Network Defense Research. TRUST Meeting, Berkeley, March 2007. Anthony D. Joseph; Ken Birman, Robbert van Renesse; Vern Paxson; Deirdre K. Mulligan, Aaron Burstein, Maryanne McCormick.


Page 1:

TRUST Meeting, Berkeley, March 2007

Anthony D. Joseph

Ken Birman, Robbert van Renesse

Vern Paxson

Deirdre K. Mulligan, Aaron Burstein, Maryanne McCormick

Network Defense Research

"Network Defense Research," Anthony D. Joseph 1

Page 2:

Outline

- DETER Testbed
- Network Defense Research at Cornell
- Network Defense Research at ICSI
- Access to Data (UCB)
- Network Defense Research at UCB


Page 3:

The DETER Testbed

Anthony D. Joseph

Shankar Sastry

University of California, Berkeley

Page 4:

DETER Testbed Motivation

- Inadequate deployment of security technologies
  - Despite 10+ years of investment in network security research
- Lack of experimental infrastructure
  - Testing and validation occur mostly at small scales
  - Lack of objective test data, traffic and metrics
- cyber DEfense TEchnology Experimental Research testbed
  - Open to all researchers (government, industrial, academic)

Page 5:

DETER Testbed Goals

1) Design and construct a testbed for network security experiments
   - Attack scenarios/simulators, topology generators, background traffic, monitoring/visualization tools
2) Do research on experimental methodology for network security
   - Scientifically rigorous frameworks/methodologies
3) Do research on network security
   - Attack detection and countermeasure tools

Page 6:

DETER Testbed Capabilities

- "Real systems, real code, real attacks!"
  - ~400 PCs with 5+ Gigabit Ethernet links each
  - Supports all x86 OSes: Windows, Linux, UNIX
- Modeling large-scale wide-area networks
  - Nodes can be used as clients, routers, and servers
  - Examining the effects of "rare events"
- Evaluating commercial hardware/prototypes
  - Vendor-neutral environment
  - Intrusion detection/protection appliances
  - Interactions between different vendors' products
  - Performance testing: normal and under attack

Page 7:

Example Experiments

- Slammer: bandwidth-limited scanning worm
  - ICSI and PSU: modeling propagation through the Internet [WORM'04 paper]
  - Virtual node model of the response of subnets
  - 1/64th-scale Internet
- Other experiments:
  - Collaborative defenses
  - Large-scale enterprise network simulation
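
The scaling argument behind the 1/64th-scale Internet run, as an added example (not DETER, ICSI or PSU code). It integrates the standard logistic model of a random-scanning worm; the link speed, probe size and vulnerable population are assumed, Slammer-like values rather than measurements, and scale_down() shows why the address space and the vulnerable population must shrink by the same factor:

```python
"""Random-scanning worm propagation at full scale and at 1/64th scale.

Added example; it is not DETER, ICSI or PSU code. It uses the standard
logistic (random constant spread) model of a random-scanning worm: each
infected host probes s random addresses per second, so
    dI/dt = (s / N) * I * (V - I)
with N addresses, V vulnerable hosts and I infected hosts. The numbers
in __main__ (10 Mb/s effective link, 404-byte probe, 2^16 vulnerable
hosts) are assumptions chosen to be Slammer-like, not measurements.
"""
import math


def bandwidth_limited_scan_rate(link_bps, probe_bytes):
    """Probes/s one infected host can emit when it never waits for replies.

    A single-packet UDP worm is limited only by link capacity: scan rate
    is bits per second divided by bits per probe.
    """
    return link_bps / (8.0 * probe_bytes)


def contact_rate(n_addresses, n_vulnerable, scan_rate):
    """Logistic growth constant K = s * V / N (per second); ln2 / K is the doubling time."""
    return scan_rate * n_vulnerable / n_addresses


def simulate(n_addresses, n_vulnerable, scan_rate, seconds, dt=0.1, initial=1):
    """Forward-Euler integration of the logistic model.

    Returns a list of (t, infected_fraction) samples. Populations are
    treated as fluid quantities, so a 1/64-scale run may hold fractional
    hosts; the scaled testbed makes the same simplification.
    """
    infected = float(initial)
    series = []
    for step in range(int(round(seconds / dt)) + 1):
        series.append((step * dt, infected / n_vulnerable))
        # A probe hits a vulnerable, still-uninfected host with probability (V - I) / N.
        new = scan_rate * infected * (n_vulnerable - infected) / n_addresses * dt
        infected = min(float(n_vulnerable), infected + new)
    return series


def time_to_fraction(series, target):
    """First sample time at which the infected fraction reaches `target`, or None."""
    for t, frac in series:
        if frac >= target:
            return t
    return None


def scale_down(n_addresses, n_vulnerable, factor):
    """Shrink address space and vulnerable population by the same factor.

    contact_rate() is unchanged, so the fraction-infected curve is the same
    provided the initial infected *fraction* is the same too.
    """
    return n_addresses / factor, n_vulnerable / factor


def seed_shift_seconds(n_addresses, n_vulnerable, scan_rate, factor):
    """How far ahead a 1/factor-scale run seeded with one host runs, in seconds.

    One host in the scaled testbed is `factor` hosts at full scale, and the
    logistic curve needs ln(factor) / K seconds to grow by that factor.
    """
    return math.log(factor) / contact_rate(n_addresses, n_vulnerable, scan_rate)


if __name__ == "__main__":
    s = bandwidth_limited_scan_rate(10e6, 404)      # assumed per-host link and probe size
    N, V = 2 ** 32, 2 ** 16                          # IPv4 space, assumed vulnerable population
    full = simulate(N, V, s, 400)
    small = simulate(*scale_down(N, V, 64), s, 400)
    print("scan rate %.0f probes/s, doubling time %.1f s"
          % (s, math.log(2) / contact_rate(N, V, s)))
    print("time to 50%%: full scale %.1f s, 1/64 scale seeded with one host %.1f s"
          % (time_to_fraction(full, 0.5), time_to_fraction(small, 0.5)))
```

Shrinking N and V together keeps K = sV/N, so the fraction-infected curve is reproduced exactly. What does not scale is the seed: one infected host in a 1/64-scale testbed is 64 hosts at full scale, so the scaled epidemic runs ln(64)/K seconds ahead (seed_shift_seconds()), about 88 seconds with the parameters above. Either seed the scaled run with the scaled initial fraction or subtract that offset when comparing against full-scale data.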

Page 8:

[Figure: DETER testbed architecture. An ISI cluster and a UCB cluster, each with experiment PCs, a 'Boss' server, a 'User' server, user files, a download server, node serial line servers, power controllers, and Cisco/Nortel and Foundry/Nortel switches, linked by trunks and joined across the Internet through IPsec tunnels behind firewalls (FW). Users reach the control network through a firewall; each node attaches to the control network via its own NIC. Other labels in the figure: User, CE.]

Page 9:

DETER Project Timeline

- Funding
  - DETER: NSF and DHS HSARPA (Sept 03 – Feb 07)
  - DECCOR: NSF CRI program (Jul 05 – Jun 07)
  - DIPLOMAT: DHS HSARPA (Sept 06 – )
  - DIRECT: AFOSR DURIP program (Apr 06 – Mar 07)
- Experience to date: over 40 projects
  - DDoS attack-defense, worm behavior characterization, network routing attack-defense
  - Security course support at UCB, commercial devices
  - DHS cybersecurity 2006 exercise
- Working with Cornell to federate with their testbed
  - Interesting latency challenges
  - Also Utah and Vanderbilt testbeds
- DETER Community Workshop, August 6-7, 2007 (before the USENIX Tech Conference), Boston, MA

Page 10:

DETER Testbed Software

- Extended Utah Emulab control plane software
  - Experiment creation GUI and security features
- Experimental node OS support
  - RedHat Linux 7.3, FreeBSD 4.9, or Windows XP
  - Users can load arbitrary code; in fact, the user has root access to all allocated nodes!
- No direct IP path into the experimental network
  - Encrypted tunnels across the Internet (SSL/SSH/IPsec)
- A secure process replaces the OS after each experiment
  - Optional disk scrub after experiments

Page 11:

Upcoming Software Capabilities

- Reusable library of realistic, rigorous, reproducible, impartial tests (Archived Experiments)
  - For assessing attack impact/defense effectiveness
  - Test data, test configurations, analysis software, and experiment automation tools
- Usage examples and methodologies (WorkBench)
  - Test selection recommendations
  - Test cases, results, and benchmarks

Page 12:

Related Effort with OSD/NII

- GIG context: vast networks, people and technical systems, and embedded systems
  - Insufficient large complex systems analytical methods limit sensor, data, and network capabilities
  - Tactical Edge and Warfighter Assurance
  - NSF System of Networked Embedded Devices workshop (10/05): the few successful distributed systems spent "50-75% of their development budget on debugging, testing and validation"
- Solving the Analytic Gap: Advanced Mathematics for Scale & Complexity (w/ Kirstie Bellman, Aerospace Corp)
  - Map DoD operational deficits to potentially important mathematical R&D problems
  - Identify new approaches for evaluating the scalability of methods
  - Three driving problems: testbed validation, detecting anomalous traffic flows, DoD-COTS interactions

Page 13:

DETER Clusters

ISI

UCB

Open to the community: request an account at http://www.deterlab.net/

Page 14:

Network Defense at Cornell

Ken Birman

Robbert van Renesse

Page 15:

Nightwatch: Auditing of Large Systems; Robbert van Renesse, Cornell Univ. 15

Approach

- Robust networked middleware for mission-critical distributed applications
- Emphasis on many dimensions of scale
  - High latencies due to physical distances
  - High overheads due to casual use of middleware abstractions
  - High vulnerability due to large number of components
  - ...

Page 16:

Products

- Fireflies: intrusion-tolerant network overlays
- SecureStream: intrusion-tolerant video streaming
- Nightwatch: intrusion-tolerant auditing service
- Quicksilver: next-generation multicast / pubsub
- Ricochet: FEC for time-critical multicast protocols
- Maelstrom: FEC for high latency connections
- SMFS: file system for high latency connections
- Tempest: middleware for time-critical SOA systems
- r-Kelips: robust P2P range-index

Page 17:

Our cluster

- 216 blades, 3 100 Mbit Ethernet ports each
- 20 1U servers, 3 1 Gbit Ethernet ports each
- HP ProCurve 100 Mbit switches
- Nortel 1 Gbit switches
- 3 Terabyte storage servers

Funded by DURIP grants

Page 18:

Vern Paxson

ICSI Network Defense Research

"ICSI Network Defense Research,” Vern Paxson 18

Page 19:

ICSI & TRUST, V. Paxson

ICSI Network Defense Research

- Research Focus #1: network intrusion detection (and prevention) in an operational environment
  - Mainly using the Bro system 24x7 at Lawrence Berkeley National Lab, UCB
  - Efforts:
    - Detection algorithms
    - Forensics (the "Time Machine")
    - High performance (clusters; FPGA/parallel analysis)
    - Disparate context (distributed monitoring; host-based sensors)
    - Sharing information across sites
    - Integrating honeynet data

Page 20:

ICSI Network Defense Research

- Research Focus #2: addressing the threat of large-scale compromise of Internet hosts
  - Key enabling technology for today's bleak Internet landscape (spam, phishing, identity theft, extortion)
  - Done in the context of the NSF Cybertrust Center for Internet Epidemiology & Defenses (w/ UCSD)
  - Scope:
    - Internet Epidemiology (understanding the threat)
    - Automated Defenses (protection w/o human-in-the-loop)
    - Counter-threat Pragmatics (associated legal & economic issues)

Page 21:

ICSI & TRUST (current)

- Effort #1: assessing resilience of network monitoring systems to evasion
  - Evasion presents a fundamentally hard problem
  - But: no sound benchmark to assess it exists ... and thus no pressure on vendors to address it
  - Goal: develop a modular, open source testing framework to facilitate the emergence of benchmarks
  - Work done in the context of TRUST's ICAST collaboration
  - Year 1: trace-based, off-line
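
An added example of the kind of evasion this effort targets, with constructed segments rather than ICSI's framework: the same four TCP segments read as a benign request, a hostile request, or no match at all, depending on how the monitor treats an overlapping retransmission:

```python
"""TCP segment-overlap evasion against a passive monitor.

Added example; it is not ICSI's testing framework. The four segments are
constructed by hand. The same packets are read three ways: signature
matching on each packet alone, reassembly that keeps the first bytes seen
for a sequence range, and reassembly that keeps the last. The receiving
host's TCP stack, not the monitor, decides which reading is real (the
insertion/evasion ambiguity described by Ptacek and Newsham).
"""

SIGNATURE = b"GET /cgi-bin/evil.cgi"

# Constructed one-direction trace: (tcp_seq, payload). The third segment
# retransmits the second one's sequence range with different content.
SEGMENTS = [
    (1000, b"GET /cgi-bin/"),
    (1013, b"good.cgi"),
    (1013, b"evil.cgi"),
    (1021, b" HTTP/1.0\r\n\r\n"),
]


def per_packet_match(segments, signature=SIGNATURE):
    """Stateless matcher: inspects each payload on its own."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments, policy):
    """Rebuild the contiguous byte stream starting at the lowest sequence number.

    policy "first": a byte already seen for a position is never overwritten.
    policy "last":  a later segment overwrites earlier data for that position.
    Real stacks differ on this (and on partial overlaps), which is exactly
    the monitor's problem.
    """
    if policy not in ("first", "last"):
        raise ValueError(policy)
    stream = {}
    for seq, payload in segments:
        for offset, byte in enumerate(payload):
            pos = seq + offset
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    if not stream:
        return b""
    out = bytearray()
    pos = min(stream)
    while pos in stream:            # stop at the first hole in the stream
        out.append(stream[pos])
        pos += 1
    return bytes(out)


def stream_match(segments, policy, signature=SIGNATURE):
    """Signature match on the reassembled stream under the given overlap policy."""
    return signature in reassemble(segments, policy)


def inconsistent_overlaps(segments):
    """Sequence positions covered twice with differing data.

    A passive monitor cannot resolve these by itself; the options are to
    alert on them, to normalize traffic in-line so the receiver only ever
    sees one version, or to learn the receiver's behaviour by active mapping.
    """
    seen, conflicts = {}, []
    for seq, payload in segments:
        for offset, byte in enumerate(payload):
            pos = seq + offset
            if pos in seen and seen[pos] != byte:
                conflicts.append(pos)
            seen.setdefault(pos, byte)
    return sorted(set(conflicts))
```

A trace-based benchmark of the kind the slide describes would replay segment sets like this one against the monitor under test and compare its verdict with what the target host actually executed; a monitor that reports the four inconsistent positions, rather than silently picking a policy, is the one that has understood the problem.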

Page 22:

ICSI & TRUST (current)

- Effort #2: understanding fingerprinting of off-port applications
  - Context: many apps today avoid well-known ports (P2P; Skype; botnet C&C)
  - Also highly relevant for anonymizers
  - A significant body of work aims to identify them via statistical (non-content) techniques
  - Our premise: these are fundamentally weak ...
  - ... which we aim to show analytically and empirically
  - Effort w/ Alvaro Cardenas (TRUST postdoc)
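
An added illustration of the premise, with constructed flows and a toy nearest-centroid classifier rather than the ICSI/Cardenas analysis: packet sizes and inter-packet gaps are chosen by the sender, so a flow can be moved across a statistical decision boundary at a cost the sender can price in advance:

```python
"""Shaping a flow past a non-content application fingerprint.

Added example; the flows, the two classes and the classifier are all
constructed for illustration and are not the ICSI/TRUST study. Features
are a flow's mean packet size and mean inter-packet gap, standardised on
the training set; the classifier is nearest-centroid. Both features are
under the sender's control, so a bot can pad and reschedule its beacons
until the flow sits on the "web" side of the boundary.
"""
import math

# Constructed training flows: list of (packet_bytes, gap_seconds_before_packet).
WEB = [
    [(1200, 0.02), (1400, 0.01), (900, 0.15), (1300, 0.03), (1100, 0.08)],
    [(1000, 0.05), (1400, 0.02), (1400, 0.02), (800, 0.20), (1250, 0.04)],
    [(1350, 0.01), (1100, 0.06), (950, 0.12), (1400, 0.02), (1200, 0.05)],
]
CC = [  # small, regularly spaced beacons
    [(72, 5.0), (80, 5.1), (72, 4.9), (76, 5.0), (72, 5.0)],
    [(64, 10.0), (64, 9.8), (90, 10.2), (64, 10.0), (64, 9.9)],
    [(100, 3.0), (96, 3.1), (100, 2.9), (100, 3.0), (98, 3.0)],
]
TRAIN = [(f, "web") for f in WEB] + [(f, "cc") for f in CC]


def features(flow):
    """(mean packet size, mean inter-packet gap) of one flow."""
    return (sum(s for s, _ in flow) / len(flow), sum(g for _, g in flow) / len(flow))


class NearestCentroid:
    """Standardises both features, then assigns the closest class centroid."""

    def __init__(self, labelled):
        feats = [features(f) for f, _ in labelled]
        self.mu = [sum(x[i] for x in feats) / len(feats) for i in range(2)]
        self.sd = [math.sqrt(sum((x[i] - self.mu[i]) ** 2 for x in feats) / len(feats))
                   for i in range(2)]
        self.raw_centroid, self.centroid = {}, {}
        for label in sorted({l for _, l in labelled}):
            pts = [features(f) for f, l in labelled if l == label]
            self.raw_centroid[label] = [sum(p[i] for p in pts) / len(pts) for i in range(2)]
            self.centroid[label] = self._z(self.raw_centroid[label])

    def _z(self, x):
        return [(x[i] - self.mu[i]) / self.sd[i] for i in range(2)]

    def predict(self, flow):
        z = self._z(features(flow))
        return min(self.centroid, key=lambda label: math.dist(z, self.centroid[label]))


def shape(flow, target_size, target_gap):
    """Pad every packet up to target_size and send one every target_gap seconds.

    Returns (shaped flow, padding bytes added). Timing costs nothing in
    bytes but changes the flow's latency; both knobs are sender-side.
    """
    shaped = [(max(size, target_size), target_gap) for size, _ in flow]
    return shaped, sum(max(0, target_size - size) for size, _ in flow)


def mimic(clf, flow, target_label):
    """Shape `flow` onto the raw-feature centroid of `target_label`."""
    size, gap = clf.raw_centroid[target_label]
    return shape(flow, int(round(size)), gap)
```

The classifier separates the constructed classes perfectly and is still useless against an adversary who knows (or estimates) the web centroid: the price of crossing the boundary is a few kilobytes of padding per beacon and a timing change. Richer features (size distributions, burstiness, direction patterns) raise the price but not the principle, which is the analytic half of the argument above.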

Page 23:

ICSI & TRUST (current)

- Effort #3: informing development of legal frameworks for network security research
  - Maryanne McCormick, Aaron Burstein (Law)
  - Issues:
    - Sharing data, traces
    - Containment: how do you control potential infections?
    - Participating in botnets
    - Interacting with botmasters, buyers & sellers

Page 24:

ICSI & TRUST (future)

- Widen evasion testing methodology
  - Live hosts to facilitate normalization, active mapping, host agent defenses
  - Evasion-by-stress, particularly state management stresses
- Cross-site information sharing
  - Architecture #1: global database, local reputation
  - Arch. #2: "detectives" and "witnesses"
  - Arch. #3: confederation of sites that mostly trust one another
- Seeding vision proposed by ICSI to Cybertrust:
  - Sites send scripts describing activity of interest
  - Recipients can automatically both search retrospectively and instrument for the future

Page 25:

Deirdre K. Mulligan

Aaron Burstein

Maryanne McCormick

Access to Data

"Access to Data," Deirdre K. Mulligan 25

Page 26:

Access to Cyber Security Data

- Access to real datasets could produce a "paradigm shift" for computer and network security research
- Problems:
  - Relevant data regulated by disparate laws; research exceptions are weak or non-existent
  - No coherent policy view of "cyber security"
  - Data needs highly varied
  - Data controllers highly dispersed, incentives conflict
- Current situation:
  - Few common datasets for comparisons, testbeds
  - "Every firm for itself," with some exceptions

Page 27:

Access-to-data: DMCA

- Need to understand sources of vulnerabilities on end-users' computers
  - Digital Millennium Copyright Act (DMCA) prohibits circumventing "technological protection measures" that control access to copyrighted works
  - Weak "security testing" exception
- Sony BMG "rootkit" episode
  - Audio CDs installed copy-prevention software that hid from the user and left machines vulnerable
  - Researchers delayed reporting findings because of fear of legal liability
  - Meanwhile ~500,000 users installed the software
  - Librarian of Congress granted a DMCA exemption, for audio CDs only

Page 28:

Access-to-data: Communications Privacy

- Internet traffic datasets needed to understand worm & virus propagation, DDoS attacks
  - Cross-organizational sharing needed to understand large-scale attacks
- No research exceptions for intercepting communications contents (Wiretap Act) or disclosing stored contents or addressing information (Stored Communications Act)
  - Provider protection exceptions not always applicable
- Very difficult to get a good picture of Internet traffic
  - Government (including state university) researchers at a particular disadvantage
  - Examining institutions, legal reforms to allow sharing

Page 29:

Access-to-data: Computer abuse

- "Honeynets" (networks of computers intended to be attacked) offer a way to study attack tactics, malware
- Computer Fraud & Abuse Act prohibits knowingly accessing another computer on the Internet "without authorization"
  - No research exception
  - Researchers liable for compromised machines?
  - Researchers liable for infiltrating attack networks?
- Legal concerns mitigated by statutory mental state requirement

Page 30:

Anthony D. Joseph

UCB Network Defense Research


Page 31:

UCB Network Defense Research

- Research Focus #1: Novel Worm/Virus Detection and Machine Containment
  - Leverage machine learning to identify and quarantine e-mail worms and viruses before signatures are available
  - Efforts:
    - Learning on a single user's outgoing e-mail behavior
    - Using a multi-tiered modeling approach
    - Leveraging existing anti-virus solutions to improve results
    - Containing (or slowing) infection until scanners can detect it
  - Results:
    - Very low false positive and false negative rates
    - Could be effective containment even with 50% deployment

Page 32:

UCB Network Defense Research

- Research Focus #2: Efficient Detection of Network-Wide Anomalies
  - Detecting sudden changes in origin-destination flows (from DDoS, device failure, misconfigurations, ...) using only link traffic measurements
  - Efforts:
    - Applying distributed Principal Component Analysis to separate normal from anomalous traffic
    - Working to reduce detection time scales, increase the number of monitor nodes
  - Results:
    - User-specified level of accuracy
    - Order of magnitude reduction in network monitoring traffic
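
A worked version of the method behind this focus, as an added example and not the UCB/Intel implementation: link loads are constructed from three origin-destination flows routed over five links, one flow gets a volume spike in a single time bin, and PCA on the link loads alone finds it. slack_filter() sketches the distributed reporting trade-off. The traffic shapes, routing matrix, noise, slack value and detection threshold are all assumptions made for the example:

```python
"""Network-wide volume anomaly detection from link loads with PCA.

Added example; it is not the UCB/Intel distributed-PCA implementation.
Traffic is constructed: three OD flows with smooth periodic patterns are
routed over five links, small noise is added, and one OD flow spikes in a
single bin. PCA (power iteration with deflation, no numpy) finds the
low-dimensional "normal" subspace of link loads; the energy left outside
it, the squared prediction error (SPE), spikes only at the anomalous bin
although no single link is inspected on its own. slack_filter() is the
distributed variant in miniature: monitors report only when a reading has
drifted beyond a user-chosen slack, trading monitoring traffic for accuracy.
"""
import math
import random

BINS, PERIOD = 96, 48          # 96 time bins; one "day" is 48 bins (assumed)
ROUTING = [                    # links x OD flows: which flows each link carries
    [1, 1, 0],
    [1, 0, 1],
    [0, 1, 0],
    [0, 0, 1],
    [0, 1, 1],
]
ANOMALY_BIN, ANOMALY_FLOW, ANOMALY_SIZE = 30, 1, 60


def od_flows(t):
    """Constructed 'normal' OD traffic volumes at bin t."""
    w = 2 * math.pi * t / PERIOD
    return [100 + 40 * math.sin(w), 80 + 30 * math.cos(w), 60 + 20 * math.sin(w + 1)]


def link_loads(inject=True, seed=7):
    """BINS x links matrix: routing * OD flows + noise (+ the injected anomaly)."""
    rng = random.Random(seed)
    rows = []
    for t in range(BINS):
        x = od_flows(t)
        if inject and t == ANOMALY_BIN:
            x[ANOMALY_FLOW] += ANOMALY_SIZE
        rows.append([sum(a * xi for a, xi in zip(link, x)) + rng.uniform(-1, 1)
                     for link in ROUTING])
    return rows


def top_components(y, k, iters=300):
    """Column means and the top-k principal directions of the rows of y."""
    n, dim = len(y), len(y[0])
    means = [sum(r[j] for r in y) / n for j in range(dim)]
    yc = [[r[j] - means[j] for j in range(dim)] for r in y]
    cov = [[sum(r[i] * r[j] for r in yc) / n for j in range(dim)] for i in range(dim)]
    comps = []
    for _ in range(k):
        v = [1.0 / math.sqrt(dim)] * dim
        for _ in range(iters):                      # power iteration
            v = [sum(cov[i][j] * v[j] for j in range(dim)) for i in range(dim)]
            norm = math.sqrt(sum(c * c for c in v))
            v = [c / norm for c in v]
        lam = sum(v[i] * cov[i][j] * v[j] for i in range(dim) for j in range(dim))
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(dim)] for i in range(dim)]
        comps.append(v)                             # deflated: next pass finds the next PC
    return means, comps


def spe(y, means, comps):
    """Squared prediction error of each bin: energy outside the normal subspace."""
    out = []
    for r in y:
        c = [r[j] - means[j] for j in range(len(r))]
        for v in comps:
            s = sum(ci * vi for ci, vi in zip(c, v))
            c = [ci - s * vi for ci, vi in zip(c, v)]
        out.append(sum(ci * ci for ci in c))
    return out


def detect(y, k=2, factor=10.0):
    """Bins whose SPE exceeds `factor` times the median SPE, plus all SPE values."""
    means, comps = top_components(y, k)
    errors = spe(y, means, comps)
    median = sorted(errors)[len(errors) // 2]
    return [t for t, e in enumerate(errors) if e > factor * median], errors


def slack_filter(y, slack):
    """Each monitor reports a link load only when it has moved more than `slack`
    since its last report; the coordinator reuses stale values otherwise.
    Returns (reconstructed matrix, fraction of readings actually sent)."""
    dim = len(y[0])
    last, sent, rows = list(y[0]), dim, [list(y[0])]
    for r in y[1:]:
        for j in range(dim):
            if abs(r[j] - last[j]) > slack:
                last[j], sent = r[j], sent + 1
        rows.append(list(last))
    return rows, sent / (len(y) * dim)
```

detect(link_loads()) flags bin 30 and nothing else; with the anomaly removed it flags nothing. The threshold here is a crude multiple of the median SPE, and a production detector would set it from a false-positive target instead. The slack is the kind of knob the slide's "user-specified level of accuracy" refers to: a larger slack means fewer reports and a noisier residual, and the anomaly must stay well above the noise floor that the slack introduces.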

Page 33:

UCB Network Defense Research

- Research Focus #3: Attacks Against Machine Learning-based Security Systems
  - Attacking ML-based security systems such as intrusion detection systems and spam filters
  - Efforts:
    - Developing a taxonomy of attacks (dodging and numbing)
    - Determining an attacker's work function for altering a learner based on different levels of knowledge and control
    - Building a test platform for attacks and countermeasures
  - Results:
    - Theoretical analysis of attacker work function for a simple mean-centered hypersphere classifier
    - Modified SpamBayes platform for adversarial learning
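
The work-function analysis for the mean-centered hypersphere classifier, as an added example that re-derives the bound in a model assumed here (the learner naively retrains on every point it accepts; the attacker uses a greedy boundary strategy) rather than reproducing the UCB analysis:

```python
"""Attacker work function against a mean-centered hypersphere detector.

Added example, not the UCB analysis itself; it computes the same kind of
bound in a model assumed here: the detector has n benign training points
with centroid c and radius R, accepts anything within R of c, and moves c
to the mean of every point accepted so far (naive retraining). The
attacker wants a point at distance D > R from the original centroid to be
accepted, and every submitted point must itself be accepted to count. The
best move is always a point on the boundary toward the target, so the
attack lives on the line from c to the target and is one-dimensional.
"""
import math


def is_accepted(point, centroid, radius):
    """Hypersphere rule in one dimension: benign iff within radius of the mean."""
    return abs(point - centroid) <= radius


def points_needed(n, radius, distance, max_points=10 ** 6):
    """Greedy boundary attack; returns (points submitted, final centroid offset).

    With k points in the mean, one accepted point at c + R moves c by
    R / (k + 1); after M points the drift is R * (H_{n+M} - H_n), so the
    attacker needs roughly n * (exp((D - R) / R) - 1) points: exponential
    in the distance beyond the boundary, measured in radii.
    """
    centroid, count, submitted = 0.0, n, 0
    while not is_accepted(distance, centroid, radius):
        if submitted >= max_points:
            raise RuntimeError("attack did not converge")
        probe = centroid + radius            # on the boundary, toward the target
        centroid = (centroid * count + probe) / (count + 1)
        count += 1
        submitted += 1
    return submitted, centroid


def analytic_estimate(n, radius, distance):
    """Closed-form approximation of points_needed() via H_{n+M} - H_n ~ ln((n+M)/n)."""
    excess_radii = (distance - radius) / radius
    return n * (math.exp(excess_radii) - 1)


def work_table(n, radius, distances):
    """(D/R, points needed, analytic estimate) rows: cost grows exponentially in D/R."""
    return [(d / radius, points_needed(n, radius, d)[0], analytic_estimate(n, radius, d))
            for d in distances]


if __name__ == "__main__":
    for ratio, m, est in work_table(100, 1.0, [1.5, 2.0, 2.5, 3.0]):
        print("D = %.1f R: %5d points (estimate %.0f)" % (ratio, m, est))
```

With n = 100 training points and R = 1, dragging the sphere far enough to accept a target at 2R takes 173 accepted probes against an estimate of 100(e − 1) ≈ 172, and each further radius multiplies the cost by about e. That exponent is what changes when the learner's update rule changes (bounded per-round movement of the centroid, lower weight on recent points, or no retraining on unlabelled accepts), which is why the work function is analysed per level of attacker knowledge and control.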