Real-Time Visualization of Network Attacks on High-Speed Links Hyogon Kim ( Korea University ) Inhye Kang ( University of Seoul ) Saewoong Bahk ( Seoul National University ) IEEE Network, Sept. 2004 Hargyo T. Nugroho most parts of this presentation are based on slides prepared by: Eric Joonmyung Kang [email_address]

Presentation Outline Introduction Attack Visualization Non-Backbone Environments Automatic Extraction Attack Signatures Implementation Evaluation Related Work Conclusion My thoughts Appendix: RADAR

Introduction

Attack Visualization

Non-Backbone Environments

Automatic Extraction

Attack Signatures

Implementation

Evaluation

Related Work

Conclusion

My thoughts

Appendix: RADAR

Introduction[1] Visualization Deal large noisy data easily Intuitive Come up with new hypotheses higher degree of confidence Faster The Benefits of Visualization Hyunsang Choi , Heejo Lee, CSS 2002 B E C D A

Deal large noisy

data easily

Come up with new hypotheses

Introduction[2] Intuitive visualization of ongoing attacks Network administrator can make good use of, providing quick perceptual clues before other more complicated analyses kick in Numerous types of malicious attacks Denial-of-Service (DoS) or Distributed DoS (DDOS) Worm epidemics ( hostscan, portscan ) Code Red, Nimda, and SQL Slammer Motivation Detecting suspicious network activities and providing early warning to network administrators is an essential yet difficult Goal Devising such a method that simultaneously detects, calibrates, and visualizes multiple ongoing attacks in real-time with great precision

Intuitive visualization of ongoing attacks

Network administrator can make good use of, providing quick perceptual clues before other more complicated analyses kick in

Numerous types of malicious attacks

Denial-of-Service (DoS) or Distributed DoS (DDOS)

Worm epidemics ( hostscan, portscan )

Code Red, Nimda, and SQL Slammer

Motivation

Detecting suspicious network activities and providing early warning to network administrators is an essential yet difficult

Goal

Devising such a method that simultaneously detects, calibrates, and visualizes multiple ongoing attacks in real-time with great precision

Introduction[3] (a) Distributed DoS attack by flooding (b) worm epidemic

Attack Visualization 3 dimension cartesian space Source IP address ( I s ) Destination IP address ( I d ) Destination port number ( P d ) 90Mb/s trans-pacific backbone traffic 2.2 million packets (85-seconds,December 2001) 3d plotting of a trans-pacific traffic The rectangles parallel to Is - Pd plane are source-spoofed DoS attacks The lines parallel to Id is hostscan The lines parallel to Pd is portscan Schematic diagram of attacks

3 dimension cartesian space

Source IP address ( I s )

Destination IP address ( I d )

Destination port number ( P d )

The rectangles parallel to Is - Pd plane are source-spoofed DoS attacks

The lines parallel to Id is hostscan

The lines parallel to Pd is portscan

Non-backbone environments[1] Working best in backbone environment No particular prominent traffics sources and destinations Non-backbone environments Ex) popular web server – like DoS Address validity check schemes Exploiting the global address allocation map Using the local address assignment information Downstream network of the observation point IP address allocation map 2-d projection

Working best in backbone environment

No particular prominent traffics sources and destinations

Non-backbone environments

Ex) popular web server – like DoS

Address validity check schemes

Exploiting the global address allocation map

Using the local address assignment information

Downstream network of the observation point

Automatic Extraction 3-d visualization method Providing network administrators with “eye candy” – intuitively recognizable signs of ongoing attacks Plotting every packet in the 3d space in real time is difficult How to extract only the attack information from the high-speed packet flow in real-time Generating a signature for each incoming packet Signature : < K s , K d , K p > ( binary values ) Whether the coordinate value in the flow was seen “recently” or not RADAR (Real-time Attack Detection And Report) Capturing the “pivoted movement” in one or more of the 3 coordinates Remembering two flows for a finite time duration L

3-d visualization method

Providing network administrators with “eye candy” – intuitively recognizable signs of ongoing attacks

Plotting every packet in the 3d space in real time is difficult

How to extract only the attack information from the high-speed packet flow in real-time

Generating a signature for each incoming packet

Signature : < K s , K d , K p > ( binary values )

Whether the coordinate value in the flow was seen “recently” or not

RADAR (Real-time Attack Detection And Report)

Capturing the “pivoted movement” in one or more of the 3 coordinates

Remembering two flows for a finite time duration L

Attack Signatures Attack Signatures Legitimate signatures <0,0,0> : the first packet in the flow, since RADAR sees this flow for the first time. <1,1,1> : the signature since the s,d,p values have already been observed in the first packet

Attack Signatures

Legitimate signatures

<0,0,0> : the first packet in the flow, since RADAR sees this flow for the first time.

