Motorola-proposalTal.. - Computer Science Division


Adaptive Intrusion Detection and Mitigation Systems for WiMAX Networks
Yan Chen
Northwestern Lab for Internet and Security Technology (LIST)
Dept. of Computer Science, Northwestern University
http://list.cs.northwestern.edu
Motorola Liaisons: Gregory W. Cox, Z. Judy Fu, Philip R. Roberts (Motorola Labs)
Battling Hackers is a Growth Industry!
-- Wall Street Journal (11/10/2004)
• The past decade has seen an explosion in the concern for the security of information
• Denial of service (DoS) attacks
– Cost $1.2 billion in 2000
• Viruses and worms faster and more powerful
– Caused over $28 billion in economic losses in 2003, growing to over $75 billion by 2007
The Current Internet: Connectivity and Processing
[Figure: map of the current Internet, from premises-based access networks (cable modem, WLAN, LAN, analog voice, DSLAM, H.323/RAS) and operator-based cell and wireline regional networks, through transit networks and core networks, with public and private peering at a NAP, the PSTN, and separate data and voice paths.]
Motivation
• Viruses/worms moving into the wireless world …
– 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices
• IEEE 802.16 WiMAX networks emerging
– Predicted multi-billion dollar industry
– No existing research/product tailored towards 802.16 anomaly/intrusion detection and mitigation
• 802.16 IDS development can potentially lead to a critical gain in market share
– All major WLAN vendors have integrated IDS into their products
• Strategically important to lead the WiMAX product portfolio with security & troubleshooting capability
– Simply buying off-the-shelf IDSes means being blind to their limitations
Existing Intrusion Detection Systems (IDS) Insufficient
• Mostly host-based and not scalable to high-speed networks
– Slammer worm infected 75,000 machines in < 10 mins
– Host-based schemes inefficient and user dependent
» Have to install IDS on all user machines!
• Mostly signature-based
– Cannot recognize unknown anomalies/intrusions
– New viruses/worms, polymorphism
Current IDS Insufficient (II)
• Statistical detection
– Hard to adapt to traffic pattern changes
– Unscalable for flow-level detection
» IDS vulnerable to DoS attacks
» WiMAX, up to 134Mbps: 10 min of traffic may take 4GB of memory
– Overall-traffic based: inaccurate, high false positives
» Most existing high-speed IDSes are here
• Cannot differentiate malicious events from unintentional anomalies
– E.g., signal interference in a wireless network
Adaptive Intrusion Detection System for Wireless Networks (WAIDM)
• Online traffic recording and analysis for high-speed WiMAX networks
– Leverage sketches for data streaming computation
– Record millions of flows (GB of traffic) in a few kilobytes
• Online flow-level intrusion detection & mitigation
– Leverage statistical learning theory (SLT) to adaptively learn traffic pattern changes
– Flow-level mitigation of attacks
– Combine with 802.16-specific signature-based detection
» Automatic polymorphic worm signature generation
WAIDM Systems (II)
• Anomaly diagnosis for false positive reduction
– Use statistics from the MIB of the base station to understand the wireless network status
» E.g., distinguish packet flooding, signal interference, and other intrusions
» Successfully experimented with 802.11 networks
– Root cause analysis to diagnose link failures, routing misconfiguration, etc.
– Useful for managing and troubleshooting WiMAX networks
WAIDM Deployment
[Figure: (a) Original configuration: several 802.16 BSs and their users connect through a switch/BS controller to the Internet. (b) WAIDM deployed: the same topology with the WAIDM system attached to a scan port of the switch/BS controller.]
• Attached to a switch connecting the BSs, as a black box
• Enables early detection and mitigation of global-scale attacks
• Highly ranked as "powerful and flexible" by the DARPA research agenda
WAIDM Architecture
[Figure: data path and control path through the system. Part I, sketch-based monitoring & detection (modules on the critical path): streaming packet data enters reversible k-ary sketch monitoring, whose local sketch records are sent out for aggregation and combined with remote aggregated sketch records; sketch-based statistical anomaly detection (SSAD) produces keys of suspicious flows, while keys of normal flows drive the filtering of normal flows. Part II, per-flow monitoring & detection (modules on the non-critical path): per-flow monitoring feeds statistical detection, signature-based detection, network fault detection and traffic profile checking on the suspicious flows, and intrusion or anomaly alarms are sent to fusion centers.]
Intrusion Mitigation
[Figure: port-scan taxonomy drawn on a grid with PORT NUMBER on the vertical axis and SOURCE IP on the horizontal axis; the regions marked are VERTICAL (many ports of one address), HORIZONTAL (one port across many addresses) and BLOCK (both).]

Attacks detected                                  Mitigation
Denial of Service (DoS), e.g., TCP SYN flooding   SYN defender, SYN proxy, or SYN cookie for the victim
Port scan and worms                               Ingress filtering with the attacker IP
Vertical port scan                                Quarantine the victim machine
Horizontal port scan                              Monitor traffic with the same port # for compromised machines
Spyware                                           Warn the end users being spied on
Evaluation of Sketch-based Detection
• Evaluated with NU traces (536M flows, 3.5TB traffic)
• Scalable and efficient traffic monitoring
– For the worst-case traffic, all 40-byte packets:
» 16 Gbps on a single FPGA board
» 526 Mbps on a Pentium-IV 2.4GHz PC
– Less than 10MB of memory used
• Accurate and fast detection
– 19 SYN flooding, 1784 horizontal scans and 29 vertical scans detected in one-day NU traces in 719 seconds
– Validation
» All flooding and vertical scans, and the top 10 and bottom 10 horizontal scans
» Both well-known and new worms found (the new ones confirmed in DShield)
• Patent filed

Research methodology
Combination of theory, synthetic/real trace driven simulation, and real-world implementation and deployment
Backup Slides

Scalable Traffic Monitoring and Analysis - Challenge
• Potentially tens of millions of time series!
– Need to work at a very low aggregation level (e.g., IP level)
– Each access point (AP) can have 200 Mbps – a collection of 10-100 APs can easily go up to 2-20 Gbps
– The Moore's Law on traffic growth …
• Per-flow analysis is too slow or too expensive
– Want to work in near real time
Sketch-based Change Detection
(ACM SIGCOMM IMC 2003, 2004)
[Figure: pipeline from the (k,u) input stream through the Sketch module (producing Sketches), the Forecast module(s), an Error Sketch, and the Change detection module, which emits Alarms.]
• Input stream: (key, update)
• Summarize the input stream using sketches
• Build forecast models on top of the sketches
• Report flows with large forecast errors
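The four bullets above describe a pipeline; the following is an added worked example of it, written for this page and not taken from the slides or from the LIST group's implementation. A k-ary sketch summarises each interval's (key, update) stream, an EWMA forecast is built on the sketches, the error sketch is observed minus forecast, and keys whose estimated error is large are reported. The hash function, the dimensions H and K, ALPHA, THRESHOLD and the traffic (destination IP as key, SYN count as update) are all assumptions constructed for the example; recovering keys directly from the error sketch, which the reversible sketch on the architecture slide does, is replaced here by iterating over the interval's observed keys.

```python
import hashlib

# Sketch dimensions and forecast parameters (all values assumed for this example).
H = 4            # hash functions (rows)
K = 4096         # buckets per row
ALPHA = 0.5      # EWMA weight given to the newest interval
THRESHOLD = 100  # forecast error (SYNs per interval) that raises an alarm


def bucket(row, key):
    """Map a flow key to a bucket in hash row `row` (salted SHA-256, a stand-in for the paper's hashes)."""
    digest = hashlib.sha256(f"{row}:{key}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % K


class KArySketch:
    """H x K array of counters summarising a (key, update) stream, with a per-key estimate."""

    def __init__(self):
        self.table = [[0.0] * K for _ in range(H)]
        self.total = 0.0

    def update(self, key, u):
        self.total += u
        for r in range(H):
            self.table[r][bucket(r, key)] += u

    def estimate(self, key):
        # k-ary estimator: subtract the share of the total that lands in the key's bucket
        # by chance, then take the median over the H rows to suppress collisions.
        ests = sorted((self.table[r][bucket(r, key)] - self.total / K) / (1 - 1 / K)
                      for r in range(H))
        return ests[H // 2]


def combine(op, a, b):
    """Apply `op` cell by cell and to the totals; sketches of equal shape are linear, so this is valid."""
    out = KArySketch()
    out.total = op(a.total, b.total)
    for r in range(H):
        out.table[r] = [op(x, y) for x, y in zip(a.table[r], b.table[r])]
    return out


def detect_changes(intervals, threshold=THRESHOLD):
    """intervals: list of per-interval (key, update) record lists. Returns (interval, key, error) alarms."""
    forecast = None
    alarms = []
    for t, records in enumerate(intervals):
        observed = KArySketch()
        keys = set()
        for key, u in records:
            observed.update(key, u)
            keys.add(key)
        if forecast is None:
            forecast = observed          # the first interval seeds the forecast model
            continue
        # Error sketch = observed - forecast, computed on the summaries, not per flow.
        error = combine(lambda o, f: o - f, observed, forecast)
        for key in sorted(keys):         # simplification: a reversible sketch would recover keys from `error`
            e = error.estimate(key)
            if e > threshold:
                alarms.append((t, key, round(e, 1)))
        # EWMA forecast update, again cell by cell.
        forecast = combine(lambda o, f: ALPHA * o + (1 - ALPHA) * f, observed, forecast)
    return alarms


# Constructed traffic: key = destination IP, update = SYNs sent to it in the interval.
NORMAL = [(f"10.0.0.{i}", 10) for i in range(1, 21)]
TRAFFIC = [list(NORMAL) for _ in range(5)]
TRAFFIC[4].append(("10.0.0.7", 400))   # interval 4: a burst of SYNs toward one host

if __name__ == "__main__":
    print(detect_changes(TRAFFIC))     # [(4, '10.0.0.7', 400.0)]
```

Running it reports the one destination whose SYN count jumped by 400 in interval 4 and nothing else. Because the error sketch is a linear combination of two sketches, the detector never keeps per-flow state, which is what makes the approach fit the memory budget on the evaluation slide; a threshold set relative to the spread of past forecast errors, rather than the fixed value used here, is the usual way to keep bursty but legitimate keys from raising alarms.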
GRAID Sensor Architecture
[Figure: the same architecture diagram as the WAIDM Architecture slide: Part I, sketch-based monitoring & detection on the critical path (reversible k-ary sketch monitoring, local and remote aggregated sketch records, SSAD, filtering of normal flows), and Part II, per-flow monitoring & detection on the non-critical path (statistical, signature-based, network fault and traffic profile checking), with intrusion or anomaly alarms sent to fusion centers.]
Current IDS Insufficient for Wireless Networks
• Most existing IDSes are signature-based
– Especially for wireless networks
– Detect denial-of-service attacks caused by the WEP authentication vulnerability, e.g., Airespace
• Current statistical IDSes have manually set parameters
– Cannot adapt to traffic pattern changes
• However, wireless networks often have transient connections
– Hard to differentiate collisions, interference, and attacks
Statistical Anomaly/Intrusion Detection and Mitigation for Wireless Networks
• Use statistics from the MIB of the BS to understand the current wireless network status
– Interference Detection MIB Group
» Retry count, FCS error count, Failed count …
– Intrusion Detection MIB Group
» Duplicate count, Authentication failure count, EAP negotiation failure count, Abnormal termination percentage …
– DoS Detection MIB Group
» Auth flood to BS, De-Auth flood to SS
• Automatically adapt to different learned profiles on observing status changes
Preliminary Algorithm
[Flowchart: Collect MIBs → Process Interference/Collision MIB Group; if the interference indicator is H (high) → Interference; if L (low) → Process Intrusion Detection MIB Group; if the intrusion indicator is H → Intrusion; otherwise → Process DoS MIB Group; if the DoS indicator is H → DoS Attack.]
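The flowchart above, together with the three MIB groups on the preceding slide, implemented as an added example (written for this page, not the project's code): per-interval increments of the counters are compared against a baseline learned from a quiet window, a group is "High" when one of its counters is far above that baseline, and the checks branch in the flowchart's order, interference first, then intrusion, then DoS. The counter names, the 3-sigma rule, the one-count floor on sigma and the sample intervals are all assumptions constructed for the example; the slides give no thresholds.

```python
from statistics import mean, pstdev

# MIB groups as named on the slide; the counter names are constructed stand-ins for the
# MIB objects it lists (retry/FCS/failed, duplicate/auth/EAP failures, auth/de-auth floods).
MIB_GROUPS = {
    "interference": ["retryCount", "fcsErrorCount", "failedCount"],
    "intrusion": ["duplicateCount", "authFailureCount", "eapNegotiationFailureCount"],
    "dos": ["authFloodCount", "deauthFloodCount"],
}
Z_HIGH = 3.0  # assumed: a group is "High" when a counter exceeds its learned mean by 3 sigma


def deltas(polls):
    """Turn cumulative counter polls (dicts taken at a fixed interval) into per-interval increments."""
    return [{k: cur[k] - prev[k] for k in cur} for prev, cur in zip(polls, polls[1:])]


def learn_profile(normal_deltas):
    """Per-counter (mean, std) of the increments over a window believed to be normal."""
    profile = {}
    for k in normal_deltas[0]:
        vals = [d[k] for d in normal_deltas]
        profile[k] = (mean(vals), pstdev(vals))
    return profile


def group_is_high(delta, profile, group):
    """'High' in the flowchart's sense: some counter of the group is far above its baseline."""
    for k in MIB_GROUPS[group]:
        mu, sigma = profile[k]
        # Floor sigma at one count so a perfectly flat baseline does not become hair-trigger.
        if delta[k] > mu + Z_HIGH * max(sigma, 1.0):
            return True
    return False


def classify(delta, profile):
    """The slide's preliminary algorithm: interference is checked first, then intrusion, then DoS."""
    if group_is_high(delta, profile, "interference"):
        return "interference"
    if group_is_high(delta, profile, "intrusion"):
        return "intrusion"
    if group_is_high(delta, profile, "dos"):
        return "dos_attack"
    return "normal"


def make_delta(retry, fcs, failed, dup, auth_fail, eap_fail, auth_flood, deauth_flood):
    return {"retryCount": retry, "fcsErrorCount": fcs, "failedCount": failed,
            "duplicateCount": dup, "authFailureCount": auth_fail,
            "eapNegotiationFailureCount": eap_fail,
            "authFloodCount": auth_flood, "deauthFloodCount": deauth_flood}


# Constructed baseline: five quiet polling intervals, given as per-interval increments.
NORMAL_WINDOW = [make_delta(5, 2, 1, 1, 0, 0, 0, 0), make_delta(6, 3, 1, 0, 1, 0, 0, 0),
                 make_delta(5, 2, 2, 1, 0, 0, 0, 0), make_delta(7, 2, 1, 1, 0, 1, 0, 0),
                 make_delta(6, 3, 1, 0, 1, 0, 0, 0)]

# Constructed test intervals: quiet; RF/contention interference; auth and EAP failures; de-auth flood.
EVENTS = [make_delta(6, 3, 1, 1, 0, 0, 0, 0),
          make_delta(40, 120, 15, 1, 0, 0, 0, 0),
          make_delta(6, 2, 1, 2, 25, 9, 0, 0),
          make_delta(7, 3, 2, 0, 0, 0, 0, 300)]


def run_demo():
    profile = learn_profile(NORMAL_WINDOW)
    return [classify(d, profile) for d in EVENTS]


if __name__ == "__main__":
    print(run_demo())   # ['normal', 'interference', 'intrusion', 'dos_attack']
```

The order of the checks is the part worth noticing. Because interference is tested first, an interval in which a de-authentication flood also inflates the retry or FCS error counters is reported as interference, so an operator reading only the final label would miss the attack; logging the High/Low state of all three groups with every alarm, and re-learning the profile only from intervals classified as normal, are the two additions a deployment would want.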
Project Review
[Figure: 802.11 testbed on 2.4 GHz with an Attacker AP and the CS AP connected to the Internet, an Attacker and Client1 as wireless stations, and an IDS host collecting MIB data, SysLog and AiroPeek captures.]
Info Measurements
• Info Resources
– SNMP MIB
» A collection of objects that can be accessed via a network management protocol
– System Log
» Event/Trap captures
– Wireless Capture
Info Measurements
• Info Collection Tools
– Hardware
» Cisco Access Point
» Cisco Wireless Card
– Software
» Visual Studio
» Net-SNMP
» AiroPeek
» Netstumbler

MIB Collection & Storage
[Figure only; no text captured.]

SysLog
[Figure only; no text captured.]
Data Analysis
• Measurement-based analysis
• Correlate parameters with events
– Contention interference
– RF interference
– Wireless intrusion
– Wireless DoS attack
Sample Experiments
• Contention Interference
[Figure: two APs, the CS AP and a Test AP, both on channel 9 (Chl 9), serving Client1 and Client2; MIB statistics are collected from the CS AP.]
Contention Interference
• MIB counters examined
– dot11ACKFailureCount.1
– dot11FailedCount.1
– dot11FCSErrorCount.1
– dot11FrameDuplicateCount.1
– dot11MulticastTransmittedFrameCount.1
– dot11MultipleRetryCount.1
– dot11RTSFailureCount.1
– dot11TransmittedFrameCount.1
Contention Interference
[Plots, one per slide, of the counter time series over samples 1 to 781 during the contention-interference experiment: dot11ACKFailureCount.1 (y axis 0-100), dot11FailedCount.1 (y axis 0-100), dot11FCSErrorCount.1 (y axis 0-400) and dot11TransmittedFrameCount.1 (y axis 0-600).]
802.16 Protocol Layering
[Figure only; no text captured.]

802.16 MIB Structure
[Four figure-only slides; no text captured.]
Thank You!
More Questions?