
Universität Tübingen
Computer Networks and Internet

Distributed Measurements for Attack Detection

Prof. Dr. Georg Carle
Chair for Computer Networks and Internet, University of Tübingen, Germany
carle@informatik.uni-tuebingen.de
http://net.informatik.uni-tuebingen.de

Joint work with Falko Dressler and Gerhard Münz in the context of the IST FP6 project DIADEM Firewall


Outline

  • Introduction
  • DDoS Scenario
  • Challenge of Attack Detection and Prevention
  • Distributed Attack Detection and Defense
  • Conclusions
  • Future Work

DDoS Scenario – Location of Attack Detection and Defense

  • Close to the victim: detection simpler, defense more difficult
  • Close to the attacker: detection difficult, defense easier
  • Within the network: difficulty of detection? difficulty of defense? => DDoS defense service?

(Figure: attack traffic flowing from the attacker through the network to the victim.)


Distributed Attack Detection Scenario

(Figure: network monitors (M) and detection systems (DS) placed in the network between attacker and victim. Monitors deliver measurement data to detection systems; detection systems exchange information among each other.)


Attack Detection Methods

Knowledge-based Detection

Search for known attack characteristics

  • Known packet sequences
  • Known bit sequences in packets
  • Known errors

Disadvantage: not suitable to detect new types of attacks

Anomaly detection

Search for deviation from regular behaviour

  • Statistical tests
  • Data analysis (analysis of standard deviation, cluster analysis,...)
  • Pseudo tests (with unspecifiable error range)
  • Methods from pattern recognition (neural networks, Bayes networks,...)

Disadvantage: high probability of false positives and false negatives

Defense Initiation

(Figure: the detection system (DS) sends a notification to the response system (RS); the response system configures the filters/firewalls (F) in the network.)


Challenge of Attack Detection

Characteristics of DDoS Attacks

  • Synchronisation of senders: communication among attackers
  • Individual senders send traffic that is not identifiable as an attack by itself
  • Aggregation makes the attack effective and detectable
  • Forged addresses, masquerading etc. make detection of attackers difficult

Challenges

  • Control traffic among attackers frequently remains undetected
  • Detection requires detecting aggregates
  • Similarity of legitimate traffic and attack traffic
  • Identifying attackers is difficult and requires trace-back, possibly across domains
  • Scalability to high speeds

Taxonomy of Detection Systems

3 types of distributed detection systems:

(1) Distributed detection system with autonomous subsystems: autonomous subsystems 1, 2 and 3 each report alerts to a centralized database
(2) Distributed detection system with cooperative autonomous subsystems: cooperative subsystems 1, 2 and 3 report alerts to a centralized database and additionally exchange cooperative information among each other
(3) Distributed detection system with interdependent subsystems: detection subsystems 1, 2 and 3 report alerts to a control subsystem, which in turn controls the detection subsystems


Existing Distributed Attack Detection Systems

EMERALD, Stanford Research Institute (SRI), 1997

  • Distributed detection and response system
  • Primarily conceived to detect host-based intrusions
  • Employs interdependent monitors on multiple hierarchical levels

Prelude IDS, open-source project, since 1998

  • Three functional components: sensors, managers, countermeasure agents
  • Supports various types of sensors (host-based and network-based)

D-WARD, Peter Reiher/Jelena Mirkovic, UCLA, 2002

  • System of independent subsystems
  • Each subsystem controls traffic originating from a source-end network

COSSACK, Christos Papadopoulos, ISI, 2003

  • Uses so-called watchdogs located at edge networks to detect and trace ongoing attacks


Overview of Distributed Detection Systems

System       | Relationship between subsystems | Detection methods                   | Type of detection
EMERALD      | interdependent                  | knowledge-based + anomaly detection | host-based
Prelude IDS  | interdependent                  | knowledge-based detection           | host-based and network-based
D-WARD       | autonomous                      | anomaly detection                   | network-based
COSSACK      | cooperative                     | anomaly detection                   | network-based
CATS         | cooperative                     | knowledge-based + anomaly detection | network-based


Cooperating Autonomous Detection Systems (CATS)

Concept and Benefits

  • Separation of monitoring and detection
  • Utilization of a distributed monitoring environment
  • Deployment of multiple independently working autonomous detection systems
  • Self-X properties of the detection systems: self-configuration, self-maintenance, self-optimisation
  • Improved detection performance through cooperation between multiple detection systems
  • Combination of knowledge-based and anomaly detection techniques using both local and global context information
  • Export of packet data and flow statistics utilizing standardized protocols, e.g. IPFIX and PSAMP


Monitor Architecture

Packet monitoring & sampling

  • Statistical measures: bit rate, packet rate, # of connections, ...
  • gathered per aggregate or single flow

Knowledge-based IDS looking for known signatures and misbehavior

Anomaly detection looking for unusual behavior without any precognition

  • comparing long-time behavior to short-time behavior
  • maintaining different profiles (per destination, aggregate, ...)
  • Potential techniques: statistical tests, neural networks, Bayes networks

(Figure: the monitor exports raw packet data, PSAMP data and NetFlow data to the knowledge-based IDS and to the anomaly detection component; both produce events & characterization.)
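The "long-time versus short-time behavior" comparison with one profile per destination aggregate, as an added example that is not part of the slides or of the CATS project: flow records from one measurement interval are aggregated per destination prefix, a slow and a fast EWMA of the packet rate serve as long-time and short-time profile, and an event is raised when the short-time rate exceeds the baseline by a factor. The EWMA weights, the deviation factor, the volume floor and the flow records are all assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    """Per-destination-aggregate profile: slow EWMA = long-time behaviour,
    fast EWMA = short-time behaviour, both in packets per second."""
    long_rate: Optional[float] = None
    short_rate: Optional[float] = None


class AggregateAnomalyDetector:
    def __init__(self, alpha_long=0.05, alpha_short=0.5, ratio=3.0, min_pps=1000.0):
        self.alpha_long, self.alpha_short = alpha_long, alpha_short  # assumed EWMA weights
        self.ratio, self.min_pps = ratio, min_pps                    # deviation factor, volume floor
        self.profiles = defaultdict(Profile)

    def update(self, flows, interval_seconds):
        """Consume one measurement interval of flow records (dst_aggregate, packets)
        and return (dst, short_rate, long_rate) for every aggregate whose short-time
        rate deviates from its long-time profile."""
        per_dst = defaultdict(int)
        for dst, packets in flows:             # aggregate per destination prefix
            per_dst[dst] += packets
        events = []
        for dst in set(self.profiles) | set(per_dst):
            rate = per_dst.get(dst, 0) / interval_seconds
            p = self.profiles[dst]
            if p.long_rate is None:            # first observation seeds both profiles
                p.long_rate = p.short_rate = rate
                continue
            p.short_rate = (1 - self.alpha_short) * p.short_rate + self.alpha_short * rate
            if p.short_rate >= self.min_pps and p.short_rate > self.ratio * p.long_rate:
                events.append((dst, round(p.short_rate), round(p.long_rate)))
                continue                       # do not let the anomaly train the baseline
            p.long_rate = (1 - self.alpha_long) * p.long_rate + self.alpha_long * rate
        return events


def run_sample():
    """Constructed data: 10 quiet 10-second intervals, then one interval in which
    300 sources each send a normal-looking 200-packet flow to the same /24."""
    det = AggregateAnomalyDetector()
    quiet = [("10.0.0.0/24", 2000), ("10.0.1.0/24", 1500)]
    quiet_events = [e for _ in range(10) for e in det.update(quiet, 10)]
    attack = quiet + [("10.0.0.0/24", 200) for _ in range(300)]
    return quiet_events, det.update(attack, 10)
```

Each attack flow is indistinguishable from a normal flow; only the per-destination aggregate makes the deviation visible, which is the point of the "detection requires detecting aggregates" challenge.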


Interactions of Autonomous Detection Systems

Autonomous detection systems exchange two types of information in order to enable attack detection in global context:

  • Selected monitoring data (sampled packets and flow statistics)
  • Information about suspicious network traffic

Assessment

Criterion                        | CATS | COSSACK | D-WARD | Prelude IDS | EMERALD
Attack detection                 |      |         |        |             |
  Local context                  | yes  | yes     | yes    | yes         | yes
  Global context                 | yes  | yes     | no     | no          | no (host-based)
  Knowledge-based detection      | yes  | no      | no     | yes         | yes
  Anomaly detection              | yes  | yes     | yes    | no          | yes
Autonomous behavior              | yes  | yes     | yes    | no          | no
Distributed intelligence         |      |         |        |             |
  Sep. of monitoring & detection | yes  | no      | no     | no          | no
  Distributed detection          | yes  | no      | no     | partly      | yes


Conclusions

Attack detection and defense is an important application area that benefits from self-organisation.

Cooperating Autonomous Detection Systems (CATS) provides network-based attack detection based on the following main principles:

  • Distributed monitoring and detection
  • Cooperation between autonomous detection systems

Benefits:

  • Scalability by adapting monitoring and detection to the current load
  • Increased detection performance by adding global context information to the detection process
  • Robustness due to self-X properties

Next Steps

  • Implementation of a proof-of-concept prototype in the context of the EU project Diadem Firewall (EU FP6 Project IST-2002-002154)
  • Performance evaluation and comparison with competing systems