View
214
Download
0
Category
Tags:
Preview:
Citation preview
1
Yan ChenNorthwestern Lab for Internet
and Security Technology (LIST)
Dept. of Computer Science
Northwestern University
http://list.cs.northwestern.edu
Adaptive Intrusion Detection and Mitigation
Systems for WiMAX Networks
Motorola Liaisons
Gregory W. Cox, Z. Judy Fu, Philip R. Roberts
Motorola Labs
2
Battling Hackers is a Growth Industry!
• The past decade has seen an explosion in the concern for the security of information
• Denial of service (DoS) attacks– Cost $1.2 billion in 2000
• Viruses and worms faster and more powerful– Cause over $28 billion in economic losses in 2003,
growing to over $75 billion in economic losses by 2007.
--Wall Street Journal (11/10/2004)
3
AccessNetworks
Core Networks
The Current Internet: Connectivity and Processing
Transit Net
Transit Net
Transit Net
PrivatePeering
NAP
PublicPeering
PSTNRegional
WirelineRegionalVoiceVoice
CellCell
Cell
CableModem
LAN
LAN
LAN
Premises-based
WLAN
WLAN
WLAN
Premises-based
Operator-based
H.323Data
Data
RAS
Analog
DSLAM
H.323
4
Motivation• Viruses/worms moving into the wireless world …
– 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices
• IEEE 802.16 WiMAX networks emerging– Predicted multi-billion dollar industry – No existing research/product tailored towards 802.16
anomaly/intrusion detection and mitigation
• 802.16 IDS development can potentially lead to critical gain in market share– All major WLAN vendors integrated IDS into products
• Strategically important to lead in WiMAX product portfolio with security & trouble shooting capability– Simply buy off-the-shelf IDSes blind to their limitations
5
Existing Intrusion Detection Systems (IDS) Insufficient
• Mostly host-based and not scalable to high-speed networks– Slammer worm infected 75,000 machines in < 10
mins– Host-based schemes inefficient and user dependent
» Have to install IDS on all user machines !
• Mostly signature-based – Cannot recognize unknown anomalies/intrusions– New viruses/worms, polymorphism
6
Current IDS Insufficient (II)• Statistical detection
– Hard to adapt to traffic pattern changes– Unscalable for flow-level detection
» IDS vulnerable to DoS attacks» WiMAX, up to 134Mbps, 10 min traffic may take 4GB
memory
– Overall traffic based: inaccurate, high false positives
» Existing high-speed IDS here
• Cannot differentiate malicious events with unintentional anomalies– Anomalies can be caused by network element
faults– E.g., signal interference of wireless network
7Adaptive Intrusion Detection System for Wireless Networks
(WAIDM)• Online traffic recording and analysis for high-
speed WiMAX networks– Leverage sketches for data streaming computation– Record millions of flows (GB traffic) in a few Kilobytes
• Online flow-level intrusion detection & mitigation– Leverage statistical learning theory (SLT) adaptively
learn the traffic pattern changes» Successfully detected flow-level SYN flooding and various
port scans with NU, LBL and Fermi network traces
– Flow-level mitigation of attacks– Combine with 802.16 specific signature-based
detection» Automatic polymorphic worm signature generation
8
WAIDM Systems (II)
• Anomaly diagnosis for false positive reduction– Use statistics from MIB of base station to
understand the wireless network status» E.g., busy vs. idle wireless networks, with different level
of interferences, etc.» Successfully experimented with 802.11 networks
– Root cause analysis for diagnose link failures, routing misconfiguration, etc.
– Useful for managing and trouble-shooting the WiMAX networks
9
WAIDM Deployment• Attached to a switch connecting BS as a black
box• Enable the early detection and mitigation of
global scale attacks• Highly ranked as “powerful and flexible" by the
DARPA research agenda
Original configuration WAIDM deployed
Internet
802.16BS
Users
(a)
(b)
802.16BS
Users
Switch/BS controller
Internet
sca
n
po
rtW
AID
Msy
ste
m
802.16BS
Users
802.16BS
Users
Switch/BS controller
10WAIDM Architecture
Reversiblek-ary sketch monitoring
Filtering
Sketch based statistical anomaly detection (SSAD)
Local sketch records
Sent out for aggregation
Remote aggregatedsketchrecords
Per-flow monitoring
Streaming packet data
Normal flows
Suspicious flows
Intrusion or anomaly alarms to fusion centers
Keys of suspicious flows
Keys of normal flows
Data path Control pathModules on the critical path
Signature-based detection
Traffic profile checking
Statistical detection
Part ISketch-basedmonitoring & detection
Part IIPer-flowmonitoring & detection
Modules on the non-critical path
Network fault detection
11
Intrusion Mitigation
Attacks detected MitigationDenial of Service (DoS), e.g., TCP SYN flooding
SYN defender, SYN proxy, or SYN cookie for victim
Port Scan and worms Ingress filtering with attacker IPVertical port scan Quarantine the victim machineHorizontal port scan Monitor traffic with the same
port # for compromised machine
Spywares Warn the end users being spied
HORIZONTAL
PORT NUMBER
SOURCE IP
BLOCK
VERTICAL
12
• Evaluated with NU traces (536M flows, 3.5TB traffic)
• Scalable and efficient – For the worst case traffic, all 40 byte packets:
» 16 Gbps on a single FPGA board» 526 Mbps on a Pentium-IV 2.4GHz PC
– Only less than 10MB memory used
• Accurate– 19 SYN flooding, 1784 horizontal scans and 29
vertical scans detected in one-day NU traces– Validation
» All flooding and vertical scan, and top 10 and bottom 10 for horizontal scans
» Both well-known and new worms found (new confirmed in DShield)
• Patent filed
Evaluation of Sketch-based Detection
Recommended