
Global Router-based Anomaly/Intrusion Detection (GRAID) Systems





Presentation Transcript


Lab for Internet and Security Technology (LIST)
Yan Chen, ychen@cs.northwestern.edu
Department of Computer Science, Northwestern University
http://www.cs.northwestern.edu/~ychen

Our theme: challenges for the Internet as a new infrastructure for service delivery
- Un-trusted: security (viruses, worms, etc.)
- Highly dynamic: congestion/failures

Current Intrusion Detection Systems and Shortcomings
- Mostly host-based and not scalable to high-speed networks
- Mostly signature-based and cannot recognize unknown anomalies/intrusions (polymorphic/new viruses/worms)
- Isolated or centralized systems: insufficient information on the causes, patterns and prevalence of global-scale attacks
- Slammer worm infected 75,000 machines in <10 minutes

Global Router-based Anomaly/Intrusion Detection (GRAID) Systems
Multiple GRAID sensors interconnect through a distributed hash table (DHT) for alarm fusion, with:
- Scalability
- Load balancing
- Fault tolerance
- Intrusion correlation

[Figure: GRAID coverage. Labels: Attack injected; GRAID sensor; Internet; overlay; Network Operation Center; IDS; DHT mesh; LAN; switch; router; scan port.]

[Figure: Attach GRAID sensors to high-speed routers. (a) original configuration; (b) distributed configuration, in which each port is monitored separately; (c) aggregate configuration, in which a splitter aggregates the traffic from all the ports of a router. Labels: LAN; switch; splitter; router; end hosts; IDS + SFC; scan port.]

Part I: Sketch-based monitoring & detection
- Online traffic recording and analysis for high-speed routers
- Reversible k-ary sketch monitoring over streaming packet data
- Sketch-based statistical anomaly detection (SSAD), separating normal flows from suspicious flows
- Local sketch records kept at the sensor; remote aggregated sketch records sent out for aggregation
- Sample hardware: FPGA board used to implement the sketch-based traffic stream monitoring (courtesy of Prof. Memik of the ECE Dept.)

Architecture of a GRAID sensor (figure labels)
- Modules on the critical path, implemented in hardware for real-time detection: sketch monitoring and statistical detection; filtering separates keys of suspicious flows from keys of normal flows
- Modules on the non-critical path: signature-based detection, per-flow monitoring, network fault detection, traffic profile checking
- Data path and control path; output: intrusion or anomaly alarms

Part II: Per-flow monitoring & detection
- Traffic profile checking
- Integrated approach for false positive reduction

Tomography-based Overlay network Monitoring (TOM)
Overlay network monitoring is essential for:
- Overlay routing/location
- VPN management/provisioning
- Service redirection/placement
- Link failure/congestion diagnosis

Challenge: given an overlay of n end hosts and O(n^2) paths, select a minimal subset of paths to monitor so that the loss rates/latency of all other paths can be inferred.

Requirements for an end-to-end monitoring system:
- Scalable & efficient: small amount of probing traffic
- Accurate: captures congestion/failures
- Adaptive: nodes join/leave, topology changes
- Robust: tolerates measurement errors
- Balanced measurement load

Our solution: select a basis set of k paths that fully describes the O(n^2) paths (k = O(n log n)); monitor the loss rates of the k paths and infer the loss rates of all other paths.
- Adaptive to topology changes
- Balanced measurement load
- Tolerant of topology measurement error

Real Adaptive Streaming Media on TOM
- Implemented with a Winamp client and a SHOUTcast server
- Congestion introduced with a Packet Shaper
- Skip-free playback: server buffering and rewinding
- Total adaptation time < 4 seconds
- See our paper in

Collaborators: Stanford, UC San Diego, HP Labs, UC Berkeley
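The Part I pipeline (sketch the per-key traffic of each epoch, compute the change between epochs, then recover the keys behind the heavy buckets) as an added example; this is not the GRAID project's code. It assumes Python, a 32-bit destination IP as the key, five hash rows that hash each byte of the key independently to a nibble (so a row has 16^4 buckets), and a fixed packet-count threshold; the two epochs `EPOCH_PREV`/`EPOCH_CUR` are constructed inputs. The published reversible sketch also mangles keys before hashing and forecasts the expected sketch instead of simply subtracting the previous epoch; both are left out here to keep the reversal step visible.

```python
"""Reversible k-ary sketch: heavy-change detection with key recovery (added example)."""
import random
from itertools import product

H = 5            # hash rows; key recovery intersects candidates across rows
WORDS = 4        # a 32-bit key (here a destination IP) is split into 4 bytes
NIBBLE = 16      # each byte hashes to 4 bits, so a row has 16**4 = 65536 buckets
K = NIBBLE ** WORDS


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


class ReversibleSketch:
    """k-ary sketch whose per-byte (modular) hashing lets heavy buckets be mapped back to keys."""

    def __init__(self, seed=1):
        self.seed = seed
        rng = random.Random(seed)
        # perm[h][i][byte] -> nibble: an independent byte-to-nibble table per row and word
        self.perm = [[[rng.randrange(NIBBLE) for _ in range(256)]
                      for _ in range(WORDS)] for _ in range(H)]
        self.rows = [[0] * K for _ in range(H)]
        self.total = 0

    @staticmethod
    def words(key):
        return [(key >> (8 * (WORDS - 1 - i))) & 0xFF for i in range(WORDS)]

    def bucket(self, h, key):
        idx = 0
        for i, w in enumerate(self.words(key)):
            idx = idx * NIBBLE + self.perm[h][i][w]   # concatenate the per-byte hashes
        return idx

    def update(self, key, value=1):
        self.total += value
        for h in range(H):
            self.rows[h][self.bucket(h, key)] += value

    def estimate(self, key):
        """Unbiased k-ary estimate of one key's value; median over rows damps collisions."""
        ests = sorted((self.rows[h][self.bucket(h, key)] - self.total / K) / (1 - 1 / K)
                      for h in range(H))
        return ests[H // 2]

    def minus(self, other):
        """Change sketch: this epoch minus the previous one, bucket by bucket
        (both sketches must share the seed, i.e. the same hash tables)."""
        d = ReversibleSketch(self.seed)
        d.rows = [[a - b for a, b in zip(r1, r2)] for r1, r2 in zip(self.rows, other.rows)]
        d.total = self.total - other.total
        return d

    def heavy_keys(self, threshold):
        """Recover every key whose change is >= threshold without storing a key list."""
        cand = [set(range(256)) for _ in range(WORDS)]
        for h in range(H):
            allowed = [set() for _ in range(WORDS)]
            for b, v in enumerate(self.rows[h]):
                if v < threshold:
                    continue
                # a heavy bucket index is the concatenation of WORDS nibbles; invert each
                nibbles = [(b >> (4 * (WORDS - 1 - i))) & 0xF for i in range(WORDS)]
                for i in range(WORDS):
                    allowed[i].update(x for x in range(256) if self.perm[h][i][x] == nibbles[i])
            for i in range(WORDS):
                cand[i] &= allowed[i]     # a real heavy key survives every row
        found = {}
        for bs in product(*cand):
            key = 0
            for w in bs:
                key = (key << 8) | w
            # drop byte combinations that do not land in a heavy bucket in every row
            if all(self.rows[h][self.bucket(h, key)] >= threshold for h in range(H)):
                found[key] = self.estimate(key)
        return found


def detect_changes(prev_flows, cur_flows, threshold):
    """Flows are (dst_ip, packets) records for two consecutive epochs."""
    s_prev, s_cur = ReversibleSketch(seed=7), ReversibleSketch(seed=7)
    for ip, n in prev_flows:
        s_prev.update(ip_to_int(ip), n)
    for ip, n in cur_flows:
        s_cur.update(ip_to_int(ip), n)
    return {int_to_ip(k): v for k, v in s_cur.minus(s_prev).heavy_keys(threshold).items()}


# Constructed sample epochs: steady background traffic, then two destinations surge
# (a scan target and a flooding victim) while one host goes quiet.
EPOCH_PREV = [("10.0.0.5", 40), ("10.0.0.9", 35), ("192.168.1.20", 50), ("172.16.4.4", 60)]
EPOCH_CUR = [("10.0.0.5", 45), ("10.0.0.9", 30), ("192.168.1.20", 900), ("10.0.0.77", 400)]

if __name__ == "__main__":
    for ip, change in detect_changes(EPOCH_PREV, EPOCH_CUR, threshold=250).items():
        print(f"{ip}: change ~ {change:.1f} packets")
```

Only the two surging destinations come back; the host that went quiet has a large negative change and is ignored, and the per-row check in `heavy_keys` is what stops the cross product of candidate bytes from reporting mixed-up keys. The sensor never has to keep a per-flow table for this step, which is the property that makes it fit on the critical path.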
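The TOM idea (pick k linearly independent paths out of the O(n^2) end-to-end paths, probe only those, and infer the rest from the path-link matrix) as an added example, not the TOM code. It assumes Python and a constructed six-host, three-router chain topology with constructed per-link loss rates; `ROUTERS`, `ACCESS`, `LINKS` and `LINK_LOSS` are all made up for the demo. The real system works on measured topology and has to tolerate measurement error; here the elimination is exact rational arithmetic and the probes are noise-free, so the inferred losses match the true ones exactly.

```python
"""TOM-style basis-path selection and loss inference over an overlay (added example)."""
from fractions import Fraction
from itertools import combinations
import math

# Constructed overlay (not from the poster): six end hosts behind three routers in a
# chain, so each end-to-end path is a fixed set of access and core links.
ROUTERS = ["r0", "r1", "r2"]
ACCESS = {"h0": "r0", "h1": "r0", "h2": "r1", "h3": "r1", "h4": "r2", "h5": "r2"}
LINKS = [f"{h}-{r}" for h, r in ACCESS.items()] + \
        [f"{ROUTERS[i]}-{ROUTERS[i + 1]}" for i in range(len(ROUTERS) - 1)]
# Constructed per-link loss rates: the r1-r2 core link is the congested one.
LINK_LOSS = {l: 0.0 for l in LINKS}
LINK_LOSS.update({"r1-r2": 0.08, "h3-r1": 0.02, "h5-r2": 0.01})


def path_links(a, b):
    ia, ib = sorted((ROUTERS.index(ACCESS[a]), ROUTERS.index(ACCESS[b])))
    return [f"{a}-{ACCESS[a]}", f"{b}-{ACCESS[b]}"] + \
           [f"{ROUTERS[i]}-{ROUTERS[i + 1]}" for i in range(ia, ib)]


def path_vector(path):
    """Row of the path-link matrix G: 1 where the path uses the link."""
    used = set(path_links(*path))
    return [Fraction(1 if l in used else 0) for l in LINKS]


def select_basis(paths):
    """Incremental Gaussian elimination over G. Returns (basis, combos): the basis
    paths are linearly independent rows of G; combos maps every other path to the
    coefficients expressing its row as a combination of basis rows."""
    echelon = []               # (pivot column, normalised row, row as basis combination)
    basis, combos = [], {}
    for p in paths:
        res, coef = path_vector(p), {}
        for piv, row, rc in echelon:
            f = res[piv]
            if f:
                res = [x - f * y for x, y in zip(res, row)]
                for j, c in rc.items():
                    coef[j] = coef.get(j, 0) + f * c
        piv = next((i for i, x in enumerate(res) if x), None)
        if piv is None:                    # dependent: G[p] = sum coef[j] * G[basis[j]]
            combos[p] = coef
            continue
        m, scale = len(basis), res[piv]
        basis.append(p)
        rc = {j: -c / scale for j, c in coef.items()}
        rc[m] = Fraction(1) / scale
        echelon.append((piv, [x / scale for x in res], rc))
    return basis, combos


def measure(path):
    """Probe result for one path: end-to-end loss from the constructed link losses."""
    delivered = 1.0
    for l in path_links(*path):
        delivered *= 1 - LINK_LOSS[l]
    return 1 - delivered


def infer_losses(basis, combos, measured):
    """Loss composes multiplicatively per link, so -log(1 - p) is additive along a
    path and linear in G: unmeasured paths follow from the basis measurements."""
    b = [-math.log(1 - measured[p]) for p in basis]
    return {p: 1 - math.exp(-sum(float(c) * b[j] for j, c in coef.items()))
            for p, coef in combos.items()}


def run_tom():
    paths = list(combinations(ACCESS, 2))       # all n(n-1)/2 end-to-end paths
    basis, combos = select_basis(paths)
    measured = {p: measure(p) for p in basis}   # only the k basis paths are probed
    return basis, infer_losses(basis, combos, measured)


if __name__ == "__main__":
    basis, inferred = run_tom()
    print(f"probe {len(basis)} of {len(basis) + len(inferred)} paths")
    for p, v in inferred.items():
        print(f"{p[0]}-{p[1]}: inferred {v:.4f}, true {measure(p):.4f}")
```

With 8 links the rank of G is 8, so 8 of the 15 paths are probed and the other 7 are inferred. The saving grows with n: the rank is bounded by the number of distinct underlying links, which is what makes k = O(n log n) possible in practice, and the same elimination can be re-run whenever a host joins or leaves.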
