Presentation is loading. Please wait.

Presentation is loading. Please wait.

Collaborating Against Common Enemies Sachin Katti Balachander Krishnamurthy and Dina Katabi AT&T Labs-Research & MIT CSAIL.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Collaborating Against Common Enemies Sachin Katti Balachander Krishnamurthy and Dina Katabi AT&T Labs-Research & MIT CSAIL."— Presentation transcript:

1 Collaborating Against Common Enemies Sachin Katti Balachander Krishnamurthy and Dina Katabi AT&T Labs-Research & MIT CSAIL

2 Current Intrusion Detection Network 1 Network 2 Network 3 Network 4 Network 5 Uses Rules  Alerts How about collaborating?

3 Potential reasons for collaboration: Provides global picture of attack Detecting low rate distributed attackers Detecting stepping stones But benefit depends on networks/IDSs seeing Correlated Attacks?

4 Talk Is About Correlated Attacks Define Correlated Attacks: as attacks from the same sources IP on different IDSs/networks

5 Talk Is About Correlated Attacks Define Correlated Attacks: as attacks from the same source IP on different IDSs/networks Correlated Attacks Correlated IDS

6 This Talk 40% of alerts are correlated Correlated attacks within 10min An IDS sees correlated attacks with 8 IDSs (out of 1700), and the group does not change  Collaboration is useful  Realtime  Collaborate with a few IDSs Logs from 1700 IDSs show: Collaboration with correlated IDSs increases detection by 75% and as good as collaborating with all.

7 Dataset # of IDS & Address space Richness Volume #alerts/day/IDS ISP40, Class ARaw40,000 DSHIELD 1657, 5 Class B & 45 Class C Anonymized15,000 University Networks 3, 2 Class B & 1 Class C Anonymized30,000 Full packet headers, unanonymized src/dest addresses Anonymized dest IP; no packet headers or alert type

8 Method Correlation is based on sharing the same source IP –Adding info about attack type and dest port did not matter Correlated IDSs – IDSs for which more than 10% of their attacks are correlated

9 Do IDSs see Correlated Attacks? 20% of attacking IPs are common attackers 40% of the attacks are correlated On average, 1500 correlated attackers/ day/IDS YES, Many

10 Interarrival of Correlated Attacks 10.110100100010000100000 0.4 0.6 0.8 1.0 0.0 0.2 CDF Interarrival time in mins Correlated attacks within a few minutes  Need realtime collaboration! 75% of correlated attacks happen within 10 minutes of each other

11 Size of Correlation Groups For each IDS compute the # of IDSs with which it is correlated 0.4 0.6 0.8 1.0 0.0 0.2 IDS correlation 90% of IDS are correlated with less than 8 IDS (out of 1700) # IDSs in Correlation Group CDF 21416832 IDS correlate within small groups!  Scalable collaboration

12 Do Correlation Groups Change? If an IDS is correlated with 4 other IDS and the group changes by one, the percentage change is 25% 5 01015202530 0.03 0.04 0.05 0.06 0.01 0.02 0.07 0.08 Avg. Change in Correlation Group No. of days Correlation is persistent!  Establish trust out of band Change

13 Why IDS correlate? Is it proximity in IP space?

14 Is Proximity in IP Space the Reason? Compute cross correlation between proximity in IP space and correlated IDS 5010152040253035 -0.5 0 0.5 1.0 Distance in IP space IDS ID Cross Correlation Cross correlation with IP space distance hovers around 0 Attack Correlation is independent of proximity in IP space Complete positive correlation No correlation

15 Why IDS correlate? Is it proximity in IP space? Is it because attackers target sites with similar software and services (e.g., Santy worm) ? More than 60% of attacks in a correlation group target particular service (e.g. SMTP groups, IBM Tivoli, IIS servers)

16 5010152040253035 -0.5 0 0.5 1.0 IDS ID Cross Correlation Is Similarity in Software the Reason? Compute cross correlation between similarity in software & attack correlation Similarity in software is positively correlated Similarity distance Decreasing similarity Decreasing correlation Complete positive correlation No correlation

17 So, what does it mean for Collaborative Intrusion Detection?

18 Issues for IDS collaboration across networks Is it useful? How often should IDS exchange information? How to make it scale? How does an IDS trust its collaborators to protect the privacy of its information and not lie?

19  Collaboration is useful  Realtime  Scale by collaborating with IDS in same correlation group  Check trust out-of band Exploiting Correlation for collaboration 40% of alerts are correlated Correlated attacks within 10min An IDS sees correlated attacks with small correlation groups (8 out of 1700 IDS) The correlation group does not change

20 Correlation Based Collaboration (CBC) Attack Correlation Detector (ACD) for finding correlation groups (e.g., DShield) Since groups persist for months  ACD computation scale It is up to each network to decide whether to collaborate or not

21 Correlation Based Collaboration (CBC) ACD IDS send logs to ACD ACD tells each IDS its correlation group

22 Evaluation of CBC Blacklisting Flag an attacking IP address if # alerts cross a threshold Compare with –Local detection –Collaborating with all IDSs –Random Collaboration - Collaborating with the same sized random subset as the correlation group

23 Evaluation Method IDS queries its collaborators when # alerts from an IP exceeds Querying Threshold IDS blacklists IP if aggregate # alerts exceeds Blacklisting Threshold Thresholds picked to minimize false positives (for ISP dataset)

