Efficient Traffic Monitoring for Science DMZ with Side-Channel Traffic Winnowing


This study explores efficient traffic monitoring for Science DMZ using side-channel based traffic winnowing. It introduces a lightweight detection system to address the limitations of traditional high-performance data transfer methods. The proposed approach enhances security policies, improves network performance, and enables easier performance monitoring. By leveraging Science DMZ architecture and threat modeling, the research identifies the tension between traffic monitoring requirements and high-performance data transfer. The study also discusses the limitations of existing approaches and suggests strategies for improving the processing capacity of Intrusion Detection Systems (IDSes).


Uploaded on Sep 23, 2024 | 0 Views



Presentation Transcript


  1. Towards Efficient Traffic Monitoring for Science DMZ with Side-Channel based Traffic Winnowing
     Hongda Li, Fuqiang Zhang, Lu Yu, Jon Oakley, Hongxin Hu, and Richard R. Brooks
     SDN-NFV Security 2018

  2. Outline
     - Introduction
     - Approach Overview
     - Lightweight Detection System Development
     - Evaluation

  3. Traditional High Performance Data Transfer
     (Diagram: data servers sit on each campus LAN behind the campus router/firewall, and the two campuses are connected across the WAN.)

  4. Traditional High Performance Data Transfer
     (Same diagram, annotated with four problems:)
     1. Inappropriate security policies
     2. Low-performance general-purpose networks
     3. Hard to monitor performance
     4. Low-performance general-purpose data servers

  5. Science DMZ
     (Diagram: on each campus a border router connects to the WAN; a Science DMZ router hangs off the border router and hosts the high-performance Data Transfer Nodes, separate from the campus LAN behind the campus router/firewall; the two Science DMZs are joined by a virtual/dedicated connection.)

  6. Threat Model
     (Diagram: a compromised Data Transfer Node behind the Science DMZ router, on which malicious programs are installed and launched; traffic monitoring at the border router captures the anomalies.)

  7. Tension Between Two Requirements
     - Traffic monitoring to capture the anomalies from a compromised Data Transfer Node (malicious programs installed and launched)
     - High-performance data transfer: 100 Gbps or higher
     - Low-performance traffic monitoring: Snort with 800 Mbps per processor, Bro with 80 Mbps per core

  8-13. Limitations of Existing Approaches (built up over six slides)
     - Improving the processing capacity of IDSes: multi-thread/core IDSes, cluster-based IDSes, special hardware IDSes. Limitation: devoting more resources
     - Tuning the IDSes based on traffic pattern: predicting the traffic pattern. Limitation: lack of dynamics
     - SciPass: totally bypassing IDSes. Limitation: lack of visibility after bypassing

  14. Overview of Our Approach
     (Diagram: traffic between the border router on the WAN side and the high-performance Data Transfer Nodes passes through an OpenFlow switch. Reflected traffic goes to the Lightweight Detection System for continuous monitoring, which updates flow rules on the switch; filtered traffic goes to IDS instances on a virtualization platform, dynamically adapting to load variations.)

  15. Lightweight Detection System Requirements
     - Very low false negative rate: malicious traffic is rarely considered as benign; benign traffic can be considered as malicious
     - Efficient detection: process each packet faster; analyze only a small portion of traffic to filter

  16-18. Insight #1 of Science DMZ
     Domain-specific applications:
     - Lustre/GPFS (high-speed parallel file system)
     - GridFTP/FTD (high-speed data transfer)
     - XRootD (discipline-specific tools)
     Baseline of what traffic should be deemed as benign -> Side-Channel Analysis -> Model of benign traffic

  19. Modeling Network Protocols
     Network protocol modeling via Hidden Markov Models (HMMs):
     - C. Lu, et al. A normalized statistical metric space for hidden Markov models.
     - L. Yu, et al. Inferring statistically significant hidden Markov models.
     - X. Zhong, et al. Side channel analysis of multiple PMU data in electric power systems.
     It has been shown feasible to model a network protocol by the time intervals between its packets.

  20-21. Insight #2 of Science DMZ
     Elephant flows: size of flows is huge; duration of flows is long
     -> Sufficient observation to infer HMMs for each flow
     -> Relatively small portion of traffic to analyze

  22. Lightweight Detection System Design
     (Diagram: Incoming Traffic -> Online Detection -> Detection Results -> Flow Rule Management -> Flow Rule Update. Offline Training produces the Symbol Table and the HMMs that Online Detection uses.)

  23. Offline Training Process
     Traffic Capturing -> Extracting Time Intervals -> Symbolization (produces the Symbol Table) -> Inferring HMMs (produces the HMMs)

  24. Online Detection Process
     Packet Acquisition -> Compute Time Interval -> Assign Symbol (using the Symbol Table from offline training) -> Count Probability of each Symbol
     Insufficient sampling: keep acquiring packets
     Sufficient sampling: Chi-square test against the inferred HMMs; Matched -> Benign, Not matched -> Malicious
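The symbolization and online detection loop of slides 22 to 24, as an added Python example that is not the authors' code. The symbol table bins, the benign symbol distribution (a constructed stand-in for the symbol probabilities of the paper's inferred HMM), MIN_SAMPLES and the chi-square threshold are all assumed values, and make_flow builds constructed test flows.

```python
from collections import Counter

# Symbol table: inter-packet time interval (seconds) -> symbol. The paper derives
# these bins during offline training; the bin edges here are assumed.
SYMBOL_TABLE = [(0.0, 0.001, "A"), (0.001, 0.01, "B"),
                (0.01, 0.1, "C"), (0.1, float("inf"), "D")]
# Expected symbol distribution of benign (GridFTP-style) traffic. In the paper this
# comes from the inferred HMM; here it is a constructed stand-in.
BENIGN_MODEL = {"A": 0.70, "B": 0.20, "C": 0.08, "D": 0.02}
MIN_SAMPLES = 30   # below this, sampling is "insufficient": keep acquiring packets
CHI2_CRIT = 7.815  # chi-square critical value, df = 4 symbols - 1 = 3, p = 0.05
# Representative interval per symbol, used only to construct test flows.
REP_INTERVAL = {"A": 0.0005, "B": 0.005, "C": 0.05, "D": 0.5}

def symbolize(interval):
    """Assign Symbol step: look the interval up in the symbol table."""
    for lo, hi, sym in SYMBOL_TABLE:
        if lo <= interval < hi:
            return sym
    raise ValueError(f"negative interval {interval}")

def chi_square(counts, model):
    """Goodness-of-fit statistic of observed symbol counts against the model."""
    n = sum(counts.values())
    return sum((counts.get(s, 0) - n * p) ** 2 / (n * p) for s, p in model.items())

def classify(timestamps):
    """Online detection over one flow's packet arrival times.
    Returns (verdict, statistic): 'insufficient' while too few intervals have
    been observed, otherwise 'benign' if the symbol distribution matches the
    benign model (chi-square test passes) and 'malicious' if it does not."""
    intervals = [t1 - t0 for t0, t1 in zip(timestamps, timestamps[1:])]
    counts = Counter(symbolize(d) for d in intervals)
    if sum(counts.values()) < MIN_SAMPLES:
        return "insufficient", None
    stat = chi_square(counts, BENIGN_MODEL)
    return ("benign" if stat < CHI2_CRIT else "malicious"), stat

def make_flow(symbol_counts):
    """Constructed test flow: arrival timestamps whose intervals realise the
    given per-symbol counts (one representative interval per symbol)."""
    t, stamps = 0.0, [0.0]
    for sym, k in symbol_counts.items():
        for _ in range(k):
            t += REP_INTERVAL[sym]
            stamps.append(t)
    return stamps

if __name__ == "__main__":
    gridftp_like = make_flow({"A": 68, "B": 22, "C": 8, "D": 2})   # near the model
    off_model = make_flow({"A": 40, "B": 30, "C": 25, "D": 5})     # SCP-like timing
    print(classify(gridftp_like), classify(off_model), classify(gridftp_like[:10]))
```

Once a flow is classified benign, the flow rule update on slide 22 would steer its remaining packets away from the IDS instances; the test fires only after enough intervals have been seen, which is what the elephant-flow insight of slides 20-21 guarantees.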

  25. Evaluation
     - The processing time of each packet: lightweight detection system; IDS instances; expectation of the hybrid of the two
     - False positive rate of the lightweight detection system

  26. Evaluation Setup
     Data Collection: GridFTP (benign) vs. SCP (malicious); each flow transfers 10 GB of data; generated through VMs on CloudLab at Clemson
     System Configuration: implement the lightweight detection system; Bro as IDS instances

  27. Processing Time of Each Packet
     $T$: expectation of processing time of each packet
     $L$: processing time of the lightweight detection system
     $I$: processing time of the IDS instances
     $\alpha$: the ratio of traffic to analyze for filtering
     $\beta$: the ratio of malicious traffic
     $\gamma$: false positive rate

  28-29. Result Analysis
     Tested variables (observed values):
       $L$  0.66 microseconds
       $I$  44.46 microseconds
       $T$  32.7 microseconds
     Parameters:
       $\alpha$ (analysis ratio)   0.1
       $\beta$ (malicious ratio)   0.5
       $\gamma$ (FPR)              0.38
     (Bar chart, processing time per packet in microseconds: LDS 0.66, IDS instance 44.46, expectation 32.7; 26% saved.)

  30. Result Analysis
     $T = L + \alpha I + (1-\alpha)\left(\beta I + \gamma(1-\beta) I\right), \quad 0 \le \alpha, \beta, \gamma \le 1$
     Parameters: $\alpha$ (analysis ratio) 0.1; $\beta$ (malicious ratio) 0.5; $\gamma$ (FPR) 0.38
     Malicious ratio and FPR fixed: $T = \alpha(1-\beta)(1-\gamma) I + C_1$
     Analysis ratio and FPR fixed: $T = \beta(1-\alpha)(1-\gamma) I + C_2$
     Analysis ratio and malicious ratio fixed: $T = \gamma(1-\alpha)(1-\beta) I + C_3$
     Decreasing any of these parameters will further reduce the expectation of processing time!
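The cost model of slides 27 to 30 worked through as an added Python example (not the paper's code), using the slide-28 values; the constants $C_1$, $C_2$, $C_3$ are not given on the slides and are written out here by expanding the full formula.

```python
# Expected per-packet processing time of the hybrid LDS + IDS pipeline (slide 30):
#   T = L + alpha*I + (1 - alpha) * (beta*I + gamma*(1 - beta)*I)
# Every packet pays L at the lightweight detection system (LDS). A fraction alpha
# of the traffic is analysed for filtering and also reaches the IDS; of the rest,
# the malicious fraction beta is sent to the IDS, and benign traffic reaches the
# IDS only when the LDS misclassifies it (false positive rate gamma).

def expected_time(L, I, alpha, beta, gamma):
    """T: expectation of processing time per packet (same unit as L and I)."""
    return L + alpha * I + (1 - alpha) * (beta * I + gamma * (1 - beta) * I)

def savings(L, I, alpha, beta, gamma):
    """Fraction of per-packet cost saved versus sending every packet to the IDS."""
    return 1 - expected_time(L, I, alpha, beta, gamma) / I

def linear_forms(L, I, alpha, beta, gamma):
    """Slide 30's three linear forms of T, one per free parameter, with the
    constants C1, C2, C3 obtained by expanding the full formula (derived here,
    not stated on the slide). Each entry is (slope, constant) such that
    T = slope * parameter + constant."""
    return {
        "alpha": ((1 - beta) * (1 - gamma) * I,
                  L + (beta + gamma * (1 - beta)) * I),           # C1
        "beta":  ((1 - alpha) * (1 - gamma) * I,
                  L + alpha * I + (1 - alpha) * gamma * I),       # C2
        "gamma": ((1 - alpha) * (1 - beta) * I,
                  L + alpha * I + (1 - alpha) * beta * I),        # C3
    }

# Values from the slide-28 table (microseconds and ratios).
L_US, I_US, ALPHA, BETA, GAMMA = 0.66, 44.46, 0.1, 0.5, 0.38

if __name__ == "__main__":
    T = expected_time(L_US, I_US, ALPHA, BETA, GAMMA)
    print(f"T = {T:.1f} us, saved {savings(L_US, I_US, ALPHA, BETA, GAMMA):.0%}")
    for name, (slope, const) in linear_forms(L_US, I_US, ALPHA, BETA, GAMMA).items():
        print(f"T = {slope:.2f} * {name} + {const:.2f}  (dT/d{name} = {slope:.2f} us)")
```

With the slide-28 values the slopes come out at roughly 13.8, 24.8 and 20.0 microseconds per unit of alpha, beta and gamma respectively, so the false positive rate of the LDS and the malicious ratio weigh more than the analysis ratio.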

  31. Conclusion and Future Work
     Conclusion:
     - Present a new architecture for traffic monitoring in Science DMZ
     - Demonstrate efficiency of side-channel based traffic winnowing
     Future work:
     - Evaluate on real-world Science DMZ data: more protocols, more use scenarios
     - Investigate more side-channel features: packet size, time interval deviations, etc.
     - Employ advanced machine learning techniques

  32. Q & A Thank you!

