Estimating Persistent Spread in High-speed Networks Qingjun Xiao, Yan Qiao, Zhen Mo, Shigang Chen
Slide 1: Estimating Persistent Spread in High-speed Networks
Qingjun Xiao, Yan Qiao, Zhen Mo, Shigang Chen. Southeast University of China; University of Florida.

Slide 2: Motivation for Persistent Stealthy Spreaders
Imagine a scenario: a farm of servers is located in an intranet. The intranet is protected by a gateway router, which inspects the traffic flows passing through it.

Slide 3: Motivation for Persistent Stealthy Spreaders (cont.)
Various malicious attacks may come from the Internet, for example network/port scanning and distributed denial-of-service (DDoS) attacks.
Slide 4: Traditional Defense Technique Deployed at the Gateway Router
Flow-based traffic monitoring.
For DDoS: monitor per-destination flows, where a flow is the stream of packets sent to a common destination IP.
For network scanners: monitor per-source flows, where a flow is the stream of packets sent from a common source IP.
[Figure: a per-destination flow and a per-source flow passing through the gateway between sources and destinations.]

Slide 5: Traditional Defense Technique: Super-spreader Detection
The spread of a flow is the number of distinct elements in it.
The spread of a per-destination flow is the number of distinct source addresses.
The spread of a per-source flow is the number of distinct destination addresses.
[Figure: per-destination and per-source flows at the gateway.]

Slide 6: Traditional Defense Technique: Super-spreader Detection (cont.)
A super-spreader detector locates the elephant flows whose spread exceeds a predefined threshold [ref1, ref2].
Slide 7: Why New Techniques?
The super-spreader detector may fail to discover malicious activities.
Example: stealthy degrade-of-quality attack. The attacker reduces the number of attacking machines to the scale of the number of legitimate users, so it becomes difficult to distinguish "too many users" from "under attack".

Slide 8: Why New Techniques? (cont.)
Another example: stealthy network scan. The attacker reduces the probing rate to avoid detection.
[Figure: the gateway, sources and destinations in periods 1, 2 and 3.]
The attacker probes the intranet at a low rate and scans different network sections in different time periods, or uses a botnet to perform a coordinated scan.

Slide 9: A Useful Traffic Feature to Detect Stealthy Attacks
The traffic of stealthy attackers persists for a much longer time than that of legitimate users.
Case 1: stealthy degrade-of-quality attacks. Legitimate users, when contacting web servers, typically stay for less than 20 minutes. In contrast, attackers send requests persistently to the web servers to degrade their performance.
Case 2: stealthy network scans. Attackers scan the protected network for a long duration in order to find vulnerabilities, and for efficiency they avoid overlap between the network sections scanned in different periods.
Slide 10: An Intuitive Explanation of Persistent Spread
[Figure: elements e_1 to e_6 observed over periods 1, 2 and 3, divided into persistent elements (present in every period) and transient elements.]
Persistent spread is the number of persistent elements, e.g., |{e_1, e_4, e_6}| = 3.

Slide 11: Problem Definition: Persistent Spread Estimation
Notations: let t be the number of measurement periods. For a flow of interest, let S_i be the set of elements observed in the i-th period, 1 ≤ i ≤ t.
Problem: estimate the cardinality of the intersection of the t sets S_1, S_2, ..., S_t, i.e., of S* = S_1 ∩ S_2 ∩ ... ∩ S_t.
Slide 12: Challenges
Constraint on memory usage: a good estimator design must use the on-chip SRAM of the NIC to support a high packet processing speed. It must use only a small portion of the on-chip SRAM (e.g., 1 Mb), since the on-chip SRAM is shared by many other functions (routing, security, ...).
[Figure: router architecture. Data plane: line card or NIC (network interface card) with on-chip SRAM, bus, switch fabric. Control plane: main memory and CPU.]

Slide 13: Challenges (cont.)
Fast online operation (encoding) to keep up with line speed.
Scalability: simultaneously measuring a large number of flows.
Wide operating range, to effectively measure elephant flows.
Slide 14: Baseline Solution: Hash Table with Partial Signatures
In the i-th period, set S_i is recorded as a hash table A_i maintained in on-chip SRAM. A_i is an array of hash buckets indexed by h(element); each bucket holds an 8-bit partial signature plus a 32-bit pointer.
At the end of the i-th period, download A_i to main memory for post-processing.
Output: the intersection A_1 ∩ A_2 ∩ ... ∩ A_t.

Slide 15: Baseline Solution: Hash Table with Partial Signatures (cont.)
Since S_i is stored uncompressed, it has a high memory cost of 40 bits per element (8-bit partial signature + 32-bit pointer).

Slide 16: Another Solution: Flajolet-Martin (FM) Sketches
Set S_i is compressed and stored as a continuous variant of FM sketches [ref 5]: an array of buckets Y, where h(element) selects a bucket and each bucket holds a float number (e.g., 0.3) drawn from an exponential distribution whose parameter depends on the number of elements.
But it is inaccurate, because it estimates |S_1 ∩ S_2 ∩ ... ∩ S_t| through the ratio |S_1 ∩ S_2 ∩ ... ∩ S_t| / |S_1 ∪ S_2 ∪ ... ∪ S_t|. When the number of periods t grows, this ratio shrinks and becomes harder to estimate accurately.
Slide 17: 3rd Solution based on Union of Bitmaps
In the i-th period, set S_i is stored as a bitmap B in on-chip SRAM: for each element, B[h(element)] := 1.
When the i-th period ends, download B_i to main memory.
In main memory there are then t bitmaps B_1, B_2, ..., B_t, which correspond to the sets S_1, S_2, ..., S_t of the t periods.

Slide 18: 3rd Solution based on Union of Bitmaps (cont.)
The inclusion-exclusion rule converts the intersection cardinality into a weighted sum of union cardinalities.
A union cardinality |S_1 ∪ S_2 ∪ ... ∪ S_t| can be estimated from the bitwise OR B_1 ∨ B_2 ∨ ... ∨ B_t.
However, when the number of periods t grows, B_1 ∨ B_2 ∨ ... ∨ B_t becomes too dense.

Slide 19: Our Solution based on Intersection of Bitmaps
Our solution: use the intersection bitmap B_1 ∧ B_2 ∧ ... ∧ B_t.
Intuition: a persistent element sets the same bit in B_1, B_2, ..., B_t to one, which distinguishes it from transient elements.
[Figure: bitmaps B_1, B_2, B_3 with one persistent element and two transient elements.]

Slide 20: Our Solution based on Intersection of Bitmaps (cont.)
Notations: Z_i is the fraction of bits in B_i that are zeros; Z* is the fraction of zero bits in the bit array B* = B_1 ∧ B_2 ∧ ... ∧ B_t; n* is the number of persistent elements to be estimated.
When t = 2, we give a closed-form estimator.
When t = 3, we give a closed-form estimator.

Slide 21: Our Solution based on Intersection of Bitmaps (cont.)
When t > 3, we propose a numerical method in which the estimate of n* is calculated iteratively by the following procedure.
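To make the two bitmap approaches of slides 17 to 20 concrete, here is an added Python simulation (not code from the talk or its authors): it encodes two periods of a constructed flow into bitmaps, estimates the persistent spread both with the union/inclusion-exclusion approach and with the intersection bitmap B_1 ∧ B_2, and compares both against the true value. The bitmap size M_BITS, the element names and the closed form used for t = 2 (derived below under a uniform-hashing assumption, since the slide's own formula is not in the transcription) are assumptions of this example.

```python
import hashlib
import math
from typing import Dict, Iterable, List, Sequence

# Bitmap size for this added example (an assumption, not a value from the slides).
M_BITS = 1 << 16


def bit_index(element: str, m: int = M_BITS) -> int:
    """Hash h(element) into [0, m). The same function is used in every period,
    so a persistent element sets the same bit in B_1, B_2, ..., B_t."""
    digest = hashlib.sha256(element.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % m


def encode_period(elements: Iterable[str], m: int = M_BITS) -> List[bool]:
    """Online operation for one period: B[h(element)] := 1 for every element seen.
    A list of bools stands in for the on-chip SRAM bit array."""
    bitmap = [False] * m
    for element in elements:
        bitmap[bit_index(element, m)] = True
    return bitmap


def zero_fraction(bitmap: Sequence[bool]) -> float:
    """Z: the fraction of bits in the bitmap that are still zero."""
    return bitmap.count(False) / len(bitmap)


def bitmap_cardinality(bitmap: Sequence[bool]) -> float:
    """Standard bitmap estimator n_hat = -m ln Z for the number of distinct elements."""
    z = zero_fraction(bitmap)
    if z <= 0.0:
        return math.inf  # bitmap saturated: too small for this flow
    return -len(bitmap) * math.log(z)


def bitwise_and(a: Sequence[bool], b: Sequence[bool]) -> List[bool]:
    return [x and y for x, y in zip(a, b)]


def bitwise_or(a: Sequence[bool], b: Sequence[bool]) -> List[bool]:
    return [x or y for x, y in zip(a, b)]


def union_based_estimate(b1: Sequence[bool], b2: Sequence[bool]) -> float:
    """Union-of-bitmaps approach (slide 18) for t = 2: inclusion-exclusion
    |S1 ∩ S2| = |S1| + |S2| - |S1 ∪ S2|, with |S1 ∪ S2| estimated from B1 ∨ B2."""
    return (bitmap_cardinality(b1) + bitmap_cardinality(b2)
            - bitmap_cardinality(bitwise_or(b1, b2)))


def intersection_based_estimate(b1: Sequence[bool], b2: Sequence[bool]) -> float:
    """Intersection-of-bitmaps approach (slides 19-20) for t = 2, using B* = B1 ∧ B2.

    A bit of B* is zero iff it is zero in B1 or in B2. Under uniform hashing with
    q = 1 - 1/m: P(zero in B1) ~ q^n1, P(zero in B2) ~ q^n2 and
    P(zero in both) ~ q^(n1 + n2 - n*), so
        Z* = Z1 + Z2 - Z1 * Z2 / q^n*,
    which solves to n* ~ m ln((Z1 + Z2 - Z*) / (Z1 * Z2)).
    This derivation is an assumption of the example; the slide's own closed form
    is not in the transcription and may differ in detail."""
    m = len(b1)
    z1, z2 = zero_fraction(b1), zero_fraction(b2)
    z_star = zero_fraction(bitwise_and(b1, b2))
    numer, denom = z1 + z2 - z_star, z1 * z2
    if denom <= 0.0 or numer <= 0.0:
        return math.inf  # a period bitmap is saturated; no usable estimate
    return max(0.0, m * math.log(numer / denom))


def simulate(n_persistent: int, n_transient: int, m: int = M_BITS) -> Dict[str, float]:
    """Constructed two-period workload: n_persistent sources appear in both periods,
    plus n_transient fresh sources in each period (the noise a stealthy spreader
    hides behind). Returns the true persistent spread and both estimates."""
    persistent = [f"persist-{i}" for i in range(n_persistent)]
    s1 = persistent + [f"p1-transient-{i}" for i in range(n_transient)]
    s2 = persistent + [f"p2-transient-{i}" for i in range(n_transient)]
    b1, b2 = encode_period(s1, m), encode_period(s2, m)
    return {
        "true": float(n_persistent),
        "union": union_based_estimate(b1, b2),
        "intersection": intersection_based_estimate(b1, b2),
    }


def relative_error(estimate: float, truth: float) -> float:
    return abs(estimate - truth) / truth


if __name__ == "__main__":
    # Persistent spread 0..10^4 and SNR down to 0.4 roughly follow slide 29's settings.
    for n_star, noise in [(1000, 3000), (4000, 10000), (2000, 0)]:
        r = simulate(n_star, noise)
        print(f"n*={n_star:5d} noise/period={noise:5d}  union={r['union']:8.1f}  "
              f"intersection={r['intersection']:8.1f}")
```

Both estimators are unbiased in this two-period setting; the slides' point is that the union bitmap saturates as t grows while the intersection bitmap stays sparse, which this example does not show beyond t = 2.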
Slide 22: Next Question: How Big Should the Bitmaps Be?
One size for all: if too big, memory is wasted; if too small, elephant flows are measured inaccurately.
Flow spread distribution: a power-law distribution (a straight line in a log-log plot).
[Figure: number of flows versus flow spread, from CAIDA traces, measurement duration = 1 min.]

Slide 23: Virtual Bitmaps: One Physical Bitmap Shared by All Flows
(Myungkeun Yoon, Tao Li, Shigang Chen, Jih-kwon Peir, Fit a Compact Spread Estimator in Small High-Speed Memory, IEEE/ACM TON, vol. 19, no. 5, 2011.)
Our design: all flows share a single physical bitmap. Each flow constructs a virtual bitmap by drawing bits pseudo-randomly from the shared physical bitmap.
[Figure: the physical bitmap and the virtual bitmap of a flow x.]

Slide 24: Advantages
Compactness: with sharing, elephant flows can borrow space from mice flows.
Scalability: able to estimate many more flows simultaneously.
Simple online operation: for each packet (src, dst), set M[i] := 1, where i = H(H(src) mod m) dst) mod u.

Slide 25: Bias of Virtual Bitmaps
Positive bias due to bit sharing: two virtual bitmaps may share the same bits. For one flow, the elements coming from other flows are called noise, and noise causes a positive estimation bias.
[Figure: a physical bitmap with virtual bitmap 1 and virtual bitmap 2 sharing a bit.]
(Myungkeun Yoon, Tao Li, Shigang Chen, Jih-kwon Peir, Fit a Compact Spread Estimator in Small High-Speed Memory, IEEE/ACM TON, vol. 19, no. 5, 2011.)
Slide 26: Consider Multiple Monitoring Periods
[Figure: physical bitmap in period 1 with virtual bitmaps 1 and 2; physical bitmap in period 2 with virtual bitmaps 1 and 2.]

Slide 27: Consider Multiple Monitoring Periods (cont.)
[Figure: the same bitmaps, highlighting the intersection of the virtual bitmaps of flow 1 in time periods 1, 2, ..., t.]

Slide 28: Compensate Positive Bias for Virtual Bitmaps in Multiple Periods
Use t = 2 as an example; the equations for t = 3, 4, ... can be derived similarly.
(a) Estimate the number of persistent elements that have been mapped to the virtual bit vector.
(b) Estimate the number of persistent elements of all flows in the physical bitmap.
(c) Estimate the number of persistent elements that belong to the flow of interest (noise removal).
Slide 29: Simulation Settings
Persistent spread is in the range 0 to 10^4.
Signal-to-noise ratio (SNR) ranges from 1 to 0.4, where SNR = |S_1 ∩ S_2 ∩ ... ∩ S_t| / |S_i − (S_1 ∩ S_2 ∩ ... ∩ S_t)|.
FM sketches and our solution use less than 1 bit per element.

Slide 30: Simulation Results
Compared methods: the hash table with partial signatures; the FM sketch method, based on |S_1 ∩ S_2 ∩ ... ∩ S_t| / |S_1 ∪ S_2 ∪ ... ∪ S_t|; and our intersection-based virtual bitmap method, based on B_1 ∧ B_2 ∧ ... ∧ B_t.
[Figure: simulation results for the three methods.]

Slide 31: Summary of Contributions
Propose a new primitive for network flow monitoring, named the persistent spread estimator, which can detect stealthy network activities over long periods.
Describe a solution that accurately estimates the persistent spread, with an accuracy that improves as the number of time periods t increases.
Provide extensive analysis of the statistical properties of the proposed methods, including estimator bias and variance.
Present a comparative evaluation of 3 algorithms: hash table with partial signatures, FM sketch, and virtual bitmap.

Slide 32: Thanks! Questions?
Presented by: Yan Qiao, Ph.D., University of Florida.
Failure Diagnosis and Cyber Intrusion Detection in Transmission Protection System Assets Using Synchrophasor Data Anurag Srivastava, Bo Cui, P. Banerjee Washington State University NASPI March 2017 Outline
More informationOpenFlow DDoS Mitigation
OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam Quanza Engineering Introduction Distributed Denial of Service attacks Types of attacks Application layer attacks
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition Network Attacks Denial of service Attacks Introduction: What is DoS? DoS attack is an attempt (malicious or selfish) by an attacker to cause
More informationScalable and Robust DDoS Detection via Universal Monitoring
Scalable and Robust DDoS Detection via Universal Monitoring Vyas Sekar Joint work with: Alan Liu, Vladimir Braverman JHU Hun Namkung, Antonis Manousis, CMU DDoS a&acks are ge-ng worse Increasing in number
More informationOne Memory Access Bloom Filters and Their Generalization
This paper was presented as part of the main technical program at IEEE INFOCOM 211 One Memory Access Bloom Filters and Their Generalization Yan Qiao Tao Li Shigang Chen Department of Computer & Information
More informationAccess Methods. Basic Concepts. Index Evaluation Metrics. search key pointer. record. value. Value
Access Methods This is a modified version of Prof. Hector Garcia Molina s slides. All copy rights belong to the original author. Basic Concepts search key pointer Value record? value Search Key - set of
More informationDNS SECURITY BEST PRACTICES
White Paper DNS SECURITY BEST PRACTICES Highlights Have alternative name server software ready to use Keep your name server software up-to-date Use DNSSEC-compliant and TSIG-compliant name server software
More informationSpoofing Detection in Wireless Networks
RESEARCH ARTICLE OPEN ACCESS Spoofing Detection in Wireless Networks S.Manikandan 1,C.Murugesh 2 1 PG Scholar, Department of CSE, National College of Engineering, India.mkmanikndn86@gmail.com 2 Associate
More informationConfiguring ARP attack protection 1
Contents Configuring ARP attack protection 1 ARP attack protection configuration task list 1 Configuring unresolvable IP attack protection 1 Configuring ARP source suppression 2 Configuring ARP blackhole
More informationMultivariate Correlation Analysis based detection of DOS with Tracebacking
1 Multivariate Correlation Analysis based detection of DOS with Tracebacking Jasheeda P Student Department of CSE Kathir College of Engineering Coimbatore jashi108@gmail.com T.K.P.Rajagopal Associate Professor
More informationTopic: Duplicate Detection and Similarity Computing
Table of Content Topic: Duplicate Detection and Similarity Computing Motivation Shingling for duplicate comparison Minhashing LSH UCSB 290N, 2013 Tao Yang Some of slides are from text book [CMS] and Rajaraman/Ullman
More informationCCNA R&S: Introduction to Networks. Chapter 11: It s a Network
CCNA R&S: Introduction to Networks Chapter 11: It s a Network Frank Schneemann 11.0.1.1 Introduction 11.0.1.2 Activity Did You Notice? Take a look at the two networks in the diagram. Visually compare and
More informationINTRODUCTION...2 SOLUTION DETAILS...3 NOTES...3 HOW IT WORKS...4
TESTING & INTEGRATION GROUP TECHNICAL DOCUMENT DefensePro out of path with Cisco router INTRODUCTION...2 SOLUTION DETAILS...3 NOTES...3 HOW IT WORKS...4 CONFIGURATION... 4 TRAFFIC FLOW... 4 SOFTWARE AND
More informationset active-probe (PfR)
set active-probe (PfR) set active-probe (PfR) To configure a Performance Routing (PfR) active probe with a forced target assignment within a PfR map, use the set active-probe command in PfR map configuration
More informationResearch in the Network Management Laboratory
Research in the Network Management Laboratory Adarsh Sethi Professor Department of Computer & Information Sciences University of Delaware About Myself PhD Indian Institute of Technology (IIT) Kanpur On
More informationProtecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper
Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges
More information