Network-based Intrusion Detection, Prevention and Forensics System
Yan Chen
Department of Electrical Engineering and Computer Science, Northwestern University
Lab for Internet & Security Technology (LIST)
http://list.cs.northwestern.edu

The Spread of Sapphire/Slammer Worms
Current Intrusion Detection Systems (IDS)
• Mostly host-based and not scalable to high-speed networks
  • Slammer worm infected 75,000 machines in <10 mins
• Host-based schemes inefficient and user dependent
  • Have to install IDS on all user machines!
• Mostly simple signature-based
  • Cannot recognize unknown anomalies/intrusions
  • New viruses/worms, polymorphism
Current Intrusion Detection Systems (II)
• Cannot provide quality info for forensics or situational-aware analysis
• Hard to differentiate malicious events from unintentional anomalies
  • Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration
• Cannot tell the situational-aware info: attack scope/target/strategy, attacker (botnet) size, etc.
Network-based Intrusion Detection, Prevention, and Forensics System
• Online traffic recording [SIGCOMM IMC 2004, INFOCOM 2006, ToN to appear]
  • Reversible sketch for data streaming computation
  • Record millions of flows (GB of traffic) in a few hundred KB
  • Small number of memory accesses per packet
  • Scalable to large key space sizes (2^32 or 2^64)
• Online sketch-based flow-level anomaly detection [IEEE ICDCS 2006] [IEEE CG&A, Security Visualization 06]
  • Adaptively learn the traffic pattern changes
  • As a first step, detect TCP SYN flooding, horizontal and vertical scans even when mixed
• Online stealthy spreader (botnet scan) detection [IWQoS 2007]
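The following is an added illustration, not code from the LIST group or from the papers cited above. It shows, in simplified form, what the "reversible sketch" bullets mean in practice: every packet costs a fixed number of counter updates (one per hash row), the table size is fixed regardless of the 2^32 destination-address key space, and the destinations responsible for a SYN flood are recovered from the counters alone by inverting per-word (modular) hash functions, so no per-flow key list is kept. It assumes 32-bit IPv4 keys split into four 8-bit words, five hash rows and three index bits per word, and all traffic is constructed in the script; the IP-mangling step of the published reversible sketch is omitted.

```python
"""Simplified reversible sketch for SYN-flood detection (constructed example)."""
import itertools
import random

H = 5            # hash rows: each packet touches exactly H counters
Q = 4            # a 32-bit key is split into Q words of WORD_BITS bits
WORD_BITS = 8
R = 3            # each word hashes to R bits; bucket index = Q*R = 12 bits
K = 1 << (Q * R)  # 4096 counters per row, independent of the 2**32 key space


class ReversibleSketch:
    def __init__(self, seed=1):
        rng = random.Random(seed)
        # sub[h][i][w]: R-bit sub-index assigned to word value w at position i in row h
        self.sub = [[[rng.randrange(1 << R) for _ in range(1 << WORD_BITS)]
                     for _ in range(Q)] for _ in range(H)]
        self.table = [[0] * K for _ in range(H)]

    @staticmethod
    def words(key):
        # Most significant word first, matching int.from_bytes(..., "big") below.
        return [(key >> (WORD_BITS * (Q - 1 - i))) & 0xFF for i in range(Q)]

    def index(self, h, key):
        # Modular hashing: concatenate the per-word sub-indices into one bucket index.
        idx = 0
        for i, w in enumerate(self.words(key)):
            idx = (idx << R) | self.sub[h][i][w]
        return idx

    def update(self, key, value=1):
        for h in range(H):  # constant H memory accesses per packet
            self.table[h][self.index(h, key)] += value

    def estimate(self, key):
        # Count-min style estimate: collisions can only inflate a bucket.
        return min(self.table[h][self.index(h, key)] for h in range(H))

    def reverse(self, threshold):
        """Recover every key whose estimate is >= threshold using only the table."""
        cand = [None] * Q
        mask = (1 << R) - 1
        for h in range(H):
            heavy = [b for b, c in enumerate(self.table[h]) if c >= threshold]
            for i in range(Q):
                # Word values that could have produced a heavy bucket's sub-index.
                subs = {(b >> (R * (Q - 1 - i))) & mask for b in heavy}
                vals = {w for w in range(1 << WORD_BITS) if self.sub[h][i][w] in subs}
                # A heavy key must be consistent with every row, so intersect.
                cand[i] = vals if cand[i] is None else cand[i] & vals
        found = []
        for combo in itertools.product(*cand):
            key = int.from_bytes(bytes(combo), "big")
            if self.estimate(key) >= threshold:  # verify against all rows
                found.append(key)
        return sorted(found)


def ip_to_int(ip):
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def int_to_ip(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def detect_syn_flood(packets, threshold):
    """packets: iterable of (src_ip, dst_ip, tcp_flags); counts SYNs per destination."""
    sk = ReversibleSketch()
    for _src, dst, flags in packets:
        if flags == "S":
            sk.update(ip_to_int(dst))
    return [int_to_ip(k) for k in sk.reverse(threshold)]


def constructed_traffic(seed=7):
    """Constructed sample: scattered background SYNs plus a spoofed-source flood."""
    rng = random.Random(seed)
    pkts = [(int_to_ip(rng.getrandbits(32)), int_to_ip(rng.getrandbits(32)), "S")
            for _ in range(6000)]
    pkts += [(int_to_ip(rng.getrandbits(32)), "10.0.0.5", "S") for _ in range(500)]
    rng.shuffle(pkts)
    return pkts


if __name__ == "__main__":
    print(detect_syn_flood(constructed_traffic(), threshold=100))  # ['10.0.0.5']
```

The sketch here holds 5 x 4096 counters for any number of distinct destinations; in a deployment the per-interval threshold would come from the adaptively learned traffic baseline rather than the fixed value used above.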
Network-based Intrusion Detection, Prevention, and Forensics System (II)
• Polymorphic worm signature generation & detection [IEEE Symposium on Security and Privacy 2006] [IEEE ICNP 2007 to appear]
• Accurate network diagnostics [ACM SIGCOMM 2006] [IEEE INFOCOM 2007]
• Scalable distributed intrusion alert fusion w/ DHT [SIGCOMM Workshop on Large Scale Attack Defense 2006]
• Large-scale botnet and P2P misconfiguration event forensics [work in progress]
System Deployment
• Attached to a router/switch as a black box
• Edge network detection particularly powerful
[Figure: deployment diagrams. Panels: (a) HPNAIDM system, (b), (c). Panel captions: Original configuration; Monitor each port separately; Monitor aggregated traffic from all ports. Components shown: Internet, router, switch, splitter, scan port, LAN, RAND system.]
Sponsors for LIST:
• Department of Energy (Early CAREER Award)
• Air Force Office of Scientific Research (Young Investigator Award)
• National Science Foundation
• Microsoft Research
• Motorola Inc.
• Additional industry collaborators
  • SANS (SysAdmin, Audit, Network, Security) Institute
  • AT&T Labs
Northwestern Lab for Internet and Security Technology (LIST)
Team of LIST
• Prof. Bin Liu from Tsinghua Univ., partially supported as an Eshbach Scholar of Northwestern University
• Jiazhen Chen (M.S. student)
• Kai Chen (Ph.D. student)
• Anup Goyal (Ph.D. student)
• Zhichun Li (Ph.D. student)
• Ying He (visiting Ph.D. student)
• Chengchen Hu (visiting Ph.D. student)
• Rahul Potharaju (M.S. student)
• Sagar Vemuri (M.S. student)
• Gao Xia (visiting Ph.D. student from Tsinghua University)
• Yao Zhao (Ph.D. student)
• Yanmei Zhang (visiting Ph.D. student)
• Zhaosheng Zhu (Ph.D. student)