Slide - Computer Science and Engineering


How to start a company: the NetSift story
CSE 91 Goals
 Essence: To convince you that Computer
Science is not just programming but creatively
solving the world’s problems using computers
 Careers: To show there are exciting career
options that can change the world
 UCSD CSE: To show you that UCSD CSE has a
number of cool professors doing cool work
 Startups: To give you a glimpse of how CSE
ideas can convert to business opportunities
 Students: To showcase students like you
You may be an entrepreneur in disguise
I loved teaching and research.
Disorganized, naïve about business
But: passionate about ideas
Circumstances swept me into starting a
company: you may too.
The Problem: Large Scale Attacks
Our definition of a Large Scale Attack
 Definition: Large scale attack is one that involves several
attackers and attacked machines, or significant traffic footprint.
 Examples: Worms (Code Red, Blaster), Viruses (Lovebug),
DDOS (Yahoo attack), SPAM, application level DoS
 Costs to customers: Worms (billions in themselves); adding
viruses, spam, and DDOS make total costs astronomical
 State of Products Today: Small scale attacks are solved;
threat and consequence of large scale attacks were not (2004).
Worms as example of Large Scale Attack
[Figure: an infected machine inside an enterprise propagating to a new victim.]
Worm, virus: exploit (that takes over a single machine)
plus propagation code
Response today: humans notice (hours), analyze (days) to create
signatures.
Missing: Automatic signature extraction of new large scale
attacks (e.g., worms, viruses) will be a disruptive technology.
Our definition of a Large Scale Attack
 Definition: Large scale attack is one that involves several
attackers and attacked machines, or significant traffic footprint.
 Examples: Worms (Code Red, Blaster), Viruses (Lovebug),
DDOS (Yahoo attack), SPAM, Blended Attacks (SoBig,MyDoom)
 Costs to customers: Worms (billions in themselves); adding
viruses, spam, and DDOS make total costs astronomical
 State of Products in 2004: Small scale attacks are solved;
threat of large scale attacks growing exponentially.
Attack Trends
[Figure: Attack Trends (Source: CERT). From 1980 to 2000 attack sophistication rises from LOW to HIGH while the intruder knowledge needed falls; milestones along the curve: password cracking, session hijacking, DOS, DDOS toolkits, DDOS, worms.]
Trends
1. Increased virulence: 1 in 12 emails for MyDoom vs 1 in 28 for Lovebug (2000)
2. Increased ease of use: script kiddies, toolkits; fewer barriers to entry
3. Increased scale: canonical attack moves from 1 computer to many (e.g., worms)
Response time is crucial
Ultimate metric: how fast from onset of new attack to
clean up. Today response time is in days. Our schemes:
 Basic: seconds to obtain signatures.
 Fast blocking, known exploits: reduce time to zero seconds (prevention) for known exploits via subscription service.
 Fast blocking, unknown exploits: first infected sites relay to a central site, which relays to others via the service. Seconds for the first infection, but zero for other customers.
Reducing response time to zero keeps enterprises free of attack
The Technology: Content Sifting
How it started
 A student like you (barely finished BS),
Sumeet Singh, realized the problem
 Came to my office and said that worms
repeat, watch content → signatures
 We helped add other ideas (checking for
sources, fast implementation)
 In 2 weeks, he had a prototype. He
caught Blaster when it happened.
 Here’s the technology in more detail
Extracting Worm Signatures by Content Sifting
 Unsupervised learning: monitor network
for strings with worm-like behavior
 Signatures can then be used for
detection.
[Figure: a captured packet. PACKET HEADER: SRC: 11.12.13.14.3920 DST: 132.239.13.24.5000 PROT: TCP. PACKET PAYLOAD (CONTENT): a hex dump of the payload, mostly 0x90 bytes with a few other byte values; the highlighted byte range is the Kibvu.B signature captured by EarlyBird on May 14th, 2004.]
Worm Characteristics for Learning
 Content Prevalence
Payload of worm is seen frequently
 Address Dispersion
Payload of worm is seen traversing
between many distinct hosts
 Can we do this learning at Gigabit
speeds?
The Basic Algorithm
[Figure: a detector at a vantage point sees traffic among hosts A, B, C, D, E and cnn.com, and keeps a Prevalence Table and an Address Dispersion Table (Sources, Destinations) per content string. The animation builds the tables packet by packet:]

Packet seen               Prevalence   Sources       Destinations
worm content, A -> B      1            1 (A)         1 (B)
other content, C -> A     1            1 (C)         1 (A)
worm content, B -> D      2            2 (A,B)       2 (B,D)
worm content, D -> E      3            3 (A,B,D)     3 (B,D,E)

Final state: the worm content reaches prevalence 3 with sources (A,B,D) and destinations (B,D,E); the other content stays at prevalence 1, source (C), destination (A).
What are the challenges?
 Computation
– We have a total of 12 microseconds processing
time for a packet at 1Gbps line rate
– Not just talking about processing packet
headers, but learning frequent strings.
 State
– On a fully-loaded 1Gbps link the basic
algorithm could generate a 1GByte table in less
than 10 seconds
 We used some sophisticated algorithms.
Multistage filters and bitmap counters
 Google “Earlybird” for details in paper
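An added example (not EarlyBird or NetSift code) of the multistage filter named above, used to approximate the prevalence table in bounded memory instead of a per-string table that grows without limit. The stage count, bucket count, threshold, blake2b-based per-stage hashing and the conservative-update refinement are assumptions of this demo; the bitmap counters for address dispersion are not shown.

```python
# Added example (not EarlyBird/NetSift code): a multistage filter that
# approximates the prevalence table in fixed memory. Each stage is an
# array of counters indexed by an independent hash; content is reported
# only when its counter in EVERY stage reaches the threshold.
import hashlib

STAGES, BUCKETS, THRESHOLD = 4, 1024, 3   # assumed demo parameters

class MultistageFilter:
    def __init__(self, stages=STAGES, buckets=BUCKETS, threshold=THRESHOLD):
        self.buckets, self.threshold = buckets, threshold
        self.counters = [[0] * buckets for _ in range(stages)]
        self.passed = set()   # content that cleared all stages

    def _bucket(self, stage, content):
        # One independent hash per stage: salt the digest with the stage id.
        h = hashlib.blake2b(content, digest_size=8, salt=bytes([stage]))
        return int.from_bytes(h.digest(), "big") % self.buckets

    def estimate(self, content):
        # Never below the true count: collisions can only inflate counters.
        return min(stage[self._bucket(i, content)]
                   for i, stage in enumerate(self.counters))

    def add(self, content):
        # Conservative update: bump only the stages currently at the
        # minimum, which keeps the inflation caused by collisions small.
        slots = [(stage, self._bucket(i, content))
                 for i, stage in enumerate(self.counters)]
        low = min(stage[b] for stage, b in slots)
        for stage, b in slots:
            if stage[b] == low:
                stage[b] += 1
        if self.estimate(content) >= self.threshold:
            self.passed.add(content)   # candidate for the dispersion test
        return content in self.passed

# Constructed stream: one worm substring seen five times among 200
# distinct one-off substrings. State stays at STAGES*BUCKETS counters
# however many distinct strings fly past, unlike a per-string table.
WORM = b"\x90\x90\x90\x90EXPL"

def demo():
    f = MultistageFilter()
    for i in range(200):
        f.add(b"benign-%03d" % i)
    for _ in range(5):
        f.add(WORM)
    return f
```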
Idea 1:
Index fixed length substrings
 Approach 1: Index all substrings
– Problem: too many substrings → too much
computation → too much state
 Approach 2: Index packet as a single
string
– Problem: easily evadable (e.g., Witty, Email
viruses)
 Approach 3: Index all contiguous
substrings of a fixed length ‘S’
– Will track everything that is of length ‘S’ and larger
[Figure: a string A B C D E F G H I J K with a sliding window of length ‘S’ over it.]
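The two tables of the basic algorithm (prevalence and address dispersion) together with the fixed-length substring indexing of Approach 3, carried through in code. This is an added example, not EarlyBird or NetSift code; the substring length S = 8, the thresholds, the host names and the packet payloads are all constructed for the demo.

```python
# Added example (not EarlyBird/NetSift code): content sifting that indexes
# every contiguous substring of fixed length S in each packet payload and
# keeps a prevalence table plus an address-dispersion table per substring.
from collections import defaultdict

S = 8                       # assumed substring length 'S' for the demo
PREVALENCE_THRESHOLD = 3    # assumed: packets carrying the substring
DISPERSION_THRESHOLD = 3    # assumed: distinct sources AND destinations

class ContentSifter:
    def __init__(self, s=S):
        self.s = s
        self.prevalence = defaultdict(int)    # substring -> packet count
        self.sources = defaultdict(set)       # substring -> distinct sources
        self.destinations = defaultdict(set)  # substring -> distinct dests

    def observe(self, src, dst, payload):
        # Approach 3: every window of length s, counted once per packet.
        windows = {payload[i:i + self.s]
                   for i in range(len(payload) - self.s + 1)}
        for w in windows:
            self.prevalence[w] += 1
            self.sources[w].add(src)
            self.destinations[w].add(dst)

    def worm_like(self):
        # Worm content is both prevalent (seen in many packets) and
        # dispersed (many distinct senders and many distinct receivers).
        return sorted(w for w, n in self.prevalence.items()
                      if n >= PREVALENCE_THRESHOLD
                      and len(self.sources[w]) >= DISPERSION_THRESHOLD
                      and len(self.destinations[w]) >= DISPERSION_THRESHOLD)

# Constructed traffic mirroring the slide's picture: the same exploit body
# travels A->B, B->D, D->E behind different padding (so whole-packet
# indexing would miss it), while a cnn.com page is fetched by three
# clients (prevalent, but from a single source, so not dispersed).
EXPLOIT = b"\x90\x90\x90\x90" + b"EXPLOIT-CORE" + b"\xeb\x10\x5a\x4a"
PAGE = b"<html>cnn.com front page</html>"

def demo():
    sifter = ContentSifter()
    sifter.observe("A", "B", b"pad-1" + EXPLOIT)
    sifter.observe("B", "D", b"xx" + EXPLOIT)
    sifter.observe("D", "E", b"longer-padding" + EXPLOIT)
    for client in ("A", "C", "E"):
        sifter.observe("cnn.com", client, PAGE)
    return sifter.worm_like()
```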
NetSift IDS : Initial Validation
 Deployment (UCSD network vantage point)
– Tap on CISCO Catalyst switch
– Software on Dell server
– 1 Gbps line rate
– no packet drops
 Attack Signatures Found (with no prior knowledge!):
• NetBios Attack, Code Red, Linux Slapper, Blaster, MyDoom,
Sasser, backdoor probing
• Application Level DDOS from UCSD outwards etc.
 Minimal false positives, no false negatives in 8
months of testing.
[Screenshot: NetSift IDS management console showing Anomaly Sasser-A (VIEW / TYPE / INFORMATION; tabs Details, Characterization). Copyright NetSift, Inc. 2004. Annotations on the screenshot:]
 Manager selects the day-old Sasser-A anomaly to see the current state of the attack
 Summary of the anomaly and the actions the user can take for this anomaly
 List of infected sources associated with Sasser-A
 Ability to download a “FLOW” associated with this anomaly in tcpdump format
 First packet payload of Sasser, from which a signature (not shown) is constructed
 Button to download Sasser signatures for various blocking devices
 Manager obtained a signature of Sasser-A and used it to begin blocking the worm
 The bytes in red represent one of the content fragments of Sasser that the system is tracking
 Output of the traffic test: cumulative count of packets containing the infection over various time periods
 The time at which the system classified the Sasser anomaly as a WORM
 Output of the dispersion test: cumulative count of infected sources and destinations over various time periods (this plot is in days, but plots can be in hours or minutes as well)
Business Model: How to generate revenue
Mission (Elevator Pitch)
 Preventing known and unknown
large-scale attacks on enterprises
without human intervention, using
behavioral analysis of packets (including
payload content) seen at network
vantage points.
 (Less Formal) What Norton Antivirus
does in a day using humans, we do
automatically in minutes
A Value Hierarchy
 Give away your work to maximize impact
(DRR), zero dollars, intangibles
 File a patent and market to companies, (IP
Lookups), 100K to 1 Million
 Create a technology you can find a buyer for:
1 to 5 million
 Create a product and find some initial
customers: (NetSift), 10 to 100 million
 Create a product and market: 500M-1B
 Standalone company, and IPO: > 1 B
 Venture Capitalists will require last few steps
The Venture Process
 VCs are like a high-risk mutual fund.
Generally manage 100M to 1 Billion
 Only a few partners: so can do only a
few gigs. Must put money to work
 Given that 1 in 10 companies fail, they
look for TAMs of 1 Billion and possible
exits only as a line of defense
 If VC values you at 3 million (premoney) and gives you 3 million:
– Post money = 6M, VC owns 50% (3/6)
Our Business Model (Tom Clancy)
 TAM Upper Limit for worms: Tens of
billions ($300-1000 per host, Code Red
itself > 2 billion) in worm costs alone.
Pain
 TAM Lower Limit: Global 2000
companies, each spending at least 250K
on IDS = 1 Billion. Failure of IDS.
 Exits: IDS companies (NetScreen, Cisco,
Intruvert). Typical acquisitions: 50 million
The Pitch: Presenting the Idea
Elements of a Pitch
 Problem: (show it’s important, 2-3
slides, see start on Large Scale Attacks)
 The Technology (cool, different,
defensible). Content Sifting. 2-3 slides
 The Business opportunity (see earlier)
 The Competitive Landscape (why you
are better than others, 2-3 slides)
 The Team (why you can deliver, 1 slide)
Competitive Landscape (NetSift example)
 Firewalls: screening based on headers
~ fails, worms masquerade using headers of legitimate traffic
 Signature Based End-point detection: Norton, Symantec (screening based on content strings in packets)
~ expensive, install at every end-node, not a few network devices.
 Signature Based Network detection: Snort, Cisco NBAR, Tipping Point
~ blocking is fast, signature extraction by human too slow. Detection in more than 30 mins implies infection spreads to entire enterprise.
 Behavioral based end-point detection: Okena (zero-day attack detection, analogous to detecting suspicious behavior).
~ expensive at every host, can only detect attacks against itself!
 Behavioral based network detection: NetSift
Differentiator: sophisticated behavioral tests to automatically extract signatures that can be blocked by existing signature based blocking devices
NetSift Positioning
[Figure: a 2x2 grid, SIGNATURE BASED vs. BEHAVIORAL against NETWORK BASED vs. ENDPOINT BASED. Signature based, network: SourceFire, TippingPoint, Cisco, NetScreen, IntruShield. Signature based, endpoint: Symantec, McAfee etc. Behavioral, endpoint: Okena, WholeNetwork, Entercept, Harris, Sana. Behavioral, network: NetSift.]
We use new behavioral tests to extract signatures
that can be blocked using signature-based hardware
Key Differentiators
Summary: All existing network security products have
trouble with one or more of the following:
1) False positives: too many alerts
2) Performance: too slow, unscalable
3) Lack of agility: cannot handle new or polymorphic attacks.
We claim to address all three issues.
Team
 George Varghese (Founder and CTO): Inventions used in real products (timing wheels, Linux; DRR, Cisco GSR; IP Lookups, Windows), designed 40 Gbps Procket lookup engine. Packet processing algorithms.
 Sumeet Singh (Founder & Chief Scientist): UCSD Ph.D student, cofounded NetVisions (75 persons at peak) for E-business. Invented and coded fastest software packet classification algorithm. Software prototyping.
 Stefan Savage (Consultant): co-founder Asta Networks for DDOS detection, invented IP Traceback, DOS Detection via Backscatter; seminal paper on worm spreading rates. Domain expertise and innovation in attack detection.
 Growing Engineering Team:
– Bashir Eghbali (ex Cisco IOS), Mike Semanko (ex Entropia), John Huber (ex Yunni Networks), Clifton Mclellan (ex Enosys), Sri Narayan (ex Hughes)
Overall Summary
 Importance of large-scale attacks: growing, billions in damage due to each of worms, viruses, spam, DDOS
 Unique Approach: first behavioral based network approach that automatically extracts attack signatures for signature blockers.
 New Algorithms: Scalable (can run at 10 Gbps) algorithms to identify abstract characteristics of new, blended, and polymorphic attacks. Found Blaster, MyDoom signatures within 5 seconds despite polymorphism. No false positives in 8 months of testing.
 Team track record: world-class team with track record of inventing fast scalable network algorithms (George Varghese) and innovative solutions to security problems (Stefan Savage).
 New Products: LIDS box that can detect standard intrusions as well as automatically identify large scale attacks; LIPS box that can prevent attacks; Host software to block detected attacks.
Mechanics: Starting and Proceeding
Starting and Proceeding
 Need to make a pitch to VCs till a deal is
reached (like buying a house, get comps)
 Need a lawyer to help draw up a Term Sheet
(legal document w/ Cap Table).
 VCs help you outsource: finding space, paying
salary, taxes, insurances.
 You need to hire employees, buy equipment,
build the first product.
 Everyone has to do everything: e.g., write the manual,
though you can hire part-timers
 Money must last till next value creating
inflection point (e.g., build product or exit)
Capital Table
 Employees: CEO (8-12%), VPs (3%),
Engineers: Senior 1, mid 0.3, start 0.1
[Figure: pie chart of a typical cap table: VCs (40-60%), Employees (20-30%), Founders (20-30%).]
Timelines
 Feb 2004: Conception, prototype, results
 Sep 2004: Decision to make a company
 Sep – March 2004: Pitch SD, SJ
 April 2004: First round (3M), 1 room
 Aug 2004: Real space, 10 employees
 Sept 2004: Prototype running at 1 ISP
 Oct 2004: VP Eng, VP Marketing (no CEO)
 Dec 2004: Cisco, first talks, break down
 Feb 2005: Cisco re-engages
 March 2005: First term sheet, many-way negotiation
Motivations
 While our employees all did well
(including recent UCSD grads), no
guarantee of financial success.
 Need to be excited about the mission
(automatically identifying attacks), the
technology, and learning.
 A good atmosphere of joy in the journey
is crucial. Have fun!
Some things we did right
 Pitched widely: Von Liebig, KP, NEA. Pitches
matter! Good books exist.
 Hired UCSD Grads: they were the best in SD
 Used friends who had done it before: review
term sheet, hires, options, board member
 Did not hire a CEO at early stage
 Hired a very good VP Eng (Hunt) and
Marketing (Mehta). Cachet helped sale
 Had high quality VCs (Stensrud, board of
Juniper, Clancy, Conn)
 Sold at right time: next step in value had
much more risk, hard for VCs though
 Did the right thing by employees: all did well
Some things I wished we had done
 Assumed experts knew it all: instead, common
sense and diligence go a long way
– Negotiation with VPs
– Negotiation with University
– Negotiation with Cisco
 Hired without sufficient diligence. Too eager
to believe good things.
– Firing can be traumatic. Better to hire with care
 Should have trusted more and opened up
more of the technology early.
Students like you . . . Sumeet Singh, UCSD 02