measurement for cooperative network defense demons and
play

Measurement for Cooperative Network Defense: DEMONS and BlockMon - PowerPoint PPT Presentation

Apr 22, 2023 •30 likes •220 views

Measurement for Cooperative Network Defense: DEMONS and BlockMon Brian Trammell Communication Systems Group, ETH Zrich Flocon 2012, January 11, Austin, Texas USA The problem The attack landscape has become more complex and cooperative.

  1. Measurement for Cooperative Network Defense: DEMONS and BlockMon Brian Trammell Communication Systems Group, ETH Zürich Flocon 2012, January 11, Austin, Texas USA

  2. The problem • The attack landscape has become more complex and cooperative. – Botnets, XSS, APT, *(scary_buzzword_ary++) • Network defense remains largely isolated. – Siloed within single administrative domains •  Tools and processes for defense must become more cooperative than (implicit) processes for attack. January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 2

  3. Centralization of Traffic Data • Passive measurement collects enormous amounts of data. – "Congratulations, you just pointed a ten gig firehose at yourself" • (Almost) all of it is simultaneously – quite sensitive, – and completely uninteresting. January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 3

  4. Sharing Traffic Data • Cooperative incident handling requires sharing of data across domains. • Data sharing is fraught with peril. – Legal, regulatory, and business-sensitivity restrictions on data protection and disclosure – Anonymization not a solution to the problem • Pattern injection on Internet traffic practically undetectable [1]; partial offline reversal of anonymization possible. [1] Burkhart et al., "The Role of Network Trace Anonymization Under Attack", ACM Computer Communications Review, vol. 40 no. 1, January 2010 January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 4

  5. Cooperative Network Defense DEMONS January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 5

  6. The DEMONS Approach Centralized DEMONS January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 6

  7. DEMONS: The Project • EC-funded, FP7 ICT IP, Sep 2010–Mar 2013 • Goal: Enable cooperative detection and mitigation of incidents effecting network stability and security. • Consortium of 13 in 9 countries, includes three network operators (Telefónica, FT, TP) January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 7

  8. The DEMONS approach: decentralization • Move processing to the edge • Support iterative analysis on live traffic using programmable edge devices. • Emphasize stream processing over retrospective analysis, use existing processes for forensics. • Data reduction on the measurement device improves scalability and reduces sensitivity of collected data. • Integration with existing mitigation processes. January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 8

  9. The DEMONS approach: sharing • Share analysis, not data Analyses built by composition • of well-defined processing modules Inspection of intermediate • results before export Application of secure • multiparty computation schemes, where appropriate Realism about technical • limitations of data protection January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 9

  10. DEMONS Components and Interfaces • Measurement layer nodes provide capture and analysis. • Interdomain exchange point (IXP) provides "sharing" interfaces to external domains. • Mitigation control point (MCP) provides interface to existing processes. – Additional research within the project WRT policy-driven pseudo-automatic mitigation, MPLS-based quarantining January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 10

  11. Composable Network Measurement BLOCKMON January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 11

  12. Introducing BlockMon: Goals • Composable measurement using small blocks – Increases parallelizability, measurement performance on multicore hardware – Code reuse for measurement development • Platform for understanding composable measurement application development • Enable code and analysis interchange in the form of compositions of modules from a standard, trusted base January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 12

  13. BlockMon • Compositions of blocks exchange messages connected via gates. • Blocks are implemented in C++, framework and scheduling in C++, focus on performance • XML-based composition schema • Python-based CLI and JSON-RPC daemon January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 13

  14. BlockMon: out-of-box experience • Core messages, bridged to IPFIX – Packet, with lazy parsing & cache-aware allocation – Flow, allows use of BlockMon as a streaming flow analysis tool – Message base class allows tagging for adding features or annotations to a message in flight • Source, exporter, simple counter blocks • Current work on taxonomy of blocks – filters, metrics, features, correlations, feedback January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 14

