Northwestern Lab for Internet & Security Technology (LIST) http://list.cs.northwestern.edu
Personnel
- Prof. Yan Chen
- Ph.D. students: Brian Chavez, Yan Gao, Zhichun Li, Yao Zhao
- M.S. students: Prasad Narayana, Leon Zhao
- Undergraduates: too many to be listed
Projects
- The High-Performance Network Anomaly/Intrusion Detection and Mitigation (HPNAIDM) System
- Overlay Network Monitoring and Diagnostics
- Adaptive Intrusion Detection and Mitigation Systems for WiMAX Networks
Our Theme
The Internet is becoming a new infrastructure for service delivery:
- World Wide Web
- VoIP
- Email
- Interactive TV?
Major challenges for Internet-scale services:
- Scalability: 600M users, 35M Web sites, 2.1 Tb/s
- Security: viruses, worms, Trojan horses, etc.
- Mobility: ubiquitous devices in phones, shoes, etc.
- Agility: dynamic systems/networks, congestion/failures
Battling Hackers is a Growth Industry!
- The past decade has seen an explosion in concern for the security of information
- Internet attacks are increasing in frequency, severity and sophistication
- Denial of service (DoS) attacks:
  - Cost $1.2 billion in 2000
  - Thousands of attacks per week in 2001
  - Yahoo, Amazon, eBay, Microsoft, the White House, etc., attacked
(Wall Street Journal, 11/10/2004)
Battling Hackers is a Growth Industry (cont'd)
- Viruses and worms are faster and more powerful
  - Melissa, Nimda, Code Red, Slammer, ...
  - Caused over $28 billion in economic losses in 2003, growing to more than $75 billion by 2007
  - Code Red (2001): infected >360K machines in 13 hours; $2.4 billion loss
  - Slammer (2003): infected >75K machines in 10 minutes; $1 billion loss
- Spyware is ubiquitous
  - 80% of Internet computers have spyware installed
The Spread of Sapphire/Slammer Worms
Current Intrusion Detection Systems (IDS)
- Mostly host-based and not scalable to high-speed networks
  - The Slammer worm infected 75,000 machines in less than 10 minutes
  - Host-based schemes are inefficient and user dependent: an IDS has to be installed on every user machine!
- Mostly signature-based
  - Cannot recognize unknown anomalies/intrusions: new viruses/worms, polymorphism
Current Intrusion Detection Systems (II)
- Statistical detection
  - Hard to adapt to traffic pattern changes
  - Unscalable for flow-level detection
  - The IDS itself is vulnerable to DoS attacks
  - Overall-traffic-based detection: inaccurate, high false positives
- Cannot differentiate malicious events from unintentional anomalies
  - Anomalies can be caused by network element faults, e.g., router misconfiguration
High-Performance Network Anomaly/Intrusion Detection and Mitigation System (HPNAIDM)
- Online traffic recording
  - Reversible sketch for data streaming computation
  - Records millions of flows (GBs of traffic) in a few hundred KB
  - Small number of memory accesses per packet
  - Scalable to large key spaces (2^32 or 2^64)
- Online sketch-based flow-level anomaly detection
  - Leverages statistical learning theory (SLT) to adaptively learn traffic pattern changes
  - As a first step, detects TCP SYN flooding, horizontal scans and vertical scans, even when mixed
HPNAIDM (II)
- Integrated approach for false positive reduction
  - Signature-based detection
  - Network element fault diagnostics
  - Traffic signature matching of emerging applications
- Infers key characteristics of malicious flows for mitigation
- HPNAIDM: the first flow-level intrusion detection that can sustain 10s of Gbps of bandwidth even for worst-case traffic of 40-byte packet streams
Reversible Sketch Based Anomaly Detection
Input stream: (key, update), e.g., (SIP, SYN - SYN/ACK)
Pipeline: (k, u) -> Sketch module -> Forecast module(s) -> Anomaly detection module (error sketch) -> Alarms
- Summarize the input stream using sketches
- Build forecast models on top of the sketches
- Compute an error sketch from the forecasts and report flows with large forecast errors
- Infer the (characteristic) key for mitigation
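The pipeline on this slide, written out as a runnable illustration. This is an added example, not the LIST project's code: the slide names the reversible sketch and a forecast model but does not fix their construction, so the modular hashing (each 8-bit word of the key hashed to a 5-bit piece, bucket index = concatenation), the EWMA forecast, the fixed error threshold, the parameters H, Q, W, B, R, the use of the 32-bit source IP as the key, and the traffic in `constructed_traffic()` are all assumptions made here. Each interval is summarized into H sketch rows, an error sketch (observed minus forecast) marks heavy buckets, and `reverse()` recovers the offending keys from the bucket indices without the sketch ever having stored a key.

```python
"""Sketch-based anomaly detection with a reversible sketch and a per-bucket forecast.
Added example, not the LIST project's code. Assumed (not from the slide): EWMA
forecasting, a fixed error threshold, 32-bit source-IP keys with modular hashing,
the parameters below, and the constructed traffic in constructed_traffic()."""
import ipaddress
import itertools
import random

H = 6            # independent hash functions (rows of the sketch)
Q, W = 4, 8      # a 32-bit key is split into Q words of W bits each
B = 5            # each word hashes to B bits; a bucket index has Q*B = 20 bits
R = 5            # report a key only if it lands in a heavy bucket in >= R of H rows
ALPHA = 0.5      # EWMA smoothing factor (assumed)
THRESHOLD = 50   # forecast error (SYN minus SYN/ACK) that makes a bucket "heavy" (assumed)
SCANNERS = ["203.0.113.7", "198.51.100.99"]   # constructed attacker addresses
WORD_MASK, PIECE_MASK = (1 << W) - 1, (1 << B) - 1


def ip_key(ip):
    """Dotted-quad source IP -> 32-bit sketch key."""
    return int(ipaddress.IPv4Address(ip))


class ReversibleSketchDetector:
    def __init__(self, seed=7):
        rng = random.Random(seed)
        # Modular hashing: per (row, word position) a table maps a W-bit word to a
        # B-bit piece; the bucket index is the concatenation of the Q pieces. This is
        # what makes the sketch reversible without storing any keys.
        self.tables = [[[rng.randrange(1 << B) for _ in range(1 << W)]
                        for _ in range(Q)] for _ in range(H)]
        self.forecast = [{} for _ in range(H)]   # per row: bucket -> EWMA forecast

    def index(self, h, key):
        idx = 0
        for q in range(Q):
            idx = (idx << B) | self.tables[h][q][(key >> (q * W)) & WORD_MASK]
        return idx

    def summarize(self, updates):
        """Sketch one interval of (key, value) updates: H bucket increments per update."""
        rows = [{} for _ in range(H)]
        for key, value in updates:
            for h in range(H):
                idx = self.index(h, key)
                rows[h][idx] = rows[h].get(idx, 0) + value
        return rows

    def detect_interval(self, updates):
        """Observed sketch minus forecast sketch = error sketch; heavy buckets are reversed."""
        observed = self.summarize(updates)
        heavy = []
        for h in range(H):
            fc, heavy_h = self.forecast[h], set()
            for idx in set(observed[h]) | set(fc):
                obs, prev = observed[h].get(idx, 0), fc.get(idx, 0.0)
                if obs - prev > THRESHOLD:          # error sketch entry above threshold
                    heavy_h.add(idx)
                fc[idx] = ALPHA * obs + (1 - ALPHA) * prev   # advance the forecast
            heavy.append(heavy_h)
        return self.reverse(heavy)

    def reverse(self, heavy):
        """Recover keys from heavy bucket indices, one word position at a time."""
        candidates = []
        for q in range(Q):
            shift, votes = (Q - 1 - q) * B, {}
            for h in range(H):
                pieces = {(idx >> shift) & PIECE_MASK for idx in heavy[h]}
                for word in range(1 << W):
                    if self.tables[h][q][word] in pieces:
                        votes[word] = votes.get(word, 0) + 1
            candidates.append([w for w, v in votes.items() if v >= R])
        keys = set()
        for combo in itertools.product(*candidates):   # few survivors per position
            key = sum(w << (q * W) for q, w in enumerate(combo))
            if sum(self.index(h, key) in heavy[h] for h in range(H)) >= R:
                keys.add(key)
        return keys


def constructed_traffic(seed=3, intervals=4, attack_interval=2):
    """Constructed (key, SYN - SYN/ACK) updates per interval: 300 benign sources whose
    SYNs are answered (net 0 or 1), plus two scanners whose 200 SYNs each get no SYN/ACK."""
    rng = random.Random(seed)
    benign = [ip_key(f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}")
              for _ in range(300)]
    out = []
    for t in range(intervals):
        updates = []
        for src in benign:
            syns = rng.randrange(1, 4)
            updates += [(src, +1)] * syns                          # SYNs from src
            updates += [(src, -1)] * (syns - rng.randrange(0, 2))  # SYN/ACKs back to src
        if t == attack_interval:
            for ip in SCANNERS:
                updates += [(ip_key(ip), +1)] * 200
        out.append(updates)
    return out


def run_demo():
    """Per interval, the sorted list of source IPs that the heavy buckets reverse to."""
    det = ReversibleSketchDetector()
    return [sorted(str(ipaddress.IPv4Address(k)) for k in det.detect_interval(u))
            for u in constructed_traffic()]


if __name__ == "__main__":
    for t, found in enumerate(run_demo()):
        print(f"interval {t}: {found or 'no anomaly'}")
```

Only the two scanner addresses come back, and only in the interval in which they are active; in the following interval the EWMA forecast has absorbed the burst, so the same buckets produce a negative error and no alarm. The two-stage reversal (vote per word position across rows, then verify each surviving combination against the heavy buckets) is what keeps the candidate cross product small; with H = 6 and R = 5 a benign key that happens to share heavy pieces in most rows is vanishingly unlikely to be reported.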
Sketch-based Intrusion Detection
Attack type      | RS((DIP, Dport), SYN-SYN/ACK) | RS((SIP, DIP), SYN-SYN/ACK) | RS((SIP, Dport), SYN-SYN/ACK)
SYN flooding     | Yes                           | Yes                         | Yes
Vertical scans   | No                            | Yes                         | No
Horizontal scans | No                            | No                          | Yes
Intrusion Mitigation
Attack detected                                 | Mitigation
Denial of Service (DoS), e.g., TCP SYN flooding | SYN defender, SYN proxy, or SYN cookies for the victim
Port scans and worms                            | Ingress filtering with the attacker's IP
Vertical port scan                              | Quarantine the victim machine
Horizontal port scan                            | Monitor traffic with the same port number for compromised machines
Preliminary Evaluation
Evaluated with NU traces (239M flows, 1.8 TB of traffic/day)
- Scalable: can handle hundreds of millions of time series
- Accurate anomaly detection with sketches
  - Compared with detection using complete flow logs
  - Provable probabilistic accuracy guarantees
  - Even more accurate on real Internet traces
- Efficient, for the worst-case traffic of all 40-byte packets
  - 16 Gbps on a single FPGA board
  - 526 Mbps on a Pentium-IV 2.4 GHz PC
  - Less than 3 MB of memory used
Preliminary Evaluation (cont'd)
- 25 SYN flooding attacks, 936 horizontal scans and 19 vertical scans detected
- 17 out of 25 SYN flooding attacks verified with backscatter
  - Complete flow-level connection info used for backscatter
- Scans verified (all vertical scans; top and bottom 10 horizontal scans)
  - Unknown scans also found in DShield and other alert reports

Top 10 horizontal scans
Description         | Dport | count
Remote desktop scan | 3389  | 1
SQLSnake            | 1433  | 3
W32.Rahack          | 4899  | 2
unknown scan        | 3632  | 1
Scan SSH            | 22    | 1
unknown scan        | 10202 | 1
Proxy scan          | 8118  | 1

Bottom 10 horizontal scans
Description         | Dport | count
W32.Sasser.B.Worm   | 5554  | 1
Backdoor.CrashCool  | 9898  | 2
Unknown scan        | 42    | 1
VNC scan            | 5900  | 3
Unknown scan        | 6101  | 2
Scan SSH            | 22    | 1
Sponsors: Motorola, Department of Energy
Research Methodology & Collaborators
Combination of theory, synthetic/real trace-driven simulation, and real-world implementation and deployment