Trusted Grid and P2P Computing: Security Binding, Worm Containment, DDoS Defense, and New Research Frontiers and Approaches
Professor Kai Hwang, Internet and Grid Computing Laboratory, University of Southern California, Los Angeles, California, USA
Presentations at Shanghai Jiaotong University, June 27, 2005 and Univ. of Science and Technology of China, June 29, 2005
Web site: http://GridSec.usc.edu/
Jul 8, 2005 - Contributors at USC: Min Cai, Shanshan Song, Ricky Kwok, Yu Chen, Runfang Zhou, Ying Chen, and Xiaosong Lou (http://GridSec.usc.edu)

Presentation Outline:
- Internet, Grid, and P2P Computing Arena
- System and Network Security Requirements
- Collaborative Internet Worm Containment
- Cardinality Counting for DDoS Defense
- Other Hot Topics for Trusted Computing: Fuzzy Trust Model and Reputation Systems; Game-theoretic Modeling of Realistic Grids; Grid Performance Metrics and DETER Experiments; Interoperability between Wired and Wireless Grids
- Concluding Remarks and Relevant Publications
Security and Privacy Demands in Internet, Grid, and P2P Services [6]:
- Trusted E-Commerce over the Internet
- Secure communications in E-mail, FTP, etc.
- Protected download of digital contents (P2P)
- System Intrusions and Network Anomalies
- Anonymity, confidentiality, data integrity, access control, resolving policy conflicts, etc.
- Firewalls, packet filters, VPN gateways, traffic monitors, security overlays, PKI services, etc.
- Self-defense toolkits, middleware, overlays for defense against viruses, worms, and flood attacks
July 8, 2005, Kai Hwang

Three Generations of Defense Technology Towards Cyberspace Security Assurance
1st Generation (Prevent Intrusions): Trusted Computing Base; Cryptography; Multiple Levels of Security; Access Control & Physical Security. Intrusions will Occur.
2nd Generation (Detect Intrusions, Limit Damage): Firewalls; PKI; Intrusion Detection Systems; Boundary Controllers; VPNs. Some Attacks will Succeed.
3rd Generation (Operate Through Attacks): Intrusion Tolerance; Big Board View of Attacks; Real-Time Situation Awareness & Response; Hardened Core; Graceful Degradation.

Worms and DDoS Attacks
[Figure: trade-off triangle among Performance, Security, and Functionality]
Internet Epidemic Outbreaks in Recent Years
Network Worms:
- Self-propagating program across a network
- Exploit vulnerabilities in widely-deployed homogeneous software
- Various malicious payloads, e.g. host spam-relays, launch DDoS attacks, etc.
- CodeRed in 2001, Slammer in 2003
Distributed Denial-of-Service (DDoS) Attacks:
- Overwhelm victim's resources with high-volume traffic
- Exploit Internet's unrestricted communication model
- Could exploit victim's protocol or software vulnerability
- Worms used to perform DDoS attacks automatically
Nimda, CodeRed, Slammer, Blaster, etc. CodeRed affected 360,000 web servers in 16 hours. Slammer was the fastest worm at large: it scanned 90% of the Internet in less than 10 minutes.
GridSec: A Network Security Research Project at USC (IEEE Security and Privacy Magazine, May/June 2005 [1])
The NetShield Architecture with Distributed Security Enforcement over a DHT Overlay
[Figure: three resource sites S1, S2, and S3 connected over the Internet, each with several hosts behind a VPN gateway; serious hackers attack from the Internet; the numbers 1, 2, 3 on the hosts and gateways mark the steps below]
Steps for automated self-defense at a resource site:
Step 1: Intrusion detected by host-based firewall/IDS
Step 2: All VPN gateways are alerted with the intrusions
Step 3: Gateways broadcast response commands to all hosts
The WormShield Built with a DHT-based Overlay with Six Worm Monitors [1]
[Figure: six worm monitors on a DHT-based overlay; serious hackers on the Internet]
Internet Worm Containment:
- Reduce Vulnerability: Preventing worms by upgrading software quality and reducing the system vulnerability.
- Scan Detection: Filtering traffic destined at detected ports where worms appear to be scanning and spreading.
- Hygiene Enforcement: Discovering infected hosts and keeping susceptible hosts off the network.
- Signature Inference: Detecting payload content substrings to generate and disseminate signatures automatically and throttle to slow down the spread.
Simulation Results:
- Simulated CodeRed-like worms on an Internet configuration of 105,246 edge networks and 338,562 vulnerable hosts
- Used BGP table snapshot on July 19th, 2001 from RouteViews
- Simulated infection progress matches quite well with Moore's experimental results [Moore et al, INFOCOM 2003]
Effects of Global Prevalence Threshold:
- Collaborative monitors detect signatures about 10 times faster than using independent monitors when Gp=10,000
WormShield Signature Generation Process
Effects of % Edge Networks Monitored:
- About 27 times reduction of infected hosts when 1% of vulnerable edge networks are monitored
[Figure: fraction of vulnerable hosts infected (0.0 to 1.0) versus number of vulnerable edge networks monitored: 61 (0.1%), 612 (1%), 6121 (10%), 30608 (50%). Curves: average of independent monitors (Gp=10,000 and Gp=1,000), maximum of independent monitors (Gp=10,000 and Gp=1,000), WormShield monitors (Gp=10,000 and Gp=1,000)]
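The collaborative signature-inference idea behind the two results above, as an added example that is not WormShield's or GridSec's own code: each monitor counts how often each fixed-size content window (fingerprinted with BLAKE2b) appears in the packets it sees, and the DHT aggregation step is modelled as summing the per-monitor counters before the prevalence threshold is checked. The traffic stream, the round-robin assignment of packets to five monitors, the 8-byte window and the small threshold are all constructed assumptions for the demonstration; with each monitor seeing a 1/k share of the traffic, the collaborative count reaches the threshold k times earlier than the best independent monitor does.

```python
# Added example: collaborative vs. independent content-prevalence counting for
# worm signature inference. Not the WormShield code; all parameters are assumed.
from collections import Counter
import hashlib

WINDOW = 8          # bytes per content window (assumed)
NUM_MONITORS = 5    # number of edge-network monitors (assumed)
GP = 20             # global prevalence threshold, kept small for the demo (assumed)


def fingerprints(payload: bytes) -> set:
    """Fingerprints of every WINDOW-byte substring of a payload.
    A set is returned so a packet counts once per distinct window."""
    return {hashlib.blake2b(payload[i:i + WINDOW], digest_size=8).digest()
            for i in range(len(payload) - WINDOW + 1)}


def build_stream(num_packets: int) -> list:
    """Constructed traffic: every second packet carries the same invariant payload
    (standing in for worm content); the others are distinct pseudo-random benign payloads."""
    invariant = b"CONSTRUCTED-INVARIANT-PAYLOAD-FOR-THE-DEMO"
    stream = []
    for i in range(num_packets):
        if i % 2 == 0:
            stream.append(invariant)
        else:
            stream.append(hashlib.sha256(b"constructed benign %d" % i).digest())
    return stream


def first_detection(stream: list, collaborative: bool, gp: int = GP):
    """Index of the first packet at which some fingerprint's prevalence reaches gp.
    Packets go round-robin to the monitors. With collaborative=True the per-monitor
    counters are summed before the check (the DHT aggregation); otherwise each
    monitor only checks its own counter."""
    local = [Counter() for _ in range(NUM_MONITORS)]
    for idx, payload in enumerate(stream):
        m = idx % NUM_MONITORS
        local[m].update(fingerprints(payload))
        counts = sum(local, Counter()) if collaborative else local[m]
        if counts and max(counts.values()) >= gp:
            return idx
    return None


def detection_speedup(stream: list, gp: int = GP) -> float:
    """How many packets earlier the collaborative scheme fires, as a ratio."""
    return first_detection(stream, False, gp) / first_detection(stream, True, gp)


if __name__ == "__main__":
    s = build_stream(400)
    print("collaborative:", first_detection(s, True),
          "independent:", first_detection(s, False),
          "speedup:", detection_speedup(s))
```

Lowering gp makes both schemes fire earlier but leaves the ratio at the number of monitors, which is the effect the global prevalence threshold plot is about; in a real deployment the threshold has to be high enough that benign popular content (software updates, shared images) does not cross it.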
USC NetShield Intrusion Defense System for Protecting Local Networks of Grid Computing Resources
[Figure: The Internet, ISP, network router, and firewall in front of the victim's internal network; the NetShield System comprises Datamining for Anomaly Intrusion Detection (IDS), a Risk Assessment System (RAS), and an Intrusion Response System (IRS)]

A Collaborative Anomaly and Intrusion Detection System (CAIDS), built with Snort and a custom-designed Anomaly Detection System at USC Internet and Grid Computing Lab in 2004 [2]
[Figure: NIDS (Snort) produces audit records from traffic data; a Signature Matching Engine uses known attack signatures from the ISD provider held in the Attack Signature Database, detecting single-connection attacks at packet level; an Episode Mining Engine, trained on audit records of normal traffic, detects anomalies over multiple connections (unknown or burst attacks) using the Episode Rule Database; the ADS Signature Generator turns detected anomalies into new signatures for the Attack Signature Database]

Alert Operations performed in local Grid sites and correlated globally
[Figure: alerts from the IDSs go through alert formatting and local alert clustering into alert clusters, then local alert correlation; a DHT module supports global alert clustering, alert classification, and alert merging; global alert correlation yields intrusion reports for alert assessment, reporting, and reaction]

ROC Curves for 4 Attack Classes on the Simulated CAIDS
[Figure: intrusion detection rate (%, 0 to 80) versus false alarm rate (%, 0 to 12) for the DoS, Probe, R2L, and U2R attack classes]
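The local-then-global alert pipeline above, as an added example that is not the CAIDS/NetShield code: alerts in a constructed "site|epoch|signature|src|dst" line format are formatted, clustered per site by (signature, source) within a 60-second window, routed to a DHT node by hashing the cluster key, and merged globally; an intrusion report is raised for any cluster key seen from at least two sites. The alert format, the window, the node count and the reporting rule are all my assumptions.

```python
# Added example: per-site alert clustering followed by DHT-keyed global merging.
# Not the CAIDS/NetShield code; the alert format and rules are assumed.
from collections import defaultdict
import hashlib

# Constructed sample alerts: "site|epoch_seconds|signature|src|dst" (assumed format)
RAW_ALERTS = [
    "S1|1000|SCAN_PORTSWEEP|10.0.0.5|192.168.1.10",
    "S1|1010|SCAN_PORTSWEEP|10.0.0.5|192.168.1.11",
    "S1|1040|SCAN_PORTSWEEP|10.0.0.5|192.168.1.12",
    "S1|1005|DOS_SYNFLOOD|10.0.0.9|192.168.1.20",
    "S2|1020|SCAN_PORTSWEEP|10.0.0.5|192.168.2.7",
    "S2|1100|SCAN_PORTSWEEP|10.0.0.5|192.168.2.8",
    "S3|2000|SCAN_PORTSWEEP|10.0.0.5|192.168.3.1",
]


def format_alert(line: str) -> dict:
    """Alert formatting: normalise one raw IDS line into a common record."""
    site, ts, sig, src, dst = line.split("|")
    return {"site": site, "ts": int(ts), "sig": sig, "src": src, "dst": dst}


def local_clusters(alerts: list, window: int = 60) -> list:
    """Local alert clustering for one site: group by (signature, source); a new
    cluster starts when an alert falls more than `window` seconds after the
    first alert of the open cluster for that key."""
    clusters, open_cluster = [], {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["sig"], a["src"])
        c = open_cluster.get(key)
        if c is None or a["ts"] - c["first"] > window:
            c = {"key": key, "site": a["site"], "first": a["ts"], "last": a["ts"],
                 "count": 0, "targets": set()}
            clusters.append(c)
            open_cluster[key] = c
        c["count"] += 1
        c["last"] = a["ts"]
        c["targets"].add(a["dst"])
    return clusters


def dht_node(key: tuple, num_nodes: int) -> int:
    """DHT module: the overlay node responsible for a cluster key (hash of the key)."""
    digest = hashlib.sha1("|".join(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % num_nodes


def global_merge(all_clusters: list, num_nodes: int = 4) -> dict:
    """Global alert clustering and merging: clusters with the same key, from any
    site, are merged at the node that owns the key."""
    merged = {}
    for c in all_clusters:
        g = merged.setdefault(c["key"], {"count": 0, "sites": set(), "targets": set(),
                                         "node": dht_node(c["key"], num_nodes)})
        g["count"] += c["count"]
        g["sites"].add(c["site"])
        g["targets"] |= c["targets"]
    return merged


def intrusion_reports(merged: dict, min_sites: int = 2) -> list:
    """Global alert correlation (assumed rule): report keys seen from several sites."""
    return sorted(k for k, g in merged.items() if len(g["sites"]) >= min_sites)


def run(raw_lines=None) -> dict:
    """Full pipeline over the constructed alerts: format, cluster per site, merge."""
    alerts = [format_alert(l) for l in (raw_lines or RAW_ALERTS)]
    by_site = defaultdict(list)
    for a in alerts:
        by_site[a["site"]].append(a)
    clusters = [c for site_alerts in by_site.values() for c in local_clusters(site_alerts)]
    return global_merge(clusters)


if __name__ == "__main__":
    merged = run()
    for key in intrusion_reports(merged):
        print(key, merged[key]["count"], sorted(merged[key]["sites"]))
```

The clustering keeps the alert volume sent into the overlay proportional to the number of (signature, source) clusters rather than to the number of raw alerts, and the multi-site rule is one simple correlation criterion; a real deployment would also weigh the signature class and the risk assessment score.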
Cardinality-Based Traffic Matrix Estimation:
- Traffic Matrix (TM) for diagnosing deliberate network anomalies
- Need to obtain TM in a fast and accurate manner
- Both packet-level TM (PTM) and flow-level TM (FTM): unusual increase in small flows, e.g. flooding attacks and scanning worms
- Limitations of existing TM estimation approaches: not accurate enough (10% avg. error); not fast enough (hourly); PTM only
- Two steps: local information collection, then global manipulation
- Existing approaches: statistical inference or direct measurement; Cardinality-Based TM Estimation (CBTM) is a balanced method between the two
[Figure: statistical inference, direct measurement, and CBTM placed on the axes of local information collection versus global manipulation]

Packet/Flow Counting for Tracking Attack-Transit Routers (ATRs)
[Figure: serious hackers; attack-transit routers on the path to the victim]

Scalability of Adaptive Counting:
- Root Mean Squared Error (RMSE) reflects both bias and standard errors
- Same memory (320 Kb) for three algorithms
- Cardinalities vary from 4K to 16M
- Scalable to cover small cardinalities and large ones
[Figure: RMSE versus cardinality for linear counting, loglog counting, and adaptive counting]

Packet-Level and Flow-Level Internet Traffic Monitoring for Worm and DDoS Flooding Control
[Figure: serious hackers]
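The three estimators compared on the RMSE plot above, as an added example that is not the GridSec/CBTM implementation: linear counting, LogLog counting, and an adaptive combination that runs both on one shared array of 1,024 byte-sized buckets (SHA-256 as the hash; the bias constant and the 5.1% empty-bucket switching point are my assumptions). The constructed inputs repeat flow identifiers to show that the sketch counts distinct flows rather than packets; the small input lands in the linear-counting regime and the large one in the LogLog regime, which is why the adaptive scheme stays accurate across the whole cardinality range.

```python
# Added example: linear counting, LogLog counting and an adaptive switch between
# them on one shared bucket array. Not the GridSec/CBTM code; constants are assumed.
import hashlib
import math

BUCKET_BITS = 10
M = 1 << BUCKET_BITS            # 1,024 buckets, one small integer (a byte) each
REST_BITS = 64 - BUCKET_BITS    # hash bits left over for the rank
ALPHA = 0.39701                 # LogLog bias-correction constant for large m (Durand-Flajolet)
EMPTY_SWITCH = 0.051            # empty-bucket fraction above which linear counting is used (assumed)


def hash64(item: bytes) -> int:
    """64-bit hash of a flow identifier (first 8 bytes of SHA-256)."""
    return int.from_bytes(hashlib.sha256(item).digest()[:8], "big")


def rank(rest: int) -> int:
    """1-based position of the leftmost 1 bit among the REST_BITS low bits; REST_BITS+1 if none."""
    if rest == 0:
        return REST_BITS + 1
    return REST_BITS - rest.bit_length() + 1


def build_sketch(items) -> list:
    """Hash each item to a bucket and keep the largest rank seen there.
    Duplicates map to the same bucket and rank, so they add nothing."""
    buckets = [0] * M
    for item in items:
        h = hash64(item)
        idx = h >> REST_BITS
        r = rank(h & ((1 << REST_BITS) - 1))
        if r > buckets[idx]:
            buckets[idx] = r
    return buckets


def linear_count(buckets: list) -> float:
    """Linear counting: n ≈ -m ln(V/m), V = number of still-empty buckets."""
    empty = buckets.count(0)
    if empty == 0:
        return float("inf")     # bitmap saturated; linear counting cannot estimate
    return -M * math.log(empty / M)


def loglog_count(buckets: list) -> float:
    """LogLog counting: n ≈ alpha * m * 2^(mean of the per-bucket maximum ranks)."""
    return ALPHA * M * 2.0 ** (sum(buckets) / M)


def adaptive_count(buckets: list):
    """Linear counting while many buckets are still empty (small cardinalities),
    LogLog once the array has filled up (large cardinalities). Returns (estimate, method)."""
    if buckets.count(0) / M > EMPTY_SWITCH:
        return linear_count(buckets), "linear"
    return loglog_count(buckets), "loglog"


def estimate_distinct(items):
    """Adaptive cardinality estimate of an iterable of flow identifiers."""
    return adaptive_count(build_sketch(items))


if __name__ == "__main__":
    # 900 constructed packets from only 300 distinct flows
    flows = [b"10.0.0.%d->10.1.0.1" % (i % 300) for i in range(900)]
    print(estimate_distinct(flows))
```

Memory is fixed at M buckets whatever the cardinality, which is what makes per-router flow counting feasible on a monitor; the adaptive rule exists because LogLog is badly biased while most buckets are empty, and linear counting stops working once none are.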
Other Hot Topics on Security Research for Realistic Grid Platforms and P2P Networks:
- Fuzzy trust model for security binding in Grids [3] and reputation system for P2P services over the Internet [4]
- Game-theoretic model for modeling selfish and non-cooperative Grids in the real-life world [5]
- NSF/HSD DETER testbed: an isolated Internet simulator built at USC/ISI and UC Berkeley for large-scale security benchmark experiments
- Interoperability between wired Grids and wireless Grids: a new challenge for pervasive Grid/P2P computing

Fuzzy Aggregation for Trust Integration over a DHT-based Overlay Network [3]
[Figure: sites S1, S2, S3, and S4 on a physical backbone, each with hosts and a VPN gateway (V), joined by a DHT overlay ring; trust vectors propagate between sites and the SeGO server negotiates with the user application]
Cooperating gateways working together to establish VPN tunnels for trust integration
Trusted P2P Transactions with Fuzzy Reputation Aggregation [4]
e-Trust: A peer reputation system built with a P2P overlay network for trusted commodity exchanges over the Internet, like eBay transactions
[Figure: for each transaction, the buyer's and the seller's local trust scores are produced by fuzzy inference from payment method, payment time, goods quality, and delivery time; the aggregation weight of a reporting peer is produced by fuzzy inference from the remote peer's trust value, transaction date, transaction amount, and the remote peer's lifetime. Aggregation using fuzzy inference over peers 2, 4, 6, 9, 12, 15, 17, and 20 with weights w4 = 0.9, w6 = 0.8, w9 = 0.9, w12 = 0.7, w15 = 0.7, w17 = 0.9, w20 = 0.3, shown for aggregation thresholds 0.8, 0.6, and 0.5]
Trust aggregation for peer 2 from peers 4 and 15, with w4 = 0.9, t4,2 = 0.8, w15 = 0.7, t15,2 = 0.9:
$T_2 = \frac{w_4}{w_4 + w_{15}} t_{4,2} + \frac{w_{15}}{w_4 + w_{15}} t_{15,2} = \frac{0.9}{0.9 + 0.7} \times 0.8 + \frac{0.7}{0.9 + 0.7} \times 0.9 = 0.84$

eBay transaction trace by ranks, hot spots, request interval, and transaction amounts
[Figure: percentage of transactions (%) and percentage of amount (%) versus percentage of ordered transactions (%) for super users and small users; time interval between 2 consecutive transactions (min) on a logarithmic scale]

Simulated Performance of the eTrust system compared with the EigenTrust system in processing eBay traces
[Figure: detection rate (%) for N = 100, 1000, 5000, and 10000 peers; number of messages by individual peer versus peer ID (up to 1000); time (minute) on a logarithmic scale; EigenTrust and eTrust curves]
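The T2 computation above, as an added example that is not the eTrust code: the local scores reported about peer 2 are combined with weights normalised over the reporting peers, and the aggregation threshold is interpreted (my assumption) as the minimum aggregation weight a reporting peer needs before its score is consulted. The report dictionary uses the slide's values w4 = 0.9, t4,2 = 0.8, w15 = 0.7, t15,2 = 0.9, so the threshold sweep shows how raising the threshold drops the less-trusted reporter and changes the aggregate.

```python
# Added example: weighted aggregation of local trust scores into a global trust
# value, with an aggregation threshold selecting the reporting peers. Not the
# eTrust code; the threshold interpretation is an assumption.


def aggregate_trust(reports: dict, threshold: float):
    """reports maps reporting peer id -> (aggregation weight w_i, local score t_i,target).
    Only peers with w_i >= threshold are consulted; their scores are combined with
    weights normalised over the selected peers, i.e. T = sum_i (w_i / sum_j w_j) * t_i.
    Returns (score rounded to 2 decimals, sorted ids of the peers used), or
    (None, []) when no reporting peer passes the threshold."""
    selected = {pid: wt for pid, wt in reports.items() if wt[0] >= threshold}
    if not selected:
        return None, []
    total_weight = sum(w for w, _ in selected.values())
    score = sum(w / total_weight * t for w, t in selected.values())
    return round(score, 2), sorted(selected)


def aggregate_under_thresholds(reports: dict, thresholds=(0.5, 0.6, 0.8)) -> dict:
    """Aggregated score for each of the aggregation thresholds shown on the slide."""
    return {th: aggregate_trust(reports, th)[0] for th in thresholds}


# Values from the slide: peer 4 reports t4,2 = 0.8 with weight w4 = 0.9,
# peer 15 reports t15,2 = 0.9 with weight w15 = 0.7.
REPORTS_FOR_PEER_2 = {4: (0.9, 0.8), 15: (0.7, 0.9)}

if __name__ == "__main__":
    print(aggregate_trust(REPORTS_FOR_PEER_2, 0.6))        # (0.84, [4, 15])
    print(aggregate_under_thresholds(REPORTS_FOR_PEER_2))
```

Because the weights are renormalised over the selected reporters, a reporter that is dropped by the threshold neither drags the aggregate toward zero nor leaves a gap; the price is that with a high threshold the aggregate rests on fewer opinions, which is the trade-off the three threshold settings on the slide explore.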
Game-Theoretic Approach to Solving the Selfish Grid Computing Problem
Game theory is intended to provide a theory of strategic behavior when all parties in the game interact directly, rather than through a third party, each with the goal of maximizing its own individual benefit.
Hierarchical Grids
Inter-domain Game: combine reputation based and game theoretical approaches
Grid Resource Registry: Utility = f(trust); trust values Tr. 1, Tr. 2, … Tr. M
[Figure: Grid domains UCLA, USC, UCSD, SDSC, and ISI. Inter-domain game: "What is benefit if I accept jobs from UCLA?" and "Accept jobs from UCLA or USC? USC, benefit more, then USC". Intra-domain game among the USC Grids: Internet and Grid Computing Lab, ISD, HPC, CS, and Grid Computing Lab]
Grid Performance Enhancement under Different Gaming Strategies
Performance Metrics for Trusted Grid Computing [6]
[Figure: Kiviat graph with five axes and the values measured for the Risky strategy: Makespan [0, 3.3×10^6 s]: 2.0×10^6 s; 1 − Utilization [0, 1.0]: 0.38; Response Time [0, 4.2×10^5 s]: 1.7×10^5 s; Failure Rate [0, 1.0]: 0.65; Slowdown Ratio [0, 152]: 65. Overall metric ε = 1 − 17.8% = 82.8%]
Wired Grids vs. Wireless Grids – The Interoperability Issues
[Figure: a user on the Internet / wired Grid connects through an Ethernet bridge with firewall to a wireless ad hoc network / wireless Grid of PCs, laptops, a PDA, a cell phone, a digital camera, and a sensor network]

DETER Testbed Benchmark Experiments
DETER Testbed funded by the National Science Foundation (NSF) and the Department of Homeland Security (DHS) in the USA
[Figure: DETER Project, Aug 04: a 'Boss' server (Web/DB/SNMP, switch management), a 'User' server (user files, user accounts and data logging), a control DB, and a 'Gatekeeper' on the control network VLAN; a power controller and a serial line server; N nodes with 100bT control ports and N x 4 1000bT data ports on a programmable patch panel (VLAN switch)]
Final Remarks (Download from http://GridSec.usc.edu)
- The NetShield, built with DHT-based security overlay networks, supports distributed intrusion and anomaly detection, alert correlation, collaborative worm containment, and flooding attack monitoring, detection, and suppression.
- Extensive benchmark experiments on the DETER testbed will prove the effectiveness; there is still a long way to go to achieve assurance.
- The fuzzy trust model is effective in supporting distributed security enforcement in both computational Grids and P2P systems.
- The game-theoretic approach provides a viable solution to the selfish and non-cooperative problems in realistic network platforms.
- Wireless Grids needed for pervasive applications must be built to be interoperable with existing wired backbone networks. Air interfaces, admission control, disconnection handling, wireless PKI, security binding, and QoS all demand extensive research and development.
- Interoperability demands support for wired and wireless communications in distributed clusters, grids, and pervasive computing applications.

Related Publications:
1. M. Cai, K. Hwang, Y. K. Kwok, Y. Chen, and S. S. Song, "Fast Internet Worm Containment", IEEE Security and Privacy, May/June 2005.
2. K. Hwang, Y. Chen, and H. Liu, "Defending Distributed Computing Systems from Malicious Intrusions and Network Anomalies", Keynote address at IEEE Workshop on Security in Systems and Networks (SSN'05) in conjunction with IEEE IPDPS 2005, Denver, April 8, 2005.
3. S. Song, K. Hwang, and Y. K. Kwok, "Trusted Grid Computing with Security Binding and Trust Integration", Journal of Grid Computing, August 2005.
4. S. Song, K. Hwang, R. Zhou, and Y. K. Kwok, "Trusted P2P Transactions with Fuzzy Reputation Aggregation", IEEE Internet Computing Magazine Special Issue on Security for P2P and Ad Hoc Networks, submitted March 2005.
5. Y. K. Kwok, S. Song, and K. Hwang, "Selfish Grid Computing: Game Theoretic Modeling and NAS Performance Results", ACM/IEEE Int'l Conf. on Cluster Computing and the Grids (CCGrid 2005), Cardiff, U.K., May 9-12, 2005.
6. K. Hwang, Y. Kwok, S. Song, M. Cai, R. Zhou, Yu Chen, Ying Chen, and X. Lou, "GridSec: Trusted Grid Computing with Security Binding and Self-Defense against Network Worms and DDoS Attacks", Int'l Workshop on Grid Computing Security and Resource Management (GSRM'05), in conjunction with ICCS 2005, Emory University, Atlanta, May 22-25, 2005.