Presentation is loading. Please wait.

Presentation is loading. Please wait.

Evangelos Markatos, FORTH Network Monitoring for Performance and Security The LOBSTER project Evangelos.

Published byTerence Wells Modified over 9 years ago

Similar presentations

Presentation on theme: "Evangelos Markatos, FORTH Network Monitoring for Performance and Security The LOBSTER project Evangelos."— Presentation transcript:

1 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org1 Network Monitoring for Performance and Security The LOBSTER project Evangelos Markatos Institute of Computer Science (ICS) Foundation for Research and Technology – Hellas (FORTH) Crete, Greece The LOBSTER project

2 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org2 Talk Roadmap Motivation –We need to understand the Internet for better application performance, for early problem diagnosis, and for better security EC-funded work on net. monitoring –R&D: SCAMPI (2001-2005) –Pilot Infrastructure: LOBSTER (2005-2007)

3 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org3 Motivation: Why do we need network traffic monitoring? “…for the most part we really have no idea what’s on the network… We … “can’t measure topology in either direction at any layer can’t get precise one-way delay can’t get an hour of packets from the core can’t get accurate bandwidth/capacity information can’t get anything from the core with real addresses in it” …for the most part we really have no idea what’s on the network… K Claffy, CAIDA 2004

4 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org4 What is the problem? Poor network monitoring capabilities –We suffer malicious cyberattacks such as viruses and worms, spyware, DoS/DDoS –We do not know which applications are running on our networks –“Friendly fire”: unintentional attacks to major Internet services

5 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org5 Cyberattacks continue to plague our networks Famous worm outbreaks: –Summer 2001: Code-Red worm Infected 350,000 computers in 24 hours –January 2003: Sapphire/Slammer worm Infected 75,000 computers in 30 minutes –March 2004: Witty Worm Infected 20,000 computers in 60 minutes

6 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org6 Cyberattacks in palmtops and mobile phones PocketPC virus: –Duts Mobile phone virus: –Cabir –Infects the Symbian operating system

7 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org7 Why do Cyberattacks continue to plague Internet? Defense against worms: –Detection: several minutes (semi-manual) –Fingerprinting (i.e., generate an IDS signature or firewall rule) Hours (manual) –Deployment of signatures to firewalls/IDSs, and patching Minutes to hours

8 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org8 Why do Cyberattacks continue to plague Internet? II –Attack detection, identification, and response/deployment takes hours –Usually too late, when almost all computers have already been infected –Can we respond faster to reduce the damage?

9 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org9 Problem II: Who generates all this traffic? 69% of the traffic is unaccounted-for –Maybe belongs to p2p applications that use dynamic ports –Maybe belongs to media applications –The bottom line is: We don’t know

10 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org10 “Friendly Fire” on the Internet Win 2K and Win XP computers –Started updating root DNS servers –Created significant load to DNS –Not clear why…

11 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org11 Problem summary Our understanding of the Internet needs to be improved The gap between what we can measure and what we need to measure is large and getting larger

12 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org12 Unaccounted traffic is increasing The gap continues to widen with time…

13 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org13 Solution? We need better network monitoring: –Faster: detect worms before they infect the planet –More accurate: close the gap between what we know and what is really going on

14 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org14 Network Monitoring! It is a good idea! “… develop and deploy the technology to make it possible to record a day in the life of the Internet…” Committee on Research Horizons in Networking Clark, Lazowska, Patterson, Paxson, Savage, Zegura, …. 2001

15 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org15 SCAMPI and LOBSTER: two steps for better Internet Monitoring SCAMPI: a SCAlable Monitoring Platform for the Internet LOBSTER: Large Scale Monitoring of Broadband Internet Infrastructure

16 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org16 SCAMPI SCAMPI profile: –IST R&D project –Funded by European Commission –Duration: 1/4/02-31/3/05

17 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org17 SCAMPI: Goals Develop a passive monitoring platform –capture all network traffic and examine it Technology: –Develop a 10 Gbps FPGA-based card –Develop a Monitoring Application Programming Interface (MAPI) –Develop efficient monitoring applications

18 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org18 SCAMPI: Achievements Security - high-speed intrusion detection: –Find all packets that are being sent to my network and contain the “CODE-RED” worm –Find all computers in my network that are infected with backdoors Security - DDOS attack detection Performance analysis –What percentage of my traffic goes to KaZaA? –What is my network latency to http://www.cnn.com?http://www.cnn.com

19 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org19 SCAMPI: Achievements II Portability : MAPI has been ported to –Commodity network interfaces –Endace DAG packet capture cards –SCAMPI card –Partial implementations also exist for Intel IXP network processors

20 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org20 SCAMPI: Achievements III MAPI provides high-level abstractions –Ease of use –More expressive: users can better communicate their monitoring needs to the system [NOMS 03] –Faster: MAPI can capitalize on underlying special- purpose monitoring hardware [MASCOTS 03] The end result: Improved network monitoring capability

21 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org21 The LOBSTER infrastructure LOBSTER –A network of passive Internet traffic monitors –Cooperation: Exchange information and observations Correlate results

