
Real-Time and Resilient Intrusion Detection:

A Flow-Based Approach

Rick Hofstede, Aiko Pras

University of Twente, The Netherlands {r.j.hofstede, a.pras}@utwente.nl

1. Why flow-based?

Flow monitoring technologies (e.g. NetFlow and IPFIX) provide an aggregated view of network activity:

Advantages: Scalable for use in high-speed networks and widely deployed in routers, switches and probes.

Procedure:

1. Exporter aggregates packets into flow records
2. Collector stores flow records
3. Analysis application analyzes flow data

[Figure: Flow Exporter -> NetFlow / IPFIX -> Flow Collector -> Analysis application; flow record fields: Source IP, Destination IP, Source Port, Destination Port, Protocol, IP ToS, Input Interface, Packets, Bytes]

2. Problems of flow-based IDSs

Due to the design of current flow monitoring technologies, flow-based IDSs are subject to the following problems:

- Data is available after delays, caused by record expiration, processing and storage
- Monitoring equipment potentially becomes overloaded due to anomalies, affecting the data

3. Consequences

Non-attack flows are affected by attack traffic in non-resilient systems [1].

When flow monitoring systems are not resilient against anomalies, the following consequences may need to be faced:

Exporter:
- Packet loss
- Early-expired flow records
- Full flow cache, unaccounted packets and flows
- Overall system overload

Collector:
- Packet loss
- Incomplete and/or incorrect results from periodic processes

4. Proposed solution

Extend architecture:

1. Move intrusion detection partly to Exporter and share detections with Collector
2. Collector and Analysis application share detected intrusions with Exporter
3. Exporter monitors its own health

[Figure: Flow Exporter -> NetFlow / IPFIX -> Flow Collector -> Analysis application, the latter two forming the Intrusion Detection System (IDS); "Detections + Control" and "Detections" / "Control" are exchanged between Exporter, Collector and Analysis application, labelled 1, 2, 3 according to the steps above]

[Figure 2 panels: (a) Exported flow packets: flow packets/10s vs time [s]; (b) Unique IP addresses: unique IP addresses/10s vs time [s]; (c) Host activity: flow records per IP vs duration [s]]

Fig. 2: Time series (10 sec) of the number of exported flow packets (Fig. (a)), the number of unique IP addresses (Fig. (b)), and attacker activity (Fig. (c)).

number of flow records per flow packet is nearly constant (99% of all flow packets contain 27 or 28 flow records), Figure 2(a) indeed provides an overview of the evolution of the attack intensity in terms of network flows.

More than 20 000 unique IP addresses participated in the attack, although with varying intensity. 127 attackers sent more than 100 000 packets each, and 3185 attackers sent between 50 000 and 100 000 packets. There are strong indications that the attack was coordinated: most of the top 10 000 attackers joined in exactly the same second and then stayed active for the entire attack duration. Figure 2(b) shows the number of active unique IP addresses per 10 seconds. When the attack begins, we observe a sharp rise from a baseline of around 10 unique IPs to almost 70 000, and the number fluctuates between 70 000 and 60 000 for the duration of the attack. The figure also shows sudden drops in the number of attacking hosts around second 37600. This is due to packet loss that occurred when the load on the collector was too high (see Section VI-A).

Additional proof that the attack was coordinated is given by Figure 2(c). The figure shows, on the x-axis, the time in seconds during which an attacker has been active (and contacted the target at least 50 times) and, on the y-axis, the number of flow records generated by each attacker. We can see that a large portion of the attackers has been active for precisely 800 seconds, as indicated by the vertical line at the right side of the figure. Moreover, it also becomes evident that a second group of attackers has been active for an interval varying from a few seconds to 800 seconds, but with a constant rate of flows per second (corresponding to a rate of 100 SYN packets per second). In addition, a third group of attackers has sent a relatively low number of SYN packets per second; these hosts generate the uneven baseline in the figure. The main characteristic of such hosts is that they are clustered in groups of attackers sending the same number of SYN packets. Finally, from the figure we can also infer that several other hosts have contacted the target with varying activity durations and intensity (the dots in the plot that do not follow any of the three behaviors previously indicated).

C. Impact of the attack on the flow exporter

We now concentrate our attention on the impact of the attack on the flow exporter. As described in Section IV-B, a SYN flood attack will force the monitoring probe to deal with an anomalous number of flow records. In order to better understand how the attack affects the flow records, we have split them up into two sets: (i) flow records of flows from/to the attacked host and (ii) flow records of flows from/to the other hosts. Figure 3 shows the resulting two time series of the number of exported flow records per 10 seconds. Note the different scales on the two y-axes. We can see that the attacked host is not very active before the attack: on average, only 10 to 15 records per second contain the attacked host as source or destination. As expected, the flow record export rate for the attacked host sharply increases when the attack starts, because every SYN packet creates a new flow record.

[Figure 3: two time series of exported flow records/10s vs time [s], for the attacked host and for the other hosts, each on its own y-axis]

Fig. 3: Number of exported flow records per 10 seconds, for flow records of the attacked host and of the other hosts.

However, we can also observe that the export rate for the other hosts increases as well during the attack. This behavior was predicted in Section IV-B. As described there, if a very large number of flows with unique flow keys is created, as happens in the DDoS attack, the internal memory of the probe is quickly exhausted and new flow records displace existing records. This mechanism is also responsible for the extreme peak in the export rate for the other hosts at the beginning of the attack (timestamp 37140): the new flow records for the malicious traffic "push" most of the existing flow records out
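The displacement effect described here (and the "early-expired flow records" and "full flow cache" consequences listed in the poster), as an added simulation that is not part of the original paper or poster: a flow exporter with a fixed-size cache, fed with constructed background traffic from other hosts and a SYN flood in which every packet carries a new flow key. The cache size, the inactive timeout, the oldest-record displacement policy and all addresses are assumptions; the output mirrors the split of Fig. 3 into attacked-host and other-host records per 10 seconds.

```python
from collections import OrderedDict

CACHE_SIZE, INACTIVE_TIMEOUT = 1000, 15   # assumed probe memory and expiry setting
TARGET = "192.0.2.10"                      # constructed address of the attacked host

class FlowExporter:
    """Bounded flow cache. A new flow key arriving on a full cache displaces the
    oldest record (assumed policy), which is exported before its timeout."""
    def __init__(self):
        self.cache = OrderedDict()   # flow key -> [first_seen, last_seen, packets]
        self.exported = []           # (time, flow key, reason)

    def expire(self, t):
        """Normal export path: records idle longer than the inactive timeout."""
        for key in [k for k, r in self.cache.items() if t - r[1] > INACTIVE_TIMEOUT]:
            del self.cache[key]
            self.exported.append((t, key, "inactive"))

    def packet(self, t, key):
        if key in self.cache:
            self.cache[key][1] = t
            self.cache[key][2] += 1
            return
        if len(self.cache) >= CACHE_SIZE:
            old_key, _ = self.cache.popitem(last=False)   # displace the oldest record
            self.exported.append((t, old_key, "displaced"))
        self.cache[key] = [t, t, 1]

def simulate(duration=300, attack_start=100, attack_end=200, syn_rate=100):
    """Constructed traffic: 200 long-lived flows of other hosts at 1 packet/s, plus
    a SYN flood of `syn_rate` packets/s against TARGET in which every SYN carries a
    new source port, i.e. a new flow key. Returns per-10-second counts of exported
    records, split like Fig. 3 into attacked-host and other-host records."""
    exporter, syn = FlowExporter(), 0
    for t in range(duration):
        exporter.expire(t)
        for i in range(200):
            exporter.packet(t, (f"10.0.0.{i}", "10.0.1.1", 40000 + i, 443, 6))
        if attack_start <= t < attack_end:
            for _ in range(syn_rate):
                syn += 1
                exporter.packet(t, (f"198.51.100.{syn % 256}", TARGET, 1024 + syn, 80, 6))
    windows = [{"attacked_host": 0, "other_hosts": 0, "displaced": 0}
               for _ in range(duration // 10)]
    for t, key, reason in exporter.exported:
        w = windows[t // 10]
        w["attacked_host" if TARGET in key[:2] else "other_hosts"] += 1
        w["displaced"] += 1 if reason == "displaced" else 0
    return windows
```

Before the attack no record of the other hosts is exported at all; in the first 10-second window of the attack every background flow is pushed out at least once, which is the burst in the other-host export rate that the paragraph above describes.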

5. Conclusions

Currently, flow monitoring systems are subject to the negative effects of network anomalies. IDSs will therefore operate suboptimally, due to both artifacts in the affected flow data and delays in the data collection process. We aim to make flow-based IDSs more resilient against anomalies and applicable to real-time data streams.

References

[1] R. Sadre, A. Sperotto, A. Pras, The Effects of DDoS Attacks on Flow Monitoring Applications, NOMS 2012.
