TRUST Meeting, Berkeley, March 2007
Network Defense Research
Anthony D. Joseph
Ken Birman, Robbert van Renesse
Vern Paxson
Deirdre K. Mulligan, Aaron Burstein, Maryanne McCormick
Outline
– DETER Testbed
– Network Defense Research at Cornell
– Network Defense Research at ICSI
– Access to Data (UCB)
– Network Defense Research at UCB
The DETER Testbed
Anthony D. Joseph
Shankar Sastry
University of California, Berkeley
DETER Testbed Motivation
– Inadequate deployment of security technologies, despite 10+ years of investment in network security research
– Lack of experimental infrastructure: testing and validation occur mostly at small scales; lack of objective test data, traffic and metrics
– DETER (cyber DEfense TEchnology Experimental Research) Testbed: open to all researchers (government, industrial, academic)
DETER Testbed Goals
1) Design and construct a testbed for network security experiments: attack scenarios/simulators, topology generators, background traffic, monitoring/visualization tools
2) Do research on experimental methodology for network security: scientifically rigorous frameworks/methodologies
3) Do research on network security: attack detection and countermeasure tools
DETER Testbed Capabilities
"Real systems, real code, real attacks!"
– ~400 PCs with 5+ Gigabit Ethernet links each
– Supports all x86 OSes: Windows, Linux, UNIX
Modeling large-scale wide-area networks
– Nodes can be used as clients, routers, and servers
– Examining the effects of "rare events"
Evaluating commercial hardware/prototypes
– Vendor-neutral environment
– Intrusion detection/protection appliances
– Interactions between different vendors' products
– Performance testing: normal and under attack
Example Experiments
Slammer: bandwidth-limited scanning worm
– ICSI and PSU: modeling propagation through the Internet [WORM'04 paper]
– Virtual node model of the response of subnets
– 1/64th-scale Internet
Other experiments:
– Collaborative defenses
– Large-scale enterprise network simulation
[Figure: DETER testbed architecture. Two clusters (ISI and UCB), each with experiment PCs, a 'boss' server, a 'user' server, user files, a download server, node serial line servers and power controllers, interconnected by Cisco/Nortel and Foundry/Nortel switches over trunk links. The sites are joined across the Internet through firewalls and IPsec tunnels; a separate control network carries management traffic.]
DETER Project Timeline
Funding
– DETER: NSF and DHS HSARPA (Sept 03 – Feb 07)
– DECCOR: NSF CRI program (Jul 05 – Jun 07)
– DIPLOMAT: DHS HSARPA (Sept 06 – )
– DIRECT: AFOSR DURIP program (Apr 06 – Mar 07)
Experience to date: over 40 projects
– DDoS attack-defense, worm behavior characterization, network routing attack-defense
– Security course support at UCB, commercial devices
– DHS cybersecurity 2006 exercise
Working with Cornell to federate with their testbed
– Interesting latency challenges
– Also Utah and Vanderbilt testbeds
DETER Community Workshop: August 6-7, 2007 (before USENIX Tech Conf), Boston, MA
DETER Testbed Software
Extended Utah Emulab control plane software
– Experiment creation GUI and security features
Experimental node OS support
– RedHat Linux 7.3, FreeBSD 4.9, or Windows XP
– Users can load arbitrary code; in fact, users have root access to all allocated nodes
– No direct IP path into the experimental network; encrypted tunnels across the Internet (SSL/SSH/IPsec)
– A secure process replaces the OS after each experiment
– Optional disk scrub after experiments
Upcoming Software Capabilities
Reusable library of realistic, rigorous, reproducible, impartial tests (Archived Experiments)
– For assessing attack impact/defense effectiveness
– Test data, test configurations, analysis software, and experiment automation tools
Usage examples and methodologies (WorkBench)
– Test selection recommendations
– Test cases, results, and benchmarks
Related Effort with OSD/NII
GIG context: vast networks, people and technical systems, and embedded systems
– Insufficient analytical methods for large complex systems limit sensor, data, and network capabilities
– Tactical Edge and Warfighter Assurance
– NSF System of Networked Embedded Devices workshop (10/05): the few successful distributed systems spent "50-75% of their development budget on debugging, testing and validation"
Solving the Analytic Gap: Advanced Mathematics for Scale & Complexity (w/ Kirstie Bellman, Aerospace Corp)
– Map DoD operational deficits to potentially important mathematical R&D problems
– Identify new approaches for evaluating the scalability of methods
– Three driving problems: testbed validation, detecting anomalous traffic flows, DoD-COTS interactions
DETER Clusters: ISI, UCB
Open to the community – request an account at: http://www.deterlab.net/
Network Defense at Cornell
Ken Birman
Robbert van Renesse
Nightwatch: Auditing of Large Systems; Robbert van Renesse, Cornell Univ.
Approach
Robust networked middleware for mission-critical distributed applications
Emphasis on many dimensions of scale
– High latencies due to physical distances
– High overheads due to casual use of middleware abstractions
– High vulnerability due to large number of components
– …
Products
– Fireflies: intrusion-tolerant network overlays
– SecureStream: intrusion-tolerant video streaming
– Nightwatch: intrusion-tolerant auditing service
– Quicksilver: next-generation multicast / pub-sub
– Ricochet: FEC for time-critical multicast protocols
– Maelstrom: FEC for high-latency connections
– SMFS: file system for high-latency connections
– Tempest: middleware for time-critical SOA systems
– r-Kelips: robust P2P range index
Our cluster
– 216 blades, 3 100 Mbit Ethernet ports each
– 20 1U servers, 3 1 Gbit Ethernet ports each
– HP ProCurve 100 Mbit switches
– Nortel 1 Gbit switches
– 3 Terabyte storage servers
Funded by DURIP grants
Vern Paxson
ICSI Network Defense Research
ICSI Network Defense Research
Research Focus #1: network intrusion detection (and prevention) in an operational environment
– Mainly using the Bro system 24x7 at Lawrence Berkeley National Lab and UCB
– Efforts:
  Detection algorithms
  Forensics (the "Time Machine")
  High performance (clusters; FPGA/parallel analysis)
  Disparate context (distributed monitoring; host-based sensors)
  Sharing information across sites
  Integrating honeynet data
ICSI Network Defense Research
Research Focus #2: addressing the threat of large-scale compromise of Internet hosts
– Key enabling technology for today's bleak Internet landscape (spam, phishing, identity theft, extortion)
– Done in the context of the NSF Cybertrust Center for Internet Epidemiology & Defenses (w/ UCSD)
– Scope:
  Internet Epidemiology (understanding the threat)
  Automated Defenses (protection w/o human-in-the-loop)
  Counter-threat Pragmatics (associated legal & economic issues)
ICSI & TRUST (current)
Effort #1: assessing resilience of network monitoring systems to evasion
– Evasion presents a fundamentally hard problem
– But: no sound benchmark to assess it exists …. and thus no pressure on vendors to address it
– Goal: develop a modular, open-source testing framework to facilitate the emergence of benchmarks
– Work done in the context of TRUST's ICAST collaboration
– Year 1: trace-based, off-line
ICSI & TRUST (current)
Effort #2: understanding fingerprinting of off-port applications
– Context: many apps today avoid well-known ports (P2P; Skype; botnet C&C); also highly relevant for anonymizers
– A significant body of work aims to identify such applications via statistical (non-content) techniques
– Our premise: these are fundamentally weak …
– … which we aim to show analytically and empirically
– Effort w/ Alvaro Cardenas (TRUST postdoc)
ICSI & TRUST (current)
Effort #3: informing development of legal frameworks for network security research
– Maryanne McCormick, Aaron Burstein (Law)
– Issues:
  Sharing data, traces
  Containment: how do you control potential infections?
  Participating in botnets
  Interacting with botmasters, buyers & sellers
ICSI & TRUST (future)
Widen evasion testing methodology
– Live hosts to facilitate normalization, active mapping, host agent defenses
– Evasion-by-stress, particularly state management stresses
Cross-site information sharing
– Architecture #1: global database, local reputation
– Architecture #2: "detectives" and "witnesses"
– Architecture #3: confederation of sites that mostly trust one another
Seeding vision proposed by ICSI to Cybertrust:
– Sites send scripts describing activity of interest
– Recipients can automatically both search retrospectively and instrument for the future
Deirdre K. Mulligan
Aaron Burstein
Maryanne McCormick
Access to Data
Access to Cyber Security Data
Access to real datasets could produce a "paradigm shift" for computer and network security research
Problems:
– Relevant data regulated by disparate laws; research exceptions are weak or non-existent
– No coherent policy view of "cyber security"
– Data needs highly varied
– Data controllers highly dispersed, incentives conflict
Current situation:
– Few common datasets for comparisons, testbeds
– "Every firm for itself," with some exceptions
Access-to-data: DMCA
Need to understand sources of vulnerabilities on end-users' computers
– Digital Millennium Copyright Act (DMCA) prohibits circumventing "technological protection measures" that control access to copyrighted works
– Weak "security testing" exception
Sony BMG "rootkit" episode
– Audio CDs installed copy-prevention software that hid from the user and left machines vulnerable
– Researchers delayed reporting findings because of fear of legal liability
– Meanwhile ~500,000 users installed the software
– Librarian of Congress granted a DMCA exemption, for audio CDs only
Access-to-data: Communications Privacy
Internet traffic datasets needed to understand worm & virus propagation, DDoS attacks
– Cross-organizational sharing needed to understand large-scale attacks
No research exceptions for intercepting communications contents (Wiretap Act) or disclosing stored contents or addressing information (Stored Communications Act)
– Provider protection exceptions not always applicable
Very difficult to get a good picture of Internet traffic
– Government (including state university) researchers at a particular disadvantage
– Examining institutions, legal reforms to allow sharing
Access-to-data: Computer abuse
"Honeynets" (networks of computers intended to be attacked) offer a way to study attack tactics, malware
Computer Fraud & Abuse Act prohibits knowingly accessing another computer on the Internet "without authorization"
– No research exception
– Researchers liable for compromised machines?
– Researchers liable for infiltrating attack networks?
Legal concerns mitigated by statutory mental state requirement
Anthony D. Joseph
UCB Network Defense Research
UCB Network Defense Research
Research Focus #1: Novel Worm/Virus Detection and Machine Containment
– Leverage machine learning to identify and quarantine e-mail worms and viruses before signatures are available
– Efforts:
  Learning on a single user's outgoing e-mail behavior
  Using a multi-tiered modeling approach
  Leveraging existing anti-virus solutions to improve results
  Containing (or slowing) infection until scanners can detect it
– Results:
  Very low false positive and false negative rates
  Could be effective containment even with 50% deployment
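Added example (not the UCB project's code) showing the shape of a per-user outgoing-mail model with a containment tier: tier 1 learns one user's normal sending rate, recipients per message and attachment frequency from that user's own history and holds outbound messages whose combined one-sided z-score exceeds a threshold; tier 2 keeps the held messages until a signature scanner can clear or drop them. The three features, the standard-deviation floor, the hold threshold, the sample mail log and the stand-in scanner are all constructed assumptions.

```python
"""Per-user outgoing e-mail behaviour model with a containment tier.

Added example, not code from the UCB project.  Features, z-score rule,
std floor, hold threshold, sample log and stand-in scanner are assumptions."""
import statistics
from collections import deque

WINDOW_SECS = 600       # sending-rate window
MIN_STD = 0.5           # floor so a feature that never varied in training cannot dominate
HOLD_THRESHOLD = 5.0    # user-chosen: combined one-sided z-score that triggers a hold


def make_msg(ts, n_recipients, attachment=None):
    return {"ts": ts, "rcpts": n_recipients, "attachment": attachment}


class OutboundMailGuard:
    """Tier 1 learns one user's sending behaviour and holds outliers;
    tier 2 keeps held mail until a scanner can judge it."""

    def __init__(self):
        self.recent = deque()   # send attempts inside the window
        self.stats = None       # per-feature (mean, std) from training
        self.held = []          # quarantine

    def _features(self, msg):
        while self.recent and msg["ts"] - self.recent[0] > WINDOW_SECS:
            self.recent.popleft()
        self.recent.append(msg["ts"])
        return [float(len(self.recent)),          # send attempts in the last window
                float(msg["rcpts"]),              # recipients on this message
                1.0 if msg["attachment"] else 0.0]

    def train(self, history):
        rows = [self._features(m) for m in history]
        self.stats = [(statistics.mean(col), max(statistics.pstdev(col), MIN_STD))
                      for col in zip(*rows)]

    def score(self, feats):
        # One-sided: only 'more than this user usually does' is suspicious.
        return sum(max(0.0, (f - mu) / sd) for f, (mu, sd) in zip(feats, self.stats))

    def submit(self, msg):
        """Tier 1 verdict for one outbound message: 'deliver' or 'hold'."""
        if self.score(self._features(msg)) > HOLD_THRESHOLD:
            self.held.append(msg)
            return "hold"
        return "deliver"

    def rescan(self, scanner):
        """Tier 2: once a scanner can recognise the malware, drop what it flags
        and release the rest.  Returns (released, dropped)."""
        released = [m for m in self.held if not scanner(m)]
        dropped = len(self.held) - len(released)
        self.held = []
        return len(released), dropped


# Constructed history: 20 messages about 20 minutes apart, one or two
# recipients, an attachment now and then.
HISTORY = [make_msg(i * 1200, 1 + (i % 3 == 0), "report.pdf" if i % 7 == 0 else None)
           for i in range(20)]
# Constructed worm burst: eight messages ten seconds apart, one address-book
# contact each, all carrying the same executable attachment.
BURST = [make_msg(30000 + i * 10, 1, "photo.scr") for i in range(8)]


def run_demo():
    guard = OutboundMailGuard()
    guard.train(HISTORY)
    verdicts = [guard.submit(m) for m in BURST]
    # Stand-in for a signature scanner that has since learned the worm.
    released, dropped = guard.rescan(lambda m: m["attachment"] == "photo.scr")
    return verdicts, released, dropped


if __name__ == "__main__":
    print(run_demo())
```

The worm's first two messages still get out before the rate feature crosses the threshold; that is the "containing (or slowing)" point on the slide: the behavioural tier throttles the burst while the scanner tier catches up, and a scanner update then decides what was held.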
UCB Network Defense Research
Research Focus #2: Efficient Detection of Network-Wide Anomalies
– Detecting sudden changes in origin-destination flows (from DDoS, device failure, misconfigurations, …) using only link traffic measurements
– Efforts:
  Applying distributed Principal Component Analysis to separate normal from anomalous traffic
  Working to reduce detection time scales, increase the number of monitor nodes
– Results:
  User-specified level of accuracy
  Order of magnitude reduction in network monitoring traffic
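Added example (not the UCB project's code) of the subspace method behind this slide: link loads are projected onto the principal components that explain normal traffic, the energy left over (the squared prediction error, SPE) is the anomaly score, and each monitor reports a load only when it has moved by more than a slack value, which is what cuts monitoring traffic. The six-link topology, the two periodic OD flows, the bounded noise, the slack and the threshold rule are constructed assumptions, and the PCA is done with plain power iteration so the block runs without numpy. It goes slightly beyond the slide by feeding the filtered (possibly stale) values to the detector during training too, so the learned threshold already absorbs the filter's slack.

```python
"""PCA subspace anomaly detection on link loads, with per-monitor
update filtering.

Added example, not code from the UCB project.  Topology, traffic
model, noise, slack and threshold rule are constructed assumptions."""
import math
import random

# Constructed topology: ROUTES[link] = (weight of OD flow 0, weight of OD flow 1);
# a link's load is the sum of the flows routed over it.
ROUTES = [(1, 0), (1, 1), (0, 1), (1, 0), (1, 1), (0, 1)]
N_LINKS = len(ROUTES)


def generate_link_loads(steps, anomaly_at=None, spike=60.0, seed=0):
    """Constructed link loads: two periodic OD flows plus bounded noise, with an
    optional single-link surge on link 2 at step `anomaly_at` (a DDoS-style
    change that no OD flow explains)."""
    rng = random.Random(seed)
    rows = []
    for t in range(steps):
        f0 = 100 + 30 * math.sin(2 * math.pi * t / 50)
        f1 = 80 + 20 * math.cos(2 * math.pi * t / 50)
        x = [w0 * f0 + w1 * f1 + rng.uniform(-0.5, 0.5) for w0, w1 in ROUTES]
        if t == anomaly_at:
            x[2] += spike
        rows.append(x)
    return rows


class MonitorFilter:
    """Each monitor remembers the last load it reported and reports again only
    when the load has moved by more than `slack`; the coordinator keeps using
    the stale value otherwise (an assumed, minimal form of the idea)."""

    def __init__(self, n_links, slack):
        self.slack = slack
        self.last = [None] * n_links
        self.messages = 0

    def step(self, loads):
        for i, v in enumerate(loads):
            if self.last[i] is None or abs(v - self.last[i]) > self.slack:
                self.last[i] = v
                self.messages += 1
        return list(self.last)   # the coordinator's view of the links


def _matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def top_eigenvectors(cov, k, iters=300):
    """Top-k unit eigenvectors of a symmetric PSD matrix by power iteration
    with deflation (pure-Python stand-in for a numpy/LAPACK call)."""
    n = len(cov)
    c = [row[:] for row in cov]
    vecs = []
    for _ in range(k):
        v = [1.0 / math.sqrt(n)] * n
        for _it in range(iters):
            w = _matvec(c, v)
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(a * b for a, b in zip(v, _matvec(c, v)))
        c = [[c[i][j] - lam * v[i] * v[j] for j in range(n)] for i in range(n)]
        vecs.append(v)
    return vecs


class SubspaceDetector:
    """Fit a k-dimensional 'normal' subspace of link loads; score a
    measurement by the energy that subspace fails to explain (SPE)."""

    def __init__(self, k):
        self.k = k

    def fit(self, rows):
        n, t = len(rows[0]), len(rows)
        self.mean = [sum(r[i] for r in rows) / t for i in range(n)]
        centered = [[r[i] - self.mean[i] for i in range(n)] for r in rows]
        cov = [[sum(c[i] * c[j] for c in centered) / t for j in range(n)]
               for i in range(n)]
        self.basis = top_eigenvectors(cov, self.k)
        return self

    def spe(self, loads):
        resid = [x - m for x, m in zip(loads, self.mean)]
        for v in self.basis:                 # strip the normal components
            proj = sum(a * b for a, b in zip(resid, v))
            resid = [r - proj * b for r, b in zip(resid, v)]
        return sum(r * r for r in resid)


def run_detection(train_steps=60, test_steps=100, anomaly_at=80, slack=1.0,
                  k=2, threshold_factor=10.0):
    """Train on a clean filtered stream, then score a second stream carrying
    one single-link surge.  Returns (flagged_steps, messages_sent,
    messages_an_unfiltered_scheme_would_send)."""
    filt = MonitorFilter(N_LINKS, slack)
    train = [filt.step(x) for x in generate_link_loads(train_steps, seed=1)]
    det = SubspaceDetector(k).fit(train)
    # 'User-specified accuracy' reduced to one knob: a multiple of the largest
    # SPE seen on the clean training stream.
    threshold = threshold_factor * max(det.spe(x) for x in train)
    flagged = [t for t, x in enumerate(generate_link_loads(test_steps, anomaly_at, seed=2))
               if det.spe(filt.step(x)) > threshold]
    return flagged, filt.messages, (train_steps + test_steps) * N_LINKS


if __name__ == "__main__":
    flagged, sent, unfiltered = run_detection()
    print("anomalous steps:", flagged)
    print("monitor messages: %d of %d an unfiltered scheme would send" % (sent, unfiltered))
```

The surge on a single link is caught because it does not lie in the span of the routing matrix, so almost all of its energy lands in the residual subspace; a change that merely scaled both OD flows would stay inside the normal subspace and be invisible to this score, which is the known blind spot of the method.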
UCB Network Defense Research
Research Focus #3: Attacks Against Machine Learning-based Security Systems
– Attacking ML-based security systems such as intrusion detection systems and spam filters
– Efforts:
  Developing a taxonomy of attacks (dodging and numbing)
  Determining an attacker's work function for altering a learner, based on different levels of knowledge and control
  Building a test platform for attacks and countermeasures
– Results:
  Theoretical analysis of attacker work function for a simple mean-centered hypersphere classifier
  Modified SpamBayes platform for adversarial learning
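Added example (not the UCB project's code, and not the analysis in the paper the slide refers to) of both attack classes in the taxonomy against a mean-centered hypersphere detector: dodging moves one attack point just inside the boundary, and numbing feeds the detector boundary points that drag its centroid toward a target until the target is classified normal. The detector's retraining rule (centroid of every point seen, fixed radius) and the attack strategy are assumptions; under that rule the number of points the attacker needs grows exponentially with the distance to be covered, measured in radii, and the block compares the simulated count with that closed-form bound.

```python
"""Dodging and numbing attacks on a mean-centered hypersphere detector.

Added example, not code from the UCB project.  The detector's online
retraining rule and the attack strategies are assumptions."""
import math
import random


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class HypersphereDetector:
    """'Normal' = within `radius` of the centroid of every point trained on.
    Retraining on each accepted point (a naive online rule, assumed here)
    is what the numbing attack exploits."""

    def __init__(self, points, radius):
        self.n = len(points)
        self.center = [sum(p[i] for p in points) / self.n
                       for i in range(len(points[0]))]
        self.radius = radius

    def is_normal(self, x):
        return dist(x, self.center) <= self.radius

    def train_on(self, x):
        self.n += 1                      # running mean over all points seen
        self.center = [c + (xi - c) / self.n for c, xi in zip(self.center, x)]


def toward_boundary(det, x, fraction=1.0):
    """Point on the ray from the centroid through x, `fraction` radii out."""
    d = dist(x, det.center)
    return [c + (xi - c) * det.radius * fraction / d for c, xi in zip(det.center, x)]


def dodge(det, x):
    """Dodging (evasion): the smallest move that gets x accepted, i.e. slide
    it toward the centroid until it sits on the boundary."""
    return list(x) if det.is_normal(x) else toward_boundary(det, x)


def numbing_attack(det, target, max_points=10**6):
    """Numbing (poisoning): feed the detector points just inside the boundary
    in the direction of `target`.  Each is accepted as normal and drags the
    centroid toward the target.  Returns how many points it took before
    `target` itself is classified normal."""
    count = 0
    while not det.is_normal(target) and count < max_points:
        # 0.999 keeps the point strictly inside despite floating-point rounding.
        det.train_on(toward_boundary(det, target, 0.999))
        count += 1
    return count


def work_function_bound(n, displacement, radius):
    """With n points already learned, accepted point i moves the centroid by
    radius/(n+i), so M points shift it by radius * sum_{i=1..M} 1/(n+i)
    <= radius * ln((n+M)/n).  Covering a target `displacement` beyond the
    boundary therefore needs at least n * (exp(displacement/radius) - 1)
    points: the attacker's work grows exponentially in the shift measured
    in radii."""
    return n * (math.exp(displacement / radius) - 1)


def run_attack(n_train=100, radius=1.0, target=(3.0, 0.0), seed=0):
    """Returns (points the simulated attack needed, closed-form lower bound)."""
    rng = random.Random(seed)
    training = [(rng.gauss(0, 0.2), rng.gauss(0, 0.2)) for _ in range(n_train)]
    det = HypersphereDetector(training, radius)
    displacement = dist(target, det.center) - radius
    needed = numbing_attack(det, target)
    return needed, work_function_bound(n_train, displacement, radius)


if __name__ == "__main__":
    needed, bound = run_attack()
    print("attack points needed: %d (lower bound %.1f)" % (needed, bound))
```

The exponential bound is the defender's lever: the more clean history the learner keeps (larger n) and the further the target sits outside the sphere in units of the radius, the more poisoned points the attacker must get accepted, and a rate limit on retraining or a cap on how far the centroid may drift per period turns that cost into a detectable signal.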