the dynamics and control of internet attacks
play

The Dynamics and Control of Internet Attacks James G. Garnett Liz - PowerPoint PPT Presentation

Sep 23, 2022 •8 likes •358 views

The Dynamics and Control of Internet Attacks James G. Garnett Liz Bradley University of Colorado Department of Computer Science (JGG now at Secure64) 1 Internet fundamentals, part I Design assumes that users are good citizens and that

  1. The Dynamics and Control of Internet Attacks James G. Garnett Liz Bradley University of Colorado Department of Computer Science (JGG now at Secure64) 1

  2. Internet fundamentals, part I • Design assumes that users are good citizens and that hosts don’t move around • No screening, address verification, … • Source of many current woes 2

  3. “Malware” • popups • spam • worms, viruses • botnets • spoofing • sniffers • direct attacks • denial-of-service (DoS) attacks • … 3

  4. Solutions • popups: good browser design & hygiene • spam: spam filters • worms, viruses: anti-virus software • botnets: anti-virus software • spoofing: authentication • sniffers: cryptography, anti-virus software • direct attacks: firewalls • denial-of-service (DoS) attacks: this talk 4

  5. Internet fundamentals, part II: • Design assumes that data can get lost • So retransmission is built into its protocols • Which means that it’s OK to drop resource requests • The trick is to drop as few of them as possible to keep the resource unclogged. 5

  6. Internet fundamentals, part III: • The “black hats” observe the defenses and adapt • Rapid co-evolution • So any kind of static response won’t work • Have to respond adaptively… 6

  7. • Build an adaptive stochastic model of resource usage • Use a nonlinear model-reference PID controller to screen resource requests 7

  8. What computer systems typically do to handle overload: • Set hard limits (e.g., drop-tail queue mgmt) • Control average demand • Use ad hoc linear proportional closed-loop controllers (at best) 8

  9. The model: Birth/Death Markov chain 1-p-q 1-p-q p p q p 0 1 n-1 n q q • Well known, widely used, and broadly applicable • State ranges from 0 to n • Edges denote possible state transitions • Edges are annotated with transition probabilities 9

  10. Stationary distributions of the BD chain: Key point: can calculate the distribution shape from p and q 10

  11. What if you wanted a different distribution? Key point: can calculate what p and q would give rise to this shape Control strategy: Calculate desired p, q • Estimate actual p, q • 11 Gatekeep on the difference •

  12. Controller architecture: 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 12 Serviced Resource Requests

  13. System under control 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 13 Serviced Resource Requests

  14. Reference distribution: Q(i) 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 14 Serviced Resource Requests

  15. Q(i): The control goal specification 15

  16. Reference distribution: Q(i) 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 16 Serviced Resource Requests

  17. Calculate transition ratios: Q(i+1)/Q(i) 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 17 Serviced Resource Requests

  18. Estimate transition probabilities: Incoming Resource 1.00 – p d /p in Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 18 Serviced Resource Requests

  19. Calculate desired p d and drop resource requests accordingly: 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 19 Serviced Resource Requests

  20. Model-reference feedback control loop: Model 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Controller Filter Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 20 Serviced Resource Requests

  21. What if R( β -1) is incorrect? QoS spec 21

  22. That second feedback loop adjusts it: 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 22 Serviced Resource Requests

  23. Nonlinear transform accelerates convergence: 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 23 Serviced Resource Requests

  24. Denial of Service (DoS) example: Attacker Victim Bystander 1 2 • identical unix machines • 10 Mb/sec networks • NB: single s/w manager in victim handles all incoming traffic 24

  25. Without control: Attacker Victim Bystander 1 2 96.9% packet loss 97.0% packet loss 25

  26. With control: Attacker Victim Bystander 1 2 93.4% loss 0.0% loss 26

  27. Results: • It works. • It converges fairly quickly (1-3 sec in our tests). • It’s lightweight: – Small amount of code (~100 lines of C) – Low computational and memory overhead • |Q| subtracts are primary computational load; runs in µ sec • 128 bytes per controller for state information – Advantages of RED, without RED’s disadvantages (this is the IETF’s standard for congestion control) 27

