1 / 19

Northwestern Lab for Internet & Security Technology (LIST) list.cs.northwestern

Northwestern Lab for Internet & Security Technology (LIST) http://list.cs.northwestern.edu. Prof. Yan Chen Ph. D. Students Brian Chavez Yan Gao Zhichun Li Yao Zhao. M. S. Students Prasad Narayana Leon Zhao Undergraduates Too many to be listed. Personnel. Projects.

marilyng
Download Presentation

Northwestern Lab for Internet & Security Technology (LIST) list.cs.northwestern

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Northwestern Lab for Internet & Security Technology (LIST)http://list.cs.northwestern.edu

  2. Prof. Yan Chen Ph. D. Students Brian Chavez Yan Gao Zhichun Li Yao Zhao M. S. Students Prasad Narayana Leon Zhao Undergraduates Too many to be listed Personnel

  3. Projects • The High-Performance Network Anomaly/Intrusion Detection and Mitigation (HPNAIDM) Systems • Overlay Network Monitoring and Diagnostics • Adaptive Intrusion Detection and Mitigation Systems for WiMAX Networks

  4. Our Theme • Internet is becoming a new infrastructure for service delivery • World wide web, • VoIP • Email • Interactive TV? • Major challenges for Internet-scale services • Scalability: 600M users, 35M Web sites, 2.1Tb/s • Security: viruses, worms, Trojan horses, etc. • Mobility: ubiquitous devices in phones, shoes, etc. • Agility: dynamic systems/network, congestions/failures

  5. Battling Hackers is a Growth Industry! --Wall Street Journal (11/10/2004) • The past decade has seen an explosion in the concern for the security of information • Internet attacks are increasing in frequency, severity and sophistication • Denial of service (DoS) attacks • Cost $1.2 billion in 2000 • Thousands of attacks per week in 2001 • Yahoo, Amazon, eBay, Microsoft, White House, etc., attacked

  6. Battling Hackers is a Growth Industry (cont’d) • Virus and worms faster and powerful • Melissa, Nimda, Code Red, Slammer … • Cause over $28 billion in economic losses in 2003, growing to > $75 billion in economic losses by 2007. • Code Red (2001): 13 hours infected >360K machines - $2.4 billion loss • Slammer (2003): 10 minutes infected > 75K machines - $1 billion loss • Spywares are ubiquitous • 80% of Internet computers have spywares installed

  7. The Spread of Sapphire/Slammer Worms

  8. Current Intrusion Detection Systems (IDS) • Mostly host-based and not scalable to high-speed networks • Slammer worm infected 75,000 machines in <10 mins • Host-based schemes inefficient and user dependent • Have to install IDS on all user machines ! • Mostly signature-based • Cannot recognize unknown anomalies/intrusions • New viruses/worms, polymorphism

  9. Current Intrusion Detection Systems (II) • Statistical detection • Hard to adapt to traffic pattern changes • Unscalable for flow-level detection • IDS vulnerable to DoS attacks • Overall traffic based: inaccurate, high false positives • Cannot differentiate malicious events with unintentional anomalies • Anomalies can be caused by network element faults • E.g., router misconfiguration

  10. High-Performance Network Anomaly/Intrusion Detection and Mitigation System (HPNAIDM) • Online traffic recording • Reversible sketch for data streaming computation • Record millions of flows (GB traffic) in a few hundred KB • Small # of memory access per packet • Scalable to large key space size (232 or 264) • Online sketch-based flow-level anomaly detection • Leverage statistical learning theory (SLT) adaptively learn the traffic pattern changes • As a first step, detect TCP SYN flooding, horizontal and vertical scans even when mixed

  11. HPNAIDM (II) • Integrated approach for false positive reduction • Signature-based detection • Network element fault diagnostics • Traffic signature matching of emerging applications • Infer key characteristics of malicious flows for mitigation HPNAIDM: First flow-level intrusion detection that can sustain 10s Gbps bandwidth even for worst case traffic of 40-byte packet streams

  12. ErrorSketch Sketchmodule Forecastmodule(s) Anomaly detectionmodule (k,u) … Alarms Sketches Reversible Sketch Based Anomaly Detection • Input stream: (key, update) (e.g., SIP, SYN-SYN/ACK) • Summarize input stream using sketches • Build forecast models on top of sketches • Report flows with large forecast errors • Infer the (characteristics) key for mitigation

  13. Sketch-based Intrusion Detection • RS((DIP, Dport), SYN-SYN/ACK) • RS((SIP, DIP), SYN-SYN/ACK) • RS((SIP, Dport), SYN-SYN/ACK)

  14. Intrusion Mitigation

  15. Preliminary Evaluation • Evaluated with NU traces (239M flows, 1.8TB traffic/day) • Scalable • Can handle hundreds of millions of time series • Accurate Anomaly Detection w/ Sketches • Compared with detection using complete flow logs • Provable probabilistic accuracy guarantees • Even more accurate on real Internet traces • Efficient • For the worst case traffic, all 40 byte packets • 16 Gbps on a single FPGA board • 526 Mbps on a Pentium-IV 2.4GHz PC • Only less than 3MB memory used

  16. Preliminary Evaluation (cont’d) • 25 SYN flooding, 936 horizontal and 19 vertical scans detected • 17 out of 25 SYN flooding verified w/ backscatter • Complete flow-level connection info used for backscatter • Scans verified (all for vscan, top and bottom 10 for hscan) • Unknown scans also found in DShield and other alert reports Bottom 10 horizontal scans Top 10 horizontal scans

  17. Sponsors Department of Energy Motorola

  18. Research Methodology & Collaborators Combination of theory, synthetic/real trace driven simulation, and real-world implementation and deployment

More Related