Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Intrusion Detection and Mitigation

Published byTabitha Small Modified over 6 years ago

Similar presentations

Presentation on theme: "Network Intrusion Detection and Mitigation"— Presentation transcript:

1 Network Intrusion Detection and Mitigation
Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Department of Computer Science Northwestern University Morris Moore, vice president and director of Systems/Architecture, Wireless Broadband and Systems Group, Motorola Semiconductor Products Sector.

2 Our Theme Internet is becoming a new infrastructure for service delivery World wide web, VoIP Interactive TV? Major challenges for Internet-scale services Scalability: 600M users, 35M Web sites, 2.1Tb/s Security: viruses, worms, Trojan horses, etc. Mobility: ubiquitous devices in phones, shoes, etc. Agility: dynamic systems/network, congestions/failures Ossification: extremely hard to deploy new technology in the core

3 Battling Hackers is a Growth Industry!
--Wall Street Journal (11/10/2004) The past decade has seen an explosion in the concern for the security of information Internet attacks are increasing in frequency, severity and sophistication Denial of service (DoS) attacks Cost $1.2 billion in 2000 Thousands of attacks per week in 2001 Yahoo, Amazon, eBay, Microsoft, White House, etc., attacked 2.4 billion loss: Economic loss:

4 Battling Hackers is a Growth Industry (cont’d)
Virus and worms faster and powerful Melissa, Nimda, Code Red, Code Red II, Slammer … Cause over $28 billion in economic losses in 2003, growing to over $75 billion in economic losses by 2007. Code Red (2001): 13 hours infected >360K machines - $2.4 billion loss Slammer (2003): 10 minutes infected > 75K machines - $1 billion loss Spywares are ubiquitous 80% of Internet computers have spywares installed 2.4 billion loss: Economic loss:

5 The Spread of Sapphire/Slammer Worms
In the first 30 minutes of Sapphire’s spread, we recorded nearly 75,000 unique infections. As we will detail later, most of these infections actually occurred within 10 minutes. This graphic is more for effect rather than technical detail: We couldn’t determine a detailed location for all infections, and the diameter of each circle is proportional to the lg() of the number of infections, underrepresenting larger infections. Nevertheless, it gives a good feel for where Sapphire spread. We monitored the spread using several “Network Telescopes”, address ranges where we had sampled or complete packet traces at single sources. We also used the D-shield distributed intrusion detection system to determine IPs of infected machines, but we couldn’t use this data for calculating the scanning rate.

6 How can it affect cell phones?
Cabir worm can infect a cell phone Infect phones running Symbian OS Started in Philippines at the end of 2004, surfaced in Asia, Latin America, Europe, and recently in US Posing as a security management utility Once infected, propagate itself to other phones via Bluetooth wireless connections Symbian officials said security was a high priority of the latest software, Symbian OS Version 9. With ubiquitous Internet connections, more severe viruses/worms for mobile devices will happen soon … Symbian OS: the mobile OS provider

7 The Current Internet: Connectivity and Processing
Access Networks Cable Modem LAN Premises- based WLAN Operator- Core Networks Transit Net Private Peering NAP Public Peering H.323 Data RAS Analog DSLAM The ISP likely has banks of many modems multiplexed onto a high capacity telephone cable that transports a large number of phone calls simultaneously (such as a T1, E1, ISDN PRI, etc.). This requires a concentrator or "remote access server" (RAS). PSTN Regional Wireline Voice Cell

8 Current Intrusion Detection Systems (IDS)
Mostly host-based and not scalable to high-speed networks Slammer worm infected 75,000 machines in <10 mins Host-based schemes inefficient and user dependent Have to install IDS on all user machines ! Mostly signature-based Cannot recognize unknown anomalies/intrusions New viruses/worms, polymorphism

9 Current Intrusion Detection Systems (II)
Statistical detection Hard to adapt to traffic pattern changes Unscalable for flow-level detection IDS vulnerable to DoS attacks WiMAX, up to 134Mbps, 10 min traffic may take 4GB memory Overall traffic based: inaccurate, high false positives Cannot differentiate malicious events with unintentional anomalies Anomalies can be caused by network element faults E.g., router misconfiguration, signal interference of wireless network, etc.

