Northwestern Lab for Internet and Security Technology LIST - PowerPoint PPT Presentation
Presentation Transcript

[Figure: three GRAID deployment diagrams, panels (a), (b), (c). Labels: Internet, LAN, Switch, Splitter, Router, End hosts, GRAID sensor, IDS, IDS + SFC, scan port, CDDHT Mesh, Overlay Network Operation Center, Attack Injected, GRAID Coverage]

Current Intrusion Detection Systems and Shortcomings

Mostly host-based and not scalable to high-speed networks

Mostly signature-based and cannot recognize unknown anomalies/intrusions

Isolated or centralized systems

Slammer worm infected 75,000 machines in <10 mins

Polymorphic/new viruses/worms

Insufficient info for causes, patterns and prevalence of global-scale attacks

Our theme: challenges for Internet as a new infrastructure for service delivery

Un-trusted: security (viruses, worms, etc.)

Highly dynamic: congestion/failures

Stanford, UC San Diego, HP Labs

Northwestern Lab for Internet and Security Technology (LIST)
Yan Chen, [email protected]
Department of Computer Science, Northwestern University
http://www.cs.northwestern.edu/~ychen

Global Router-based Anomaly/Intrusion Detection (GRAID) Systems

Multiple GRAID sensors interconnect through distributed hash table (DHT) for alarm fusion with

Scalability

Load balancing

Fault-tolerance

Intrusion correlation

Online traffic recording and analysis for high-speed routers

[Figure: Architecture of a GRAID sensor. Labels: streaming packet data; Part I, sketch-based monitoring & detection (reversible k-ary sketch monitoring, local sketch records, remote aggregated sketch records sent out for aggregation, sketch based statistical anomaly detection (SSAD), keys of suspicious flows, keys of normal flows, normal flows, suspicious flows); Part II, per-flow monitoring & detection (filtering, statistical detection, signature-based detection, per-flow monitoring, traffic profile checking, network fault detection, integrated approach for false positive reduction, intrusion or anomaly alarms); modules on the critical path / modules on the non-critical path; data path / control path]

Attach GRAID sensors to high-speed routers: (a) original configuration, (b) distributed configuration in which each port is monitored separately, (c) aggregate configuration in which a splitter aggregates the traffic from all the ports of a router.

Sample hardware: FPGA board used to implement the sketch-based traffic stream monitoring (courtesy of Prof. Memik of ECE Dept)

Hardware implementation of critical-path for real-time detection
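The sketch-based monitoring and change-detection stage of the sensor, as an added Python example that is not code from LIST or the GRAID project: a k-ary sketch summarises per-source packet counts in H rows of K counters, the sketch of one interval is subtracted from the next (sketches are linear) to obtain a sketch of the change, and the change for each candidate key is estimated with the k-ary estimator (bucket count minus total/K, scaled by 1/(1 - 1/K), median across rows). Assumptions: the hash functions are row-keyed SHA-256 standing in for a universal hash family, the forecast for an interval is simply the previous interval, the traffic counts are constructed, and the reversible property (recovering suspicious keys directly from the sketch without a candidate list) is not implemented; candidates are the keys observed in the current interval.

```python
import hashlib
from collections import Counter
from statistics import median

K = 64   # buckets per hash function
H = 5    # number of independent hash functions (rows)


def bucket(row, key):
    """Map a flow key to one of K buckets in the given row.

    Assumption: a row-keyed SHA-256 stands in for a universal hash family.
    """
    digest = hashlib.sha256(f"{row}|{key}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % K


class KarySketch:
    """Fixed-size summary of a stream of (key, value) updates, here (source IP, packets)."""

    def __init__(self, table=None, total=0):
        self.table = table if table is not None else [[0] * K for _ in range(H)]
        self.total = total

    def update(self, key, value=1):
        for row in range(H):
            self.table[row][bucket(row, key)] += value
        self.total += value

    def estimate(self, key):
        """Per-row estimate (bucket - total/K) / (1 - 1/K); the median across rows damps collisions."""
        ests = []
        for row in range(H):
            c = self.table[row][bucket(row, key)]
            ests.append((c - self.total / K) / (1 - 1 / K))
        return median(ests)

    def minus(self, other):
        """Sketches are linear: bucket-wise subtraction gives the sketch of the change."""
        table = [[a - b for a, b in zip(r1, r2)] for r1, r2 in zip(self.table, other.table)]
        return KarySketch(table, self.total - other.total)


def sketch_of(counts):
    """Build a sketch from a {key: count} mapping for one measurement interval."""
    s = KarySketch()
    for key, value in counts.items():
        s.update(key, value)
    return s


def detect_changes(prev, curr, candidates, threshold):
    """Keys whose estimated packet-count change between two intervals exceeds threshold."""
    delta = curr.minus(prev)   # forecast = previous interval (assumption)
    return sorted(k for k in candidates if delta.estimate(k) > threshold)


def constructed_intervals():
    """Constructed per-source packet counts for two consecutive intervals."""
    prev = Counter({f"10.0.0.{i}": 20 for i in range(1, 41)})   # steady background
    curr = Counter(prev)
    curr["10.0.0.7"] += 500   # one source bursts; should raise an alarm
    curr["10.0.0.12"] += 5    # ordinary fluctuation; should not alarm
    return prev, curr


if __name__ == "__main__":
    prev, curr = constructed_intervals()
    sp, sc = sketch_of(prev), sketch_of(curr)
    print("flagged sources:", detect_changes(sp, sc, curr.keys(), threshold=100))
    print("estimated packets from 10.0.0.7:", round(sc.estimate("10.0.0.7")))
```

The sketch itself occupies H*K counters regardless of how many sources appear, which is what makes it suitable for the critical path on a high-speed router; the threshold here is a fixed count, whereas a statistical detector would derive it from the forecast error distribution of earlier intervals.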

Tomography-based Overlay network Monitoring (TOM)

Real Adaptive Streaming Media on TOM

Challenge: Given an overlay of n end hosts and O(n^2) paths, how to select a minimal subset of paths to monitor so that the loss rates/latency of all other paths can be inferred.

Overlay network monitoring essential for

Overlay routing/location

VPN management/provisioning

Service redirection/placement

Link failure/congestion diagnosis

Requirements for E2E monitoring system

Scalable & efficient: small amount of probing traffic

Accurate: capture congestion/failures

Adaptive: nodes join/leave, topology changes

Robust: tolerate measurement errors

Balanced measurement load

UC Berkeley

Our solution: Select a basis set of k paths that fully describes the O(n^2) paths (k = O(n log n)). Monitor the loss rates of the k paths, and infer the loss rates of all other paths

Adaptive to topology changes

Balanced measurement load

Topology measurement error tolerance
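The basis-path selection and inference described above, as an added Python example that is not code from LIST or the TOM papers: each path is a row of a path-by-link matrix G, a greedy rank-revealing pass keeps only paths that are linearly independent of those already kept, and the loss rate of every other path is inferred from the probed ones through the transform x = log(1 - p), under which path loss is additive over links and so follows the same linear combination as the path vectors. The topology (six hosts behind two routers) and the per-link loss rates are constructed; the exact-arithmetic reduction with fractions is this example's own choice; the k it finds is the rank of G, which for this topology equals the number of links (7 of 15 paths); and the check of inferred rates against ground truth goes beyond what the poster states.

```python
from fractions import Fraction
from itertools import combinations
from math import exp, log

# Constructed overlay: three hosts behind router r1, three behind r2, one
# inter-router link. Seven IP-layer links are shared by fifteen overlay paths.
ROUTER = {"A": "r1", "B": "r1", "C": "r1", "D": "r2", "E": "r2", "F": "r2"}
HOSTS = sorted(ROUTER)
LINKS = [f"{h}-{ROUTER[h]}" for h in HOSTS] + ["r1-r2"]
# Constructed per-link loss; only used to produce "measured" path loss and to
# check the inference. A monitor never observes these directly.
LINK_LOSS = {"A-r1": 0.01, "B-r1": 0.0, "C-r1": 0.02, "D-r2": 0.0,
             "E-r2": 0.03, "F-r2": 0.0, "r1-r2": 0.05}


def path_links(src, dst):
    """IP-layer links traversed by the overlay path src -> dst."""
    hops = [f"{src}-{ROUTER[src]}"]
    if ROUTER[src] != ROUTER[dst]:
        hops.append("r1-r2")
    hops.append(f"{dst}-{ROUTER[dst]}")
    return hops


def path_vector(src, dst):
    """Row of G: 1 where the path uses the link, else 0 (exact arithmetic)."""
    used = set(path_links(src, dst))
    return [Fraction(int(link in used)) for link in LINKS]


def true_path_loss(src, dst, link_loss=LINK_LOSS):
    """Loss composes multiplicatively along a path: 1 - p = prod(1 - l_i)."""
    survive = 1.0
    for link in path_links(src, dst):
        survive *= 1.0 - link_loss[link]
    return 1.0 - survive


class PathBasis:
    """Greedy selection of independent path rows; each reduced row remembers
    its expansion in terms of the chosen original paths."""

    def __init__(self):
        self.rows = []     # (pivot column, reduced vector, {path: coefficient})
        self.chosen = []

    def _reduce(self, vec):
        w, combo = list(vec), {}
        for pivot, row, row_combo in self.rows:
            if w[pivot] != 0:
                f = w[pivot] / row[pivot]
                w = [a - f * b for a, b in zip(w, row)]
                for path, c in row_combo.items():
                    combo[path] = combo.get(path, Fraction(0)) - f * c
        return w, combo      # invariant: w == vec + sum(combo[p] * vector(p))

    def add(self, path, vec):
        """Keep the path only if its vector is independent of the rows so far."""
        w, combo = self._reduce(vec)
        pivot = next((j for j, x in enumerate(w) if x != 0), None)
        if pivot is None:
            return False
        combo[path] = combo.get(path, Fraction(0)) + 1
        self.rows.append((pivot, w, combo))
        self.chosen.append(path)
        return True

    def express(self, vec):
        """Coefficients c with vec == sum(c[p] * vector(p)); None if outside the span."""
        w, combo = self._reduce(vec)
        if any(x != 0 for x in w):
            return None
        return {path: -c for path, c in combo.items()}


def plan_monitoring(hosts=HOSTS):
    """Scan every host pair once; the surviving rows are the k paths to probe."""
    basis, all_paths = PathBasis(), list(combinations(hosts, 2))
    for path in all_paths:
        basis.add(path, path_vector(*path))
    return basis, all_paths


def infer_loss_rates(basis, measured, all_paths):
    """From the k measured loss rates, infer the loss rate of every path via x = log(1 - p)."""
    x = {path: log(1.0 - p) for path, p in measured.items()}
    inferred = {}
    for path in all_paths:
        coeffs = basis.express(path_vector(*path))
        inferred[path] = 1.0 - exp(sum(float(c) * x[p] for p, c in coeffs.items()))
    return inferred


if __name__ == "__main__":
    basis, all_paths = plan_monitoring()
    measured = {p: true_path_loss(*p) for p in basis.chosen}
    inferred = infer_loss_rates(basis, measured, all_paths)
    print(f"probe {len(basis.chosen)} of {len(all_paths)} paths: {basis.chosen}")
    for path in all_paths:
        tag = "probed" if path in measured else "inferred"
        print(f"{path[0]}->{path[1]}: {inferred[path]:.4f} ({tag}, true {true_path_loss(*path):.4f})")
```

Because the inference reuses the same linear combination that expresses an unprobed path's row in terms of the basis rows, no link-level loss rates are ever solved for, which is what keeps the method usable when the underlying topology is only partially known; measurement noise on a probed path propagates to every inferred path that depends on it, which is why the poster lists error tolerance and balanced measurement load as separate requirements.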

Implemented with Winamp client and SHOUTcast server

Congestion introduced with a Packet Shaper

Skip-free playback: server buffering and rewinding

Total adaptation time < 4 seconds

See our paper in

Collaborators
