Affiliations: Graduate School of Information Sciences, Tohoku University; Sendai Intelligent Knowledge Cluster; Intelligent Cosmos Research Institute
Experiences within the Sendai Intelligent Knowledge Cluster Project:
Research Achievements in Network Security, Satellite Communications, and Wireless Networks
Dr. Tarik Taleb, Ph.D.
2006 Sendai Int’l Workshop on Internet Security & Management, Sendai, Japan, Jan. 2006
Outline
In brief: Major Research Projects
- Wireless Communication Systems
- Internet Security
In detail: An Efficient Signature-Based Framework for Early Detection of Internet Worms over Large Scale Networks
Research Projects
Next Generation Wireless Communications Systems
- Transmission protocols
- Mobility management and QoS routing protocols
- On-demand multimedia transmission
Internet Security
- Internet worms
- Trace back of DoS attacks
- Intrusion detection systems
Research Projects: Transmission Protocols for Wireless Communication
REFWA (Recursive, Explicit, and Fair Window Adjustment): A new transport protocol to efficiently and fairly adjust the sending rates of TCP connections in broadband satellite communication systems
DSBP (Dummy Segment-based Bandwidth Probing): A novel technique to improve the efficiency of TCP in heterogeneous wireless networks
Research Projects: REFWA: Recursive, Explicit, and Fair Window Adjustment
[Figure: a non-geostationary satellite network in the sky connecting direct users, terrestrial wired networks A and B, and terrestrial wireless networks through gateways, Internet Service Providers and servers to the Internet]
Aim: To find optimum sending rates for TCP connections in NGEO broadband satellite systems; to solve issues related to handoff and to unfairness due to RTT variance
Concept: Use of the hop count to estimate connections' RTT; use of the RTT to notify TCP senders of their optimum sending rates
Further applications: Multi-homing over hybrid wired/wireless networks
• T. Taleb, N. Kato, and Y. Nemoto, "REFWA: An Efficient and Fair Congestion Control Scheme for LEO Satellite Networks", to appear in IEEE/ACM Transactions on Networking.
• T. Taleb, N. Kato, and Y. Nemoto, "An Explicit and Fair Window Adjustment Method to Enhance TCP Efficiency and Fairness over Multi-Hops Satellite Networks", IEEE J. Select. Areas Commun., vol. 22, no. 2, Feb. 2004.
Research Projects: DSBP: Dummy Segment-based Bandwidth Probing
[Figure: a Mobile Node handing off from base station BS1 to BS2 while exchanging TCP data traffic with a Correspondent Node via its Home Agent; dummy segments are sent over the new link]
Aim: To solve issues related to the bandwidth disparity in heterogeneous wireless networks
Concept: Use of low-priority dummy segments to probe the bandwidth of the new network
Further applications: RTP/RTCP-based multimedia streaming
• T. Taleb, K. Kashibuchi, N. Kato, and Y. Nemoto, “A Dummy Segment Based Bandwidth Probing Technique to Enhance the Performance of TCP over Heterogeneous Networks”, IEEE WCNC 2005.
• K. Kashibuchi, T. Taleb, A. Jamalipour, N. Kato, and Y. Nemoto, “A New Smooth Handoff Scheme for Mobile Multimedia Streaming using RTP Dummy Packets and RTCP Explicit Handoff Notification”, IEEE WCNC 2006.
Research Projects: Mobility Management and QoS Routing Protocols
ELB (Explicit Load Balancing): A new routing protocol to better distribute traffic and accordingly alleviate congestion in Non-Geostationary satellite systems
VHRP (Vehicle-Heading based Routing Protocol): A stable and reliable routing mechanism for Inter-Vehicular Communications that reduces the number of link breakage events and increases the end-to-end throughput in VANETs
DEMAPS (Dynamic & Efficient MAP Selection): A dynamic MAP management strategy that selects the most appropriate MAP, i.e. the one with the lightest traffic load, based on an estimate of MAP load transitions
Research Projects: ELB: Explicit Load Balancing
Aim: To deal with scenarios where some satellites get congested while others remain underutilized; to better distribute traffic over the entire constellation, reduce congestion-induced packet drops, and improve network utilization
Concept: Explicit and periodic exchange of information on queue status among neighboring satellites
Applications: Delay-insensitive applications; possible application to terrestrial networks
[Figure: traffic from a sender to a receiver is routed around a congested satellite]
• T. Taleb, A. Jamalipour, N. Kato, and Y. Nemoto, "IP Traffic Load Distribution in NGEO Broadband Satellite Networks", in Proc. of the 20th Int. Symposium on Computer & Information Sciences, Oct. 2005. (Invited Paper)
Research Projects: VHRP: Vehicle-Heading based Routing Protocol
Aim: To guarantee stable and reliable routes for communication; to reduce the number of link breakage events; to increase E2E throughput and guarantee routing QoS in VANETs
Concept: Group vehicles based on their velocity headings and establish routes among vehicles of the same group
Applications: Inter-Vehicular Communications; hot spot to vehicle communications
[Figure: vehicles A, B, C, D, F and N; a route from Source to Destination is built through vehicles sharing the same heading]
• T. Taleb, M. Ochi, A. Jamalipour, N. Kato, and Y. Nemoto, "An Efficient Vehicle-Heading Based Routing Protocol for VANET Networks", in Proc. of IEEE WCNC 2006.
Research Projects: DEMAPS: Dynamic & Efficient MAP Selection
Aim: To solve issues related to handoff management in Mobile IPv6 networks; to better distribute traffic among MAPs; to alleviate congestion, enhance network resource utilization, and ultimately guarantee QoS
Concept: Use of an Exponential Moving Average to predict transitions of MAP load
Applications: Mobile IPv6 networks
[Figure: a Mobile Node (MN) behind access routers AR1-AR4 selects among Mobility Anchor Points MAP1-MAP4 while communicating over the Internet with a Correspondent Node and its Home Agent]
• T. Taleb, T. Suzuki, N. Kato, and Y. Nemoto, "A Dynamic and Efficient MAP Selection for Mobile IPv6 Networks", in Proc. of IEEE Globecom 2005.
Research Projects: On-Demand Multimedia Transmission
NBB-VoD (Neighbors Buffering Based VoD): An interactive and scalable scheme for the provision of VoD service in multicast environments
Theatre in the Sky: An architecture based on Quasi-Geostationary Satellites for global streaming of on-demand multimedia services to hybrid networks made of both mobile and fixed users
Research Projects: NBB-VoD: Neighbors Buffering Based VoD
[Figure: a new user's request is served from the buffer of an old user already receiving the stream from the server; start/stop marks show the buffered interval]
Aim: To increase the capacity of VoD servers and the scalability of the system; to efficiently utilize network resources (e.g. bandwidth)
Concept: Serve new users willing to join a session from their neighbors, which are already members of the session
Applications: On-demand multimedia services in multicast environments, distance learning, etc.
• T. Taleb, N. Kato, and Y. Nemoto, "On-Demand Media Streaming to Hybrid Wired/Wireless Networks over Quasi-Geo Stationary Satellite Systems", Elsevier Computer Networks, Feb. 2005.
• T. Taleb, T. Suzuki, N. Kato, and Y. Nemoto, "Neighbors-Buffering Based Video-on-Demand Architecture", Signal Processing: Image Communication, Aug. 2003.
Research Projects: Theatre in the Sky
[Figure: service architecture. Elements: Metropolitan Server; storage data (popular video); core network; Local Service Manager with replicated data; multicast data on a current channel and an upcoming channel; control messages; request time; unicast data]
[Figure: the Quasi-Geostationary Satellite Constellation; a Quasi-GSO system with inter-system links serving Metropolitan Service Areas]
• T. Taleb, A. Jamalipour, N. Kato, and Y. Nemoto, "A Theatre in the Sky: A Ubiquitous Broadband Multimedia-on-Demand Service over a Novel Constellation Composed of Quasi-Geostationary Satellites", to appear in Wiley Int. J. of Satellite Commun. and Networking.
Research Projects: Internet Security
DoS Attacks in Mobile Networks: Design of a prevention system to secure mobile networks from high-rate TCP-based DoS attacks originated by malicious mobile users
Intrusion Detection System: Development of a hybrid system for the detection, prevention, and trace back of cryptographic protocol intrusions
Internet Worms: An Efficient Signature-Based Framework for Early Detection of Internet Worms over Large Scale Networks
Research Projects: Securing Hybrid Wired/Mobile IP Networks
Aim: To demonstrate the inefficiency of trace back techniques in mobile networks; to design a prevention system that secures hybrid wired/mobile networks from high-rate TCP-based DoS attacks coming from malicious mobile users
Concept: Send suspicious TCP senders a test feedback requesting them to decrease their sending rates; judge the senders' legitimacy based on their responsiveness
Applications: Security in mobile networks, WiMAX, WLAN, etc.
[Figure: an attacker behind a base station (BS) and access router (AR) floods a victim server across the Internet; tracing back to the mobile attacker fails]
• T. Taleb, H. Nishiyama, N. Kato, and Y. Nemoto, "Securing Hybrid Wired/Mobile IP Networks from TCP-Flooding Based Denial-of-Service Attacks", in Proc. of IEEE Globecom 2005.
Outline
- Background
- Related Work
- Framework Description
- Performance Evaluation
- Concluding Remarks
Damage due to Worms
Worm         Year  Number of Infected Hosts     Type
Code Red     2001  360 thousand (in 14 hours)   Scan
SQL Slammer  2003  75 thousand (in 10 minutes)  Scan
Blaster      2003  330 thousand (in 5 days)     Scan
Witty        2004  20 thousand (in 1 hour)      Scan
Beagle       2004  500 thousand                 Email
NetSky       2004  6.1 million                  Email
MyDoom       2004  2.3 million                  Email
Internet worms have caused significant damage during the last few years
Protection against Internet worms is critical for overall network security
Limitations of Current Worm Detection Systems
- Signatures are generated after infection: significant damage; fast propagation of the worm
- Signatures are manually generated: time consuming; costly in terms of infrastructure and human resources
- Worms are becoming polymorphic: ease of evading detection; need for new signatures for each variant
Related Work (1): Honeypot-based detection systems
- Use honeypots to verify traffic's contamination with worms
- Can themselves be compromised by worms
- Have the credit of achieving low false alarm rates
- Require a long period of time until a worm attack is confirmed
• D. Dagon, X. Qin, G. Gu, W. Lee, and J. Grizzard, “HoneyStat: Local Worm Detection Using Honeypots,” Recent Advances in Intrusion Detection (RAID), 2004.
• C. Kreibich and J. Crowcroft, “HoneyComb: Creating Intrusion Detection Signatures using Honeypots,” in Proc. of the 2nd Workshop on Hot Topics in Networks (HotNets-II), Nov. 2003.
Related Work (2): Content-based detection systems
- Assume worm contents are unchangeable during propagation
- Use fingerprints or hashes to identify invariant (or repetitive) portions of the worm payload
- Not applicable to polymorphic worms (e.g. Mimail)
[Figure: payloads are passed through a hash function and a matching hash value raises a worm alert; annotation: same hash value for different payloads]
• M. Bhattacharya, S. Hershkop, and E. Eskin, “MET: An Experimental System for Malicious Email Tracking,” in Proc. of the 2002 New Security Paradigms Workshop, Sep. 2002.
• P. Akritidis, K. Anagnostakis, and E. P. Markatos, “Efficient Content Based Detection of Zero-Day Worms,” in Proc. of ICC, May 2005.
Related Work (3): Distributed Detection Systems
- DAW (Distributed Anti-Worm): collects ICMP host unreachable packets from routers at the edge of Internet Service Providers (ISPs) to detect scanners. Impractical for global detection of worms, as most routers are configured not to return ICMP host unreachable packets.
- INDRA (INtrusion Detection and Rapid Action): peer-to-peer detection system (only interested and trusted peers are involved). Fails to detect locally-biased worms.
- DOMINO (Distributed Overlay for Monitoring Internet Outbreaks): hybrid of P2P and hierarchical detection architecture. Complex system.
• S. Chen and Y. Tang, “Slowing Down Internet Worms,” in Proc. of the 24th Int. Conf. on Distributed Computing Systems (ICDCS’04), Mar. 2004.
• R. Janakiraman, M. Waldvogel, and Q. Zhang, “Indra: A peer-to-peer approach to network intrusion detection and prevention,” in Proc. of the 2003 IEEE WETICE Workshop on Enterprise Security, Jun. 2003.
• V. Yegneswaran, P. Barford, and S. Jha, “Global Intrusion Detection in the DOMINO Overlay System,” 11th Annual Network and Distributed System Security Symposium (NDSS), 2004.
Research Objectives
- Early detection of Internet worms, before they damage other systems
- Self-protection: networks should protect themselves by themselves
- Automatic generation of robust signatures; detection of polymorphic worms
- Detection in a hierarchical manner: accurate step-wise detection (low false alarm rate); easy-to-manage and scalable system
Architecture
[Figure: three-tier hierarchy of Local Security Managers, Metropolitan Security Managers and a Global Security Manager; suspicious flows travel from local to metropolitan managers, signatures travel from metropolitan managers to the global manager and are relayed back down]
- Local managers flag flows with suspicious contents
- Metropolitan managers identify worms among the suspicious flows and generate signatures
- The global manager relays signatures to warn areas yet to be targeted
Local Worm Detection Approach
[Figure: Local Security Manager block diagram. Network traffic enters the Signature Update Unit (SUU); initial-phase filtered traffic passes to the Anomaly Detection Unit (ADU), which lets normal traffic through and forwards suspicious flows to the Metropolitan Security Manager; signatures come back to the SUU, which reports detected worms]
Signature Update Unit: a set of existing Intrusion Detection Systems; uses available signatures to detect already-known worms; regularly updated with signatures relayed from higher-hierarchy managers
Anomaly Detection Unit: collects suspicious (worm-like) flows
How does the Anomaly Detection Unit function?
- Carries out analysis on a port basis: worms usually target specific ports (specific vulnerabilities)
- Checks for repeatedly appearing character sequences: actively propagating worms usually contain the same character sequences (Unix commands or parts of executable programs)
- Extracts a fixed number (NS) of sample tokens from each inbound flow: character sequences within the flow of constant length (LS)
- Sends suspicious flows to the metropolitan manager: flows that contain tokens whose occurrence frequency exceeds a predefined threshold (∆TH)
How does the Anomaly Detection Unit function? (example)
Parameters: length of strings LS = 5 bytes; number of strings per flow NS = 2; repetitive occurrence threshold ∆TH = 2
[Figure: sample tokens are extracted from the incoming flow and their occurrence frequency f is counted against the cached flows and the database of normal flows; one sampled token reaches f = 3 > ∆TH, so the flow containing the repetitively occurring string is forwarded as a suspicious flow]
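The following Python is an added example of the Anomaly Detection Unit described above; it is not code from the presentation or its authors. It samples NS tokens of LS bytes from each inbound flow, keeps a per-port cache of tokens for a caching time Theta_T, and flags a flow when a token's frequency exceeds ∆TH. Three details the slides leave open are assumptions here: token offsets are spread evenly over the payload, tokens that already occur in the database of normal flows are ignored, and frequency is counted over cached observations on the same port. The sample flows are constructed, not captured traffic.

```python
"""Anomaly Detection Unit (ADU) of a local security manager: per-port detection
of repeatedly appearing character sequences.

Added example, not the authors' code.  Assumptions (not fixed by the slides):
sample tokens are taken at evenly spaced offsets over the payload, tokens that
already occur in the database of normal flows are not counted, and observations
are kept per destination port for a caching time Theta_T before they expire.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple


def sample_tokens(payload: bytes, ls: int, ns: int) -> List[bytes]:
    """Extract up to NS tokens of constant length LS from one inbound flow.

    Offsets are spread evenly from the start to the end of the payload
    (assumption; the slides only fix NS and LS).  Short payloads yield nothing.
    """
    if len(payload) < ls or ns <= 0:
        return []
    last_start = len(payload) - ls
    if ns == 1 or last_start == 0:
        return [payload[:ls]]
    step = last_start / (ns - 1)
    starts = sorted({round(i * step) for i in range(ns)})
    return [payload[s:s + ls] for s in starts]


class AnomalyDetectionUnit:
    """Flags flows whose sampled tokens recur more than ∆TH times on a port."""

    def __init__(self, ls: int, ns: int, d_th: int, theta_t: float,
                 normal_flows: List[bytes]) -> None:
        self.ls, self.ns, self.d_th, self.theta_t = ls, ns, d_th, theta_t
        # Every LS-byte substring of the normal-flow database is whitelisted
        # so that common protocol text does not trip the threshold (assumption).
        self.normal_tokens: Set[bytes] = set()
        for flow in normal_flows:
            for i in range(len(flow) - ls + 1):
                self.normal_tokens.add(flow[i:i + ls])
        # port -> (timestamp, token) observations inside the caching window
        self.cache: Dict[int, Deque[Tuple[float, bytes]]] = defaultdict(deque)

    def _expire(self, port: int, now: float) -> None:
        """Drop observations older than the caching time Theta_T."""
        q = self.cache[port]
        while q and now - q[0][0] > self.theta_t:
            q.popleft()

    def observe(self, port: int, payload: bytes, now: float) -> List[bytes]:
        """Record one flow; return its tokens whose frequency f exceeds ∆TH.

        A non-empty result means the flow is suspicious and would be forwarded
        to the metropolitan security manager.
        """
        self._expire(port, now)
        q = self.cache[port]
        tokens = [t for t in sample_tokens(payload, self.ls, self.ns)
                  if t not in self.normal_tokens]
        for t in tokens:
            q.append((now, t))
        freq: Dict[bytes, int] = defaultdict(int)
        for _, t in q:
            freq[t] += 1
        # dict.fromkeys keeps first-seen order while removing duplicates
        return [t for t in dict.fromkeys(tokens) if freq[t] > self.d_th]


# Constructed sample traffic (not captured data): two benign flows form the
# normal database; worm-like payloads share the same leading bytes "WORMX".
NORMAL_FLOWS = [b"hello world this is fine", b"GET /index.html HTTP/1.0"]
WORM_FLOWS = [b"WORMXqwertyuiop1", b"WORMXasdfghjkl22", b"WORMXzxcvbnm3333"]


def run_demo() -> List[List[bytes]]:
    """Feed the constructed flows to one ADU (LS=5, NS=2, ∆TH=2, Theta_T=1h)."""
    adu = AnomalyDetectionUnit(ls=5, ns=2, d_th=2, theta_t=3600.0,
                               normal_flows=NORMAL_FLOWS)
    results = [adu.observe(25, NORMAL_FLOWS[0], 0.0)]
    for i, flow in enumerate(WORM_FLOWS, start=1):
        results.append(adu.observe(25, flow, float(i)))
    # Two hours later the cached observations have expired: no alarm.
    results.append(adu.observe(25, b"WORMXpoiuytrewq4", 7200.0))
    return results


if __name__ == "__main__":
    for verdict in run_demo():
        print("suspicious tokens:", verdict)
```

With ∆TH = 2 the third worm-like flow is the first one flagged (the token "WORMX" has then been cached three times), which illustrates the trade-off the evaluation slides measure: a small ∆TH raises alarms earlier but also on benign repetition, a large one delays detection of a fast-spreading worm.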
Signature Generation Procedures @ Metropolitan Security Managers
In case of an actively propagating worm, metropolitan managers are likely to receive similar information from the local managers they monitor. Using this information, metropolitan managers conduct three major procedures:
1. Sort worm flows out of the suspicious flows
2. Generate accordingly a highly accurate signature
3. Submit the worm signature to the global manager
Signature Generation Procedures 1: Sorting worm flows
- Convert the payload of every suspicious flow to a point in a 256-dimension space (one dimension per ASCII/byte value)
- Consider all points as clusters, join the closest ones, and repeat until the number of clusters becomes less than half of the original number
- Identify the cluster with the largest number of points as the worm cluster
[Figure: the number of clusters decreases (16, 15, 14, ...) as the closest clusters are joined; the largest remaining cluster is marked "worm?"]
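The sorting step above, written out as an added Python example (not the presentation's own code): each payload becomes its normalised byte-frequency histogram, i.e. a point in R^256, clusters are merged pairwise until fewer than half of the original number remain, and the largest cluster is returned. The slides do not say which distance is used; Euclidean distance between cluster centroids is an assumption here. The suspicious flows are constructed: six near-identical worm-like payloads mixed with two unrelated flows that a local manager flagged by mistake.

```python
"""Sorting worm flows out of the suspicious flows (metropolitan manager, step 1).

Added example, not the authors' code.  The slides fix the idea: map every
suspicious payload to a point in a 256-dimensional space (one axis per byte
value), treat each point as a cluster, repeatedly join the two closest clusters
until fewer than half of the original number remain, and take the largest
cluster as the worm.  The distance function (Euclidean distance between
centroids of relative byte-frequency histograms) is an assumption.
"""
import math
from typing import List, Sequence


def byte_histogram(payload: bytes) -> List[float]:
    """Point in R^256: relative frequency of each byte value in the payload."""
    hist = [0.0] * 256
    for b in payload:
        hist[b] += 1.0
    total = float(len(payload)) or 1.0
    return [h / total for h in hist]


def centroid(points: Sequence[Sequence[float]]) -> List[float]:
    """Component-wise mean of a non-empty set of points."""
    return [sum(col) / len(points) for col in zip(*points)]


def distance(a: Sequence[float], b: Sequence[float]) -> float:
    """Euclidean distance in R^256 (assumption, see module docstring)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def sort_worm_flows(suspicious: List[bytes]) -> List[bytes]:
    """Agglomerative clustering; returns the payloads of the largest cluster.

    Stops once the number of clusters is less than half the original number,
    as the slide states; with a single flow nothing is merged.
    """
    if not suspicious:
        return []
    points = [byte_histogram(p) for p in suspicious]
    clusters: List[List[int]] = [[i] for i in range(len(points))]
    half = len(clusters) / 2
    while len(clusters) >= half and len(clusters) > 1:
        centroids = [centroid([points[k] for k in c]) for c in clusters]
        best = None  # (distance, i, j) of the closest pair of clusters
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                d = distance(centroids[i], centroids[j])
                if best is None or d < best[0]:
                    best = (d, i, j)
        _, i, j = best
        clusters[i].extend(clusters[j])
        del clusters[j]
    largest = max(clusters, key=len)
    return [suspicious[k] for k in sorted(largest)]


# Constructed suspicious flows (not captured data): six near-identical
# worm-like payloads plus two unrelated flows flagged by mistake.
WORM_LIKE = [b"Subject: hi\r\nWORMPAYLOAD-AAAA" + bytes([0x30 + i]) for i in range(6)]
FALSE_ALARMS = [b"GET /index.html HTTP/1.1\r\nHost: example", bytes(range(16)) * 2]
SUSPICIOUS = FALSE_ALARMS[:1] + WORM_LIKE[:3] + FALSE_ALARMS[1:] + WORM_LIKE[3:]

if __name__ == "__main__":
    for flow in sort_worm_flows(SUSPICIOUS):
        print(flow)
```

Byte histograms deliberately ignore byte order, so two flows that carry the same worm body with reordered or slightly mutated sections still land close together; that is what lets the step tolerate the variation that a plain hash comparison (Related Work 2) cannot.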
Signature Generation Procedures 2: Generating the worm signature
Sorted worm flows (example):
stbrDxt9eDxfdfeasdfrkXsadfbrk0
fdfeassfbrk0tbrDxdfr8gdfkXsadf
stbrDxdfrteDxfdfeasdbrk0fkXsad
Extract the common tokens with minimum length LMIN (= 4 bytes): tbrDx, fdfeas, kXsad, brk0
Check the database of normal flows for any normal tokens among them: tbrDx occurs in the normal flow AAAAAALkkmfn57tbrDx8A
Exclude the normal tokens and generate the signature (C): fdfeas, kXsad, brk0
Database of normal flows (example):
XAAAAxmrRstkdladfAAAA
RadfAAAAAAAAAAdfkapjdn
AAAAAALkkmfn57tbrDx8A
fkapjAAALkkmfnddfwe8AAA
How to judge the legitimacy of a flow?
[Figure: the signature tokens fdfeas, kXsad, brk0 (C) are matched against two test flows. Test Flow 1, XAAAAkXsadstkdladfAAAA, contains only kXsad and is judged Normal; Test Flow 2, RAbrk0AAAAfdfeasAkapjdn, contains brk0 and fdfeas and is judged Worm]
Attack Tolerance Level (ATL): the minimum number of signature tokens that must appear in a flow to raise an alarm. It depends on the alert level of the network and is fixed by the system administrator.
Example: total number of signature tokens = 20, ATL = 10 (50%). kXsad is the 7th token to appear; fdfeas is the 10th token to appear, so the alarm fires when it appears.
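The signature generation of procedure 2 and the ATL judgement above, carried through on the strings shown on the slides, as an added Python example (not the authors' code). It reproduces the slide's result: the common tokens tbrDx, fdfeas, kXsad, brk0, then the signature fdfeas, kXsad, brk0 once tbrDx is dropped because it occurs in the normal-flow database. Two details are assumptions: a signature token is a maximal substring of at least LMIN bytes common to every sorted worm flow, and a token's "order of appearance" is the position of its first occurrence in the flow. The ATL of 2 used for the two test flows is likewise assumed; the slide only gives the verdicts.

```python
"""Signature generation (metropolitan manager, step 2) and flow judgement by
Attack Tolerance Level, worked on the strings shown on the slides.

Added example, not the authors' code.  Assumptions: a signature token is a
maximal substring of at least LMIN bytes common to all sorted worm flows, and
"order of appearance" means the position of a token's first occurrence.
"""
from typing import List, Tuple

# Strings taken from the slides: worm flows after sorting, and the database of
# normal flows.
WORM_FLOWS = [
    b"stbrDxt9eDxfdfeasdfrkXsadfbrk0",
    b"fdfeassfbrk0tbrDxdfr8gdfkXsadf",
    b"stbrDxdfrteDxfdfeasdbrk0fkXsad",
]
NORMAL_DB = [
    b"XAAAAxmrRstkdladfAAAA",
    b"RadfAAAAAAAAAAdfkapjdn",
    b"AAAAAALkkmfn57tbrDx8A",
    b"fkapjAAALkkmfnddfwe8AAA",
]


def common_tokens(flows: List[bytes], lmin: int) -> List[bytes]:
    """Maximal substrings of length >= LMIN shared by all flows.

    Candidates are enumerated from the shortest flow, longest first, so any
    shorter substring of an already accepted token is skipped as non-maximal.
    The result is ordered by first occurrence in that reference flow.
    """
    if not flows:
        return []
    ref = min(flows, key=len)
    found: List[bytes] = []
    for length in range(len(ref), lmin - 1, -1):
        for start in range(len(ref) - length + 1):
            cand = ref[start:start + length]
            if any(cand in t for t in found):
                continue  # covered by a longer common token
            if all(cand in f for f in flows):
                found.append(cand)
    return sorted(found, key=ref.find)


def exclude_normal(tokens: List[bytes], normal_db: List[bytes]) -> List[bytes]:
    """Drop tokens that occur anywhere in the database of normal flows."""
    return [t for t in tokens if not any(t in n for n in normal_db)]


def generate_signature(worm_flows: List[bytes], normal_db: List[bytes],
                       lmin: int) -> List[bytes]:
    """Step 2 of the metropolitan manager: common tokens minus normal tokens."""
    return exclude_normal(common_tokens(worm_flows, lmin), normal_db)


def judge_flow(flow: bytes, signature: List[bytes],
               atl: int) -> Tuple[str, List[bytes]]:
    """Return ("worm" | "normal", signature tokens in order of appearance).

    The alarm is raised once ATL distinct signature tokens have appeared in
    the flow; with ATL = 10 of 20 tokens, the 10th token to appear fires it.
    """
    hits = sorted((flow.find(t), t) for t in signature if t in flow)
    order = [t for _, t in hits]
    return ("worm" if len(order) >= atl else "normal", order)


if __name__ == "__main__":
    sig = generate_signature(WORM_FLOWS, NORMAL_DB, lmin=4)
    print("signature:", sig)
    # The two test flows from the slide; ATL = 2 of the 3 tokens (assumed).
    for test in (b"XAAAAkXsadstkdladfAAAA", b"RAbrk0AAAAfdfeasAkapjdn"):
        print(test, "->", judge_flow(test, sig, atl=2))
```

The normal-token exclusion is what keeps LMIN small without flooding the signature with protocol boilerplate: a short token such as tbrDx is common to all worm samples but also to benign traffic, and matching on it alone would produce exactly the false positives that the metropolitan-manager evaluation attributes to "significantly short tokens and low ATL".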
Performance Evaluation
Two quantifying parameters:
- True positives: number of successful detections of worms
- False positives: number of wrong alerts
Two major experimental set-ups:
- Performance of the Anomaly Detection Unit at Local Security Managers: accuracy in detecting suspicious traffic
- Performance of Metropolitan Managers: efficiency of the signature generation procedure
Performance @ Local Security Managers
Experimental set-up: offline real network traffic of 3028 normal flows and 26 Beagle worm flows; tokens caching time = 60 minutes (can be set to lower values for fast-spreading worms such as Slammer)
Adjustable parameters: repetitive occurrence threshold (∆TH); length of sample tokens (LS); number of tokens per flow (NS)
Aim: To find the best trade-off between true positives and false positives, i.e. maximize true positives while minimizing false positives
Reducing False Positives
Large values of ∆TH and LS give small false positives
[Figure: two panels plotting the number of true positives and the number of false positives against the number of sample tokens per flow (5, 10, 15, 20); left panel ∆TH = 4, LS = 10; right panel ∆TH = 6, LS = 30]
Increasing True Positives
Large values of NS give high true positives
[Figure: two panels plotting the number of true positives and the number of false positives against the threshold ∆TH (2, 4, 6, 8); left panel NS = 5, LS = 30; right panel NS = 15, LS = 30]
Overall Performance of Local Security Managers
A large number of worms were successfully detected at local managers with minimal false positives when:
- token length LS ≥ 30 bytes
- number of tokens per flow NS ≥ 15
- repetitive occurrence threshold ∆TH ≥ 6
Performance @ Metropolitan Managers
Experimental set-up: 21 suspicious flows from 4 local managers; the entire network traffic consists of 44,922 normal flows and 271 Beagle flows
Adjustable parameters: minimum length of tokens (LMIN); Attack Tolerance Level (ATL)
Envisioned scenarios:
- ATL = one token: fire an alert on flows that contain at least one token of the generated signature
- ATL = half the generated tokens: fire an alert on flows that contain at least half of the generated tokens
Detection Accuracy @ Metropolitan Managers
Scenario 1: ATL = a single token. Scenario 2: ATL = half the generated tokens.
[Figure: one panel per scenario plotting the number of true positives (250 to 270) and the number of false positives (0 to 40) against the minimum length of signature tokens LMIN in bytes (5 to 200); the annotated region of high false positives corresponds to significantly short tokens combined with a low ATL]
A compromise between LMIN and ATL gives low false positives and high detection accuracy
Result: a 100% detection rate with less than 0.01% false positives
Expectations @ the Global Manager
During a global propagation of a worm, the global manager is likely to receive similar alerts and signatures from different metropolitan managers. Expected benefits:
- Generation of a highly accurate signature
- Relief of the Anomaly Detection Units at local managers, since detection moves to the Signature Update Unit
- Mitigation of detection errors that may occur at local managers
Multi-level Security & Overhead Model for Parameter Selection
System parameters:
- Token length LS
- Number of tokens per flow NS
- Repetitive occurrence threshold ∆TH
- Minimum length of tokens LMIN
- Tokens caching time ӨT
- Attack tolerance level (ATL)
System performance:
- Detection accuracy: false and true positives, signature generation time
- System resources: required memory, processing load
Philosophy behind parameter selection: the attack aggressiveness level determines the optimum level of performance, which in turn determines the best range of parameters
Multi-level Security & Overhead Model for Parameter Selection
Worm Advisory System levels: Low, Guarded, Elevated, High, Severe
Security/Overhead Policy Control (flowchart):
- The alert level received from the above-hierarchy manager drives the Security Level Adjustment, which yields security level Si
- An Overhead Check yields overhead level Oi
- Parameter Selection picks parameters for Si and checks whether they stay within overhead level Oi; if yes, the parameters are deployed
- On failure, a Security Relaxation Request is issued; if relaxation is not possible, a Policy Relaxation Request is issued
Concluding Remarks
We proposed a cooperative strategy for early detection of Internet worms over large scale networks:
- Local Security Managers search for suspicious flows in local networks
- Metropolitan Security Managers generate worm signatures and take adequate measures
- The Global Security Manager relays signatures to stop further propagation of worms
The effectiveness of the system is confirmed for two email worms, namely Beagle and NetSky
Thank You!
Q & A