Network Security Lab. Jelena Mirkovic, sunshine@cis.udel.edu. Sig NewGrad presentation.
Main Research Areas
• Distributed Denial of Service
  • Distributed defense: DefCOM
• Internet Worms
  • Worm simulation: PAWS
  • Cooperative defense: WIN
• Detecting new malicious executables
• Application-level honeynets, summarizing firewall logs, predicting routing changes …
Distributed Denial of Service. Ideal solution! The problems: too much traffic, and attack traffic looks like legitimate traffic.
Distributed Denial of Service: detect the attack, differentiate between attack and legitimate traffic, and stop the attack.
DefCOM
• Distributed defense against DDoS
• Combines nodes at:
  • Victim – Alert generators: detect attack and alert other nodes
  • Core – Rate limiters: stop attack by dropping traffic
  • Source – Classifiers: differentiate between legitimate and attack traffic
• Nodes cooperate through an overlay
DefCOM walkthrough (diagram slides; only the step captions and node annotations survive extraction; AG = alert generator, RL = rate limiter, C = classifier):
1. Attack detection: the AG at the victim raises "Attack!" to the RL and C nodes.
2. Forming the traffic tree: each node stamps its mark on traffic it forwards (mark = 3, mark = 5, mark = 12, mark = 56); downstream nodes report the marks they observe ("I see mark 3!", "I see mark 5!", "I see marks 12 and 56!").
3. Distributed rate-limiting: a 100Mbps limit at the victim is split into 50Mbps allocations at the upstream nodes.
4. Traffic differentiation: per-node counts L and M (L=6 M=20, L=4 M=25, L=33 M=17, L=76 M=43).
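To make steps 2 to 4 concrete, here is an added toy model (not DefCOM's own code or algorithm): a downstream node learns its upstream children from the marks it sees, then splits its allowance among them, first evenly and then weighted by how much legitimate traffic each child reports. The marks, topology, traffic figures and the legitimate-share policy are all constructed assumptions.

```python
"""Toy DefCOM-style traffic tree and rate-limit distribution.

Constructed simplified model for illustration only, not DefCOM's actual
algorithm; node marks, topology and traffic figures are made up.
"""
from collections import defaultdict

# Constructed observations: (observing node's mark, mark seen on incoming packets).
# A node only sees a mark on traffic that passed the node that stamped it, so the
# marks it sees identify its upstream children in the traffic tree.
OBSERVED_MARKS = [
    ("AG", 3),            # alert generator at the victim sees rate limiter 3
    (3, 12), (3, 56),     # rate limiter 3 sees classifiers 12 and 56
]

# Constructed per-classifier report: mark -> (legitimate_mbps, attack_mbps)
TRAFFIC_REPORT = {12: (6, 20), 56: (4, 25)}


def form_traffic_tree(observations):
    """Step 2: parent mark -> ordered list of child marks, from marks seen in traffic."""
    tree = defaultdict(list)
    for observer, seen in observations:
        if seen not in tree[observer]:
            tree[observer].append(seen)
    return tree


def distribute_equally(tree, node, limit_mbps, out=None):
    """Step 3: each node splits its own allowance evenly among its children."""
    out = {} if out is None else out
    out[node] = limit_mbps
    children = tree.get(node, [])
    for child in children:
        distribute_equally(tree, child, limit_mbps / len(children), out)
    return out


def distribute_by_legitimate_share(tree, node, limit_mbps, report, out=None):
    """Step 4 (assumed policy): weight a child's share by the legitimate traffic it
    reports, so sources carrying mostly attack traffic are squeezed hardest.
    Children without a report fall back to an equal split."""
    out = {} if out is None else out
    out[node] = limit_mbps
    children = tree.get(node, [])
    total_legit = sum(report.get(c, (0, 0))[0] for c in children)
    for child in children:
        share = (limit_mbps / len(children) if total_legit == 0
                 else limit_mbps * report.get(child, (0, 0))[0] / total_legit)
        distribute_by_legitimate_share(tree, child, share, report, out)
    return out


if __name__ == "__main__":
    tree = form_traffic_tree(OBSERVED_MARKS)
    print(dict(tree))                                        # {'AG': [3], 3: [12, 56]}
    print(distribute_equally(tree, "AG", 100))               # 12 and 56 get 50.0 each
    print(distribute_by_legitimate_share(tree, "AG", 100, TRAFFIC_REPORT))  # 60.0 / 40.0
```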
Internet Worms
• A program that:
  • Scans the network for vulnerable machines
  • Breaks into machines by exploiting the found vulnerability
  • Installs some piece of malicious code – backdoor, DDoS tool
  • Moves on
• Doesn't need any user action to spread
• Spreads very fast!
PAWS
• Parallel worm simulator
• Runs on multiple machines – gains memory and CPU resources
• Can simulate greater detail than single-node simulators
• Can simulate various defenses
• Machines synchronize with network messages
WIN
• Worm information network
• We need fast, automatic response to stop worms
  • How can we detect worms?
  • How can we devise signatures quickly and automatically?
  • How can we share signatures with other networks?
  • How can we accept signatures from others and be sure we won't filter out legitimate traffic?