Towards a High-speed Router-based Anomaly/Intrusion Detection System (HRAID) Zhichun Li, Yan Gao, Yan Chen Northwestern.

Zhichun Li, Yan Gao, Yan Chen ({lizc,ygao,ychen}@cs.northwestern.edu)
Northwestern Lab for Internet and Security Technology (LIST)
Department of Computer Science, Northwestern University
http://list.cs.northwestern.edu/hpnaidm.html

Deployment: attach HRAID black boxes to high-speed routers.
(a) original configuration: Internet - router - switch - LAN;
(b) distributed configuration, in which each router port is monitored separately by its own HRAID system;
(c) aggregate configuration, in which a splitter aggregates the traffic from all the ports of a router into one HRAID system.

Current Intrusion Detection Systems and Shortcomings
- Mostly host-based and not scalable to high-speed networks
  - Slammer worm infected 75,000 machines in <10 mins
  - High-speed gateways and backbones are vantage points to detect attacks
- Mostly signature-based and cannot recognize unknown anomalies/intrusions
- Existing flow-level approaches are not scalable to high-volume traffic
- Overall-traffic-based detection cannot cooperate with attack mitigation

The design of a HRAID system
Three reversible sketches, each keyed differently and updated with SYN - SYN/ACK counts, feed EWMA forecasting:
  RS((DIP, Dport), SYN-SYN/ACK)
  RS((SIP, DIP), SYN-SYN/ACK)
  RS((SIP, Dport), SYN-SYN/ACK)

Features of HRAID System
- Online traffic recording
  - compact data structure: reversible k-ary sketch
  - small memory usage (fits in SRAM)
  - few memory accesses per packet
- Online flow-level anomaly/intrusion detection & mitigation
  - TCP SYN flooding, horizontal and vertical scans, even when mixed
  - Infer key characteristics of malicious flows for mitigation
- HRAID: first flow-level intrusion detection that can sustain 10s of Gbps bandwidth even for worst-case traffic of 40-byte packet streams

Which sketch detects which attack type:
  Attack type        RS((DIP, Dport))   RS((SIP, DIP))   RS((SIP, Dport))
  SYN flooding       Yes                No               No
  Vertical scans     No                 Yes              No
  Horizontal scans   No                 No               Yes

Reversible Sketch Based Anomaly Detection
Input stream: (key, update) pairs, e.g., (SIP, SYN-SYN/ACK)
  -> Sketch module: summarize the input stream using sketches
  -> Forecast module(s): build forecast models on top of the sketches
  -> Anomaly detection module: error sketch = observed sketch - forecast sketch; report flows with large forecast errors and infer the key (the flow characteristics) for mitigation

k-ary Sketch: Update, Combine and Estimate
- Array of hash tables: T_j[K] (j = 1, ..., H), similar to count sketch, counting Bloom filter, multi-stage filter, ...
- Update (k, u): T_j[h_j(k)] += u for all j
- Sketches are linear: they can be combined (added), so data from different times, locations and sources can be aggregated
- Estimate v(S, k): the sum of updates for key k

The two-phase heavy key inference of Reversible k-ary Sketch
- Streaming data recording: key -> IP mangling -> modular hashing -> reversible k-ary sketch (stored value); the original k-ary sketch with 2-universal hashing is recorded alongside
- Heavy key detection: reversible k-ary sketch + threshold -> reverse hashing -> reverse IP mangling -> heavy keys, verified with the original sketch (iterative approach)

Preliminary Evaluation
Evaluated with NU traces (239M flows, 1.8TB traffic/day)
- Scalable: can handle hundreds of millions of time series
- Accurate anomaly detection with reversible sketch
  - Compared with detection using complete flow-level tables
  - Provable probabilistic accuracy guarantees
  - Even more accurate on real Internet traces
- Efficient, for the worst-case traffic of all 40-byte packets:
  - 16 Gbps on a single FPGA board
  - 526 Mbps on a Pentium 4 3.2 GHz PC
  - Less than 3 MB memory used
  - Only 15 memory accesses per packet for 48-bit reversible sketches and 16 per packet for 64-bit reversible sketches

Detection results: 25 SYN flooding, 936 horizontal scans and 19 vertical scans detected (after sketch-based false positive reduction); 18 out of 25 SYN flooding verified with backscatter. Scans verified (all for vertical scans, top and bottom 10 for horizontal scans).

Top 10 horizontal scans:
  Description        Dport   count
  SQLSnake           1433    5
  W32.Rahack         4899    2
  unknown scan       6101    1
  Scan SSH           22      1
  MySQL Bot scans    10202   1

Bottom 10 horizontal scans:
  Description             Dport   count
  Sasser or Korgo worm    445     3
  W32.Sasser.B.Worm       5554    1
  Nachi or MSBlast worm   135     3
  NetBIOS scan            139     3

Acknowledgment: Thanks to Yin Zhang for the original k-ary sketch slides
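The following worked example is added here and is not the HRAID code or any code from the authors; it puts the poster's pipeline together in one place: a k-ary sketch (update, linear combination, estimate), an EWMA forecast and error sketch, and the reverse-hashing step that turns heavy buckets back into keys via modular hashing. Everything numeric is an assumption: H = 5 tables, 32-bit keys split into four 8-bit segments, 3-bit sub-hashes (4,096 buckets per table), traffic keyed by SIP only (the poster also keys on (DIP, Dport) and (SIP, Dport), which works the same way with wider keys), a SYN counted as +1 and its SYN/ACK as -1, and a constructed scanning source 10.0.0.77. IP mangling and the separate original sketch used for verification are omitted; candidates are verified against the reversible sketch itself.

```python
import random
from itertools import product
from statistics import median

H, SEGS, BITS = 5, 4, 3          # tables; 8-bit key segments; bits per segment
K = 1 << (SEGS * BITS)           # 4096 buckets per table (12-bit index)
ATTACKER = 0x0A00004D            # constructed scanning source 10.0.0.77


class ReversibleSketch:
    """k-ary sketch with modular hashing: each key segment is hashed on its
    own and the sub-indices are concatenated, so a heavy bucket index can be
    decomposed back into per-segment constraints (IP mangling omitted)."""

    def __init__(self, seed=1):
        rng = random.Random(seed)            # same seed => combinable sketches
        # sub_hash[j][q][byte] -> BITS-bit sub-index for table j, segment q
        self.sub_hash = [[[rng.randrange(1 << BITS) for _ in range(256)]
                          for _ in range(SEGS)] for _ in range(H)]
        self.tables = [[0.0] * K for _ in range(H)]

    def bucket(self, j, key):
        idx = 0
        for q in range(SEGS):
            seg = (key >> (8 * (SEGS - 1 - q))) & 0xFF
            idx = (idx << BITS) | self.sub_hash[j][q][seg]
        return idx

    def update(self, key, u):                # T_j[h_j(k)] += u for all j
        for j in range(H):
            self.tables[j][self.bucket(j, key)] += u

    def estimate(self, key):
        """Median over tables of the bucket value, corrected for the share
        that all other keys are expected to contribute to that bucket."""
        total = sum(self.tables[0])
        return median((self.tables[j][self.bucket(j, key)] - total / K)
                      / (1 - 1 / K) for j in range(H))

    def linear(self, other, a, b):
        """Sketches are linear: a*self + b*other, bucket by bucket."""
        out = ReversibleSketch.__new__(ReversibleSketch)
        out.sub_hash = self.sub_hash
        out.tables = [[a * x + b * y for x, y in zip(ts, to)]
                      for ts, to in zip(self.tables, other.tables)]
        return out

    def heavy_keys(self, threshold):
        """Reverse hashing: recover keys whose estimate >= threshold without
        walking the 2^32 key space; candidates are verified table by table."""
        heavy = [{b for b, v in enumerate(t) if v >= threshold}
                 for t in self.tables]
        if not all(heavy):
            return []
        mask, cands = (1 << BITS) - 1, []
        for q in range(SEGS):
            shift = BITS * (SEGS - 1 - q)
            allowed = [{(b >> shift) & mask for b in heavy[j]} for j in range(H)]
            cands.append([v for v in range(256) if all(
                self.sub_hash[j][q][v] in allowed[j] for j in range(H))])
        found = []
        for segs in product(*cands):         # normally a handful of tuples
            key = 0
            for v in segs:
                key = (key << 8) | v
            if (all(self.bucket(j, key) in heavy[j] for j in range(H))
                    and self.estimate(key) >= threshold):
                found.append(key)
        return found


def int2ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def interval_sketch(rng, hosts, attacker=None, attacker_syns=0):
    """One interval of constructed traffic keyed by SIP: SYN = +1, the
    matching SYN/ACK = -1, so an unanswered SYN leaves +1 behind."""
    sk = ReversibleSketch()
    for h in hosts:
        completed = rng.randrange(5, 20)
        sk.update(h, completed)              # SYNs sent ...
        sk.update(h, -completed)             # ... and answered
        sk.update(h, rng.randrange(0, 3))    # a few unanswered SYNs
    if attacker is not None:
        sk.update(attacker, attacker_syns)   # scanner: SYNs never answered
    return sk


def detect(alpha=0.5, threshold=100):
    """EWMA forecast from two quiet intervals, error sketch for the third;
    returns [(ip, estimated excess of SYN over SYN/ACK)] for heavy keys."""
    rng = random.Random(42)
    hosts = [rng.getrandbits(32) for _ in range(300)]   # constructed hosts
    s1, s2 = interval_sketch(rng, hosts), interval_sketch(rng, hosts)
    forecast = s2.linear(s1, alpha, 1 - alpha)           # EWMA forecast for t=3
    s3 = interval_sketch(rng, hosts, ATTACKER, 300)      # interval with a scan
    error = s3.linear(forecast, 1.0, -1.0)               # observed - forecast
    return [(int2ip(k), round(error.estimate(k)))
            for k in error.heavy_keys(threshold)]
```

Running `detect()` returns the scanner's address with an estimated excess of about 300 unanswered SYNs, recovered from heavy buckets alone. The per-segment candidate lists are what make the reversal cheap: a byte value survives only if its sub-hash lands in a heavy bucket's sub-index in every one of the H tables, so the Cartesian product stays tiny, and the final table-by-table check plus estimate threshold removes the rare false candidate.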

