UCCS CS 622 - “On Scalable Attack Detection in the Network”
“On Scalable Attack Detection in the Network”
Ramana Rao Kompella, Sumeet Singh, and George Varghese
Presented by Nadine Sundquist, November 7, 2007, CS-622

Outline (24 slides):
1. Title
2. Roadmap (repeated before each section as slides 3, 6, 9, 11, 14 and 17)
4. Why do we need scalable attack detection?
5. Why Use Aggregation?
7. Problems of Aggregation
8. Problems of Aggregation (cont.)
10. Kinds of Attacks
12. Partial Completion Filters (PCFs)
13. Partial Completion Filters (PCFs) (cont.)
15. How do we use PCFs?
16. Where do I deploy PCFs?
18. Experiment Setup
19. How do we take into account bias?
20. Results
21. Scanning Detection
22. Conclusions
23. Further Research/Work
24. References

Slide 2: Roadmap
• Why do we need scalable attack detection?
• What are the difficulties in implementing scalable attack detection?
• What kinds of attacks can be detected?
• What are Partial Completion Filters (PCFs)?
• How do we use Partial Completion Filters?
• What are the experimental results?

Slide 4: Why do we need scalable attack detection?
• Scalable: able to detect network behavior at multi-gigabit speeds (at least 1 Gb/s).
• Detect behavior over a set of packets at network vantage points such as routers.
• Proposed solution: aggregation (combining multiple connections) for attack detection.

Slide 5: Why Use Aggregation?
• Combining several lines into one is more efficient for forwarding.
• A router can have millions of flows/connections but not enough high-speed memory (on-chip and off-chip SRAM or cache) to track each one.
• Other services use forms of aggregation for faster processing.
  – Example: Internet lookup routers store 150 000 prefixes for the entire Internet to process requests faster.

Slide 7: Problems of Aggregation
Behavioral aliasing: good behaviors aggregate to look like bad behaviors.
False positive: the server thinks a resource is under attack when traffic is in a normal state.
[Figure: two computers, 192.168.1.1 and 128.1.1.7, look like one computer due to aggregation.]

Slide 8: Problems of Aggregation (cont.)
Spoofing: the attacker avoids detection by appearing benign.
Our focus is TCP (Transmission Control Protocol) SYN flooding, also known as partial completion attacks: connections opened but not closed.
SYN – connection request and connection opened.
FIN – connection finished/closed.
[Figure: the attacker sends SYN 128.1.1.7:80 repeatedly to the victim while only some connections are closed with FIN 128.1.1.7:80; the firewall, proxy or victim server does the detection of SYN flooding.]

Slide 10: Kinds of Attacks
• Partial completion attacks
• Attacks that do scanning
• Bandwidth attacks
• Commonality: bandwidth tied up or resources tied up

Slide 12: Partial Completion Filters (PCFs)
• New data structure.
• Can detect scanning attacks and partial completion attacks with small traffic volume.
• Can detect victims reacting to an attack.
• Only useful for TCP.
• Only have a local geographical scope.

Slide 13: Partial Completion Filters (PCFs) (cont.)
[Figure, courtesy of Minsoo Choi, University of Southern California: packets SYN 192.168.1.1:20, FIN 192.168.1.1:20, and three SYN 10.1.1.5:24 with no matching FIN are fed into the filter.]
If N packets are delivered, the counter stays within a √N standard deviation; if the traffic is noise, 3√N standard deviations.
5000 hash functions were used in the experiments (requires 480 Kbits of memory).

Slide 15: How do we use PCFs?
• Partial completion attacks: PCF(SYN, FIN, <Destination IP: Destination Port>)
• TCP scanning detection: PCF(SYN, FIN, <Source IP>)

Slide 16: Where do I deploy PCFs?
• Near sources -> look at source IP.
  – Recognizes scanning.
  – Recognizes too many SYN packets without FINs.
• Incoming/outgoing edge of network -> look at destination IP.
  – Recognizes attack.
• Outgoing edge of network -> look at source IP.
  – Recognizes false FIN without FIN-ACK.

Slide 18: Experiment Setup
[Figure: two real traffic flows from one day, captured between ISP A, ISP B and the Internet in directions Dir 0 and Dir 1, on an OC-48 link (2488.32 Mbits/second). Dir = direction; ISP = Internet Service Provider.]

Slide 19: How do we take into account bias?
[Figure: histogram of the SYN/FIN difference in the experiment, ranging from -150 to 150.]

Slide 20: Results
• 5 million destinations (about 30 million ports) and 2 million sources (about 30 million ports).
• 517 attack flows.
• 6 false positives -> too many SYNs.
• 0 false negatives -> too many FINs.
• Could measure the time length of the attacks.

Slide 21: Scanning Detection
• SYNs without FINs could mean
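The two PCF keyings from the slides, PCF(SYN, FIN, <Destination IP: Destination Port>) for partial completion attacks and PCF(SYN, FIN, <Source IP>) for scanning, as an added example that is not the paper's or the presenter's code: a small multi-stage filter where a SYN increments and a FIN decrements each stage's hashed counter, and a key is reported only when every stage's counter exceeds 3√N for its bucket. The per-stage SHA-256 hashing, the 3√N threshold rule and the packet trace are my own assumptions and constructions.

```python
import hashlib
class PartialCompletionFilter:
    """Multi-stage PCF: per hashed bucket a SYN adds 1 and a FIN subtracts 1."""
    def __init__(self, stages=3, buckets=256, sigma=3.0):
        self.stages, self.buckets, self.sigma = stages, buckets, sigma
        self.diff = [[0] * buckets for _ in range(stages)]  # SYN - FIN per bucket
        self.seen = [[0] * buckets for _ in range(stages)]  # packets per bucket (N)

    def _index(self, stage, key):
        digest = hashlib.sha256(f"{stage}|{key}".encode()).digest()  # salted per stage
        return int.from_bytes(digest[:4], "big") % self.buckets

    def update(self, key, flag):
        if flag not in ("SYN", "FIN"):
            return                      # other TCP flags do not touch the filter
        delta = 1 if flag == "SYN" else -1
        for s in range(self.stages):
            i = self._index(s, key)
            self.diff[s][i] += delta
            self.seen[s][i] += 1

    def suspicious(self, key):
        # Balanced benign traffic is a random walk staying within ~sqrt(N) of 0; a
        # counter above sigma*sqrt(N) in EVERY stage is treated as an attack (assumed rule).
        for s in range(self.stages):
            i = self._index(s, key)
            if self.diff[s][i] <= self.sigma * self.seen[s][i] ** 0.5:
                return False
        return True

def constructed_trace():
    """Constructed sample (src, dst:port, flag) packets, not real traffic."""
    pkts = []
    for c in range(40):                 # 40 benign clients open and close
        pkts += [(f"10.0.0.{c}", "198.51.100.10:80", f) for f in ("SYN", "FIN")]
    for c in range(60):                 # SYN flood on one victim port, no FINs
        pkts.append((f"203.0.113.{c % 20}", "198.51.100.10:443", "SYN"))
    for p in range(40):                 # one host half-opens 40 destinations
        pkts.append(("192.0.2.7", f"198.51.100.{20 + p}:22", "SYN"))
    return pkts

def detect(pkts):
    by_dst = PartialCompletionFilter()  # PCF(SYN, FIN, <dst IP : dst port>)
    by_src = PartialCompletionFilter()  # PCF(SYN, FIN, <src IP>)
    for src, dst, flag in pkts:
        by_dst.update(dst, flag)
        by_src.update(src, flag)
    victims = sorted({d for _, d, _ in pkts if by_dst.suspicious(d)})
    scanners = sorted({s for s, _, _ in pkts if by_src.suspicious(s)})
    return victims, scanners
```

Running `detect(constructed_trace())` reports the flooded port as a victim and the half-opening host as a scanner, while the 40 clients whose SYN/FIN pairs cancel stay below the threshold.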