Security System for KOREN/APII-Testbed

Presentation on theme: "Security System for KOREN/APII-Testbed"— Presentation transcript:

1 Security System for KOREN/APII-Testbed
Sungkwan Youm, Korea Univ.
A Study of TE for KOREN/APII-Testbed

2 Research Goal
Deploy an attack defense system on KOREN to improve its security.
Yearly plan
2003: Security system design and algorithm proposal
- Proposal of a dynamic and adaptive detection algorithm
- Design of a system that detects and defends against attacks
- Implementation of the signature detector
2004: System implementation and deployment on KOREN
- Implementation of the dynamic detection component
- Implementation of the agent and the manager
The main goal of this research is to deploy an attack defense system on KOREN to improve its security. The first-year goal is the security system design and algorithm proposal: specifically, to propose a dynamic and adaptive detection algorithm, to design a system that detects and defends against attacks, and to implement the signature detector. The second-year goal is to implement the system and deploy it on KOREN; for this we are going to implement the dynamic detection component, the agent and the manager.

3 System Architecture
Diagram components: Agent (Libcap and NetFlow capture, Signature Detector, Anomaly Detector with elementary classification, adaptive classification and flow isolation), Filtering Manager, Security DB, Visualization, the protected Server, an incoming attack, and a link to another agent.
There are two detectors. The first is the signature detector, for which we decided to use Snort; Snort matches patterns against a predefined DB. The second is the anomaly detector, which is used against DDoS attacks. It monitors traffic and maintains a statistical average of packet attributes; if some attribute exceeds its average, the anomaly detector considers that an attack has happened. The signatures created by these two detectors are transferred to the filtering manager and to the other agents' managers, and the filtering manager then performs filtering based on the signatures. The signatures are visualized by a visualization tool.

4 Configuration for Security Agent
Diagram: agents with filtering placed at the protected server and at KOREN routers, a detecting agent, another network, an attacker and a normal user.
This slide shows the configuration of a security agent. It is deployed at the protected server or at a router. If an agent detects an attack, it creates a signature, and the detecting agent transfers this signature to the other agents. They then perform filtering based on the signatures.

5 Signature Detector
- Uses Snort, performing as an NIDS
- Optimized rule set
- Deployed in Suwon and Daejeon
Diagram: KOREN nodes Seoul, Suwon (Snort server), Daejeon (Snort server), Daegu, Busan and Kwangju.
The signature detector uses Snort, a well-known open-source IDS, and performs as an NIDS. Snort has far too many rules, so the rule set needs to be optimized for use in a high-speed network; we removed rules that cause meaningless detections. It is deployed in Suwon ( ) and Daejeon ( ).

6 Signature Detector Detection Results
Alert list (signature, classification, total count and share of all alerts):
[arachNIDS][snort] ICMP PING CyberKit 2.2 Windows | misc-activity | 4690 (15%)
[snort] SCAN Squid Proxy attempt | attempted-recon | 12 (0%)
[snort] SCAN SOCKS Proxy attempt | attempted-recon | 30 (0%)
[snort] SCAN Proxy (8080) attempt
[cve][icat][bugtraq][snort] BAD-TRAFFIC IP Proto 103 (PIM) | non-standard-protocol | 25792 (84%)
[bugtraq][bugtraq][snort] MS-SQL Worm propagation attempt | misc-attack | 2 (0%)
[snort] ICMP superscan echo
[arachNIDS][snort] ICMP PING NMAP
[cve][icat][cve][icat][cve][icat][snort] SNMP public access udp
These are Snort's alert lists. In this result, ICMP superscan echo, SCAN Proxy (8080) attempt, SCAN SOCKS Proxy attempt and SCAN Squid Proxy attempt are likely an attacker's scan of the network. But if the proxy is behind a firewall or on a trusted host, they are normal access into the network and other hosts; if we know the trusted hosts' IPs, we can separate scan attempts from normal access. BAD-TRAFFIC IP Proto 103 (PIM) can be DDoS attack traffic that uses a weak point of Cisco routers, or the Hello messages a router sends to neighboring PIM routers. The OSs of KOREN's routers have a weak point regarding DDoS attacks, so they need to be upgraded or patched. We also detect MS-SQL worm propagation attempts; to defend against this worm, port 1434 needs to be closed or the attack packets filtered.

7 Anomaly Detection Algorithm
Entropy
- Measures the randomness of a packet attribute (e.g. source address)
- Maintains an average of the entropy
- Detects attacks with a threshold setting
Chi-square test
- Measures the distribution of an attribute
- Used for anomaly detection of various packet attributes
We use entropy computation and the chi-square test as anomaly detection algorithms. The first is the entropy computation method; in its formula, P_i is the probability of the i-th of the n values of a packet attribute. Entropy computation measures the randomness of a packet attribute and maintains an average of the entropy; if the current entropy exceeds the average value, an attack can be detected. The chi-square test measures the distribution of an attribute. B is the binning value, which combines a set of possible values into one bin. The chi-square statistic defines N_i as the number of packets whose value falls in the i-th bin under the current state and n_i as the expected number of packets under the typical distribution. This can be used for anomaly detection of various packet attributes.

8 Anomaly Detection Mechanism
Diagram: incoming traffic (attack and normal packets) -> Elementary Classification (a single detecting algorithm, entropy, with low accuracy) -> Suspicious Signature -> Adaptive Classification (multiple detecting algorithms, chi-square, with high accuracy) -> Malicious Signature -> Filtering Manager; the traffic is separated into malicious, suspicious and secure packets.
This slide shows the anomaly detection mechanism. There are two classification processes, elementary classification and adaptive classification. Elementary classification uses a single entropy computation with low accuracy; in other words, this classification is applied widely over attack packets, and this process reduces network congestion. Adaptive classification uses multiple chi-square tests with high accuracy, which reduces the false-detection rate. The signatures created by these two classifications are transferred to the filtering manager.

9 Anomaly Detection Mechanism
Elementary classification
- Applies the suspicious signature with high sensitivity
- Classification is applied widely over attack packets
- Reduces the network congestion problem
- Uses entropy calculation with a low threshold value
Adaptive classification
- Applies the malicious signature with high sensitivity
- Reduces the false-detection rate
- Uses the chi-square test with a high threshold value
This slide repeats the content discussed on the previous slide, so I will skip it.

10 Flowchart of Signature Creation
Flowchart boxes:
- Pick up the next packet's attributes (as sa or ma)
- Calculate the entropy of packet attribute sa and compare it with the average
- Exceeds threshold? (yes / no)
- Update the average value of the entropy
- Create a suspicious signature based on packet attribute sa
- Calculate the chi-square value of packet attribute ma and update its average
- Does the number of packets belonging to the suspicious signature exceed the upper-bound threshold n? (yes / no)
- Calculate the chi-square value of packet attribute ma of the suspicious packets
- Create a malicious signature by adding ma to the suspicious signature
- Filter based on the signatures
This flowchart is the creation process of a signature.

11 Anomaly Detection Process
Example of the detection process
Entropy (about source address): entropy average 7 (threshold 8), current entropy 8.7, signature {Src= }
Chi-square (about packet length): chi-square average 1200 (threshold 1300), current chi-square value 2000, signature {leng=1-64byte}
This slide shows an example of the detection process. The first is entropy computation of the source address: if the entropy average is 7, the threshold is 8 and the current entropy is 8.7, then the detection module creates a signature based on the source address. Next is the chi-square test of the source port number: in this case, if the average value is 1200 and the current value is 2000, then a signature is created with the source port number.
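The entropy and chi-square steps of slide 7, the signature-creation flowchart of slide 10 and the worked numbers above, carried through as an added Python example (not the project's code): the choices sa = source address, ma = packet length, the length bins, the thresholds and the sample traffic are all assumptions.

```python
import math
from collections import Counter

# Constructed sample traffic as (source address, packet length) pairs, not data from the slides.
BASELINE = [(f"10.0.0.{i % 8}", 600 + 64 * (i % 5)) for i in range(200)]   # 8 regular hosts, 600-856 B
ATTACK = [(f"198.51.100.{i % 200}", 40) for i in range(200)]               # 200 spoofed sources, 40 B
WINDOW = BASELINE[:100] + ATTACK                                           # window under inspection
BINS = ((1, 64), (65, 512), (513, 1500))   # assumed packet-length bins B for the chi-square test

def entropy(values):
    """Entropy of one packet attribute: -sum(P_i * log2 P_i) over the observed values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def chi_square(observed, expected):
    """Chi-square statistic sum((N_i - n_i)^2 / n_i); n_i is floored at 1 so that a bin
    the baseline never used does not divide by zero."""
    return sum((o - max(e, 1.0)) ** 2 / max(e, 1.0) for o, e in zip(observed, expected))

def bin_counts(lengths):
    """N_i (or n_i): number of packets whose length falls in the i-th bin."""
    return [sum(lo <= length <= hi for length in lengths) for lo, hi in BINS]

def create_signature(baseline, window, margin=1.0, n_upper=50, chi_threshold=100.0):
    """Slide 10 flowchart with sa = source address and ma = packet length (assumed);
    the running-average update is replaced by the baseline's own entropy."""
    avg_entropy = entropy([s for s, _ in baseline])
    if entropy([s for s, _ in window]) <= avg_entropy + margin:
        return None                                     # elementary classification: normal
    # Suspicious signature: sources in the window that the baseline never saw (assumed form).
    new_sources = {s for s, _ in window} - {s for s, _ in baseline}
    signature = {"src": sorted(new_sources)}
    suspicious_lengths = [length for s, length in window if s in new_sources]
    if len(suspicious_lengths) <= n_upper:
        return signature                                # filter on the suspicious signature
    # Adaptive classification: length distribution of suspicious packets vs the baseline's.
    scale = len(suspicious_lengths) / len(baseline)
    expected = [c * scale for c in bin_counts([length for _, length in baseline])]
    observed = bin_counts(suspicious_lengths)
    if chi_square(observed, expected) <= chi_threshold:
        return signature
    worst = max(range(len(BINS)), key=lambda i: observed[i] - expected[i])
    signature["len"] = BINS[worst]                      # malicious signature: sa plus ma
    return signature

if __name__ == "__main__":
    print(create_signature(BASELINE, WINDOW))   # 200 spoofed sources plus 'len': (1, 64)
```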

12 Anomaly Detector Architecture
Diagram: Monitoring Tool -> Agent (Detecting Module 1, Detecting Module 2, ..., Detecting Module n) -> Anomaly Detection Manager -> suspicious and malicious signatures -> Filtering Manager. Packet attributes: source address, destination address, source port number, destination port number, protocol.
This slide shows the system architecture. First, the monitoring tool collects packet attributes. The detecting modules compute over the attributes and create signatures; these signatures are transmitted to the filtering manager and the other agents, and the filtering manager performs filtering. The anomaly detection manager manages the detecting modules, sets the threshold values and transfers signatures to the other filtering managers. It also provides the user interface.

13 Signature Detector Testing (DDoS)
Testing environment: Master -> Agent (control messages) -> Target (attack packets). Snort at Daejeon ( ): impossible to detect the attack packets. Snort at Suwon ( ): possible to detect the control messages.
Snort's rule set for DDoS attacks focuses on the control messages exchanged between the master and the agent. So, as this slide shows, if Snort is located in the same local network as the master and agent, it can detect their control messages; if it is not, Snort can detect neither the control messages nor the attack packets. We tested Snort to confirm this. We set up TFN2K at the Suwon node as the attack tool and deployed Snort servers at the Suwon and Daejeon nodes.

14 Signature Detector Testing (DDoS)
TFN2K icmp possible communication detection: alert IDs #150 to #153, signature "[snort] tfn2k icmp possible communication", layer-4 protocol ICMP.
DDoS TFN client command BE detection: alert IDs #156 to #161, signature "[snort] DDOS TFN client command BE", layer-4 protocol ICMP.
This slide shows Suwon's Snort test result. It detected "tfn2k icmp possible communication" and "DDOS TFN client command BE", but the Daejeon node's Snort did not create any signature for TFN2K. So we can confirm that if Snort is located in the same local network as the attack tool, it can detect the control messages between master and agent.

15 Anomaly Detector Algorithm Testing (DDoS)
Testing environment: local network (normal traffic) and a DDoS attack (TFN2K) toward the victim; Monitoring Tool (Libcap, NetFlow) -> Attribute DB (source address, destination address, source port number, destination port number, packet length) -> analysis of packet and flow attributes using the detection algorithm.
We also tested the anomaly detection algorithm. This test uses a modified Libcap that gathers packet attributes and NetFlow, which gathers flow attributes. The monitoring data is saved to the attribute DB, and we analyze the attribute DB data by applying the detection algorithm.

16 Anomaly Detector Testing (DDoS)
About packet attributes (two figures: entropy of the source address against packet number; packet length of the packets classified as suspicious)
These are the results of analysis with the detection algorithm. The left figure is the computed entropy of the source address; this process corresponds to elementary classification. The X axis is the packet number and the Y axis is the entropy value. This process detected the 10,000 packets sent by TFN2K; in this case we can detect the DDoS attack by setting the threshold value to 8.5. The second figure analyzes the packet length of the packets that elementary classification detected as suspicious. In this process we decrease the packet sampling size to analyze with higher accuracy. In this result there are three places where the value is more than ; these are normal packets that were falsely detected. We also measured the degree of distribution of normal packets relative to attack packets.

17 Anomaly Detector Testing (DDoS)
This slide shows the result of the chi-square test on the destination address and the source port number. We can separate normal packets from attack packets using the destination address, but using the source port number we cannot classify them. So in this test the source port number is not a valid attribute. In this case, packet length is not a valid attribute.

18 Anomaly Detector Testing (DDoS)
About flow attributes
These are test results that use flow attributes, to find out whether NetFlow can be used as the monitoring tool. As you see, these figures are similar to the analysis of packet attributes, but the overall values of the entropy and the chi-square test are a little lower, so the threshold value needs to be set lower. Therefore the detection algorithm can be applied to both packet and flow attributes.

19 Anomaly Detector Testing (DDoS)
Need to set the threshold value lower

20 Conclusion
- The signature detector detects well-known attacks
- The anomaly detector detects DDoS attacks that the signature detector cannot detect
- The security system will improve KOREN's security
The security system uses a signature IDS and an anomaly IDS. The signature IDS detects attacks with well-known patterns, and the anomaly IDS detects DDoS flooding attacks that cannot be detected by Snort. If we can build a system that controls traffic automatically, without administrator intervention, using the signatures created by the IDSs, it may improve KOREN's security.

21 Future Works
- Monitor malicious traffic using the signature detector
- Design the filtering manager
- Implement the detecting module
We will continue to monitor and analyze malicious traffic using the signature detector, and we plan to design the filtering manager and implement the detecting module.

