Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network-based Intrusion Detection, Prevention and Forensics System

Published byCornelius Park Modified over 6 years ago

Similar presentations

Presentation on theme: "Network-based Intrusion Detection, Prevention and Forensics System"— Presentation transcript:

1 Network-based Intrusion Detection, Prevention and Forensics System
Yan Chen Department of Electrical Engineering and Computer Science Northwestern University Lab for Internet & Security Technology (LIST)

2 The Spread of Sapphire/Slammer Worms
In the first 30 minutes of Sapphire’s spread, we recorded nearly 75,000 unique infections. As we will detail later, most of these infections actually occurred within 10 minutes. This graphic is more for effect rather than technical detail: We couldn’t determine a detailed location for all infections, and the diameter of each circle is proportional to the lg() of the number of infections, underrepresenting larger infections. Nevertheless, it gives a good feel for where Sapphire spread. We monitored the spread using several “Network Telescopes”, address ranges where we had sampled or complete packet traces at single sources. We also used the D-shield distributed intrusion detection system to determine IPs of infected machines, but we couldn’t use this data for calculating the scanning rate.

3 Current Intrusion Detection Systems (IDS)
Mostly host-based and not scalable to high-speed networks Slammer worm infected 75,000 machines in <10 mins Host-based schemes inefficient and user dependent Have to install IDS on all user machines ! Mostly simple signature-based Cannot recognize unknown anomalies/intrusions New viruses/worms, polymorphism

4 Current Intrusion Detection Systems (II)
Cannot provide quality info for forensics or situational-aware analysis Hard to differentiate malicious events with unintentional anomalies Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration Cannot tell the situational-aware info: attack scope/target/strategy, attacker (botnet) size, etc. Statistical detection Unscalable for flow-level detection IDS vulnerable to DoS attacks Overall traffic based: inaccurate, high false positives

5 Network-based Intrusion Detection, Prevention, and Forensics System
Online traffic recording [SIGCOMM IMC 2004, INFOCOM 2006, ToN to appear] Reversible sketch for data streaming computation Record millions of flows (GB traffic) in a few hundred KB Small # of memory access per packet Scalable to large key space size (232 or 264) Online sketch-based flow-level anomaly detection [IEEE ICDCS 2006] [IEEE CG&A, Security Visualization 06] Adaptively learn the traffic pattern changes As a first step, detect TCP SYN flooding, horizontal and vertical scans even when mixed Online stealthy spreader (botnet scan) detection [IWQoS 2007]

6 Network-based Intrusion Detection, Prevention, and Forensics System (II)
Polymorphic worm signature generation & detection [IEEE Symposium on Security and Privacy 2006] [IEEE ICNP 2007 to appear] Accurate network diagnostics [ACM SIGCOMM 2006] [IEEE INFOCOM 2007] Scalable distributed intrusion alert fusion w/ DHT [SIGCOMM Workshop on Large Scale Attack Defense 2006] Large-scale botnet and P2P misconfiguration event forensics [work in progress]

7 System Deployment Attached to a router/switch as a black box
Edge network detection particularly powerful Router LAN Internet Switch (a) (b) RAND system scan port Splitter (c) HPNAIDM Monitor each port separately Monitor aggregated traffic from all ports Original configuration

8 Northwestern Lab for Internet and Security Technology (LIST)
Sponsors for LIST: Department of Energy (Early CAREER Award) Air Force Office of Scientific Research (Young Investigator Award) National Science Foundation Microsoft Research Motorola Inc. Additional industry collaborators SANS(SysAdmin, Audit, Network, Security) Institute AT &T Labs

9 Team of LIST Prof. Bin Liu from Tsinghua Univ., partially supported as an Eshbach Scholar of Northwestern University Jiazhen Chen (M.S. student) Kai Chen (Ph.D. student) Anup Goyal (Ph.D. student) Zhichun Li (Ph. D. student) Ying He (visiting Ph.D. student) Chengchen Hu (visiting Ph.D. student) Rahul Potharaju (M.S. student) Sagar Vemuri (M.S. student) Gao Xia (visiting Ph.D. student from Tsinghua University) Yao Zhao (Ph.D. student) Yanmei Zhang (visiting Ph.D. student) Zhaosheng Zhu (Ph.D. student)

10 ? ? ?

Download ppt "Network-based Intrusion Detection, Prevention and Forensics System"

Similar presentations

1 Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Computer Science Northwestern University

1 Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Computer Science Northwestern University
Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University

Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University
High-Performance Network Anomaly/Intrusion Detection & Mitigation System (HPNAIDM) Yan Chen Department of Electrical Engineering and Computer Science Northwestern.

High-Performance Network Anomaly/Intrusion Detection & Mitigation System (HPNAIDM) Yan Chen Department of Electrical Engineering and Computer Science Northwestern.
1 Yan Chen Northwestern University Lab for Internet and Security Technology (LIST) in Northwestern.

1 Yan Chen Northwestern University Lab for Internet and Security Technology (LIST) in Northwestern.
High-Performance Network Anomaly/Intrusion Detection & Mitigation System (HPNAIDM) Yan Chen Department of Electrical Engineering and Computer Science Northwestern.

High-Performance Network Anomaly/Intrusion Detection & Mitigation System (HPNAIDM) Yan Chen Department of Electrical Engineering and Computer Science Northwestern.
1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.

1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,

Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,
Northwestern Lab for Internet and Security Technology (LIST) Yan Chen Router-based Anomaly/Intrusion Detection and Mitigation (RAIDM) Systems Scalable.

Northwestern Lab for Internet and Security Technology (LIST) Yan Chen Router-based Anomaly/Intrusion Detection and Mitigation (RAIDM) Systems Scalable.
Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.

Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.
Yan Chen, Hai Zhou Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University.

Yan Chen, Hai Zhou Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University.
High-Performance Network Anomaly/Intrusion Detection & Mitigation System (HPNAIDM) Zhichun Li Lab for Internet & Security Technology (LIST) Department.

High-Performance Network Anomaly/Intrusion Detection & Mitigation System (HPNAIDM) Zhichun Li Lab for Internet & Security Technology (LIST) Department.
Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.

Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.
High-Performance Network Anomaly/Intrusion Detection & Mitigation System (HPNAIDM) Yan Chen Lab for Internet & Security Technology (LIST) Department of.

High-Performance Network Anomaly/Intrusion Detection & Mitigation System (HPNAIDM) Yan Chen Lab for Internet & Security Technology (LIST) Department of.
A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks Yan Gao, Zhichun Li, Yan Chen Lab for Internet and Security Technology.

A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks Yan Gao, Zhichun Li, Yan Chen Lab for Internet and Security Technology.
1 Network Intrusion Detection and Mitigation Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Department of Computer Science Northwestern.

1 Network Intrusion Detection and Mitigation Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Department of Computer Science Northwestern.
What Learned Last Week Homework qn –What machine does the URL go to?

What Learned Last Week Homework qn –What machine does the URL go to?
Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts

Modeling/Detecting the Spread of Active Worms Lixin Gao Dept. Of Electrical & Computer Engineering Univ. of Massachusetts
Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,

Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,
High-Performance Network Anomaly/Intrusion Detection & Mitigation System (HPNAIDM) Yan Chen Department of Electrical Engineering and Computer Science Northwestern.

High-Performance Network Anomaly/Intrusion Detection & Mitigation System (HPNAIDM) Yan Chen Department of Electrical Engineering and Computer Science Northwestern.

Similar presentations

Ads by Google