24 Speed! 0400080001600012000 100 1000 10000 100000 10 0 Detection Time in mins Attacking IP addresses Local Compute time taken to blacklist a source in each scheme

25 Speed! 0400080001600012000 100 1000 10000 100000 10 0 Detection Time in mins Attacking IP addresses Random Local Local detection and random collaboration are almost identical Compute time taken to blacklist a source in each scheme

26 Speed! 0400080001600012000 100 1000 10000 100000 10 0 Detection Time in mins Attacking IP addresses All IDS Random Local Compute time taken to blacklist a source in each scheme 800 mins 150 mins

27 Speed! 0400080001600012000 100 1000 10000 100000 0 Detection Time in mins Attacking IP addresses All IDS CBC Random Local CBC speeds up detection for 75% of the studied sources No difference for fast attackers CBC performs almost as well as collaborating with all IDS Compute time taken to blacklist a source in each scheme 10

28 Significant Reduction in Alert Volume CBC Local Detection RandomAll IDSs Alert Reduction 73.44%35.48%37.77%80.56% CBC halves the volume of the alert logs a network administrator has to examine!

29 Low Overhead CBC Local Detection RandomAll IDSs Alert Reduction 73.44%35.48%37.77%80.56% Overhead (query/min) 1.3- 454.9 CBC requires orders of magnitude less querying overhead for the same benefits!

30 Conclusions 40% of alerts are correlated Correlated attacks within 10min An IDS sees correlated attacks with small correlation groups (8 out of 1700 IDS) The correlation group does not change  Collaboration is useful  Realtime  Scale by collaborating with IDS in same correlation group  Check trust out-of band CBC exploits the above; is as good as collaborating with all but with 0.3% of the overhead.

31 Is the structure due to random scans? Simulate random scans by attackers and measure the difference in entropies of the distributions of correlated IDS 546789 0.4 0.6 0.8 1.0 0.0 0.2 CDF Difference in bits Empirical distribution has 7.2 bits less entropy than the one generated by random scanning The sets of correlated IDS in the dataset are not random; they are generated by targeted attacks Difference in Entropy

32 False Negatives CBC Local Detection RandomAll IDSs Alert Reduction 73.44%35.48%37.77%80.56% Overhead (query/min) 1.3- 454.9 False negatives 5.02%38.65%36.69%0 CBC misclassifies very few source IP addresses relative to All IDS Compute the no. of source IP addresses missed by each scheme relative to All IDS

Download ppt "Collaborating Against Common Enemies Sachin Katti Balachander Krishnamurthy and Dina Katabi AT&T Labs-Research & MIT CSAIL."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Protecting Cyber-TA Contributors: Risks and Challenges Vitaly Shmatikov The University of Texas at Austin.

Protecting Cyber-TA Contributors: Risks and Challenges Vitaly Shmatikov The University of Texas at Austin.
Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.

Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.

Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.
Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.

Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Internet Intrusions: Global Characteristics and Prevalence Presented By: Zhichun Li Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS 2003.

Internet Intrusions: Global Characteristics and Prevalence Presented By: Zhichun Li Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS 2003.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
CS-495 Advanced Networking J. Scott Miller, Spring 2005 Against Internet Intrusions (paper)

CS-495 Advanced Networking J. Scott Miller, Spring 2005 Against Internet Intrusions (paper)
Internet Intrusions: Global Characteristics and Prevalence Presented By: Elliot Parsons Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS.

Internet Intrusions: Global Characteristics and Prevalence Presented By: Elliot Parsons Using slides from Vinod Yegneswaran’s presentation at SIGMETRICS.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
On the Constancy of Internet Path Properties Yin Zhang, Nick Duffield AT&T Labs Vern Paxson, Scott Shenker ACIRI Internet Measurement Workshop 2001 Presented.

On the Constancy of Internet Path Properties Yin Zhang, Nick Duffield AT&T Labs Vern Paxson, Scott Shenker ACIRI Internet Measurement Workshop 2001 Presented.
Defense Questions # of correlated attacks: under-estimated or over-estimated? Conservative estimation –Average across all the three dataset? Dataset w/

Defense Questions # of correlated attacks: under-estimated or over-estimated? Conservative estimation –Average across all the three dataset? Dataset w/
Distributed Cluster Repair for OceanStore Irena Nadjakova and Arindam Chakrabarti Acknowledgements: Hakim Weatherspoon John Kubiatowicz.

Distributed Cluster Repair for OceanStore Irena Nadjakova and Arindam Chakrabarti Acknowledgements: Hakim Weatherspoon John Kubiatowicz.
Cumulative Violation For any window size  t  Communication-Efficient Tracking for Distributed Cumulative Triggers Ling Huang* Minos Garofalakis.

Cumulative Violation For any window size  t  Communication-Efficient Tracking for Distributed Cumulative Triggers Ling Huang* Minos Garofalakis.
Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.

Worm Defense. Outline  Internet Quarantine: Requirements for Containing Self-Propagating Code  Netbait: a Distributed Worm Detection Service  Midgard.
DIDS part II The Return of dIDS 2/12 CIS 610. 2 GrIDS Graph based intrusion detection system for large networks. Analyzes network activity on networks.

DIDS part II The Return of dIDS 2/12 CIS GrIDS Graph based intrusion detection system for large networks. Analyzes network activity on networks.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

Similar presentations

Ads by Google