
Security System for KOREN/APII-Testbed

Security System for KOREN/APII-Testbed. Sungkwan Youm, Korea Univ. Research goal: deploy an attack defense system to KOREN to improve its security. Yearly plan, 2003: security system design and algorithm proposal; proposal of a dynamic and adaptive detection algorithm.


Presentation Transcript


  1. Security System for KOREN/APII-Testbed. Sungkwan Youm, Korea Univ. (A Study of TE for KOREN/APII-Testbed)

  2. Research Goal
  • Deploy an attack defense system to KOREN to improve security
  • Yearly Plan
    • 2003: Security system design and algorithm proposal
      • Proposal of a dynamic and adaptive detection algorithm
      • Design of a system that detects and defends against attacks
      • Implementation of the signature detector
    • 2004: Implementation of the system and deployment on KOREN
      • Implementation of the dynamic detection component
      • Implementation of agent and manager

  3. System Architecture (diagram): an Agent containing the monitoring tools (Libcap, NetFlow), the Signature Detector, the Anomaly Detector (flow isolation, elementary classification of attack, adaptive classification) and Visualization; the Agent reports to the Filtering Manager, which uses the Security DB and protects the Server; a link leads to another agent.

  4. Configuration for Security (diagram): agents are placed at the KOREN edge and in another network; each agent detects and filters attack traffic so that users reach the protected server while attack traffic is filtered at the agents.

  5. Signature Detector
  • Using Snort
  • Performs as a NIDS
  • Optimized rule set
  • Deployed in Suwon and Daejeon
  (Map of KOREN nodes: Seoul, Suwon, Daejeon, Daegu, Busan, Kwangju; Snort servers at Suwon and Daejeon.)

  6. Signature Detector Detection Results
  • Alert list (figure)

  7. Anomaly Detection Algorithm
  • Entropy
    • Measures the randomness of a packet attribute (e.g. source address)
    • Maintains a running average of the entropy
    • Detects an attack when the deviation exceeds a configured threshold
  • Chi-square test
    • Measures the distribution of an attribute
    • Used for anomaly detection over various packet attributes

  8. Anomaly Detection Mechanism (diagram): incoming traffic (attack and normal packets) enters elementary classification, which uses a single detecting algorithm (entropy) with low accuracy and produces a suspicious signature; adaptive classification then uses multiple detecting algorithms (chi-square) with high accuracy and produces a malicious signature; the Filtering Manager applies the signatures and passes on secure packets.

  9. Anomaly Detection Mechanism
  • Elementary classification
    • Applies a suspicious signature with high sensitivity
    • Classification covers attack packets broadly
    • Reduces the congestion problem of the network
    • Uses entropy calculation with a low threshold value
  • Adaptive classification
    • Applies a malicious signature with high sensitivity
    • Reduces the error detection rate
    • Uses the chi-square test with a high threshold value

  10. Flowchart of Signature Creation
  • Pick up the next packet attributes (as sa or ma)
  • Calculate the entropy of packet attribute sa and compare it with the average
    • Threshold not exceeded: update the average value of the entropy, calculate the chi-square value of packet attribute ma, update its average, and return to the next packet
    • Threshold exceeded: create a suspicious signature based on packet attribute sa
  • Calculate the chi-square value of packet attribute ma over the suspicious packets
    • Threshold not exceeded: return to the next packet
    • Threshold exceeded: does the number of packets that belong to the suspicious signature exceed the upper-bound threshold n?
      • No: return to the next packet
      • Yes: create a malicious signature by adding ma to the suspicious signature
  • Filtering based on signatures
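The two-stage classifier of slides 7, 9 and 10 (entropy of one attribute with a low threshold, then chi-square of a second attribute with a high threshold and a packet-count bound) as an added worked example; this is illustrative code written for this transcript, not the KOREN project's implementation. Assumptions are labelled in the comments: packets are dicts, windows are fixed-size batches, the running entropy average is an exponential moving average, the suspicious signature is the set of sa values seen in the anomalous window, and the malicious signature adds the most over-represented ma bucket. The traffic is constructed inline.

```python
import math
from collections import Counter


def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    total = len(values)
    counts = Counter(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def chi_square_stat(observed, expected_fraction):
    """Pearson chi-square of observed bucket counts against a baseline given as
    bucket -> fraction. A bucket absent from the baseline gets a small floor so
    a brand-new bucket is scored instead of being divided by zero (assumption)."""
    total = sum(observed.values())
    stat = 0.0
    for bucket in set(observed) | set(expected_fraction):
        exp = total * expected_fraction.get(bucket, 0.01)
        stat += (observed.get(bucket, 0) - exp) ** 2 / exp
    return stat


def length_bucket(length):
    """Hypothetical bucketing of packet length into 256-byte bins (assumption)."""
    return (length // 256) * 256


class TwoStageDetector:
    """Elementary (entropy, low threshold) then adaptive (chi-square, high
    threshold, count bound n) classification, following the slide-10 flowchart."""

    def __init__(self, sa="src", ma="length", bucket=length_bucket,
                 low_threshold=0.5, high_threshold=10.0, upper_bound=30, alpha=0.2):
        self.sa, self.ma, self.bucket = sa, ma, bucket
        self.low, self.high, self.n = low_threshold, high_threshold, upper_bound
        self.alpha = alpha            # weight of the newest window in the running average
        self.avg_entropy = None       # running average of entropy of sa
        self.ma_baseline = Counter()  # cumulative ma bucket counts from normal windows
        self.suspicious = []          # [{sa: frozenset(values)}]
        self.malicious = []           # [{sa: frozenset(values), ma: bucket}]

    def _baseline_fractions(self):
        total = sum(self.ma_baseline.values())
        return {b: c / total for b, c in self.ma_baseline.items()}

    def _learn(self, entropy, packets):
        # Window judged normal: update the entropy average and the ma baseline.
        if self.avg_entropy is None:
            self.avg_entropy = entropy
        else:
            self.avg_entropy = (1 - self.alpha) * self.avg_entropy + self.alpha * entropy
        self.ma_baseline.update(self.bucket(p[self.ma]) for p in packets)

    def process_window(self, packets):
        """Returns 'learning', 'normal', 'suspicious' or 'malicious' for the window."""
        entropy = shannon_entropy([p[self.sa] for p in packets])
        if self.avg_entropy is None:      # first window only seeds the averages
            self._learn(entropy, packets)
            return "learning"
        if abs(entropy - self.avg_entropy) <= self.low:
            self._learn(entropy, packets)
            return "normal"
        # Elementary classification: broad suspicious signature from sa values.
        sig = {self.sa: frozenset(p[self.sa] for p in packets)}
        self.suspicious.append(sig)
        matching = [p for p in packets if p[self.sa] in sig[self.sa]]
        observed = Counter(self.bucket(p[self.ma]) for p in matching)
        fractions = self._baseline_fractions()
        if chi_square_stat(observed, fractions) <= self.high or len(matching) <= self.n:
            return "suspicious"
        # Adaptive classification: add the most over-represented ma bucket.
        worst = max(observed, key=lambda b: observed[b] - len(matching) * fractions.get(b, 0.0))
        self.malicious.append({**sig, self.ma: worst})
        return "malicious"

    def matches(self, packet):
        """Filtering decision: True when a malicious signature covers the packet."""
        return any(packet[self.sa] in s[self.sa] and self.bucket(packet[self.ma]) == s[self.ma]
                   for s in self.malicious)


def normal_window():
    # Constructed normal traffic: four legitimate sources, mixed packet lengths.
    return [{"src": f"10.0.0.{(i % 4) + 1}", "dst": "10.0.1.10",
             "length": [64, 512, 1200, 1500][i % 4]} for i in range(40)]


def attack_window():
    # Constructed flood: 40 distinct spoofed sources (documentation range), all
    # 64-byte packets, mixed with eight normal packets.
    spoofed = [{"src": f"198.51.100.{i + 1}", "dst": "10.0.1.10", "length": 64} for i in range(40)]
    return spoofed + normal_window()[:8]


def run_demo():
    """Feeds two normal windows then a flood; returns the verdicts and detector."""
    det = TwoStageDetector()
    verdicts = [det.process_window(normal_window()),
                det.process_window(normal_window()),
                det.process_window(attack_window())]
    return verdicts, det


if __name__ == "__main__":
    verdicts, det = run_demo()
    print(verdicts, det.malicious[0]["length"] if det.malicious else None)
```

The suspicious signature is deliberately coarse (it also contains the legitimate sources of the anomalous window), which is why filtering is only done on the malicious signature: a legitimate 512-byte packet from 10.0.0.1 passes, while a 64-byte packet from the same source would be dropped alongside the flood. That collateral effect is the trade-off slides 17 and 19 point at when they note that packet length is not always a valid attribute and that thresholds may need lowering.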

  11. Example of Detection Process (figures of the anomaly detection process)
  • Entropy (about source address)
  • Chi-square (about packet length)

  12. Anomaly Detector Architecture (diagram): the Agent's Monitoring Tool feeds packet attributes (source address, destination address, source port number, destination port number, protocol) to Detecting Modules 1 through n; the Anomaly Detection Manager collects their results and passes suspicious and malicious signatures to the Filtering Manager.

  13. Signature Detector Testing (DDoS): Testing Environment (diagram): a master sends control messages to agents, which send attack packets to the target; Snort could not detect the attack packets (203.255.255.94, Daejeon) but could detect the control messages (163.180.118.68, Suwon).

  14. Signature Detector Testing (DDoS)
  • TFN2K ICMP possible communication detection
  • DDoS TFN client command BE detection

  15. Anomaly Detector Algorithm Testing (DDoS)
  • Testing environment (diagram): the local network (normal traffic) and a DDoS attack (TFN2K) against the victim are captured by the Monitoring Tool (Libcap, NetFlow); packet and flow attributes (source address, destination address, source port number, destination port number, packet length) are stored in the Attribute DB and analyzed with the detecting algorithm.

  16. Anomaly Detector Testing (DDoS)
  • About packet attributes (figure)

  17. Anomaly Detector Testing (DDoS)
  • In this case, packet length is not a valid attribute

  18. Anomaly Detector Testing (DDoS)
  • About flow attributes (figure)

  19. Anomaly Detector Testing (DDoS)
  • The threshold value needs to be set lower

  20. Conclusion
  • The Signature Detector detects well-known attacks
  • The Anomaly Detector detects DDoS attacks that the Signature Detector cannot detect
  • The security system will improve KOREN's security

  21. Future Work
  • Monitor malicious traffic using the signature detector
  • Design the filtering manager
  • Implement the detecting module
