Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enabling Dynamic Network Access Control with Anomaly-based IDS and SDN

Published byEvangeline Mosley Modified over 5 years ago

Similar presentations

Presentation on theme: "Enabling Dynamic Network Access Control with Anomaly-based IDS and SDN"— Presentation transcript:

1 Enabling Dynamic Network Access Control with Anomaly-based IDS and SDN
Hongda Li, Feng Wei, and Hongxin Hu SDN-NFV Security 2019

2 Outline Motivation Background Our Approach Case Study

3 Network Access Control with SDN
FlowGuard [HotSDN’14] Access Control Policies Dynamic Firewall [RAID’15] Virtual Firewall [NDSS’17] How to generate new ACP? Anomaly Unknown vulnerabilities Zero-day security threat

4 Existing Anomaly-based IDS
Semantic Gap Access Control Policies Uncover novel security threats Obscure outcome

5 Machine Learning Model Explanation
Outcome CAT DOG Input Predictor

6 Explanation Mechanisms
Whitebox Blackbox Black Box x y x1 xn y1 yn Global Explanation xi yi Local Explanation

7 Local & Blackbox Explanation
Local Approximation Explanation Logic 𝒑𝒓𝒆𝒅𝒊𝒄𝒕𝒐𝒓 e𝒍 e 𝒍 𝒙 Why 𝒙 is predicted as circle?

8 Approach Overview Anomaly-based IDS Outcome Explanator Policy
SDN Controller SDN Flow Rule Access Control Policy Anomaly-based IDS Mirrored Traffic Outcome Explanator AIDS Outcome Policy Generator Outcome Explanation SDN Switch

9 AIDS Outcome Explanation
Local Approximation Explanation Logic F(x) x Linear Regression 𝒙: (duration, proto_type, service, flag, src_byte, dst_byte, … ) FI: (97, , , , 95, , … ) Feature Importance

10 Access Control Policy Generation
<filers, actions> Selects network entities Defines action to take Networks; Hosts; Connections; Flows; Packets; Combination of above; Allow; Deny; Redirect; Quarantine; Mirror; 𝒙: (duration, proto_type, service, flag, src_byte, dst_byte, … ) FI: (97, , , , 95, , … ) Explanation

11 Case Study: AIDS Recurrent Neural Network (RNN) NSL-KDD dataset
Detect across multiple records NSL-KDD dataset 41 raw feature Keras + TensorFlow for implementation

12 Case Study: Outcome Explanation
Choose Neptune attack in dataset Extensive SYN error or SYN rejection Two records labeled as Neptune attack Explanation (Feature Importance) Record1: (0, tcp, private, S0, …, 255, 20, 0.08, 0.07, 0, 0, 1, 1, 0, 0) Record2: (0, tcp, imap4, REJ, …, 255, 17, 0.07, 0.07, 0, 0, 0, 0, 1, 1) Percentage of SYN Error Percentage of Rejection Error

13 Case Study: Policy Generation
Outcome Explanation <filters=(ip_proto=tcp, tcp_flags=syn, sip= , dip= ), actions=(drop)> Access Control Policy

14 Conclusion and Future Work
Explained the outcome of anomaly-based IDS Generated network access control policy according to the explanation Future work Better explanation that handles decency among records Policy generation process formalization More evaluation on realistic traffic and attacks

15 Hongda Li (hongdal@clemson.edu)
Q & A Hongda Li Thank you!

Download ppt "Enabling Dynamic Network Access Control with Anomaly-based IDS and SDN"

Similar presentations

Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.

Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Openflow App Security Chao SHI Stephen Duraski. Background Software-defined networking o Control plane abstraction o Abstract topology view o Abstraction.

Openflow App Security Chao SHI Stephen Duraski. Background Software-defined networking o Control plane abstraction o Abstract topology view o Abstraction.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.

Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.
Optical Ring Networks Research over MAC protocols for optical ring networks with packet switching. MAC protocols divide the ring bandwidth according to.

Optical Ring Networks Research over MAC protocols for optical ring networks with packet switching. MAC protocols divide the ring bandwidth according to.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park

Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park
1 Towards Anomaly/Intrusion Detection and Mitigation on High-Speed Networks Yan Gao, Zhichun Li, Yan Chen Northwestern Lab for Internet and Security Technology.

1 Towards Anomaly/Intrusion Detection and Mitigation on High-Speed Networks Yan Gao, Zhichun Li, Yan Chen Northwestern Lab for Internet and Security Technology.
1. Introduction Generally Intrusion Detection Systems (IDSs), as special-purpose devices to detect network anomalies and attacks, are using two approaches.

1. Introduction Generally Intrusion Detection Systems (IDSs), as special-purpose devices to detect network anomalies and attacks, are using two approaches.
IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.

IDS Mike O’Connor Eric Tallman Matt Yasiejko. Overview IDS defined IDS defined What it does What it does Sample logs Sample logs Why we need it Why we.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Where Are the Nuggets in System Audit Data? Wenke Lee College of Computing Georgia Institute of Technology.

Where Are the Nuggets in System Audit Data? Wenke Lee College of Computing Georgia Institute of Technology.
Chapter 6: Packet Filtering

Chapter 6: Packet Filtering
Network Intrusion Detection Using Random Forests Jiong Zhang Mohammad Zulkernine School of Computing Queen's University Kingston, Ontario, Canada.

Network Intrusion Detection Using Random Forests Jiong Zhang Mohammad Zulkernine School of Computing Queen's University Kingston, Ontario, Canada.
1 Selecting Features for Intrusion Detection: A Feature Relevance Analysis on KDD 99 Benchmark H. Güneş Kayacık Nur Zincir-Heywood Malcolm I. Heywood.

1 Selecting Features for Intrusion Detection: A Feature Relevance Analysis on KDD 99 Benchmark H. Güneş Kayacık Nur Zincir-Heywood Malcolm I. Heywood.
VeriFlow: Verifying Network-Wide Invariants in Real Time

VeriFlow: Verifying Network-Wide Invariants in Real Time
2016-5-261 SDN based Network Security Monitoring in Dynamic Cloud Networks Xiuzhen CHEN School of Information Security Engineering Shanghai Jiao Tong University,

SDN based Network Security Monitoring in Dynamic Cloud Networks Xiuzhen CHEN School of Information Security Engineering Shanghai Jiao Tong University,
INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.

INTERNATIONAL NETWORKS At Indiana University Hans Addleman TransPAC Engineer, International Networks University Information Technology Services Indiana.
Internetworking – What is internetworking? Connect multiple networks of one or more organizations into a large, uniform communication system. The resulting.

Internetworking – What is internetworking? Connect multiple networks of one or more organizations into a large, uniform communication system. The resulting.

Similar presentations

Ads by Google