
Detecting Attacks in Routers Using Sketches


Presentation Transcript


  1. Detecting Attacks in Routers Using Sketches Dhiman Barman Piyush Satapathy Gianfranco Ciardo

  2. Network Attack Detection
  • Network anomalies are prevalent: flash crowds, DoS, failures, worms, …
  • Detect anomalies quickly and accurately
  • Two basic approaches:
    • Statistics-based: looking for abnormal behavior, e.g., heavy hitters, big changes; prior knowledge not required
    • Signature-based: looking for known patterns, e.g., port scans, address scans, malware

  3. Problem Addressed
  • Accurate, memory-efficient and scalable techniques to detect attacks: worms, viruses, superspreaders and DoS
  • Enabling change detection in routers by looking only at the IP headers
  • A general methodology to use sketches to recognize attacks in the routing architecture

  4. Example of Attack
  [Figure: routers of domains W, X, Y and Z reach domain J and domain K over link B and link C; the flows are domain W to J (10 Mbps), X to J (15 Mbps), Y to J (15 Mbps) and Z to K (35 Mbps); link capacity 50 Mb/s]
  1. Attacker compromises Router A
  2. Update message sent setting link B's cost to 10,000
  3. Traffic rerouted around link B (onto the lower-cost path)
  4. Congestion occurs on link C: DoS on domains W, X, Y and Z

  5. Outline
  • Introduction
  • Attack Definitions
  • Sketch Background
  • Proposed Methods
  • Simulation and Evaluation
  • Conclusion

  6. Background
  • A worm spreads and gains control of hundreds of computers in a few minutes; examples: Code Red versions 1 and 2, Nimda, etc.
  • State of the art:
    • PCA (offline) [Lakhina et al. SIGCOMM'04]
    • Data mining [Krishnamurthy et al. IMC'03]
    • Time series analysis [Estan SIGCOMM'03]
  • Our focus: detecting and filtering attacks at short time scales by online methods

  7. Architecture
  [Figure: line-card hardware (forwarding, bus, sketches) next to a NetFlow flow cache; terminated flow records update the sketches; software data collection and analysis on the processor outputs Alarm / No Alarm]
  • Put the sketch in the router line card
  • Sketches update the flow cache for each given time interval
  • The data collection and analysis part performs the change detection, based on the algorithm and the distance calculation functions

  8. Attack Definitions
  • S is a sequence of packets identified by (<i, j, p, q>, v) where
    • i and j denote the packet's source IP address and port
    • p and q denote the destination IP address and port
    • v denotes the size of the packet
  • A flow, as given by Cisco's NetFlow, is R(i, j, p, q): the multiset containing all the packets corresponding to a given (i, j, p, q) combination

  9. Port Scans
  • Attacks where a particular (IP address, port) pair connects to one destination on several ports:
    PortScan(i, j, p) ⇔ |{q : |R(i, j, p, q)| > 0}| > δ_PS

  10. Address Scans
  • Attacks where a particular IP address connects to multiple destination IP addresses on a particularly vulnerable port:
    AddrScan(i, j, q) ⇔ |{p : |R(i, j, p, q)| > 0}| > δ_AS
    or, over all source ports,
    AddrScan(i, q) ⇔ |{(j, p) : |R(i, j, p, q)| > 0}| > δ_AS

  11. Malware
  • Attacks where a number of sources try to connect to a particular destination or a set of destinations on any ports; the predicate is evaluated per source i and counts the distinct (source port, destination IP, destination port) triples that i touches:
    WormMalwSpam(i) ⇔ |{(j, p, q) : |R(i, j, p, q)| > 0}| > δ_WMS
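The three predicates of slides 9 to 11, evaluated exactly over a small packet list, as an added example that is not the authors' code. The packets, the thresholds (δ_PS = δ_AS = 5, δ_WMS = 8) and the function names are constructed for the illustration; R(i, j, p, q) is kept as the list of packet sizes of each 4-tuple, exactly as slide 8 defines it.

```python
from collections import defaultdict
from itertools import product

# Constructed sample traffic (not from the paper). Each packet is (i, j, p, q, v) with the
# slide's meaning: source IP i, source port j, destination IP p, destination port q, size v.
PACKETS = []
# a port scan: one (srcIP, srcPort) pair probing six ports on one host
PACKETS += [("10.0.0.5", 40000, "192.0.2.1", q, 60) for q in (21, 22, 23, 25, 80, 443)]
# an address scan: one source probing port 445 on six hosts
PACKETS += [("10.0.0.6", 1234, f"192.0.2.{n}", 445, 60) for n in range(10, 16)]
# worm-like fan-out: one source touching nine distinct (srcPort, dstIP, dstPort) triples
PACKETS += [("10.0.0.7", 50000 + n, f"198.51.100.{p}", q, 400)
            for n, (p, q) in enumerate(product((1, 2, 3), (80, 443, 8080)))]
# benign traffic: one flow carrying several packets
PACKETS += [("10.0.0.8", 50001, "192.0.2.1", 80, v) for v in (1500, 1500, 52)]


def build_flows(packets):
    """R(i, j, p, q): the multiset (here a list) of packet sizes of each 4-tuple,
    i.e. one NetFlow-style record per flow."""
    flows = defaultdict(list)
    for i, j, p, q, v in packets:
        flows[(i, j, p, q)].append(v)
    return flows


def port_scans(flows, delta_ps):
    """PortScan(i, j, p): more than delta_ps distinct destination ports q with |R(i, j, p, q)| > 0."""
    ports = defaultdict(set)
    for (i, j, p, q) in flows:  # a key is present only if |R(i, j, p, q)| > 0
        ports[(i, j, p)].add(q)
    return {key for key, qs in ports.items() if len(qs) > delta_ps}


def addr_scans(flows, delta_as):
    """Both forms on the slide: AddrScan(i, j, q) counts destination IPs p for one source port,
    AddrScan(i, q) counts (source port, destination IP) pairs over all source ports."""
    by_src_port = defaultdict(set)
    by_src = defaultdict(set)
    for (i, j, p, q) in flows:
        by_src_port[(i, j, q)].add(p)
        by_src[(i, q)].add((j, p))
    return ({key for key, ps in by_src_port.items() if len(ps) > delta_as},
            {key for key, pairs in by_src.items() if len(pairs) > delta_as})


def worm_malware_spam(flows, delta_wms):
    """WormMalwSpam(i): more than delta_wms distinct (j, p, q) triples touched by source i."""
    triples = defaultdict(set)
    for (i, j, p, q) in flows:
        triples[i].add((j, p, q))
    return {i for i, t in triples.items() if len(t) > delta_wms}


if __name__ == "__main__":
    R = build_flows(PACKETS)
    print("port scans:", port_scans(R, 5))
    print("address scans (per source port, per source):", addr_scans(R, 5))
    print("worm/malware/spam sources:", worm_malware_spam(R, 8))
```

Note that the three predicates separate cleanly on this input: the port scanner keeps one source port, so it never reaches δ_WMS, and the fan-out source changes its source port on every connection, so it never reaches δ_PS or the first form of δ_AS. The exact evaluation needs one set per key, which is the memory cost the sketches of the following slides are meant to remove.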

  12. Sketch Background
  • A sketch of a data stream is a compact summarization
  • The sketched summary is much smaller than the data stream itself
  • Sketching is a randomized projection of a signal (using hashing)
  • Examples:
    • Count-Min Sketch [Cormode 2003]
    • Counting Bloom Filter [Broder, Internet Mathematics 2004]
    • Multi Count Bloom Filter [Broder, Internet Mathematics 2004]
    • Flajolet-Martin Sketch [Flajolet, Journal of Computer and System Sciences 1985]

  13. Count-Min Sketch
  [Figure: key_t is hashed by h_1 … h_H into one cell of each of the H rows of width K (cells 0 … K−1); each selected cell receives +c_t]
  • The CM sketch maintains an array of width K and depth H
  • Each row hashes with a function chosen uniformly at random from a pairwise-independent family of hash functions
  • Update(key_t, value_t): T_j[h_j(key_t)] += value_t (for all j)

  14. Bloom Filter
  [Figure: key_t hashed by k hash functions H_1 … H_k into an m-bit vector; the addressed bits are set to 1]
  • An array of m bits, initially all set to 0
  • An incoming element is hashed through k hash functions and the bit positions returned are set to 1
  • Update(key_t): T[h_j(key_t)] = 1 (for all j)
  • Counting Bloom Filter: the bits become counters, and Update(key_t, value_t): T[h_j(key_t)] += value_t (for all j)

  15. Multi Count Bloom Filter
  [Figure: key_t hashed by k hash functions H_1 … H_k, each into its own group of the m counters]
  • A Counting Bloom Filter with m counters divided into k groups of size m/k each
  • The i-th hash function maps into positions [m(i−1)/k] + 1 to [m·i/k]
  • Update(key_t, value_t): T[h_j(key_t)] += value_t (for all j)
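The filters of slides 14 and 15 in one class, as an added example that is not the authors' implementation: the counting Bloom filter of slide 14, and with `partitioned=True` the layout of slide 15, where hash i only addresses the i-th group of m/k counters. Deriving the k indices from disjoint slices of a single SHA-256 digest, the `remove` method and the `get_frequency` estimate (the smallest of the key's counters) are my choices; the slide only fixes the update rule.

```python
import hashlib


class CountingBloomFilter:
    """Counting Bloom filter (slide 14). With partitioned=True the m counters are split
    into k groups of m // k and hash i only addresses group i (slide 15, Multi Count
    Bloom filter). A plain Bloom filter is the special case of value 1 and bits
    instead of counters."""

    def __init__(self, m: int, k: int, partitioned: bool = False):
        if not 1 <= k <= 8:
            raise ValueError("this example derives at most 8 hashes from one SHA-256 digest")
        self.m, self.k, self.partitioned = m, k, partitioned
        self.group = m // k
        self.counters = [0] * m

    def _indices(self, key) -> list:
        # k hash values from disjoint 4-byte slices of one digest (stand-in for k independent hashes)
        digest = hashlib.sha256(repr(key).encode()).digest()
        out = []
        for i in range(self.k):
            h = int.from_bytes(digest[4 * i:4 * i + 4], "big")
            if self.partitioned:
                out.append(i * self.group + h % self.group)  # stays inside group i
            else:
                out.append(h % self.m)
        return out

    def update(self, key, value: int = 1) -> None:
        """T[h_i(key)] += value for all i."""
        for idx in self._indices(key):
            self.counters[idx] += value

    def remove(self, key, value: int = 1) -> None:
        """Deletion, which counters allow and a plain bit-vector Bloom filter cannot."""
        for idx in self._indices(key):
            self.counters[idx] -= value

    def contains(self, key) -> bool:
        """Never a false negative; a false positive when other keys raised all k counters."""
        return all(self.counters[idx] > 0 for idx in self._indices(key))

    def get_frequency(self, key) -> int:
        """Point estimate: the smallest of the key's counters. Collisions only add,
        so the estimate is never below the true count."""
        return min(self.counters[idx] for idx in self._indices(key))


if __name__ == "__main__":
    # constructed flow keys (srcIP, dstPort) with packet counts
    cbf = CountingBloomFilter(m=4096, k=4)
    for key, n in {("10.0.0.1", 80): 120, ("10.0.0.2", 443): 7}.items():
        cbf.update(key, n)
    print(cbf.contains(("10.0.0.1", 80)), cbf.get_frequency(("10.0.0.1", 80)))
```

The partitioned layout guarantees that the k counters of a key are distinct (one per group), which is why the multi-count variant is convenient in hardware: each group can sit in its own memory bank and the k reads happen in parallel.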

  16. FM Sketch
  [Figure: data stream 3 0 5 3 0 1 7 5 1 0 3 7 over a BITMAP with positions 5 … 0; for x = 5, h(x) = 101100 and lsb(h(x)) = 2, so bit 2 is set; number of distinct values: 5]
  • Estimates the number of distinct items in a stream of values from [0, …, M−1]
  • Assume a hash function h(x) that maps incoming values x in [0, …, M−1] uniformly across [0, …, 2^L − 1], where L = O(log M)
  • Let lsb(y) denote the position of the least-significant 1 bit in the binary representation of y
  • A value x is mapped to lsb(h(x))
  • Maintain the FM sketch as a BITMAP array of L bits, initialized to 0
  • For each incoming value x, set BITMAP[lsb(h(x))] = 1
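The FM sketch above as an added example (not the authors' code). The slide only describes how the bitmap is filled; the estimator used here is the Flajolet-Martin one, 2^R / φ with R the position of the first 0 bit and φ ≈ 0.77351, and the sketch keeps M bitmaps whose R values are averaged (the "number of bit maps" parameter of slide 17). SHA-256 stands in for the uniform hash h, and the key set in the test is constructed.

```python
import hashlib

PHI = 0.77351  # Flajolet-Martin constant: for n distinct values, 2^R is about phi * n


def lsb(y: int) -> int:
    """Position (0-based) of the least-significant 1 bit of y; y must be positive."""
    if y <= 0:
        raise ValueError("lsb is defined for positive integers")
    return (y & -y).bit_length() - 1


class FMSketch:
    """Flajolet-Martin sketch: an L-bit BITMAP per value class, bit lsb(h(x)) set for
    each value x. M bitmaps are kept; every value is routed to one of them and the
    first-zero positions R are averaged, which narrows the factor-of-two spread of
    a single bitmap's estimate 2^R / phi."""

    def __init__(self, L: int = 32, M: int = 64, seed: int = 0):
        self.L, self.M, self.seed = L, M, seed
        self.bitmaps = [[0] * L for _ in range(M)]

    def _hash(self, x):
        # SHA-256 as a stand-in for the slide's uniform hash h (deterministic, so repeatable)
        d = hashlib.sha256(f"{self.seed}:{x!r}".encode()).digest()
        value = int.from_bytes(d[:8], "big") & ((1 << self.L) - 1)  # uniform in [0, 2^L - 1]
        which = int.from_bytes(d[8:12], "big") % self.M             # which bitmap receives x
        return value, which

    def add(self, x) -> None:
        """BITMAP[lsb(h(x))] = 1 in the bitmap chosen for x."""
        value, which = self._hash(x)
        if value:  # h(x) = 0 (probability 2^-L) has no 1 bit and is skipped
            self.bitmaps[which][lsb(value)] = 1

    @staticmethod
    def _first_zero(bitmap) -> int:
        """R: index of the first 0 bit counting from position 0."""
        for pos, bit in enumerate(bitmap):
            if bit == 0:
                return pos
        return len(bitmap)

    def estimate(self) -> float:
        """Estimated number of distinct values seen so far."""
        mean_r = sum(self._first_zero(b) for b in self.bitmaps) / self.M
        return self.M * (2 ** mean_r) / PHI


if __name__ == "__main__":
    fm = FMSketch()
    # constructed flow keys: 5000 distinct (srcIP, srcPort) pairs, each added twice
    for i in range(5000):
        fm.add(("10.0.0.%d" % (i % 256), 1024 + i))
        fm.add(("10.0.0.%d" % (i % 256), 1024 + i))
    print("distinct flows, estimated:", round(fm.estimate()))
```

Setting a bit is idempotent, so repeating a value leaves the estimate unchanged; that is what makes the structure a distinct counter rather than a packet counter, and why a scan that opens many new flows moves it while a long-lived heavy flow does not. With M bitmaps the estimate is only reliable once the number of distinct values is a reasonable multiple of M; for a handful of values (as in the slide's twelve-element stream) a single bitmap (M = 1) is the appropriate configuration.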

  17. Space-Time Complexity
  [Table of the space and time costs of the sketches not recoverable from the transcript]
  Notation: C = number of bits in a counter of the Bloom filter; M = number of bitmaps used in the FM sketch; L = number of bits in the FM sketch; all other notation as described earlier.

  18. Our Proposals
  • Linear combination approach
    • The change between two sketches S1(α1; β1) and S2(α2; β2) is given by S_d = S2 − k·S1 (sketches are closed under linear combination)
    • If S_d > δ then there is an anomaly and an alarm is raised
    • Uses the Count-Min sketch, the Counting and the Multi Count Bloom Filter
  • Change detection by the sliding-window method
    • Uses two windows, one static and one moving
    • Parallel execution for all the given window lengths
    • Uses the FM sketch, the change detection algorithm and a distance function
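The linear-combination approach with the Count-Min sketch of slide 13, as an added example that is not the authors' code: two sketches built with the same hash functions, their difference S_d = S2 − k·S1 taken cell by cell, and an alarm for every flow whose estimated change exceeds δ. The hash family h(x) = ((a·x + b) mod P) mod K with P = 2^61 − 1 follows slides 13 and 22; the two intervals of flow counts, the flood flow and the threshold are constructed. One detail the slides do not spell out: in a difference sketch, collisions can push a cell below as well as above the truth, so the point query here takes the median across rows rather than the minimum used for plain counts.

```python
import hashlib
import random
from statistics import median_low

P = (1 << 61) - 1  # prime modulus; slide 22 draws the hash parameters below 2^61 - 1


def key_to_int(key) -> int:
    """Map an arbitrary flow key (e.g. a 5-tuple) to an integer below P."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:8], "big") % P


class CountMinSketch:
    """Count-Min sketch (slide 13): H rows of width K, each with its own hash
    h_j(x) = ((a_j * x + b_j) mod P) mod K from the pairwise-independent family."""

    def __init__(self, width: int, depth: int, seed: int = 1):
        rng = random.Random(seed)  # same seed => same hash functions, which S_d requires
        self.width, self.depth = width, depth
        self.hashes = [(rng.randrange(1, P), rng.randrange(0, P)) for _ in range(depth)]
        self.table = [[0] * width for _ in range(depth)]

    def _col(self, j: int, key) -> int:
        a, b = self.hashes[j]
        return ((a * key_to_int(key) + b) % P) % self.width

    def update(self, key, value=1) -> None:
        """Update(key_t, value_t): T_j[h_j(key_t)] += value_t for all j."""
        for j in range(self.depth):
            self.table[j][self._col(j, key)] += value

    def get_frequency(self, key):
        """Point query: every cell over-counts (collisions only add), so the minimum is tightest."""
        return min(self.table[j][self._col(j, key)] for j in range(self.depth))

    def linear_combination(self, other, k=1):
        """S_d = self - k * other, cell by cell; only meaningful with shared hash functions."""
        if self.hashes != other.hashes or self.width != other.width:
            raise ValueError("sketches must share hash functions and dimensions")
        sd = CountMinSketch(self.width, self.depth)
        sd.hashes = self.hashes
        sd.table = [[x - k * y for x, y in zip(r1, r2)] for r1, r2 in zip(self.table, other.table)]
        return sd

    def estimate_change(self, key):
        """In a difference sketch collisions move cells up or down, so the minimum is no
        longer a safe bound; the median across the rows is used instead (my choice)."""
        return median_low(self.table[j][self._col(j, key)] for j in range(self.depth))


def build_sketch(flow_counts, width=1024, depth=4, seed=7):
    s = CountMinSketch(width, depth, seed)
    for key, n in flow_counts.items():
        s.update(key, n)
    return s


def detect_changes(s_prev, s_cur, candidate_keys, delta, k=1):
    """Alarm on every candidate flow whose estimated change between the intervals exceeds delta.
    A sketch cannot list its own keys (the reverse-hashing problem of the conclusions), so the
    candidates come from the flow cache of the current interval."""
    sd = s_cur.linear_combination(s_prev, k)
    return {key for key in candidate_keys if abs(sd.estimate_change(key)) > delta}


# Constructed per-interval packet counts per 5-tuple (not measured data).
INTERVAL_1 = {
    ("10.0.0.1", 51000, "192.0.2.10", 80, "tcp"): 40,
    ("10.0.0.2", 51001, "192.0.2.10", 443, "tcp"): 25,
    ("10.0.0.3", 53, "192.0.2.53", 53, "udp"): 12,
}
ATTACK = ("198.51.100.7", 4444, "192.0.2.10", 80, "tcp")
INTERVAL_2 = {
    ("10.0.0.1", 51000, "192.0.2.10", 80, "tcp"): 44,
    ("10.0.0.2", 51001, "192.0.2.10", 443, "tcp"): 21,
    ("10.0.0.3", 53, "192.0.2.53", 53, "udp"): 15,
    ATTACK: 5000,  # flood that appears only in the second interval
}

if __name__ == "__main__":
    s1, s2 = build_sketch(INTERVAL_1), build_sketch(INTERVAL_2)
    print("estimated packets of attack flow:", s2.get_frequency(ATTACK))
    print("alarms:", detect_changes(s1, s2, INTERVAL_2, delta=1000))
```

The closure property is what makes the per-interval sketches cheap to compare: S_d is computed without touching any flow record, and the factor k lets the previous interval be scaled (for instance to compare intervals of unequal length) before subtraction.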

  19. Change Detection using FM Sketch
  Inputs: (A, M); A is an m×1 matrix (a bit vector) and M is a K×3 matrix (K different window sizes, each forming two different windows; example rows: 10 0.05, 8 0.04, 4 0.03)
   1: c0 ← 0
   2: for i = 1 to K do
   3:   s_i ← FM_i
   4:   window_x,i ← m_x,i intervals from time c0
   5:   window_y,i ← m_y,i intervals from the incoming data stream
   6: end for
   7: while more flow counts to process do
   8:   slide window_y,i by 1 sample
   9:   if distance(window_x,i, window_y,i) ≥ α_i then
  10:     c0 ← current time
  11:     output change at time c0 (set the bit to 1)
  12:     clear all windows and GOTO step 1
  13:   end if
  14: end while
  Output: c0

  20. Distance Function
  • The difference between two windows is calculated using one of:
    • Probability distribution distance [Kifer VLDB 2004]
    • L1 distance
    • KL distance (on the empirical distribution function)
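The sliding-window procedure of slide 19 together with two of the distances of slide 20, as an added example that is not the authors' code. It runs on exact per-interval flow counts (as slide 28 does), so the FM sketch is not needed here; the series, the window configurations and the thresholds are constructed. Two assumptions are mine: the "probability distribution" distance is taken to be the Kolmogorov-Smirnov form sup_t |F_x(t) − F_y(t)| of the EDF-based distances of Kifer et al., and after a change the windows are rebuilt from the new c0 (step 2 onward) rather than from step 1, which would reset c0 to 0 and lose the change point.

```python
from bisect import bisect_right

# Constructed series of per-interval flow counts (not trace data): 30 quiet intervals,
# then 20 intervals of a flood that multiplies the count by about four.
NORMAL = [98, 105, 100, 97, 103, 101, 99, 102, 100, 104]
FLOOD = [398, 405, 410, 395, 402, 400, 407, 399, 403, 401]
SERIES = NORMAL * 3 + FLOOD * 2

# Rows of the K x 3 matrix M as (m_x, m_y, alpha). The static sizes follow the slide's
# example (10, 8, 4); the moving sizes and the thresholds are chosen for the KS distance.
WINDOW_CONFIGS = [(10, 5, 0.9), (8, 4, 0.9), (4, 3, 0.9)]


def edf(sample):
    """Empirical distribution function F(t) = fraction of the sample <= t."""
    xs = sorted(sample)
    return lambda t: bisect_right(xs, t) / len(xs)


def edf_distance(window_x, window_y) -> float:
    """sup_t |F_x(t) - F_y(t)|. Both EDFs are step functions that only change at
    sample values, so the supremum is attained at one of them."""
    fx, fy = edf(window_x), edf(window_y)
    return max(abs(fx(t) - fy(t)) for t in set(window_x) | set(window_y))


def l1_distance(window_x, window_y, bins: int = 8) -> float:
    """L1 distance between the normalized histograms of the two windows over shared
    bins spanning the pooled range: 0 for identical windows, 2 for disjoint ones."""
    pooled = list(window_x) + list(window_y)
    lo, width = min(pooled), (max(pooled) - min(pooled)) / bins or 1.0

    def hist(w):
        h = [0.0] * bins
        for v in w:
            h[min(int((v - lo) / width), bins - 1)] += 1.0 / len(w)
        return h

    return sum(abs(a - b) for a, b in zip(hist(window_x), hist(window_y)))


def detect_window_changes(series, configs, distance=edf_distance):
    """Slide 19's loop over a series of per-interval counts. For every row i of M the
    static window_x,i holds the m_x,i intervals after the last change point c0 and
    window_y,i the latest m_y,i intervals; all K pairs are checked in parallel and the
    first row whose distance reaches alpha_i declares a change, after which the windows
    are rebuilt from the new c0. Returns the list of change points."""
    changes, c0, t = [], 0, 1
    while t <= len(series):  # t = number of intervals consumed so far
        for m_x, m_y, alpha in configs:
            if t - c0 < m_x + m_y:  # this row's two windows are not both full yet
                continue
            window_x = series[c0:c0 + m_x]
            window_y = series[t - m_y:t]
            if distance(window_x, window_y) >= alpha:
                c0 = t  # steps 10-12: change at the current time, then restart
                changes.append(c0)
                break
        t += 1
    return changes


if __name__ == "__main__":
    print("change points:", detect_window_changes(SERIES, WINDOW_CONFIGS))  # flood begins at 30
```

With the KS distance a threshold of 0.9 only fires when the moving window has almost completely left the range of the static one, which is why the smallest row (4, 3) reacts first: it needs only three flood intervals, while the larger windows still contain quiet intervals. The α values on the slide (0.05, 0.04, 0.03) belong to its own distance scale and are not comparable with these.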

  21. Sketches in Action
  [Figure: LBNL & NLANR traces, read with CAIDA's Coral software, pass through pre-processing (key, time, count; header, payload) into the sketching stage (sketch library functions; parameters K, δ), which produces sketches for the given time slots; these feed the change detection module (parameters A, M; W, d, m), which raises the alarms]

  22. Experimental Issues
  • Experiments run on an Intel Xeon 1.4 GHz processor with 512 MB of RAM
  • Implementation of the sketches:
    • Hash functions are created randomly
    • Random numbers are generated with the maximum value 2^61 − 1
    • Common interface for all four sketches: Update(key, value) and getFrequency(key)
  • Synthetic traces generated where attack flows are injected

  23. Evaluation (Accuracy)
  [Figure: sketching the changes in heavy-ranked flows between two time intervals; sketches of the 10 heaviest-ranked flows]

  24. Evaluation (Accuracy)
  [Figures: FM sketch of 10 intervals of a malicious traffic trace; FM sketch of 10 intervals of normal traffic]

  25. Scatter Plot (Accuracy)

  26. Count Min Sketch in Attack Detection

  27. Attacks Vs Sketches(Efficiency)

  28. Evaluation by FM Sketch (Accuracy)
  [Figures: comparison of two different distance functions on exact flow counts; change detection accuracy of the FM sketch using the probability distribution distance function]

  29. Evaluation by FM Sketch (Efficiency)
  [Figure: accuracy of the two distance functions on synthetic traces; the x-axis is the threshold, of the form mean(X) + std(X), where X is the flow counts]

  30. Conclusions
  • Sketches can detect heavy changes quickly and accurately
  • Compact sketch-like data structures can be implemented in on-chip hardware
  • Reverse hashing of sketches to identify the malicious flows is challenging

  31. Thank you!
