TRUST Meeting, Berkeley, March 2007


Network Defense Research
Anthony D. Joseph
Ken Birman, Robbert van Renesse
Vern Paxson
Deirdre K. Mulligan, Aaron Burstein, Maryanne McCormick
"Network Defense Research,"
Anthony D. Joseph
TRUST Meeting, Berkeley, March 2007
Outline





DETER Testbed
Network Defense Research at Cornell
Network Defense Research at ICSI
Access to Data (UCB)
Network Defense Research at UCB

The DETER Testbed
Anthony D. Joseph
Shankar Sastry
University of California, Berkeley
TRUST Meeting, Berkeley, March 2007
DETER Testbed Motivation

• Inadequate deployment of security technologies
  – Despite 10+ years investment in network security research
• Lack of experimental infrastructure
  – Testing and validation occurs mostly at small scales
  – Lack of objective test data, traffic and metrics
• cyber DEfense TEchnology Experimental Research Testbed
  – Open to all researchers (gov’t, industrial, academic)
DETER Testbed, Anthony D. Joseph
TRUST Meeting, Berkeley, March 2007
DETER Testbed Goals
1) Design & construct testbed for network security experiments
  – Attack scenarios/simulators, topology generators, background traffic, monitoring/visualization tools
2) Do research on experimental methodology for network security
  – Scientifically rigorous frameworks/methodologies
3) Do research on network security
  – Attack detection and countermeasure tools

DETER Testbed Capabilities

• “Real systems, Real code, Real attacks!”
  – ~400 PCs with 5+ Gigabit Ethernet links each
  – Supports all x86 OSes: Windows, Linux, UNIX
• Modeling large-scale wide-area networks
  – Nodes can be used as clients, routers, and servers
  – Examining the effects of “rare events”
• Evaluating commercial hardware/prototypes
  – Vendor-neutral environment
  – Intrusion detection/protection appliances
  – Interactions between different vendors’ products
  – Performance testing: normal and under attack

Example Experiments

• Slammer: BW-limited Scanning Worm
  – ICSI and PSU: modeling propagation through the Internet [WORM’04 paper]
  – Virtual node model of the response of subnets
  – 1/64th scale Internet
• Other experiments:
  – Collaborative defenses
  – Large-scale enterprise network simulation

[Diagram of the DETER testbed. Labels: User, Internet, FW, ISI Cluster, UCB Cluster, User files, ‘Boss’ Server, ‘User’ Server, Download Server, Node Serial Line Server, Power Cont’ler, PC, Control Network, Cisco/Nortel SW, Foundry/Nortel SW, IPsec, trunk]

DETER Project Timeline

• Funding
  – DETER: NSF and DHS HSARPA (Sept 03 – Feb 07)
  – DECCOR: NSF CRI program (Jul 05 – Jun 07)
  – DIPLOMAT: DHS HSARPA (Sept 06 – )
  – DIRECT: AFOSR DURIP program (Apr 06 – Mar 07)
• Experience to date – over 40 projects
  – DDoS Attack-Defense, Worm Behavior Characterization, Network Routing Attack-Defense
  – Security course support at UCB, commercial devices
  – DHS cybersecurity 2006 exercise
• Working with Cornell to federate with their testbed
  – Interesting latency challenges
  – Also Utah and Vanderbilt testbeds

DETER Community Workshop: August 6 - 7, 2007, Boston, MA (before USENIX Tech Conf)

DETER Testbed Software

• Extended Utah Emulab control plane software
  – Experiment creation GUI and security features
• Experimental node OS support
  – RedHat Linux 7.3, FreeBSD 4.9, or Windows XP
  – Users can load arbitrary code, in fact
• User has root access to all allocated nodes!
  – No direct IP path into experimental network
  – Encrypted tunnels across Internet (SSL/SSH/IPsec)
  – Secure process replaces OS after each experiment
  – Optional disk scrub after experiments

Upcoming Software Capabilities

• Reusable library of realistic, rigorous, reproducible, impartial tests (Archived Experiments)
  – For assessing attack impact/defense effectiveness
  – Test data, test configurations, analysis software, and experiment automation tools
• Usage examples and methodologies (WorkBench)
  – Test selection recommendations
  – Test cases, results, and benchmarks