  28. Half a dozen equations, really… 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 28 Serviced Resource Requests

  29. How you implement this: Resource existing incoming manager requests s/w slots 29

  30. Conclusions: • It works. • It converges fairly quickly (1-3 sec in our tests). • It’s lightweight: – Small amount of code (~100 lines of C) – Low computational and memory overhead • |Q| subtracts are primary computational load; runs in µ sec • 128 bytes per controller for state information – Advantages of RED, without RED’s disadvantages • It’s broadly applicable (any system that can be modeled by a G/G/1 queue) • And it has been already been deployed in practice… 30

  31. Commercialization… • Patent filing (6/26/2004) • Secure64 Wildfire/CE 2 (12/1/2004) • And then shot down. JGG’s thesis proposal was circulated to other students by a committee member, which constituted “prior disclosure” and kills a patent. (You have one year from the first disclosure to file it.) Moral: be careful with your ideas if you’re thinking of patenting them — keep dated, initialed notebooks, don’t share ideas until you’re ready to patent, etc. www.cs.colorado.edu/~lizb/papers/dos.html 31

  32. On the stove: Nonlinear dynamics Nonlinear dynamics • Modeling & control of internet attacks • Nonlinear time-series analysis of computer systems • MEMS-based flow control in jets • Recurrence plots • Computational topology & topology-based filters Artificial intelligence Artificial intelligence • Nonlinear system identification • Radioisotope dating • Movement patterns • Clear-air turbulence forecasting www.cs.colorado.edu/~lizb 32

  33. Collaborators • graduate students: Jenny Abernethy, Matt Easley, James Garnett, John Giardino, Kenny Gruchalla, Joe Iwanski, Zhichun Ma, Ricardo Mantilla, Todd Mytkowicz, Laura Rassbach, Vanessa Robins, Natalie Ross, Reinhard Stolle • postdocs: Tom Peacock (now at MIT) • undergrads: Ellenor Brown, Nate Farrell, Jesse Negretti, John Nord, Alex Renger, Roscoe Schenk, Stephen Schroeder, Evan Sheehan, Josh Stuart (now at UCSC) • faculty: — Jessica Hodgins, Computer Science, CMU — David Capps, Theater & Dance, Hunter College — Jean Hertzberg & YC Lee, Mechanical Engineering, CU — Amer Diwan, Computer Science, CU 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Lecture 17 CS 134 Spring 2019 Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) local network collection of IP networks under control of a

643 views • 25 slides
Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet

Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet

CS 134 Winter 2018 Lecture 16 Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) collection of IP networks under control local network of a single

769 views • 54 slides
Overview Network and Server Goal of Security Control Attacks and Penetration Phases of

Overview Network and Server Goal of Security Control Attacks and Penetration Phases of

Overview Network and Server Goal of Security Control Attacks and Penetration Phases of Control Methods of Taking Control Common Points of Attack Multifront Attacks Chapter 12 Auditing to Recognize Attacks Malicious

535 views • 7 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Should the IETF do anything about DDoS attacks? Mark Handley The Problem The Internet

Should the IETF do anything about DDoS attacks? Mark Handley The Problem The Internet

Should the IETF do anything about DDoS attacks? Mark Handley The Problem The Internet architecture was designed to delivery packets to the destination efficiently. Even if the destination does not want them. Congestion control and

391 views • 28 slides
Internet congestion control: TCP Internet congestion control: TCP 1988: "Congestion

Internet congestion control: TCP Internet congestion control: TCP 1988: "Congestion

Internet congestion control: TCP Internet congestion control: TCP 1988: "Congestion Avoidance and Control" (Jacobson/Karels) Combined congestion/flow control for TCP Goal: stability - in equilibrum, no packet is sent into the

482 views • 24 slides
Internet Resiliency to Attacks and Failures under BGP Policy Routing D. Dolev, S. Jamin, O.

