10 likes | 264 Views
Detection and Isolation of Traffic Anomalies on Abilene Network topology using DETER. 1 Howells Ihekweme, 2 Blaine Nelson, 2 Saurabh Amin, 2 Suzanna Shmeelk EdD, 3 Ted Faber PhD, 3 Jelena Mirkovic PhD, 2 Shankar Sastry PhD
E N D
Detection and Isolation of Traffic Anomalies on Abilene Network topology using DETER 1Howells Ihekweme, 2Blaine Nelson, 2Saurabh Amin, 2Suzanna Shmeelk EdD, 3Ted Faber PhD, 3Jelena Mirkovic PhD, 2Shankar Sastry PhD 1University of Maryland at College Park, 2University of California at Berkeley, 3University of Southern California I The primary research objective is to study the interaction and strategies for attack and defense of control systems and detection systems in the emulated environment provided by the cyber-Defense Technology Experimental Research (DETER) testbed using Security Experimentation EnviRonment (SEER). This objective can be achieved with DTrigger. DTrigger is a monitoring software written by Ling Huang of Intel Corp. It is designed with the focus on data collection for anomaly detection. And it connects together the best technique from continuously data streaming, online machine learning and distributed signal processing. Moreover, on DETER testbed we hope to: 1) Construct an emulation of a real internet backbone i.e. Abilene Network Topology and the communication control system behavior. 2) Implement realistic attacks on that emulated environment which causes the control system to fail, thereby ultimately leading to plant and controller failures across the system. 3) Use DTrigger to deploy and monitor based on Denial of Service (DoS) detection algorithm and successfully train it to attack anomaly in the emulated framework. 4) Explore defense that make the control and learning systems more resilient to these attacks. This research focuses on detection and differentiation of traffic anomalies on Abilene network topology using DETER. Introduction Result-in progress Method • 1. Setting up experiment on DETER testbed • Created twelve pc backbone nodes and external (ingress/egress) nodes to the backbone nodes. Figure 2 is a typical topology with three backbone nodes and a Lan • Set up the routing matrix by linking all the backbone nodes and putting a start command on the nodes with two for loops • Swap in experiment and launch experiment to SEER using a Java script. • Ping all the nodes to check for broken routes using an already made bash script. • 2. Detection and monitoring the Abilene network topology. • As a DETER user absolute control off all the Router nodes and the plant/controller machines has to secured, monitored for traffic anomalies fro the DETER simulated attacker as seen in Figure 3. • 3. Differentiation of anomalous traffic using trend analysis • Using the GUI interface on DETER testbed with SEER this is a visual presentation of how normal traffic is expected to look as compared to an attack traffic as shown on Figure 4 (left) and Figure 5 (right) respectively. • Green is regular traffic • Red is attack traffic • Cyan is regular traffic not forwarded • Black is attack traffic not forward Figure 2: DETER Testbed Topology Figure 4(L ) and Figure 5(R): Graphical representation of traffics on DETER http://seer.isi.deterlab.net/v1.6/user/topo.html Motivation The increase of intrusion and extrusion of confidential information is a motivation for this project on CyberSecurity, defense and trustworthy systems by realistically emulating the Internet2 Abilene network topology on DETER testbed. Abilene is a high performance backbone network that is managed by Internet2. Moreover, Abilene is predominantly used by Universities, corporate and affiliate institutions. This research can help solve the problem by detecting and differentiating of traffic anomalies on network topology using DETER. Also, develop and deploy defense strategies on the network topology. Figure 1 is an illustration of a typical Abilene Network topology. • Future work • More research can be performed on this project. The detection and differentiation of traffic anomalies on the Abilene network topology using DETER is a work -in progress. The future goals are: • Collect generated traffic on the network and compare with normal traffic for anomalies; • Develop, update DTrigger on the emulated Abilene network and; • Deploy defense strategies on Abilene network topology as shown in Figure 6. Figure 3: Traffic Detection and monitoring on DETER Acknowledgements Thanks to the Team for Ubiquitous Secure Technology (TRUST) at the University of California, Berkeley and National Science Foundation (NSF) for supporting and funding this Program. Special thanks to the my teammates : John Mela, Jennifer Li, Efrain Plascencia, Mentors: Blaine Nelson, Saurabh Amin, Suzanna Shmeelk EdD, Dr. Ted Faber PhD, Dr. Jelena Mirkovic PhD, Dr. Kristen Gates EdD and Dean of Engineering Dr. Shankar Sastry, PhD Figure 6: Backbone routers, traffic generators and detectors on DETER Figure 1: The Abilene Network http://www.qwest.com/about/qwest/internet2/map.html