
Yan Chen Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University




1 Intrusion Detection and Forensics for Self-defending Wireless Networks
Yan Chen, Lab for Internet and Security Technology (LIST), Dept. of Electrical Engineering and Computer Science, Northwestern University
http://list.cs.northwestern.edu

2 Security Challenges in GIG Wireless Networks
In addition to sharing similar challenges with wired networks:
–High-speed traffic (e.g., WiMAX)
–Zero-day threats
–Lack of quality info for situation-aware analysis: attack target/strategy, attacker (botnet) size, etc.
Wireless networks are more vulnerable:
–Open medium: easy to sniff, spoof and inject packets
–Open access: hotspots and a potentially large user population

3 Self-Defending Wireless Networks
Net-based adaptive intrusion detection & mitigation
–Scalable traffic monitoring & anomaly detection (done in year 1)
–Polymorphic zero-day worm signature generation (done in year 2)
–Automated analysis of large-scale botnet probing events for situation-aware info (mostly done, focus of this talk)
Proactive vulnerability analysis and defense of wireless network protocols (done)
–Found a class of exception-triggered DoS attacks
–Easy to launch: no need to change MAC
–Efficient and scalable: small traffic, attacks a large # of clients
–Stealthy: cannot be detected with current IDS/IPS

4 Generally applicable countermeasure schemes were also proposed.

5 Accomplishments on Publications
Six conference and three journal papers:
–"Using Failure Information Analysis to Detect Enterprise Zombies", to appear in Proc. of SecureComm 2009.
–"POPI: A User-level Tool for Inferring Router Packet Forwarding Priority", ACM/IEEE Transactions on Networking (ToN), 2009.
–"FAD and SPA: End-to-end Link-level Loss Rate Inference without Infrastructure", Journal of Computer Networks, 2009.
–"Exception Triggered DoS Attacks on Wireless Networks", 39th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2009.
–"BotGraph: Large Scale Spamming Botnet Detection", USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2009.
–"Towards Efficient Large-Scale VPN Monitoring and Diagnosis under Operational Constraints", IEEE INFOCOM (main conference), 2009.
–"Automating Analysis of Large-Scale Botnet Probing Events", ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2009.
–"Pollution Attacks and Defenses for Internet Caching Systems", Journal of Computer Networks, 2008.
–"Botnet Research Survey", 32nd Annual IEEE International Computer Software and Applications Conference, 2008.
Collaborated publication with Dr. Keesook Han from AFRL:
–Resulted from joint research on botnets
–Obtain binary/source from Dr. Han
–Plan to use the testbed developed at AFRL

6 Automating Analysis of Large-Scale Botnet Probing Events
Zhichun Li, Anup Goyal, Yan Chen and Vern Paxson*
Lab for Internet and Security Technology (LIST), Northwestern University
* UC Berkeley / ICSI

7 Motivation
(Figure: administrators inside an enterprise, botnets probing from the IPv4 space)
Does this attack specially target us? Can we answer this question with only the limited information observed locally in the enterprise?

8 Motivation
–Can we infer the probe strategy used by botnets?
–Can we infer whether a botnet probing attack specially targets a certain network, or whether we are just part of a larger, indiscriminate attack?
–Can we extrapolate botnet global properties given limited local information?

9 Agenda
–Motivation
–Basic framework
–Discover the botnet probing strategies
–Extrapolate global properties
–Evaluation
–Conclusions

10 Botnet Probing Events
Big spikes in the number of probers, mainly caused by botnets.

11 System Framework
See the paper for subtle system details.

12 Agenda
–Motivation
–Basic framework
–Discover the botnet probing strategies
–Extrapolate global properties
–Evaluation
–Conclusions

13 Discover the Botnet Probing Strategies
Use statistical tests to understand probing strategies:
–Leverage existing statistical tests
  Monotonic trend checking: detect whether bots probe the IP space monotonically
  Uniformity checking: detect whether bots scan the IP range uniformly
–Design our own
  Hitlist (liveness) checking: detect whether the bots avoid the dark IP space
  Dependency checking: do the bots scan independently, or are they coordinated?

14 Design Space

15 Hitlist Checking
Configure the sensor to be half darknet and half honeynet.
Use the metric θ = # src in darknet / # src in honeynet. Threshold: 0.5.

16 Agenda
–Motivation
–Basic framework
–Discover the botnet probing strategies
–Extrapolate global properties
  Global scan scope, total # of bots, total # of scans, total scan rate for each bot
–Evaluation
–Conclusions

17 Extrapolate Global Properties: Basic Ideas and Validation
Observe the packet fields that change with certain patterns in continuous probes:
–IPID: a field in the IP header used for IP defragmentation
–Ephemeral port number: the source port used by bots
–Both increment by a fixed # per scan
Validation:
–IPID continuity: all versions of Windows and MacOS
–Ephemeral port number continuity: botnet source code study (Agobot, Phatbot, Spybot, SDbot, rxBot, etc.)
–Control experiments with NAT

18 Estimate Global Scan Rate of Each Bot
Count the IPID & ephemeral port # changes:
–Recover the overflow of the IPID and ephemeral port number
–Estimate the rate with linear regression when the correlation coefficient > 0.99
–To counter overestimation: use the smaller of the two estimates
(Figure: IPID counter plotted against time T)
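The three steps on this slide (overflow recovery, regression with an r > 0.99 acceptance rule, taking the smaller of the two estimates), as an added worked example. This is illustration code written for this transcript, not the paper's implementation; it assumes 16-bit counters that advance by one per packet or connection the bot sends and probes that arrive in sending order, and the function names, the sample series and the 2-second observation spacing are all constructed.

```python
# Added illustration of the slide's scan-rate estimate; not the paper's code.
# Assumptions not stated on the slide: IPID and ephemeral port are 16-bit
# counters that advance by one per packet/connection the bot sends, and the
# locally observed probes arrive in sending order.
from math import sqrt

COUNTER_MOD = 1 << 16  # both IPID and port are 16-bit fields


def unwrap(values, modulus=COUNTER_MOD):
    """Recover a monotonically increasing counter from observations that
    wrapped around at `modulus` (e.g. 65530, 65535, 4 -> 65530, 65535, 65540)."""
    out, offset, prev = [], 0, None
    for v in values:
        if prev is not None and v < prev:  # counter overflowed since last probe
            offset += modulus
        out.append(v + offset)
        prev = v
    return out


def linear_fit(xs, ys):
    """Least-squares slope of ys on xs and the Pearson correlation coefficient."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    if sxx == 0 or syy == 0:
        return 0.0, 0.0
    return sxy / sxx, sxy / sqrt(sxx * syy)


def estimate_global_rate(times, ipids, ports, min_r=0.99):
    """Global packets-per-second of one bot from its locally seen probes.

    Each counter is unwrapped and regressed on time; a counter is trusted only
    when the correlation coefficient exceeds `min_r` (slide: > 0.99).  The
    smaller of the trusted slopes is returned, because the IPID also counts the
    bot's non-scan traffic and on its own would overestimate the scan rate.
    Returns None when neither counter is usable (e.g. a NAT rewrote them)."""
    estimates = []
    for seq in (ipids, ports):
        slope, r = linear_fit(times, unwrap(seq))
        if r > min_r:
            estimates.append(slope)
    return min(estimates) if estimates else None


# Constructed sample: ten probes from one bot reach our sensor 2 s apart.
# Between consecutive probes the bot sent 250 IP packets (IPID advances 250,
# wrapping past 65535) but opened only 200 connections (port advances 200).
TIMES = [2.0 * k for k in range(10)]
IPIDS = [(65400 + 250 * k) % COUNTER_MOD for k in range(10)]
PORTS = [1024 + 200 * k for k in range(10)]
STUCK_PORTS = [1024] * 10  # constructed: a port counter that never advances

if __name__ == "__main__":
    print("IPID only  :", estimate_global_rate(TIMES, IPIDS, STUCK_PORTS))  # 125.0
    print("both usable:", estimate_global_rate(TIMES, IPIDS, PORTS))        # 100.0
```

With both counters usable the port-derived 100 packets/s wins over the IPID-derived 125 packets/s, which is exactly the overestimation the slide's rule guards against; a counter whose regression does not reach r > 0.99 is simply dropped.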

19 Extrapolate Global Scan Scope
(Figure: bot i in the botnet scanning the IPv4 space; n_i = 100 of its probes land on the local sensor)
Total scans from bot i: scan rate R_i * scan time T_i = 100 * 1000 = 100,000
Aggregating multiple bots
Local/global ratio

20 Extrapolate Global # of Bots
Idea: similar to mark and recapture
Assumption: all bots have the same global scan range
(Figure: total bots M = 4000; the first half of the sensor observes m1 = 1000, the second half observes m2 = 1000, both observe m12 = 250)
M = m1 * m2 / m12
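Slides 19 and 20 carried through in code, as an added example that is not the paper's implementation: the local/global ratio turns one bot's R_i * T_i = 100,000 global probes and n_i = 100 local hits into a scan scope for the talk's ten-/24 sensor, and the mark-and-recapture estimate M = m1 * m2 / m12 is applied to two constructed bot sets that reproduce the slide's 1000 / 1000 / 250 figures. The function names, the pooled aggregation rule and the bot identifiers are this example's own.

```python
# Added illustration of slides 19 and 20; not the paper's code.  Function
# names and the pooled aggregation rule are this example's own choices.
from math import log2


def bot_global_scope(local_probes, scan_rate, scan_time, sensor_size):
    """Global scan scope (in addresses) implied by one bot.

    The bot sent scan_rate * scan_time probes in total (slide 19: R_i * T_i);
    local_probes of them hit our sensor of sensor_size addresses.  Under the
    uniform-scanning assumption, local/global ratio = sensor_size/scope."""
    total_probes = scan_rate * scan_time
    return sensor_size * total_probes / local_probes


def aggregate_global_scope(bots, sensor_size):
    """Pool several bots: ratio of all local probes to all extrapolated global
    probes (assumption: a simple pooled estimator, chosen for this example)."""
    local = sum(b["local_probes"] for b in bots)
    total = sum(b["scan_rate"] * b["scan_time"] for b in bots)
    return sensor_size * total / local


def nearest_prefix_length(scope):
    """Express a scope in addresses as the nearest /N prefix length."""
    return 32 - round(log2(scope))


def mark_recapture(first_half_sources, second_half_sources):
    """Slide 20: the two halves of the sensor 'capture' bots independently,
    so the total population is M = m1 * m2 / m12 (Lincoln-Petersen).
    Returns None when the halves share no bot (estimate undefined)."""
    m1 = len(first_half_sources)
    m2 = len(second_half_sources)
    m12 = len(first_half_sources & second_half_sources)
    if m12 == 0:
        return None
    return m1 * m2 / m12


SENSOR_SIZE = 10 * 256  # the talk's sensor: ten /24 networks

# Constructed bot source sets reproducing the slide's numbers:
# 1000 bots seen by the first half, 1000 by the second, 250 by both.
FIRST_HALF = {f"bot-{i}" for i in range(0, 1000)}
SECOND_HALF = {f"bot-{i}" for i in range(750, 1750)}

if __name__ == "__main__":
    # slide 19 numbers: n_i = 100 local probes, R_i = 100/s, T_i = 1000 s
    scope = bot_global_scope(100, 100, 1000, SENSOR_SIZE)
    print(scope, "addresses, roughly a /%d" % nearest_prefix_length(scope))
    print("estimated total bots:", mark_recapture(FIRST_HALF, SECOND_HALF))  # 4000.0
```

The two estimates are independent of each other: the scope needs the per-bot rate from slide 18, while the population estimate needs only which source addresses each half of the sensor saw, and it becomes undefined (returns None here) when the two halves share no bots.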

21 Agenda
–Motivation
–Basic framework
–Discover the botnet probing strategies
–Extrapolate global properties
–Evaluation
–Conclusions

22 Dataset
Based on a 10 /24 honeynet in a National Lab (LBNL)
293 GB of packet traces over 24 months (2006-07)
Observed 203 botnet probing events in total
–Average observed # bots/event is 980
–Mainly on SMB/WINRPC, VNC, Symantec, MSSQL, HTTP, Telnet
Size of the system: 13,900 lines: Bro (6,000), Python (4,000), C++ (2,500), R (1,400)

23 Property Checking Results
More than 80% uniform scanning.
Validated the results through visualization and found them highly accurate.

24 Extrapolation Results
Most extrapolated global scopes are of /8 size, which means the botnets do not target the enterprise (LBNL).
Validation with DShield data:
–DShield: the largest Internet alert repository
–Find the /8 prefixes in DShield with sufficient source (bot) overlap with the honeynet events
–Due to the incompleteness of DShield data, 12 events validated
–Calculate the scan scope in each /8 based on the sensor coverage ratio

25 Extrapolation Validation
Define the scope factor as max(DShield/Honeynet, Honeynet/DShield).
CDF of the scope factor: 75% within 1.35, all within 1.5.

26 Conclusions
–Developed a set of statistical approaches to assess four properties of botnet probing strategies
–Designed approaches to extrapolate the global properties of a scan event based on a limited local view
–Through real-world validation based on DShield, we show our scheme is promisingly accurate

27 Backup

28 Event size distribution

29 Extrapolate the scope
(Figure relating the quantities involved:)
–Local/global ratio
–Probing time window
–Estimated global probing rate
–Probes observed locally

30 Monotonic trend checking
Goal: detect whether the bots probe the IP space monotonically
–E.g. simple sequential probing
Technique:
–Mann-Kendall trend test
–Intuition: check whether the aggregated sign value (sign(A_{i+1} - A_i)) falls outside the range that randomness can achieve
–When most (>80%) senders in an event follow a trend, we label the event as following a trend
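The Mann-Kendall check and the >80% event rule above, as an added worked example (illustration code for this transcript, not the paper's Bro/R implementation). The per-sender threshold |z| > 1.96, the tie correction and the sample address sequences are this example's own choices; the slide states only the test and the 80% rule.

```python
# Added illustration of the slide's trend check; not the paper's code.
# Assumption not on the slide: the 5% two-sided critical value |z| > 1.96 is
# used to call a single sender's sequence a trend.
from collections import Counter
from math import sqrt


def mann_kendall(values):
    """Mann-Kendall statistic S and its normal approximation z.

    S sums sign(A_j - A_i) over all pairs i < j; under the null hypothesis of
    no trend S is approximately N(0, var), so |z| far from 0 means a trend."""
    n = len(values)
    s = 0
    for i in range(n - 1):
        for j in range(i + 1, n):
            d = values[j] - values[i]
            s += (d > 0) - (d < 0)
    # variance with tie correction (a sender may probe the same address twice)
    ties = sum(t * (t - 1) * (2 * t + 5) for t in Counter(values).values() if t > 1)
    var = (n * (n - 1) * (2 * n + 5) - ties) / 18
    if var == 0:
        return s, 0.0
    if s > 0:
        z = (s - 1) / sqrt(var)
    elif s < 0:
        z = (s + 1) / sqrt(var)
    else:
        z = 0.0
    return s, z


def sender_follows_trend(addresses, z_crit=1.96):
    """Does one sender's sequence of probed addresses trend up or down?"""
    if len(addresses) < 4:  # too short for the test to say anything
        return False
    return abs(mann_kendall(addresses)[1]) > z_crit


def event_follows_trend(senders, fraction=0.8):
    """Slide rule: the event follows a trend when most (> 80%) senders do."""
    if not senders:
        return False
    trending = sum(sender_follows_trend(seq) for seq in senders.values())
    return trending / len(senders) > fraction


# Constructed sample: last octets of the addresses each sender probed in our /24,
# in arrival order.
SEQUENTIAL = list(range(1, 13))                  # 1, 2, ..., 12
DESCENDING = list(range(250, 10, -20))           # 250, 230, ..., 30 (12 values)
RANDOMISH = [5, 200, 17, 140, 9, 250, 60, 3, 180, 90, 30, 120]

EVENT_TRENDING = {                               # 5 of 6 senders trend -> 83%
    "10.0.0.1": SEQUENTIAL, "10.0.0.2": [a + 40 for a in SEQUENTIAL],
    "10.0.0.3": DESCENDING, "10.0.0.4": [a + 100 for a in SEQUENTIAL],
    "10.0.0.5": [a * 2 for a in SEQUENTIAL], "10.0.0.6": RANDOMISH,
}
EVENT_RANDOM = {"10.0.1.1": RANDOMISH, "10.0.1.2": SEQUENTIAL,
                "10.0.1.3": RANDOMISH[::-1]}     # only 1 of 3 trends

if __name__ == "__main__":
    print("sequential:", mann_kendall(SEQUENTIAL), "randomish:", mann_kendall(RANDOMISH))
    print(event_follows_trend(EVENT_TRENDING), event_follows_trend(EVENT_RANDOM))
```

For a strictly sequential sweep of twelve addresses every pair has a positive sign, so S reaches its maximum of 66 and z is about 4.5; the shuffled sequence gives S = 4, well inside what randomness produces. A descending sweep is also a trend (negative S), which matters because some scanners walk address space downwards.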

31 Uniformity Checking
Goal: detect whether the botnet scans the IP range uniformly.
Technique:
–Chi-square test
–Intuition: put the addresses into bins; the number of scans observed in each bin should be similar
–Significance level of 0.5%
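The binning and chi-square step, as an added example written for this transcript (not the paper's code). It bins the last octet of probed addresses in a /24 into 16 equal-width bins and tests the counts against a uniform expectation at the slide's 0.5% level. One assumption is this example's own: instead of an exact chi-square distribution it uses the Wilson-Hilferty normal approximation so that the block needs no statistics library; the two sample count vectors are constructed.

```python
# Added illustration of the slide's uniformity check; not the paper's code.
from math import sqrt

Z_CRIT_0_5_PERCENT = 2.5758  # upper 0.5% point of the standard normal


def bin_addresses(last_octets, n_bins=16):
    """Histogram of probed addresses (here: the last octet within a /24)
    into n_bins equal-width bins."""
    width = 256 // n_bins
    counts = [0] * n_bins
    for a in last_octets:
        counts[a // width] += 1
    return counts


def chi_square(counts):
    """Pearson chi-square statistic of the bin counts against a uniform
    expectation (same expected count in every bin)."""
    total = sum(counts)
    expected = total / len(counts)
    return sum((o - expected) ** 2 / expected for o in counts)


def chi_square_z(stat, df):
    """Wilson-Hilferty normal approximation: maps a chi-square statistic with
    df degrees of freedom to a standard-normal z (assumption of this example,
    used in place of an exact chi-square CDF; accurate to a few percent of the
    critical value for df >= 3)."""
    c = 2.0 / (9.0 * df)
    return ((stat / df) ** (1.0 / 3.0) - (1.0 - c)) / sqrt(c)


def scans_uniformly(counts, z_crit=Z_CRIT_0_5_PERCENT):
    """True when uniformity cannot be rejected at the 0.5% level, i.e. the
    per-bin scan counts look like a uniform scanner's; False when the bins
    differ more than chance allows (e.g. a hitlist concentrated on live hosts)."""
    if sum(counts) == 0:
        return False
    df = len(counts) - 1
    return chi_square_z(chi_square(counts), df) <= z_crit


# Constructed sample bin counts for two events observed on one /24 (16 bins).
UNIFORM_EVENT = [12, 15, 13, 14, 16, 11, 13, 15, 14, 12, 13, 16, 14, 12, 15, 13]
HITLIST_EVENT = [40, 38, 0, 0, 35, 0, 0, 0, 0, 0, 42, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    for name, counts in (("uniform", UNIFORM_EVENT), ("hitlist", HITLIST_EVENT)):
        print(name, round(chi_square(counts), 2), scans_uniformly(counts))
```

The uniform event's statistic (about 2.5 on 15 degrees of freedom) sits far below the 0.5% critical value of roughly 32.8, while the concentrated event exceeds it by more than an order of magnitude; the approximation only matters for borderline statistics, where an exact chi-square CDF should be used.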

32 Dependency Checking
Goal: do the bots try to stay out of each other's way?
Idea: count the number of addresses that receive zero scans and compare it with the confidence interval of the independent random case.
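The zero-scan-address comparison, as an added worked example for this transcript (not the paper's code). Under the null model that every probe independently picks a uniformly random address in the sensor, the number of addresses left untouched follows the classic occupancy (empty-bins) distribution, whose mean and variance are closed-form; the example builds the 95% interval from them and classifies an observed zero count. The null model, the z = 1.96 interval and the sample inputs are this example's assumptions.

```python
# Added illustration of the slide's dependency check; not the paper's code.
# Assumptions: the sensor is a block of n_addresses equally likely targets,
# the null model is "each probe picks an address independently and uniformly",
# and a 95% normal confidence interval (z = 1.96) is used.
from math import sqrt


def zero_count(probed_addresses, n_addresses):
    """Number of sensor addresses that received no probe at all."""
    return n_addresses - len(set(probed_addresses))


def expected_zero_interval(n_addresses, n_probes, z=1.96):
    """Mean and 95% interval of the zero-scan count under independent uniform
    probing (occupancy formulas for the number of empty bins after s throws)."""
    n, s = n_addresses, n_probes
    p1 = (1 - 1 / n) ** s          # P(one given address stays empty)
    p2 = (1 - 2 / n) ** s          # P(two given addresses both stay empty)
    mean = n * p1
    var = n * p1 + n * (n - 1) * p2 - (n * p1) ** 2
    sd = sqrt(max(var, 0.0))
    return mean, mean - z * sd, mean + z * sd


def classify_dependency(observed_zeros, n_addresses, n_probes):
    """'independent' when the zero count fits the random case; 'coordinated'
    when too few addresses are untouched (bots stay out of each other's way);
    'overlapping' when too many are (bots keep hitting the same addresses)."""
    _, lo, hi = expected_zero_interval(n_addresses, n_probes)
    if observed_zeros < lo:
        return "coordinated"
    if observed_zeros > hi:
        return "overlapping"
    return "independent"


SENSOR = 256  # constructed: one /24 sensor

# Constructed sample: four bots split the /24 into disjoint quarters and each
# sweeps its own quarter once, 256 probes in total, no address left untouched.
COORDINATED_PROBES = [a for a in range(SENSOR)]

if __name__ == "__main__":
    mean, lo, hi = expected_zero_interval(SENSOR, 256)
    print("random case: mean %.1f, 95%% interval [%.1f, %.1f]" % (mean, lo, hi))
    zeros = zero_count(COORDINATED_PROBES, SENSOR)
    print("coordinated sweep leaves", zeros, "untouched ->",
          classify_dependency(zeros, SENSOR, 256))
```

With 256 probes over 256 addresses, independent scanning leaves about 94 addresses untouched (roughly 256/e), with a 95% interval near 84 to 104; a coordinated sweep that partitions the block leaves none, which falls far below the interval and is flagged as coordinated.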