Internet Resiliency to Attacks and Failures under BGP Policy Routing D. Dolev, S. Jamin, O.

Internet Resiliency to Attacks and Failures under BGP Policy Routing D. Dolev, S. Jamin, O. Morkyn, Y. Shavitt Presenter: Shiva Kasiviswanathan Pennsylvania State University University Park Internet Resiliency to Attacks and Failures under BGP

920 views • 61 slides
Internet Congestion Control Research Group Mark Handley UCL Congestion Control The Internet

Internet Congestion Control Research Group Mark Handley UCL Congestion Control The Internet

Internet Congestion Control Research Group Mark Handley UCL Congestion Control The Internet only functions because TCPs congestion control does an effective job of matching traffic demand to available capacity. TCPs Window Time

628 views • 14 slides
Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Practical Aspects of Security Prof. Michael Backes Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2 Control hijacking attacks Attackers goal: Take over target machine (e.g. web server)

921 views • 57 slides
A study of denial of service attacks on the Internet David J. Marchette marchettedj@nswc.navy.mil

A study of denial of service attacks on the Internet David J. Marchette marchettedj@nswc.navy.mil

A study of denial of service attacks on the Internet David J. Marchette marchettedj@nswc.navy.mil Naval Surface Warfare Center Code B10 < > - + A study of denial of service attacks on the Internet p.1/39 Outline Background

761 views • 54 slides
Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on Third-Party Software Jeffrey Knockel, Jedidiah Crandall Computer Science Department University of New Mexico Recent News Iran: forged SSL

569 views • 27 slides
ICMP attacks against TCP Fernando Gont UTN/FRH, OpenBSD Project FIRST Technical Colloquium

ICMP attacks against TCP Fernando Gont UTN/FRH, OpenBSD Project FIRST Technical Colloquium

ICMP attacks against TCP Fernando Gont UTN/FRH, OpenBSD Project FIRST Technical Colloquium Buenos Aires, Argentina, October 5 th -7 th , 2005 Fault Isolation in the Internet Architecture The Internet Architecture relies on the Internet

484 views • 16 slides
Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
Out of Control: Stealthy Attacks on Robotic Vehicles Protected by Control-Based Techniques Pritam

Out of Control: Stealthy Attacks on Robotic Vehicles Protected by Control-Based Techniques Pritam

Out of Control: Stealthy Attacks on Robotic Vehicles Protected by Control-Based Techniques Pritam Dash, Mehdi Karimi, and Karthik Pattabiraman University of British Columbia, Vancouver, Canada 1 Robotic Vehicle (RV) in Industrial Sector

441 views • 23 slides
Attacks on routing: IP hijacks How Internet number resources are managed

Attacks on routing: IP hijacks How Internet number resources are managed

Attacks on routing: IP hijacks How Internet number resources are managed IANA ARIN LACNIC APNIC RIPE NCC AfriNIC ISP #1 ISP NIC.br NIC.MX LIRs/ISPs

919 views • 40 slides
Perspective on Internet Congestion Control by Nathan Jay *, Noga H. Rotman*, Brighten Godfrey,

Perspective on Internet Congestion Control by Nathan Jay *, Noga H. Rotman*, Brighten Godfrey,

A Deep Reinforcement Learning Perspective on Internet Congestion Control by Nathan Jay *, Noga H. Rotman*, Brighten Godfrey, Michael Schapira, and Aviv Tamar *Equal contribution Internet Congestion Control The Internet (maybe?) End Host

480 views • 28 slides
HTS ACTIVITIES AT CEA-PARIS SACLAY Helene Felice for the Superconducting Magnet Lab at CEA

HTS ACTIVITIES AT CEA-PARIS SACLAY Helene Felice for the Superconducting Magnet Lab at CEA

