
Network-based Intrusion Detection, Prevention and Forensics System


1 Network-based Intrusion Detection, Prevention and Forensics System
Yan Chen, Department of Electrical Engineering and Computer Science, Northwestern University, Lab for Internet & Security Technology (LIST)

2 The Spread of Sapphire/Slammer Worms
In the first 30 minutes of Sapphire’s spread, we recorded nearly 75,000 unique infections. As we will detail later, most of these infections actually occurred within 10 minutes. This graphic is more for effect than for technical detail: we couldn’t determine a detailed location for all infections, and the diameter of each circle is proportional to the lg() of the number of infections, underrepresenting larger infections. Nevertheless, it gives a good feel for where Sapphire spread. We monitored the spread using several “Network Telescopes”, address ranges where we had sampled or complete packet traces at single sources. We also used the D-shield distributed intrusion detection system to determine IPs of infected machines, but we couldn’t use this data for calculating the scanning rate.

3 Current Intrusion Detection Systems (IDS)
- Mostly host-based and not scalable to high-speed networks
  - Slammer worm infected 75,000 machines in <10 mins
  - Host-based schemes inefficient and user dependent: have to install IDS on all user machines!
- Mostly simple signature-based
  - Cannot recognize unknown anomalies/intrusions: new viruses/worms, polymorphism

4 Current Intrusion Detection Systems (II)
- Cannot provide quality info for forensics or situational-aware analysis
  - Hard to differentiate malicious events from unintentional anomalies
  - Anomalies can be caused by network element faults (e.g., router misconfiguration, link failures) or application (such as P2P) misconfiguration
  - Cannot tell the situational-aware info: attack scope/target/strategy, attacker (botnet) size, etc.
- Statistical detection
  - Unscalable for flow-level detection; IDS vulnerable to DoS attacks
  - Overall-traffic based: inaccurate, high false positives

5 Network-based Intrusion Detection, Prevention, and Forensics System
- Online traffic recording [SIGCOMM IMC 2004, INFOCOM 2006, ToN to appear]
  - Reversible sketch for data streaming computation
  - Record millions of flows (GB traffic) in a few hundred KB
  - Small # of memory accesses per packet
  - Scalable to large key space size (2^32 or 2^64)
- Online sketch-based flow-level anomaly detection [IEEE ICDCS 2006] [IEEE CG&A, Security Visualization 06]
  - Adaptively learn the traffic pattern changes
  - As a first step, detect TCP SYN flooding, horizontal and vertical scans even when mixed
- Online stealthy spreader (botnet scan) detection [IWQoS 2007]
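As an added example (not the authors' reversible sketch or any LIST code): a count-min sketch that records SYN and SYN/ACK counts per destination IP in fixed memory with a handful of memory accesses per packet, then flags destinations whose unanswered-SYN balance jumps between two intervals, which is the heavy-change signal behind the SYN-flooding detection listed above. The traffic is constructed, and the destination set is kept explicitly as an assumption, because a plain count-min sketch, unlike the reversible sketch on this slide, cannot recover keys from the sketch alone.

```python
import hashlib

# Constructed sample traffic: (dst_ip, tcp_flag) records for one measurement interval.
# BENIGN: every SYN to the two servers is answered with a SYN/ACK.
# FLOOD: same background plus 60 half-open SYNs to 192.0.2.20 that get no SYN/ACK.
BENIGN = ([("192.0.2.10", "SYN"), ("192.0.2.10", "SYNACK")] * 20
          + [("192.0.2.11", "SYN"), ("192.0.2.11", "SYNACK")] * 5)
FLOOD = BENIGN + [("192.0.2.20", "SYN")] * 60

class CountMin:
    """Count-min sketch: depth x width counters, `depth` memory accesses per packet,
    memory independent of the number of distinct keys (here destination IPs)."""
    def __init__(self, depth=4, width=1024):
        self.depth, self.width = depth, width
        self.rows = [[0] * width for _ in range(depth)]

    def _col(self, key, r):
        # One keyed hash per row; the per-row salt makes the rows independent.
        h = hashlib.blake2b(key.encode(), digest_size=4, salt=bytes([r]))
        return int.from_bytes(h.digest(), "big") % self.width

    def add(self, key, n=1):
        for r in range(self.depth):
            self.rows[r][self._col(key, r)] += n

    def estimate(self, key):
        # Collisions only inflate counters, so the smallest row value is the best estimate.
        return min(self.rows[r][self._col(key, r)] for r in range(self.depth))

def record_interval(flows, depth=4, width=1024):
    """One interval as two sketches (SYN and SYN/ACK counts per destination) plus the
    destination set.  Assumption: the reversible sketch recovers that set from the
    sketch itself; this plain count-min sketch cannot, so it is kept explicitly."""
    syn, ack, keys = CountMin(depth, width), CountMin(depth, width), set()
    for dst, flag in flows:
        (syn if flag == "SYN" else ack).add(dst)
        keys.add(dst)
    return syn, ack, keys

def heavy_changes(prev, cur, threshold):
    """Destinations whose (SYN - SYN/ACK) estimate grew by more than `threshold`
    since the previous interval: a jump means SYNs that are not being answered."""
    p_syn, p_ack, p_keys = prev
    c_syn, c_ack, c_keys = cur
    flagged = {}
    for dst in p_keys | c_keys:
        before = p_syn.estimate(dst) - p_ack.estimate(dst)
        now = c_syn.estimate(dst) - c_ack.estimate(dst)
        if now - before > threshold:
            flagged[dst] = now - before
    return flagged
```

Comparing `record_interval(BENIGN)` against `record_interval(FLOOD)` with a threshold of 10 flags only 192.0.2.20, with a balance change of 60; the benign servers stay at zero because each of their SYNs is matched by a SYN/ACK.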

6 Network-based Intrusion Detection, Prevention, and Forensics System (II)
- Polymorphic worm signature generation & detection [IEEE Symposium on Security and Privacy 2006] [IEEE ICNP 2007 to appear]
- Accurate network diagnostics [ACM SIGCOMM 2006] [IEEE INFOCOM 2007]
- Scalable distributed intrusion alert fusion w/ DHT [SIGCOMM Workshop on Large Scale Attack Defense 2006]
- Large-scale botnet and P2P misconfiguration event forensics [work in progress]

7 System Deployment
- Attached to a router/switch as a black box
- Edge network detection particularly powerful
[Figure: three deployment configurations, (a) the original configuration and (b), (c) with the RAND system / HPNAIDM attached; elements shown: Router, LAN, Internet, Switch, scan port, Splitter; captions: "Monitor each port separately", "Monitor aggregated traffic from all ports".]

8 Northwestern Lab for Internet and Security Technology (LIST)
Sponsors for LIST:
- Department of Energy (Early CAREER Award)
- Air Force Office of Scientific Research (Young Investigator Award)
- National Science Foundation
- Microsoft Research
- Motorola Inc.
Additional industry collaborators:
- SANS (SysAdmin, Audit, Network, Security) Institute
- AT&T Labs

9 Team of LIST
- Prof. Bin Liu from Tsinghua Univ., partially supported as an Eshbach Scholar of Northwestern University
- Jiazhen Chen (M.S. student)
- Kai Chen (Ph.D. student)
- Anup Goyal (Ph.D. student)
- Zhichun Li (Ph.D. student)
- Ying He (visiting Ph.D. student)
- Chengchen Hu (visiting Ph.D. student)
- Rahul Potharaju (M.S. student)
- Sagar Vemuri (M.S. student)
- Gao Xia (visiting Ph.D. student from Tsinghua University)
- Yao Zhao (Ph.D. student)
- Yanmei Zhang (visiting Ph.D. student)
- Zhaosheng Zhu (Ph.D. student)

10 ? ? ?