Related Effort with OSD/NII

• GIG context: Vast Networks, People and Technical Systems, and Embedded systems
  – Insufficient large complex systems analytical methods limit sensor, data, and network capabilities – Tactical Edge and Warfighter Assurance
  – NSF System of Networked Embedded Devices workshop (10/05)
      • The few successful distributed systems spent “50-75% of their development budget on debugging, testing and validation”
• Solving the Analytic Gap: Advanced Mathematics for Scale & Complexity (w/ Kirstie Bellman, Aerospace Corp)
  – Map DoD operational deficits to potentially important mathematical R&D problems
  – Identify new approaches for evaluating the scalability of methods
  – Three driving problems: Testbed validation, Detecting anomalous traffic flows, DoD-COTS interactions

DETER Clusters
ISI
UCB
Open to community – request an account at: http://www.deterlab.net/

Network Defense at Cornell
Ken Birman
Robbert van Renesse
TRUST Meeting, Berkeley, March 2007
Approach


• Robust networked middleware for mission-critical distributed applications
• Emphasis on many dimensions of scale
  – High latencies due to physical distances
  – High overheads due to casual use of middleware abstractions
  – High vulnerability due to large number of components
  – …
Nightwatch: Auditing of Large
Systems; Robbert van Renesse,
Cornell Univ.
TRUST Meeting, Berkeley, March 2007
Products









Fireflies: intrusion-tolerant network overlays
SecureStream: intrusion-tolerant video streaming
Nightwatch: intrusion-tolerant auditing service
Quicksilver: next-generation multicast / pubsub
Ricochet: FEC for time-critical multicast protocols
Maelstrom: FEC for high latency connections
SMFS: file system for high latency connections
Tempest: middleware for time-critical SOA systems
r-Kelips: robust P2P range-index
Our cluster

216 blades, 3 100Mbit Ethernet ports each
20 1U servers, 3 1Gbit Ethernet ports each
HP ProCurve 100 Mbit switches
Nortel 1 Gbit switches
3 Terabyte storage servers

Funded by DURIP grants




ICSI Network Defense Research
Vern Paxson
"ICSI Network Defense
Research,” Vern Paxson
TRUST Meeting, Berkeley, March 2007
ICSI Network Defense Research

• Research Focus #1: network intrusion detection (& prevention) in an operational environment
  – Mainly using the Bro system 24x7 at Lawrence Berkeley National Lab, UCB
  – Efforts:
      • Detection algorithms
      • Forensics (the “Time Machine”)
      • High performance (clusters; FPGA/parallel analysis)
      • Disparate context (distributed monitoring; host-based sensors)
      • Sharing information across sites
      • Integrating honeynet data
ICSI & TRUST,V. Paxson
TRUST Meeting, Berkeley, March 2007
ICSI Network Defense Research

• Research Focus #2: addressing the threat of large-scale compromise of Internet hosts
  – Key enabling technology for today’s bleak Internet landscape (spam, phishing, identity theft, extortion)
  – Done in the context of NSF Cybertrust Center for Internet Epidemiology & Defenses (w/ UCSD)
  – Scope:
      • Internet Epidemiology (understanding the threat)
      • Automated Defenses (protection w/o human-in-the-loop)
      • Counter-threat Pragmatics (associated legal & economic issues)

ICSI & TRUST (current)

• Effort #1: assessing resilience of network monitoring systems to evasion
  – Evasion presents fundamentally hard problem
  – But: no sound benchmark to assess exists …
      • … And thus no pressure on vendors to address it
  – Goal: develop a modular, open source testing framework to facilitate emergence of benchmarks
  – Work done in context of TRUST’s ICAST collaboration
  – Year 1: trace-based, off-line

ICSI & TRUST (current)

• Effort #2: understanding fingerprinting of off-port applications
  – Context: many apps today avoid well-known ports (P2P; Skype; botnet C&C)
      • Also highly relevant for anonymizers
  – Significant body of work aims to identify via statistical (non-content) techniques
  – Our premise: these are fundamentally weak …
  – … which we aim to show
      • Analytically
      • Empirically
  – Effort w/ Alvaro Cardenas (TRUST Postdoc)

ICSI & TRUST (current)

• Effort #3: informing development of legal frameworks for network security research
  – Maryanne McCormick, Aaron Burstein (Law)
  – Issues:
      • Sharing data, traces
      • Containment: how do you control potential infections?
      • Participating in botnets
      • Interacting with botmasters, buyers & sellers