OVERVIEW OF LTS AND HTS ACTIVITIES AT CEA-PARIS SACLAY Helene Felice for the Superconducting Magnet Lab at CEA Special thanks to: M. Durante, P. Fazilleau, C. Lorin, T. Lecrevisse, A. Madur, D. Simon, E. Rochepault 1 4 MATERIALS NbTi Nb 3 Sn

227 views • 22 slides
Algebra II Exponential Growth and Decay 2015-11-19 www.njctl.org Slide 3 / 128 Table of

Algebra II Exponential Growth and Decay 2015-11-19 www.njctl.org Slide 3 / 128 Table of

Slide 1 / 128 Slide 2 / 128 Algebra II Exponential Growth and Decay 2015-11-19 www.njctl.org Slide 3 / 128 Table of Contents Click on topic to go to that section. Simple Annual Interest Compound Interest The Constant, e Population

1.13k views • 66 slides
Heavy isotopes cosmic ray spectrometer (HICRS) for the NUCLEON-2 mission D. Karmanov, I. Kovalev,

Heavy isotopes cosmic ray spectrometer (HICRS) for the NUCLEON-2 mission D. Karmanov, I. Kovalev,

Heavy isotopes cosmic ray spectrometer (HICRS) for the NUCLEON-2 mission D. Karmanov, I. Kovalev, A. Kurganov, M. Panasyuk, A. Panov, D. Podorozhny, G. Sedov, L. Tkatchev, A. Turundaevskiy Skobeltsyn Institute of Nuclear Physics, Moscow State

373 views • 23 slides
NASA Planetary Protection Independent Review Board (PPIRB) Summary Briefing Alan Stern PPIRB

NASA Planetary Protection Independent Review Board (PPIRB) Summary Briefing Alan Stern PPIRB

NASA Planetary Protection Independent Review Board (PPIRB) Summary Briefing Alan Stern PPIRB Chair PPIRB Background PPIRB Term: July-September 2019 PPIRB Membership: Planetary scientists, biologists, private and civil sector space

107 views • 7 slides
earth nucleus 154 Dy G. L. Zimba 1,2 , S. P Bvumbi 1 , L. P. Masiteng 1 , P. Jones 2 , S. N. T.

earth nucleus 154 Dy G. L. Zimba 1,2 , S. P Bvumbi 1 , L. P. Masiteng 1 , P. Jones 2 , S. N. T.

First observation of E1 transitions from the octupole band to the excited 0 + 2 pairing isomer band in the rare earth nucleus 154 Dy G. L. Zimba 1,2 , S. P Bvumbi 1 , L. P. Masiteng 1 , P. Jones 2 , S. N. T. Majola 2,3 , T. S. Dinoko 2,4 , J. F.

522 views • 20 slides
Current and Future balloon and space experiments L. Derome (LPSC Grenoble) Tango, May 4-6th,

Current and Future balloon and space experiments L. Derome (LPSC Grenoble) Tango, May 4-6th,

Current and Future balloon and space experiments L. Derome (LPSC Grenoble) Tango, May 4-6th, 2009 L. Derome, Tango, May 4-6th 2009 1 Plan I will focus on: Future experiments which are going to measure e + and e - CR in the forthcoming

477 views • 20 slides
Radiological Protection System Radiological Protection Collection and Collection and

Radiological Protection System Radiological Protection Collection and Collection and

Principles of Radiological Protection System Radiological Protection Collection and Collection and Establishment of Establishment of Nuclear power and Nuclear power and evaluation of evaluation of radiation safety radiation safety

126 views • 11 slides
Radiology PACS Department of Radiology and Biomedical Imaging UCSF Outline PACS Impact

Radiology PACS Department of Radiology and Biomedical Imaging UCSF Outline PACS Impact

Radiology PACS Department of Radiology and Biomedical Imaging UCSF Outline PACS Impact PACS Workflow PACS Infrastructure Collaborations Implementation Challenges PACS Impact Distribution of medical

723 views • 19 slides

More recommend