Real-time Detection and Containment of Network Attacks using QoS Regulation
Seong Soo Kim and A. L. Narasimha Reddy
Computer Engineering, Department of Electrical Engineering, Texas A&M University
{skim, reddy}@ee.tamu.edu
Presented at ICC 2005
Outline
• Introduction and Motivation
• Our Approach
• Implementation
• Experiments & Discussion
• Conclusion
Contents
• Introduction and Motivation
• Our Approach
  – Nature of network attacks by protocol
  – Structure of flexible buffer management: non class-based in normal times, class-based during attacks
• Implementation
  – Weighted Fair Queuing
  – Thresholds
  – Exponential Weighted Moving Average (EWMA)
• Experiment & Discussion
  – Input traffic by protocol and detection
  – Output traffic by protocol
  – Forwarded traffic by protocol
  – Evaluation of anomaly detection
• Conclusion
Attack / Anomaly
• Bandwidth attacks and anomalies, flash crowds
• DoS (Denial of Service): TCP SYN flood, UDP flooding, ICMP echo reply flood
• Typical types:
  – Single attacker (DoS)
  – Multiple attackers (DDoS)
  – Multiple victims (worm)
Motivation (1)
• Current network-centric approaches are attack-specific
  – TCP SYN flood: handled with TCP SYN cookies or similar SYN-specific handling
  – ICMP flood: handled by turning off ICMP echo reply
  – These attack-specific approaches become ineffective against DDoS → need general, aggregate mechanisms
• Previous studies looked at individual flow-based mechanisms (partial state, RED-PD)
  – These also become ineffective against DDoS → need resource-based regulation
• Link speeds are increasing → need simple, effective mechanisms that can be implemented at line speed
→ Class-based buffer management
Motivation (2)
• Class-based buffer management (rate control, window control, weighted fair queuing) always parses every packet and assigns it to a designated buffer
  – However, most of the time traffic is normal, so the per-packet classification is wasted work
  – It becomes ineffective when traffic changes dynamically, because the rates are fixed in advance per protocol or per resource
• Flexible buffer management
  – Normal times: non class-based
  – Attack: class-based
  – Monitor during normal times, switch during an attack
Nature of Network Attacks by Protocol
• Most network attacks are protocol-specific, since they are software exploiting a specific vulnerability
• Different kinds of attacks are staged in different protocols, which is what makes class-based (per-protocol) regulation useful

Typical attacks and their protocols:

Protocol | Anomalies and attacks
TCP      | TCP SYN flooding, ACK scan, Telnet scan, TCP session hijacking (Hunt, Juggernaut), WinNuke, Christmas Tree, Code Red
UDP      | Echo-Chargen, Trin00, Nimda, SQL Slammer
ICMP     | Smurf, ICMP echo reply flood, Ping of Death, RingZero, TFN (Tribe Flood Network), WinFreeze, Loki
Structure of flexible buffer management
• Non class-based management in normal times
• Monitor the ICMP traffic i(t), TCP traffic t(t), UDP traffic u(t) and the remaining ("etc.") traffic e(t)
• Detect anomalies through the variation of each protocol's share of the input traffic
• Switch to class-based management during an attack

[Figure: in normal mode all traffic (ICMP, TCP, UDP, etc.) enters one shared "all in one" buffer; the attack detector drives a switch that, during an attack, diverts packets through a classifier into per-protocol queues (TCP, ICMP, UDP, etc.) served by WFQ]
Weighted Fair Queuing
• Wide-sense stationary (WSS) property: the traffic-volume ratios of the protocols are stationary over long time periods
  [Figure: the proportion of the major protocols over two different traffic traces]
• 4 classes: ICMP, TCP, UDP and etc.
• During normal times, the weight of each class (protocol) is set from these ratios
• The weights are adjustable according to the input traffic
Thresholds (1)
• Traffic volume-based thresholds
  – $T_H$: high threshold, catches an abnormal increase of a specific protocol's traffic share
  – $T_L$: low threshold, catches an abnormal decrease
  – TCP usually occupies most of the traffic, so a TCP attack can also be detected indirectly through the other protocols, whose shares shrink; those indicators may be more sensitive
• Threshold definition:
  $T_H(p,t) = (1+\alpha)\,MA(p,t)$, $\quad T_L(p,t) = (1-\alpha)\,MA(p,t)$,
  where $p$ is an individual protocol, $r(p,t)$ is the current proportion of protocol $p$ that is tested against the thresholds, $MA(p,t)$ is its moving average (EWMA slide), and $\alpha$ is the tolerance (3σ-based, next slide)
Thresholds (2)
• 3σ-based threshold: the tolerance can be set from 3σ of the normal-time distribution of each protocol's proportion
• Detection of anomalies:
  If $r(p,t) \ge (1+\alpha)\,MA(p,t) = T_H(p,t)$ or $r(p,t) \le (1-\alpha)\,MA(p,t) = T_L(p,t)$, then $(p,t)$ is flagged as an attack;
  otherwise $(p,t)$ is normal.
Exponential Weighted Moving Average (EWMA)
• To accommodate the dynamics of traffic, a moving average of each protocol's proportion is used; it filters out short-term noise
  $MA(p,t) = \beta\, r(p,t) + (1-\beta)\, MA(p,t-1)$,
  where $MA(p,t)$ is the moving average of protocol $p$ at time $t$, $r(p,t)$ is its current proportion, and $\beta$ is the weight given to the newest sample
• Operation modes
  – Non class-based: FCFS
  – Class-based: weighted round robin
  – Buffer management: RED or Drop-Tail
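The threshold and EWMA slides together describe one detector, so here is that detector in working form: an added example written for this transcript, not the authors' code. It follows the deck's notation (r(p,t), MA(p,t), T_H, T_L) and also produces the composite "1 out of 4" / "2 out of 4" signal used later to switch buffer management. The values alpha=0.3 and beta=0.2, the protocol set, and the sample streams are constructed assumptions; the deck derives its tolerance from 3σ and does not give these numbers.

```python
"""Protocol-composition anomaly detector, following the threshold and EWMA slides.

Notation as on the slides: r(p,t) is protocol p's proportion of sample t,
MA(p,t) = beta*r(p,t) + (1-beta)*MA(p,t-1) is its moving average, and the
thresholds are T_H(p,t) = (1+alpha)*MA(p,t), T_L(p,t) = (1-alpha)*MA(p,t).
alpha=0.3, beta=0.2 and the sample streams below are constructed assumptions.
"""
PROTOCOLS = ("icmp", "tcp", "udp", "etc")


def proportions(counts):
    """r(p,t): each protocol's share of one sample's volume (packets or bytes)."""
    total = sum(counts.get(p, 0) for p in PROTOCOLS)
    return {p: (counts.get(p, 0) / total if total else 0.0) for p in PROTOCOLS}


class CompositionDetector:
    """One EWMA per protocol: O(n) state, constant work per protocol per sample."""

    def __init__(self, alpha=0.3, beta=0.2):
        self.alpha = alpha  # threshold tolerance (the slides derive it from 3 sigma)
        self.beta = beta    # EWMA weight on the newest sample
        self.ma = None      # MA(p,t-1) per protocol; None until the first sample

    def update(self, counts):
        """Consume one sample; return {protocol: True if r is outside [T_L, T_H]}."""
        r = proportions(counts)
        if self.ma is None:                 # warm-up: the first sample seeds the baseline
            self.ma = dict(r)
            return {p: False for p in PROTOCOLS}
        flags = {}
        for p in PROTOCOLS:
            ma = self.beta * r[p] + (1 - self.beta) * self.ma[p]   # MA(p,t)
            t_high = (1 + self.alpha) * ma                          # T_H(p,t)
            t_low = (1 - self.alpha) * ma                           # T_L(p,t)
            if ma == 0:
                # A protocol with a zero baseline has T_L = T_H = 0: flag it only
                # when it appears, not for staying absent.
                flags[p] = r[p] > 0
            else:
                flags[p] = r[p] >= t_high or r[p] <= t_low
            self.ma[p] = ma
        return flags


def composite(flags, k=2):
    """Composite signal: k=1 is the logical OR, k=2 the '2 out of 4' majority vote."""
    return sum(flags.values()) >= k


def run(samples, k=2, alpha=0.3, beta=0.2):
    """Per-sample buffer-management mode, chosen by the composite signal."""
    detector = CompositionDetector(alpha, beta)
    modes = []
    for counts in samples:
        attack = composite(detector.update(counts), k)
        modes.append("class-based" if attack else "non-class-based")
    return modes


def constructed_samples():
    """20 normal samples with mild TCP jitter, then 5 samples of a UDP flood (constructed)."""
    normal = [{"icmp": 20, "tcp": 850 + 10 * (i % 3 - 1), "udp": 100, "etc": 30}
              for i in range(20)]
    flood = [{"icmp": 20, "tcp": 850, "udp": 2000, "etc": 30} for _ in range(5)]
    return normal + flood


if __name__ == "__main__":
    for t, mode in enumerate(run(constructed_samples())):
        print(t, mode)
```

On the constructed stream the flood sample trips all four protocol signals at once: UDP crosses T_H, and TCP, ICMP and "etc." all fall below T_L because their shares shrink, which is the indirect detection the threshold slide describes. One caveat worth knowing before deploying the formula as written: MA(p,t) keeps absorbing the attack traffic, so with beta=0.2 the UDP flood above stops being flagged after about six samples, at which point the flood has become the baseline. A practitioner would freeze the baseline (or update it only from samples the composite signal calls normal) while the buffer management is switched; the slides do not say which the authors did.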
• KREONet2 traces: 10 days long, containing 5 major real attacks

Real attack trace    Case 1        Case 2    Case 3            Case 4                        Case 5
Duration             5.3 h         4.5 h     4.1 h             12.3 h                        3.6 h
Destination IP       semi-random   random    random / random   semi-random / random / random random
Protocol             TCP           UDP       TCP / UDP         TCP / UDP / ICMP              UDP
Port                 80            1434      random / 1434     80 / 1434 / 0                 1434
Packet size          48 B          404 B     random / 404 B    48 B / 404 B / 28 B           404 B

(UDP to port 1434 with 404-byte packets is the profile of SQL Slammer, listed under UDP on the protocol slide.)
Input Traffic – Real attacks
• The vertical lines mark the 5 salient attack periods
• UDP and ICMP attacks can be detected from the variation of their own shares
• TCP attacks can be detected from the TCP share or from the variation of the other protocols
• The last sub-figure shows the attack detection signal generated by majority voting
Output Traffic -- flexible buffer management
(the traffic volume delivered)
• Non class-based scheduling
  – During an attack, the protocol responsible for the attack increases abruptly
  – The other protocols suffer from congestion
• Flexible buffer management
  – All protocols keep their predefined weights regardless of the attack
  – At the onset of an attack, the instantaneous peaks result from the latency of detection and switching

[Figures: output traffic proportion by protocol, non class-based vs. flexible]
Forwarded Traffic -- flexible buffer management

[Figures: forwarded traffic proportion by protocol, non class-based vs. flexible]

• Forwarded ratio = output / input traffic volume (%)
• Non class-based scheduling
  – During an attack, not only the culpable protocol but the innocent protocols are dropped along with it
• Flexible buffer management
  – Generally only the protocol responsible is filtered out
  – In the 4th, multi-protocol attack, TCP, UDP and ICMP are mitigated one after another
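To make the forwarded-ratio argument of this slide concrete, here is a small fluid-model simulation of the two modes: an added example for this transcript, not the authors' code or their experimental setup. Packets are treated as continuous quantities per time slot; non class-based mode is a single FCFS drop-tail queue, class-based mode is one drop-tail queue per protocol served by weighted round robin whose weights are the normal-time proportions (the WSS assumption of the WFQ slide). The link capacity, buffer size, traffic mix and the detector flags (switched on one slot after the flood starts, to show the switching-latency peak) are all constructed.

```python
"""Fluid-model simulation of non-class-based (FCFS) vs. flexible buffer management.

Added example, not the authors' code.  Packet counts are continuous per slot.
Link capacity, buffer size, traffic mix and detector flags are constructed.
"""
PROTOCOLS = ("tcp", "udp", "icmp", "etc")
NORMAL = {"tcp": 850.0, "udp": 100.0, "icmp": 20.0, "etc": 30.0}    # packets per slot
FLOOD = {"tcp": 850.0, "udp": 2000.0, "icmp": 20.0, "etc": 30.0}    # UDP flood on top
WEIGHTS = {p: NORMAL[p] / sum(NORMAL.values()) for p in PROTOCOLS}  # normal-time shares


def fcfs_step(backlog, slot, capacity, buffer):
    """Single FCFS drop-tail queue: admission and service are blind to protocol."""
    total = sum(slot.values())
    free = max(0.0, buffer - sum(backlog.values()))
    admit = min(1.0, free / total) if total else 0.0   # drop-tail hits every protocol alike
    for p in PROTOCOLS:
        backlog[p] += slot[p] * admit
    queued = sum(backlog.values())
    served = min(capacity, queued)
    out = {}
    for p in PROTOCOLS:                                 # FCFS drains the queue mix as-is
        out[p] = backlog[p] * served / queued if queued else 0.0
        backlog[p] -= out[p]
    return out


def wrr_step(backlog, slot, capacity, buffer, weights):
    """Per-protocol drop-tail queues served by weighted round robin."""
    out = {}
    for p in PROTOCOLS:
        backlog[p] = min(buffer * weights[p], backlog[p] + slot[p])  # class buffer cap
        out[p] = min(backlog[p], capacity * weights[p])              # guaranteed share
        backlog[p] -= out[p]
    spare = capacity - sum(out.values())
    for p in sorted(PROTOCOLS, key=weights.get, reverse=True):     # work-conserving leftover
        extra = min(backlog[p], spare)
        backlog[p] -= extra
        out[p] += extra
        spare -= extra
    return out


def simulate(arrivals, attack_flags, capacity=1100.0, buffer=2000.0, weights=WEIGHTS):
    """Forwarded ratio (output / input) per protocol; attack_flags[t] selects the mode."""
    backlog = {p: 0.0 for p in PROTOCOLS}
    total_in = {p: 0.0 for p in PROTOCOLS}
    total_out = {p: 0.0 for p in PROTOCOLS}
    for slot, attack in zip(arrivals, attack_flags):
        if attack:
            out = wrr_step(backlog, slot, capacity, buffer, weights)
        else:
            out = fcfs_step(backlog, slot, capacity, buffer)
        for p in PROTOCOLS:
            total_in[p] += slot[p]
            total_out[p] += out[p]
    return {p: total_out[p] / total_in[p] for p in PROTOCOLS}


ARRIVALS = [NORMAL] * 5 + [FLOOD] * 20
NEVER_SWITCH = [False] * 25              # non-class-based throughout
FLEXIBLE = [False] * 6 + [True] * 19     # detector flags the flood one slot late


def compare():
    """Forwarded ratios of both schemes on the constructed flood (constructed data)."""
    return {"non-class-based": simulate(ARRIVALS, NEVER_SWITCH),
            "flexible": simulate(ARRIVALS, FLEXIBLE)}


if __name__ == "__main__":
    for scheme, ratios in compare().items():
        print(scheme, {p: round(v, 3) for p, v in ratios.items()})
```

Under FCFS the UDP flood takes the shared buffer and the link, so TCP forwards only about half of its packets even though it never changed; under the flexible scheme TCP, ICMP and "etc." forward essentially everything and only UDP is cut back to roughly its normal-time share. The single undetected slot is where TCP's small loss comes from, the counterpart of the "latency of detection and switching" peak on the output-traffic slide. When the mode flips, the UDP backlog that FCFS had already admitted is clipped to the UDP class buffer, which is the simplification this model makes of the switch.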
Simulated attacks
• Simulated virtual attacks: synthesized attacks overlaid on the attack-free University of Auckland trace from NLANR (the Auckland trace consists of only TCP, UDP and ICMP), to evaluate the sensitivity of the detector to attacks of various configurations
• Persistency
  – Intermittent: malicious packets sent on-off at 3-minute intervals
  – Persistent: the assault continues throughout the attack
• IP address (target IP address type)
  – Single destination: a (semi) single destination
  – Semi-random: mixed type (fixed portion + randomly changing portion)
  – Random: randomly generated
• Port: reserved, randomly generated, and ephemeral client ports
Input Traffic – Simulated attacks
Output Traffic – simulated attacks
Non class-based Buffer management
Flexible Buffer management
Forwarded Traffic by Protocol -- simulated attacks

[Figures: forwarded traffic proportion by protocol, non class-based vs. flexible]

• Forwarded ratio = output / input traffic volume (%)
• In the interval 360 to 1080 the gradual decrease comes not from the attacks but from congestion drops caused by the processing limitations of the system
Evaluation of Anomaly Detection
Evaluation results of the protocol composition signals

Traces              Signal        T.P. (1)           F.P. (2)           LR (3)   NLR (4)
Simulated attacks   1 out of 4    92.5%  (767/829)   0.48%  (17/3516)   191.4    0.08
                    2 out of 4    80.1%  (664/829)   0.17%  (6/3516)    455.2    0.20
Real attacks        ICMP          72.9%  (570/782)   1.94%  (69/3563)   37.6     0.28
                    TCP           81.0%  (633/782)   0.42%  (15/3563)   192.3    0.19
                    UDP           77.5%  (606/782)   0.39%  (14/3563)   197.2    0.23
                    ETC.          31.7%  (248/782)   0.00%  (0/3563)    ∞        0.68
                    1 out of 4    89.8%  (702/782)   2.30%  (82/3563)   39.0     0.10
                    2 out of 4    82.4%  (644/782)   0.73%  (26/3563)   112.9    0.18

(1) True positive rate: detected attack samples / attack samples
(2) False positive rate: false alarms / normal samples
(3) Likelihood ratio = TPR / FPR; ideally infinity
(4) Negative likelihood ratio = (1 − TPR) / (1 − FPR); ideally zero
• Composite detection signal
  – Logical OR (1 out of 4)
  – Majority voting (2 out of 4)
• The detection signal is used to switch the buffer management
• Complexity
  – O(1) processing cost per packet
  – O(n) storage cost per sample, where n is the number of protocols
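The table's four metrics and the two ways of combining the per-protocol signals are short enough to write out and check against the table's own counts. This is an added example for this transcript, not the authors' evaluation code; the 40-sample signal sequences and their ground truth are constructed to show the OR-versus-majority trade-off, while the `metrics` calls in the usage note use the counts printed in the table.

```python
"""Composite detection signal and the TPR / FPR / LR / NLR metrics of the table.

Added example, not the authors' code.  LR = TPR/FPR and NLR = (1-TPR)/(1-FPR)
as in the table's footnotes.  The signal sequences below are constructed.
"""
import math


def vote(signals, k):
    """Composite signal from per-protocol boolean sequences: k=1 is the logical OR,
    k=2 the '2 out of 4' majority vote."""
    length = len(next(iter(signals.values())))
    return [sum(s[t] for s in signals.values()) >= k for t in range(length)]


def confusion(detected, truth):
    """(tp, attack_samples, fp, normal_samples) for a detection sequence and ground truth."""
    tp = sum(1 for d, a in zip(detected, truth) if d and a)
    fp = sum(1 for d, a in zip(detected, truth) if d and not a)
    attack = sum(1 for a in truth if a)
    return tp, attack, fp, len(truth) - attack


def metrics(tp, attack_samples, fp, normal_samples):
    """TPR, FPR, LR (ideally infinite) and NLR (ideally zero)."""
    tpr = tp / attack_samples
    fpr = fp / normal_samples
    lr = tpr / fpr if fpr > 0 else math.inf        # no false alarms at all: LR unbounded
    nlr = (1 - tpr) / (1 - fpr) if fpr < 1 else math.inf
    return {"tpr": tpr, "fpr": fpr, "lr": lr, "nlr": nlr}


def constructed_signals():
    """40 samples with an attack in samples 10..24.  Each protocol signal misses
    part of the attack and raises a few false alarms (constructed, not trace data)."""
    n = 40
    truth = [10 <= t <= 24 for t in range(n)]
    signals = {
        "icmp": [12 <= t <= 20 or t in (3, 35) for t in range(n)],
        "tcp": [11 <= t <= 24 or t == 3 for t in range(n)],
        "udp": [10 <= t <= 22 or t == 30 for t in range(n)],
        "etc": [15 <= t <= 18 for t in range(n)],
    }
    return signals, truth


def evaluate_composites():
    """Metrics of the OR (k=1) and majority (k=2) signals on the constructed data."""
    signals, truth = constructed_signals()
    return {k: metrics(*confusion(vote(signals, k), truth)) for k in (1, 2)}


if __name__ == "__main__":
    for k, m in evaluate_composites().items():
        print(f"{k} out of 4:", {name: round(v, 3) for name, v in m.items()})
    print("table, simulated 1 out of 4:", metrics(767, 829, 17, 3516))
```

On the constructed signals the OR catches every attack sample but inherits every protocol's false alarms, while the 2-of-4 vote trades a lower true-positive rate for far fewer false alarms and a higher LR, the same shape as the table's two rows for each trace. Running `metrics` on the table's counts reproduces its printed LR and NLR for the simulated 1-out-of-4 row (191.4, 0.08) and the real-trace rows; the one exception is the simulated 2-out-of-4 row, where 664/829 and 6/3516 give an LR of 469.4 rather than the 455.2 printed, so that cell appears to be a typo in the deck. With zero false positives, as in the ETC. row, the LR is unbounded, which the code reports as infinity rather than dividing by zero.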
Conclusion
• We studied the feasibility of detecting anomalies through variations in per-protocol traffic
• We evaluated the effectiveness of the approach on real and simulated traffic traces
• The protocol composition signal can be a useful detection signal
• Real-time traffic monitoring is feasible: the mechanism is simple enough to be implemented inline
• Flexible buffer management is effective in containing attacks
Thank you!
http://ee.tamu.edu/~reddy