Empirically Based Analysis: The DDoS Case

Similar documents
2013 US State of Cybercrime Survey

ARINC653 AADL Annex Update

Service Level Agreements: An Approach to Software Lifecycle Management. CDR Leonard Gaines Naval Supply Systems Command 29 January 2003

Multi-Modal Communication

DoD Common Access Card Information Brief. Smart Card Project Managers Group

Kathleen Fisher Program Manager, Information Innovation Office

FUDSChem. Brian Jordan With the assistance of Deb Walker. Formerly Used Defense Site Chemistry Database. USACE-Albuquerque District.

4. Lessons Learned in Introducing MBSE: 2009 to 2012

Using Model-Theoretic Invariants for Semantic Integration. Michael Gruninger NIST / Institute for Systems Research University of Maryland

Dana Sinno MIT Lincoln Laboratory 244 Wood Street Lexington, MA phone:

Running CyberCIEGE on Linux without Windows

Data Warehousing. HCAT Program Review Park City, UT July Keith Legg,

Vision Protection Army Technology Objective (ATO) Overview for GVSET VIP Day. Sensors from Laser Weapons Date: 17 Jul 09 UNCLASSIFIED

Components and Considerations in Building an Insider Threat Program

COMPUTATIONAL FLUID DYNAMICS (CFD) ANALYSIS AND DEVELOPMENT OF HALON- REPLACEMENT FIRE EXTINGUISHING SYSTEMS (PHASE II)

MODELING AND SIMULATION OF LIQUID MOLDING PROCESSES. Pavel Simacek Center for Composite Materials University of Delaware

The State of Standardization Efforts to support Data Exchange in the Security Domain

Space and Missile Systems Center

Preventing Insider Sabotage: Lessons Learned From Actual Attacks

Current Threat Environment

Web Site update. 21st HCAT Program Review Toronto, September 26, Keith Legg

Space and Missile Systems Center

A Review of the 2007 Air Force Inaugural Sustainability Report

Washington University

Towards a Formal Pedigree Ontology for Level-One Sensor Fusion

A Distributed Parallel Processing System for Command and Control Imagery

Cyber Threat Prioritization

Concept of Operations Discussion Summary

High-Assurance Security/Safety on HPEC Systems: an Oxymoron?

Information, Decision, & Complex Networks AFOSR/RTC Overview

Exploring the Query Expansion Methods for Concept Based Representation

Topology Control from Bottom to Top

Accuracy of Computed Water Surface Profiles

ENVIRONMENTAL MANAGEMENT SYSTEM WEB SITE (EMSWeb)

COTS Multicore Processors in Avionics Systems: Challenges and Solutions

Setting the Standard for Real-Time Digital Signal Processing Pentek Seminar Series. Digital IF Standardization

BUPT at TREC 2009: Entity Track

Wireless Connectivity of Swarms in Presence of Obstacles

Monte Carlo Techniques for Estimating Power in Aircraft T&E Tests. Todd Remund Dr. William Kitto EDWARDS AFB, CA. July 2011

Distributed Real-Time Embedded Video Processing

Energy Security: A Global Challenge

Technological Advances In Emergency Management

Fall 2014 SEI Research Review Verifying Evolving Software

Architecting for Resiliency Army s Common Operating Environment (COE) SERC

SURVIVABILITY ENHANCED RUN-FLAT

73rd MORSS CD Cover Page UNCLASSIFIED DISCLOSURE FORM CD Presentation

75th Air Base Wing. Effective Data Stewarding Measures in Support of EESOH-MIS

David W. Hyde US Army Engineer Waterways Experiment Station Vicksburg, Mississippi ABSTRACT

73rd MORSS CD Cover Page UNCLASSIFIED DISCLOSURE FORM CD Presentation

ASSESSMENT OF A BAYESIAN MODEL AND TEST VALIDATION METHOD

HEC-FFA Flood Frequency Analysis

Use of the Polarized Radiance Distribution Camera System in the RADYO Program

DEVELOPMENT OF A NOVEL MICROWAVE RADAR SYSTEM USING ANGULAR CORRELATION FOR THE DETECTION OF BURIED OBJECTS IN SANDY SOILS

Using Templates to Support Crisis Action Mission Planning

Corrosion Prevention and Control Database. Bob Barbin 07 February 2011 ASETSDefense 2011

LARGE AREA, REAL TIME INSPECTION OF ROCKET MOTORS USING A NOVEL HANDHELD ULTRASOUND CAMERA

An Update on CORBA Performance for HPEC Algorithms. Bill Beckwith Objective Interface Systems, Inc.

Shallow Ocean Bottom BRDF Prediction, Modeling, and Inversion via Simulation with Surface/Volume Data Derived from X-Ray Tomography

U.S. Army Research, Development and Engineering Command (IDAS) Briefer: Jason Morse ARMED Team Leader Ground System Survivability, TARDEC

WAITING ON MORE THAN 64 HANDLES

C2-Simulation Interoperability in NATO

Introducing I 3 CON. The Information Interpretation and Integration Conference

ICTNET at Web Track 2010 Diversity Task

An Efficient Architecture for Ultra Long FFTs in FPGAs and ASICs

Better Contextual Suggestions in ClueWeb12 Using Domain Knowledge Inferred from The Open Web

Using the SORASCS Prototype Web Portal

Edwards Air Force Base Accelerates Flight Test Data Analysis Using MATLAB and Math Works. John Bourgeois EDWARDS AFB, CA. PRESENTED ON: 10 June 2010