ICSI & TRUST (future)

• Widen evasion testing methodology
  – Live hosts to facilitate normalization, active mapping, host agent defenses
  – Evasion-by-stress
      • Particularly state management stresses
• Cross-site information sharing
  – Architecture #1: global database, local reputation
  – Arch. #2: “detectives” and “witnesses”
  – Arch. #3: confederation of sites that mostly trust one another
• Seeding vision proposed by ICSI to Cybertrust:
  – Sites send scripts describing activity of interest
  – Recipients can automatically both search retrospectively and instrument for the future

Access to Data
Deirdre K. Mulligan
Aaron Burstein
Maryanne McCormick
"Access to Data," Deirdre K. Mulligan
TRUST Meeting, Berkeley, March 2007
Access to Cyber Security Data


• Access to real datasets could produce a “paradigm shift” for computer, network security research
• Problems:
  – Relevant data regulated by disparate laws; research exceptions are weak or non-existent
      • No coherent policy view of “cyber security”
  – Data needs highly varied
  – Data controllers highly dispersed, incentives conflict
• Current situation:
  – Few common datasets for comparisons, testbeds
  – “Every firm for itself,” with some exceptions

Access-to-data: DMCA

• Need to understand sources of vulnerabilities on end-users’ computers
  – Digital Millennium Copyright Act (DMCA) prohibits circumventing “technological protection measures” that control access to copyrighted works
  – Weak “security testing” exception
• Sony BMG “rootkit” episode
  – Audio CDs installed copy-prevention software that hid from user, left machines vulnerable
  – Researchers delayed reporting findings because of fear of legal liability
  – Meanwhile ~500,000 users installed software
  – Librarian of Congress granted DMCA exemption — for audio CDs only

Access-to-data: Communications Privacy

• Internet traffic datasets needed to understand worm & virus propagation, DDoS attacks
  – Cross-organizational sharing needed to understand large-scale attacks
• No research exceptions for intercepting communications contents (Wiretap Act) or disclosing stored contents or addressing information (Stored Communications Act)
  – Provider protection exceptions not always applicable
• Very difficult to get good picture of Internet traffic
  – Govt. (including state universities) researchers at particular disadvantage
  – Examining institutions, legal reforms to allow sharing

Access-to-data: Computer abuse


• “Honeynets” (networks of computers intended to be attacked) offer way to study attack tactics, malware
• Computer Fraud & Abuse Act prohibits knowingly accessing another computer on Internet “without authorization”
  – No research exception
  – Researchers liable for compromised machines?
  – Researchers liable for infiltrating attack networks?
• Legal concerns mitigated by statutory mental state requirement

UCB Network Defense Research
Anthony D. Joseph

UCB Network Defense Research

• Research Focus #1: Novel Worm/Virus Detection and Machine Containment
  – Leverage machine learning to identify and quarantine e-mail worms and viruses before signatures are available
  – Efforts:
      • Learning on a single user’s outgoing e-mail behavior
      • Using a multi-tiered modeling approach
      • Leveraging existing anti-virus solutions to improve results
      • Containing (or slowing) infection until scanners can detect it
  – Results:
      • Very low false positive and false negative rates
      • Could be effective containment even with 50% deployment

UCB Network Defense Research

• Research Focus #2: Efficient Detection of Network-Wide Anomalies
  – Detecting sudden changes in Origin-Destination flows (from DDoS, device failure, misconfigs, …) using only link traffic measurements
  – Efforts:
      • Applying distributed Principal Component Analysis to separate normal from anomalous traffic
      • Working to reduce detection time scales, increase number of monitor nodes
  – Results
      • User-specified level of accuracy
      • Order of magnitude reduction in network monitoring traffic

UCB Network Defense Research

• Research Focus #3: Attacks Against Machine Learning-based Security Systems
  – Attacking ML-based security systems such as Intrusion Detection Systems and spam filters
  – Efforts:
      • Developing a taxonomy of attacks (dodging and numbing)
      • Determining an attacker’s work function for altering a learner based on different levels of knowledge and control
      • Building a test platform for attacks and countermeasures
  – Results
      • Theoretical analysis of attacker work function for simple mean-centered hypersphere classifier
      • Modified SpamBayes platform for adversarial learning