Presentation is loading. Please wait.

Presentation is loading. Please wait.

2018/5/8 An approach for detecting encrypted insider attacks on OpenFlow SDN Networks Author: Charles V. Neu , Avelino F. Zorzox , Alex M. S. Orozcoy and.

Published byMarshall Sherman Modified over 6 years ago

Similar presentations

Presentation on theme: "2018/5/8 An approach for detecting encrypted insider attacks on OpenFlow SDN Networks Author: Charles V. Neu , Avelino F. Zorzox , Alex M. S. Orozcoy and."— Presentation transcript:

1 2018/5/8 An approach for detecting encrypted insider attacks on OpenFlow SDN Networks Author: Charles V. Neu , Avelino F. Zorzox , Alex M. S. Orozcoy and Regio A. Michelin Presenter: Yi-Hsien Wu Conference: The 11th International Conference for Internet Technology and Secured Transactions (ICITST-2016) Date: 2017/2/22 Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C. CSIE CIAL Lab 1

2 Outline Introduction Related Work Proposed Approach
Architecture and Evaluation Conclusion National Cheng Kung University CSIE Computer & Internet Architecture Lab

3 2018/5/8 Introduction IDS : Intrusion Detection Systems are used to monitor, identify, register and report systems and/or networks managers when some suspect activity is detected. Those systems analyze packet information on the network to define if they could be malicious or not. Insider attack : Also called Insider threats , may have authorized system access and may also know the network architecture and system policies and procedures, which give them an advantage over external attackers. Those attacks could be used, for example, to steal sensitive data or to damage a company’s image. Moreover, an insider may also be able to compromise system availability by overloading computer resources, like network, storage or processing capacity, performing, for example, Denial of Service (DoS) attacks , which can lead to system crashes. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

4 Introduction Outsider threats are generally outside the corporation (rivals, enemies or criminals) and they have limited opportunity to carry out their attacks. Outside attackers can only gain access by exploiting gaps or weaknesses in protection systems. Insider threats have privileged access that enables them to cause serious consequences, compared to outsiders. Normally, the access that enables insider attackers to cause so much damage is also essential to enable them to do their propose. National Cheng Kung University CSIE Computer & Internet Architecture Lab

5 2018/5/8 Introduction On way to reduce the chance for either internal or external attacks, would be to provide communication using cryptography. When using cryptography, even if an attacker is able to capture network packets, if the data is transmitted using cryptography, its reading will be hampered or not even possible. Although cryptography reduces overall chances of successful attacks, an attacker could also use cryptography in order to mask an attack. As a consequence, usually this ciphered attack will bypass the protection systems, since traditional IDS do not analyze ciphered packets. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

6 2018/5/8 Introduction Intrusion Detection System (IDS) usually use two main detection approaches : Signature-based: Using this approach, an IDS uses a database with information about known attacks. To identify an intrusion attempt, the content of each packet is analyzed, by searching for a set of characters that identifies the attack. This set of characters is called Attack Signature. Anomaly-based: An IDS is able to identify an attack when some behavior is different from any pattern considered normal, for example, some application performing an attempt of unauthorized access to a system resource. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

7 2018/5/8 Introduction An SDN signature-based IDS typically cannot analyze encrypted packets, because they need to analyze the payload data that is encrypted. However, anomaly-based IDS may be applied, using three main approaches: 1. Protocol-based analysis : this approach searches deviations from the packets in each state of the protocol. However, since this type of approach only analyses whether the protocol is being applied in a proper way, it is not possible to detect attacks that are being performed at the application layer. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

8 Introduction 2. Modification-based: This approach consists on changing the encryption protocol and infrastructure to detect attacks in encrypted data on the network. Basically, the key (password) to encrypt and decrypt the data is distributed to the IDS. With this secret, the IDS can decipher the package payload and analyze it. However, this technique can turn the network vulnerable and the privacy principle may be broken and it also consumes lots of processing power. 3. Based on statistical analysis : It uses statistical analysis of observable parameters on encrypted data traffic. Some information, like source and destination IP address, besides the used ports, the header fields and payload size are analyzed. National Cheng Kung University CSIE Computer & Internet Architecture Lab

9 Related Work Attacks Detection in SDNs
2018/5/8 Related Work Attacks Detection in SDNs In recent studies, there are a few proposals to use SDN's capabilities for intrusion detection mechanism. The four sample solutions are shown in Table 1. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

10 Related Work National Cheng Kung University CSIE Computer & Internet Architecture Lab

11 2018/5/8 Proposed Approach A Controller can request some statistical information to an OpenFlow switch. Specific messages, called Read_State. It can be used to collect statistics from the switch flow tables, ports and individual entries for each flow. Table 1 shows the statistical information that an SDN Controller can request to an OpenFlow switch. In this way, those data can be used as a data source for intrusion detection methods. For detection, our proposed IDS uses some OpenFlow provided statistic features like average bytes per flow, average packets per flow, grow of single flows, grow of different ports, percent of pair-flow and average of flow duration. Besides, destination and source IP address and port numbers of transport layer will be used in order to match traffic flows. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