Office of Global Maritime Situational Awareness

ASPECTS OF USE OF CFD FOR UAV CONFIGURATION DESIGN

Data Reorganization Interface

UMass at TREC 2006: Enterprise Track

Enhanced Predictability Through Lagrangian Observations and Analysis

The C2 Workstation and Data Replication over Disadvantaged Tactical Communication Links

CENTER FOR ADVANCED ENERGY SYSTEM Rutgers University. Field Management for Industrial Assessment Centers Appointed By USDOE

SCICEX Data Stewardship: FY2012 Report

Dr. Stuart Dickinson Dr. Donald H. Steinbrecher Naval Undersea Warfare Center, Newport, RI May 10, 2011

CASE STUDY: Using Field Programmable Gate Arrays in a Beowulf Cluster

INTEGRATING LOCAL AND GLOBAL NAVIGATION IN UNMANNED GROUND VEHICLES

US Army Industry Day Conference Boeing SBIR/STTR Program Overview

NEW FINITE ELEMENT / MULTIBODY SYSTEM ALGORITHM FOR MODELING FLEXIBLE TRACKED VEHICLES

SETTING UP AN NTP SERVER AT THE ROYAL OBSERVATORY OF BELGIUM

From Signature-Based Towards Behaviour-Based Anomaly Detection (Extended Abstract)

Basing a Modeling Environment on a General Purpose Theorem Prover

Detection, Classification, & Identification of Objects in Cluttered Images

DoD M&S Project: Standardized Documentation for Verification, Validation, and Accreditation

Parallelization of a Electromagnetic Analysis Tool

QuanTM Architecture for Web Services

Agile Modeling of Component Connections for Simulation and Design of Complex Vehicle Structures

Approaches to Improving Transmon Qubits

Defense Hotline Allegations Concerning Contractor-Invoiced Travel for U.S. Army Corps of Engineers' Contracts W912DY-10-D-0014 and W912DY-10-D-0024

Advanced Numerical Methods for Numerical Weather Prediction

ATCCIS Replication Mechanism (ARM)

AFRL-ML-WP-TM

Use of the Polarized Radiance Distribution Camera System in the RADYO Program

SNUMedinfo at TREC CDS track 2014: Medical case-based retrieval task

Report Documentation Page

Guide to Windows 2000 Kerberos Settings

A Multilevel Secure MapReduce Framework for Cross-Domain Information Sharing in the Cloud

REPORT DOCUMENTATION PAGE

SINOVIA An open approach for heterogeneous ISR systems inter-operability

Transcription:

Empirically Based Analysis: The DDoS Case Jul 22 nd, 2004 CERT Analysis Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 The CERT Analysis Center is part of the Software Engineering Institute. The Software Engineering Institute is sponsored by the U.S. Department of Defense. 2003 by Carnegie Mellon University

Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 22 JUL 2004 2. REPORT TYPE 3. DATES COVERED 00-00-2004 to 00-00-2004 4. TITLE AND SUBTITLE Empirically Based Analysis: The DDoS Case 5a. CONTRACT NUMBER 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Carnegie Mellon University,Software Engineering Institute,Pittsburgh,PA,15213 8. PERFORMING ORGANIZATION REPORT NUMBER 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR S ACRONYM(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES presented at FloCon 2004, Crystal City, VA, July 2004. 14. ABSTRACT 11. SPONSOR/MONITOR S REPORT NUMBER(S) 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT a. REPORT unclassified b. ABSTRACT unclassified c. THIS PAGE unclassified Same as Report (SAR) 18. NUMBER OF PAGES 13 19a. NAME OF RESPONSIBLE PERSON Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18

Introduction Access to the dataset gives us a large enough record of traffic to test hypotheses in network security. Given this, we select and evaluate various security measures against real traffic Or a reasonable facsimile thereof One example: target resident DDoS Filters Heavily constrain the problem not considering SYN floods, smurfing, reflection attacks

Attacks like this Traffic(Packets) Time(s)

How Do We Test? Any analysis opens a can of worms err, assumptions The network constantly changes What is a representative host? Rerunning attacks is of debatable value Most of the legitimate traffic is dropped, that s what a DoS is for We want our results to be representative Test and summarize over multiple machines We want our results to be reproducible Depend heavily on SiLK structures and tools

Evaluation Trained filters on 15 days of legitimate traffic Built a representation of IP address: volume relationship (via rwaddrcount) Then generated a simulated DoS Botnet IPs collected with rwset Normal traffic selected from another day Resulting traffic was then evaluated for failure rates Tested 2 types of filters: Clustering groups of adjacent IP addresses PI path marking approach

DoS Filters

Initial Observations Two groups One group assumes a magic DoS Detection Oracle That s the group with better results In general, the filters don t do well Should we compare IP addresses, or packets? Is traffic different for different servers? Let s look at one result in more depth

One result in more depth

Observations Normal traffic varies extensively Although it seems to vary more with smaller servers And it s better when you look at packet counts Which makes sense, given the absurd number of scanners we see. False negative rate (attackers accepted) seems to be related to server activity the busier the higher. Attackers don t vary as much

Learning Curves 95% threshold

Other Observations In the majority of cases, packets are dropped because they ve never been seen before Short learning curves effectively no change in false positive rate after a week of learning. Especially true for spoofed traffic Entropy is lower than expected Filters that rely on spoof defense (HCF, PI) drop less than 10% of their packets because they detect a spoof

Further Work Exploiting our DoS attack traffic records further We know how the network reacts We know how the attack starts and ends Which impacts learning curve for defenses that only profile the attack Further use of other network maps Skitter (used for PI), &c. Formalization of the techniques used Developed a matrix based approach for the final iteration Tools are going to be available publicly

A Final Note URL for the SiLK tools: http://silktools.sourceforge.net

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback