WP3_Annual_review_June08(21)

Workpackage 3
WISDOM
New security algorithm design
ICS-FORTH
Brussels, 9th June 2008
WISDOM WP3: New security algorithm design
Objectives
• Identify critical security application components which can be efficiently implemented in the optical domain
• Characterise constraints to algorithmic components and develop novel analytical techniques for simplified pattern matching
• Design a Security Application Programming Interface (SAPI) which will be the interface between high-level security applications and low-level optical implementation
Tasks – Deliverables
• WP3.1: Security Applications Partitioning
• WP3.2: Identification of Simplified Security Algorithm Components
• WP3.3: Definition of a Security Application Programming Interface: SAPI
WP3.1 Security Applications Partitioning
Critical security operations in the optical domain
• Basic firewall functionality, inspect packet headers
– Less than 10% of rules, more than 90% of alerts
• Look at a specific packet header field
– Block or filter traffic for specific protocols, ports, etc: optical filtering, optical pattern matching, optical routing
– Block or filter traffic for specific IP addresses: optical possible but not efficient
• Combined inspections of two header fields
– From specific IP addresses to specific ports: optical possible but a combination of optical and electronic is more efficient
WP3.1 Security Applications Partitioning
Firewall rule example (rule: header field inspected)
• Deny all incoming traffic with IP matching internal IP: source IP address
• Deny incoming from black-listed IP addresses: source IP address
• Deny all incoming ICMP traffic: IP protocol
• Deny incoming TCP/UDP 135/445 (RPC, Windows Sharing): destination port
• Deny incoming/outgoing TCP 6666/6667: destination port
• Allow incoming TCP 80, 443 (http, https) to internal web server: destination port, destination IP address
• Deny incoming TCP 25 to SMTP server from external IP addresses: destination port, destination/source IP address
• Allow UDP 53 to internal DNS server: destination port, destination IP address
Typical port assignments for some services/applications: ftp TCP 21, ssh TCP 22, telnet TCP 23, POP3 TCP 110, IMAP TCP 143
WP3.1 Security Applications Partitioning
Security Operation | Inspection | Application Example
Match network packet targeting a specific service | Destination Port Number | Filtering out e-mail traffic
Match network packet originating from a specific service | Source Port Number | Filtering out a Web server's response
Match network packet targeting specific computer(s) | Destination IP Address | Preventing contact with a computer
Match network packet originating from specific computer(s) | Source IP Address | Preventing access from a computer
Match network packet with specific properties | IP protocol header field | Filtering out ICMP traffic
Match network packet targeting a specific service and originating from specific computers | Destination Port Number and Source IP Address | SPAM filter
Denial of Service attack detection | SYN flag | Preventing TCP SYN flood attacks
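The firewall rule example and the security-operation table above are the partitioning input: each rule is decided by one or more header fields, and the single-field rules are the candidates for the optical domain. The following Python model is an added example (not project code): it encodes the slide's rules as first-match predicates over header fields only, and lists which rules need a single field. The internal network, server addresses and blacklist entry are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the example (not from the slides): a private
# internal network, one server per service, and a placeholder blacklist entry.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
WEB_SERVER, SMTP_SERVER, DNS_SERVER = "10.0.0.80", "10.0.0.25", "10.0.0.53"
BLACKLIST = {"203.0.113.7"}

@dataclass(frozen=True)
class Header:
    src_ip: str
    dst_ip: str
    proto: str              # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    incoming: bool = True   # direction relative to the protected network

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET

# One entry per slide rule: (action, header fields inspected, predicate).
# First match wins; anything unmatched is allowed.
RULES = [
    ("deny", ("src_ip",), lambda h: h.incoming and is_internal(h.src_ip)),
    ("deny", ("src_ip",), lambda h: h.incoming and h.src_ip in BLACKLIST),
    ("deny", ("proto",), lambda h: h.incoming and h.proto == "icmp"),
    ("deny", ("dst_port",), lambda h: h.incoming and h.proto in ("tcp", "udp")
                                      and h.dst_port in (135, 445)),
    ("deny", ("dst_port",), lambda h: h.proto == "tcp" and h.dst_port in (6666, 6667)),
    ("allow", ("dst_port", "dst_ip"), lambda h: h.incoming and h.proto == "tcp"
                                      and h.dst_port in (80, 443) and h.dst_ip == WEB_SERVER),
    ("deny", ("dst_port", "dst_ip", "src_ip"), lambda h: h.incoming and h.proto == "tcp"
                                      and h.dst_port == 25 and h.dst_ip == SMTP_SERVER
                                      and not is_internal(h.src_ip)),
    ("allow", ("dst_port", "dst_ip"), lambda h: h.proto == "udp" and h.dst_port == 53
                                      and h.dst_ip == DNS_SERVER),
]

def decide(h):
    """Return (action, index of the first matching rule) or ("allow", None)."""
    for i, (action, _fields, pred) in enumerate(RULES):
        if pred(h):
            return action, i
    return "allow", None

def single_field_rules():
    """Rules decidable from one header field: the candidates for all-optical
    inspection; the rest combine two or more fields (hybrid processing)."""
    return [i for i, (_a, fields, _p) in enumerate(RULES) if len(fields) == 1]
```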
WP3.2 Identification of Simplified Security Algorithms Components
• Optical pre-processing for more complex pattern recognition
– Restrictions in optical domain (buffering, level of integration, etc)
– Scalability of security pattern matching algorithms, optimum balance between optical and electronic processing (WP6)
– Develop algorithms that will allow optical bit-serial processing subsystems to operate as a pre-processor to more complex pattern recognition techniques in the electronic domain.
D3.2 Identification of Simplified Security Algorithms Components
WP3.2 Identification of Simplified Security Algorithms Components
• Identify feasible and efficient all-optical operations
– Inspection of specific fields in packet headers (protocol number, port number, etc)
– Pattern matching
– Routing
• Keep all options for conventional (electronic) IDS
– Design high speed optical pre-processing that makes electronic processing more efficient
• Demonstration of key security functions
– Example applications with efficient and reliable operation of a hybrid system consisting of both all-optical and electronic components
WP3.2 Identification of Simplified Security Algorithms Components
Combine optical and electronic signature-based detection
• Optical traffic splitters
– optical header processing
– split high speed network traffic
– group packets, e.g., according to port number
• Multiple “specialized” (electronic) processors
– fewer packets to inspect per processor
– more efficient payload inspection by performing the same operations on the same type of packets
WP3.2 Identification of Simplified Security Algorithms Components
Approach for Hybrid Optical – Electrical Platform
• All-optical inspection of packet headers only
• A few well chosen useful rules optically implemented
– Restrictions in memory and level of integration imply that only a small number of selected rules can be implemented in the optical domain
– Reconfigurable optical systems
– Analysis and statistics of network security threats
• Seamless coupling of optics with electronics
– Electronic processing enhanced by optical preprocessing
– Security applications (including payload inspection) in the electronic domain with more conventional NIDS tools
– Take advantage of “conventional” NIDS/NIPS methods that are continuously developed
WP3.2 Identification of Simplified Security Algorithms Components
Use network traffic monitoring and classification (appmon)
WP3.2 Identification of Simplified Security Algorithms Components
Select rules using statistics on suspect packets
NoAH honeypots statistics (the slide shows per-protocol, per-port, per-country and trend charts and the top 20 source IP addresses by packet count; the destination port ranking is reproduced here)
Destination Port | Packet Count
445 | 57843
139 | 16289
135 | 15014
1434 | 13022
137 | 9092
80 | 6284
1026 | 4889
443 | 4669
22 | 4303
1027 | 4153
1433 | 4138
23 | 3668
21 | 3298
2967 | 2297
637 | 1984
704 | 1917
620 | 1568
25 | 1536
23657 | 1410
5900 | 1388
WP3.2 Identification of Simplified Security Algorithms Components
• Network traffic monitoring
– Deployment of a network of sensors for a global view
• Protocols
– ICMP often used in attacks
– TCP most popular, UDP also heavily used
• Ports
– Some high level applications use TCP/IP with pre-assigned port numbers
– Others use dynamically assigned port numbers, different for different connections
– Some attacks work on specific ports
WP3.2 Identification of Simplified Security Algorithms Components
Benefits from optical splitting for electronic processing
Similar approaches have already proved successful in intensive NIDS applications
• Early filtering and forwarding
• Packets of the same type are grouped by the splitter and forwarded to specialized electronic processors
• Performance benefits (about 20%) with the use of digital network processors
• Clustering of packets with the same destination port number improves performance of conventional IDS
– 40% increase in packet processing throughput
– 60% improvement in packet loss rate
WP3.2 Identification of Simplified Security Algorithms Components
Available hybrid integrated optical circuits:
• XOR, AND logic gates
• buffer memory (limited)
• routing switch
• Bit pattern matching circuit
• Target pattern generator
• Pseudo random bit sequence generator
• Header sampler (proposal)
• CRC (proposal)
WP3.2 Identification of Simplified Security Algorithms Components
Input: flux of packets, consisting of RZ pulses (T)
Output: packets dropped or allowed to proceed
[Diagram of the optical firewall pipeline. Packet layout: preamble, header (TCP port #), payload, guard band. Blocks: header sampler, buffer memory, MZI1, bit pattern matching, routing switch, CRC.]
WP3.2 Identification of Simplified Security Algorithms Components
Same components, simple pipelined configuration
• 8 bit pattern matching at left box
• 16 bit pattern matching at center and right boxes
• Possible packet collisions, bottleneck
WP3.2 Identification of Simplified Security Algorithms Components
“router”: round-robin, CRC
WP3.2 Identification of Simplified Security Algorithms Components
Simulator of optical devices
• Basic building blocks are logic gates
• Useful for circuit design, testing efficiency of proposed configurations, analysis of more complex algorithms, hybrid optical-electronic detection, load balancing, parallel/distributed configurations, anomaly-based detection, etc.
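The pipeline diagrams (header sampler, bit pattern matching, routing switch, an 8-bit box followed by 16-bit boxes) and the gate-level simulator above can be modelled together. The following Python is an added example, not the project's simulator: it builds the comparator from XOR and AND gates over a bit-serial header and chains three boxes in series. The packet layout (preamble, 8-bit protocol, two 16-bit ports, payload, guard band) and the sync word are assumptions for the example.

```python
# Gate-level model of the optical pipeline: header sampler -> bit pattern matching
# (XOR/AND) -> routing switch. The packet layout is assumed for the example:
# preamble | 8-bit protocol | 16-bit src port | 16-bit dst port | payload | guard band.
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]   # constructed sync word
GUARD = [0] * 4

def to_bits(value, width):
    """MSB-first bit list, as the field would appear on the bit-serial line."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def make_packet(proto, src_port, dst_port, payload_bits):
    return (PREAMBLE + to_bits(proto, 8) + to_bits(src_port, 16)
            + to_bits(dst_port, 16) + payload_bits + GUARD)

# Header fields as (bit offset after the preamble, width)
PROTO, SRC_PORT, DST_PORT = (0, 8), (8, 16), (24, 16)

def header_sampler(packet, field):
    """Tap the field's bits off the serial stream (the buffer memory holds them)."""
    offset, width = field
    start = len(PREAMBLE) + offset
    return packet[start:start + width]

def bit_pattern_match(sampled, target):
    """Bit-serial comparator: XOR each bit with the target; AND the inverted XOR
    outputs, so the result is 1 only when every bit agrees."""
    match = 1
    for s, t in zip(sampled, target):
        match &= 1 ^ (s ^ t)
    return match

def routing_switch(packet, field, targets):
    """Drop when the sampled field equals any target pattern, else forward."""
    sampled = header_sampler(packet, field)
    hit = 0
    for target in targets:
        hit |= bit_pattern_match(sampled, target)
    return "drop" if hit else "forward"

def pipeline(packet, stages):
    """Boxes in series (an 8-bit protocol match, then 16-bit port matches);
    return the index of the stage that dropped the packet, or None."""
    for i, (field, values) in enumerate(stages):
        targets = [to_bits(v, field[1]) for v in values]
        if routing_switch(packet, field, targets) == "drop":
            return i
    return None

# Rules from the slides: drop ICMP (protocol 1), drop ports 135/445, drop 6666/6667.
# Simplification: the port stages do not distinguish TCP from UDP.
STAGES = [(PROTO, [1]), (DST_PORT, [135, 445]), (DST_PORT, [6666, 6667])]
```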
WP 3.3 Definition of a Security Application Programming Interface (SAPI)
• SAPI will bridge the gap between optical execution of key components and programming of security applications
• High-level programming, abstract all low-level details
– operate independently of system modifications, allow for integration of additional software and hardware components of increasing complexity
• Hardware – software interface
– fast optical processing, reconfigurable at much slower rates
– user interventions rare, at the conventional speed of electronics
D3.3 Definition of SAPI
WP3: New security algorithm design
• Basic Firewall functionality in the optical domain (D3.1)
– Feasible, useful, and efficient packet header fields inspection
• Optical pre-processing for electrical NIDS/NIPS (D3.2)
– Actual security threats taken into account through network monitoring and attack statistics
– Optical traffic splitters, specialized electronic processors
– Optimum balance between optical and electrical processing: optical enhances electrical, benefits from conventional electronic NIDS/NIPS preserved
• SAPI (D3.3)
– High-level programming of security applications running over optical and electronic hardware
• Functional optical device simulator
– Complex algorithm design
– Development that may be of more general interest