Network-based Intrusion Detection, Prevention and Forensics System

1
Network-based Intrusion Detection, Prevention and
Forensics System

• Yan Chen
• Department of Electrical Engineering and Computer
  Science
• Northwestern University
• Lab for Internet Security Technology (LIST)
• http//list.cs.northwestern.edu

2
The Spread of Sapphire/Slammer Worms
3
Current Intrusion Detection Systems (IDS)

• Mostly host-based and not scalable to high-speed
  networks
• Slammer worm infected 75,000 machines in lt10 mins
• Host-based schemes inefficient and user dependent
• Have to install IDS on all user machines !
• Mostly simple signature-based
• Cannot recognize unknown anomalies/intrusions
• New viruses/worms, polymorphism

4
Current Intrusion Detection Systems (II)

• Cannot provide quality info for forensics or
  situational-aware analysis
• Hard to differentiate malicious events with
  unintentional anomalies
• Anomalies can be caused by network element
  faults, e.g., router misconfiguration, link
  failures, etc., or application (such as P2P)
  misconfiguration
• Cannot tell the situational-aware info attack
  scope/target/strategy, attacker (botnet) size,
  etc.

5
Network-based Intrusion Detection, Prevention,
and Forensics System

• Online traffic recording
• SIGCOMM IMC 2004, INFOCOM 2006, ToN to appear
• Reversible sketch for data streaming computation
• Record millions of flows (GB traffic) in a few
  hundred KB
• Small of memory access per packet
• Scalable to large key space size (232 or 264)
• Online sketch-based flow-level anomaly detection
• IEEE ICDCS 2006 IEEE CGA, Security
  Visualization 06
• Adaptively learn the traffic pattern changes
• As a first step, detect TCP SYN flooding,
  horizontal and vertical scans even when mixed
• Online stealthy spreader (botnet scan) detection
• IWQoS 2007

6
Network-based Intrusion Detection, Prevention,
and Forensics System (II)

• Polymorphic worm signature generation detection
• IEEE Symposium on Security and Privacy 2006
• IEEE ICNP 2007 to appear
• Accurate network diagnostics
• ACM SIGCOMM 2006 IEEE INFOCOM 2007
• Scalable distributed intrusion alert fusion w/
  DHT
• SIGCOMM Workshop on Large Scale Attack Defense
  2006
• Large-scale botnet and P2P misconfiguration event
  forensics work in progress

7
System Deployment

• Attached to a router/switch as a black box
• Edge network detection particularly powerful

Monitor each port separately
Monitor aggregated traffic from all ports
Original configuration
8
Northwestern Lab for Internet and Security
Technology (LIST)

• Sponsors for LIST
• Department of Energy (Early CAREER Award)
• Air Force Office of Scientific Research (Young
  Investigator Award)
• National Science Foundation
• Microsoft Research
• Motorola Inc.
• Additional industry collaborators
• SANS(SysAdmin, Audit, Network, Security)
  Institute
• AT T Labs

9
Team of LIST

• Prof. Bin Liu from Tsinghua Univ., partially
  supported as an Eshbach Scholar of Northwestern
  University
• Jiazhen Chen (M.S. student)
• Kai Chen (Ph.D. student)
• Anup Goyal (Ph.D. student)
• Zhichun Li (Ph. D. student)
• Ying He (visiting Ph.D. student)
• Chengchen Hu (visiting Ph.D. student)
• Rahul Potharaju (M.S. student)
• Sagar Vemuri (M.S. student)
• Gao Xia (visiting Ph.D. student from Tsinghua
  University)
• Yao Zhao (Ph.D. student)
• Yanmei Zhang (visiting Ph.D. student)
• Zhaosheng Zhu (Ph.D. student)

10
? ? ?