Network-based Intrusion Detection, Prevention and Forensics System

Yan Chen, Department of Electrical Engineering and Computer Science, Northwestern University
Lab for Internet & Security Technology (LIST), http://list.cs.northwestern.edu

PowerPoint PPT presentation, 28 pages
Page 1

Network-based Intrusion Detection, Prevention and Forensics System

Yan Chen
Department of Electrical Engineering and Computer Science
Northwestern University
Lab for Internet & Security Technology (LIST)
http://list.cs.northwestern.edu

Page 2

The Spread of Sapphire/Slammer Worms

Page 3

Current Intrusion Detection Systems (IDS)

• Mostly host-based and not scalable to high-speed networks
  – Slammer worm infected 75,000 machines in <10 mins
  – Host-based schemes inefficient and user dependent
    » Have to install IDS on all user machines!
• Mostly simple signature-based
  – Cannot recognize unknown anomalies/intrusions
  – New viruses/worms, polymorphism

Page 4

Current Intrusion Detection Systems (II)

• Cannot provide quality info for forensics or situational-aware analysis
  – Hard to differentiate malicious events from unintentional anomalies
    » Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration
  – Cannot tell the situational-aware info: attack scope/target/strategy, attacker (botnet) size, etc.

Page 5

Network-based Intrusion Detection, Prevention, and Forensics System

• Online traffic recording [SIGCOMM IMC 2004, INFOCOM 2006, ToN to appear]
  – Reversible sketch for data streaming computation
  – Record millions of flows (GB traffic) in a few hundred KB
  – Small number of memory accesses per packet
  – Scalable to large key space size (2^32 or 2^64)
• Online sketch-based flow-level anomaly detection [IEEE ICDCS 2006] [IEEE CG&A, Security Visualization 06]
  – Adaptively learn the traffic pattern changes
  – As a first step, detect TCP SYN flooding, horizontal and vertical scans even when mixed
• Online stealthy spreader (botnet scan) detection [IWQoS 2007]

Page 6

Network-based Intrusion Detection, Prevention, and Forensics System (II)

• Polymorphic worm signature generation & detection [IEEE Symposium on Security and Privacy 2006] [IEEE ICNP 2007 to appear]
• Accurate network diagnostics [ACM SIGCOMM 2006] [IEEE INFOCOM 2007]
• Scalable distributed intrusion alert fusion w/ DHT [SIGCOMM Workshop on Large Scale Attack Defense 2006]
• Large-scale botnet and P2P misconfiguration event forensics [work in progress]

Page 7

System Deployment

• Attached to a router/switch as a black box
• Edge network detection particularly powerful

[Figure: three deployment configurations: (a) original configuration, (b) monitor each port separately, (c) monitor aggregated traffic from all ports. Components shown: Router, Switch, LAN, Internet, Splitter, RAND system (port scan), HPNAIDM system.]

Page 8

Vulnerability Analysis for WiMAX Networks

Yan Chen, Hai Zhou
Dept. of Electrical Engineering and Computer Science
Northwestern University

Z. Judy Fu
Motorola Labs

Page 9

The Current Threat Landscape and Countermeasures of WiMAX Networks

• WiMAX: next wireless phenomenon
  – Predicted multi-billion dollar industry
• WiMAX faces both Internet attacks and wireless network attacks
  – E.g., 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices
• Goal: secure WiMAX networks through intrusion prevention/detection
• Big security risks for WiMAX networks
  – No formal analysis about WiMAX security vulnerabilities

Page 10

Our Approach

• Vulnerability analysis of various layers
  – Focus on 802.16e specs (WiMAX standards) and Mobile IP v4/6 protocols so far
  – Intelligent and complete checking through a combination of manual analysis and automatic search through formal methods
  – First, manual analysis provides hints and the right level of abstraction for the automatic search
  – Then specify the specs and the potential capabilities of attackers in a formal language, TLA+ (the Temporal Logic of Actions)
  – Then model check for any possible attacks

Page 11

Mobile IPv6 (RFC 3775)

• Provides mobility at IP Layer

• Enables IP-based communication to continue even when the host moves from one network to another

• Host movement is completely transparent to Layer 4 and above

Page 12

Mobile IPv6 - Entities

• Mobile Node (MN) – Any IP host which is mobile
• Correspondent Node (CN) – Any IP host communicating with the MN
• Home Agent (HA) – A host/router in the Home network which:
  – Is always aware of MN's current location
  – Forwards any packet destined to MN
  – Assists MN to optimize its route to CN

Page 13

Mobile IPv6 - Process

• (Initially) MN is in home network and connected to CN
• MN moves to a foreign network:
  – Registers new address with HA by sending Binding Update (BU) and receiving Binding Ack (BA)
  – Performs Return Routability to optimize route to CN by sending HoTI, CoTI and receiving HoT, CoT
  – Registers with CN using BU and BA

Page 14

Mobile IPv6 in Action

[Figure: message diagram with Home Agent, Correspondent Node, Mobile Node, Home Network, Foreign Network and Internet. The Mobile Node sends BU and receives BA over the HA – MN tunnel, then exchanges HoTI/CoTI and HoT/CoT with the Correspondent Node (HoTI and HoT pass through the Home Agent), and finally BU/BA with the Correspondent Node.]

Page 15

Mobile IPv6 Vulnerability

• Nullifies the effect of Return Routability
• BA with status codes 136, 137 and 138 unprotected
• Man-in-the-middle attack
  – Sniffs BU to CN
  – Injects BA to MN with one of status codes above
• MN either retries RR or gives up route optimization and goes through HA

Page 16

MIPv6 Attack In Action

[Figure: message sequence between MN, HA, AT (the attacker) and CN. MN starts Return Routability: HoTI (via HA) and CoTI to CN, HoT (via HA) and CoT back. MN sends the Bind Update, which is sniffed by AT along the way. AT sends a spoofed Bind Ack to MN, so MN restarts Return Routability; the genuine Bind Ack from CN is silently discarded.]

• Only need a wireless network sniffer and a spoofed wired machine (no MAC needs to be changed!)
• Bind ACK often skipped by CN
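Added example (not from the slides, and not the authors' TLA+ model or MIPL test code): a Python model of the Return Routability exchange from Page 13 and of the unprotected BA status codes 136, 137 and 138 from Page 15. Kbm and the Binding Authorization Data follow the RFC 3775 constructions in simplified form; the class names, the single shared nonce index and the restart bound in MobileNode are assumptions, the last being an illustrative defensive check rather than anything the slides or the RFC specify.

```python
import hashlib, hmac, os

NONCE_EXPIRED = {136, 137, 138}  # BA status codes that carry no Binding Authorization Data

def kbm_from(home_token, coa_token):   # Kbm = SHA1(home keygen token | care-of keygen token)
    return hashlib.sha1(home_token + coa_token).digest()

def auth_data(kbm, *fields):           # First(96, HMAC-SHA1(Kbm, fields)): Binding Authorization Data
    return hmac.new(kbm, b"".join(fields), hashlib.sha1).digest()[:12]

class CorrespondentNode:
    def __init__(self):
        self.kcn = os.urandom(20)                        # node key Kcn, never leaves the CN
        self.nonce_index, self.nonces = 0, [os.urandom(8)]  # one index for home and care-of (simplification)

    def rotate_nonce(self):                              # CN periodically generates a fresh nonce
        self.nonce_index += 1
        self.nonces.append(os.urandom(8))

    def _token(self, addr, tag, i):                      # keygen token = First(64, HMAC-SHA1(Kcn, addr | nonce | tag))
        return hmac.new(self.kcn, addr + self.nonces[i] + tag, hashlib.sha1).digest()[:8]

    def handle_hoti_coti(self, hoa, coa):                # HoT and CoT: home token, care-of token, nonce index
        i = self.nonce_index
        return self._token(hoa, b"\x00", i), self._token(coa, b"\x01", i), i

    def handle_bu(self, hoa, coa, i, mac):               # BA as (status, auth data); None = silently discard
        if i != self.nonce_index:                        # nonce expired: CN has no Kbm, so BA 138 is unprotected
            return (138, None)
        kbm = kbm_from(self._token(hoa, b"\x00", i), self._token(coa, b"\x01", i))
        if hmac.compare_digest(mac, auth_data(kbm, hoa, coa)):
            return (0, auth_data(kbm, b"BA", hoa, coa))  # a bad authenticator falls through to None

class MobileNode:
    def __init__(self, hoa, coa, max_rr_restarts=3):     # the restart bound is an assumption, not RFC 3775 text
        self.hoa, self.coa, self.max, self.restarts, self.kbm = hoa, coa, max_rr_restarts, 0, None

    def run_rr(self, cn):                                # HoTI/CoTI -> HoT/CoT, then build the Binding Update
        ht, ct, i = cn.handle_hoti_coti(self.hoa, self.coa)
        self.kbm = kbm_from(ht, ct)
        return self.hoa, self.coa, i, auth_data(self.kbm, self.hoa, self.coa)

    def handle_ba(self, ba):                             # next MN step; a spoofed 136-138 BA looks genuine
        status, mac = ba if ba else (None, None)
        if status == 0 and mac is not None and hmac.compare_digest(mac, auth_data(self.kbm, b"BA", self.hoa, self.coa)):
            self.restarts = 0
            return "route-optimized"
        if status in NONCE_EXPIRED:                      # cannot be verified, so bound the RR restarts
            self.restarts += 1
            return "restart-RR" if self.restarts <= self.max else "give-up-RO"  # fall back to the HA tunnel
        return "ignore"                                  # protected BA with a bad MAC, or nothing to act on
```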

Page 17

MIPv6 Vulnerability - Effects

• Performance degradation by forcing communication through sub-optimal routes
• Possible overloading of HA and Home Link
• DoS attack, when MN repeatedly tries to complete the return routability procedure
• Attack can be launched against a large number of machines in their foreign network
  – Small overhead for continuously sending spoofed Bind ACK to different machines

Page 18

TLA Analysis and Experiments

• With the spec modeled in TLA, the TLC search gives two other similar attacks w/ the same vulnerability
  – Complete the search of vulnerabilities w/ unprotected messages
• Implemented and tested in our lab
  – Using Mobile IPv6 Implementation for Linux (MIPL)
  – Tunnel IPv6 through IPv4 with Generic Routing Encapsulation (GRE) by Cisco
  – When the attack is in action, MN repeatedly tries to complete the return routability procedure – DoS attack!

Page 19

Extensible Authentication Protocols (EAP)

[Figure: EAP layering. Authentication method layer: EAP-TLS, EAP-TTLS, PEAP, EAP-FAST, EAP-SIM, EAP-AKA (with GSM and CDMA shown beneath EAP-SIM and EAP-AKA). EAP layer: Extensible Authentication Protocol (EAP). Data link layer: PPP, and EAP over LAN (EAPOL) over 802.3 Ethernet, 802.5 Token Ring, 802.11 WLAN and 802.16.]

Page 20

Extensible Authentication Protocols (EAP)

• EAP is an authentication framework
  – Supports about 40 different EAP methods
• Current targets
  – EAP-SIM for GSM cellular networks
  – EAP-AKA for 3G networks, such as UMTS and CDMA2000
  – EAP-FAST (Flexible Authentication via Secure Tunneling)
    » Most comprehensive and secure EAP method for WLAN
    » Will compare it w/ EAP-SIM and EAP-AKA

Page 21

Insider Attack Analysis

• Not hard to become a subscriber
• Can five subscribers bring down an entire WiMAX network?
• Check vulnerability after authentication
• Plan to analyze various layers of WiMAX networks
  – IEEE 802.16e: MAC layer
  – Mobile IP v4/6: network layer
  – EAP layer

Page 22

802.16e SS Init Flowchart

Page 23

Work Done

Page 24

Future work

Page 25

Outline

• Overview of Network Intrusion Detection, Prevention and Forensics System

• Case Study: Vulnerability analysis of the MIP v6 system

• Student recruiting

Page 26

Northwestern Lab for Internet and Security Technology (LIST)

• About Northwestern Univ.
  – US News and World Report, overall ranking #14, the Engineering grad school ranking #21.
  – On Lake Michigan, close to downtown Chicago
• Sponsors for LIST:
  – Department of Energy (Early CAREER Award)
  – Air Force Office of Scientific Research (Young Investigator Award)
  – National Science Foundation
  – Microsoft Research
  – Motorola Inc.

Page 27

Recruiting Ph.D. Students

• Bachelor in Computer Science or Computer Engineering
• Research experience a big plus
• TOEFL
• GRE
• Strongly motivated in independent research
• Feel free to talk to me after the talk

Page 28