Northwestern Lab for Internet and Security Technology LIST Yan Chen ychencs.northwestern.edu Departm - PowerPoint PPT Presentation

Northwestern Lab for Internet and Security Technology (LIST)
Yan Chen, ychen_at_cs.northwestern.edu
Department of Computer Science, Northwestern University
http://www.cs.northwestern.edu/ychen
Global Router-based Anomaly/Intrusion Detection (GRAID) Systems
  • Multiple GRAID sensors interconnect through distributed hash table (DHT) for alarm fusion with
    • Scalability
    • Load balancing
    • Fault-tolerance
    • Intrusion correlation

Online traffic recording and analysis for high-speed routers

[Figure] Attach GRAID sensors to high-speed routers: (a) original configuration, (b) distributed configuration, for which each port is monitored separately, (c) aggregate configuration, for which a splitter is used to aggregate the traffic from all the ports of a router.

[Figure] Sample hardware FPGA board used to implement the sketch-based traffic stream monitoring (courtesy of Prof. Memik of ECE Dept)

[Figure] Architecture of a GRAID sensor. Hardware implementation of critical-path for real-time detection.
Diagram labels: Part I: Sketch-based monitoring & detection; Part II: Per-flow monitoring & detection; streaming packet data; reversible k-ary sketch monitoring; local sketch records; sent out for aggregation; remote aggregated sketch records; sketch based statistical anomaly detection (SSAD); statistical detection; filtering; keys of suspicious flows; keys of normal flows; normal flows; suspicious flows; per-flow monitoring; signature-based detection; network fault detection; traffic profile checking; integrated approach for false positive reduction; intrusion or anomaly alarms.
Legend: modules on the critical path; modules on the non-critical path; data path; control path.
Tomography-based Overlay network Monitoring (TOM)
Challenge: Given an overlay of n end hosts and O(n^2) paths, how to select a minimal subset of paths to monitor so that the loss rates/latency of all other paths can be inferred.
  • Overlay network monitoring essential for
    • Overlay routing/location
    • VPN management/provisioning
    • Service redirection/placement
    • Link failure/congestion diagnosis
  • Requirements for E2E monitoring system
    • Scalable and efficient: small amount of probing traffic
    • Accurate: capture congestion/failures
    • Adaptive: nodes join/leave, topology changes
    • Robust: tolerate measurement errors
    • Balanced measurement load

UC Berkeley
  • Our solution: Select a basis set of k paths that fully describe O(n^2) paths (k O(nlogn)). Monitor the loss rates of k paths, and infer the loss rates of all other paths
  • Adaptive to topology changes
  • Balanced measurement load
  • Topology measurement error tolerance

Real Adaptive Streaming Media on TOM
  • Implemented with Winamp client and SHOUTcast server
  • Congestion introduced with a Packet Shaper
  • Skip-free playback: server buffering and rewinding
  • Total adaptation time < 4 seconds
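
The basis-path selection described in the TOM section above (monitor k paths, infer the rest), as an added example that is not code from the poster or from the TOM project. It assumes link losses are independent, so the log of a path's delivery rate is the sum over its links, and it picks linearly independent rows of the path-link matrix by exact Gaussian elimination; the four-link star topology, loss values and function names are constructed for illustration.

```python
from fractions import Fraction
from math import exp, log

def select_basis(paths, n_links):
    """Return (basis, combos). basis lists the paths that must be probed;
    combos[i] maps basis index -> coefficient c so that row_i = sum(c * row_k)."""
    pivots, basis, combos = [], [], []   # pivots: (pivot column, reduced row, combo)
    for i, links in enumerate(paths):
        row = [Fraction(int(j in links)) for j in range(n_links)]
        coef = {}                        # row_i = residual + sum(coef[k] * row_k)
        for col, prow, pcombo in pivots:
            if row[col]:
                f = row[col] / prow[col]
                row = [a - f * b for a, b in zip(row, prow)]
                for k, c in pcombo.items():
                    coef[k] = coef.get(k, 0) + f * c
        if any(row):                     # independent of earlier paths: probe it
            col = next(j for j, v in enumerate(row) if v)
            pcombo = {k: -c for k, c in coef.items()}
            pcombo[i] = Fraction(1)
            pivots.append((col, row, pcombo))
            basis.append(i)
            combos.append({i: Fraction(1)})
        else:                            # dependent: inferable from the basis
            combos.append({k: c for k, c in coef.items() if c})
    return basis, combos

def infer_loss(combos, measured):
    """measured: {basis path index: loss rate}. Returns a loss rate per path."""
    logs = {k: log(1.0 - p) for k, p in measured.items()}
    return [1.0 - exp(sum(float(c) * logs[k] for k, c in combo.items()))
            for combo in combos]

# Constructed sample: hosts A-D, each behind one access link (ids 0-3).
LINK_LOSS = [0.01, 0.02, 0.05, 0.10]     # ground truth, hidden from the monitor
PATHS = [{0, 1}, {0, 2}, {0, 3}, {1, 2}, {1, 3}, {2, 3}]  # AB AC AD BC BD CD

def true_loss(links):
    ok = 1.0
    for j in links:
        ok *= 1.0 - LINK_LOSS[j]
    return 1.0 - ok

def demo():
    basis, combos = select_basis(PATHS, len(LINK_LOSS))
    measured = {k: true_loss(PATHS[k]) for k in basis}   # stands in for probes
    return basis, infer_loss(combos, measured)

if __name__ == "__main__":
    print(demo())
```

Here four of the six paths are probed and the loss rates of B-D and C-D are recovered from them.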

See our paper in
Collaborators