  15. BlockMon: How fast is fast? Synthetic traffic (10Gbps) Trace replay (6Gbps peak) 10000 1 9000 0.9 8000 0.8 7000 Proportion of packets received 0.7 Data Rate Kbps 6000 0.6 5000 4000 0.5 3000 0.4 2000 0.3 1000 0.2 0 0 500 1000 1500 0.1 Packet Size 0 BlockMon YAF Click CoMo BlockMon YAF Click CoMo January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 15

  16. Case Study: VoIPSTREAM Abuse Detection January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 16

  17. Play Along at Home • BlockMon to be released as open-source software, BSD licensed. • Development of the core presently very active • Find me this week or e-mail <trammell@tik.ee.ethz.ch> if you're interested. January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 17

  18. Conclusions • Current attacks require cooperative defense. • Data sharing is fraught with peril. • Move processing to the edge. • Share analysis, not data. • Composable measurement makes it possible. January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 18

  19. Acknowledgments • FP7-DEMONS project – funded by the European Commission • BlockMon Team – NEC Laboratories Europe – CNIT (Consorzio Nationale Interuniversitario per le Telecomunicazioni) January 11, 2012 DEMONS/BlockMon - Flocon 2012 Austin 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Spirits Spirits in in the the Mater Material Wo World: Demons Demons and and Theophani

Spirits Spirits in in the the Mater Material Wo World: Demons Demons and and Theophani

Spirits Spirits in in the the Mater Material Wo World: Demons Demons and and Theophani Theophanies es in the in the Me Medica cal Clin Clinic ic W. Curt LaFrance Jr., MD, MPH Director, Neuropsychiatry and Behavioral Neurology, Rhode Island

721 views • 10 slides
Community Oriented Network Measurement March 30, 2005 Welcome Internet Measurement

Community Oriented Network Measurement March 30, 2005 Welcome Internet Measurement

Community Oriented Network Measurement March 30, 2005 Welcome Internet Measurement Kleinrock and Naylor, 1974: Original ARPANET had built-in abilities to: Trace a single packets passage through the network Obtain

475 views • 28 slides
Full Spectrum Computer Network (Active) Defense Black hat USA 2013 Agenda Disclaimer

Full Spectrum Computer Network (Active) Defense Black hat USA 2013 Agenda Disclaimer

Legal Aspects of Full Spectrum Computer Network (Active) Defense Black hat USA 2013 Agenda Disclaimer Errata Self Defense in Physical World Applying Self Defense to Computer Network Defense Technology Pen Testing/Red

1.17k views • 82 slides
Cooperative Web Caching Cooperative Web Caching Cooperative Caching Cooperative Caching

Cooperative Web Caching Cooperative Web Caching Cooperative Caching Cooperative Caching

Cooperative Web Caching Cooperative Web Caching Cooperative Caching Cooperative Caching Previous work has shown that hit rate increases with population size [Duska et al. 97, Breslau et al. 98] However, single proxy caches have practical limits

868 views • 53 slides
Bro: The Network Defense Framework Comprehensive Visibility &amp; Defense for Every Corner of

Bro: The Network Defense Framework Comprehensive Visibility &amp; Defense for Every Corner of

Bro: The Network Defense Framework Comprehensive Visibility &amp; Defense for Every Corner of Your Network Robin Sommer International Computer Science Institute, &amp; Broala, Inc. robin@icsi.berkeley.edu robin@broala.com

422 views • 40 slides
non-cooperative active measurement Rocky K. C. Chang (with Ricky Mok, Weichao Li, and Star Poon)

non-cooperative active measurement Rocky K. C. Chang (with Ricky Mok, Weichao Li, and Star Poon)

Improving the accuracy of non-cooperative active measurement Rocky K. C. Chang (with Ricky Mok, Weichao Li, and Star Poon) Department of Computing The Hong Kong Polytechnic University AIMS 2015 1 Our recent works &quot;On the Accuracy

643 views • 32 slides
Condor and Cooperative Linux Honors College Undergraduate Thesis Defense Marc Nol December

Condor and Cooperative Linux Honors College Undergraduate Thesis Defense Marc Nol December

