network security today: finding complex attacks at 100gb/s · sabotage. network security today...

Network Security Today

Robin Sommer!International Computer Science Institute, &!

Lawrence Berkeley National Laboratory

[email protected] http://www.icir.org/robin

Network Security Today: Finding Complex Attacks at 100Gb/s

mailto:[email protected]


The Old Days …

2

Border Traffic!Lawrence Berkeley National Lab (Today)!

10GE upstream, 4,000 user, 12,000 hosts

Total connections


The Old Days …

2

Border Traffic!Lawrence Berkeley National Lab (Today)!

10GE upstream, 4,000 user, 12,000 hosts

Attempted connectionsSuccessful connectionsTotal connections


Today’s Threats

3


Today’s Threats

3

Trend 1: Commercialization of attacks!Thriving underground economy (“Crime-as-a-Service”).!Bear Race: Attack is good enough if it pays.

Source: Gary Larson


Today’s Threats

3


Trend 2: High-skill / high-resource attacks.!Activist Hacking.!Advanced Persistent Threats / Nation-states.

Source: Wikimedia CommonsSource: Computer Security Articles Source: EFF


Today’s Threats

3


Trend 2: High-skill / high-resource attacks.!Activist Hacking.!Advanced Persistent Threats / Nation-states.

Trend 3: Insider Attacks!Exfiltration !Sabotage


Defender Challenges

Varying threat models.!No ring rules them all.

4


Defender Challenges


Semantic complexity.!The action is really at the application-layer.

4


Defender Challenges


Semantic complexity.!The action is really at the application-layer.

Volume and variability.!Network traffic is an enormous haystack.

4


Deep Packet Inspection at High Speed

5


Analyzing Semantics

6


Analyzing Semantics

6

Tap

Internet Internal

Network

IDS

Example: Finding downloads of known malware. !


Analyzing Semantics

6

Tap

Internet Internal

Network

IDS

1. Find and parse all Web traffic.!2. Find and extract binaries.!3. Compute hash and compare with database.!4. Report, and potentially kill, if found.

Example: Finding downloads of known malware. !


Back in 2005 …

7

Data: Leibniz-Rechenzentrum, München

020

4060

80

TByt

es/m

onth

1997 1998 1999 2000 2001 2002 2003 2004 2005

Total bytesIncoming bytes

Total upstream bytesIncoming bytes

Munich Scientific Network (2005)!3 major universities, 1 GE upstream!~100,000 Users!~50,000 Hosts


Back in 2005 …

8

Data: Leibniz-Rechenzentrum, München

050

010

0015

00

TByt

es/m

onth

1996 1998 2000 2002 2004 2006 2008 2010 2012

Total bytesIncoming bytes

Oct 2005

Total upstream bytesIncoming bytes

Munich Scientific Network (Today)!3 major universities, 2x10GE upstream!~100,000 Users!~65,000 Hosts


Traditional Gap: Research vs. Operations

Conceptually simple tasks can be hard in practice.!Academic research often neglects operational constraints.!Operations cannot leverage academic results. !

We focus on working with operations.!Close collaborations with several large sites.!Extremely fruitful for both sides.

9


Research Platform: Bro

10


Research Platform: Bro

10

Originally developed by Vern Paxson in 1996.!

Open-source, BSD-license, maintained at ICSI and NCSA.!

In operational use since the beginning. !

Conceptually very different from other IDS.

http://www.bro.org


Architecture

11

Network

Packets


Architecture

11

Network

Event EngineProtocol Decoding

Events

Packets


Architecture

11

Network


Script InterpreterAnalysis Logic

Logs

Events

Packets

Notification


Architecture

11

Network



Logs

Events

Packets

Notification“User Interface”


Script Example: Matching URLs

12

Task: Report all Web requests for a file “passwd”


Script Example: Matching URLs

12

Task: Report all Web requests for a file “passwd”

!event http_request(c: connection, # Connection.! method: string, # HTTP method.! original_URI: string, # Requested URL.! unescaped_URI: string, # Decoded URL.! version: string) # HTTP version.!{! if ( method == "GET" && unescaped_URI == /.*passwd/! )! NOTICE(...); # Alarm.!}


Script Example: Scan Detector

13

Task: Count failed connection attempts per source address.


Script Example: Scan Detector

13

Task: Count failed connection attempts per source address.

global attempts: table[addr] of count &default=0;!!event connection_rejected(c: connection)!{! local orig = c$id$orig_h; # Get originator address.!! local n = ++attempts[orig]; # Increase counter.! ! if ( n == SOME_THRESHOLD ) # Check for threshold.! NOTICE(...); # Alarm.!}


“Who’s Using It?”

