
Real-time Detection and Containment of Network Attacks using QoS Regulation


Presentation Transcript


  1. Real-time Detection and Containment of Network Attacks using QoS Regulation
     Seong Soo Kim and A. L. Narasimha Reddy
     Computer Engineering, Department of Electrical Engineering, Texas A&M University
     {skim, reddy}@ee.tamu.edu

  2. Outline
     • Introduction and Motivation
     • Our Approach
     • Implementation
     • Experiments & Discussion
     • Conclusion
     Texas A & M University, ICC 2005

  3. Contents
     • Introduction and Motivation
     • Our Approach
       • Nature of Network Attacks in Protocol
       • Structure of flexible buffer management
         • non class-based -> flexible -> class-based buffer management
     • Implementation
       • Weighted Fair Queuing
       • Thresholds
       • Exponential Weighted Moving Average (EWMA)
     • Experiment & Discussion
       • Input Traffic by Protocol and Detection
       • Output Traffic by Protocol
       • Forwarded Traffic by Protocol
       • Evaluation of Anomaly Detection
     • Conclusion

  4. Attack / Anomaly
     • Bandwidth attacks/anomalies, flash crowds
     • DoS (Denial of Service): TCP SYN flood, UDP flooding, ICMP echo reply
     • Typical types:
       • Single attacker (DoS)
       • Multiple attackers (DDoS)
       • Multiple victims (worm)

  5. Motivation (1)
     • Current network-centric approaches are attack-specific
       • TCP SYN: by handling TCP SYN cookies or TCP SYN
       • ICMP: by turning off ICMP echo reply
       • These attack-specific approaches become ineffective with DDoS -> need general & aggregate mechanisms
     • Previous studies looked at individual flow-based mechanisms
       • Partial state
       • RED-PD
       • These become ineffective with DDoS -> need resource-based regulation
     • Link speeds are increasing
       • Need simple, effective mechanisms that can be implemented at line speed
     -> Class-based buffer management

  6. Motivation (2)
     • Class-based buffer management
       • Rate control, window control, weighted fair queuing
       • Always parses packets and assigns them to designated buffers, although most of the time traffic is normal
       • Becomes ineffective when traffic changes dynamically, because the rates per protocol or resource are predefined and fixed
     • Flexible buffer management
       • Normal: non class-based
       • Attack: class-based
       • Monitoring during normal times, switching during attack

  8. Nature of Network Attacks in Protocol
     [Table: typical attacks and their protocols]
     • Most network attacks are protocol specific, because they are staged by software exploiting a specific vulnerability
     • Various kinds of attacks are staged in different protocols
     • Hence the utility of class-based regulation

  9. Structure of flexible buffer management
     [Figure: input traffic -> Attack Detector (detect signal) -> Switch -> either the non class-based path (all in one queue: ICMP, TCP, UDP, Etc.; RED/DropTail) or the class-based path (Classify -> per-protocol queues ICMP, TCP, UDP, Etc. -> WFQ; RED/DropTail) -> output traffic]
     • Non class-based management in normal times
       • Monitoring the ICMP traffic i(t), TCP traffic t(t), UDP traffic u(t) and etc. traffic e(t)
       • Anomaly detection through the variation of the input traffic per protocol
     • Switching to class-based management during attack

  11. Weighted Fair Queuing
      [Figure: the proportion of major protocols over two different traffic traces]
      • Wide-sense stationary (WSS) property: the traffic-volume ratios of each protocol are stationary over long time periods
      • 4 classes: ICMP, TCP, UDP and etc.
      • During normal times, the weights for each class (protocol) are set
      • These weights are adjustable according to input traffic

  12. Thresholds (1)
      • Traffic volume-based thresholds
        • TH: high threshold, monitoring abnormal increases of a specific protocol's traffic
        • TL: low threshold, monitoring abnormal decreases
      • TCP usually occupies most of the traffic
        • In case of a TCP attack, the attack could be detected indirectly through the other protocols
        • Other indicators may be more sensitive

  13. Thresholds (2)
      • 3σ-based threshold
        • The thresholds can be set at 3σ of the normal distribution of each individual protocol
      • Detection of anomalies

  14. Exponential Weighted Moving Average (EWMA)
      • To accommodate the dynamics of traffic, a moving average of each protocol's traffic is applied
        • Filters out short-term noise
      • Operation modes
        • Non class-based: FCFS
        • Class-based: weighted round robin
        • Buffer management: RED or drop-tail
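As an added example (not the authors' code), the monitoring path of slides 9 to 14 in Python: each protocol's share of the sampled traffic is smoothed with an EWMA, compared against TH/TL set at mean ± 3σ of its normal-time distribution, and the per-protocol flags are combined by the majority voting the experiments use for the detection signal. The sample intervals, the EWMA weight 0.3 and the four-class split are constructed or assumed here.

```python
"""Protocol-composition detector (added example, not the paper's code): EWMA-smoothed
per-protocol shares vs TH/TL = mean +/- 3 sigma of normal traffic, majority-voted."""
from statistics import mean, pstdev

PROTOCOLS = ("ICMP", "TCP", "UDP", "ETC")

def composition(sample):
    """Share (0..1) of each protocol in one sample interval's counts."""
    total = sum(sample.values()) or 1
    return {p: sample[p] / total for p in PROTOCOLS}

class ProtocolDetector:
    def __init__(self, alpha=0.3, k=3.0):
        self.alpha, self.k = alpha, k        # EWMA weight (assumed), sigma multiplier
        self.ewma, self.th, self.tl = {}, {}, {}

    def train(self, normal_samples):
        """Set TH/TL per protocol from the normal-time distribution of its share."""
        shares = [composition(s) for s in normal_samples]
        for p in PROTOCOLS:
            xs = [sh[p] for sh in shares]
            mu, sd = mean(xs), pstdev(xs)
            self.th[p] = mu + self.k * sd
            self.tl[p] = max(0.0, mu - self.k * sd)
            self.ewma[p] = mu                  # start the filter at the normal mean

    def update(self, sample):
        """Smooth the new sample, flag out-of-band protocols, vote on the switch."""
        share = composition(sample)
        flags = {}
        for p in PROTOCOLS:
            self.ewma[p] = self.alpha * share[p] + (1 - self.alpha) * self.ewma[p]
            flags[p] = not (self.tl[p] <= self.ewma[p] <= self.th[p])
        attack = 2 * sum(flags.values()) > len(PROTOCOLS)    # majority voting
        return flags, attack, "class-based" if attack else "non-class-based"

# Constructed per-interval counts (ICMP, TCP, UDP, ETC); not real trace data.
NORMAL = [dict(zip(PROTOCOLS, c)) for c in
          [(30, 800, 150, 20), (32, 790, 158, 20), (28, 810, 142, 20), (30, 805, 145, 20),
           (30, 795, 155, 20), (31, 800, 150, 19), (29, 800, 150, 21), (30, 800, 150, 20)]]
QUIET = dict(zip(PROTOCOLS, (30, 800, 150, 20)))
ICMP_BLIP = dict(zip(PROTOCOLS, (60, 800, 150, 20)))   # one protocol twitches briefly
UDP_FLOOD = dict(zip(PROTOCOLS, (30, 800, 3150, 20)))  # a flood squeezes every other share

def run(stream, normal=NORMAL):
    """Per-interval (flags, attack, mode) decisions for a stream of samples."""
    det = ProtocolDetector()
    det.train(normal)
    return [det.update(s) for s in stream]
```

The single-protocol blip trips only the ICMP flag, so majority voting keeps the non class-based mode, whereas a logical-OR composite would have switched; the flood moves TCP, UDP and etc. out of band together and flips the switch.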

  16. Real attack trace case
      • KREONet2 traces
        • 5 major actual attacks
        • 10 days long

  17. Input Traffic – Real attacks
      • The vertical lines show the 5 salient attack periods
      • UDP and ICMP attacks can be detected by the variations of their own traffic
      • TCP attacks can be detected by the variations of TCP or of the other protocols
      • The last sub-figure shows the attack detection signal generated through majority voting

  18. Output Traffic – flexible buffer management
      [Figures: output traffic proportion by protocol in non class-based; output traffic proportion by protocol in flexible-based]
      • The traffic volume delivered
      • Non class-based scheduling
        • During attack, the protocols responsible for the attack increase abruptly
        • Other protocols suffer from congestion
      • Flexible buffer management
        • All protocols maintain their predefined weights regardless of attack
        • At the onset of attack, the instantaneous peaks result from the latency of detection and switching

  19. Forwarded Traffic – flexible buffer management
      [Figures: forwarded traffic proportion by protocol in non class-based; forwarded traffic proportion by protocol in flexible-based]
      • Output / input traffic volume (%)
      • Non class-based scheduling
        • During attack, not only the culpable protocols but also the other, innocent protocols decrease together
      • Flexible buffer management
        • Generally only the responsible protocol is filtered out
        • In the 4th, multi-protocol attack, TCP, UDP and ICMP are mitigated sequentially
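As an added example (not the authors' code), the two output paths contrasted on slides 18 and 19 under a constructed UDP flood: a single FCFS/drop-tail queue, where congestion drops cut every protocol by the same fraction, beside a class-based scheduler whose per-class weights are the normal-time shares from slide 11, so only the flooding class is cut back. The weights, link capacity and offered loads are constructed values.

```python
"""Output-link scheduling under a protocol flood (added example, not the paper's code).
Non class-based FCFS/drop-tail makes every protocol lose the same fraction when the
link is oversubscribed; the class-based path serves each protocol class by a weight
set from its normal-time share, so only the flooding class is cut back."""

NORMAL_WEIGHTS = {"ICMP": 3, "TCP": 80, "UDP": 15, "ETC": 2}  # % of normal traffic (constructed)
CAPACITY = 1000        # link capacity per interval, same units as the offered counts
UDP_FLOOD = {"ICMP": 30, "TCP": 800, "UDP": 3150, "ETC": 20}   # constructed offered load

def schedule_fcfs(offered, capacity):
    """One shared queue: when oversubscribed, drops hit all protocols alike."""
    total = sum(offered.values())
    keep = min(1.0, capacity / total) if total else 0.0
    return {p: offered[p] * keep for p in offered}

def schedule_class_based(offered, weights, capacity):
    """Weighted fair share: class p is guaranteed weight_p / sum(weights) of the link;
    capacity a class leaves unused goes to the still-backlogged classes in proportion
    to their (positive) weights, so the scheduler stays work-conserving."""
    forwarded = {p: 0.0 for p in offered}
    remaining = dict(offered)
    spare = float(capacity)
    active = [p for p in offered if remaining[p] > 0]
    while active and spare > 1e-9:
        wsum = sum(weights[p] for p in active)
        granted = 0.0
        for p in active:
            grant = min(remaining[p], spare * weights[p] / wsum)
            forwarded[p] += grant
            remaining[p] -= grant
            granted += grant
        spare -= granted
        active = [p for p in active if remaining[p] > 1e-9]
    return forwarded

def forwarded_percent(forwarded, offered):
    """Output / input traffic volume (%) per protocol, the quantity plotted on slide 19."""
    return {p: (100.0 * forwarded[p] / offered[p]) if offered[p] else 100.0 for p in offered}

if __name__ == "__main__":
    fcfs = schedule_fcfs(UDP_FLOOD, CAPACITY)
    wfq = schedule_class_based(UDP_FLOOD, NORMAL_WEIGHTS, CAPACITY)
    print("non class-based:", forwarded_percent(fcfs, UDP_FLOOD))
    print("class-based:    ", forwarded_percent(wfq, UDP_FLOOD))
```

With the flood quadrupling the offered load, the shared queue forwards 25% of every protocol, TCP included; the class-based scheduler forwards 100% of TCP, ICMP and etc. and drops only the excess UDP.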

  20. Simulated attacks
      • Simulated virtual attacks: synthesized attacks + the Univ. of Auckland trace (without attacks) from NLANR
        • The U of Auckland trace consists of only TCP, UDP and ICMP
        • To evaluate the sensitivity of our detector over attacks of various configurations
      • Persistency
        • Intermittent: sends malicious packets in an on-off pattern at a 3-minute interval
        • Persistent: continues to assault throughout the attack
      • IP address: target IP address type
        • Single destination: (semi) single destination
        • Semi-random: mixed type (fixed portion + randomly changeable portion)
        • Random: randomly generated
      • Port
        • Reserved, randomly generated and ephemeral client ports

  21. Input Traffic – Simulated attacks
      [Figure: input traffic by protocol and detection signal, simulated attacks]

  22. Output Traffic – simulated attacks
      [Figures: non class-based buffer management; flexible buffer management]

  23. Forwarded Traffic by Protocol in flexible buffer
      [Figures: forwarded traffic proportion by protocol in non class-based; forwarded traffic proportion by protocol in flexible-based]
      • Output / input traffic volume (%)
      • In the 360 ~ 1080 interval, the gradual decrease comes not from attacks but from congestion drops, due to processing limitations of the system

  24. Evaluation of Anomaly Detection
      [Table: evaluation results of the protocol composition signals]
      • Composite detection signal
        • Logical OR
        • Majority voting
        • The detection signal is used for switching the buffer management
      • Complexity
        • O(1) processing cost per packet
        • O(n) storage cost per sample, where n is the number of protocols
      • True positive rate (b)
      • False positive rate (a)
      • Likelihood ratio b/a, ideally infinity
      • Negative likelihood ratio (1-b)/(1-a), ideally zero
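As an added example (not the authors' evaluation code), the metrics of this slide computed for both composite signals over constructed per-protocol flag vectors and constructed ground truth; b and a are read as the true-positive and false-positive rates, which is how the slide's b/a and (1-b)/(1-a) fit the stated ideals of infinity and zero.

```python
"""Scoring composite detection signals (added example, not the paper's code).
Per-protocol flags over N sample intervals are combined by logical OR and by
majority voting; each composite is scored against the ground-truth attack
intervals with true-positive rate b, false-positive rate a, positive likelihood
ratio b/a (ideally infinity) and negative likelihood ratio (1-b)/(1-a) (ideally 0)."""

def combine_or(flag_rows):
    """Attack in an interval if any protocol is flagged there."""
    return [any(row) for row in flag_rows]

def combine_majority(flag_rows):
    """Attack in an interval if more than half of the protocols are flagged there."""
    return [2 * sum(row) > len(row) for row in flag_rows]

def evaluate(signal, truth):
    """Return (b, a, LR+, LR-) for a detection signal against ground-truth intervals."""
    tp = sum(1 for s, t in zip(signal, truth) if s and t)
    fp = sum(1 for s, t in zip(signal, truth) if s and not t)
    positives = sum(1 for t in truth if t)
    negatives = len(truth) - positives
    b = tp / positives if positives else 0.0
    a = fp / negatives if negatives else 0.0
    lr_pos = b / a if a > 0 else float("inf")
    lr_neg = (1 - b) / (1 - a) if a < 1 else float("inf")
    return b, a, lr_pos, lr_neg

# Constructed per-interval flags for (ICMP, TCP, UDP, ETC) over 10 intervals;
# intervals 4-6 are the attack. Not taken from the KREONet2 or Auckland traces.
FLAGS = [
    (0, 0, 0, 0), (1, 0, 0, 0), (0, 0, 0, 0), (0, 1, 0, 0),  # normal, with single-protocol blips
    (1, 1, 1, 1), (0, 1, 1, 1), (0, 1, 1, 0),                # attack: several shares move together
    (0, 0, 0, 0), (0, 0, 1, 0), (0, 0, 0, 0),
]
TRUTH = [0, 0, 0, 0, 1, 1, 1, 0, 0, 0]

def compare(flag_rows=FLAGS, truth=TRUTH):
    """Score both composites on the same flags: on this data OR catches every attack
    interval but fires on every blip; majority voting ignores blips but misses the tail."""
    return {"OR": evaluate(combine_or(flag_rows), truth),
            "majority": evaluate(combine_majority(flag_rows), truth)}
```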

  26. Conclusion
      • We studied the feasibility of detecting anomalies through variations in protocol traffic
      • We evaluated the effectiveness of our approach by employing real and simulated traffic traces
      • The protocol composition signal could be a useful signal
      • Real-time traffic monitoring is feasible
        • Simple enough to be implemented inline
      • Flexible buffer management is effective in containing attacks

  27. Thank you!! http://ee.tamu.edu/~reddy