Condor and Cooperative Linux Honors College Undergraduate Thesis Defense Marc Nol December 2006 Motives Total LSU HPC Capacity SuperMike 6.267 TFLOPS SuperHelix 1.024 TFLOPS Plican 0.851 TFLOPS Nemeaux 0.256 TFLOPS Santaka 0.192

443 views • 16 slides
Cooperative Choice Cooperative and non-cooperative motives and their consequences via Mark

Cooperative Choice Cooperative and non-cooperative motives and their consequences via Mark

Cooperative Choice Cooperative and non-cooperative motives and their consequences via Mark L oczy Livia.Markoczy@ucr.edu Gary A. Anderson Graduate School of Management University of California, Riverside Cooperative Choice p.1/26

413 views • 26 slides
PacketLab: A Universal Network Measurement Platform Kirill Levchenko with Amogh Dhamdhere,

PacketLab: A Universal Network Measurement Platform Kirill Levchenko with Amogh Dhamdhere,

PacketLab: A Universal Network Measurement Platform Kirill Levchenko with Amogh Dhamdhere, Bradley Huffaker, Nicholas Weaver, Vern Paxson Edge Measurement Active measurement from end hosts where vantage point is an experimental factor

719 views • 28 slides
Measurement of Cosmic Ray Proton + Helium Flux with the DAMPE Experiment PhD thesis defense Gran

Measurement of Cosmic Ray Proton + Helium Flux with the DAMPE Experiment PhD thesis defense Gran

Measurement of Cosmic Ray Proton + Helium Flux with the DAMPE Experiment PhD thesis defense Gran Sasso Science Institute 23/04/2020 Candidate Zhaomin Wang Supervisor Prof. Ivan De Mitri CONTENTS 05 01 Summary Introduction 04 02

1.19k views • 97 slides
On Using Symbiotic Relationship to Repel Network Flooding Defense

On Using Symbiotic Relationship to Repel Network Flooding Defense

On Using Symbiotic Relationship to Repel Network Flooding Defense draft-haddad-mipshop-netflood-defense-00 What is a Symbiotic Relationship (SR)? An SR is a unidirectional cryptographic relation between two nodes or between one

377 views • 6 slides
Cooperative Multicast Scheduling with Random Network Coding in WiMAX Jin Jin, Baochun Li,

Cooperative Multicast Scheduling with Random Network Coding in WiMAX Jin Jin, Baochun Li,

Cooperative Multicast Scheduling with Random Network Coding in WiMAX Jin Jin, Baochun Li, Department of Electrical Computer Engineering University of Toronto WiMAX MBS IWQoS 2009: Cooperative Multicast Scheduling with Random Network Coding in

856 views • 53 slides
Network Measurement Carey Williamson Department of Computer Science University of Calgary

Network Measurement Carey Williamson Department of Computer Science University of Calgary

CPSC 641: Network Measurement Carey Williamson Department of Computer Science University of Calgary Network Traffic Measurement A focus of networking research for 30+ years Collect data or packet traces showing packet activity on the

462 views • 25 slides
Hands-On Ethical Hacking and Network Defense Second Edition - Chapter 3 Network and Computer

Hands-On Ethical Hacking and Network Defense Second Edition - Chapter 3 Network and Computer

Hands-On Ethical Hacking and Network Defense Second Edition - Chapter 3 Network and Computer Attacks Objectives After reading this chapter and completing the exercises , you will be able to: Describe the different types of malicious

84 views • 7 slides
Cooperative Broadcast for Cooperative Broadcast for Maximum Network Lifetime Maximum Network

Cooperative Broadcast for Cooperative Broadcast for Maximum Network Lifetime Maximum Network

Cooperative Broadcast for Cooperative Broadcast for Maximum Network Lifetime Maximum Network Lifetime Ivana Maric and Roy Yates Ivana Maric and Roy Yates Wireless Multihop Multihop Network Broadcast Network Broadcast Wireless N nodes

444 views • 28 slides
Tra ffi c anomaly detection using a distributed measurement network Razvan Oprea Supervisor:

