
Telecommunication and Security LAB. Dept. of Industrial Engineering






Presentation Transcript


  1. An Effective Placement of Detection Systems for Distributed Attack Detection in Large Scale Networks
  Seok Bong Jeong
  Telecommunication and Security LAB, Dept. of Industrial Engineering

  2. Contents
  • I. Introduction
  • II. Placement of Distributed Detection Systems
    • Objectives for DDS placement
    • DS placement problem
  • III. Numerical Results
  • IV. Conclusions
  2 Telecommunication Systems and Internet Security Lab

  3. I. Introduction (1): DDoS Attacks
  • The Internet infrastructure is highly vulnerable to distributed attacks (DDoS attacks and flash crowds)
  • DDoS attacks
    • DDoS attacks do not rely on particular network protocols or system weaknesses.
    • DDoS attacks simply exploit the huge resource asymmetry between the Internet and the victim.
  • Flash crowds
    • FCs occur when a large number of users try to access the same server simultaneously.
    • FCs overload the network links, routers, and the server itself.
  [Figure: DDoS attack hierarchy: attacker, masters (handlers), agents (daemons or zombies), victim]

  4. I. Introduction (2)
  • Several approaches to defend against distributed attacks
    • EMERALD, GrIDS, JAM, JiNao, AAFID
  • Challenging tasks in designing an effective and deployable DDS
    • A variety of algorithmic and engineering design issues
    • What is the minimum number of DSs required?
    • Optimal placement of DSs
  • Objectives of this paper
    • We focus on the placement problem of DSs across large scale networks for distributed intrusion detection approaches.
    • Minimize the overall number of DSs
    • Limit the set of nodes that can participate in an attack

  5. II. Objectives for DDS placement
  • Assumptions
    • All attack traffic passing through sensor nodes that perform DS is detected
    • Routing follows the shortest path between two nodes
  • Example (figure not reproduced): DSs are placed in nodes 3, 4, and 7
    • Possible attack nodes for node i, A(i)
    • A(1) = {node 2}
    • A(5) = {node 0, node 6, node 8, node 9}
    • Node 1 is more robust than node 5

  6. II. Objectives for DDS placement
  • DDS placement issues
    • It is impossible to implement DSs in all nodes in a network
    • Most distributed attacks (e.g. DDoS attacks) become critical threats when a great number of nodes (e.g. servers or hosts) participate in an attack
    • Thus, if we place DDSs across the network in a well distributed manner, the impact of attacks can be sufficiently localized and minimized and can thus be ignored.
  • Key objectives of placing DSs
    • Minimize the total number of DSs
    • Minimize the number of nodes that could send attack packets to any other node separated by more than the given number of hops without passing through sensors
    • Find the optimal placement of the DSs

  7. III. DS placement problem (DSPP) – (1)
  • Notation
    • G = (V, E): an undirected graph representing the Internet topology
    • Each node in V can be interpreted as a router or an autonomous system
    • T: a subset of nodes where intrusion detection is performed
    • : the coverage ratio
    • : the localization factor
    • : the number of nodes that are more than r hops apart from node i and can send attack packets to node i without passing through DSs
    • : every attack can be localized to within a small set of candidate nodes at a distance of less than r hops from node i
    • : all attack packets destined to node i are detected, because all traffic destined to node i must pass through at least one DS
  • (DSPP1)

  8. III. DS placement problem (DSPP) – (2)
  • Notation
    • : the decision variable, which is 1 if node i performs DS and 0 otherwise
    • : the subset of E composed of the edges that connect the nodes that perform DS
    • : the distance between node i and node j
    • : 1 if the distance between node i and node j is more than r in G', and 0 otherwise
  • DSPP2, where

  9. III. DS placement problem (DSPP) – (3)
  • Set packing problem
    • is a packing with respect to if for all .
    • Each packing is composed of nodes that are not DS nodes
    • The maximum value of for all nodes in a packing should be less than r
    • is the decision variable, which is 1 if the index j of is included in the set packing F, and 0 otherwise
    • Let be the coefficient, which is 1 if node i is included in , and 0 otherwise
  • (DSPP3)
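The following is an added worked example, not code from the slides or from the author. It puts the model of slides 5, 7, 8 and 9 on a small constructed topology: a detection system (DS) at node v inspects everything that traverses v, routing is hop-count shortest path, so traffic that never crosses a DS node lives entirely in G' = G minus the DS set T. From that it computes A(i), the per-node count of attackers more than r hops away that escape detection (the localization quantity of slide 7), and the smallest T that localizes every node, by exhaustive search. The 10-node graph, the function names, and the brute-force solver are all my assumptions; the graph is constructed so that with DSs on nodes 3, 4 and 7 it reproduces the A(1) and A(5) quoted on slide 5, and the exhaustive search stands in for the set-packing formulation, which the slides do not spell out here.

```python
"""Added example (not from the slides): DS placement on a constructed topology.

Model: a DS at node v inspects all traffic through v, so undetected attack
paths are exactly the paths in G' = G minus the DS set T (slides 8-9).
"""
from collections import deque
from itertools import combinations

# Constructed 10-node topology (the slide's figure is not on the page).
# Chosen so that with DSs on nodes 3, 4 and 7 we get A(1) = {2} and
# A(5) = {0, 6, 8, 9}, the values quoted on slide 5.
EDGES = [(0, 3), (0, 5), (0, 7), (1, 2), (1, 3), (2, 4),
         (3, 4), (4, 5), (5, 6), (6, 8), (8, 9), (7, 9)]


def build_adjacency(edges):
    """Undirected adjacency sets from an edge list."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def distances_avoiding(adj, src, blocked):
    """Hop distances from src inside G' = G minus `blocked` (plain BFS).
    Nodes reachable only through a blocked (DS) node are absent."""
    if src in blocked:
        return {}
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for w in adj[u]:
            if w not in blocked and w not in dist:
                dist[w] = dist[u] + 1
                queue.append(w)
    return dist


def attack_sources(adj, ds_nodes, i):
    """A(i): nodes whose packets reach i without crossing any DS.
    Empty when i itself hosts a DS (everything destined to i is inspected)."""
    return set(distances_avoiding(adj, i, set(ds_nodes))) - {i}


def escaped_count(adj, ds_nodes, i, r):
    """Number of nodes more than r hops from i that can still attack i
    undetected; 0 means attacks on i are localised within r hops (slide 7)."""
    dist = distances_avoiding(adj, i, set(ds_nodes))
    return sum(1 for d in dist.values() if d > r)


def is_localized(adj, ds_nodes, r):
    """True when every node's attackers are localised within r hops."""
    return all(escaped_count(adj, ds_nodes, i, r) == 0 for i in adj)


def min_ds_placement(adj, r):
    """Exhaustive DSPP solver: smallest T for which is_localized holds.
    Fine for a toy graph; the slides use a set-packing formulation instead."""
    nodes = sorted(adj)
    for k in range(len(nodes) + 1):
        for cand in combinations(nodes, k):
            if is_localized(adj, set(cand), r):
                return set(cand)
    return set(nodes)


if __name__ == "__main__":
    adj = build_adjacency(EDGES)
    ds = {3, 4, 7}
    for i in (1, 5):
        print(f"A({i}) = {sorted(attack_sources(adj, ds, i))}")
    for r in (3, 4):
        print(f"r={r}: T={sorted(ds)} localised={is_localized(adj, ds, r)}, "
              f"smallest feasible T={sorted(min_ds_placement(adj, r))}")
```

Running it shows the trade-off the slides describe: with T = {3, 4, 7} every node is localised for r = 4 but not for r = 3 (nodes 0 and 9 are 4 hops apart in G' and neither path crosses a DS), while for r = 3 the exhaustive search finds a smaller placement of only two DSs, because removing the two nodes shared by both rings splits the graph into components whose diameter is at most 3.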

  10. III. DS placement problem (DSPP) – (4)

  11. V. Numerical Results (1)

  12. V. Numerical Results (2)
  [Figure: panels (a), (b), (c)]

  13. Conclusions
  • We have presented a DS placement approach for detecting distributed attacks.
  • Perfect detection is difficult to achieve in the Internet environment while maintaining sparse coverage. However, this is mitigated by the fact that attack traffic that can escape the DSs can be localized within r hops.
  • Our scheme reduces the total number of DSs while localizing the candidate attack sources
