
Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece TNC.


1 Network Flow-Based Anomaly Detection of DDoS Attacks
Vassilis Chatzigiannakis
National Technical University of Athens, Greece
vhatzi@netmode.ntua.gr
TNC 2004

2 Network Flow-based Anomaly Detection of DDoS Attacks - TNC 2004
Intrusion Detection
- An IDS is a system used for detecting network attacks
- It detects both successful and unsuccessful attacks
- It detects attacks from insiders
- IDS categories:
  - Host-based / Network-based
  - Misuse detection / Anomaly detection
  - Distributed Intrusion Detection Systems

3 Intrusion Detection (2)
Misuse Detection
- Sniffs network packets
- If a known signature is matched, the attack is detected
- Resembles an anti-virus system
- Must be updated night and day

4 Intrusion Detection (3)
Anomaly Detection
- Checks for large deviations from the normal behaviour of an entity
- An entity could be a user, a computer or a network link
- Uses an expert system
- The system has to be trained before it becomes operational

5 Denial of Service Attacks
- An attack that suspends the availability of a service
- Until recently the "bad guys" tried to enter our systems. Now it's: "If not us, then nobody"
- DoS: single, carefully crafted malicious packets against the target machine
- Distributed DoS: traffic flows from various sources to exhaust network or computing resources

6 Main Characteristics of DoS
Variable targets:
- Single hosts or whole domains
- Computer systems or networks
- Important: active network components (e.g. routers) are also vulnerable and possible targets!
Variable uses & effects:
- Hacker "turf" wars
- High-profile commercial targets (or just competitors...)
- Useful in cyber-warfare, terrorism etc.

7 Distributed DoS (diagram)
Diagram labels: Attacker X; pirated machines ("zombies") in Domain A and Domain B; target domain
Steps shown: 1. Taking control  2. Commanding the attack

8 Netflow
What is a flow? Defined by seven keys:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- TOS byte (DSCP)
- Input logical interface (ifIndex)

9 NetFlow Sequence (router diagram from Cisco.com)
1. Create and update flows in the NetFlow cache
2. Expiration. A flow is expired when:
   - the inactive timer expires (15 sec is the default)
   - the active timer expires (30 min is the default)
   - the NetFlow cache is full (oldest flows expire)
   - a TCP RST or FIN flag is seen
3. Aggregation? (e.g. Protocol-Port Aggregation Scheme)
   - Yes: aggregated flows become export version 8 or 9
   - No: non-aggregated flows become export version 5 or 9
4. Export version
5. Transport protocol; the export packet's payload is the expired flows
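The slide above describes the router-side flow cache only in a diagram. The following is an added example, written for this transcript and not code from Cisco or from the OpenEye project: a small model of that cache keyed by the seven NetFlow fields of slide 8, in which a packet either creates or updates a flow record, and a record is expired (standing in for export) by each of the four rules on slide 9. The packet sequence, the 2-entry cache size and all addresses are constructed for the demonstration; the timer defaults are the ones the slide states.

```python
# Constructed model of the router-side NetFlow cache on slides 8-9 (not Cisco's code).
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Tuple


class FlowKey(NamedTuple):
    """The seven NetFlow key fields from slide 8."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int      # layer-3 protocol number: 6 = TCP, 17 = UDP
    tos: int        # TOS byte (DSCP)
    if_index: int   # input logical interface (ifIndex)


@dataclass
class FlowRecord:
    key: FlowKey
    first_seen: float   # seconds; drives the active timer
    last_seen: float    # seconds; drives the inactive timer
    packets: int = 0
    octets: int = 0


class NetFlowCache:
    INACTIVE_TIMEOUT = 15.0        # default from slide 9
    ACTIVE_TIMEOUT = 30 * 60.0     # default from slide 9
    TCP_FIN, TCP_RST = 0x01, 0x04  # TCP flag bits

    def __init__(self, max_entries: int = 2):
        self.max_entries = max_entries  # tiny on purpose so "cache full" can be shown
        self.cache: Dict[FlowKey, FlowRecord] = {}
        # Expired records with the reason; stands in for the export packets of slide 9.
        self.exported: List[Tuple[str, FlowRecord]] = []

    def _expire(self, key: FlowKey, reason: str) -> None:
        self.exported.append((reason, self.cache.pop(key)))

    def expire_timers(self, now: float) -> None:
        """Expiration rules 1 and 2 of slide 9: inactive and active timers."""
        for key in list(self.cache):
            rec = self.cache[key]
            if now - rec.last_seen > self.INACTIVE_TIMEOUT:
                self._expire(key, "inactive")
            elif now - rec.first_seen > self.ACTIVE_TIMEOUT:
                self._expire(key, "active")

    def observe(self, key: FlowKey, now: float, octets: int, tcp_flags: int = 0) -> None:
        """Step 1 of slide 9: create or update the flow record for one packet."""
        self.expire_timers(now)
        rec = self.cache.get(key)
        if rec is None:
            if len(self.cache) >= self.max_entries:
                # Rule 3: cache full, the least recently seen flow expires first.
                oldest = min(self.cache, key=lambda k: self.cache[k].last_seen)
                self._expire(oldest, "cache full")
            rec = self.cache[key] = FlowRecord(key, now, now)
        rec.last_seen = now
        rec.packets += 1
        rec.octets += octets
        if key.proto == 6 and tcp_flags & (self.TCP_FIN | self.TCP_RST):
            # Rule 4: a TCP RST or FIN closes the flow immediately.
            self._expire(key, "tcp fin/rst")


def run_demo() -> NetFlowCache:
    """Constructed packet sequence that triggers each expiration rule exactly once."""
    cache = NetFlowCache(max_entries=2)
    tcp = FlowKey("10.0.0.1", "10.0.0.2", 40000, 80, 6, 0, 1)
    udp1 = FlowKey("10.0.0.3", "10.0.0.2", 53000, 53, 17, 0, 1)
    udp2 = FlowKey("10.0.0.4", "10.0.0.2", 53001, 53, 17, 0, 1)
    udp3 = FlowKey("10.0.0.5", "10.0.0.2", 53002, 53, 17, 0, 1)
    cache.observe(tcp, 0.0, 60)
    cache.observe(udp1, 1.0, 80)
    cache.observe(tcp, 2.0, 1500)
    cache.observe(tcp, 3.0, 40, tcp_flags=NetFlowCache.TCP_FIN)  # -> "tcp fin/rst"
    cache.observe(udp2, 4.0, 80)
    cache.observe(udp1, 5.0, 80)
    cache.observe(udp3, 6.0, 80)           # cache full, udp2 is oldest -> "cache full"
    cache.observe(udp3, 12.0, 80)
    cache.observe(udp3, 21.0, 80)          # udp1 idle for 16 s -> "inactive"
    for t in range(31, 1900, 10):          # keep udp3 alive past its active timer
        cache.observe(udp3, float(t), 80)  # -> "active" once it has lived > 30 min
    return cache


if __name__ == "__main__":
    for reason, rec in run_demo().exported:
        k = rec.key
        print(f"{reason:12s} {k.src_ip}:{k.src_port} -> {k.dst_ip}:{k.dst_port} "
              f"proto={k.proto} packets={rec.packets} octets={rec.octets}")
```

Running the demo exports four records, one per rule, in the order fin/rst, cache full, inactive, active. The point for a detector such as the one on the later slides is that the inactive timer bounds how long a flood flow stays unexported: with the 15-second default, a burst of one-packet flows shows up at the collector within about 15 seconds of the last packet, whereas long-lived flows are only reported every 30 minutes unless the active timer is lowered.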

10 Our Solution: An anomaly detection tool OpenEye

11 OpenEye DDoS Attack Detection Tool
- Analyses flows that are exported from Cisco NetFlow-enabled routers
- Compatible with NetFlow v9
- Works with IPv4 and IPv6 traffic
- Uses an anomaly detection algorithm based on specific metrics and thresholds
- Written in the Java language

12 Implementation
Two main modules:
- Collector: responsible for receiving flow data from the NetFlow-enabled routers; the information is analysed and stored in a local data structure.
- Detector: responsible for calculating the metrics and comparing the results to detection thresholds. It is periodically activated, implements extensive logging of detection events and generates e-mail notifications with security alerts to the administrator.

13 DoS Detection Metrics (1)
Metrics for packets/flows based on deviation:
- CP_ij = current packets/flows from interface i to interface j
- AP_ij = average packets/flows from interface i to interface j

14 DoS Detection Metrics (2)
- Number of flows with a very small lifetime
- Number of flows with a very small number of packets
- Percentages of TCP/UDP traffic

15 Data structures
- Tables with the number of packets and the number of flows for every pair of interfaces
- Hash tables keyed by destination IP, holding the number of packets and flows for each IP, for every pair of interfaces
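Slides 12 to 15 describe the Collector/Detector split, the metrics and the data structures without giving the formulas, thresholds or code. The following is an added example written for this transcript; it is not OpenEye's own code (which the slides say is Java) and the slides should not be read as endorsing its details. It builds the per-interface-pair tables and per-pair destination hash tables of slide 15, learns AP_ij from clean intervals, and evaluates the slide 13-14 metrics for a current interval. Assumptions made here: the deviation metric is taken to be the ratio CP_ij / AP_ij, every threshold value is made up, interface pairs are (input ifIndex, output ifIndex), and all flows and addresses are constructed.

```python
# Constructed model of the OpenEye Detector (slides 12-15); not the project's Java code.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int        # layer-3 protocol: 6 = TCP, 17 = UDP
    in_if: int        # input ifIndex, interface i
    out_if: int       # output ifIndex, interface j
    packets: int
    duration_ms: int  # flow lifetime as exported by the router


IfPair = Tuple[int, int]


class Detector:
    # Threshold values are assumed; slide 11 only says "specific metrics and thresholds".
    def __init__(self, deviation_ratio=3.0, short_life_ms=100, few_packets=2,
                 share_alert=0.5, udp_share_alert=0.8):
        self.deviation_ratio, self.short_life_ms = deviation_ratio, short_life_ms
        self.few_packets, self.share_alert = few_packets, share_alert
        self.udp_share_alert = udp_share_alert
        self.avg_packets: Dict[IfPair, float] = {}  # AP_ij for packets
        self.avg_flows: Dict[IfPair, float] = {}    # AP_ij for flows

    @staticmethod
    def collect(flows: List[Flow]):
        """Slide 15 structures: per-pair packet and flow tables, plus a per-pair
        hash table keyed by destination IP holding [packets, flows]."""
        packets, nflows = defaultdict(int), defaultdict(int)
        by_dst = defaultdict(lambda: defaultdict(lambda: [0, 0]))
        for f in flows:
            pair = (f.in_if, f.out_if)
            packets[pair] += f.packets
            nflows[pair] += 1
            by_dst[pair][f.dst_ip][0] += f.packets
            by_dst[pair][f.dst_ip][1] += 1
        return packets, nflows, by_dst

    def train(self, intervals: List[List[Flow]]) -> None:
        """AP_ij = mean packets/flows per interval over clean training intervals (slide 4)."""
        sums_p, sums_f = defaultdict(float), defaultdict(float)
        for flows in intervals:
            packets, nflows, _ = self.collect(flows)
            for pair in packets:
                sums_p[pair] += packets[pair]
                sums_f[pair] += nflows[pair]
        self.avg_packets = {p: v / len(intervals) for p, v in sums_p.items()}
        self.avg_flows = {p: v / len(intervals) for p, v in sums_f.items()}

    def evaluate(self, flows: List[Flow]) -> List[dict]:
        """Slide 13-14 metrics per interface pair; one alert per pair crossing a threshold.
        Deviation is assumed to be CP_ij / AP_ij; a pair unseen in training counts as infinite."""
        packets, nflows, by_dst = self.collect(flows)
        alerts = []
        for pair, cp in packets.items():
            pf = [f for f in flows if (f.in_if, f.out_if) == pair]
            cf, ap, af = nflows[pair], self.avg_packets.get(pair), self.avg_flows.get(pair)
            metrics = {
                "packet_deviation": cp / ap if ap else float("inf"),
                "flow_deviation": cf / af if af else float("inf"),
                "short_life_share": sum(f.duration_ms < self.short_life_ms for f in pf) / cf,
                "few_packet_share": sum(f.packets <= self.few_packets for f in pf) / cf,
                "tcp_share": sum(f.packets for f in pf if f.proto == 6) / max(cp, 1),
                "udp_share": sum(f.packets for f in pf if f.proto == 17) / max(cp, 1),
            }
            limits = [("packet_deviation", self.deviation_ratio), ("flow_deviation", self.deviation_ratio),
                      ("short_life_share", self.share_alert), ("few_packet_share", self.share_alert),
                      ("udp_share", self.udp_share_alert)]
            crossed = [m for m, limit in limits if metrics[m] > limit]
            if crossed:
                # The per-pair hash table tells the administrator which destination drew the flows.
                top_dst = max(by_dst[pair], key=lambda ip: by_dst[pair][ip][1])
                alerts.append({"pair": pair, "crossed": crossed,
                               "top_dst_by_flows": top_dst, "metrics": metrics})
        return alerts


def normal_interval() -> List[Flow]:
    """Constructed clean interval: 8 TCP + 2 UDP flows from if 1 to if 2 and their replies."""
    out = [Flow(f"192.0.2.{k + 1}", "203.0.113.10", 6 if k < 8 else 17, 1, 2, 50, 5000) for k in range(10)]
    back = [Flow("203.0.113.10", f"192.0.2.{k + 1}", 6 if k < 8 else 17, 2, 1, 40, 5000) for k in range(10)]
    return out + back


def attack_interval() -> List[Flow]:
    """Constructed: normal traffic plus 90 one-packet, zero-lifetime UDP flows from many sources."""
    flood = [Flow(f"198.51.100.{k}", "203.0.113.20", 17, 1, 2, 1, 0) for k in range(1, 91)]
    return normal_interval() + flood


def run_demo() -> List[dict]:
    det = Detector()
    det.train([normal_interval() for _ in range(3)])
    return det.evaluate(attack_interval())


if __name__ == "__main__":
    for a in run_demo():
        print(f"interfaces {a['pair']}: crossed {a['crossed']}, top destination {a['top_dst_by_flows']}")
```

In the constructed interval the flood adds only 90 packets, so the packet deviation stays near 1.2 and does not fire; the flow count, the share of very short flows and the share of few-packet flows all do, and the destination hash table names 203.0.113.20 as the host collecting the flows. That is why slide 14 pairs the flow-lifetime and packets-per-flow metrics with the volume metric of slide 13: a flood of tiny flows is invisible to a packet-count threshold alone. The reverse-direction pair (2, 1) is unchanged and produces no alert.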

16 Network Flow-based Anomaly Detection of DDoS Attacks - TNC 2004 Attack Graphs

17 Future Work
- More experiments
- Detection of worms
- Creation and testing of new metrics
- Usage of OpenEye as part of a Distributed Intrusion Detection System

18 Acknowledgements
- Panoptis: http://panoptis.sourceforge.net/
- GRNET: http://www.grnet.gr
- NTUA NOC: http://noc.ntua.gr
- Netmode: http://netmode.ntua.gr

19 Questions and Answers

