Security System for KOREN/APII-Testbed
A Study of TE for KOREN/APII-Testbed
Security System for KOREN/APII-Testbed
Sungkwan Youm
Korea Univ.
Research Goal
Deploy an attack defense system on KOREN to improve its security
Yearly Plan
2003: Security system design and algorithm proposal
  Proposal of a dynamic and adaptive detecting algorithm
  Design of a system that detects and defends against attacks
  Implementation of the signature detector
2004: Implementation of the system and deployment on KOREN
  Implementation of the dynamic detecting component
  Implementation of the agent and manager
System Architecture
[Diagram: within the Agent, Libcap and NetFlow feed the Signature Detector and the Anomaly Detector (elementary classification, adaptive classification), backed by a Security DB, which drive Filtering; the Agent reports to the Manager (Visualization, Flow isolation), protects the Server against attack, and links to other agents.]
Configuration for Security Agent
[Diagram: Agents with Detecting and Filtering functions sit between KOREN, its users, another network and the Protected Server; attack traffic is filtered at the agents.]
Signature Detector
Using Snort
Perform as NIDS
Optimize RuleSet
Deployed in Suwon, Daejeon
[Map: KOREN nodes at Seoul (with a Seoul XP host), Suwon, Daejeon, Daegu, Busan and Kwangju; Snort servers at Suwon and Daejeon.]
Signature Detector Detection Results
Alert List
| Signature | Classification | Total # | Sensor # | Src. Addr. | Dest. Addr. | First | Last |
| [arachNIDS][snort] ICMP PING CyberKit 2.2 Windows | misc-activity | 4690 (15%) | 1 | 299 | 1 | 2003-11-21 20:19:39 | 2003-11-24 19:18:41 |
| [snort] SCAN Squid Proxy attempt | attempted-recon | 12 (0%) | 1 | 2 | 1 | 2003-11-22 08:06:48 | 2003-11-24 03:17:13 |
| [snort] SCAN SOCKS Proxy attempt | attempted-recon | 30 (0%) | 1 | 5 | 1 | 2003-11-22 08:06:48 | 2003-11-24 09:25:26 |
| [snort] SCAN Proxy (8080) attempt | attempted-recon | 12 (0%) | 1 | 2 | 1 | 2003-11-22 08:06:48 | 2003-11-24 03:17:13 |
| [cve][icat][bugtraq][snort] BAD-TRAFFIC IP Proto 103 (PIM) | non-standard-protocol | 25792 (84%) | 1 | 2 | 1 | 2003-11-21 20:18:55 | 2003-11-24 19:18:36 |
| [bugtraq][bugtraq][snort] MS-SQL Worm propagation attempt | misc-attack | 2 (0%) | 1 | 1 | 1 | 2003-11-23 06:19:00 | 2003-11-23 06:19:00 |
| [snort] ICMP superscan echo | attempted-recon | 2 (0%) | 1 | 1 | 1 | 2003-11-23 20:02:04 | 2003-11-23 20:02:04 |
| [arachNIDS][snort] ICMP PING NMAP | attempted-recon | 2 (0%) | 1 | 1 | 1 | 2003-11-23 21:20:50 | 2003-11-23 21:20:50 |
| [cve][icat][cve][icat][cve][icat][snort] SNMP public access udp | attempted-recon | 2 (0%) | 1 | 1 | 1 | 2003-11-24 23:13:27 | 2003-11-24 23:13:27 |
Anomaly Detection Algorithm
Entropy
  Measures the randomness of a packet attribute (e.g. source address)
  Maintains the average of the entropy
  Detects an attack with a threshold setting
Chi-square test
  Measures the distribution of an attribute
  Used for anomaly detection on various packet attributes

$$H = -\sum_{i=1}^{n} p_i \log p_i$$

$$\chi^2 = \sum_{i=1}^{B} \frac{(N_i - n_i)^2}{n_i}$$
Anomaly Detection Mechanism
[Diagram: incoming traffic (attack and normal packets) enters Elementary Classification, which uses a single detecting algorithm (entropy) with low accuracy and emits a suspicious signature; suspicious packets pass to Adaptive Classification, which uses multiple detecting algorithms (chi-square) with high accuracy and emits a malicious signature; the Filtering Manager applies the signatures and outputs secure packets.]
Anomaly Detection Mechanism
Elementary classification
  Applies the suspicious signature with high sensitivity
  Classifies attack packets broadly
  Reduces the network congestion problem
  Uses the entropy calculation with a low threshold value
Adaptive classification
  Applies the malicious signature with high sensitivity
  Reduces the false detection rate
  Uses the chi-square test with a high threshold value
Flowchart of Signature Creation
1. Pick up the next packet's attributes (sa or ma).
2. Calculate the entropy of packet attribute sa and compare it with the average.
3. Exceed threshold? No: update the average value of the entropy and return to step 1. Yes: create a suspicious signature based on packet attribute sa.
4. Does the number of packets that belong to the suspicious signature exceed the upper-bound threshold n? No: calculate the chi-square value of packet attribute ma, update its average and return to step 1. Yes: calculate the chi-square value of packet attribute ma of the suspicious packets.
5. Exceed threshold? No: return to step 1. Yes: create a malicious signature by adding ma to the suspicious signature.
6. Filter based on the signatures.
Anomaly Detection Process
Example of detection process
Entropy (about source address)
| Entropy Average | Current Entropy | Signature |
| 7 (threshold 8) | 8.7 | {Src=201.170.123.6} |
Chi-square (about packet length)
| Chi-square Average | Current Chi-square value | Signature |
| 1200 (threshold 1300) | 2000 | {leng=1-64byte} |
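A worked implementation of the two-stage mechanism described on the algorithm, mechanism and flowchart slides (entropy-based elementary classification that yields a suspicious signature, then a chi-square adaptive classification that yields a malicious signature), added here as an example; it is not code from the presentation or the KOREN project. It assumes a constructed traffic sample, 64-byte packet-length bins, a deviation from the baseline average in either direction as the entropy trigger, +1 smoothing of the expected bin counts, and illustrative thresholds rather than the slide's values.

```python
import math
from collections import Counter

# Constructed sample traffic as (source address, packet length) pairs.
# Baseline: 20 sources sending mid-sized packets. Attack window: the same
# traffic plus a 1000-packet flood of tiny packets from one source.
BASELINE = [(f"10.0.0.{i % 20}", 300 + 40 * (i % 10)) for i in range(200)]
ATTACK = BASELINE + [("201.170.123.6", 40)] * 1000
BINS = [f"{lo}-{lo + 63}byte" for lo in range(1, 1537, 64)]   # 64-byte length bins

def entropy(values):
    """H = -sum_i p_i log2 p_i over the observed values of one packet attribute."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def chi_square(observed, expected):
    """chi^2 = sum_i (N_i - n_i)^2 / n_i; returns the total and the worst bin."""
    contrib = {b: (observed.get(b, 0) - expected[b]) ** 2 / expected[b] for b in expected}
    return sum(contrib.values()), max(contrib, key=contrib.get)

def length_bin(length):
    lo = (min(length, 1536) - 1) // 64 * 64 + 1
    return f"{lo}-{lo + 63}byte"

def length_hist(pkts):
    return Counter(length_bin(length) for _, length in pkts)

def detect(window, baseline=BASELINE, ent_thresh=1.0, chi_thresh=1300, upper_bound=100):
    """Elementary stage: source-address entropy deviating from the baseline average
    by more than ent_thresh yields a suspicious signature. Adaptive stage: once more
    than upper_bound packets match it, a chi-square test of their packet-length
    histogram against the baseline above chi_thresh yields a malicious signature."""
    h_avg = entropy([src for src, _ in baseline])
    h = entropy([src for src, _ in window])
    result = {"entropy": h, "suspicious": None, "chi_square": None, "malicious": None}
    if abs(h - h_avg) <= ent_thresh:
        return result                      # normal: only the running average would be updated
    src, count = Counter(src for src, _ in window).most_common(1)[0]
    result["suspicious"] = {"Src": src}    # signature on the source dominating the window
    if count <= upper_bound:
        return result
    suspicious = [p for p in window if p[0] == src]
    base_hist = length_hist(baseline)
    # expected count per bin, scaled to the suspicious packet count with +1 smoothing
    # so that a bin unseen in the baseline never divides by zero
    expected = {b: (base_hist[b] + 1) / (len(baseline) + len(BINS)) * len(suspicious) for b in BINS}
    x2, worst = chi_square(length_hist(suspicious), expected)
    result["chi_square"] = x2
    if x2 > chi_thresh:
        result["malicious"] = {"Src": src, "leng": worst}
    return result

if __name__ == "__main__":
    print(detect(BASELINE))
    print(detect(ATTACK))
```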
Anomaly Detector Architecture
[Diagram: a Monitoring Tool feeds the Agent; the Anomaly Detection Manager dispatches packet attributes (source address, destination address, source port number, destination port number, protocol) to Detecting Module 1, Detecting Module 2, ..., Detecting Module n, which produce suspicious and malicious signatures for the Filtering Manager.]
Signature Detector Testing (DDoS)
Testing Environment
[Diagram: a DDoS Master sends control messages to the Agents, and the Agents send attack packets to the Target.]
Snort: possible to detect control message (163.180.118.68, Suwon)
Snort: impossible to detect attack packet (203.255.255.94, Daejeon)
Signature Detector Testing (DDoS)
TFN2K ICMP possible communication detection
| ID | Signature | Timestamp | Source Address | Dest. Address | Layer 4 Proto |
| #150-(2-3872) | [snort] tfn2k icmp possible communication | 2003-11-22 14:18:52 | 163.180.118.68 | 163.180.118.98 | ICMP |
| #151-(2-3871) | [snort] tfn2k icmp possible communication | 2003-11-22 14:18:52 | 163.180.118.68 | 163.180.118.98 | ICMP |
| #152-(2-3870) | [snort] tfn2k icmp possible communication | 2003-11-22 14:18:53 | 163.180.118.68 | 163.180.118.98 | ICMP |
| #153-(2-3869) | [snort] tfn2k icmp possible communication | 2003-11-22 14:18:53 | 163.180.118.68 | 163.180.118.98 | ICMP |
DDoS TFN client command BE detection
| ID | Signature | Timestamp | Source Address | Dest. Address | Layer 4 Proto |
| #156-(2-3866) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:56 | 163.180.118.98 | 163.180.118.68 | ICMP |
| #157-(2-3865) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:56 | 163.180.118.98 | 163.180.118.68 | ICMP |
| #158-(2-3864) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:56 | 163.180.118.98 | 163.180.118.68 | ICMP |
| #159-(2-3863) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:57 | 163.180.118.98 | 163.180.118.68 | ICMP |
| #160-(2-3862) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:57 | 163.180.118.98 | 163.180.118.68 | ICMP |
| #161-(2-3863) | [snort] DDOS TFN client command BE | 2003-11-22 14:18:57 | 163.180.118.98 | 163.180.118.68 | ICMP |
Anomaly Detector Algorithm Testing (DDoS)
Testing Environment
[Diagram: a TFN2K DDoS attack and normal traffic from the local network are sent toward the Victim; a monitoring tool (Libcap, NetFlow) records source address, destination address, source port number, destination port number and packet length into an Attribute DB, and the packet and flow attributes are analysed using the detecting algorithm.]
Anomaly Detector Testing (DDoS)
About Packet Attributes
[Plot: Entropy Value for Source IP Address against Packet Number (500)]
[Plot: Chi-Square Value for Packet Length against Packet Number (250)]
Anomaly Detector Testing (DDoS)
In this case, packet length is not a valid attribute.
[Plot: Chi-Square Value for Destination Address against Packet Number (250)]
[Plot: Chi-Square Value for Source Port Number against Packet Number (250)]
Anomaly Detector Testing (DDoS)
About Flow Attributes
[Plot: Chi-Square Value for Flow Length against Flow Number (250)]
[Plot: Entropy Value for Source IP Address (Flow) against Flow Number (250)]
Anomaly Detector Testing (DDoS)
The threshold value needs to be set lower.
[Plot: Chi-Square Value for Destination Address (Flow) against Flow Number (250)]
[Plot: Chi-Square Value for Source Port Number (Flow) against Flow Number (250)]
Conclusion
The Signature Detector detects well-known attacks.
The Anomaly Detector detects DDoS attacks that cannot be detected by the Signature Detector.
The security system will improve KOREN's security.
Future Works
Monitor malicious traffic using signature detector
Design filtering manager
Implement detecting module