Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Network Intrusion Detection and Mitigation Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Department of Computer Science Northwestern.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Network Intrusion Detection and Mitigation Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Department of Computer Science Northwestern."— Presentation transcript:

1 1 Network Intrusion Detection and Mitigation Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Department of Computer Science Northwestern University http://list.cs.northwestern.edu

2 2 Internet is becoming a new infrastructure for service delivery –World wide web, –VoIP –Email –Interactive TV? Major challenges for Internet-scale services –Scalability: 600M users, 35M Web sites, 2.1Tb/s –Security: viruses, worms, Trojan horses, etc. –Mobility: ubiquitous devices in phones, shoes, etc. –Agility: dynamic systems/network, congestions/failures –Ossification: extremely hard to deploy new technology in the core Our Theme

3 3 Battling Hackers is a Growth Industry! The past decade has seen an explosion in the concern for the security of information Internet attacks are increasing in frequency, severity and sophistication Denial of service (DoS) attacks –Cost $1.2 billion in 2000 –Thousands of attacks per week in 2001 –Yahoo, Amazon, eBay, Microsoft, White House, etc., attacked --Wall Street Journal (11/10/2004)

4 4 Battling Hackers is a Growth Industry (cont’d) Virus and worms faster and powerful –Melissa, Nimda, Code Red, Code Red II, Slammer … –Cause over $28 billion in economic losses in 2003, growing to over $75 billion in economic losses by 2007. –Code Red (2001): 13 hours infected >360K machines - $2.4 billion loss –Slammer (2003): 10 minutes infected > 75K machines - $1 billion loss Spywares are ubiquitous –80% of Internet computers have spywares installed

5 5 The Spread of Sapphire/Slammer Worms

6 6 How can it affect cell phones? Cabir worm can infect a cell phone –Infect phones running Symbian OS –Started in Philippines at the end of 2004, surfaced in Asia, Latin America, Europe, and recently in US –Posing as a security management utility –Once infected, propagate itself to other phones via Bluetooth wireless connections –Symbian officials said security was a high priority of the latest software, Symbian OS Version 9. With ubiquitous Internet connections, more severe viruses/worms for mobile devices will happen soon …

7 7 Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN Regional Wireline Regional Voice Cell Cable Modem LAN Premises- based WLAN Premises- based Operator- based H.323 Data RAS Analog DSLAM H.323

8 8 Current Intrusion Detection Systems (IDS) Mostly host-based and not scalable to high-speed networks –Slammer worm infected 75,000 machines in <10 mins –Host-based schemes inefficient and user dependent »Have to install IDS on all user machines ! Mostly signature-based –Cannot recognize unknown anomalies/intrusions –New viruses/worms, polymorphism

9 9 Current Intrusion Detection Systems (II) Statistical detection –Hard to adapt to traffic pattern changes –Unscalable for flow-level detection »IDS vulnerable to DoS attacks »WiMAX, up to 134Mbps, 10 min traffic may take 4GB memory –Overall traffic based: inaccurate, high false positives Cannot differentiate malicious events with unintentional anomalies –Anomalies can be caused by network element faults –E.g., router misconfiguration, signal interference of wireless network, etc.

10 10 Adaptive Intrusion Detection System for Wireless Networks (WAIDM) Online traffic recording and analysis for high- speed WiMAX networks –Leverage sketches for data streaming computation –Record millions of flows (GB traffic) in a few Kilobytes Online adaptive flow-level anomaly/intrusion detection and mitigation –Leverage statistical learning theory (SLT) adaptively learn the traffic pattern changes –Use statistics from MIB of Access Point to understand the wireless network status »E.g., busy vs. idle wireless networks, with different level of interferences, etc. –Unsupervised learning without knowing ground truth

11 11 WAIDM Systems (II) Integrated approach for false positive reduction –802.16 Signature-based detection –WiMAX network element fault diagnostics –Traffic signature matching of emerging applications Hardware speedup for real-time detection –Collaborated with Gokhan Memik (ECE of NU) –Try various hardware platforms: FPGAs, network processors