14

Diverse Deployment Base Universities

Research Labs Supercomputer Centers

Government Organizations Fortune 20 Enterprises

Recent User Meetings Bro Workshops 2011/13 at NCSA

Bro Exchange 2012 at NCAR

Attended by about 50-80 operators from from 30-40 organizations

Examples Lawrence Berkeley National Lab

National Center for Supercomputing Applications National Center for Atmospheric Research

Indiana University !

... and many more sites

Fully integrated into Security Onion Popular security-oriented Linux distribution

http://ncar.ucar.edu/


1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2011

Bro History

1995 20101996 2012

Vern writes 1st line of code!

2013


1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2011

Bro History

1995 20101996 2012


2013

Bro SDCI!

v2.0!New Scripts

v0.2!1st CHANGES!

entry!

v0.6!RegExps!

Login analysis!!

v0.8aX/0.9aXSSL/SMB!

STABLE releases!BroLite

v1.1/v1.2!when Stmt!Resource

tuning!Broccoli!

DPD!

v1.5!BroControl!

v0.7a90!Profiling!

State Mgmt

v1.4!DHCP/BitTorrent!

HTTP entities!NetFlow!

Bro Lite Deprecated!

v1.0!BinPAC!

IRC/RPC analyzers!64-bit support!Sane version

numbers!

v0.4 HTTP analysis!Scan detector!IP fragmentsLinux support!

v0.7a175/0.8aX !Signatures!

SMTP!IPv6 support!User manual!!

v0.7a48!Consistent CHANGES

v1.3!Ctor expressions!

GeoIP!Conn Compressor

0.8a37!Communication!

Persistence!Namespaces!Log Rotation

LBNL starts using Bro!

operationally

v2.1!IPv6!

Input Framew.

v2.2!File Analysis!

Summary Stat.

Bro Center!


1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2011

Bro History

1995

USENIX Paper!Stepping Stone

Detector!

AnonymizerActive Mapping!Context Signat.!

TRWState Mgmt.!

Independ. State!

Host Context!Time Machine!

Enterprise Traffic

BinPAC!DPD!

2nd Path

Bro ClusterShunt

Autotuning

Parallel Prototype

20101996

Academic Publications

Input Framework

2012


2013

Bro SDCI!

v2.0!New Scripts

v0.2!1st CHANGES!

entry!

v0.6!RegExps!

Login analysis!!




tuning!Broccoli!

DPD!

v1.5!BroControl!

v0.7a90!Profiling!

State Mgmt




v1.0!BinPAC!


numbers!










operationally

v2.1!IPv6!

Input Framew.

v2.2!File Analysis!

Summary Stat.

Bro Center!


1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2011

Bro History

1995

USENIX Paper!Stepping Stone

Detector!

AnonymizerActive Mapping!Context Signat.!

TRWState Mgmt.!

Independ. State!

Host Context!Time Machine!

Enterprise Traffic

BinPAC!DPD!

2nd Path

Bro ClusterShunt

Autotuning

Parallel Prototype

20101996

Academic Publications

Input Framework

2012


2013

Bro SDCI!

v2.0!New Scripts

v0.2!1st CHANGES!

entry!

v0.6!RegExps!

Login analysis!!




tuning!Broccoli!

DPD!

v1.5!BroControl!

v0.7a90!Profiling!

State Mgmt




v1.0!BinPAC!


numbers!










operationally

v2.1!IPv6!

Input Framew.

v2.2!File Analysis!

Summary Stat.

Bro Center!

Example: Processing performance!LBNL operations had trouble keeping up.!Research question: How can Bro scale up?


Load-balancing Architecture

16



16

Detection LogicPacket Analysis

NIDS

10G



16

10G

Exte

rnal

Pac

ket L

oad-

Bala

ncer!

Flows

Detection Logic

Packet Analysis

NIDS 2

Detection Logic

Packet Analysis

NIDS 1

Detection Logic

Packet Analysis

NIDS 3

1G

1G

1G



16

10G

Exte

rnal

Pac

ket L

oad-

Bala

ncer!

Flows

Detection Logic

Packet Analysis

NIDS 2

Detection Logic

Packet Analysis

NIDS 1

Detection Logic

Packet Analysis

NIDS 3

Communication

Communication

1G

1G

1G



16

10G

Exte

rnal

Pac

ket L

oad-

Bala

ncer!

