1 COPYRIGHT © 2015 ALCATEL-LUCENT. ALL RIGHTS RESERVED. Cognitive Security: Security Analytics and Autonomics for Virtualized Networks Lalita Jagadeesan.


Slide 1: Cognitive Security: Security Analytics and Autonomics for Virtualized Networks
Lalita Jagadeesan (with Vijay Gurbani, Alan Mc Bride, Jie Yang)
Bell Labs & CTO Security Group, Alcatel-Lucent
Oct 6, 2015

Slide 2: THE DYNAMICS OF CLOUD & SOFTWARE DEFINED NETWORKS: OPPORTUNITIES AND THREATS
Current state:
- Emerging network technologies are enabling applications to become portable, mobile, and borderless.
- Threats exploiting networks and applications are unpredictable and on the rise.
Problem:
- Real-time prediction, detection and mitigation of security threats is lagging behind the fast-paced migration of applications to the cloud environment.
Our approach:
- Develop new algorithms and data analytics techniques to predict and detect known and unknown security threats.
- Automate reconfiguration of virtualized security functionality for networks and applications.
Our goal:
- Enable networks to automatically detect security threats in real time, dynamically reconfigure themselves to protect against these threats, and automatically immunize themselves against emerging and evolving threats.

Slide 3: MOTIVATION
Cloud and software-defined networking brings new security challenges:
- Emerging, evolving, and unknown threats on new kinds of virtualized networks
Virtualized networks bring new opportunities:
- Dynamically change security policy (e.g. firewall rules)
- Instantiate virtualized security functions closer to threats
- Dynamically migrate functionality to other virtual machines or other parts of the network when a security issue is detected
Real-time machine-learning based streaming analytics + streaming anomaly detection:
- Can help to proactively identify and detect unknown threats
Limitations of current technologies (e.g., traditional SIEM):
- Signature based, so can only address known threats
- Lack of flexibility, scalability, usability
- Require very labor-intensive setup and tuning to be effective

Slide 4: ANALYTICS-DRIVEN DETECTION AND RESPONSE
Analytics and Autonomics:
- Use machine learning to automatically detect anomalies
- Normal behavior is not fully known: we cannot accurately label past data and/or train machine learning algorithms on past normal behavior
- Leverage dynamic capabilities of NFV and SDN networks for autonomic response
(Distributed) Denial of Service:
- Distinguish abnormally high rates of legitimate traffic from malicious traffic
- Legitimate traffic: input to the cloud growth engine to instantiate new resources
- Malicious traffic: input to the cloud growth engine not to increase resources, and input to security autonomics
CAN UNSUPERVISED MACHINE LEARNING ON STREAMING DATA BE USED?
- Legitimate traffic -> cloud growth
- Malicious traffic -> security mitigations

Slide 5: ANOMALY DETECTION FOR SIP FLOODING
GENERAL-PURPOSE UNSUPERVISED LEARNING TO IDENTIFY ANOMALIES
- Used a general-purpose anomaly detection application based on unsupervised machine learning for streaming data
- No distinction between abnormally high rates of legitimate traffic and malicious traffic (attack traffic does not send ACKs)
[Figure: abnormally high rates of legitimate traffic vs. malicious traffic]
SIP = "Session Initiation Protocol"

Slide 6: OUR APPROACH: DOMAIN-SPECIFIC ALGORITHMS BASED ON TEMPORAL LOGIC & STATE MACHINES
EXTEND ANOMALY DETECTION WITH DOMAIN-SPECIFIC ALGORITHMS
- Aim to distinguish abnormally high rates of legitimate traffic from malicious traffic
- SIP protocol specifies a 3-way handshake: client sends INVITE to server, server responds with 200 OK to client, client sends a matching ACK within 32 seconds
- Normal sequence: [INVITE, 200 OK, ACK]
- Open handshake: [INVITE, 200 OK, time-out] can indicate malicious behavior (forces the server to keep state waiting for the ACK); high rates of time-outs can indicate a distributed denial of service (DDoS) attack
- Incorporate domain-specific knowledge: e.g. every 200 OK must be followed by a matching ACK within 32 seconds
- Invoke the run-time verification algorithm only when anomalies are detected by general-purpose anomaly detection; this avoids the run-time cost of running it continually
- Learn a blacklist (based on open handshakes) and incorporate it into the algorithm to provide information to security autonomics

Slide 7: PROOF-OF-CONCEPT ARCHITECTURE
- Commercial analytics platform with a machine learning application
- Our run-time verification algorithms built using the Python SDK of the commercial platform
- Temporal logic / state machine based properties monitored at run-time, e.g. "every 200 OK must be followed by a matching ACK within 32 seconds"
- SIPp traffic generator (SIP = "Session Initiation Protocol")

Slide 8: SCENARIO: LEGITIMATE AND MALICIOUS SIP TRAFFIC
- Period 1 (high rate of legitimate traffic): two peaks of legitimate traffic
- Period 2 (malicious traffic): two peaks of malicious traffic
- Period 3 (mixed traffic): one peak of each
- Peak traffic 30 msg/sec, baseline 10 msg/sec, addresses spoofed from a pool

Slide 9: GENERAL-PURPOSE ANOMALY DETECTION ON SCENARIO
- Does NOT correctly identify the three periods
- However, this anomaly detection application can be used as a trigger for our domain-specific algorithms

Slide 10: IDENTIFYING SUSPICIOUS TRAFFIC
- Our domain-specific algorithm identifies suspicious traffic based on open handshakes
- Suspicious calls detected after 32 seconds (timeout period)

Slide 11: MALICIOUS TRAFFIC AND BLACKLISTS (SIMULATION)
- Source addresses for malicious calls are placed on the blacklist
[Figure labels: suspicious calls placed on blacklist; suspicious calls blocked by blacklist]
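The run-time verification step of slides 6, 10 and 11 (open-handshake detection after the 32-second timeout, then learning a blacklist of offending source addresses) as an added Python example; this is not the slides' code or the commercial platform's SDK. The event tuple layout, the "sip-server" address and the trace are constructed for the example.

```python
# Added example, not the slides' code: run-time monitor for the SIP property
# "every 200 OK must be followed by a matching ACK within 32 seconds".
# Event tuples (time_s, method, call_id, src) and the trace are constructed.
ACK_TIMEOUT = 32.0  # seconds, the timeout stated on the slides

class SipHandshakeMonitor:
    """Per-call state machine: INVITE -> 200 OK -> ACK, or time-out (open handshake)."""
    def __init__(self):
        self.caller = {}           # call_id -> source address that sent the INVITE
        self.awaiting_ack = {}     # call_id -> time the 200 OK was seen
        self.open_handshakes = []  # (call_id, src) pairs whose ACK never arrived
        self.blacklist = set()     # learned sources, handed to security autonomics

    def expire(self, now):
        for call_id, t_ok in list(self.awaiting_ack.items()):  # sweep stale 200 OKs
            if now - t_ok > ACK_TIMEOUT:                       # open handshake
                src = self.caller.pop(call_id)
                self.open_handshakes.append((call_id, src))
                self.blacklist.add(src)
                del self.awaiting_ack[call_id]

    def observe(self, t, method, call_id, src):
        """Feed one message; returns 'blocked' for an INVITE from a blacklisted source."""
        self.expire(t)
        if method == "INVITE":
            if src in self.blacklist:
                return "blocked"
            self.caller[call_id] = src
        elif method == "200OK" and call_id in self.caller:
            self.awaiting_ack[call_id] = t      # start the 32 s clock
        elif method == "ACK" and self.awaiting_ack.pop(call_id, None) is not None:
            self.caller.pop(call_id, None)      # handshake completed normally
        return "ok"

# Constructed trace: c1 and c4 complete the handshake; c2 never sends its ACK, so
# after 32 s its source is blacklisted and its next INVITE (c3) is blocked.
TRACE = [
    (0.0, "INVITE", "c1", "10.0.0.1"), (1.0, "200OK", "c1", "sip-server"),
    (2.0, "ACK", "c1", "10.0.0.1"),
    (5.0, "INVITE", "c2", "10.0.0.9"), (6.0, "200OK", "c2", "sip-server"),
    (40.0, "INVITE", "c3", "10.0.0.9"), (41.0, "INVITE", "c4", "10.0.0.1"),
    (42.0, "200OK", "c4", "sip-server"), (43.0, "ACK", "c4", "10.0.0.1"),
]

def run(trace):
    """Replay a trace; returns (monitor, per-message verdicts) after a final sweep."""
    mon = SipHandshakeMonitor()
    verdicts = [mon.observe(*event) for event in trace]
    mon.expire(trace[-1][0] + ACK_TIMEOUT + 1)
    return mon, verdicts
```

In the proof of concept the learned blacklist is what the autonomics layer turns into a firewall rule; here it is simply returned on the monitor.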

Slide 12: PUTTING IT TOGETHER: ANALYTICS-DRIVEN SECURITY AUTONOMICS
MALICIOUS TRAFFIC AND BLACKLIST FILTERING (FIREWALL)
- Suspicious calls are filtered by dynamically adding a new firewall rule

Slide 13: LEVERAGING VIRTUALIZED NETWORK CAPABILITIES FOR SECURITY AUTONOMICS
INCREASING ATTACK TRAFFIC
- Increasing rates of attack can be detected through anomaly detection
- A more significant attack drives more sophisticated security autonomics, e.g. instantiation of a new virtualized firewall

Slide 14: CONCLUSIONS AND FUTURE WORK
Summary:
- Analytics-driven security autonomics that leverages the dynamic reconfiguration capabilities of virtualized networks
- Analytics approach based on a combination of machine learning and run-time verification through domain-specific algorithms
- Proof-of-concept architecture applied to SIP DDoS scenarios
Future work:
- Extend machine learning algorithms and domain-specific knowledge to known and unknown threats on a broad range of protocols, and more fully integrate machine learning and run-time verification
- Extend the proof-of-concept architecture to include open-source analytics platforms such as Spark Streaming, and build upon Python machine learning libraries
- Extend the approach and proof-of-concept studies to include more sophisticated security autonomics