<1,1,1> : the signature since the s,d,p values have already been observed in the first packet

Execution Result The results of applying the RADAR algorithm vdos – DoS with P d = ‘*’, fdos - P d is fixed ( not found ) (a) 1,277 pkts/s, (b) 40 byte TCP SYN flood ( “6” – IP, “2” = TCP flag), (c) hostscan for ssh

The results of applying the RADAR algorithm

vdos – DoS with P d = ‘*’, fdos - P d is fixed ( not found )

(a) 1,277 pkts/s, (b) 40 byte TCP SYN flood ( “6” – IP, “2” = TCP flag), (c) hostscan for ssh

Implementation Main filter Performs the detection and preliminary classification Poster filter Verifies if the classification is correct and measures the attack

Main filter

Performs the detection and preliminary classification

Poster filter

Verifies if the classification is correct and measures the attack

Evaluation[1] Field Test The campus network gateway at SNU (Seoul National Univ.) Two Gigabit Ethernet interfaces Pentium-4 2.4GHz with 512 MB Ram, Intel PRO/1000MF dual port LAN card, and PCI 2.2(32bit) bus Simulation Synthesize background traffic and inject a prescribed attack therein The resulting contaminated traffic runs through the RADAR Compare the attack calibration reported by the RADAR monitor with the attack prescription

Field Test

The campus network gateway at SNU (Seoul National Univ.)

Two Gigabit Ethernet interfaces

Pentium-4 2.4GHz with 512 MB Ram, Intel PRO/1000MF dual port LAN card, and PCI 2.2(32bit) bus

Simulation

Synthesize background traffic and inject a prescribed attack therein

The resulting contaminated traffic runs through the RADAR

Compare the attack calibration reported by the RADAR monitor with the attack prescription

Evaluation[2] Sensitivity The ratio of detected attack instances to injected instances RADAR algorithm is extremely sensitive to hostscan and port-fixed DoS Relative Error Portscan is not a global threat Sensitivity Relative Error

Sensitivity

The ratio of detected attack instances to injected instances

RADAR algorithm is extremely sensitive to hostscan and port-fixed DoS

Relative Error

Portscan is not a global threat

Evaluation[3] False Positive Rate Used unrealistically low thresholds for the scans and DoS RADAR is sensitive and accurate enough to pinpoint even very low-intensity attacks The false positive rate quickly approaches near zero values for all types of attacks as the attack intensity goes over the thresholds by a factor of 1.2

False Positive Rate

Used unrealistically low thresholds for the scans and DoS

RADAR is sensitive and accurate enough to pinpoint even very low-intensity attacks

The false positive rate quickly approaches near zero values for all types of attacks as the attack intensity goes over the thresholds by a factor of 1.2

Related Work Visualization Shoki Packet Hustler NIDS (network intrusion detection system) 2-d or 3-d visualization open source project FlowScan Analyzing NetFlow data Estan et al new method of traffic characterization that automatically and dynamically groups traffic into minimal clusters of conspicuous consumption Etherape tool, Mazu Network’s Profiler, OpenService’s Security Threat Manager IDS vs. RADAR RADAR is composed of the front end and back end RADAR is better to high-speed links

Visualization

Shoki Packet Hustler

NIDS (network intrusion detection system)

2-d or 3-d visualization

open source project

FlowScan

Analyzing NetFlow data

Estan et al

new method of traffic characterization that automatically and dynamically groups traffic into minimal clusters of conspicuous consumption

Etherape tool, Mazu Network’s Profiler, OpenService’s Security Threat Manager

IDS vs. RADAR

RADAR is composed of the front end and back end

RADAR is better to high-speed links

Conclusion Summary 3-d visualization of ongoing attacks such as DoS and scans( sip, dip, dport ) This representation can visually assist network operators to easily recognize ongoing attacks Instead of employing complex pattern recognition algorithms, RADAR is used RADAR algorithm requires only a few memory lookups per packet, yet the classification error is minimal The simulation and real implementation experiments have been done, and the algorithm indeed performs up to our expectation on high-speed links My thoughts Visualization technologies must be important to network administrators How about using sketches / bloom filter to optimize the performance? How about using 5 tuples? ( 5-d visualization is possible? ) How is this system to real network environment? How about considering the representation of time?

Summary

3-d visualization of ongoing attacks such as DoS and scans( sip, dip, dport )

This representation can visually assist network operators to easily recognize ongoing attacks

Instead of employing complex pattern recognition algorithms, RADAR is used

RADAR algorithm requires only a few memory lookups per packet, yet the classification error is minimal

The simulation and real implementation experiments have been done, and the algorithm indeed performs up to our expectation on high-speed links

My thoughts

Visualization technologies must be important to network administrators

How about using sketches / bloom filter to optimize the performance?

How about using 5 tuples? ( 5-d visualization is possible? )

How is this system to real network environment?

How about considering the representation of time?

Appendix: RADAR Sample visualization of attacks seen on a Korean backbone, Dec. 14 th , 2001 (from 9:35 a.m. through 10:16 a.m.)

Sample visualization of attacks seen on a Korean backbone, Dec. 14 th , 2001 (from 9:35 a.m. through 10:16 a.m.)

Thank You Any Questions?