THE INTERNET MOTION SENSOR: A Distributed Blackhole Monitoring System
Presented by: Bruce Meeks, Jr.
Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson
Publisher: Electrical Engineering and Computer Science Department, University of Michigan
INTRODUCTION AND MOTIVATION
• The national infrastructure of global networks is vulnerable to rapidly growing Internet threats
• Among them: fast-moving worms, distributed denial-of-service attacks, and routing exploits
INTRODUCTION AND MOTIVATION
• These threats share several key characteristics:
1) globally scoped
2) occasional zero-day threats
3) evolutionary characteristic
4) many are exceptionally virulent
AUTHORS’ PROPOSED METHODS FOR MONITORING AND ANALYSIS
• One promising method for investigating these threats is monitoring unused or dark address space
• Two key design challenges must be addressed to build this monitoring infrastructure:
SENSOR COVERAGE
• The visibility of the system into Internet threats
• One method to increase visibility is to monitor larger blocks of address space
SERVICE EMULATION
• It is difficult to emulate realistic Internet services because the IMS doesn’t interact with live hosts
• An ideal system would reproduce all current and future services with exactly the same behaviors as all possible end-hosts
MAIN CONTRIBUTIONS
• The design and implementation of a distributed, globally scoped, Internet threat monitoring system
  - IMS architecture
• The deployment and demonstration of the IMS on production networks
  - Current deployment and observations
INTERNET MOTION SENSOR ARCHITECTURE
• Offers three novel contributions:
1) Distributed Monitoring Infrastructure
2) Lightweight Active Responder
3) Payload Signatures and Caching
INTERNET MOTION SENSOR ARCHITECTURE: 1st Novel Contribution
Distributed Monitoring Infrastructure
- Distributed deployment to increase visibility
INTERNET MOTION SENSOR ARCHITECTURE: 2nd Novel Contribution
Lightweight Active Responder
- Characterize threats on emerging ports and services
- Essentially a honeypot (low responsive)
INTERNET MOTION SENSOR ARCHITECTURE: 2nd Novel Contribution
Lightweight Active Responder
INTERNET MOTION SENSOR ARCHITECTURE: 3rd Novel Contribution
Payload Signatures and Caching
• Only stores new payloads
• Storage conservation
• Identifies new payloads
** Note: Goal of IMS is to measure, characterize, and track a broad range of Internet threats **
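An added illustration of the payload signature cache idea on the slide above (not code from the IMS paper or its authors): each distinct payload is stored once under a digest, and repeats are logged by signature only. SHA-256, the class and method names, and the sample packets are assumptions of this example.

```python
import hashlib
from collections import Counter

class PayloadCache:
    """Store each distinct payload once; log every observation by signature."""

    def __init__(self):
        self.payloads = {}      # signature -> payload bytes (stored once)
        self.first_seen = {}    # signature -> (timestamp, dst_port) of first sighting
        self.observations = []  # (timestamp, src_ip, dst_port, signature)
        self.raw_bytes = 0      # cost of storing every payload without the cache

    @staticmethod
    def signature(payload: bytes) -> str:
        # SHA-256 is an assumption of this example; the slides name no hash.
        return hashlib.sha256(payload).hexdigest()

    def observe(self, ts, src_ip, dst_port, payload: bytes) -> bool:
        """Record one packet. Returns True when the payload is new."""
        sig = self.signature(payload)
        self.raw_bytes += len(payload)
        self.observations.append((ts, src_ip, dst_port, sig))
        if sig in self.payloads:
            return False        # cache hit: only the signature is kept
        self.payloads[sig] = payload
        self.first_seen[sig] = (ts, dst_port)
        return True

    def stored_bytes(self) -> int:
        return sum(len(p) for p in self.payloads.values())

    def hit_rate(self) -> float:
        total = len(self.observations)
        return 0.0 if total == 0 else 1 - len(self.payloads) / total

    def counts_by_signature(self) -> Counter:
        return Counter(sig for _, _, _, sig in self.observations)

# Constructed sample traffic (documentation addresses, placeholder payloads).
SAMPLE = [
    (100, "192.0.2.10", 445, b"PROBE-A" * 8),
    (101, "192.0.2.11", 445, b"PROBE-A" * 8),
    (102, "198.51.100.7", 445, b"PROBE-A" * 8),
    (103, "203.0.113.5", 80, b"GET / HTTP/1.0\r\n\r\n"),
    (104, "192.0.2.10", 445, b"PROBE-A" * 8),
]

def run_sample():
    cache = PayloadCache()
    new_flags = [cache.observe(*pkt) for pkt in SAMPLE]
    return cache, new_flags
```

A `True` return from `observe` marks a payload the sensor has not stored before, which is the signal an analyst would review first.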
Deployment Observations and Experiences
• Three events captured using IMS deployment:
1) Internet worm activity
2) Scanning
3) DDoS
Weaknesses of Paper
• Next step of counteraction after detection?
• Why should this method of monitoring and analyzing be superior to others?
• Provides little to no information on defending against threats that depend on application-level responses.