
Network Intrusion Detection and Mitigation



Presentation Transcript


  1. Network Intrusion Detection and Mitigation
     Yan Chen
     Northwestern Lab for Internet and Security Technology (LIST)
     Department of Computer Science, Northwestern University
     http://list.cs.northwestern.edu

  2. Our Theme
     • Internet is becoming a new infrastructure for service delivery
        • World wide web
        • VoIP
        • Email
        • Interactive TV?
     • Major challenges for Internet-scale services
        • Scalability: 600M users, 35M Web sites, 2.1Tb/s
        • Security: viruses, worms, Trojan horses, etc.
        • Mobility: ubiquitous devices in phones, shoes, etc.
        • Agility: dynamic systems/network, congestions/failures
        • Ossification: extremely hard to deploy new technology in the core

  3. Battling Hackers is a Growth Industry! -- Wall Street Journal (11/10/2004)
     • The past decade has seen an explosion in the concern for the security of information
     • Internet attacks are increasing in frequency, severity and sophistication
     • Denial of service (DoS) attacks
        • Cost $1.2 billion in 2000
        • Thousands of attacks per week in 2001
        • Yahoo, Amazon, eBay, Microsoft, White House, etc., attacked

  4. Battling Hackers is a Growth Industry (cont’d)
     • Viruses and worms are faster and more powerful
        • Melissa, Nimda, Code Red, Code Red II, Slammer …
        • Caused over $28 billion in economic losses in 2003, growing to over $75 billion in economic losses by 2007
        • Code Red (2001): infected >360K machines in 13 hours - $2.4 billion loss
        • Slammer (2003): infected >75K machines in 10 minutes - $1 billion loss
     • Spyware is ubiquitous
        • 80% of Internet computers have spyware installed

  5. The Spread of Sapphire/Slammer Worms

  6. How can it affect cell phones?
     • The Cabir worm can infect a cell phone
        • Infects phones running Symbian OS
        • Started in the Philippines at the end of 2004, surfaced in Asia, Latin America, Europe, and recently in the US
        • Poses as a security management utility
        • Once a phone is infected, the worm propagates itself to other phones via Bluetooth wireless connections
     • Symbian officials said security was a high priority of the latest software, Symbian OS Version 9
     • With ubiquitous Internet connections, more severe viruses/worms for mobile devices will happen soon …

  7. The Current Internet: Connectivity and Processing
     [diagram: premises-based access networks (LAN, WLAN, cable modem, DSLAM, analog/RAS) connect through operator-based core and transit networks with private and public peering (NAP); regional wireline and regional cellular networks carry voice (PSTN), cell data and H.323 data]

  8. Current Intrusion Detection Systems (IDS)
     • Mostly host-based and not scalable to high-speed networks
        • Slammer worm infected 75,000 machines in <10 mins
        • Host-based schemes are inefficient and user dependent
        • Have to install IDS on all user machines!
     • Mostly signature-based
        • Cannot recognize unknown anomalies/intrusions
        • New viruses/worms, polymorphism

  9. Current Intrusion Detection Systems (II)
     • Statistical detection
        • Hard to adapt to traffic pattern changes
        • Unscalable for flow-level detection
           • IDS vulnerable to DoS attacks
           • WiMAX, up to 134Mbps: 10 min of traffic may take 4GB of memory
        • Overall traffic based: inaccurate, high false positives
     • Cannot differentiate malicious events from unintentional anomalies
        • Anomalies can be caused by network element faults
           • E.g., router misconfiguration, signal interference in wireless networks, etc.

  10. Adaptive Intrusion Detection System for Wireless Networks (WAIDM)
     • Online traffic recording and analysis for high-speed WiMAX networks
        • Leverage sketches for data streaming computation
        • Record millions of flows (GB of traffic) in a few kilobytes
     • Online adaptive flow-level anomaly/intrusion detection and mitigation
        • Leverage statistical learning theory (SLT) to adaptively learn traffic pattern changes
        • Use statistics from the MIB of the Access Point to understand the wireless network status
           • E.g., busy vs. idle wireless networks, with different levels of interference, etc.
        • Unsupervised learning without knowing the ground truth

  11. WAIDM Systems (II)
     • Integrated approach for false positive reduction
        • 802.16 signature-based detection
        • WiMAX network element fault diagnostics
        • Traffic signature matching of emerging applications
     • Hardware speedup for real-time detection
        • Collaborated with Gokhan Memik (ECE of NU)
        • Try various hardware platforms: FPGAs, network processors

  12. WAIDM Deployment
     • Attached to a switch connecting BSs as a black box
     • Enable the early detection and mitigation of global-scale attacks
     • Highly ranked as “powerful and flexible" by the DARPA research agenda
     [diagram: (a) original configuration: users, 802.16 BSs, switch/BS controller, Internet; (b) WAIDM deployed: the WAIDM system attached to the scan port of the switch/BS controller]

  13. GRAID Sensor Architecture
     [diagram: Part I, sketch-based monitoring & detection (modules on the critical path): streaming packet data → reversible k-ary sketch monitoring → sketch-based statistical anomaly detection (SSAD); local sketch records are sent out for aggregation as remote aggregated sketch records; keys of suspicious flows go to filtering, keys of normal flows pass through as normal flows. Part II, per-flow monitoring & detection (modules on the non-critical path): suspicious flows → per-flow monitoring → statistical detection, signature-based detection, network fault detection and traffic profile checking → intrusion or anomaly alarms to fusion centers. Legend: data path, control path]

  14. Scalable Traffic Monitoring and Analysis - Challenge
     • Potentially tens of millions of time series!
        • Need to work at a very low aggregation level (e.g., IP level)
        • Each access point (AP) can have 200 Mbps – a collection of 10-100 APs can easily go up to 2-20 Gbps
        • The Moore’s Law on traffic growth …
     • Per-flow analysis is too slow or too expensive
     • Want to work in near real time

  15. Sketch-based Change Detection (ACM SIGCOMM IMC 2003, 2004)
     [diagram: (key, update) input stream → sketch module → sketches → forecast module(s) → error sketch → change detection module → alarms]
     • Input stream: (key, update)
     • Summarize input stream using sketches
     • Build forecast models on top of sketches
     • Report flows with large forecast errors
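The four-step pipeline on this slide, worked through as an added example; this is not code from the slides or from the authors' implementation. A k-ary sketch (H rows of K counters, unbiased per-row estimate, median across rows) summarizes each interval's (key, update) stream; because sketches are linear, an EWMA forecast sketch and an error sketch (observed minus forecast) are built bucket by bucket, and a key is reported when its estimated forecast error exceeds T times the square root of the error sketch's estimated second moment F2. The sketch sizes, the smoothing factor alpha, the alarm factor T, the blake2b-with-salt hash family and the synthetic traffic (per-source byte counts, with one source spiking in the last interval) are all assumptions made for the example. One simplification is labelled in the code: candidate keys are taken from the interval's own key set, whereas the reversible k-ary sketch of the following slides recovers the heavy-change keys from the sketch itself.

```python
import hashlib
import math
import random
import statistics


class KArySketch:
    """k-ary sketch: H rows of K counters; row r indexes a key by its r-th hash.
    Sketches are linear, so forecast and error sketches can be built
    bucket by bucket from observed sketches."""

    def __init__(self, H=5, K=256):
        self.H, self.K = H, K
        self.rows = [[0.0] * K for _ in range(H)]
        self.total = 0.0  # sum of all updates, used by the unbiased estimator

    def _bucket(self, r, key):
        # A different salt per row gives each row an independent hash function
        # (assumed hash family for this example).
        h = hashlib.blake2b(key.encode(), digest_size=8, salt=bytes([r])).digest()
        return int.from_bytes(h, "big") % self.K

    def update(self, key, value):
        for r in range(self.H):
            self.rows[r][self._bucket(r, key)] += value
        self.total += value

    def estimate(self, key):
        """Unbiased per-row estimate of the key's value, median across rows."""
        per_row = [(self.rows[r][self._bucket(r, key)] - self.total / self.K)
                   / (1.0 - 1.0 / self.K) for r in range(self.H)]
        return statistics.median(per_row)

    def second_moment(self):
        """Estimate of F2 = sum over keys of value^2, median across rows."""
        per_row = []
        for row in self.rows:
            s, s2 = sum(row), sum(v * v for v in row)
            per_row.append(self.K / (self.K - 1) * s2 - s * s / (self.K - 1))
        return statistics.median(per_row)


def linear_combination(a, b, wa, wb):
    """Return the sketch wa*a + wb*b (valid because sketches are linear)."""
    out = KArySketch(a.H, a.K)
    for r in range(a.H):
        out.rows[r] = [wa * x + wb * y for x, y in zip(a.rows[r], b.rows[r])]
    out.total = wa * a.total + wb * b.total
    return out


class SketchChangeDetector:
    """Per interval: summarize (key, update) pairs into an observed sketch,
    compare with an EWMA forecast sketch, and flag keys whose estimated
    forecast error exceeds T * sqrt(F2(error sketch)). alpha and T are
    assumed tuning constants."""

    def __init__(self, H=5, K=256, alpha=0.5, T=0.5):
        self.H, self.K, self.alpha, self.T = H, K, alpha, T
        self.forecast = None

    def process_interval(self, updates):
        observed = KArySketch(self.H, self.K)
        keys = set()
        for key, value in updates:
            observed.update(key, value)
            keys.add(key)
        if self.forecast is None:
            self.forecast = observed  # first interval only seeds the forecast
            return []
        error = linear_combination(observed, self.forecast, 1.0, -1.0)
        threshold = self.T * math.sqrt(max(error.second_moment(), 0.0))
        # Simplification: candidate keys come from the interval's own key set;
        # the reversible sketch of the slides recovers them from the sketch itself.
        alarms = sorted(k for k in keys if abs(error.estimate(k)) > threshold)
        # EWMA update: forecast_{t+1} = alpha * observed_t + (1 - alpha) * forecast_t
        self.forecast = linear_combination(observed, self.forecast,
                                           self.alpha, 1.0 - self.alpha)
        return alarms


def synthetic_interval(rng, n_keys=1000, spike_key=None, spike=0):
    """Constructed traffic: byte counts per source address for one interval."""
    updates = []
    for i in range(n_keys):
        key = f"10.0.{i // 256}.{i % 256}"
        value = rng.randint(50, 150) + (spike if key == spike_key else 0)
        updates.append((key, value))
    return updates


def run_demo():
    """Three quiet intervals, then one in which 10.0.0.7 sends 5000 extra bytes."""
    rng = random.Random(7)
    detector = SketchChangeDetector()
    results = []
    for interval in range(4):
        spike = {"spike_key": "10.0.0.7", "spike": 5000} if interval == 3 else {}
        results.append(detector.process_interval(synthetic_interval(rng, **spike)))
    return results


if __name__ == "__main__":
    for i, alarms in enumerate(run_demo()):
        print(f"interval {i}: alarms={alarms}")
```

The memory footprint is H × K counters regardless of how many keys appear, which is the property the next slide's "millions of flows in a few kilobytes" claim rests on; the price is that a key's estimate carries noise from the other keys hashed into its bucket, which the median across rows and the F2-relative threshold absorb.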

  16. Evaluation of Reversible K-ary Sketch
     • Evaluated with a tier-1 ISP trace and NU traces
     • Scalable
        • Can handle tens of millions of time series
     • Accurate
        • Provable probabilistic accuracy guarantees
        • Even more accurate on real Internet traces
     • Efficient
        • For the worst-case traffic, all 40-byte packets:
           • 16 Gbps on a single FPGA board
           • 526 Mbps on a Pentium-IV 2.4GHz PC
        • Less than 3MB of memory used
     • Patent filed

  17. GRAID Sensor Architecture (same figure as slide 13)

  18. Current IDS Insufficient for Wireless Networks
     • Most existing IDS are signature-based
        • Especially for wireless networks
        • Detect denial-of-service attacks caused by the WEP authentication vulnerability, e.g., Airespace
     • Current statistical IDS have manually set parameters
        • Cannot adapt to traffic pattern changes
        • However, wireless networks often have transient connections
        • Hard to differentiate collisions, interference, and attacks

  19. Statistical Anomaly/Intrusion Detection and Mitigation for Wireless Networks
     • Use statistics from the MIB of the AP to understand the current wireless network status
        • Interference Detection MIB Group
           • Retry count, FCS err count, Failed count …
        • Intrusion Detection MIB Group
           • Duplicate count, Authentication failure count, EAP negotiation failure count, Abnormal termination percentage …
        • DoS Detection MIB Group
           • Auth flood to BS, De-Auth flood to SS
     • Automatically adapt to different learned profiles on observing status changes

  20. Preliminary Algorithm
     [flowchart: Collect MIBs → Process Interference/Collision MIB Group → Process Intrusion Detection MIB Group → Process DoS MIB Group, each with L (low) / H (high) branches leading to the Interference, Intrusion and DoS Attack outcomes]
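The MIB-group algorithm of slides 19 and 20, with the adaptive profiles of slide 19, as an added example; it is not code from the slides or from the WAIDM project. The three counter groups follow the names on slide 19, but the counter identifiers, the threshold rule (a counter is H when it exceeds mean + k·std of a learned profile), the warm-up length, and the sample MIB deltas are all constructed for the example. The adaptation mechanism is one reading of "different learned profiles on observing status changes": a separate baseline is kept for the idle and the interfered channel condition, and the intrusion and DoS groups are judged against the profile of the condition the AP is currently in, so authentication failures that are normal under heavy interference do not fire as intrusions. Only intervals not flagged as attacks update a profile, which keeps the learning unsupervised without letting an attack become the baseline.

```python
import math
import random
from dataclasses import dataclass

# MIB counter groups, following the three groups named on slide 19
# (counter names are constructed for this example, not an actual 802.11/802.16 MIB).
INTERFERENCE_GROUP = ("retry_count", "fcs_err_count", "failed_count")
INTRUSION_GROUP = ("duplicate_count", "auth_failure_count", "eap_failure_count")
DOS_GROUP = ("auth_flood_count", "deauth_flood_count")


@dataclass
class RunningStats:
    """Welford's online mean/variance for one counter within one profile."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def add(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def std(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class AdaptiveMibDetector:
    """Classifies one interval of per-AP MIB counter deltas as normal,
    interference, intrusion or dos. A separate profile is learned for the
    idle and the interfered wireless condition, so intrusion/DoS counters
    are judged against the baseline of the condition the AP is currently in."""

    def __init__(self, k=3.0, min_samples=10):
        self.k = k                      # threshold = mean + k * std (assumed rule)
        self.min_samples = min_samples  # warm-up before a counter can fire
        self.profiles = {"idle": {}, "interfered": {}}

    def _group_high(self, profile, counters, group):
        """'H' if any counter in the group exceeds its learned threshold."""
        for name in group:
            stats = profile.get(name)
            if stats is None or stats.n < self.min_samples:
                continue  # still learning this counter: treat as L
            if counters[name] > stats.mean + self.k * max(stats.std(), 1.0):
                return True
        return False

    def classify(self, counters):
        # Step 1: interference/collision group against the idle profile
        interfered = self._group_high(self.profiles["idle"], counters, INTERFERENCE_GROUP)
        condition = "interfered" if interfered else "idle"
        profile = self.profiles[condition]
        # Steps 2-3: DoS and intrusion groups against the matching profile
        if self._group_high(profile, counters, DOS_GROUP):
            verdict = "dos"
        elif self._group_high(profile, counters, INTRUSION_GROUP):
            verdict = "intrusion"
        else:
            verdict = "interference" if interfered else "normal"
        # Unsupervised adaptation: only intervals not flagged as attacks
        # update the profile of the condition they were observed under.
        if verdict in ("normal", "interference"):
            for name, value in counters.items():
                profile.setdefault(name, RunningStats()).add(value)
        return verdict


def sample(rng, base, jitter):
    """Constructed MIB deltas: base values plus bounded per-counter jitter."""
    return {name: base[name] + rng.randint(-jitter.get(name, 0), jitter.get(name, 0))
            for name in base}


def run_demo():
    """Quiet channel, then benign interference, then an intrusion under
    interference and an auth/de-auth flood on the quiet channel."""
    rng = random.Random(3)
    det = AdaptiveMibDetector()
    idle = {"retry_count": 5, "fcs_err_count": 2, "failed_count": 1,
            "duplicate_count": 3, "auth_failure_count": 1, "eap_failure_count": 0,
            "auth_flood_count": 0, "deauth_flood_count": 0}
    busy = dict(idle, retry_count=60, fcs_err_count=40, failed_count=20,
                duplicate_count=10, auth_failure_count=6, eap_failure_count=1)
    jitter = {"retry_count": 1, "fcs_err_count": 1, "failed_count": 1,
              "duplicate_count": 1, "auth_failure_count": 1}
    busy_jitter = dict(jitter, retry_count=3, fcs_err_count=3, failed_count=2,
                       eap_failure_count=1)
    verdicts = []
    for _ in range(20):                       # quiet channel
        verdicts.append(det.classify(sample(rng, idle, jitter)))
    for _ in range(12):                       # heavy interference, benign
        verdicts.append(det.classify(sample(rng, busy, busy_jitter)))
    # authentication/EAP failures far above the interfered baseline
    verdicts.append(det.classify(dict(busy, auth_failure_count=60, eap_failure_count=30)))
    # auth/de-auth flood on a quiet channel
    verdicts.append(det.classify(dict(idle, auth_flood_count=500, deauth_flood_count=300)))
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

Note the ordering: the interference group is always judged against the idle profile, because it is the signal that selects the profile for the remaining groups; judging it against the interfered profile would let a persistently noisy channel redefine itself as quiet.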

  21. Intrusion Detection and Mitigation

  22. GRAID Sensor Architecture (same figure as slide 13, with the sketch-based monitoring and SSAD modules labelled SIGCOMM04)

  23. Research methodology: a combination of theory, synthetic/real trace driven simulation, and real-world implementation and deployment

  24. Potential Collaborative Research Areas with Motorola
     • Wireless virus/worm detection
     • Spyware detection
        • Both by operators at the infrastructure level (e.g., access point)
     • Intrusion detection and mitigation for cellular network infrastructure
     • Automatic attack response and survival for Motorola infrastructure products

  25. Thank You! More Questions?