12 Proposed Approach National Cheng Kung University CSIE Computer & Internet Architecture Lab

13 2018/5/8 Proposed Approach Initially, it is necessary to identify encrypted flows, which are under TLS connections. On IPv6 connections, the OpenFlow protocol defines that encrypted payloads have an extension header with the flag OFPIEH_ESP set to 1. By default , TLS connections are done trough the port Then the OpenFlow switch sends the flows to the Controller. After this, the flow may be sent to the flow information logger in order to extract the features using the new flow, stores the flow information, and sends the features to our proposed statistical-based IDS. This IDS performs anomaly detection to verify if the flow has normal or malicious behavior. The presented approach is based on the flows classification using statistical features from the transport layer level. Hence, it is possible to identify a specific connection representing the unauthorized action that may characterize a malicious activity flow from an insider. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

14 Architecture and Evaluation
2018/5/8 Architecture and Evaluation Setup : This testbed will be based on a Mininet [32] architecture , and use the controller of OpenDayLight. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

15 Architecture and Evaluation
2018/5/8 Architecture and Evaluation Initially, a traffic-generator is used to inject normal and encrypted flows. Besides, some insider attacks will be injected as well. These insider attacks will also be encrypted. Therefore, four types of flows will be produced by our traffic-generator. In the next step, a method to identify encrypted flows is applied. This is an important step because our approach is intended only to identify encrypted insider attacks. After that, a statistical information collector is used to get important information about the flows (from Table I). Finally, our proposed IDS is used to perform insider intrusion detection on the encrypted flows based on the collected statistics. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

16 Architecture and Evaluation
2018/5/8 Architecture and Evaluation National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

17 2018/5/8 Conclusion Since current IDS do not detect attacks on encrypted data, the development of a new IDS is necessary. This paper presented an approach to identify encrypted insider attacks on SDN OpenFlow networks. This method is based only on statistical information requested by an SDN OpenDaylight Controller to the OpenFlow switches. This strategy will provide a lightweight IDS. As a future work, we will implement this method on a real SDN environment, creating a new IDS as described on this paper. 近期因為ruleset size快速成長,因此ruleset複雜度造成一般封包分類方法memory表現很差 Swintop是一種將ruleset去分類的方式 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

Download ppt "2018/5/8 An approach for detecting encrypted insider attacks on OpenFlow SDN Networks Author: Charles V. Neu , Avelino F. Zorzox , Alex M. S. Orozcoy and."

Similar presentations

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
Two stage packet classification using most specific filter matching and transport level sharing Authors: M.E. Kounavis *,A. Kumar,R. Yavatkar,H. Vin Presenter:

Two stage packet classification using most specific filter matching and transport level sharing Authors: M.E. Kounavis *,A. Kumar,R. Yavatkar,H. Vin Presenter:
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Department Of Computer Engineering

Department Of Computer Engineering
OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.

OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.
Intrusion Detection for Grid and Cloud Computing Author Kleber Vieira, Alexandre Schulter, Carlos Becker Westphall, and Carla Merkle Westphall Federal.

Intrusion Detection for Grid and Cloud Computing Author Kleber Vieira, Alexandre Schulter, Carlos Becker Westphall, and Carla Merkle Westphall Federal.
CINBAD CERN/HP ProCurve Joint Project on Networking 26 May 2009 Ryszard Erazm Jurga - CERN Milosz Marian Hulboj - CERN.

CINBAD CERN/HP ProCurve Joint Project on Networking 26 May 2009 Ryszard Erazm Jurga - CERN Milosz Marian Hulboj - CERN.
StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:

StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Author: Xiaofei Wang, Junchen Jiang, Yi Tang, Bin Liu, and Xiaojun Wang Publisher:
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) Sriram Gopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) Sriram Gopinath( )
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.

IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
Memory-Efficient Regular Expression Search Using State Merging Author: Michela Becchi, Srihari Cadambi Publisher: INFOCOM 2007. 26th IEEE International.

Memory-Efficient Regular Expression Search Using State Merging Author: Michela Becchi, Srihari Cadambi Publisher: INFOCOM th IEEE International.
Intrusion Detection Systems. 1980-Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.

Intrusion Detection Systems Paper written detailing importance of audit data in detecting misuse + user behavior 1984-SRI int’l develop method of.
Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.

Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.
Early Detection of DDoS Attacks against SDN Controllers

Early Detection of DDoS Attacks against SDN Controllers
I NTRUSION P REVENTION S YSTEM (IPS). O UTLINE Introduction Objectives IPS’s Detection methods Classifications IPS vs. IDS IPS vs. Firewall.

I NTRUSION P REVENTION S YSTEM (IPS). O UTLINE Introduction Objectives IPS’s Detection methods Classifications IPS vs. IDS IPS vs. Firewall.
Updating Designed for Fast IP Lookup Author : Natasa Maksic, Zoran Chicha and Aleksandra Smiljani´c Conference: IEEE High Performance Switching and Routing.

Updating Designed for Fast IP Lookup Author : Natasa Maksic, Zoran Chicha and Aleksandra Smiljani´c Conference: IEEE High Performance Switching and Routing.

Similar presentations

Ads by Google