Security System for KOREN/APII-Testbed

Security System for KOREN/APII-Testbed
Sungkwan Youm, Korea Univ.
A Study of TE for KOREN/APII-Testbed

Research Goal

Deploy an attack defense system on KOREN to improve its security.
Yearly plan:
2003: security system design and algorithm proposal. Proposal of a dynamic and adaptive detecting algorithm; design of a system which detects and defends against attacks; implementation of the signature detector.
2004: implementation of the system and deployment on KOREN. Implementation of the dynamic detecting component; implementation of the agent and manager.

Speaker notes: The main goal of this research is to deploy an attack defense system on KOREN to improve its security. The first-year goal is the security system design and algorithm proposal: specifically, to propose a dynamic and adaptive detecting algorithm, to design a system which detects and defends against attacks, and to implement the signature detector. The second-year goal is to implement the system and deploy it on KOREN; for this we are going to implement the dynamic detection component, the agent and the manager.

System Architecture

Diagram components: Agent (Libcap, NetFlow, flow isolation, Signature Detector, Anomaly Detector with elementary and adaptive classification, Visualization, Security DB, Filtering Manager), Server, and a link to another agent's Filtering Manager.

Speaker notes: There are two detectors. The first is the signature detector; we decided to use Snort, which matches packets against patterns in a predefined DB. The second is the anomaly detector, which is used against DDoS attacks. It monitors traffic and maintains a statistical average of packet attributes; if some attribute exceeds its average, the anomaly detector considers that an attack has happened. Signatures created by these two detectors are transferred to the filtering manager and to the other agents' managers, and the filtering manager then performs the filtering process based on those signatures. The signatures are also visualized by the visualization tool.

Configuration for Security Agent

Diagram: detecting and filtering agents deployed at the protected server and at routers in KOREN, with attack traffic arriving from another network and from users.

Speaker notes: This slide shows the configuration of the security agent. It is deployed at the protected server or at a router. If an agent detects an attack, it creates a signature, and the detecting agent transfers this signature to the other agents. They then perform the filtering process based on the signatures.

Signature Detector

Using Snort; performs as an NIDS; optimized ruleset; deployed in Suwon and Daejeon (diagram: Seoul, Suwon Snort server, Daejeon Snort server, Daegu, Busan, Kwangju).

Speaker notes: The signature detector uses Snort, a well-known open-source IDS, operating as an NIDS. Snort ships with a very large number of rules, so the ruleset needs to be optimized for use on a high-speed network; we deleted some rules which cause meaningless detections. It is deployed in Suwon (163.180.118.68) and Daejeon (203.255.255.93).

Signature Detector: Detection Results

Alert list (Snort):

Signature                          Classification          Total#       Sensor#/Src  First                Last
ICMP PING CyberKit 2.2 Windows     misc-activity           4690 (15%)   1 / 299      2003-11-21 20:19:39  2003-11-24 19:18:41
SCAN Squid Proxy attempt           attempted-recon         12 (0%)      2            2003-11-22 08:06:48  2003-11-24 03:17:13
SCAN SOCKS Proxy attempt           attempted-recon         30 (0%)      5            2003-11-24 09:25:26
SCAN Proxy (8080) attempt
BAD-TRAFFIC IP Proto 103 (PIM)     non-standard-protocol   25792 (84%)               2003-11-21 20:18:55  2003-11-24 19:18:36
MS-SQL Worm propagation attempt    misc-attack             2 (0%)                    2003-11-23 06:19:00
ICMP superscan echo                                                                  2003-11-23 20:02:04
ICMP PING NMAP                                                                       2003-11-23 21:20:50
SNMP public access                                                                   2003-11-24 23:13:27

Speaker notes: These are the Snort alert lists. In these results, ICMP superscan echo, SCAN Proxy (8080) attempt, SCAN SOCKS Proxy attempt and SCAN Squid Proxy attempt will be an attacker's scan attempts against the network. But if the proxy is behind a firewall or is a trusted host, it is normal access into the network and other hosts; if we know the trusted hosts' IPs, we can classify scan attempts versus normal access. BAD-TRAFFIC IP Proto 103 (PIM) can be DDoS attack traffic using a weakness of Cisco routers, or Hello messages that a router sends to neighbouring PIM routers. The OSs of KOREN's routers have a weakness regarding DDoS attacks, so they need to be upgraded or patched. We also detected an MS-SQL worm propagation attempt; to defend against this worm, port 1434 needs to be closed or the attack packets filtered.
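The triage rule the notes describe (proxy-scan alerts from a known trusted host are normal access, the MS-SQL worm alert calls for filtering port 1434) can be applied to Snort's plain-text "alert_fast" output. The following is an added example, not code from the KOREN project; the alert lines, the signature IDs, the trusted-host list and the verdict labels are all constructed for illustration.

```python
"""Triage of Snort alert_fast lines: count alerts per classification and
separate proxy-scan alerts from trusted hosts (normal access) from real scan
attempts. Added example; the sample alerts, SIDs and trusted hosts are constructed."""
import re
from collections import Counter

# Constructed sample in Snort's alert_fast format (documentation IP ranges).
SAMPLE_ALERTS = """\
11/21-20:19:39.000000  [**] [1:100001:1] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 203.0.113.5
11/22-08:06:48.000000  [**] [1:100002:1] SCAN Squid Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.20:4321 -> 203.0.113.5:3128
11/24-09:25:26.000000  [**] [1:100003:1] SCAN SOCKS Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:5555 -> 203.0.113.5:1080
11/23-06:19:00.000000  [**] [1:100004:1] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.33:1434 -> 203.0.113.5:1434
"""

# One alert_fast line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed: a proxy host the site administrators know and trust.
TRUSTED_HOSTS = {"198.51.100.7"}


def parse_alerts(text):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def triage(alerts, trusted=TRUSTED_HOSTS):
    """Count alerts per classification and assign a verdict to each alert."""
    counts = Counter(a["cls"] for a in alerts)
    verdicts = []
    for a in alerts:
        if a["msg"].startswith("SCAN "):
            # Proxy/scan probes from a trusted host are normal access, not recon.
            verdict = "normal-access" if a["src"] in trusted else "scan-attempt"
        elif a["msg"].startswith("MS-SQL Worm"):
            # The notes' mitigation: close or filter UDP port 1434.
            verdict = "filter-port-1434"
        else:
            verdict = "review"
        verdicts.append((a["msg"], a["src"], verdict))
    return counts, verdicts


if __name__ == "__main__":
    counts, verdicts = triage(parse_alerts(SAMPLE_ALERTS))
    for cls, n in counts.most_common():
        print(f"{n:5d}  {cls}")
    for msg, src, verdict in verdicts:
        print(f"{verdict:17s} {src:15s} {msg}")
```

The regex tolerates ICMP alerts without port numbers and keeps the gid:sid:rev triple, so the same parser can feed a "meaningless detection" count per SID when deciding which rules to drop from the ruleset.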

Anomaly Detection Algorithm

Entropy: measures the randomness of a packet attribute (e.g. source address); maintain an average of the entropy; detect attacks with a threshold setting.
Chi-square test: measures the distribution of an attribute; used for anomaly detection of various packet attributes.

Speaker notes: We use entropy computation and the chi-square test as the anomaly detection algorithms. The first is the entropy computation method. In the formula on the slide, Pi is the probability of each of the n values of the packet attribute. The entropy computation measures the randomness of the packet attribute and maintains an average of the entropy; if the current entropy exceeds the average value, an attack can be detected. The chi-square test measures the distribution of an attribute. B is the binning value, which combines a set of possible values into one bin. The chi-square test defines Ni as the number of packets whose value falls in the i-th bin under the current state, and ni as the expected number of packets under the typical distribution. This can be used for anomaly detection of various packet attributes.

Anomaly Detection Mechanism

Diagram: incoming traffic (attack and normal packets) -> Elementary Classification (single detecting algorithm, entropy, low accuracy) -> suspicious signature -> Adaptive Classification (multiple detecting algorithms, chi-square, high accuracy) -> malicious signature -> Filtering Manager; the output is secure packets.

Speaker notes: This slide shows the anomaly detection mechanism. There are two classification processes: elementary classification and adaptive classification. Elementary classification uses a single entropy computation with low accuracy; in other words, this classification is applied broadly to attack packets, and this process reduces network congestion. Adaptive classification uses multiple chi-square tests with high accuracy, which reduces the false detection rate. The signatures created by these two classifications are transferred to the filtering manager.

Anomaly Detection Mechanism

Elementary classification: apply a suspicious signature with high sensitivity; classification applied broadly to attack packets; reduces the network congestion problem; uses entropy calculation with a low threshold value.
Adaptive classification: apply a malicious signature with high sensitivity; reduces the error detection rate; uses the chi-square test with a high threshold value.

Speaker notes: This slide repeats the contents discussed on the previous slide, so I will skip it.

Flowchart of Signature Creation

Pick up the next packet attribute (as sa or ma).
Calculate the entropy of packet attribute sa and compare it with the average. Does it exceed the threshold? If no, update the average value of the entropy. If yes, create a suspicious signature based on packet attribute sa.
Does the number of packets that belong to the suspicious signature exceed the upper-bound threshold n? If no, calculate the chi-square value of packet attribute ma and update the average. If yes, calculate the chi-square value of packet attribute ma over the suspicious packets and create a malicious signature by adding ma to the suspicious signature.
Filter based on the signatures.

Speaker notes: This flowchart is the creation process of a signature.

Anomaly Detection Process

Example of the detection process:
Entropy (about source address): entropy average 7 (threshold 8), current entropy 8.7, signature {Src=201.170.123.6}.
Chi-square (about packet length): chi-square average 1200 (threshold 1300), current chi-square value 2000, signature {leng=1-64byte}.

Speaker notes: This slide shows an example of the detection process. The first step is the entropy computation about the source address: if the entropy average is 7, the threshold is 8 and the current entropy is 8.7, then the detecting module creates a signature based on the source address. The next step is the chi-square test about the source port number: in this case, if the average value is 1200 and the current value is 2000, then a signature is created with the source port number.
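The entropy and chi-square definitions (Pi, Ni, ni, bins B), the two-stage mechanism and the signature-creation flowchart above can be exercised end to end on a small constructed trace. The code below is an added example, not the KOREN project's implementation: the packets, the thresholds, the length bins, the running-average update and the shape of the signatures (a set of source addresses, extended by the most deviating length bin) are assumptions made for illustration.

```python
"""Two-stage anomaly detection over packet attributes: entropy of the source
address with a low threshold (elementary classification) yields a suspicious
signature; a chi-square test of packet length over the suspicious packets
(adaptive classification) promotes it to a malicious signature.
Added example, not the KOREN project's code. Packets, thresholds, bin edges,
the average update and the signature form are constructed assumptions."""
import math
from collections import Counter

# Constructed packet-length bins (B); the page's example signature uses {leng=1-64byte}.
LENGTH_BINS = (("1-64", 1, 64), ("65-512", 65, 512), ("513-1500", 513, 1500))


def entropy(values):
    """Shannon entropy in bits: -sum(Pi * log2 Pi), with Pi = count of value i / n."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def length_bin(length):
    for name, lo, hi in LENGTH_BINS:
        if lo <= length <= hi:
            return name
    return "other"


def chi_square(observed, expected):
    """sum over bins of (Ni - ni)^2 / ni: Ni observed in bin i now, ni expected."""
    return sum((observed.get(b, 0) - n) ** 2 / n for b, n in expected.items() if n > 0)


class TwoStageDetector:
    def __init__(self, baseline, entropy_threshold, chi_threshold, upper_bound):
        # Typical distribution learned from a baseline window of normal packets.
        self.entropy_avg = entropy([p["src"] for p in baseline])
        self.windows_seen = 1
        bins = Counter(length_bin(p["len"]) for p in baseline)
        self.typical = {b: c / len(baseline) for b, c in bins.items()}
        self.entropy_threshold = entropy_threshold
        self.chi_threshold = chi_threshold
        self.upper_bound = upper_bound

    def elementary(self, window):
        """Entropy of the source address (sa) against a low threshold."""
        h = entropy([p["src"] for p in window])
        if h <= self.entropy_threshold:
            # Normal window: fold it into the running average and emit nothing.
            self.windows_seen += 1
            self.entropy_avg += (h - self.entropy_avg) / self.windows_seen
            return None
        # Assumed signature form: the set of sources seen in the anomalous window.
        return {"src": frozenset(p["src"] for p in window)}

    def adaptive(self, suspicious, window):
        """Chi-square of packet length (ma) over packets matching the suspicious signature."""
        matched = [p for p in window if p["src"] in suspicious["src"]]
        if len(matched) <= self.upper_bound:
            return None
        observed = Counter(length_bin(p["len"]) for p in matched)
        expected = {b: f * len(matched) for b, f in self.typical.items()}
        x2 = chi_square(observed, expected)
        if x2 <= self.chi_threshold:
            return None
        # Add the most deviating length bin (ma) to the suspicious signature.
        worst = max(expected, key=lambda b: (observed.get(b, 0) - expected[b]) ** 2 / expected[b])
        return {"src": suspicious["src"], "len": worst, "chi_square": x2}


# Constructed traffic: two normal hosts, then a flood of short packets from 16 spoofed sources.
BASELINE = [{"src": "10.0.0.1", "len": l} for l in (40, 100, 300, 1400)] + \
           [{"src": "10.0.0.2", "len": l} for l in (60, 200, 600, 1000)]
ATTACK = [{"src": f"198.51.100.{i}", "len": 56} for i in range(1, 17)]


def run_demo():
    det = TwoStageDetector(BASELINE, entropy_threshold=2.0, chi_threshold=10.0, upper_bound=10)
    normal = det.elementary(BASELINE)       # entropy 1.0: below threshold, no signature
    suspicious = det.elementary(ATTACK)     # entropy 4.0: suspicious signature
    malicious = det.adaptive(suspicious, ATTACK) if suspicious else None
    return normal, suspicious, malicious


if __name__ == "__main__":
    print(run_demo())
```

With the constructed baseline the expected bin counts for 16 suspicious packets are 4, 6 and 6, all 16 attack packets fall in the 1-64 bin, and the chi-square value is 48, well above the higher adaptive threshold; a normal window, by contrast, only updates the entropy average, exactly the "no" branch of the flowchart.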

Anomaly Detector Architecture

Diagram: Monitoring Tool -> Agent (Detecting Module 1 ... Detecting Module n, Anomaly Detection Manager) -> suspicious and malicious signatures -> Filtering Manager. Packet attributes: source address, destination address, source port number, destination port number, protocol.

Speaker notes: This slide shows the system architecture. First, the measuring tool collects packet attributes. Then the detecting components compute over the attributes and create signatures. These signatures are transmitted to the filtering manager and to the other agents, and the filtering manager performs the filtering process. The anomaly detection manager manages the detecting modules, sets the threshold values and transfers signatures to the other filtering managers. It also supports the user interface.

Signature Detector Testing (DDoS)

Testing environment (diagram): master and agents exchange control messages; agents send attack packets to the target. Snort at Daejeon (203.255.255.94): impossible to detect attack packets. Snort at Suwon (163.180.118.68): possible to detect control messages.

Speaker notes: Snort's ruleset for DDoS attacks is focused on the control messages exchanged between master and agent. So, as you see on this slide, if Snort is located in the same local network as the master and agent, it can detect their control messages; but if it is not, Snort can detect neither the control messages nor the attack packets. We tested Snort to confirm this. We set up TFN2K at the Suwon node as the attack tool and deployed Snort servers at the Suwon and Daejeon nodes.

Signature Detector Testing (DDoS)

TFN2K icmp possible communication detection:

ID             Signature                                  Timestamp            Source Address   Dest. Address    Layer 4 Proto
#150-(2-3872)  [snort] tfn2k icmp possible communication  2003-11-22 14:18:52  163.180.118.68   163.180.118.98   ICMP
#151-(2-3871)  [snort] tfn2k icmp possible communication
#152-(2-3870)  [snort] tfn2k icmp possible communication  2003-11-22 14:18:53
#153-(2-3869)                                             2003-11-22 14:18:53

DDoS TFN client command BE detection:

ID             Signature                                  Timestamp            Source Address   Dest. Address    Layer 4 Proto
#156-(2-3866)  [snort] DDOS TFN client command BE         2003-11-22 14:18:56  163.180.118.98   163.180.118.68   ICMP
#157-(2-3865)  [snort] DDOS TFN client command BE         2003-11-22 14:18:56
#158-(2-3864)  [snort] DDOS TFN client command BE         2003-11-22 14:18:56
#159-(2-3863)                                             2003-11-22 14:18:57
#160-(2-3862)                                             2003-11-22 14:18:57
#161-(2-3863)

Speaker notes: This slide shows the Suwon Snort test result. It detects "tfn2k icmp possible communication" and "DDOS TFN client command BE". The Daejeon node's Snort did not create any signature about TFN2K. So we can confirm that if Snort is located in the same local network as the attack tool, it can detect the control messages between master and agent.

Anomaly Detector Algorithm Testing (DDoS)

Testing environment (diagram): local network (normal traffic) and DDoS attack (TFN2K) toward the victim; Monitoring Tool (Libcap, NetFlow) -> Attribute DB -> analysis of packet and flow attributes using the detecting algorithm. Attributes: source address, destination address, source port number, destination port number, packet length.

Speaker notes: We also tested the anomaly detecting algorithm. This test uses a modified Libcap, which gathers packet attributes, and NetFlow, which gathers flow attributes. The monitoring data is saved to the attribute DB, and we analyze the attribute DB data by applying the detecting algorithm.

Anomaly Detector Testing (DDoS): About Packet Attributes

Speaker notes: These are the analysis results using the detecting algorithm. The left figure is the result of computing the entropy of the source address; this process corresponds to elementary classification. The X axis is the packet number and the Y axis is the entropy value. This process detects the 10,000 packets sent by TFN2K; in this case we can detect the DDoS attack by setting the threshold value to 8.5. The second figure is the result of analyzing the packet length of the packets detected as suspicious by elementary classification. In this process we decrease the packet sampling size to analyze with higher accuracy. In this result there are three places where the value is more than 1000; these are normal packets that are falsely detected. We also measured the degree of distribution of normal packets relative to attack packets.

Anomaly Detector Testing (DDoS)

Speaker notes: This slide shows the result of performing the chi-square test on the destination address and source port number. We can divide packets into normal packets and attack packets using the destination address, but if we use the source port number we cannot classify them, so in this test the source port number is not a valid attribute. (Slide caption: in this case, packet length is not a valid attribute.)

Anomaly Detector Testing (DDoS): About Flow Attributes

Speaker notes: These are the test results using flow attributes, to find out whether NetFlow can be used as the monitoring tool. As you see, these figures are similar to the analysis of packet attributes, but the overall values of the entropy and chi-square test are a little lower, so the threshold value needs to be set lower. Therefore the detecting algorithm can be applied to both packet and flow attributes.

Anomaly Detector Testing (DDoS)

Slide text: need to set the threshold value lower.

Conclusion

The signature detector detects well-known attacks. The anomaly detector detects DDoS attacks that cannot be detected by the signature detector. The security system will improve KOREN's security.

Speaker notes: The security system uses a signature IDS and an anomaly IDS. The signature IDS can detect attacks with well-known patterns, and the anomaly IDS detects DDoS flooding attacks that cannot be detected by Snort. If we can construct a system which controls traffic automatically, without administrator intervention, using the signatures created by the IDSs, it may improve the security of KOREN.

Future Works

Monitor malicious traffic using the signature detector; design the filtering manager; implement the detecting module.

Speaker notes: We will continually monitor and analyze malicious traffic using the signature detector, and we plan to design the filtering manager and implement the detecting module.