12 12 WAIDM Deployment Attached to a switch connecting BS as a black box Enable the early detection and mitigation of global scale attacks Highly ranked as “powerful and flexible" by the DARPA research agenda Original configuration WAIDM deployed Inter net 802.16 BS User s (a) (b) 802.16 BS User s Switch/ BS controller Internet scan port WAIDM system 802.16 BS Users 802.16 BS Users Switch/ BS controller

13 13 GRAID Sensor Architecture Reversible k-ary sketch monitoring Filtering Sketch based statistical anomaly detection (SSAD) Local sketch records Sent out for aggregation Remote aggregated sketch records Per-flow monitoring Streaming packet data Normal flows Suspicious flows Intrusion or anomaly alarms to fusion centers Keys of suspicious flows Keys of normal flows Data path Control path Modules on the critical path Signature -based detection Traffic profile checking Statistical detection Part I Sketch- based monitoring & detection Part II Per-flow monitoring & detection Modules on the non-critical path Network fault detection

14 14 Scalable Traffic Monitoring and Analysis - Challenge Potentially tens of millions of time series ! –Need to work at very low aggregation level (e.g., IP level) –Each access point (AP) can have 200 Mbps – a collection of 10-100 APs can easily go up to 2-20 Gbps –The Moore’s Law on traffic growth …  Per-flow analysis is too slow or too expensive –Want to work in near real time

15 15 Sketch-based Change Detection (ACM SIGCOMM IMC 2003, 2004) Input stream: (key, update) Sketch module Forecast module(s) Change detection module (k,u) … Sketches Error Sketch Alarms Report flows with large forecast errors Summarize input stream using sketches Build forecast models on top of sketches

16 16 Evaluated with tier-1 ISP trace and NU traces Scalable –Can handle tens of millions of time series Accurate –Provable probabilistic accuracy guarantees –Even more accurate on real Internet traces Efficient –For the worst case traffic, all 40 byte packets: »16 Gbps on a single FPGA board »526 Mbps on a Pentium-IV 2.4GHz PC –Only less than 3MB memory used Patent filed Evaluation of Reversible K-ary Sketch

17 17 GRAID Sensor Architecture Reversible k-ary sketch monitoring Filtering Sketch based statistical anomaly detection (SSAD) Local sketch records Sent out for aggregation Remote aggregated sketch records Per-flow monitoring Streaming packet data Normal flows Suspicious flows Intrusion or anomaly alarms to fusion centers Keys of suspicious flows Keys of normal flows Data path Control path Modules on the critical path Signature -based detection Traffic profile checking Statistical detection Part I Sketch- based monitoring & detection Part II Per-flow monitoring & detection Modules on the non-critical path Network fault detection

18 18 Current IDS Insufficient for Wireless Networks Most existing IDS signature-based –Especially for wireless networks –Detect denial-of-service attacks caused by the WEP authentication vulnerability, e.g., Airespace Current statistical IDS has manually set parameters –Cannot adapt to the traffic pattern changes However, wireless networks often have transient connections –Hard to differentiate collisions, interference, and attacks

19 19 Statistical Anomaly/Intrusion Detection and Mitigation for Wireless Networks Use statistics from MIB of AP to understand the current wireless network status –Interference Detection MIB Group »Retry count, FCS err count, Failed count … –Intrusion Detection MIB Group »Duplicate count, Authentication failure count, EAP negotiation failure count, Abnormal termination percentage … –DoS Detection MIB Group »Auth flood to BS, De-Auth flood to SS Automatically adapt to different learned profiles on observing status changes

20 20 Preliminary Algorithm Process Interference Collision MIB Group Process Intrusion Detection MIB Group Process DoS MIB Group Collect MIBs Intrusion Intru H Inter Interference H L DoS DoS Attack H Collect MIBs Process Interference Collision MIB Group Process Intrusion Detection MIB Group Process DoS MIB Group InterDoS Interference H DoS Attack H Inter Intru L H Intrusion

21 21 Intrusion Detection and Mitigation Attacks detectedMitigation Denial of Service (DoS), e.g., TCP SYN flooding SYN defender, SYN proxy, or SYN cookie for victim Port Scan and wormsIngress filtering with attacker IP Vertical port scanQuarantine the victim machine Horizontal port scanMonitor traffic with the same port # for compromised machine SpywaresWarn the end users being spied

