“On Scalable Attack Detection in the Network”
Ramana Rao Kompella, Sumeet Singh, and George Varghese
Presented by Nadine Sundquist
2 November 7, 2007 CS-622
Roadmap
• Why do we need scalable attack detection?
• What are the difficulties in implementing scalable attack detection?
• What kinds of attacks can be detected?
• What are Partial Completion Filters (PCFs)?
• How do we use Partial Completion Filters?
• What are the experimental results?
Why do we need scalable attack detection?
• Scalable: able to detect network behavior at multi-gigabit speeds (at least 1 Gb/s).
• Detect behavior over a set of packets at network vantage points such as routers, not only at the end host.
• Proposed solution: aggregation (combining many connections into a few counters) for attack detection.
Why Use Aggregation?
• Combining several flows into one record is more efficient, just as it is for forwarding.
• A router can carry millions of flows/connections but does not have enough high-speed memory (on-chip and off-chip SRAM or cache) to keep state for each one.
• Other services already use forms of aggregation for faster processing.
 – Example: Internet lookup routers store about 150,000 prefixes for the entire Internet to process requests faster.
Problems of Aggregation
Behavioral Aliasing: good behaviors aggregate to look like bad behaviors.
False positive: the server thinks a resource is under attack when traffic is in a normal state.
[Figure: connections from 192.168.1.1 and from 128.1.1.7 land in the same aggregate; 2 computers look like 1 computer due to aggregation.]
Problems of Aggregation
Spoofing: the attacker avoids detection by appearing benign, for example by sending FINs that balance its SYNs (as in the figure).
Our focus is TCP (Transmission Control Protocol) SYN flooding, also known as Partial Completion Attacks: connections opened but not closed.
SYN – connection request; connection opened. FIN – connection finished/closed.
[Figure: the attacker sends SYN 128.1.1.7:80 several times and FIN 128.1.1.7:80 twice to the victim; the firewall/proxy/victim server does the detection of SYN flooding.]
Kinds of Attacks
• Partial completion attacks
• Attacks that do scanning
• Bandwidth attacks
• Commonality: bandwidth tied up or resources tied up
Partial Completion Filters (PCFs)
• New data structure.
• Can detect scanning attacks and partial completion attacks even when the attack traffic volume is small.
• Can detect victims reacting to an attack.
• Only useful for TCP (relies on pairing SYNs with FINs).
• Only have a local scope: a PCF sees what passes its own vantage point.
Partial Completion Filters (PCFs)
[Figure: SYN 192.168.1.1:20 followed by FIN 192.168.1.1:20 cancel out; three SYN 10.1.1.5:24 with no FIN leave a balance of +3. Courtesy of Minsoo Choi, University of Southern California.]
• If N packets are delivered, the SYN − FIN balance of a benign key stays within about √N (one standard deviation of a sum of N random ±1 steps).
• To stay above that noise, the alarm threshold is set at 3√N.
• Experiments used hash stages of 5000 counters; the 480 Kbits of memory quoted corresponds to 3 stages of 5000 32-bit counters (3 × 5000 × 32 = 480,000 bits).
How do we use PCFs?
• Partial completion attacks: PCF(SYN, FIN, <Destination IP : Destination Port>)
• TCP scanning detection: PCF(SYN, FIN, <Source IP>)
Where do I deploy PCFs?
• Near sources -> look at Source IP.
 – Recognizes scanning.
 – Recognizes too many SYN packets without FINs.
• Incoming/outgoing edge of network -> look at Destination IP.
 – Recognizes the attack on the victim.
• Outgoing edge of network -> look at Source IP.
 – Recognizes false FINs without a FIN-ACK.
Experiment Setup
[Figure: ISP A and ISP B connected through the Internet; traffic captured in both directions, Dir 0 and Dir 1.]
• 2 real traffic traces from 1 day, captured on an OC-48 link (2488.32 Mbit/s).
• Dir = direction; ISP = Internet Service Provider.
How do we take into account bias?
[Figure: histogram of the SYN − FIN difference per key in the experiment, x-axis from −150 to 150.]
Results
• 5 million destinations (about 30 million destination IP:port keys) and 2 million sources (about 30 million source IP:port keys).
• 517 attack flows.
• 6 false positives: benign keys with too many SYNs.
• 0 false negatives: no attack masked by too many FINs.
• Could measure the duration of the attacks.
Scanning Detection
• SYNs without FINs could mean port scans.
A source doing port scanning sends SYN packets, but no FIN packets, to MANY destinations (shown in red on the slide).
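A worked implementation of the PCF described on the preceding slides, keyed both ways: by destination IP:port for partial completion attacks and by source IP for the port-scan case on this slide. This is an added example written for this transcript, not code from the paper or the presenter. The SHA-256 per-stage hashing, the 3√N threshold taken literally from the slide, and the packet trace (a SYN flood against 128.1.1.7:80 from spoofed sources, a port scan from 10.1.1.5, and 200 benign connections that open and close) are constructed assumptions.

```python
"""Partial Completion Filter (PCF) demo: SYN-flood and scan detection by
aggregation. Added example, not the paper's code; the hash layout, the
3*sqrt(N) threshold rule from the slides and the packet trace are constructed."""
import hashlib
import math


class PartialCompletionFilter:
    """k parallel hash stages of counters keyed by one flow field.

    Every SYN adds 1 to the key's counter in each stage, every FIN subtracts 1,
    so a completed connection nets 0 and a half-open one leaves +1 behind.
    A key is reported only when its counter exceeds the threshold in ALL
    stages; a benign key sharing one bucket with an attack key (behavioral
    aliasing) is therefore not enough to raise an alarm.
    """

    def __init__(self, stages=3, buckets=5000):
        self.stages = stages
        self.buckets = buckets
        self.counters = [[0] * buckets for _ in range(stages)]
        self.packets = 0  # N: SYN+FIN packets seen in the measurement interval

    def _bucket(self, stage, key):
        # One hash per stage: salt the key with the stage number.
        digest = hashlib.sha256(f"{stage}|{key}".encode()).digest()
        return int.from_bytes(digest[:8], "big") % self.buckets

    def update(self, key, flag):
        delta = {"SYN": 1, "FIN": -1}[flag]
        self.packets += 1
        for stage in range(self.stages):
            self.counters[stage][self._bucket(stage, key)] += delta

    def threshold(self):
        # Slides' rule of thumb: with N packets in the interval a benign key's
        # SYN-FIN balance drifts by about sqrt(N), so alarm only above 3*sqrt(N).
        return 3 * math.sqrt(self.packets)

    def estimate(self, key):
        # Minimum over stages: an upper bound on the key's true SYN-FIN balance.
        return min(self.counters[s][self._bucket(s, key)] for s in range(self.stages))

    def suspects(self, keys):
        # End-of-interval check over the keys seen; a router would instead test
        # each key as it updates it.
        limit = self.threshold()
        return sorted(k for k in set(keys) if self.estimate(k) > limit)


def constructed_trace():
    """Constructed packet trace of (src, dst, dport, flag) tuples."""
    pkts = []
    # 200 benign connections from distinct clients, each opened and closed.
    for i in range(200):
        src = f"192.168.{i // 50 + 1}.{i % 50 + 1}"
        dst, port = ("128.1.1.7", 80) if i % 2 else ("128.1.1.9", 443)
        pkts.append((src, dst, port, "SYN"))
        pkts.append((src, dst, port, "FIN"))
    # SYN flood: 150 SYNs to 128.1.1.7:80 from spoofed sources, never closed.
    for i in range(150):
        pkts.append((f"203.0.113.{i + 1}", "128.1.1.7", 80, "SYN"))
    # Port scan: 10.1.1.5 probes 120 ports of one host and closes none.
    for port in range(1, 121):
        pkts.append(("10.1.1.5", "172.16.0.2", port, "SYN"))
    return pkts


def detect(trace, stages=3, buckets=5000):
    """Run the two PCF views from the slides over one trace.

    Returns (flagged destination IP:port keys, flagged source IP keys):
    PCF(SYN, FIN, <dst IP:port>) for partial completion attacks and
    PCF(SYN, FIN, <src IP>) for scanning.
    """
    by_dst = PartialCompletionFilter(stages, buckets)
    by_src = PartialCompletionFilter(stages, buckets)
    dst_keys, src_keys = [], []
    for src, dst, port, flag in trace:
        dkey = f"{dst}:{port}"
        by_dst.update(dkey, flag)
        by_src.update(src, flag)
        dst_keys.append(dkey)
        src_keys.append(src)
    return by_dst.suspects(dst_keys), by_src.suspects(src_keys)


if __name__ == "__main__":
    print("3 stages x 5000 buckets:", detect(constructed_trace()))
    # Behavioral aliasing: one small stage also flags benign keys that share
    # the attacker's bucket; three stages suppress most of them.
    print("1 stage x 16 buckets:", detect(constructed_trace(), 1, 16))
    print("3 stages x 16 buckets:", detect(constructed_trace(), 3, 16))
```

With the 670-packet trace the threshold is 3√670 ≈ 77.6, so the victim key 128.1.1.7:80 (balance 150) and the scanner 10.1.1.5 (balance 120) are the only keys reported, while the 150 spoofed sources and the 120 scanned ports each leave a balance of 1 and stay below it. Shrinking a filter to a single 16-bucket stage reproduces the behavioral aliasing problem from the earlier slide: every benign source that hashes into the scanner's bucket reads 120 and is flagged. Because the reported value is the minimum over stages, adding stages can only remove such false positives, never add them.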
Conclusions
• Speed requirement: using aggregation, attack detection is possible on links of at least 2488.32 Mbit/s (OC-48).
• Memory requirement: only 480 Kbits of memory for the hash-stage counters.
• Accurate in a local area network.
Further Research/Work
• Run more tests using more data sets; only one data set was used in the paper's experiment.
• Research other methods of attack detection at high speeds and compare results.
• Further research on scan-based (worm) attacks.
References
• Ramana Rao Kompella, Sumeet Singh, and George Varghese, "On Scalable Attack Detection in the Network", February 2007.
• Minsoo Choi, "On Scalable Attack Detection in the Network Presentation", netweb.usc.edu/ftp/pub/cs558f05/Slides/minsoo.ppt, 2007.