Detecting Attacks in Routers Using Sketches Dhiman Barman Piyush Satapathy Gianfranco Ciardo.

1 Detecting Attacks in Routers Using Sketches
Dhiman Barman, Piyush Satapathy, Gianfranco Ciardo

2 Network Attack Detection
- Network anomalies are prevalent
  – Flash crowds, DoS, failures, worms, …
- Detect anomalies quickly and accurately
- Two basic approaches
  – Statistics-based: looking for abnormal behavior (e.g., heavy hitters, big changes); prior knowledge not required
  – Signature-based: looking for known patterns (port scan, address scan, malware)

3 Problem Addressed
- Accurate, memory-efficient and scalable techniques to detect attacks: worms, viruses, superspreaders and DoS
- Enabling change detection in the routers by looking only at the IP headers
- A general methodology to use sketches to recognize attacks in the routing architectures

4 Example of Attack
[Figure: Domains W, X and Y send traffic to Domain J and Domain Z sends traffic to Domain K, all through Router A, which the attacker controls; links B and C are shown carrying flows of 10 Mbps, 15 Mbps and 35 Mbps against a link capacity of 50 Mb/s.]
1. Attacker compromises Router A
2. Update message sent setting Link B's cost to 10,000
3. Traffic rerouted around link B (lower cost)
4. Congestion occurs on link C: DoS on domains W, X, Y and Z

5 Outline
- Introduction
- Attack Definitions
- Sketch Background
- Proposed Methods
- Simulation and Evaluation
- Conclusion

6 Background
- A worm spreads and gains control of hundreds of computers in a few minutes
  – Examples: Code Red versions 1 and 2, Nimda, etc.
- State of the art:
  – PCA (offline) [Lakhina et al., SIGCOMM'04]
  – Data mining [Krishnamurthy et al., IMC'03]
  – Time series analysis [Estan, SIGCOMM'03]
- Our focus: detecting and filtering attacks at short time scales by online methods

7 Architecture
- Put the sketch in the router line card
- Sketches update the flow cache for each given time interval
- The data collection and analysis part performs the change detection based on the algorithm and the distance calculation functions
[Figure: line-card hardware (NetFlow flow cache, processor, sketches, bus) passes terminated flow records and sketch updates over the forwarding path to the data collection and analysis software, which outputs Alarm / No Alarm.]

8 Attack Definitions
- S is a sequence of packets identified by ((i, j, p, q), v) where
  – i and j denote the packet source IP address and port
  – p and q denote the destination IP address and port
  – v denotes the size of the packet
- For a flow as given by Cisco's NetFlow, R(i, j, p, q) is the multiset containing all the packets corresponding to a given (i, j, p, q) combination

9 Port Scans
- Attacks where a particular IP address and port pair connects to a destination on several ports
- PortScan(i, j, p) ⟺ |{q : |R(i, j, p, q)| > 0}| > δ_PS
[Figure: flow key fields srcIP, srcPort, destPort, destIP]

10 Address Scans
- Attacks where a particular IP address connects to multiple destination IP addresses on a particularly vulnerable port
- AddrScan(i, j, q) ⟺ |{p : |R(i, j, p, q)| > 0}| > δ_AS
  or AddrScan(i, q) ⟺ |{(j, p) : |R(i, j, p, q)| > 0}| > δ_AS
[Figure: flow key fields srcIP, srcPort, destPort, destIP]

11 Malware
- Attacks where a number of sources try to connect to a particular destination or a set of destinations on any ports
- WormMalwSpam(i) ⟺ |{(j, p, q) : |R(i, j, p, q)| > 0}| > δ_WMS
[Figure: flow key fields srcIP, srcPort, destPort, destIP]

12 Sketch Background
- A sketch of a data stream is a compact summarization
- The sketched summary is much smaller than the data stream itself
- Sketching is a randomized projection of a signal (using hashing)
- Examples:
  – Count-Min Sketch [Cormode 2003]
  – Count Bloom Filter [Broder, Internet Mathematics 2004]
  – Multi Count Bloom Filter [Broder, IM 2004]
  – Flajolet-Martin Sketch [Flajolet, CS Journal 1985]

13 Count-Min Sketch
- The CM sketch maintains an array of width K and depth H
- Each row is hashed by a hash function chosen uniformly at random from a pairwise-independent family of hash functions
- Update(key_t, value_t): T_j[h_j(key_t)] += value_t (for all j)
[Figure: H rows of K counters (columns 0 … K-1); key_t is hashed by h_1 … h_H and the counter at h_j(key_t) in row j is incremented by value_t.]

14 Bloom Filter
- An array of m bits, initially all set to 0
- An incoming element is hashed through k hash functions and the bit positions returned are set to 1
- Update(key_t): T_j[H_j(key_t)] = 1 (for all j)
- Counting Bloom Filter: Update(key_t, value_t): T_j[h_j(key_t)] += value_t (for all j)
[Figure: key_t hashed by H_1 … H_k into an m-bit vector, setting k bits to 1.]

15 Multi Count Bloom Filter
- A Counting Bloom Filter with m counters, divided into k groups of size m/k each
- The i-th hash function maps into counters [m·(i-1)/k] + 1 to [m·i/k]
- Update(key_t, value_t): T_j[h_j(key_t)] += value_t (for all j)
[Figure: key_t hashed by H_1 … H_k, each into its own group of the m counters.]

16 FM Sketch
- Estimates the number of distinct items in a stream of values from [0, …, M-1]
- Assume a hash function h(x) that maps incoming values x in [0, …, M-1] uniformly across [0, …, 2^L - 1], where L = O(log M)
- Let lsb(y) denote the position of the least-significant 1 bit in the binary representation of y
  – A value x is mapped to lsb(h(x))
- Maintain FM Sketch = BITMAP array of L bits, initialized to 0
  – For each incoming value x, set BITMAP[lsb(h(x))] = 1
- Example: data stream 3 0 5 3 0 1 7 5 1 0 3 7; number of distinct values: 5
  – x = 5, h(x) = 101100, lsb(h(x)) = 2, so BITMAP (positions 5 … 0) gets a 1 at position 2

17 Space-Time Complexity
Sketch                       | Space        | Update Time | Query Time
Count-Min                    | 1/ε; O(K)    | 1           | 1
Bloom Filter                 | m; constant  | k           | k
Count Bloom Filter           | mC; O(m)     | k           | k
Multi Counting Bloom Filter  | mC; O(m)     | k           | k
FM                           | ML; O(M)     | M           | M
C = number of bits in the counter of a Bloom filter
M = number of bitmaps used in the FM sketch
L = number of bits in the FM sketch
All other notation as described earlier

18 Our Proposals
- Linear combination approach
  – The change between two sketches S_1(α_1; β_1) and S_2(α_2; β_2) is given as S_d = S_2 - k·S_1 (sketches are closed under linear combination)
  – If S_d > δ then there is an anomaly and an alarm is raised
  – Uses the Count-Min sketch, Count and Multi Count Bloom Filters
- Change detection by the sliding window method
  – Using two windows, one static and one moving
  – Parallel execution of all the given window lengths
  – Uses FM, the change detection algorithm and a distance function
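The Count-Min sketch of slide 13 and the linear combination approach of slide 18 together, as an added example that is not the authors' implementation. Each row uses a hash drawn from the pairwise-independent family ((a·x + b) mod p) mod K with parameters below 2^61 - 1 (matching slide 22), two interval sketches built with the same hash functions are combined into S_d = S_2 - k·S_1, and keys whose estimated change exceeds δ raise an alarm. The flow keys, byte counts, sketch dimensions and δ are constructed; the crc32 key-to-integer step and the fixed seed are implementation choices made here.

```python
import random
import zlib

PRIME = (1 << 61) - 1  # Mersenne prime; hash parameters are drawn below 2^61 - 1 as on slide 22


class CountMinSketch:
    """Count-Min sketch with H rows of K counters. Row j uses
    h_j(x) = ((a_j * x + b_j) mod p) mod K from a pairwise-independent family."""

    def __init__(self, width, depth, seed=0):
        rng = random.Random(seed)
        self.K, self.H = width, depth
        self.params = [(rng.randrange(1, PRIME), rng.randrange(0, PRIME)) for _ in range(depth)]
        self.T = [[0] * width for _ in range(depth)]

    def _h(self, j, key):
        a, b = self.params[j]
        x = zlib.crc32(repr(key).encode())  # deterministic key -> integer mapping
        return ((a * x + b) % PRIME) % self.K

    def update(self, key, value=1):
        """Update(key_t, value_t): T_j[h_j(key_t)] += value_t for all j."""
        for j in range(self.H):
            self.T[j][self._h(j, key)] += value

    def getFrequency(self, key):
        """Point query: the minimum over rows; an upper bound on the true count
        when every update is non-negative."""
        return min(self.T[j][self._h(j, key)] for j in range(self.H))

    def linear_combination(self, other, k):
        """S_d = self - k * other. Valid only when both sketches share hash functions."""
        assert self.params == other.params, "sketches must share hash functions"
        out = CountMinSketch.__new__(CountMinSketch)
        out.K, out.H, out.params = self.K, self.H, self.params
        out.T = [[s - k * o for s, o in zip(rs, ro)] for rs, ro in zip(self.T, other.T)]
        return out


def heavy_changes(prev_packets, cur_packets, delta, k=1, width=256, depth=4):
    """Sketch two consecutive intervals, form S_d = S_2 - k*S_1 and return the keys
    whose estimated change exceeds delta (the alarm condition of slide 18).
    The candidate keys are taken from the packets here; on a line card, S_d alone
    does not name them, which is the reverse-hashing problem of slide 30."""
    s1 = CountMinSketch(width, depth, seed=7)
    s2 = CountMinSketch(width, depth, seed=7)
    for key, size in prev_packets:
        s1.update(key, size)
    for key, size in cur_packets:
        s2.update(key, size)
    sd = s2.linear_combination(s1, k)
    candidates = {key for key, _ in prev_packets} | {key for key, _ in cur_packets}
    return {key for key in candidates if sd.getFrequency(key) > delta}


# Constructed traffic: (flow key, bytes) per packet. Interval 2 carries the same
# five background flows, one of which quadruples, plus one new heavy flow.
BACKGROUND = [(("10.0.0.%d" % n, "192.0.2.1"), 100) for n in range(1, 6) for _ in range(10)]
INTERVAL_1 = BACKGROUND
INTERVAL_2 = (BACKGROUND
              + [(("10.0.0.1", "192.0.2.1"), 100)] * 30
              + [(("203.0.113.9", "192.0.2.1"), 100)] * 35)

if __name__ == "__main__":
    print(heavy_changes(INTERVAL_1, INTERVAL_2, delta=2000))
```

Because S_d holds differences, a cell can go negative when a flow shrinks, so the min-over-rows estimate is no longer a guaranteed upper bound; in this example every per-key change is non-negative, which keeps the bound intact. k = 1 compares raw byte counts; the slides leave k as a scaling constant between the two intervals.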

19 Change Detection using FM Sketch
[Figure: a bit vector of length k, "set the bit to 1"; K different window sizes, each forming 2 different windows; example rows of M shown as 510 0.05, 48 0.04, 24 0.03.]
Inputs: (A, M); A is an m×1 matrix and M is a K×3 matrix
1: c_0 ← 0
2: for i = 1 to K do
3:   s_i ← FM_i
4:   Window_{x,i} ← m_{x,i} intervals from time c_0
5:   Window_{y,i} ← m_{y,i} intervals from the incoming data stream
6: end for
7: while more flow counts to process do
8:   slide Window_{y,i} by 1 sample
9:   if distance(Window_{x,i}, Window_{y,i}) ≥ α_i then
10:    c_0 ← current time
11:    output change at time c_0
12:    clear all windows and GOTO step 1
13:  end if
14: end while
Output: c_0

20 Distance Function
- The difference between two windows is calculated using:
  – Probability distribution [Kifer, VLDB 2004]
  – L_1 distance
  – KL distance (empirical distribution function)
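The FM sketch of slide 16, the sliding-window algorithm of slide 19 and an L_1 distance from slide 20 run end to end, as an added example that is not the authors' code. Per interval an FM sketch (with M bitmaps averaged, as slide 17's M suggests, using the 0.77351 correction constant from Flajolet and Martin) estimates the number of distinct flow keys, giving the m×1 input A; the K×3 matrix M supplies (m_x, m_y, α) per window size; the static window is anchored at c_0 and the moving window slides one sample at a time. The distance used is the L_1 distance between the two windows' empirical distributions after bucketing counts by power of two, an assumed choice made here so that FM's own estimation error cannot move a sample on its own, which also means the α values are not comparable to the slide's 0.05/0.04/0.03. The flow keys, interval layout and window parameters are constructed.

```python
import hashlib
import math


class FMSketch:
    """Flajolet-Martin sketch with M bitmaps of L bits. A 64-bit hash of x picks a
    bitmap with its low bits and yields y from the next L bits; BITMAP[lsb(y)] = 1.
    Estimate = M * 2^(mean R) / 0.77351, R being each bitmap's lowest 0 position."""
    PHI = 0.77351

    def __init__(self, L=32, num_bitmaps=64):
        assert num_bitmaps & (num_bitmaps - 1) == 0, "num_bitmaps must be a power of two"
        self.L, self.M = L, num_bitmaps
        self.bitmaps = [[0] * L for _ in range(num_bitmaps)]

    @staticmethod
    def lsb(y, L):
        """Position of the least-significant 1 bit of y; L-1 when y == 0."""
        return (y & -y).bit_length() - 1 if y else L - 1

    def add(self, x):
        h = int.from_bytes(hashlib.blake2b(repr(x).encode(), digest_size=8).digest(), "little")
        idx = h & (self.M - 1)
        y = (h >> (self.M - 1).bit_length()) & ((1 << self.L) - 1)
        self.bitmaps[idx][self.lsb(y, self.L)] = 1

    def estimate(self):
        R = [next((i for i, bit in enumerate(bm) if bit == 0), self.L) for bm in self.bitmaps]
        return self.M * 2 ** (sum(R) / self.M) / self.PHI


def interval_flow_counts(intervals):
    """A: one FM estimate of the distinct flow keys seen in each time interval."""
    counts = []
    for keys in intervals:
        fm = FMSketch()
        for key in keys:
            fm.add(key)
        counts.append(fm.estimate())
    return counts


def l1_distance(window_x, window_y):
    """L1 distance between the empirical distributions of two windows of flow
    counts, bucketed by power of two (assumed bucketing; range 0 .. 2)."""
    def pmf(window):
        p = {}
        for v in window:
            b = int(math.log2(v)) if v >= 1 else 0
            p[b] = p.get(b, 0.0) + 1.0 / len(window)
        return p
    px, py = pmf(window_x), pmf(window_y)
    return sum(abs(px.get(b, 0.0) - py.get(b, 0.0)) for b in set(px) | set(py))


def detect_changes(A, M, distance=l1_distance):
    """Slide 19 algorithm. A: per-interval flow counts (m x 1); M: rows
    (m_x, m_y, alpha), one per window size (K x 3). Window_x is static and
    anchored at the last change time c0, Window_y is the most recent m_y samples
    and slides by one sample per step; on a change every window is re-anchored.
    Returns the list of change times c0 (number of intervals consumed)."""
    changes, c0, t = [], 0, 1
    while t <= len(A):                                      # step 7
        for mx, my, alpha in M:                             # all K sizes in parallel
            if t < c0 + mx + my:                            # window_y not full yet
                continue
            if distance(A[c0:c0 + mx], A[t - my:t]) >= alpha:   # step 9
                c0 = t                                      # steps 10-11
                changes.append(c0)
                break                                       # step 12: restart windows
        t += 1
    return changes


# Constructed traffic: 12 intervals of the same 500 background flows, then 4
# intervals in which an address scan adds 20,000 new destinations per interval.
BACKGROUND = {"10.0.0.1->dst%d:80" % n for n in range(500)}
INTERVALS = [BACKGROUND] * 12 + [
    BACKGROUND | {"203.0.113.9->scan%d-%d:445" % (t, n) for n in range(20000)} for t in range(4)
]
WINDOWS = [(4, 2, 0.9), (6, 3, 0.9)]  # (m_x, m_y, alpha) per window size, constructed

if __name__ == "__main__":
    print(detect_changes(interval_flow_counts(INTERVALS), WINDOWS))
```

With these inputs the change is flagged after 13 intervals, i.e. as soon as the first scan interval (index 12) enters the shorter moving window, and the re-anchoring at c_0 = 13 leaves too few samples for either window size to fire again. Reported c_0 values are interval counts, not wall-clock times.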

21 Sketches in Action
[Figure: pipeline from traces of the given time slots (LBNL & NLANR traces, CAIDA's Coral software) through pre-processing (header, payload, time → key, count), sketching (sketch library functions; parameters W, d, m) and the change detection module (parameters K, A, M, δ) to alarms (k, u) ….]

22 Experimental Issues
- Experiments run on an Intel Xeon 1.4 GHz processor with 512 MB of RAM
- Implementation of sketches
  – Hash functions are created randomly
  – Random numbers are generated with a maximum value of 2^61 - 1
  – The same two functions are provided for all 4 sketches: Update(key, value) and getFrequency(key)
- Synthetic traces generated where attack flows are injected

23 Evaluation (Accuracy)
[Figures: sketches of the 10 heaviest-ranked flows; sketching changes in heavy-ranked flows between two time intervals.]

24 Evaluation (Accuracy)
[Figures: FM sketch of 10 intervals of normal traffic; FM sketch of 10 intervals of a malicious traffic trace.]

25 Scatter Plot (Accuracy)

26 Count Min Sketch in Attack Detection

27 Attacks Vs Sketches (Efficiency)

28 Evaluation by FM Sketch (Accuracy)
[Figures: change detection accuracy of the FM sketch using the probability distribution distance function; comparison of two different distance functions on exact flow counts.]

29 Evaluation by FM Sketch (Efficiency)
[Figure: accuracy of the two distance functions on synthetic traces. The x-axis is the threshold, expressed as mean(X) + std(X), where X is the flow counts.]

30 Conclusions
- Sketches can detect heavy changes quickly and accurately
- Compact sketch-like data structures can be implemented in on-chip hardware
- Reverse hashing of sketches to identify malicious flows is challenging

31 Thank you!