10 Adaptive Intrusion Detection System for Wireless Networks (WAIDM)
Online traffic recording and analysis for high-speed WiMAX networks Leverage sketches for data streaming computation Record millions of flows (GB traffic) in a few Kilobytes Online adaptive flow-level anomaly/intrusion detection and mitigation Leverage statistical learning theory (SLT) adaptively learn the traffic pattern changes Use statistics from MIB of Access Point to understand the wireless network status E.g., busy vs. idle wireless networks, with different level of interferences, etc. Unsupervised learning without knowing ground truth

11 WAIDM Systems (II) Integrated approach for false positive reduction
Signature-based detection WiMAX network element fault diagnostics Traffic signature matching of emerging applications Hardware speedup for real-time detection Collaborated with Gokhan Memik (ECE of NU) Try various hardware platforms: FPGAs, network processors

12 WAIDM Deployment Attached to a switch connecting BS as a black box
Enable the early detection and mitigation of global scale attacks Highly ranked as “powerful and flexible" by the DARPA research agenda Users Internet Users WAIDM system Internet 802.16 scan 802.16 BS BS port Switch/ Switch/ BS controller BS controller 802.16 802.16 BS BS Users Users (a) Original configuration (b) WAIDM deployed

13 GRAID Sensor Architecture
Remote aggregated sketch records Sent out for aggregation Reversible k-ary sketch monitoring Part I Sketch-based monitoring & detection Normal flows Local sketch records Sketch based statistical anomaly detection (SSAD) Streaming packet data Keys of suspicious flows Filtering Keys of normal flows Statistical detection Signature-based detection Per-flow monitoring Network fault detection Part II Per-flow monitoring & detection Suspicious flows Traffic profile checking Intrusion or anomaly alarms to fusion centers Modules on the critical path Modules on the non-critical path Data path Control path

14 Scalable Traffic Monitoring and Analysis - Challenge
Potentially tens of millions of time series ! Need to work at very low aggregation level (e.g., IP level) Each access point (AP) can have 200 Mbps – a collection of APs can easily go up to 2-20 Gbps The Moore’s Law on traffic growth …  Per-flow analysis is too slow or too expensive Want to work in near real time The Nokia WCDMA Radio Network Controller is an integral part of the end-to-end Nokia Wideband Code Division Multiple Access (WCDMA) solution, efficiently supporting the multimedia applications enabled by 3G mobile networks. Capacity 48–196 Mbit/s (up to 2 cabinets)

15 Sketch-based Change Detection (ACM SIGCOMM IMC 2003, 2004)
Error Sketch Sketch module Forecast module(s) Change detection module (k,u) … Sketches Alarms Input stream: (key, update) Summarize input stream using sketches Build forecast models on top of sketches Report flows with large forecast errors

16 Evaluation of Reversible K-ary Sketch
Evaluated with tier-1 ISP trace and NU traces Scalable Can handle tens of millions of time series Accurate Provable probabilistic accuracy guarantees Even more accurate on real Internet traces Efficient For the worst case traffic, all 40 byte packets: 16 Gbps on a single FPGA board 526 Mbps on a Pentium-IV 2.4GHz PC Only less than 3MB memory used Patent filed Annopalis wildstar board

17 GRAID Sensor Architecture
Remote aggregated sketch records Sent out for aggregation Reversible k-ary sketch monitoring Part I Sketch-based monitoring & detection Normal flows Local sketch records Sketch based statistical anomaly detection (SSAD) Streaming packet data Keys of suspicious flows Filtering Keys of normal flows Statistical detection Signature-based detection Per-flow monitoring Network fault detection Part II Per-flow monitoring & detection Suspicious flows Traffic profile checking Intrusion or anomaly alarms to fusion centers Modules on the critical path Modules on the non-critical path Data path Control path

18 Current IDS Insufficient for Wireless Networks
Most existing IDS signature-based Especially for wireless networks Detect denial-of-service attacks caused by the WEP authentication vulnerability, e.g., Airespace Current statistical IDS has manually set parameters Cannot adapt to the traffic pattern changes However, wireless networks often have transient connections Hard to differentiate collisions, interference, and attacks

19 Statistical Anomaly/Intrusion Detection and Mitigation for Wireless Networks
Use statistics from MIB of AP to understand the current wireless network status Interference Detection MIB Group Retry count, FCS err count, Failed count … Intrusion Detection MIB Group Duplicate count, Authentication failure count, EAP negotiation failure count, Abnormal termination percentage … DoS Detection MIB Group Auth flood to BS, De-Auth flood to SS Automatically adapt to different learned profiles on observing status changes