Flows

“Bro Cluster”

Detection Logic

Packet Analysis

NIDS 2

Detection Logic

Packet Analysis

NIDS 1

Detection Logic

Packet Analysis

NIDS 3

Communication

Communication

1G

1G

1G


A Production Load-Balancer

1717


A Production Load-Balancer

1717

cFlow: 10GE line-rate, stand-alone load-balancer

10 Gb/s in/out!Web & CLI!

Filtering capabilities!!


Next Stop: 100 Gb/s

18

Source: ESNet

Now these sites need a monitoring solution ... Working with cPacket on a 100GE load-balancer!

DOE/ESNet !100G Advanced Networking Initiative

2011

Source: ESNet


Next Stop: 100 Gb/s

19

Source: ESNet

2014


On Deck: 400G Connectivity

20

Computational Research and Theory Building.

Oakland Scientific Facility.

100G

2 x 100G

File System Links

Inter-site Traffic

100G WAN 100G WAN

Berkeley National Laboratory

Sources: ESNet/LBNL/NERSC


10G 10G10G

Science DMZ

21

Campus LAN

Internet


100G 100G100G

Science DMZ

21

Campus LAN

Internet


10G 10G

Science DMZ

21

Campus LAN

100GInternet


10G 10G

Science DMZ

21

Campus LAN

100G

100G

Transfer/Storage Nodes

100G

Science DMZ Switch

Internet


10G 10G

Science DMZ

21

Campus LAN

100G

Clean, high-bandwith path

Low-bandwidth!campus access

100G


100G

Science DMZ Switch

Internet


10G 10G10G

100G

Science DMZ

22

Campus LAN

100G


100G

Science DMZ Switch

100GInternet


100G

10G 10G10G

100G

Science DMZ

22

Campus LAN

100G


100G

Science DMZ Switch

100GInternet


100G Bro Cluster

23

100G

Science DMZ Switch


100G Bro Cluster

23

100G Load-balancer

100G

Science DMZ Switch


100G Bro Cluster

23

100G Load-balancer

10G

100G

Science DMZ Switch


100G Bro Cluster

23

100G Load-balancer

10G

Bro Cluster

100G

Science DMZ Switch


100G Bro Cluster

23

100G Load-balancer

10G

Bro Cluster

API

Con

trol

100G

Science DMZ Switch


100G Bro Cluster

23

100G Load-balancer

10G

Bro Cluster

API

Con

trol

100G

Science DMZ Switch

Con

trol

API


Parallelizing DPI on Multi-core Systems

24


Going Multi-Core …

Bro is single-threaded!Cluster backends have muitple cores, mostly idle.!Work-around: “Cluster in a box”!

We really want multi-threading, though.!Needs to scale well with increasing numbers of cores.!Needs to be transparent to the operator.!

For some IDS, that’s not so hard.!For others, it is ...

25


Concurrent Analysis

26

Network



Logs

Events

Packets

Notification


Concurrent Analysis

26

Single Thread

Network



Logs

Events

Packets

Notification


Concurrent Analysis

27

Event Engine

Network

Packets

Events

Notification

Script ThreadsScripting Language

Event Engine! ThreadsPacket Analysis

Detection Logic

Dispatcher Kernel or NIC


Concurrent Analysis

27

Event Engine

Network

Packets

Events

Notification


Event Engine! Threads

“Cluster in a Box”

Packet Analysis

Detection Logic



Concurrent Analysis

27

Event Engine

Network

Packets

Events

Notification


Event Engine! Threads

“Cluster in a Box”

Packet Analysis

Detection Logic


How to parallelize!a scripting language?


How to Parallelize Event Handlers?

28

Simple: State-less Analysis


How to Parallelize Event Handlers?

28

Simple: State-less Analysis

!event http_request(c: connection, # Connection.! method: string, # HTTP method.! original_URI: string, # Requested URL.! unescaped_URI: string, # Decoded URL.! version: string) # HTTP version.!{! if ( method == "GET" && unescaped_URI == /.*passwd/! )! NOTICE(...); # Alarm.!}


How to Parallelize Event Handlers? (2)

29

Challenging: Analysis that keeps global state.


How to Parallelize Event Handlers? (2)

29

Challenging: Analysis that keeps global state.

global attempts: table[addr] of count &default=0;!!event connection_rejected(c: connection)!{! local orig = c$id$orig_h; # Get originator address.!! local n = ++attempts[orig]; # Increase counter.! ! if ( n == SOME_THRESHOLD ) # Check for threshold.! NOTICE(...); # Alarm.!}


!!

connection_rejected(c):!

