Research.

1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.

CINBAD CERN/HP ProCurve Joint Project on Networking 26 May 2009 Ryszard Erazm Jurga - CERN Milosz Marian Hulboj - CERN.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore, Colleen Shannon, Geoffrey M.Voelker, Stefan Savage University of California,

Interconnect simulation. Different levels for Evaluating an architecture Numerical models – Mathematic formulations to obtain performance characteristics.

1 On the Performance of Internet Worm Scanning Strategies Authors: Cliff C. Zou, Don Towsley, Weibo Gong Publication: Journal of Performance Evaluation,

Conficker Update John Crain. What is Conficker? An Internet worm  Malicious code that is self-replicating and distributed over a network A blended threat.

A Trust Based Distributed Kalman Filtering Approach for Mode Estimation in Power Systems Tao Jiang, Ion Matei and John S. Baras Institute for Systems Research.

1 Very Fast containment of Scanning Worms By: Artur Zak Modified by: David Allen Nicholas Weaver Stuart Staniford Vern Paxson ICSI Nevis Netowrks ICSI.

Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.

LOBSTER: Large Scale Monitoring of Broadband Internet Infrastructure Evangelos Markatos The LOBSTER Consortium Institute.

Research Direction Advisor: Frank,Yeong-Sung Lin Presented by Jia-Ling Pan 2010/10/211NTUIM OPLAB.

Main Theme: Diffuse Computing Managing and maintaining a computational infrastucture, distributed among many heterogeneous nodes that do not trust each.

1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.

Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.

MITRE 7 April 2009 CS 5214 Presenter: Phu-Gui Feng Performance Analysis of Distributed IDS Protocols for Mobile GCS Dr. Jin-Hee Cho, Dr. Ing-Ray Chen MITRE.

IHP Im Technologiepark Frankfurt (Oder) Germany IHP Im Technologiepark Frankfurt (Oder) Germany ©

Antivirus Software Technology By Mitchell Zell. Intro  Computers are vulnerable to attack  Most common type of attack is Malware  Short for malicious.

Internet Quarantine: Requirements for Containing Self-Propagating Code

A Straightforward Path Routing in Wireless Ad Hoc Sensor Networks

Northwestern Lab for Internet and Security Technology (LIST) Yan Chen Department of Computer Science Northwestern University.

Modeling, Early Detection, and Mitigation of Internet Worm Attacks

Introduction to Internet Worm

Presentation transcript:

SPYCE/May’04 coverage: A Cooperative Immunization System for an Untrusting Internet Kostas Anagnostakis University of Pennsylvania Joint work with: Michael Greenwald, UPenn, Angelos Keromytis - Columbia Partially supported by the CIP/SW URI "Software Quality and Infrastructure Protection for Diffuse Computing" through ONR grant N

SPYCE/May’04 Overview Goal: detect and react to large-scale worm attacks –All sorts of worms including “day-zero” –Minimize infection and cost of false alarms Problems: –Detection uncertainty: false positives vs. false negatives –Reaction cost: quarantine infrastructure, service disruption –Limited resources: detection & quarantine Basic idea: –Cooperative distributed system of sensors, sharing alert and infection information –Distributed algorithm: coverage –Assumes faulty, malicious sensors –Basic design principle: “trust, but verify” 1

SPYCE/May’04 System model Router/COVERAGE Network domain/ “neighborhoods” hosts Enterprise net/LAN Router can scan, filter worms directed to and from hosts Limited scan/filter budget Router Nodes exchange alert/ infection reports with random “local” (high-rate) and “remote” (low-rate) nodes

SPYCE/May’04 COVERAGE: communication Nodes periodically exchange reports: Low-rate exchanges with random “remote” sensors High-rate exchanges with “local” sensors Reports contain (for each worm): Is node infected? Is node scanning/filtering? # infected nodes seen # scanning nodes seen # infected nodes others reported # scanning nodes others reported Update local state based on reports: Trust “pull” more than “push” “local” “direct” “remote”

SPYCE/May’04 COVERAGE: estimation Virus model: –Infection growth rate a –Fraction of infected hosts p For each virus, coverage maintains history of: –Fraction of scanning nodes N –Fraction of infected hosts p History is used to compute: –Infection growth  based on p –Virulence v based on p and 

SPYCE/May’04 COVERAGE: reaction In regular intervals, a node adapts its behavior as follows. For every virus, in decreasing order of virulence v : –Activate scanning/filtering if N p Keep COVERAGE “ahead” of the infection Avoid overreacting to false or malicious alerts –Activate if N min with probability (N-min) Always keep a minimum fraction of nodes active –Adapt remote polling rate to v If there is some indication of a virus outbreak, but not sufficient evidence to start scanning, poll remote nodes more aggressively.

SPYCE/May’04 Simulation study Network model: –Full mesh network topology –100,000 routers – 8 nodes on LAN –2000 “domains” with 50 routers each –Single worm Metrics of interest: –Max. infection, false alarm cost Comparison with naïve alert broadcast algorithm [NRL03]

SPYCE/May’04 Example: reaction to worm attack COVERAGE reacts fast, even for highly virulent “Warhol”-type worms. Secondary outbreak attempts are likely, but can be successfully contained.

SPYCE/May’04 Worm response performance 2-4% seems sufficient for most worms but very-high-virulence worms may need higher level of idle-scanning. Min-level of scanning should be configured according to perceived risk Most worms can be contained to under 8% infection, but highly virulent worms may spread to a higher fraction of nodes. Need to increase communication rate to improve containment performance. Slower worms sometimes harder to contain especially as we increase communication cost - response is sometimes better when there are less accurate virulence estimates!

SPYCE/May’04 Naïve approach collapses for >1% malicious nodes – 90% of the nodes are scanning for the wrong worm! Robustness to false alarms Impact of false alarms reasonable for up to 3% malicious nodes and most worms, but VERY hard to deal with highly virulent worms as % of malicious nodes increases COVERAGE communication cost peaks for 1% malicious nodes (unlike naïve approach where communication cost increases linearly with the % of malicious nodes *and* their alert generation rate)

SPYCE/May’04 Summary COVERAGE is a distributed cooperative worm defense mechanism –Main design issue is to respond quickly to worm attacks + tolerate a fair number of faulty or malicious participants –Basic idea is to carefully sample global state to validate claims made by individual participants Experimental results (preliminary): –It is possible to detect and react to worm attacks while not over-reacting to false alarms –There is a three-way trade-off between communication, false scanning, and max. infection

SPYCE/May’04 Ongoing work Detailed performance analysis: –More complex simulation scenarios with multiple worms, network vulnerability model, scanning vs. filtering, patching, etc. Tuning of algorithm: –Reduce communication cost –Pre-filter reports –Prelim. results show that better trade-off between reaction performance + resilience to attacks is possible Experiments with prototype (small-scale): –use combination of signature-based IDS, anomaly detection schemes, honeypots, etc.