Tra ffi c anomaly detection using a distributed measurement network Razvan Oprea Supervisor:

Tra ffi c anomaly detection using a distributed measurement network Razvan Oprea Supervisor: Emile Aben (RIPE NCC) System and Network Engineering February 8, 2012 Razvan Oprea Tra ffi c anomaly detection - distributed measurement network

698 views • 20 slides
Introduction to Community Wealth Buildingand a quick guide on possible careers Steve Dubb

Introduction to Community Wealth Buildingand a quick guide on possible careers Steve Dubb

Introduction to Community Wealth Buildingand a quick guide on possible careers Steve Dubb The Democracy Collaborative, steve@democracycollaborative.org www.community-wealth.org NASCO Institute Ann Arbor, Michigan November 9, 2014 The

504 views • 16 slides
Minimizing Energy Consumption for Cooperative Network and Diversity Coded Sensor Networks WTS

Minimizing Energy Consumption for Cooperative Network and Diversity Coded Sensor Networks WTS

Minimizing Energy Consumption for Cooperative Network and Diversity Coded Sensor Networks WTS 2014 April 9-11, 2014 Washington, DC Gabriel E. Arrobo and Richard D. Gitlin Department of Electrical Engineering University of South Florida,

347 views • 23 slides
Decentralized Cooperative Networking PI: Leonard J. Cimini, Jr. (Univ. of Delaware) Res. Assts.:

Decentralized Cooperative Networking PI: Leonard J. Cimini, Jr. (Univ. of Delaware) Res. Assts.:

Decentralized Cooperative Networking PI: Leonard J. Cimini, Jr. (Univ. of Delaware) Res. Assts.: H. Feng, Y. Xiao Post-Doc: H. Wang Collaborator: C.-C. Shen, Delaware J. Walsh and S.Weber, Drexel S. Sarkar, Penn J. Garcia-Frias, Delaware

645 views • 23 slides
Community Supported Agriculture An overview of the use of Community Finance in CSA in England

Community Supported Agriculture An overview of the use of Community Finance in CSA in England

Community Supported Agriculture An overview of the use of Community Finance in CSA in England Mark Simmonds Co-op Culture Co-op Culture mark@culture.coop Financing CSAs Prepayment model is useful Land is expensive to buy Grants

536 views • 12 slides
Integrating Oceans into the Landscape Conservation Cooperative Network lccnetwork.org Legacy of

Integrating Oceans into the Landscape Conservation Cooperative Network lccnetwork.org Legacy of

Integrating Oceans into the Landscape Conservation Cooperative Network lccnetwork.org Legacy of Success The conservation community has successfully responded to major conservation challenges in the past: Overfishing Environmental

634 views • 38 slides
Evaluation Process Evaluation Process and Findings and Findings Program Activities 300

Evaluation Process Evaluation Process and Findings and Findings Program Activities 300

Evaluation Process Evaluation Process and Findings and Findings Program Activities 300 briefings and presentations 10,000 people 400 workshops 12,000 people 175 service trips 3,000 people Program Evaluation 9 Evaluate effectiveness

460 views • 32 slides
Outline Introduction Full-duplex system Cooperative system Cooperative full-duplex

Outline Introduction Full-duplex system Cooperative system Cooperative full-duplex

Cooperative versus Full-Duplex Communication in Cellular Networks : A Comparison of the Total Degrees of Freedom Amr El-Keyi and Halim Yanikomeroglu Outline Introduction Full-duplex system Cooperative system Cooperative full-duplex

306 views • 17 slides
NASEO 2018 Western Region Meeting Rural Energy Affordability, Efficiency, and Economic

NASEO 2018 Western Region Meeting Rural Energy Affordability, Efficiency, and Economic

NASEO 2018 Western Region Meeting Rural Energy Affordability, Efficiency, and Economic Development Michael Leitman Strategic Analyst NRECA Business and Technology Strategies michael.leitman@nreca.coop Co-ops in NASEO Western Region 6

285 views • 13 slides

More recommend