Defending Distributed Systems Against Malicious Intrusions and Network Anomalies

Kai Hwang, Internet and Grid Computing Laboratory, University of Southern California

Keynote Presentation at the IEEE International Workshop on Security in Systems and Networks (SSN-2005), held in conjunction with the IEEE International Parallel and Distributed Processing Symposium (IPDPS-2005), Denver, Colorado, April 8, 2005

This presentation is based on research findings by the USC GridSec team. Project Web site: http://GridSec.usc.edu, supported by NSF ITR Grant No. 0325409, and contributed by Min Cai, Shanshan Song, Ricky Kwok, Ying Chen, and Hua Liu.
Presentation Outline:
• Security/privacy demands in networked or distributed computer systems
• GridSec NetShield architecture for defending distributed resource sites in Grids, clusters, etc.
• Internet datamining for a collaborative anomaly and intrusion detection system (CAIDS) with traffic episode rule training and analysis
• Fast containment of Internet worm outbreaks and tracking of related DDoS attacks with distributed-hashing overlays
Security and Privacy Demands in Network and Distributed Systems
• Trusted resource allocation, sharing, and scheduling
• Secure communications among resource sites, clusters, and protected download among peer machines
• Intrusion and anomaly detection, attack repelling, trace back, pushback of attacks, etc.
• Fortification of hardware/software (firewalls, packet filters, VPN gateways, traffic monitors, security overlays, etc.)
• Self-defense toolkits/middleware for distributed defense, risk assessment, worm containment, response automation
• Anonymity, confidentiality, data integrity, fine-grain access control, resolving conflicts in security policies, etc.
GridSec: A Grid Security ITR Project at USC

[Figure: three resource sites S1, S2 and S3, each with hosts behind a VPN gateway, connected through the Internet; the numbers 1, 2 and 3 on the hosts and gateways mark the self-defense steps below]

Steps for automated self-defense at a resource site:
Step 1: Intrusion detected by host-based firewall/IDS
Step 2: All VPN gateways are alerted with the intrusions
Step 3: Gateways broadcast response commands to all hosts
The NetShield Architecture with Distributed Security Enforcement over a DHT Overlay
Building Encrypted Tunnels between Grid Resource Sites Through the DHT Overlay
• The number of encrypted tunnels should grow with O(N) instead of O(N x N), where N is the number of Grid sites
• Using shortest paths, security policy is enforced automatically with a minimal number of VPN tunnels to satisfy special Grid requirements
• How to integrate security policies from various private networks through the public network?
• How to resolve security policy conflicts among hosts, firewalls, switches, routers, servers, etc. in a Grid environment?
Trust Integration over a DHT Overlay

[Figure: sites S1 to S4 on a physical backbone, each with hosts, a VPN gateway and a SeGO server; trust vectors propagate around the DHT overlay ring, with user application and SeGO server negotiation; cooperating gateways work together to establish VPN tunnels for trust integration]
USC NetShield Intrusion Defense System for Protecting Local Network of Grid Computing Resources

[Figure: the NetShield system sits between the Internet (via the ISP and network router) and the firewall in front of the victim's internal network; its components are Datamining for Anomaly Intrusion Detection (IDS), the Intrusion Response System (IRS) and the Risk Assessment System (RAS)]
Alert Operations performed in local Grid sites and correlated globally
Basic Concept of Internet Episodes
• Event Type: A, B, C, D, E, F, etc.
• Event Sequence: e.g., <(E,31),(D,32),(F,33)>
• Window: Event sequence with a particular width
• Episode: partially ordered set of events, e.g. whenever A occurs, B will occur soon
• Frequency of episode: fraction of windows in which the episode occurs
• Frequent episode: set of episodes having a frequency over a particular frequency threshold
• Frequent episode rules are generated to describe the connection events
Frequent Episode Rules (FER) for Characterizing Network Traffic Connections

E → D, F (c, s)

The episode of 3 connection events (E, D, F) = (http, smtp, telnet). On the LHS, we have the earlier event E (http). On the RHS, we have two consequence events D (smtp) and F (telnet); s is the support probability and c is the confidence level, as in the rule specified below:

(service = http, flag = SF) → (service = smtp, srcbyte = 5000), (service = telnet, flag = SF) (0.8, 0.9)

Support probability s = 0.9 and confidence level c = 0.8 that the episode will take place in a typical traffic stream.
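As an added worked example (not code from the talk or the GridSec project), the episode definitions above carried through in Python: windows slide over a constructed event stream, an episode's frequency is the fraction of windows that contain it, and a rule E → D, F is scored with its support s and confidence c. The sample events and the window convention (integer timestamps, one window per unit start time) are assumptions.

```python
from fractions import Fraction

# Constructed sample audit stream of (event_type, timestamp) pairs, not data from the talk.
# Event types follow the slide: E = http, D = smtp, F = telnet; A, B, C are other services.
SAMPLE_EVENTS = [("E", 31), ("D", 32), ("F", 33), ("A", 35), ("E", 40), ("D", 41),
                 ("F", 42), ("B", 45), ("E", 50), ("C", 52), ("E", 60), ("D", 61), ("F", 62)]

def sliding_windows(events, width):
    """Return the event-type sequence inside each window [t, t + width).
    Assumption: one window per unit start time, counting only windows fully inside the span."""
    events = sorted(events, key=lambda e: e[1])
    first, last = events[0][1], events[-1][1]
    return [[etype for etype, ts in events if t <= ts < t + width]
            for t in range(first, last - width + 2)]

def contains_episode(episode, window):
    """Serial episode: the event types must appear in the given order within the window."""
    pos = 0
    for etype in window:
        if pos < len(episode) and etype == episode[pos]:
            pos += 1
    return pos == len(episode)

def episode_frequency(episode, windows):
    """Frequency = fraction of windows in which the episode occurs (slide definition)."""
    hits = sum(contains_episode(episode, w) for w in windows)
    return Fraction(hits, len(windows))

def mine_rule(lhs, rhs, events, width, min_support, min_confidence):
    """Score the rule lhs -> rhs (c, s): s is the support (frequency of the whole episode)
    and c the confidence, i.e. s divided by the frequency of the LHS episode alone."""
    windows = sliding_windows(events, width)
    support = episode_frequency(lhs + rhs, windows)
    lhs_freq = episode_frequency(lhs, windows)
    confidence = support / lhs_freq if lhs_freq else Fraction(0)
    return {
        "rule": f"{','.join(lhs)} -> {','.join(rhs)}",
        "support": support,
        "confidence": confidence,
        "frequent": support >= min_support and confidence >= min_confidence,
    }

if __name__ == "__main__":
    r = mine_rule(["E"], ["D", "F"], SAMPLE_EVENTS, width=5, min_support=0.1, min_confidence=0.3)
    print(r["rule"], f"c={float(r['confidence']):.2f}", f"s={float(r['support']):.2f}", r["frequent"])
```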
A Cooperative Anomaly and Intrusion Detection System (CAIDS), built with a Network Intrusion Detection System (NIDS) and an Anomaly Detection System (ADS) operating interactively through automated signature generation

[Figure: CAIDS data flow. Audit records from traffic data feed both the IDS and the ADS. The IDS's Signature Matching Engine uses an Attack Signature Database of known attack signatures from the IDS provider and detects single-connection attacks at packet level. The ADS's Episode Mining Engine, with an Episode Rule Database trained from audit records of normal traffic, detects anomalies over multiple connections (unknown or burst attacks). A Signature Generator turns the detected anomalies into new signatures that are added to the Attack Signature Database.]
Internet Datamining for Episode Rule Generation
Attack Spectrum from MIT Lincoln Lab in 10 Days of Experimentation
Automated Signature Generation from Frequent Episode Analysis

Relevant connections are labelled to associate them with an FER. Online traffic episode rules come from the datamining engine and are processed as follows:
1. Do the episode rules match the normal FER database? If yes, ignore them as normal episode rules from legitimate users (no anomaly detected).
2. If no, does the episode frequency exceed the rule threshold?
   • No (stealthy attacks): check error flags or other useful temporal statistics; extract common features such as IP addresses, protocol, etc. to form the signature.
   • Yes (massive attacks): calculate additional information such as connection count, average and percentage of connections, etc.; select one of the predefined classifiers; use the selected classifier to classify the attack class and find the relevant connections; extract common features in all identified connections, such as the IP addresses, protocol, etc. to form the signature.
3. Add the new signatures to the Snort database.
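An added example of the decision flow above, not code from the talk or from CAIDS: an online episode rule is checked against an assumed normal-FER database, split into stealthy versus massive attacks by the frequency threshold, and the common features of the identified connections are extracted into a signature, rendered as a simplified Snort rule. The connection records, the normal-FER set, the stand-in classifier and the sid value are constructed assumptions.

```python
# Constructed connection records, not the talk's data. Fields follow the slide's audit
# attributes: addresses, protocol, service and TCP flag (SF = normal completion).
SCAN = [{"src": "10.9.8.7", "dst": f"192.168.1.{i}", "proto": "tcp", "service": "telnet",
         "flag": "REJ"} for i in range(1, 41)]
FLOOD = [{"src": f"10.9.8.{i}", "dst": "192.168.1.10", "proto": "tcp", "service": "http",
          "flag": "S0"} for i in range(1, 201)]
# Assumed normal-FER database: episodes (service tuples) mined from attack-free training traffic.
NORMAL_FERS = {("http", "smtp", "telnet"), ("http", "http")}

def common_features(conns):
    """Keep only the fields on which every identified connection agrees."""
    sig = {}
    for field in ("src", "dst", "proto", "service", "flag"):
        values = {c[field] for c in conns}
        if len(values) == 1:
            sig[field] = values.pop()
    return sig

def classify_massive(conns):
    """Stand-in for the slide's predefined classifiers (assumption): fan-out from one source
    is labelled a probe, fan-in to one destination a flood."""
    n_src, n_dst = len({c["src"] for c in conns}), len({c["dst"] for c in conns})
    if n_src == 1 and n_dst > 1:
        return "probe"
    if n_dst == 1 and n_src > 1:
        return "flood"
    return "unknown"

def triage_rule(episode, frequency, conns, threshold):
    """Walk the slide's decision flow for one online episode rule and its connections."""
    if tuple(episode) in NORMAL_FERS:
        return {"verdict": "ignore"}  # legitimate traffic pattern, no anomaly
    if frequency > threshold:  # massive attack: connection statistics, classifier, signature
        stats = {"count": len(conns), "per_dst": len(conns) / len({c["dst"] for c in conns})}
        attack_class, picked = classify_massive(conns), conns
    else:  # stealthy attack: the error-flagged connections are the relevant ones
        flagged = [c for c in conns if c["flag"] != "SF"]
        stats = {"count": len(conns), "error_flag_ratio": len(flagged) / len(conns)}
        attack_class, picked = "stealthy", flagged or conns
    return {"verdict": "signature", "class": attack_class, "stats": stats,
            "signature": common_features(picked)}

def snort_rule(sig, sid):
    """Render the common features as a Snort rule (simplified rendering; sid is a placeholder)."""
    src, dst = sig.get("src", "any"), sig.get("dst", "any")
    msg = " ".join(["CAIDS auto-signature", sig.get("service", ""), sig.get("flag", "")]).strip()
    return f'alert {sig.get("proto", "ip")} {src} any -> {dst} any (msg:"{msg}"; sid:{sid}; rev:1;)'
```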
Successful Detection Rates of Snort, the Anomaly Detection System (ADS), and the Collaborative Anomaly and Intrusion Detection System (CAIDS)
False Alarms out of 201 Attacks in CAIDS Triggered by Different Attack Types under Various Scanning Window Sizes

Using larger windows results in more false alarms. Shorter windows of 300 sec or less are better, in the sense that shorter episodes will be mined to produce shorter rules, leading to faster rule matching in the anomaly detection process.
Detection Rates of Snort, ADS, and CAIDS under Various Attack Classes

On average, CAIDS (white bars) outperforms Snort and the ADS by 51% and 40%, respectively.
Internet Worm and Flood Control:
• A DHT-based WormShield overlay network is under development at USC.
• Fast worm signature generation and fast dissemination through both local and global address dispersion
• Automated tracking of DDoS attack-transit routers to cut off malicious packet flows for dynamic DDoS flood control
The WormShield Built with a DHT-based Overlay with Six Worm Monitors
Signature Detection in Worm Spreading and the Growth of Infected Hosts for Simulated CodeRed Worms on an Internet Configuration of 105,246 Edge Networks in 11,342 Autonomous Systems Containing 338,652 Vulnerable Hosts
Effects of Local Prevalence Threshold on Worm Spreading and the Growth of Infected Hosts
Effects of Global Address Prevalence on Worm Spreading and the Growth of Infected Hosts
Reduction of Infected Hosts by Independent vs. Collaborative Monitoring over the Edge Networks
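An added simulation, not WormShield's own code, of the interplay shown in the slides on local and global prevalence thresholds and on independent versus collaborative monitoring: each edge-network monitor counts content prevalence and source/destination dispersion locally; in collaborative mode it publishes a fingerprint to the DHT once a low local threshold is reached, and the overlay node responsible for that key applies the global threshold to the merged counts. The payloads, thresholds, address scheme and infection schedule are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed payloads (not the talk's data): a worm probe seen across many address pairs and a benign request between one fixed pair.
WORM = b"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0"
BENIGN = b"GET /index.html HTTP/1.0"

def fingerprint(payload):
    # Assumption: the DHT key is a hash of the whole payload (a real monitor hashes substrings).
    return hashlib.sha1(payload).hexdigest()[:16]

def new_table():
    return defaultdict(lambda: [0, set(), set()])  # fp -> [prevalence, source set, destination set]

def observe(table, src, dst, payload):
    fp = fingerprint(payload)
    table[fp][0] += 1
    table[fp][1].add(src)
    table[fp][2].add(dst)

def suspects(table, prev_thr, disp_thr):
    """Fingerprints whose prevalence and source/destination dispersion both reach the thresholds."""
    return {fp for fp, (n, srcs, dsts) in table.items()
            if n >= prev_thr and min(len(srcs), len(dsts)) >= disp_thr}

def merge_reports(reports):
    """Overlay node responsible for key fp: sum prevalence and union address sets over monitors."""
    merged = new_table()
    for fp, by_monitor in reports.items():
        for n, srcs, dsts in by_monitor.values():
            merged[fp] = [merged[fp][0] + n, merged[fp][1] | srcs, merged[fp][2] | dsts]
    return merged

def rounds_until_signature(collaborative, n_monitors=3, publish_thr=2, local_thr=6, global_thr=6, disp_thr=2):
    """One newly infected host per monitor per round; return (round, infected hosts) at detection."""
    monitors = [new_table() for _ in range(n_monitors)]
    reports, infected = defaultdict(dict), 0  # reports[fp][monitor index] = published local record
    for rnd in range(1, 100):
        for i, mon in enumerate(monitors):
            infected += 1
            observe(mon, f"10.{i}.0.{rnd}", f"172.16.{i}.{rnd}", WORM)
            observe(mon, "10.0.0.1", "172.16.0.1", BENIGN)  # prevalent but never dispersed
            if collaborative:  # low local threshold, then publish the local record to the DHT
                for fp in suspects(mon, publish_thr, disp_thr):
                    reports[fp][i] = (mon[fp][0], set(mon[fp][1]), set(mon[fp][2]))
        found = (suspects(merge_reports(reports), global_thr, disp_thr) if collaborative
                 else set().union(*(suspects(m, local_thr, disp_thr) for m in monitors)))
        if fingerprint(WORM) in found:
            return rnd, infected
    return None, infected
```

With these settings the independent monitors each need six local sightings before firing, while the collaborative overlay reaches the same global count after two rounds with a third of the infected hosts.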
Packet/Flow Counting for Tracking Attack-Transit Routers (ATRs)
Other Hot Security Research Areas:
• Efficient and enforceable trust models are very much in demand for networked and distributed systems: PKI services, VPN tunneling, trust negotiation, security overlays, reputation systems, etc.
• Large-scale security benchmark experiments in open Internet environments are infeasible. The NSF/HSD DETER testbed should be fully used in performing such experiments to establish sustainable cybertrust over all edge networks.
• Internet datamining for security control and for the guarantee of Quality-of-Service in real-life network applications
  – Interoperability between wired and wireless networks is a wide-open area for further research.
Final Remarks
• The NetShield, built with DHT-based security overlay networks, supports distributed intrusion and anomaly detection, alert correlation, collaborative worm containment, and flooding attack suppression.
• The CAIDS can cope with both known and unknown network attacks, and secure many cluster/Grid/P2P operations that use common Internet services: telnet, http, ftp, Email, SMTP, authentication, etc.
• Automated virus or worm signature generation plays a vital role in monitoring network epidemic outbreaks and in giving early warning of large-scale system intrusions, network anomalies, and DDoS flood attacks. Extensive benchmark experiments on the DETER testbed will prove the effectiveness.
Recent Related Papers:
• M. Cai, K. Hwang, Y. K. Kwok, Y. Chen, and S. S. Song, "Fast Containment of Internet Worms and Tracking of DDoS Attacks with Distributed-Hashing Overlays", IEEE Security and Privacy, accepted to appear Nov/Dec. 2005.
• K. Hwang, Y. Kwok, S. Song, M. Cai, R. Zhou, Yu. Chen, Ying. Chen, and X. Lou, "GridSec: Trusted Grid Computing with Security Binding and Self-Defense against Network Worms and DDoS Attacks", International Workshop on Grid Computing Security and Resource Management (GSRM'05), in conjunction with ICCS 2005, Atlanta, May 22-25, 2005.
• M. Qin and K. Hwang, "Frequent Episode Rules for Internet Traffic Analysis and Anomaly Detection", IEEE Network Computing and Applications Symp. (NCA-2004), Cambridge, MA, August 31, 2004.
• K. Hwang, Y. Chen and H. Liu, "Defending Distributed Computing Systems from Malicious Intrusions and Network Anomalies", IEEE Workshop on Security in Systems and Networks (SSN'05), in conjunction with IEEE IPDPS 2005, Denver, April 8, 2005.