22 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org22 LOBSTER SSA LOBSTER profile: –A “Specific Support Action” –Funded by European Commission –27-month project: 1/10/04-31/12/06

23 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org23 Challenging issues I Trust: cooperating sensors may not trust each other –Need to protect private and confidential information –Achieved through multi-level anonymization techniques (un)limited access to internal users Outside users will be able to operate on anonymized data only

24 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org24 Challenging issues II Need a Common Programming Environment –Use DiMAPI (Distributed Monitoring Application Programming Interface) –MAPI developed within the SCAMPI project

25 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org25 Challenging issues III Resilience to attackers: What if intruders penetrate LOBSTER? –Can they have access to private/confidential data? –NO! Hardware anonymization The level of anonymization can be tuned by system administrators

26 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org26 Potential LOBSTER applications: traffic monitoring Accurate traffic monitoring –how much of your bandwidth is going to file sharing applications such as Gnutella? –Which application generates most of the traffic?

27 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org27 Potential LOBSTER applications: Early- warning systems Automatic detection of new worms –Detect worms within minutes Early-warning –Alert administrators+users about potential attacks Timely response to worms –Generate attack signature

28 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org28 Potential LOBSTER applications: GRIDs GRID Performance debugging –GRID-enabled applications are highly dependent on network characteristics Remote data access Remote resource access (e.g. sensors, instruments) Remote computing power –How can we perform complete diagnosis when applications are not working as expected? The local LAN? the WAN? The remote LAN? The local computer? The remote server? A middleware server?

29 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org29 Who can benefit from LOBSTER? NRNs/ISPs –Better Internet traffic monitoring of their networks –Better understanding of their interactions with other NRNs/ISPs Security analysis/researchers –Access to anonymized data –Access to anonymized testbed Study trends and validate research results Network and security administrators –Access to a traffic monitoring infrastructure –Access to early-warning systems –Access to software and tools

30 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org30 Summary Our understanding of the Internet needs to be improved SCAMPI/LOBSTER provide better network monitoring through High-end passive monitoring systems A distributed infrastructure of monitoring systems Trusted cooperation in an untrusted world Common programming platform Infrastructure resilience against attacks

31 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org31 Network Monitoring for Performance and Security The LOBSTER project Evangelos Markatos Institute of Computer Science (ICS) Foundation for Research and Technology – Hellas (FORTH) Crete, Greece The LOBSTER project

32 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org32 LOBSTER partners Research Organizations –ICS-FORTH, Greece –Vrije University, The Netherlands –TNO Telecom, The Netherlands NRNs/ISPs, Associations –CESNET, Czech Republic –UNINETT, Norway –FORTHNET, Greece –TERENA, The Netherlands Industrial Partners –ALCATEL, France –Endace, UK

33 Evangelos Markatos, FORTH http://www.ist-lobster.org info@ist-lobster.org33 SCAMPI partners Research Organizations –ICS-FORTH, Greece –University of Leiden, The Netherlands –Masaryk University, Czech Republic –IMEC, Belgium NRNs/ISPs, Associations –CESNET, Czech Republic –UNINETT, Norway –FORTHNET, Greece –TERENA, The Netherlands Industrial Partners –NETIKOS, Italy –SIEMENS, Germany –4PLUS, Greece

Download ppt "Evangelos Markatos, FORTH Network Monitoring for Performance and Security The LOBSTER project Evangelos."

Similar presentations

Outpost Office Firewall Product presentation. What is Outpost Office Firewall? Software firewall solution designed especially to meet small and medium.

Outpost Office Firewall Product presentation. What is Outpost Office Firewall? Software firewall solution designed especially to meet small and medium.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Design Deployment and Use of the DETER Testbed Terry Benzel, Robert Braden, Dongho Kim, Clifford Informatino Sciences Institute 2008. 10. 22.

Design Deployment and Use of the DETER Testbed Terry Benzel, Robert Braden, Dongho Kim, Clifford Informatino Sciences Institute
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.

Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.
SDN and Openflow.

SDN and Openflow.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Evangelos Markatos, FORTH CyberSecurity Research in Crete Evangelos Markatos Institute of Computer Science.

Evangelos Markatos, FORTH CyberSecurity Research in Crete Evangelos Markatos Institute of Computer Science.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
1 Pertemuan 05 Firewall Matakuliah: H0451/Praktikum Jaringan Komputer Tahun: 2006 Versi: 1/0.

1 Pertemuan 05 Firewall Matakuliah: H0451/Praktikum Jaringan Komputer Tahun: 2006 Versi: 1/0.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Profile-Based Web Intrusion Prevention System by Donovan Thorpe CS526 Fall 2002.

Profile-Based Web Intrusion Prevention System by Donovan Thorpe CS526 Fall 2002.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study
Barracuda Networks Confidential1 Barracuda Backup Service Integrated Local & Offsite Data Backup.

Barracuda Networks Confidential1 Barracuda Backup Service Integrated Local & Offsite Data Backup.

Similar presentations

Ads by Google