Effective Countermeasures Against Emerging Threats in the Future Internet
Salvatore D’Antonio
Consorzio Interuniversitario Nazionale per l’Informatica
Canada-EU Future Internet Workshop
March 23-24, 2011 – Waterloo, Canada
EC Grant Agreement n. 216585
Project overview
– INTERSECTION: INfrastructure for heTErogeneous, Resilient, SEcure, Complex, Tightly Inter-Operating Networks
– ICT Call 1 of the Seventh Framework Programme (FP7)
– Work programme topic addressed
  • Challenge 1: Pervasive and Trusted Network and Service Infrastructures
  • Objective ICT-2007.1.4: Secure, dependable and trusted infrastructures
– Start date: January 1st, 2008
– Duration: 24 months
Context
• Security and resilience in network infrastructures
  – Design of scalable, secure and resilient network architectures in order to enable
    • dynamic management policies ensuring end-to-end secure data transmission and service provisioning across heterogeneous infrastructures and networks;
    • real-time detection and recovery capabilities against intrusions, malfunctions and failures
• Trusted computing infrastructures
  – Design of computing infrastructures enabling interoperability and end-to-end security in order to ensure the design and development of trustworthy applications and services
The Consortium
ACADEMY
• Consorzio Interuniversitario Nazionale per l’Informatica [Italy]
• Lancaster University [UK]
• Fraunhofer Gesellschaft zur Foerderung der Angewandten Forschung [Germany]
• Eidgenoessische Technische Hochschule Zuerich [Switzerland]
INDUSTRY
• Elsag Datamat (Coordinator) [Italy]
• Thales Research and Technology [UK]
• ITTI (SME) [Poland]
END USERS
• Telefonica ID Investigación y Desarrollo [Spain]
• Telespazio [Italy]
• Polska Telefonia Cyfrowa [Poland]
Project motivation
Main objectives
• Identify and classify the vulnerabilities of heterogeneous and interconnected network infrastructures (wired, wireless, satellite, mobile networks)
• Create and maintain a network vulnerability database
• Design and implement an integrated network security framework including different components and tools:
  – detecting anomalous events
  – reacting to well-known, as well as new kinds of anomalies
  – deploying truly distributed countermeasures against ongoing attacks
  – providing systems with mechanisms for intrusion tolerance, i.e. preventing intrusions from generating a system failure
INTERSECTION Vulnerability Database
The INTERSECTION framework
The real-time intrusion detection and tolerance system
[Figure: framework components: Network Monitoring, Detection, Reaction, Remediation, Visualization]
The INTERSECTION Intrusion Detection System
[Figure: IDS architecture built around an Event Bus]
Use case: detection of stealth attacks
• Stealth attacks
  – “minimize the cost to and visibility of the attacker but which are about as harmful as brute force attacks” (wireless) – M. Jakobsson et al., Stealth Attacks on Ad Hoc Wireless Networks, 2003
  – “become invisible (or at least very difficult to detect) to network-based defences” – A. D. Keromytis et al., Defending Against Next Generation through Network/Endpoint Collaboration and Interaction, 2007
Low-rate DoS attack
• Good candidate as a stealth attack
  – “The low-rate attack raises serious concern because it can be significantly harder to detect than more traditional brute-force, flooding style attacks” – H. Sun et al., Defending Against Low-rate TCP Attacks: Dynamic Detection and Protection, 2004
  – “low-rate denial of service attacks, unlike high-rate attacks, are difficult for routers and counter-DoS mechanisms to detect” – E. Knightly et al., Low-rate TCP-targeted denial of service attacks and counter strategies, 2006
Detection of stealth attacks
• Short traffic bursts
  – maliciously chosen duration
  – maliciously chosen low frequency
• Evade rate-controlling detection mechanisms
• Periodically keep the network very busy
• Influence the TCP congestion control mechanisms of hosts sharing network segments between the attacker and the attack target
• Throttle other TCP flows' rate far below their ideal value
Detection approach
• Generate traffic traces including low-rate attacks
  – Shrew attack tools
• Define traffic metrics for behavioural modelling
  – Statistical parameters
• Extract behaviour patterns for attack classification
  – Machine learning algorithms
Model extraction
• Feature vector computation through trace processing
  – Ad-hoc developed Snort plug-in
• Feature vector classification
• Traffic model extraction by means of several supervised machine learning algorithms
  – Decision Tree J48
  – SVM
  – Bayesian Network
  – Boosting
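The feature-vector computation step, applied to the low-rate burst pattern of the earlier slides, as an added Python example that is neither INTERSECTION project code nor its Snort plug-in: it bins a constructed packet-timestamp trace into fixed windows and derives three statistical features (mean rate, peak-to-mean ratio, dominant burst period by autocorrelation) that separate periodic low-rate bursts from steady traffic even when the average rate stays under a rate limit. The bin size, thresholds and trace parameters are assumptions.

```python
# Added example (not INTERSECTION code): bin a packet trace into fixed windows
# and derive features that expose periodic low-rate bursts a plain rate limit
# misses. Bin size, thresholds and the constructed trace are assumptions.
BIN_MS = 50  # window size in milliseconds (assumed)

def bin_counts(timestamps_ms, duration_ms, bin_ms=BIN_MS):
    """Packets per fixed window over [0, duration_ms)."""
    counts = [0] * (duration_ms // bin_ms)
    for t in timestamps_ms:
        i = int(t // bin_ms)
        if 0 <= i < len(counts):
            counts[i] += 1
    return counts

def dominant_period_ms(counts, bin_ms=BIN_MS, min_corr=0.5):
    """Lag with the strongest autocorrelation, or None if no clear period."""
    n = len(counts)
    mean = sum(counts) / n
    dev = [c - mean for c in counts]
    var = sum(d * d for d in dev)
    if var == 0:  # flat series: nothing periodic to find
        return None
    best_lag, best_r = None, min_corr
    for lag in range(1, n // 2):
        r = sum(dev[i] * dev[i + lag] for i in range(n - lag)) / var
        if r > best_r:
            best_lag, best_r = lag, r
    return None if best_lag is None else best_lag * bin_ms

def features(timestamps_ms, duration_ms):
    """Feature vector for one trace: mean rate, burstiness, periodicity."""
    counts = bin_counts(timestamps_ms, duration_ms)
    mean = sum(counts) / len(counts)
    return {"mean_rate_pps": mean * 1000 / BIN_MS,
            "peak_to_mean": max(counts) / mean if mean else 0.0,
            "period_ms": dominant_period_ms(counts)}

def looks_like_low_rate_dos(f, rate_limit_pps=500.0, burst_ratio=5.0):
    """Stays under the rate limit on average, yet bursts with a clear period."""
    return (f["mean_rate_pps"] < rate_limit_pps
            and f["peak_to_mean"] > burst_ratio
            and f["period_ms"] is not None)

def constructed_trace(duration_ms=10_000, period_ms=1000, burst_ms=100, pps=2000):
    """Constructed sample: a burst_ms burst every period_ms (flat when equal)."""
    step = 1000 / pps  # ms between packets inside a burst
    return [start + k * step for start in range(0, duration_ms, period_ms)
            for k in range(int(burst_ms * pps / 1000))]
```

With the defaults the bursty trace averages only 200 pps, far under the 500 pps limit, yet shows a 1000 ms period and a peak-to-mean ratio of 10, while a steady 100 pps trace yields no period at all.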
The INTERSECTION demonstrator
Contacts
• Website: http://www.intersection-project.eu
• Information: [email protected]
Project Coordinator: Stefano Vertechi
Technical Coordinator: Salvatore D’Antonio
Networking Station 29 @ EU-Canada Future Internet Workshop