Network-based Intrusion Detection, Prevention and Forensics System
Yan Chen
Department of Electrical Engineering and Computer Science, Northwestern University
Lab for Internet & Security Technology (LIST)
http://list.cs.northwestern.edu
The Spread of Sapphire/Slammer Worms
Current Intrusion Detection Systems (IDS)
• Mostly host-based and not scalable to high-speed networks
– Slammer worm infected 75,000 machines in <10 mins
– Host-based schemes inefficient and user dependent
» Have to install IDS on all user machines!
• Mostly simple signature-based
– Cannot recognize unknown anomalies/intrusions
– New viruses/worms, polymorphism
Current Intrusion Detection Systems (II)
• Cannot provide quality information for forensics or situational-aware analysis
– Hard to differentiate malicious events from unintentional anomalies
» Anomalies can be caused by network element faults, e.g., router misconfiguration, link failures, etc., or application (such as P2P) misconfiguration
– Cannot tell the situational-aware info: attack scope/target/strategy, attacker (botnet) size, etc.
Network-based Intrusion Detection, Prevention, and Forensics System
• Online traffic recording [SIGCOMM IMC 2004, INFOCOM 2006, ToN to appear]
– Reversible sketch for data streaming computation
– Record millions of flows (GB of traffic) in a few hundred KB
– Small number of memory accesses per packet
– Scalable to large key space sizes (2^32 or 2^64)
• Online sketch-based flow-level anomaly detection [IEEE ICDCS 2006] [IEEE CG&A, Security Visualization 06]
– Adaptively learn the traffic pattern changes
– As a first step, detect TCP SYN flooding, horizontal and vertical scans even when mixed
• Online stealthy spreader (botnet scan) detection [IWQoS 2007]
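To make the sketch idea concrete, here is an added Python example (not the lab's code): a k-ary sketch with a fixed H×W table of counters, keyed by destination IP and fed +1 per SYN and -1 per SYN/ACK, with heavy-change detection between two intervals flagging a SYN flood. It simplifies the slides' approach: the forecast is just the previous interval, the threshold is a fixed constant, and candidate keys are supplied to the detector rather than recovered from the sketch itself as a reversible sketch does; the traffic is constructed.

```python
import hashlib

H, W = 5, 64  # hash rows and buckets per row: fixed memory whatever the key space (2^32 or 2^64)

def _bucket(row, key):
    # One independent hash function per row, derived from SHA-256 for simplicity.
    digest = hashlib.sha256(f"{row}:{key}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % W

class KarySketch:
    """Fixed-size summary of (key, value) updates; values may be negative."""
    def __init__(self):
        self.table = [[0] * W for _ in range(H)]
        self.total = 0

    def update(self, key, value=1):
        self.total += value
        for row in range(H):
            self.table[row][_bucket(row, key)] += value

    def estimate(self, key):
        # Unbiased per-row estimate of the key's aggregate value, median across rows.
        per_row = sorted((self.table[row][_bucket(row, key)] - self.total / W) / (1 - 1 / W)
                         for row in range(H))
        return per_row[H // 2]

def heavy_changes(prev, cur, candidates, threshold):
    """Keys whose estimated aggregate grew by more than threshold between two intervals."""
    return [k for k in candidates if cur.estimate(k) - prev.estimate(k) > threshold]

def build_syn_sketch(packets):
    # Key = destination IP; a SYN counts +1, a SYN/ACK counts -1, so a healthy server nets ~0.
    sk = KarySketch()
    for dst, flag in packets:
        sk.update(dst, 1 if flag == "SYN" else -1)
    return sk

def demo():
    servers = [f"10.0.0.{i}" for i in range(1, 6)]
    # Constructed sample: interval 1 is balanced handshake traffic for every server.
    interval1 = [(s, f) for s in servers for _ in range(20) for f in ("SYN", "SYNACK")]
    # Interval 2 repeats that, plus 200 unanswered SYNs to 10.0.0.5 (a SYN flood).
    interval2 = interval1 + [("10.0.0.5", "SYN")] * 200
    prev, cur = build_syn_sketch(interval1), build_syn_sketch(interval2)
    return heavy_changes(prev, cur, servers, threshold=50)

if __name__ == "__main__":
    print(demo())
```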
Network-based Intrusion Detection, Prevention, and Forensics System (II)
• Polymorphic worm signature generation & detection [IEEE Symposium on Security and Privacy 2006] [IEEE ICNP 2007 to appear]
• Accurate network diagnostics [ACM SIGCOMM 2006] [IEEE INFOCOM 2007]
• Scalable distributed intrusion alert fusion w/ DHT [SIGCOMM Workshop on Large Scale Attack Defense 2006]
• Large-scale botnet and P2P misconfiguration event forensics [work in progress]
System Deployment
• Attached to a router/switch as a black box
• Edge network detection particularly powerful
[Figure: deployment diagrams showing the original configuration, the RAND/HPNAIDM system monitoring each switch port separately via splitters, and the system monitoring aggregated traffic from all ports via a scan port]
Vulnerability Analysis for WiMAX Networks
Yan Chen, Hai Zhou
Dept. of Electrical Engineering and Computer Science, Northwestern University
Z. Judy Fu
Motorola Labs
The Current Threat Landscape and Countermeasures of WiMAX Networks
• WiMAX: the next wireless phenomenon
– Predicted multi-billion dollar industry
• WiMAX faces both Internet attacks and wireless network attacks
– E.g., 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices
• Goal: secure WiMAX networks through intrusion prevention/detection
• Big security risks for WiMAX networks
– No formal analysis of WiMAX security vulnerabilities
Our Approach
• Vulnerability analysis of various layers
– Focus on 802.16e specs (WiMAX standards) and Mobile IPv4/v6 protocols so far
– Intelligent and complete checking through a combination of manual analysis and automated search through formal methods
– First, manual analysis provides hints and the right level of abstraction for the automated search
– Then specify the specs and the potential capabilities of attackers in a formal language, TLA+ (the Temporal Logic of Actions)
– Then model check for any possible attacks
Mobile IPv6 (RFC 3775)
• Provides mobility at the IP layer
• Enables IP-based communication to continue even when the host moves from one network to another
• Host movement is completely transparent to Layer 4 and above
Mobile IPv6 - Entities
• Mobile Node (MN)
– Any IP host which is mobile
• Correspondent Node (CN)
– Any IP host communicating with the MN
• Home Agent (HA)
– A host/router in the home network which:
» Is always aware of MN's current location
» Forwards any packet destined to MN
» Assists MN to optimize its route to CN
Mobile IPv6 - Process
• (Initially) MN is in the home network and connected to CN
• MN moves to a foreign network:
– Registers new address with HA by sending Binding Update (BU) and receiving Binding Ack (BA)
– Performs Return Routability to optimize route to CN by sending HoTI, CoTI and receiving HoT, CoT
– Registers with CN using BU and BA
Mobile IPv6 in Action
[Figure: message flow among Mobile Node, Home Agent and Correspondent Node across the Home Network, Foreign Network and Internet: BU/BA with the HA, HoTI/HoT and CoTI/CoT for Return Routability, then BU/BA with the CN]
Mobile IPv6 Vulnerability
• Nullifies the effect of Return Routability
• BA with status codes 136, 137 and 138 is unprotected
• Man-in-the-middle attack
– Sniffs BU to CN
– Injects BA to MN with one of the status codes above
• MN either retries RR or gives up route optimization and goes through HA
MIPv6 Attack In Action
[Figure: sequence diagram among MN, HA, AT (attacker) and CN: MN starts Return Routability (HoTI, CoTI, HoT, CoT), sends Bind Update to CN (sniffed by AT along the way), AT spoofs a Bind Ack to MN, the Bind Ack is silently discarded, and MN restarts Return Routability]
• Only need a wireless network sniffer and a spoofed wired machine (no MAC needs to be changed!)
• Bind ACK often skipped by CN
MIPv6 Vulnerability - Effects
• Performance degradation by forcing communication through sub-optimal routes
• Possible overloading of HA and home link
• DoS attack, when MN repeatedly tries to complete the return routability procedure
• Attack can be launched against a large number of machines in their foreign networks
– Small overhead for continuously sending spoofed Bind ACKs to different machines
TLA Analysis and Experiments
• With the spec modeled in TLA, the TLC search gives two other similar attacks with the same vulnerability
– Completes the search of vulnerabilities with unprotected messages
• Implemented and tested in our lab
– Using Mobile IPv6 Implementation for Linux (MIPL)
– Tunnel IPv6 through IPv4 with Generic Routing Encapsulation (GRE) by Cisco
– When the attack is in action, MN repeatedly tries to complete the return routability procedure
– DoS attack!
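The slides on the vulnerability, the attack in action and its effects describe an MN that keeps restarting Return Routability on spoofed error BAs; here is an added Python example (not MIPL or the authors' code) of an MN-side monitor that keeps the normal retry behaviour but, after repeated unprotected error BAs from one CN within a short window, raises an alert and falls back to routing via the HA instead of looping. The status code meanings are those of RFC 3775; the thresholds, the log line format and the CN addresses are constructed assumptions.

```python
from collections import deque

# BA status codes that RFC 3775 lets a CN send without binding authorization data;
# these are the unprotected codes the slides show a man-in-the-middle can inject.
UNPROTECTED_BA_STATUS = {136: "expired home nonce index",
                         137: "expired care-of nonce index",
                         138: "expired nonces"}

class RRMonitor:
    """MN-side policy: retry RR on an unprotected error BA, but after max_errors of them
    from one CN inside `window` seconds, stop retrying, go via the HA and raise an alert."""
    def __init__(self, max_errors=3, window=30.0):   # thresholds are assumed values
        self.max_errors, self.window = max_errors, window
        self.errors = {}        # CN address -> timestamps of recent unprotected error BAs
        self.fallback = set()   # CNs for which route optimisation has been abandoned
        self.alerts = []

    def on_binding_ack(self, ts, cn, status):
        if status not in UNPROTECTED_BA_STATUS:
            return None         # accepted or protected BA: no RR restart involved
        recent = self.errors.setdefault(cn, deque())
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()    # forget errors older than the window
        if len(recent) >= self.max_errors and cn not in self.fallback:
            self.fallback.add(cn)
            self.alerts.append(f"{cn}: {len(recent)} unprotected BA errors within {self.window}s "
                               f"(last: {status} {UNPROTECTED_BA_STATUS[status]}); "
                               f"possible spoofed BA, falling back to HA tunnel")
            return "fallback"
        return "retry"

def replay(log_lines, monitor=None):
    """Feed constructed MN-side BA log lines of the form '<ts> BA cn=<addr> status=<code>'."""
    monitor = monitor or RRMonitor()
    decisions = []
    for line in log_lines:
        ts, _, cn_field, status_field = line.split()
        cn, status = cn_field.split("=", 1)[1], int(status_field.split("=", 1)[1])
        decisions.append(monitor.on_binding_ack(float(ts), cn, status))
    return decisions, monitor.alerts

# Constructed sample log: one accepted BA, then a burst of error BAs from the same CN.
SAMPLE_LOG = ["0.0 BA cn=2001:db8:c::1 status=0",
              "1.5 BA cn=2001:db8:c::1 status=136",
              "2.0 BA cn=2001:db8:c::1 status=136",
              "2.6 BA cn=2001:db8:c::1 status=138"]

if __name__ == "__main__":
    decisions, alerts = replay(SAMPLE_LOG)
    print(decisions, alerts)
```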
Extensible Authentication Protocols (EAP)
[Figure: EAP protocol stack. Authentication method layer: EAP-TLS, EAP-TTLS, PEAP, EAP-SIM, EAP-AKA, EAP-FAST. EAP layer: Extensible Authentication Protocol (EAP). Data link layer: EAP over LAN (EAPOL), PPP, 802.16, 802.3 Ethernet, 802.5 Token Ring, 802.11 WLAN, GSM, CDMA]
Extensible Authentication Protocols (EAP)
• EAP is an authentication framework
– Supports about 40 different EAP methods
• Current targets
– EAP-SIM for GSM cellular networks
– EAP-AKA for 3G networks, such as UMTS and CDMA2000
– EAP-FAST (Flexible Authentication via Secure Tunneling)
» Most comprehensive and secure EAP method for WLAN
» Will compare it w/ EAP-SIM and EAP-AKA
Insider Attack Analysis
• Not hard to become a subscriber
• Can five subscribers bring down an entire WiMAX network?
• Check vulnerability after authentication
• Plan to analyze various layers of WiMAX networks
– IEEE 802.16e: MAC layer
– Mobile IPv4/v6: network layer
– EAP layer
802.16e SS Init Flowchart
Work Done
Future work
Outline
• Overview of Network Intrusion Detection, Prevention and Forensics System
• Case Study: Vulnerability analysis of the MIPv6 system
• Student recruiting
Northwestern Lab for Internet and Security Technology (LIST)
• About Northwestern Univ.
– US News and World Report: overall ranking #14, engineering grad school ranking #21
– On Lake Michigan, close to downtown Chicago
• Sponsors for LIST:
– Department of Energy (Early CAREER Award)
– Air Force Office of Scientific Research (Young Investigator Award)
– National Science Foundation
– Microsoft Research
– Motorola Inc.
Recruiting Ph.D. Students
• Bachelor in Computer Science or Computer Engineering
• Research experience a big plus
• TOEFL
• GRE
• Strongly motivated in independent research
• Feel free to talk to me after the talk