Northwestern Lab for Internet and Security Technology (LIST)
Yan Chen, ychen@cs.northwestern.edu
Department of Computer Science, Northwestern University
http://www.cs.northwestern.edu/ychen
Global Router-based Anomaly/Intrusion Detection (GRAID) Systems
- Multiple GRAID sensors interconnect through a distributed hash table (DHT) for alarm fusion, with:
  - Scalability
  - Load balancing
  - Fault tolerance
  - Intrusion correlation
Online traffic recording and analysis for high-speed routers

Architecture of a GRAID sensor (figure labels; data path vs. control path):
- Part I: Sketch-based monitoring/detection (modules on the critical path, data path; the critical path is implemented in hardware for real-time detection)
  - Streaming packet data -> reversible k-ary sketch monitoring -> local sketch records
  - Remote aggregated sketch records are sent out for aggregation
  - Sketch-based statistical anomaly detection (SSAD): statistical detection yields keys of suspicious flows and keys of normal flows; filtering passes suspicious flows on to Part II
- Part II: Per-flow monitoring/detection (modules on the non-critical path, control path)
  - Per-flow monitoring, signature-based detection, traffic profile checking, network fault detection
  - Integrated approach for false positive reduction -> intrusion or anomaly alarms

Figure: Attach GRAID sensors to high-speed routers: (a) original configuration; (b) distributed configuration, in which each port is monitored separately; (c) aggregate configuration, in which a splitter aggregates the traffic from all the ports of a router.

Figure: Sample hardware FPGA board used to implement the sketch-based traffic stream monitoring (courtesy of Prof. Memik, ECE Dept).
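The Part I data path (reversible k-ary sketch -> sketch records -> statistical change detection -> keys of suspicious flows), as an added example that is not the poster's or the GRAID project's code. It assumes a simplified construction: each hash row uses modular hashing (every byte of the 32-bit key is hashed by its own small random table and the bucket index is the concatenation), the forecast for the current interval is simply the previous interval's sketch, and the per-key estimate is the plain median over rows rather than the rescaled k-ary estimator. The traffic, the 10.0.0.7 spike, the threshold, and all names (ReversibleKarySketch, detect_change, make_sample_traffic) are constructed for this example.

```python
import itertools
import random
from statistics import median

# Sketch geometry (assumed values for this example, not the poster's parameters)
H = 5                  # independent hash rows
Q = 4                  # key words: an IPv4 address split into 4 bytes
R = 3                  # bits of bucket index contributed by each word
K = 1 << (Q * R)       # 4096 buckets per row


def ip_to_int(ip):
    return int.from_bytes(bytes(int(x) for x in ip.split(".")), "big")


def int_to_ip(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def key_words(key):
    """Split a 32-bit key into Q bytes, most significant first."""
    return [(key >> (8 * (Q - 1 - p))) & 0xFF for p in range(Q)]


class ReversibleKarySketch:
    """k-ary sketch with modular hash functions: each key word is hashed by its
    own random table and the bucket index is the concatenation of the per-word
    results, which is what lets heavy buckets be reversed to keys."""

    def __init__(self, seed=1):
        rng = random.Random(seed)
        # tables[j][p][byte] -> R-bit sub-index for hash row j, word position p
        self.tables = [[[rng.randrange(1 << R) for _ in range(256)]
                        for _ in range(Q)] for _ in range(H)]
        self.counts = [[0] * K for _ in range(H)]

    def index(self, j, key):
        idx = 0
        for p, w in enumerate(key_words(key)):
            idx = (idx << R) | self.tables[j][p][w]
        return idx

    def update(self, key, value=1):
        for j in range(H):
            self.counts[j][self.index(j, key)] += value

    def estimate(self, key):
        # median over rows (the k-ary estimator also rescales by the row mean;
        # omitted here to keep the reversal step readable)
        return median(self.counts[j][self.index(j, key)] for j in range(H))

    def minus(self, other):
        """Forecast-error sketch: this interval minus the previous one."""
        diff = ReversibleKarySketch.__new__(ReversibleKarySketch)
        diff.tables = self.tables          # both sketches share the hash tables
        diff.counts = [[a - b for a, b in zip(ra, rb)]
                       for ra, rb in zip(self.counts, other.counts)]
        return diff

    def reverse(self, threshold):
        """Recover keys whose bucket exceeds `threshold` in every row."""
        cand = None
        for j in range(H):
            heavy = [i for i, v in enumerate(self.counts[j]) if v > threshold]
            per_pos = [set() for _ in range(Q)]     # bytes consistent with a heavy bucket
            for idx in heavy:
                for p in range(Q):
                    sub = (idx >> (R * (Q - 1 - p))) & ((1 << R) - 1)
                    per_pos[p] |= {b for b in range(256)
                                   if self.tables[j][p][b] == sub}
            cand = per_pos if cand is None else [a & b for a, b in zip(cand, per_pos)]
        found = []
        for combo in itertools.product(*cand):
            key = int.from_bytes(bytes(combo), "big")
            if self.estimate(key) > threshold:      # prunes phantom byte combinations
                found.append(key)
        return sorted(found)


def build_sketch(flow_counts, seed=1):
    sk = ReversibleKarySketch(seed)
    for ip, n in flow_counts.items():
        sk.update(ip_to_int(ip), n)
    return sk


def detect_change(prev_counts, cur_counts, threshold, seed=1):
    """Source IPs whose per-interval volume rose by more than `threshold`."""
    err = build_sketch(cur_counts, seed).minus(build_sketch(prev_counts, seed))
    return [int_to_ip(k) for k in err.reverse(threshold)]


def make_sample_traffic(seed=7):
    """Constructed input: 300 background sources with stable volume plus one
    source (10.0.0.7) that spikes in the second interval."""
    rng = random.Random(seed)
    prev, cur = {}, {}
    for _ in range(300):
        ip = int_to_ip(rng.getrandbits(32))
        prev[ip] = rng.randint(50, 150)
        cur[ip] = rng.randint(50, 150)
    prev["10.0.0.7"], cur["10.0.0.7"] = 80, 6000
    return prev, cur


def run_demo():
    prev, cur = make_sample_traffic()
    return detect_change(prev, cur, threshold=2000)   # ['10.0.0.7']
```

The per-row intersection is the point of the reversible design: no per-key state is kept on the data path, yet the few heavy buckets of the error sketch are enough to recover the offending key. When several keys spike at once their bytes cross-multiply into phantom candidates, which is why the final verification against the sketch estimate is kept.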
Tomography-based Overlay network Monitoring (TOM)
Real Adaptive Streaming Media on TOM
Challenge: Given an overlay of n end hosts and O(n^2) paths, how to select a minimal subset of paths to monitor so that the loss rates/latency of all other paths can be inferred.
- Overlay network monitoring is essential for:
  - Overlay routing/location
  - VPN management/provisioning
  - Service redirection/placement
  - Link failure/congestion diagnosis
- Requirements for an end-to-end (E2E) monitoring system:
  - Scalable and efficient: small amount of probing traffic
  - Accurate: capture congestion/failures
  - Adaptive: nodes join/leave, topology changes
  - Robust: tolerate measurement errors
  - Balanced measurement load
UC Berkeley
- Our solution: select a basis set of k paths that fully describe the O(n^2) paths (k = O(n log n)). Monitor the loss rates of the k paths, and infer the loss rates of all other paths.
  - Adaptive to topology changes
  - Balanced measurement load
  - Topology measurement error tolerance
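The basis-set idea above, as an added example that is not the poster's or the TOM project's code. It assumes a constructed four-host overlay (hosts a..d behind two routers, with made-up per-link loss rates), builds the path matrix G (one 0/1 row per end-to-end path, one column per link), selects a basis by greedy elimination over exact rationals, and infers an unmonitored path's loss rate from the monitored ones in the additive -log(1-p) domain, where path loss is a sum of link terms. All names (LINKS, PATHS, select_basis, infer_loss) are this example's own. On four hosts only one of six paths is saved; the O(n log n) saving the poster cites shows up on larger Internet-like topologies, where many paths share links.

```python
import math
from fractions import Fraction

# Constructed toy overlay: hosts a..d attached to routers r1 and r2
LINKS = ["a-r1", "b-r1", "r1-r2", "c-r2", "d-r2"]
PATHS = {                               # end-to-end path -> links it traverses
    "a-b": ["a-r1", "b-r1"],
    "a-c": ["a-r1", "r1-r2", "c-r2"],
    "a-d": ["a-r1", "r1-r2", "d-r2"],
    "b-c": ["b-r1", "r1-r2", "c-r2"],
    "b-d": ["b-r1", "r1-r2", "d-r2"],
    "c-d": ["c-r2", "d-r2"],
}
LINK_LOSS = {"a-r1": 0.01, "b-r1": 0.02, "r1-r2": 0.10, "c-r2": 0.01, "d-r2": 0.03}
PATH_NAMES = list(PATHS)


def path_matrix(paths, links):
    """Path matrix G: one 0/1 row per path, one column per link."""
    return [[1 if l in paths[p] else 0 for l in links] for p in paths]


def select_basis(rows):
    """Greedy elimination: keep a path iff its row is linearly independent of
    the rows already kept. Returns the indices of the kept rows (k = rank G)."""
    pivots, basis = [], []
    for i, row in enumerate(rows):
        v = [Fraction(x) for x in row]
        for col, prow in pivots:            # reduce against earlier pivot rows
            if v[col] != 0:
                f = v[col] / prow[col]
                v = [a - f * b for a, b in zip(v, prow)]
        lead = next((c for c, x in enumerate(v) if x != 0), None)
        if lead is not None:                # survived reduction: new direction
            pivots.append((lead, v))
            basis.append(i)
    return basis


def solve_exact(A, y):
    """Solve A c = y exactly (Gauss-Jordan over Fractions) for a consistent
    system; free variables are set to 0."""
    m, k = len(A), len(A[0])
    M = [[Fraction(x) for x in A[i]] + [Fraction(y[i])] for i in range(m)]
    pivot_cols, r = [], 0
    for c in range(k):
        p = next((i for i in range(r, m) if M[i][c] != 0), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        piv = M[r][c]
        M[r] = [x / piv for x in M[r]]
        for i in range(m):
            if i != r and M[i][c] != 0:
                f = M[i][c]
                M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        pivot_cols.append(c)
        r += 1
        if r == m:
            break
    if any(M[i][k] != 0 for i in range(r, m)):
        raise ValueError("target path is not in the span of the basis")
    c_vec = [Fraction(0)] * k
    for i, col in enumerate(pivot_cols):
        c_vec[col] = M[i][k]
    return c_vec


def path_loss(path):
    """Ground-truth loss of a path: 1 - product of per-link success rates."""
    return 1 - math.prod(1 - LINK_LOSS[l] for l in PATHS[path])


def infer_loss(G, basis, measured, target):
    """Express row `target` as a combination of basis rows, then apply the same
    combination to the measured basis-path losses in the -log(1-p) domain."""
    n_links = len(G[0])
    BT = [[G[j][l] for j in basis] for l in range(n_links)]   # links x k
    coeff = solve_exact(BT, G[target])
    b = sum(float(cj) * -math.log(1 - measured[j]) for cj, j in zip(coeff, basis))
    return 1 - math.exp(-b)


def demo():
    G = path_matrix(PATHS, LINKS)
    basis = select_basis(G)                                    # paths to probe
    measured = {j: path_loss(PATH_NAMES[j]) for j in basis}    # "probe" results
    inferred = {PATH_NAMES[i]: infer_loss(G, basis, measured, i)
                for i in range(len(G)) if i not in basis}
    truth = {p: path_loss(p) for p in inferred}
    return basis, inferred, truth
```

Here demo() keeps five of the six paths (a-b, a-c, a-d, b-c, c-d) and reconstructs b-d as a-d + b-c - a-c, which cancels the shared a-r1 and c-r2 terms exactly. Exact rational arithmetic is used so the basis choice is unambiguous; a deployed monitor would instead solve the overdetermined system in least squares so that noisy probe measurements are averaged rather than propagated.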
- Implemented with a Winamp client and a SHOUTcast server
- Congestion introduced with a Packet Shaper
- Skip-free playback: server buffering and rewinding
- Total adaptation time < 4 seconds
See our paper in
Collaborators