22 22 GRAID Sensor Architecture Reversible k-ary sketch monitoring Filtering Sketch based statistical anomaly detection (SSAD) Local sketch records Sent out for aggregation Remote aggregated sketch records Per-flow monitoring Streaming packet data Normal flows Suspicious flows Intrusion or anomaly alarms to fusion centers Keys of suspicious flows Keys of normal flows Data path Control path Modules on the critical path Signature -based detection Traffic profile checking Statistical detection Part I Sketch- based monitoring & detection Part II Per-flow monitoring & detection Modules on the non-critical path Network fault detection SIGCOMM04

23 23 Research methodology Combination of theory, synthetic/real trace driven simulation, and real-world implementation and deployment

24 24 Potential Collaborative Research Areas with Motorola Wireless virus/worm detection Spyware detection Both by operators at infrastructure level (e.g., access point) Intrusion detection and mitigation for cellular network infrastructure Automatic attack responding and survival for Motorola infrastructure products

25 25 Thank You! More Questions?

Download ppt "1 Network Intrusion Detection and Mitigation Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Department of Computer Science Northwestern."

Similar presentations

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
1 Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Computer Science Northwestern University

1 Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Computer Science Northwestern University
1 Yan Chen Northwestern University Lab for Internet and Security Technology (LIST) in Northwestern.

1 Yan Chen Northwestern University Lab for Internet and Security Technology (LIST) in Northwestern.
1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.

1 Reversible Sketches for Efficient and Accurate Change Detection over Network Data Streams Robert Schweller Ashish Gupta Elliot Parsons Yan Chen Computer.
1 Pertemuan 6 Points of Exposure Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.

1 Pertemuan 6 Points of Exposure Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1.
Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,

Intrusion Detection/Prevention Systems. Objectives and Deliverable Understand the concept of IDS/IPS and the two major categorizations: by features/models,
Wireless Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN.

Wireless Security. Access Networks Core Networks The Current Internet: Connectivity and Processing Transit Net Private Peering NAP Public Peering PSTN.
Northwestern Lab for Internet and Security Technology (LIST) Yan Chen Router-based Anomaly/Intrusion Detection and Mitigation (RAIDM) Systems Scalable.

Northwestern Lab for Internet and Security Technology (LIST) Yan Chen Router-based Anomaly/Intrusion Detection and Mitigation (RAIDM) Systems Scalable.
Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.

Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.
Welcome to EECS 354 Network Penetration and Security.

Welcome to EECS 354 Network Penetration and Security.
Yan Chen, Hai Zhou Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University.

Yan Chen, Hai Zhou Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University.
Reverse Hashing for Sketch Based Change Detection in High Speed Networks Ashish Gupta Elliot Parsons with Robert Schweller, Theory Group Advisor: Yan Chen.

Reverse Hashing for Sketch Based Change Detection in High Speed Networks Ashish Gupta Elliot Parsons with Robert Schweller, Theory Group Advisor: Yan Chen.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Welcome to CS 450 Internet Security: A Measurement-based Approach.

Welcome to CS 450 Internet Security: A Measurement-based Approach.
Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.

Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.
Welcome to EECS 450 Internet Security. Why Internet Security The past decade has seen an explosion in the concern for the security of information –Malicious.

Welcome to EECS 450 Internet Security. Why Internet Security The past decade has seen an explosion in the concern for the security of information –Malicious.
A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks Yan Gao, Zhichun Li, Yan Chen Lab for Internet and Security Technology.

A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks Yan Gao, Zhichun Li, Yan Chen Lab for Internet and Security Technology.
1 Towards Anomaly/Intrusion Detection and Mitigation on High-Speed Networks Yan Gao, Zhichun Li, Manan Sanghi, Yan Chen, Ming- Yang Kao Northwestern Lab.

1 Towards Anomaly/Intrusion Detection and Mitigation on High-Speed Networks Yan Gao, Zhichun Li, Manan Sanghi, Yan Chen, Ming- Yang Kao Northwestern Lab.
What Learned Last Week Homework qn –What machine does the URL go to?

What Learned Last Week Homework qn –What machine does the URL go to?

Similar presentations

Ads by Google