20 Preliminary Algorithm
Collect MIBs Collect MIBs Process Interference Collision MIB Group Process Intrusion Detection MIB Group Process DoS MIB Group Process Interference Collision MIB Group Process Intrusion Detection MIB Group Process DoS MIB Group Inter Inter Intru Inter L H Intrusion L Intru H DoS DoS Interference H Interference H DoS Attack H DoS Attack H Intrusion

21 Intrusion Detection and Mitigation
Attacks detected Mitigation Denial of Service (DoS), e.g., TCP SYN flooding SYN defender, SYN proxy, or SYN cookie for victim Port Scan and worms Ingress filtering with attacker IP Vertical port scan Quarantine the victim machine Horizontal port scan Monitor traffic with the same port # for compromised machine Spywares Warn the end users being spied

22 GRAID Sensor Architecture
Remote aggregated sketch records Sent out for aggregation Reversible k-ary sketch monitoring Part I Sketch-based monitoring & detection Normal flows Local sketch records Sketch based statistical anomaly detection (SSAD) Streaming packet data Keys of suspicious flows Filtering Keys of normal flows SIGCOMM04 Statistical detection Signature-based detection Per-flow monitoring Network fault detection Part II Per-flow monitoring & detection Suspicious flows Traffic profile checking Intrusion or anomaly alarms to fusion centers Modules on the critical path Modules on the non-critical path Data path Control path

23 Research methodology Combination of theory, synthetic/real trace driven simulation, and real-world implementation and deployment SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989

24 Potential Collaborative Research Areas with Motorola
Wireless virus/worm detection Spyware detection Both by operators at infrastructure level (e.g., access point) Intrusion detection and mitigation for cellular network infrastructure Automatic attack responding and survival for Motorola infrastructure products

25 Thank You! More Questions?

Download ppt "Network Intrusion Detection and Mitigation"

Similar presentations

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
1 Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Computer Science Northwestern University

1 Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Computer Science Northwestern University
1 Yan Chen Northwestern University Lab for Internet and Security Technology (LIST) in Northwestern.

1 Yan Chen Northwestern University Lab for Internet and Security Technology (LIST) in Northwestern.
Northwestern Lab for Internet and Security Technology (LIST) Yan Chen Router-based Anomaly/Intrusion Detection and Mitigation (RAIDM) Systems Scalable.

Northwestern Lab for Internet and Security Technology (LIST) Yan Chen Router-based Anomaly/Intrusion Detection and Mitigation (RAIDM) Systems Scalable.
Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.

Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.
Welcome to EECS 354 Network Penetration and Security.

Welcome to EECS 354 Network Penetration and Security.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.

Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.
A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks Yan Gao, Zhichun Li, Yan Chen Lab for Internet and Security Technology.

A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks Yan Gao, Zhichun Li, Yan Chen Lab for Internet and Security Technology.
1 Network Intrusion Detection and Mitigation Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Department of Computer Science Northwestern.

1 Network Intrusion Detection and Mitigation Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Department of Computer Science Northwestern.
1 Networking and Security: Connecting Computers and Keeping Them Safe from Hackers and Viruses Networking fundamentals Network architecture Network components.

1 Networking and Security: Connecting Computers and Keeping Them Safe from Hackers and Viruses Networking fundamentals Network architecture Network components.
1 Towards Anomaly/Intrusion Detection and Mitigation on High-Speed Networks Yan Gao, Zhichun Li, Yan Chen Northwestern Lab for Internet and Security Technology.

1 Towards Anomaly/Intrusion Detection and Mitigation on High-Speed Networks Yan Gao, Zhichun Li, Yan Chen Northwestern Lab for Internet and Security Technology.
1 Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Computer Science Northwestern University

1 Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Computer Science Northwestern University
Towards a High speed Router based Anomaly/Intrusion detection System Yan Gao & Zhichun Li.

Towards a High speed Router based Anomaly/Intrusion detection System Yan Gao & Zhichun Li.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Data Centers and IP PBXs LAN Structures Private Clouds IP PBX Architecture IP PBX Hosting.

Data Centers and IP PBXs LAN Structures Private Clouds IP PBX Architecture IP PBX Hosting.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
1 Network-based Intrusion Detection, Mitigation and Forensics System Yan Chen Department of Electrical Engineering and Computer Science Northwestern University.

1 Network-based Intrusion Detection, Mitigation and Forensics System Yan Chen Department of Electrical Engineering and Computer Science Northwestern University.

Similar presentations

Ads by Google