Slide 1: Adaptive Intrusion Detection and Mitigation Systems for WiMAX Networks
Yan Chen
Northwestern Lab for Internet and Security Technology (LIST), Dept. of Computer Science, Northwestern University
http://list.cs.northwestern.edu
Motorola liaisons: Gregory W. Cox, Z. Judy Fu, Philip R. Roberts (Motorola Labs)
Slide 2: Battling Hackers is a Growth Industry!
- The past decade has seen an explosion in concern for the security of information
- Denial of service (DoS) attacks
  - Cost $1.2 billion in 2000
- Viruses and worms are faster and more powerful
  - Caused over $28 billion in economic losses in 2003, growing to over $75 billion in economic losses by 2007 (Wall Street Journal, 11/10/2004)
Slide 3: The Current Internet: Connectivity and Processing
[Network diagram. Access networks: cable modem, DSLAM, regional wireline, regional voice, cell, premises-based LAN and WLAN, operator-based WLAN, H.323 data, analog RAS, PSTN. Core networks: transit net, private peering, public peering NAP.]
Slide 4: Motivation
- Viruses/worms are moving into the wireless world
  - 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices
- IEEE 802.16 WiMAX networks are emerging
  - Predicted multi-billion dollar industry
  - No existing research or product tailored to 802.16 anomaly/intrusion detection and mitigation
- 802.16 IDS development can potentially lead to a critical gain in market share
  - All major WLAN vendors have integrated IDS into their products
  - Strategically important to lead the WiMAX product portfolio with security and troubleshooting capability
  - Simply buying off-the-shelf IDSes leaves a vendor blind to their limitations
Slide 5: Existing Intrusion Detection Systems (IDS) Are Insufficient
- Mostly host-based and not scalable to high-speed networks
  - The Slammer worm infected 75,000 machines in under 10 minutes
  - Host-based schemes are inefficient and user dependent
    - The IDS has to be installed on every user machine!
- Mostly signature-based
  - Cannot recognize unknown anomalies/intrusions
  - New viruses/worms, polymorphism
Slide 6: Current IDS Insufficient (II)
- Statistical detection
  - Hard to adapt to traffic pattern changes
  - Unscalable for flow-level detection
    - The IDS itself becomes vulnerable to DoS attacks
    - WiMAX runs at up to 134 Mbps; 10 minutes of traffic may take 4 GB of memory
  - Overall-traffic based: inaccurate, high false positives
    - Existing high-speed IDSes fall into this category
- Cannot differentiate malicious events from unintentional anomalies
  - Anomalies can be caused by network element faults
  - E.g., signal interference in a wireless network
Slide 7: Adaptive Intrusion Detection System for Wireless Networks (WAIDM)
- Online traffic recording and analysis for high-speed WiMAX networks
  - Leverage sketches for data streaming computation
  - Record millions of flows (GB of traffic) in a few kilobytes
- Online flow-level intrusion detection and mitigation
  - Leverage statistical learning theory (SLT) to adaptively learn traffic pattern changes
    - Successfully detected flow-level SYN flooding and various port scans in NU, LBL and Fermi network traces
  - Flow-level mitigation of attacks
  - Combined with 802.16-specific signature-based detection
    - Automatic polymorphic worm signature generation
Slide 8: WAIDM Systems (II)
- Anomaly diagnosis for false positive reduction
  - Use statistics from the base station MIB to understand the wireless network status
    - E.g., busy vs. idle wireless networks, with different levels of interference, etc.
    - Successfully experimented with 802.11 networks
  - Root cause analysis to diagnose link failures, routing misconfiguration, etc.
  - Useful for managing and troubleshooting WiMAX networks
Slide 9: WAIDM Deployment
- Attached as a black box to the switch connecting the base stations
- Enables early detection and mitigation of global-scale attacks
- Highly ranked as "powerful and flexible" by the DARPA research agenda
[Figure. (a) Original configuration: Internet, switch/BS controller, 802.16 BSs, users. (b) WAIDM deployed: the WAIDM system attached to the scan port of the switch/BS controller, with the 802.16 BSs and users unchanged.]
Slide 10: WAIDM Architecture
[Architecture diagram, reconstructed from its labels.]
Part I: Sketch-based monitoring and detection (modules on the critical path)
- Data path: streaming packet data -> reversible k-ary sketch monitoring -> filtering
- Local sketch records are sent out for aggregation; remote aggregated sketch records feed the sketch-based statistical anomaly detection (SSAD)
- Control path: SSAD returns keys of suspicious flows (to per-flow monitoring) and keys of normal flows (to filtering)
Part II: Per-flow monitoring and detection (modules on the non-critical path)
- Suspicious flows go to per-flow monitoring; normal flows pass through
- Per-flow modules: signature-based detection, traffic profile checking, statistical detection, network fault detection
- Output: intrusion or anomaly alarms to fusion centers
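Slides 7 and 10 describe the sketch-based path: per-key counters kept in a fixed, small amount of memory, with alarms raised on keys whose counts deviate from a forecast. The following is an added Python example, not WAIDM's code, that shows the mechanism on constructed traffic: a plain k-ary sketch (H rows x K buckets, signed counters, the standard median estimator), an EWMA forecast across time bins, and a SYN-minus-SYN/ACK count per server key so that a SYN flood appears as a large positive forecast error. The key format ("ip:port"), H=4, K=1024, alpha=0.5, the threshold and the traffic are all assumptions for the example. Unlike the reversible sketch in the deck, this sketch cannot recover the suspicious keys from the table itself, so the candidate keys to query are passed in explicitly.

```python
import hashlib
import statistics
import struct

# Constructed parameters for this example (not WAIDM's settings).
H, K = 4, 1024   # 4 rows x 1024 buckets = 4096 counters, independent of the number of flows


def _bucket(row, key):
    """Row-salted hash of the key into one of K buckets (one hash per row)."""
    digest = hashlib.sha256(struct.pack(">I", row) + key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % K


class KArySketch:
    """k-ary sketch: H rows of K signed counters; each key hits one bucket per row."""

    def __init__(self, table=None, total=0.0):
        self.table = table if table is not None else [[0.0] * K for _ in range(H)]
        self.total = total  # sum of all updates, needed by the estimator

    def update(self, key, value=1):
        self.total += value
        for row in range(H):
            self.table[row][_bucket(row, key)] += value

    def estimate(self, key):
        """Median over rows of the bias-corrected bucket value."""
        per_row = []
        for row in range(H):
            b = self.table[row][_bucket(row, key)]
            per_row.append((b - self.total / K) / (1 - 1 / K))
        return statistics.median(per_row)

    def combine(self, other, a, b):
        """Linear combination a*self + b*other, bucket by bucket (sketches are linear)."""
        table = [[a * x + b * y for x, y in zip(r1, r2)]
                 for r1, r2 in zip(self.table, other.table)]
        return KArySketch(table, a * self.total + b * other.total)


def sketch_interval(packets):
    """Net unanswered SYNs per server key ('ip:port') within one time bin.
    packets are (flags, src, dst) tuples: a SYN adds 1 to the destination key,
    the server's SYN/ACK subtracts 1 from its own (source) key."""
    s = KArySketch()
    for flags, src, dst in packets:
        if flags == "SYN":
            s.update(dst, 1)
        elif flags == "SYN/ACK":
            s.update(src, -1)
    return s


def detect_syn_flood(intervals, candidates, alpha=0.5, threshold=100.0):
    """EWMA forecast per bucket; alarm on candidate keys whose forecast error
    exceeds the threshold. Returns {interval_index: [(key, rounded_error), ...]}."""
    alarms = {}
    forecast = None
    for t, packets in enumerate(intervals):
        observed = sketch_interval(packets)
        if forecast is None:
            forecast = observed          # the first bin seeds the forecast
            continue
        error = observed.combine(forecast, 1, -1)
        hits = [(k, round(error.estimate(k))) for k in candidates
                if error.estimate(k) > threshold]
        if hits:
            alarms[t] = hits
        forecast = observed.combine(forecast, alpha, 1 - alpha)
    return alarms


def make_traffic():
    """Constructed traffic: three normal bins, then a bin with a 500-SYN flood."""
    web, dns = "10.0.0.5:80", "10.0.0.9:53"

    def normal_bin():
        pkts = []
        for i in range(20):
            client = f"192.168.1.{i}:{50000 + i}"
            pkts += [("SYN", client, web), ("SYN/ACK", web, client)]
            pkts += [("SYN", client, dns), ("SYN/ACK", dns, client)]
        pkts += [("SYN", "192.168.1.200:40000", web)] * 3   # a few unanswered SYNs are normal
        return pkts

    flood = [("SYN", f"203.0.113.{i % 250}:{1024 + i}", web) for i in range(500)]
    return [normal_bin(), normal_bin(), normal_bin(), normal_bin() + flood]


if __name__ == "__main__":
    print(detect_syn_flood(make_traffic(), ["10.0.0.5:80", "10.0.0.9:53"]))
```

Because the sketch is linear, the forecast and the error are themselves sketches built by bucket-wise arithmetic, so the detector never stores per-flow state; memory is fixed by H and K regardless of how many flows arrive, which is what makes the approach resistant to the state-exhaustion DoS against the IDS mentioned in slide 6.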
Slide 11: Intrusion Mitigation

Attack detected                                   Mitigation
Denial of Service (DoS), e.g., TCP SYN flooding   SYN defender, SYN proxy, or SYN cookie for the victim
Port scans and worms                              Ingress filtering on the attacker IP
Vertical port scan                                Quarantine the victim machine
Horizontal port scan                              Monitor traffic with the same port # for compromised machines
Spyware                                           Warn the end users being spied on
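The first row of the table lists SYN cookies as a mitigation for SYN flooding. The following is an added Python example, not from the deck, showing both sides of the exchange: the server encodes everything it needs into the 32-bit initial sequence number of its SYN/ACK and keeps no half-open connection state, then validates the value echoed back in the client's ACK. The bit layout (5-bit 64-second counter, 25-bit truncated HMAC, 2-bit MSS index), the MSS table, the acceptance window of two ticks and the sample addresses are assumptions for this example and do not reproduce any particular stack's exact format.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed cookie layout for this example (not any real TCP stack's exact format):
# bits 31..27: time counter in 64-second ticks; bits 26..2: truncated HMAC;
# bits 1..0: index into MSS_TABLE. The MSS index is covered by the HMAC.
MSS_TABLE = (536, 1220, 1440, 1460)
COUNTER_BITS, MSS_BITS = 5, 2
MAC_BITS = 32 - COUNTER_BITS - MSS_BITS
MAX_AGE_TICKS = 2          # accept the current tick and the two before it
TICK_SECONDS = 64


def _mac(secret, tuple4, client_isn, counter, mss_idx):
    """Truncated HMAC over the 4-tuple, the client's ISN, the counter and the MSS index."""
    saddr, daddr, sport, dport = tuple4
    msg = struct.pack(">4s4sHHIIB",
                      ipaddress.ip_address(saddr).packed,
                      ipaddress.ip_address(daddr).packed,
                      sport, dport, client_isn, counter, mss_idx)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << MAC_BITS) - 1)


def make_cookie(secret, tuple4, client_isn, mss, now):
    """Server ISN for the SYN/ACK; nothing is stored for the half-open connection."""
    counter = (now // TICK_SECONDS) & ((1 << COUNTER_BITS) - 1)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac(secret, tuple4, client_isn, counter, mss_idx)
    return (counter << (32 - COUNTER_BITS)) | (mac << MSS_BITS) | mss_idx


def check_cookie(secret, tuple4, client_isn, cookie, now):
    """Validate the cookie echoed in the client's ACK (ack_number - 1).
    Returns the MSS to use, or None if the cookie is stale or forged."""
    counter = cookie >> (32 - COUNTER_BITS)
    mss_idx = cookie & ((1 << MSS_BITS) - 1)
    mac = (cookie >> MSS_BITS) & ((1 << MAC_BITS) - 1)
    now_counter = (now // TICK_SECONDS) & ((1 << COUNTER_BITS) - 1)
    if (now_counter - counter) % (1 << COUNTER_BITS) > MAX_AGE_TICKS:
        return None                                   # too old: replayed or delayed ACK
    expected = _mac(secret, tuple4, client_isn, counter, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return None                                   # forged or tampered cookie
    return MSS_TABLE[mss_idx]


def handshake(secret, tuple4, client_isn, mss, t_syn, t_ack, tamper=0):
    """Both sides: SYN -> SYN/ACK carrying the cookie -> ACK with cookie + 1.
    tamper XORs bits into the ACK number to simulate a forged third packet."""
    cookie = make_cookie(secret, tuple4, client_isn, mss, t_syn)       # server, stateless
    ack_number = ((cookie + 1) & 0xFFFFFFFF) ^ tamper                      # client's ACK
    return check_cookie(secret, tuple4, client_isn,
                        (ack_number - 1) & 0xFFFFFFFF, t_ack)


if __name__ == "__main__":
    # Constructed sample connection: 203.0.113.7:40000 -> 198.51.100.2:80
    secret = b"example-secret-rotate-me"
    t4 = ("203.0.113.7", "198.51.100.2", 40000, 80)
    print(handshake(secret, t4, 0x11223344, 1460, 1_000_000, 1_000_100))   # MSS on success
    print(handshake(secret, t4, 0x11223344, 1460, 1_000_000, 1_000_000, tamper=1))  # None
```

The cost of statelessness is visible in the code: only a few MSS values can be carried, options such as window scaling are lost unless encoded elsewhere, and an attacker who can guess the secret or brute-force the 25-bit MAC within the acceptance window can complete a bogus handshake, so the secret must be rotated and the window kept short.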
Slide 12: Evaluation of Sketch-based Detection
- Evaluated with NU traces (536M flows, 3.5 TB of traffic)
- Scalable and efficient
  - For worst-case traffic (all 40-byte packets):
    - 16 Gbps on a single FPGA board
    - 526 Mbps on a Pentium-IV 2.4 GHz PC
  - Less than 10 MB of memory used
- Accurate
  - 19 SYN floodings, 1784 horizontal scans and 29 vertical scans detected in one-day NU traces
  - Validation: all floodings and vertical scans, and the top 10 and bottom 10 horizontal scans
  - Both well-known and new worms found (new ones confirmed in DShield)
- Patent filed
Slide 13: Research Methodology
- Combination of theory, synthetic/real trace-driven simulation, and real-world implementation and deployment