!

s = c.originator !

! ++attempts[s]!

Parallelizing Event Execution

addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

30

attempts[addr] of count


!!


!

s = c.originator !

! ++attempts[s]!

!!


# 192.150.187.12!

s = c.originator !

! ++attempts[s]!


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

30


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1


!!


!

s = c.originator !

! ++attempts[s]!

!!


# 192.150.187.12!

s = c.originator !

! ++attempts[s]!

Thread 1!!


# 134.96.7.179 !

s = c.originator !

! ++attempts[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts[s]!

!


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

30


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1


!!


!

s = c.originator !

! ++attempts[s]!

!!


# 192.150.187.12!

s = c.originator !

! ++attempts[s]!

Thread 1!!


# 134.96.7.179 !

s = c.originator !

! ++attempts[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts[s]!

!

Thread 1!!


# 134.96.7.179 !

s = c.originator !

LOCK(attempts)!

++attempts[s]!

UNLOCK(attempts)!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

LOCK(attempts)!

++attempts[s]!

UNLOCK(attempts)!

Thread 2!!


# 192.150.187.12!

s = c.originator !

LOCK(attempts)!

++attempts[s]!

UNLOCK(attempts)!


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

30


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1


!!


!

s = c.originator !

! ++attempts[s]!

!!


# 192.150.187.12!

s = c.originator !

! ++attempts[s]!

Thread 1!!


# 134.96.7.179 !

s = c.originator !

! ++attempts[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts[s]!

!


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

30


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1


!!


!

s = c.originator !

! ++attempts[s]!

!!


# 192.150.187.12!

s = c.originator !

! ++attempts[s]!

Thread 1!!


# 134.96.7.179 !

s = c.originator !

! ++attempts[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts[s]!

!


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

30


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

attempts_1

attempts_2

attempts_3


!!


!

s = c.originator !

! ++attempts[s]!

!!


# 192.150.187.12!

s = c.originator !

! ++attempts[s]!

Thread 1!!


# 134.96.7.179 !

s = c.originator !

! ++attempts[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts[s]!

!

Thread 1!!


# 134.96.7.179 !

s = c.originator!

!

++attempts_1[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts_3[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts_2[s]!

!


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

30


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

attempts_1

attempts_2

attempts_3


!!


!

s = c.originator !

! ++attempts[s]!

!!


# 192.150.187.12!

s = c.originator !

! ++attempts[s]!

Thread 1!!


# 134.96.7.179 !

s = c.originator !

! ++attempts[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts[s]!

!

Thread 1!!


# 134.96.7.179 !

s = c.originator!

!

++attempts_1[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts_3[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts_2[s]!

!

hash(addr)1

1

2

2

3

3

hash: addr -> {1, 2 ,3}


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

30


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

attempts_1

attempts_2

attempts_3


!!


!

s = c.originator !

! ++attempts[s]!

!!


# 192.150.187.12!

s = c.originator !

! ++attempts[s]!

Thread 1!!


# 134.96.7.179 !

s = c.originator !

! ++attempts[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts[s]!

!

Thread 1!!


# 134.96.7.179 !

s = c.originator!

!

++attempts_1[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts_3[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts_2[s]!

!

hash(addr)1

1

2

2

3

3

hash: addr -> {1, 2 ,3}

Thread 1!!


# 134.96.7.179 !

s = c.originator !

! ++attempts_(hash(s))[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts_(hash(s))[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!


!


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

30


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

attempts_1

attempts_2

attempts_3


!!


!

s = c.originator !

! ++attempts[s]!

!!


# 192.150.187.12!

s = c.originator !

! ++attempts[s]!

Thread 1!!


# 134.96.7.179 !

s = c.originator !

! ++attempts[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts[s]!

!

Thread 1!!


# 134.96.7.179 !

s = c.originator!

!

++attempts_1[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts_3[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts_2[s]!

!

hash(addr)1

1

2

2

3

3

hash: addr -> {1, 2 ,3}

Thread 1!!


# 134.96.7.179 !

s = c.originator !


!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!


!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!


!

Thread hash(s)!!


# 134.96.7.179 !

s = c.originator !


!

Thread hash(s)!!


# 131.159.15.49 !

s = c.originator !

!


!

Thread hash(s)!!


# 192.150.187.12!

s = c.originator !

!


!


