TRUST Meeting, Berkeley, March 2007 Anthony D. Joseph Ken Birman, Robbert van Renesse Vern Paxson Deirdre K. Mulligan, Aaron Burstein, Maryanne McCormick.


Slide 1: Network Defense Research
Presenters: Anthony D. Joseph; Ken Birman, Robbert van Renesse; Vern Paxson; Deirdre K. Mulligan, Aaron Burstein, Maryanne McCormick

Slide 2: Outline
- DETER Testbed
- Network Defense Research at Cornell
- Network Defense Research at ICSI
- Access to Data (UCB)
- Network Defense Research at UCB

Slide 3: The DETER Testbed
Anthony D. Joseph, Shankar Sastry, University of California, Berkeley

Slide 4: DETER Testbed Motivation
- Inadequate deployment of security technologies
  - Despite 10+ years of investment in network security research
- Lack of experimental infrastructure
  - Testing and validation occurs mostly at small scales
  - Lack of objective test data, traffic and metrics
- cyber DEfense TEchnology Experimental Research Testbed
  - Open to all researchers (gov't, industrial, academic)

Slide 5: DETER Testbed Goals
1) Design & construct a testbed for network security experiments
   - Attack scenarios/simulators, topology generators, background traffic, monitoring/visualization tools
2) Do research on experimental methodology for network security
   - Scientifically rigorous frameworks/methodologies
3) Do research on network security
   - Attack detection and countermeasure tools

Slide 6: DETER Testbed Capabilities
"Real systems, Real code, Real attacks!"
- ~400 PCs with 5+ Gigabit Ethernet links each
- Supports all x86 OSes: Windows, Linux, UNIX
Modeling large-scale wide-area networks
- Nodes can be used as clients, routers, and servers
- Examining the effects of "rare events"
Evaluating commercial hardware/prototypes
- Vendor-neutral environment
Intrusion detection/protection appliances
- Interactions between different vendors' products
- Performance testing: normal and under attack

Slide 7: Example Experiments
- Slammer: BW-limited scanning worm
  - ICSI and PSU: modeling propagation through the Internet [WORM'04 paper]
  - Virtual node model of the response of subnets
  - 1/64th scale Internet
- Other experiments:
  - Collaborative defenses
  - Large-scale enterprise network simulation

Slide 8: [Diagram: DETER testbed architecture. Labelled components: ISI cluster and UCB cluster of PCs, 'User' server, 'Boss' server, user files, Cisco/Nortel and Foundry/Nortel switches, node serial line servers, download server, power controllers, trunk links, control network, user firewall, and IPsec across the Internet/CENIC.]

Slide 9: DETER Project Timeline
Funding
- DETER: NSF and DHS HSARPA (Sept 03 – Feb 07)
- DECCOR: NSF CRI program (Jul 05 – Jun 07)
- DIPLOMAT: DHS HSARPA (Sept 06 – )
- DIRECT: AFOSR DURIP program (Apr 06 – Mar 07)
Experience to date: over 40 projects
- DDoS attack-defense, worm behavior characterization, network routing attack-defense
- Security course support at UCB, commercial devices
- DHS cybersecurity 2006 exercise
Working with Cornell to federate with their testbed
- Interesting latency challenges
- Also Utah and Vanderbilt testbeds
DETER Community Workshop: August 6-7, 2007 (before USENIX Tech Conf), Boston, MA

Slide 10: DETER Testbed Software
- Extended Utah Emulab control plane software
  - Experiment creation GUI and security features
- Experimental node OS support
  - RedHat Linux 7.3, FreeBSD 4.9, or Windows XP
  - Users can load arbitrary code; in fact, users have root access to all allocated nodes!
- No direct IP path into the experimental network
  - Encrypted tunnels across the Internet (SSL/SSH/IPsec)
- Secure process replaces the OS after each experiment
  - Optional disk scrub after experiments

Slide 11: Upcoming Software Capabilities
- Reusable library of realistic, rigorous, reproducible, impartial tests (Archived Experiments)
  - For assessing attack impact/defense effectiveness
  - Test data, test configurations, analysis software, and experiment automation tools
- Usage examples and methodologies (WorkBench)
  - Test selection recommendations
  - Test cases, results, and benchmarks

Slide 12: Related Effort with OSD/NII
- GIG context: vast networks, people and technical systems, and embedded systems
  - Insufficient analytical methods for large complex systems limit sensor, data, and network capabilities
  - Tactical Edge and Warfighter Assurance
  - NSF System of Networked Embedded Devices workshop (10/05): the few successful distributed systems spent "50-75% of their development budget on debugging, testing and validation"
- Solving the Analytic Gap: Advanced Mathematics for Scale & Complexity (w/ Kirstie Bellman, Aerospace Corp)
  - Map DoD operational deficits to potentially important mathematical R&D problems
  - Identify new approaches for evaluating the scalability of methods
  - Three driving problems: testbed validation, detecting anomalous traffic flows, DoD-COTS interactions

Slide 13: DETER Clusters
- ISI
- UCB
- Open to community – request an account at:

Slide 14: Network Defense at Cornell
Ken Birman, Robbert van Renesse

Slide 15: Approach (Nightwatch: Auditing of Large Systems; Robbert van Renesse, Cornell Univ.)
- Robust networked middleware for mission-critical distributed applications
- Emphasis on many dimensions of scale
  - High latencies due to physical distances
  - High overheads due to casual use of middleware abstractions
  - High vulnerability due to large number of components
  - …

Slide 16: Products
- Fireflies: intrusion-tolerant network overlays
- SecureStream: intrusion-tolerant video streaming
- Nightwatch: intrusion-tolerant auditing service
- Quicksilver: next-generation multicast / pubsub
- Ricochet: FEC for time-critical multicast protocols
- Maelstrom: FEC for high latency connections
- SMFS: file system for high latency connections
- Tempest: middleware for time-critical SOA systems
- r-Kelips: robust P2P range-index

Slide 17: Our cluster
- 216 blades, 3 100Mbit Ethernet ports each
- 20 1U servers, 3 1Gbit Ethernet ports each
- HP ProCurve 100 Mbit switches
- Nortel 1 Gbit switches
- 3 Terabyte storage servers
- Funded by DURIP grants

Slide 18: ICSI Network Defense Research
Vern Paxson

Slide 19: ICSI Network Defense Research
Research Focus #1: network intrusion detection (& prevention) in an operational environment
- Mainly using the Bro system 24x7 at Lawrence Berkeley National Lab, UCB
- Efforts:
  - Detection algorithms
  - Forensics (the "Time Machine")
  - High performance (clusters; FPGA/parallel analysis)
  - Disparate context (distributed monitoring; host-based sensors)
  - Sharing information across sites
  - Integrating honeynet data

Slide 20: ICSI Network Defense Research
Research Focus #2: addressing the threat of large-scale compromise of Internet hosts
- Key enabling technology for today's bleak Internet landscape (spam, phishing, identity theft, extortion)
- Done in the context of the NSF Cybertrust Center for Internet Epidemiology & Defenses (w/ UCSD)
- Scope:
  - Internet Epidemiology (understanding the threat)
  - Automated Defenses (protection w/o human-in-the-loop)
  - Counter-threat Pragmatics (associated legal & economic issues)

Slide 21: ICSI & TRUST (current)
Effort #1: assessing resilience of network monitoring systems to evasion
- Evasion presents a fundamentally hard problem
- But no sound benchmark to assess it exists, and thus there is no pressure on vendors to address it
- Goal: develop a modular, open source testing framework to facilitate the emergence of benchmarks
- Work done in the context of TRUST's ICAST collaboration
- Year 1: trace-based, off-line

Slide 22: ICSI & TRUST (current)
Effort #2: understanding fingerprinting of off-port applications
- Context: many apps today avoid well-known ports (P2P; Skype; botnet C&C)
  - Also highly relevant for anonymizers
- A significant body of work aims to identify them via statistical (non-content) techniques
- Our premise: these are fundamentally weak …
- … which we aim to show
  - Analytically
  - Empirically
- Effort w/ Alvaro Cardenas (TRUST Postdoc)

Slide 23: ICSI & TRUST (current)
Effort #3: informing development of legal frameworks for network security research
- Maryanne McCormick, Aaron Burstein (Law)
- Issues:
  - Sharing data, traces
  - Containment: how do you control potential infections?
  - Participating in botnets
  - Interacting with botmasters, buyers & sellers

Slide 24: ICSI & TRUST (future)
Widen evasion testing methodology
- Live hosts to facilitate normalization, active mapping, host agent defenses
- Evasion-by-stress
  - Particularly state management stresses
Cross-site information sharing
- Architecture #1: global database, local reputation
- Arch. #2: "detectives" and "witnesses"
- Arch. #3: confederation of sites that mostly trust one another
Seeding vision proposed by ICSI to Cybertrust:
- Sites send scripts describing activity of interest
- Recipients can automatically both search retrospectively and instrument for the future

Slide 25: Access to Data
Deirdre K. Mulligan, Aaron Burstein, Maryanne McCormick

Slide 26: Access to Cyber Security Data
Access to real datasets could produce a "paradigm shift" for computer and network security research
Problems:
- Relevant data regulated by disparate laws; research exceptions are weak or non-existent
  - No coherent policy view of "cyber security"
- Data needs highly varied
- Data controllers highly dispersed, incentives conflict
Current situation:
- Few common datasets for comparisons, testbeds
- "Every firm for itself," with some exceptions

Slide 27: Access-to-data: DMCA
Need to understand sources of vulnerabilities on end-users' computers
- Digital Millennium Copyright Act (DMCA) prohibits circumventing "technological protection measures" that control access to copyrighted works
- Weak "security testing" exception
Sony BMG "rootkit" episode
- Audio CDs installed copy-prevention software that hid from the user and left machines vulnerable
- Researchers delayed reporting findings because of fear of legal liability
- Meanwhile ~500,000 users installed the software
- Librarian of Congress granted a DMCA exemption, for audio CDs only

Slide 28: Access-to-data: Communications Privacy
Internet traffic datasets needed to understand worm & virus propagation, DDoS attacks
- Cross-organizational sharing needed to understand large-scale attacks
No research exceptions for intercepting communications contents (Wiretap Act) or disclosing stored contents or addressing information (Stored Communications Act)
- Provider protection exceptions not always applicable
Very difficult to get a good picture of Internet traffic
- Govt. (including state universities) researchers at a particular disadvantage
- Examining institutions, legal reforms to allow sharing

Slide 29: Access-to-data: Computer abuse
"Honeynets" (networks of computers intended to be attacked) offer a way to study attack tactics, malware
Computer Fraud & Abuse Act prohibits knowingly accessing another computer on the Internet "without authorization"
- No research exception
- Researchers liable for compromised machines?
- Researchers liable for infiltrating attack networks?
Legal concerns mitigated by statutory mental state requirement

Slide 30: UCB Network Defense Research
Anthony D. Joseph

Slide 31: UCB Network Defense Research
Research Focus #1: Novel Worm/Virus Detection and Machine Containment
- Leverage machine learning to identify and quarantine worms and viruses before signatures are available
- Efforts:
  - Learning on a single user's outgoing behavior
  - Using a multi-tiered modeling approach
  - Leveraging existing anti-virus solutions to improve results
  - Containing (or slowing) infection until scanners can detect it
- Results:
  - Very low false positive and false negative rates
  - Could be effective containment even with 50% deployment

Slide 32: UCB Network Defense Research
Research Focus #2: Efficient Detection of Network-Wide Anomalies
- Detecting sudden changes in Origin-Destination flows (from DDoS, device failure, misconfigs, …) using only link traffic measurements
- Efforts:
  - Applying distributed Principal Component Analysis to separate normal from anomalous traffic
  - Working to reduce detection time scales, increase number of monitor nodes
- Results:
  - User-specified level of accuracy
  - Order of magnitude reduction in network monitoring traffic
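The PCA subspace method that slide 32 refers to, as an added example that is not part of the presentation or of the UCB project's code: link byte counts for a constructed 4-link, 3-flow topology are generated, the dominant principal direction fitted by power iteration is taken as the "normal" subspace, and samples whose residual energy exceeds a training-derived threshold are flagged. A single monitor with full link visibility is assumed; the distributed variant on the slide is not shown.

```python
import math

# Constructed topology (not from the slides): 3 OD flows over 4 links.
# ROUTING[link][flow] = 1 if the flow traverses that link (y = R x).
ROUTING = [[1, 0, 0], [1, 1, 0], [0, 1, 1], [0, 0, 1]]


def link_loads(flows):
    """Per-link byte counts implied by the OD-flow volumes: y = R x."""
    return [sum(r * x for r, x in zip(row, flows)) for row in ROUTING]


def constructed_traffic(steps=48, spike_at=40, spike_size=60.0):
    """Constructed link samples: every flow follows one shared diurnal cycle (so normal link traffic is nearly one-dimensional) plus small deterministic noise; one OD flow surges at spike_at, standing in for a DDoS."""
    samples = []
    for t in range(steps):
        base = 100.0 + 40.0 * math.sin(2 * math.pi * t / 24)
        flows = [0.5 * base + 1.5 * math.cos(3.1 * t), 0.3 * base, 0.2 * base]
        if t == spike_at:
            flows[1] += spike_size
        samples.append(link_loads(flows))
    return samples


def top_component(rows, iters=200):
    """Mean and dominant principal direction of the link matrix (power iteration on the covariance); that direction spans the normal subspace."""
    n, m = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(m)]
    centred = [[r[j] - mean[j] for j in range(m)] for r in rows]
    cov = [[sum(c[i] * c[j] for c in centred) / n for j in range(m)] for i in range(m)]
    v = [1.0] * m
    for _ in range(iters):
        w = [sum(cov[i][j] * v[j] for j in range(m)) for i in range(m)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    return mean, v


def residual_energy(sample, mean, v):
    """Squared prediction error: energy of the sample outside the normal subspace."""
    d = [s - mu for s, mu in zip(sample, mean)]
    proj = sum(di * vi for di, vi in zip(d, v))
    return sum((di - proj * vi) ** 2 for di, vi in zip(d, v))


def detect(samples, train_len=24, factor=3.0):
    """Fit the normal subspace on the first train_len samples, then report time steps whose residual exceeds factor x the largest residual seen in training."""
    mean, v = top_component(samples[:train_len])
    limit = factor * max(residual_energy(s, mean, v) for s in samples[:train_len])
    return [t for t in range(train_len, len(samples))
            if residual_energy(samples[t], mean, v) > limit]
```

A surge that merely scales all flows together stays inside the normal subspace and is not flagged; the method reacts to changes in the proportions between links, which is why a single-flow anomaly stands out.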

Slide 33: UCB Network Defense Research
Research Focus #3: Attacks Against Machine Learning-based Security Systems
- Attacking ML-based security systems such as Intrusion Detection Systems and spam filters
- Efforts:
  - Developing a taxonomy of attacks (dodging and numbing)
  - Determining an attacker's work function for altering a learner based on different levels of knowledge and control
  - Building a test platform for attacks and countermeasures
- Results:
  - Theoretical analysis of attacker work function for a simple mean-centered hypersphere classifier
  - Modified SpamBayes platform for adversarial learning
