Internet Measurement Initiatives in the Wisconsin Advanced Internet Lab Paul Barford Computer Science Department University of Wisconsin – Madison Spring, 2003

Talk Objectives
Motivate and describe Wisconsin Advanced Internet Lab (WAIL)
– Internal lab environment
– External lab environment
Provide some detail on three current projects
– Anomaly detection and characterization
– Distributed intrusion monitoring
– Understanding packet loss

Motivation for New Tools
Any area of scientific research is limited by the tools available for experimental study
– “If your only tool is a hammer then everything looks like a nail”
2001 NRC report: “network research community is in danger of ossification due to strictures of experimental systems”
– Challenge: “Capturing a day in the life of the Internet”
New experimental tools can open up areas of research that have not previously been accessible

An Internet Instance Lab
A hands-on test environment designed to recreate paths and conditions identical to those in the Internet from end-to-end-through-core
– Requires large amount of routing and end host equipment
Network and host equipment able to recreate (not emulate) a wide range of services, configurations and traffic conditions
– Complete instrumentation of end-to-end paths
– Deployment of disruptive prototypes

Key Challenges
Design
Configurations and management
Traffic generation
Propagation delay
Validation

The Wisconsin Advanced Internet Lab
Our realization of an IIL
Developed over past 18 months by UW/Cisco team
Supported by $3.5M equipment grant from Cisco and UW matching funds
– Used to purchase over 75 pieces of networking equipment
Phase 1 nearing completion => Abilene recreation
Other partners: EMC, Spirent, Intel, Fujitsu, Sun
Research initiatives in many areas…

External Environment
Essential complement to internal environment
Existing infrastructure
– DOMINO systems (1 class A + 2 class B’s + Dshield)
– Surveyor + WAWM systems (~70 nodes)
New database and front end by summer ‘03
Partnerships and other available systems
– Condor/Grid infrastructures
Passive flow measurements
– FlowScan data from UW, Internet2, others…

Project 1: Detecting Anomalies in IP Flows
Motivation: Anomaly detection remains difficult
Objective: Improve understanding of traffic anomalies
Approach: Multiresolution analysis of data set that includes IP flow, SNMP and an anomaly catalog
Method: Integrated Measurement Analysis Platform for Internet Traffic (IMAPIT)
Results: Identify anomaly characteristics using wavelets and develop new method for exposing short-lived events

Our Data Sets
Consider anomalies in IP flow and SNMP data
– Collected at UW border router (Juniper M10)
– Archive of ~6 months’ worth of data (packets, bytes, flows)
– Includes catalog of anomalies (after-the-fact analysis)
Group observed anomalies into four categories
– Network anomalies (41): steep drop-offs in service followed by quick return to normal behavior
– Flash crowd anomalies (4): steep increase in service followed by slow return to normal behavior
– Attack anomalies (46): steep increase in flows in one direction followed by quick return to normal behavior
– Measurement anomalies (18): short-lived anomalies which are not network anomalies or attacks

Multiresolution Analysis
Wavelets provide a means for describing time series data that considers both frequency and time
– Powerful means for characterizing data with sharp spikes and discontinuities
– Using wavelets can be quite tricky
We use tools developed at UW which together make up IMAPIT
– FlowScan software
– The IDR Framenet software
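The two slides above (anomaly categories, multiresolution analysis) as one added worked example; this is illustration code, not IMAPIT, FlowScan or Framenet. It assumes a Haar wavelet, a per-minute flow count as the input series, a trailing-window deviation score, and a single-direction series (so "flows in one direction" is approximated by the sign of the excursion); all names and the sample series are constructed.

```python
import statistics

def haar_split(series, levels):
    """Haar approximation at scale 2**levels (block means) and the residual
    carried by the finer detail levels: returns (low, high)."""
    block = 2 ** levels
    padded = list(series) + [series[-1]] * (-len(series) % block)
    low = []
    for i in range(0, len(padded), block):
        low.extend([sum(padded[i:i + block]) / block] * block)
    low = low[:len(series)]
    return low, [s - l for s, l in zip(series, low)]

def deviation_scores(series, levels=2, window=8):
    """Variance of the high-frequency part over a trailing window, divided by
    the median of that variance, so ordinary ripple scores near 1."""
    _, high = haar_split(series, levels)
    local = []
    for i in range(len(high)):
        w = high[max(0, i - window + 1):i + 1]
        local.append(statistics.pvariance(w) if len(w) > 1 else 0.0)
    baseline = statistics.median(local) or 1e-9
    return [v / baseline for v in local]

def flag_anomalies(series, threshold=10.0, **kw):
    """Sample indices whose deviation score exceeds `threshold`."""
    return [i for i, s in enumerate(deviation_scores(series, **kw)) if s > threshold]

def classify(series, start, baseline, quick=5):
    """Label the excursion at `start` with the slide's categories: direction
    of the jump and samples needed to get back within 20% of `baseline`;
    anything else falls into the residual 'measurement' category."""
    delta = series[start] - baseline
    back = next((i for i in range(start, len(series))
                 if abs(series[i] - baseline) < 0.2 * baseline), len(series))
    if delta < 0 and back - start <= quick:
        return "network"
    if delta > 0:
        return "attack" if back - start <= quick else "flash crowd"
    return "measurement"

def constructed_series():
    """Constructed sample (not UW border data): ~100 flows/min with a +-2
    ripple, an attack spike at 40-42, an outage at 80-82 and a flash crowd
    at 120-135 that decays slowly."""
    s = [100 + (2 if i % 2 else -2) for i in range(200)]
    s[40:43] = [400] * 3
    s[80:83] = [10] * 3
    s[120:136] = [400 - 16 * k for k in range(16)]
    return s
```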

Ambient IP Flow Traffic

Flow Traffic During DoS Attacks

Deviation Score for Three Anomalies

Project 2: Coordinated Intrusion Detection
Motivation: Intrusion detection is a moving target
Objective: Coordinate intrusion monitoring between multiple sites around the Internet
Approach: Share data from firewalls, NIDS and tarpits (on unused IP space)
Method: Distributed Overlay for Monitoring Internet Outbreaks (DOMINO)
Results: Blacklists can be rapidly generated, false positives can be substantially lowered, new outbreaks can be easily identified

DOMINO: A new approach to DNIDS
Partnership with dshield.org
– 1600 firewall and NIDS logs
Tarpits
– Active monitor of unused IP space
– 1 class A (this week), 2 class B’s
A protocol for node participation, data sharing and alert clustering
– Chord-based overlay network
– Extension of Intrusion Detection Message Exchange Format
– Various clustering methods
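An added example of the cross-site alert clustering the two DOMINO slides describe: corroborated blacklisting and a simple outbreak signal. It is not DOMINO's protocol or dshield.org data; the alert tuples, site names, RFC 5737 addresses, the one-hour window and the tarpit vote weight are all this example's assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert feed from three cooperating sites (not dshield.org data):
# (site, sensor kind, source IP, destination port, UTC timestamp).
ALERTS = [
    ("siteA", "firewall", "203.0.113.7", 1434, "2003-01-25T05:31:00"),
    ("siteB", "nids", "203.0.113.7", 1434, "2003-01-25T05:33:00"),
    ("siteC", "tarpit", "203.0.113.7", 1434, "2003-01-25T05:34:00"),
    ("siteA", "firewall", "198.51.100.9", 22, "2003-01-25T05:40:00"),
    ("siteB", "firewall", "198.51.100.9", 22, "2003-01-25T09:10:00"),
    ("siteC", "tarpit", "203.0.113.55", 1434, "2003-01-25T05:35:00"),
    ("siteA", "nids", "203.0.113.80", 80, "2003-01-25T05:36:00"),
]
# Assumption: a tarpit sighting counts double, since unused space gets no legitimate traffic.
TARPIT_WEIGHT = 2

def parse(alerts):
    return [(s, k, ip, p, datetime.fromisoformat(t)) for s, k, ip, p, t in alerts]

def blacklist(alerts, min_votes=2, window=timedelta(hours=1)):
    """Sources whose votes from distinct sites inside one sliding window reach
    `min_votes`. A site contributes once per window, so one noisy sensor
    cannot blacklist a source by itself (fewer false positives)."""
    by_src = defaultdict(list)
    for site, kind, ip, _, ts in parse(alerts):
        by_src[ip].append((ts, site, kind))
    out = {}
    for ip, reports in by_src.items():
        reports.sort()
        for i, (t0, _, _) in enumerate(reports):
            votes = {}
            for ts, site, kind in reports[i:]:
                if ts - t0 > window:
                    break
                weight = TARPIT_WEIGHT if kind == "tarpit" else 1
                votes[site] = max(votes.get(site, 0), weight)
            if sum(votes.values()) >= min_votes:
                out[ip] = sorted(votes)
                break
    return out

def outbreak_ports(alerts, min_sources=2):
    """Destination ports probed by at least `min_sources` distinct sources:
    a cheap cross-site signal that a new outbreak is sweeping a service."""
    srcs = defaultdict(set)
    for _, _, ip, port, _ in parse(alerts):
        srcs[port].add(ip)
    return {p: len(s) for p, s in srcs.items() if len(s) >= min_sources}
```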

Marginal Utility of Adding Nodes

SQL-Sapphire Analysis

Project 3: Understanding Packet Loss
Motivation: Many of the most basic aspects of packet loss are not understood
– Where, when, how long, how often?
Focus: Developing a comprehensive understanding of packet loss in the Internet
Approach: Combine understanding of protocols and queue behavior to create a probe train which can accurately measure delay and loss
Implications: End-to-end tools for pinpointing loss, better transport protocols, better network management for congestion

Active versus Passive Loss Measures
Hypothesis: Active measures of loss are correlated with passive measures of loss
Assessment in Abilene
– SNMP loss measures on all backbone routers
– Active probes via Ping/Zing in Surveyor nodes at 10Hz, 20Hz and 100Hz
– Tests in full mesh over one month period
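An added example (not the Surveyor/Zing tooling or Abilene data) of why a passive counter and a sparse probe train can disagree: it constructs a path whose loss comes in short periodic bursts and compares the SNMP-style count of every packet with what 10 Hz and 100 Hz probe trains see at different phases. The burst length, period, background rate and probe phases are this example's assumptions.

```python
def loss_episodes(period_us, episode_us, duration_us):
    """Constructed loss process: the path drops everything for episode_us at
    the start of every period_us (bursty queue overflow), nothing otherwise."""
    return [(t, t + episode_us) for t in range(0, duration_us, period_us)]

def loss_fraction(send_times_us, episodes):
    """Fraction of the given packets that fall inside a loss episode."""
    lost = sum(any(a <= t < b for a, b in episodes) for t in send_times_us)
    return lost / len(send_times_us)

def passive_loss(pps, episodes, duration_us):
    """SNMP-style counter view: every background packet is accounted for."""
    return loss_fraction(range(0, duration_us, 1_000_000 // pps), episodes)

def active_loss(hz, phase_us, episodes, duration_us):
    """Probe-train view: hz probes/s, first probe sent at phase_us."""
    return loss_fraction(range(phase_us, duration_us, 1_000_000 // hz), episodes)

def episodes_seen(hz, phase_us, episodes, duration_us):
    """How many loss episodes at least one probe landed in."""
    probes = range(phase_us, duration_us, 1_000_000 // hz)
    return sum(any(a <= t < b for t in probes) for a, b in episodes)

# Constructed scenario: 50 ms of loss once a second for 30 s, 1000 pkt/s of
# background traffic, probe trains at the slide's 10 Hz and 100 Hz rates.
DURATION = 30_000_000
EPISODES = loss_episodes(1_000_000, 50_000, DURATION)
```

At 10 Hz the estimate swings between 0% and 10% depending only on probe phase, while the passive counter and the 100 Hz train both report the true 5%.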

Result: Active <> Passive

Summary
Both internal lab building initiatives and external measurement initiatives in WAIL
Internal facilities are intended to be open
We are seeking partnerships in external measurement projects
– DOMINO in particular