Security Research in 100x100 - PowerPoint PPT Presentation

1
Security Research in 100x100
  • Mike Reiter
  • Carnegie Mellon University

2
A Clean Slate Design
  • Many fundamental questions to consider, e.g.
  • Should source authentication be intrinsic (or
    eschewed) in 100x100?
  • Should the network support anonymous /
    pseudonymous access?
  • Should connectivity be the default?
  • What auditing capabilities should be present?
  • What is the interaction between addressing and
    security?

3
Our Initial Work (Sekar, Xie, Maltz, Reiter, Zhang)
  • Thesis: A framework for forensic analysis is
    fundamental for future networks
  • Initial demonstration primarily focused on
    attacks that exploit the scale of the network
  • Epidemic attacks
  • Though contemplated for future networks, also
    have an eye toward today's Internet
  • Realistically, deployment would be incremental
  • May have additional applications, as well

4
The Structure of Attacks
[Diagram: attackers → involved hosts (e.g., zombies) → identified victims; shown for worm infection and distributed DoS]
  • Modern attacks are multi-level
  • Large scale: difficult to defend
  • Hidden trail: difficult to identify the initial
    launch point

5
Our Position
  • A fundamental capability: network auditing and
    forensic analysis
  • Keep communication records
  • Permit post-mortem analysis of patterns across
    network and time
  • Scope: Internet and intranet
  • Correct weak points in a network perimeter
  • Deter future similar attacks

6
Two Applications
[Diagram: host contact graph with hosts B–H and flows at times t1–t7]
  • Attack Reconstruction: infer which communications
    carry the attack forward
  • Attacker Identification: pinpoint the attack
    source(s)

7
Power of Network Auditing/Forensics
  • Attackers and victims must communicate for the
    attack to propagate
  • Independent of attacks
  • Visible to the network
  • Globally analyze communication events
  • General across a wide range of attacks
  • Applicable to different attack propagation speeds
  • Possible with/without attack signature

8
Worm Origin Identification
  • Future worm attacks
  • Different time scales: seconds, hours, days
  • Various security exploits
  • Different propagation methods: random scan,
    hit-list scan
  • Is it possible to identify the worm origin
    without any a priori knowledge about the attack?

9
A Graph Representation
  • A directed host contact graph G = <V, E>
  • V = H × T (H the set of all hosts, T time)
  • e ∈ E: a network flow <source, destination,
    start-time, end-time>
  • Assumption: flow directionality is consistent with
    causality
  • Normal edge
  • Causal edge: flows that infect their destinations
    successfully
  • Non-causal attack edge: failed infection attempts
    that carry an infectious payload

[Diagram: example host contact graph with hosts C–J plotted over time T]
10
Problem Formulation
  • Input: an unlabeled directed host contact graph G
  • Desired output: label the causal edges that are
    initial in time

[Diagram: the unlabeled host contact graph (hosts C–J over time T) and the causal tree to be recovered]
11
Accuracy of Realistic Algorithms
  • False positives: non-causal attack edges and
    normal edges
  • False negatives: causal edges that are not
    identified

[Diagram: input host contact graph with hosts C–J over time T]
12
Random Moonwalks
  • A random moonwalk on the host contact graph:
  • Start with an arbitrarily chosen flow
  • Pick the next-step flow randomly, walking backward
    in time
  • Observation: epidemic attacks have a tree
    structure
  • Initial causal flows emerge as high-frequency
    flows
  • Parameters:
  • d: maximum path length
  • Δt: sampling window size

[Diagram: a moonwalk on the example host contact graph, hosts C–J over time T]
13
The Sampling Process
  • Each random moonwalk: a sample of a path into the
    history
  • Given a network trace:
  • Step 1: Select sampling parameters
  • Chosen based on the given trace
  • Step 2: Perform moonwalks repeatedly
  • Update the count of each edge being traversed
  • Step 3: Output the Z highest-frequency edges
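The three-step sampling process on slides 12 and 13, worked as an added Python example that is not code from the presentation or from the Dragnet project. The exact backward-step rule (a next flow must arrive at the current flow's source host and must have ended within Δt before the current flow started) and the constructed trace (a worm tree rooted at host 0 over sparse normal traffic among hosts 100–119) are this example's assumptions.

```python
import random
from collections import Counter, defaultdict, namedtuple

# One network flow, the edge type of the host contact graph: <source, destination, start-time, end-time>
Flow = namedtuple("Flow", "src dst start end")

def random_moonwalk(by_dst, start_flow, d, delta_t, rng):
    """One moonwalk: step backward in time from start_flow, at most d flows long."""
    path, cur = [start_flow], start_flow
    for _ in range(d - 1):
        # Assumed step rule: the next flow must arrive at cur.src and have ended within
        # delta_t before cur started (flow directionality consistent with causality).
        cands = [f for f in by_dst[cur.src] if cur.start - delta_t <= f.end <= cur.start]
        if not cands:
            break
        cur = rng.choice(cands)
        path.append(cur)
    return path

def moonwalk_sample(flows, walks, d, delta_t, z, seed=0):
    """Steps 2 and 3: repeat walks, count every traversed edge, return the Z top edges."""
    rng = random.Random(seed)
    by_dst = defaultdict(list)  # host contact graph indexed by destination host
    for f in flows:
        by_dst[f.dst].append(f)
    counts = Counter()
    for _ in range(walks):
        counts.update(random_moonwalk(by_dst, rng.choice(flows), d, delta_t, rng))
    return counts.most_common(z)

def constructed_trace(seed=1):
    """Constructed input: 40 sparse normal flows among hosts 100-119 plus a worm tree."""
    rng = random.Random(seed)
    flows = []
    for _ in range(40):
        s, t = rng.sample(range(100, 120), 2)
        st = rng.uniform(0, 200)
        flows.append(Flow(s, t, st, st + 1))
    # Worm source 0 infects host 1 (the initial causal flow) and probes one normal host;
    # every infected host h >= 1 then infects 2h and 2h+1 and probes one normal host.
    flows += [Flow(0, 1, 10.0, 11.0), Flow(0, 119, 12.0, 13.0)]
    infected_at = {1: 11.0}
    for h in range(1, 8):
        t0 = infected_at[h]
        flows.append(Flow(h, 100 + h, t0 + 3, t0 + 4))  # non-causal attack edge
        for child, delay in ((2 * h, 5), (2 * h + 1, 8)):
            flows.append(Flow(h, child, t0 + delay, t0 + delay + 1))  # causal edge
            infected_at[child] = t0 + delay + 1
    return flows
```

With 2000 walks, d = 10 and Δt = 15 s, the initial causal flow 0→1 is the top-frequency edge by a wide margin, because every walk that starts anywhere in the worm tree is funnelled back through it, while walks starting on sparse normal flows die out after a step or two.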
14
Intuition
  • Each walk samples a potential causal chain of
    events
  • High frequency edges are indirectly responsible
    for a large number of edges
  • Normal host contact graphs are sparse
  • Incoming flows to normal hosts are likely
    suspicious
  • Direct walks to infected hosts
  • More edges lead to infected hosts than lead away
    from them
  • Sending attack traffic increases the rate of
    outgoing flows
  • Concentrate walks backward to the attack origin

15
Real Trace Evaluation
  • Is random moonwalk effective for slow attacks
    with real background traffic?
  • Data: CMU campus backbone trace
  • 1.4 million flows over a 4-hour period, 8040 campus
    hosts
  • Worm flow injection
  • 10% of vulnerable hosts, 1 attack flow per t
    seconds (t = 2, 10, 100)
  • 90th percentile normal flow rate: 1 flow per 20
    seconds
  • Detection accuracy
  • target_flows / selected_flows after 10^4 walks

16
Detect the Existence of an Attack
17
Identify the Initial Causal Flows
  • High accuracy with a small number of walks
  • Note: a total of 804 causal flows among 1.52 million
    flows
  • The majority of identified causal edges are initial
    ones

18
Structure of the Selected Flows
[Figure: tree of the top-frequency flows, rooted at the worm source]
  • Top-frequency flows display a tree-like structure

19
Ongoing Prototyping Effort
  • Collaboration with CMU campus network
  • Phase 1: Flow-level Argus trace at campus
    backbone (done)
  • Phase 2: Enhanced traffic monitoring system
    (ongoing)
  • Phase 3: Real-time attack detection and
    reconstruction (in the near future)
  • Collaboration with Internet2
  • Deployment of Dragnet at large educational
    backbones
  • Goal: A framework for attack investigation based
    on multiple network monitors and views

20
Toward 100x100
  • One possibility for 100x100 is a regular mesh
    structure
  • This may substantially simplify where monitors
    are placed
  • Placement in today's networks is a topic of
    ongoing research

21
Other Work
  • Analysis of the predictive value of traffic
    (Collins, Reiter)
  • Multi-resolution detection of worm propagation
    (Sekar, Xie, Maltz, Reiter, Zhang)