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

30


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

attempts_1

attempts_2

attempts_3


!!


!

s = c.originator !

! ++attempts[s]!

!!


# 192.150.187.12!

s = c.originator !

! ++attempts[s]!

Thread 1!!


# 134.96.7.179 !

s = c.originator !

! ++attempts[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts[s]!

!

Thread 1!!


# 134.96.7.179 !

s = c.originator!

!

++attempts_1[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts_3[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts_2[s]!

!

hash(addr)1

1

2

2

3

3

hash: addr -> {1, 2 ,3}

Thread 1!!


# 134.96.7.179 !

s = c.originator !


!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!


!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!


!

Thread hash(s)!!


# 134.96.7.179 !

s = c.originator !


!

Thread hash(s)!!


# 131.159.15.49 !

s = c.originator !

!


!

Thread hash(s)!!


# 192.150.187.12!

s = c.originator !

!


!


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

30


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

Thread 1’s attempts




!!


!

s = c.originator !

! ++attempts[s]!

!!


# 192.150.187.12!

s = c.originator !

! ++attempts[s]!

Thread 1!!


# 134.96.7.179 !

s = c.originator !

! ++attempts[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts[s]!

!

Thread 1!!


# 134.96.7.179 !

s = c.originator!

!

++attempts_1[s]!

!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!

++attempts_3[s]!

!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!

++attempts_2[s]!

!

hash(addr)1

1

2

2

3

3

hash: addr -> {1, 2 ,3}

Thread 1!!


# 134.96.7.179 !

s = c.originator !


!

Thread 3!!


# 131.159.15.49 !

s = c.originator !

!


!

Thread 2!!


# 192.150.187.12!

s = c.originator !

!


!

Thread hash(s)!!


# 134.96.7.179 !

s = c.originator !


!

Thread hash(s)!!


# 131.159.15.49 !

s = c.originator !

!


!

Thread hash(s)!!


# 192.150.187.12!

s = c.originator !

!


!

Thread hash(s)!!


# 134.96.7.179 !

s = c.originator !

! ++attempts[s]!

!

Thread hash(s)!!


# 131.159.15.49 !

s = c.originator !

!

++attempts[s]!

!

Thread hash(s)!!


# 192.150.187.12!

s = c.originator !

!

++attempts[s]!

!


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

30


addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1

addr count131.234.142.33 12

134.96.7.179 32

141.142.192.147 71

192.150.187.12 8

128.3.41.105 555

131.159.15.49 1





Parallel Event Scheduling

31



31

Thread!1

Thread!2

Thread!3

Thread!4 … Thread!

n

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue



31

Thread!1

Thread!2

Thread!3


n

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

conn_rejected

Orig A



31

Thread!1

Thread!2

Thread!3


n

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

conn_rejected

Orig A

conn_rejected

Orig A



31

Thread!1

Thread!2

Thread!3


n

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

conn_rejected

Orig A

conn_rejected

Orig B

conn_rejected

Orig A



31

Thread!1

Thread!2

Thread!3


n

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

conn_rejected

Orig A

conn_rejected

Orig B

http_request

Conn X

conn_rejected

Orig A



31

Thread!1

Thread!2

Thread!3


n

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

conn_rejected

Orig A

conn_rejected

Orig B

http_request

Conn X

http_request

Conn Y

conn_rejected

Orig A



31

Thread!1

Thread!2

Thread!3


n

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

conn_rejected

Orig A

conn_rejected

Orig B

http_request

Conn X

http_reply

Conn

http_request

Conn Y

conn_rejected

Orig A



31

Thread!1

Thread!2

Thread!3


n

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

conn_rejected

Orig A

conn_rejected

Orig B

http_request

Conn X

http_reply

Conn

http_request

Conn Y

http_reply

Conn Y

conn_rejected

Orig A



31

Thread!1

Thread!2

Thread!3


n

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

conn_rejected

Orig A

conn_rejected

Orig B

http_request

Conn X

http_reply

Conn

http_request

Conn Y

http_reply

Conn Y

conn_rejected

Orig A

conn_rejected

Orig A



31

Thread!1

Thread!2

Thread!3


n

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

Que

ue

conn_rejected

Orig A

conn_rejected

Orig B

http_request

Conn X

http_reply

Conn

http_request

Conn Y

http_reply

Conn Y

conn_rejected

Orig A

conn_rejected

Orig A

Challenge: Implementing this …


New Platform: Abstract Machine

32

A High-Level Intermediary Language for Traffic Inspection


New Platform: Abstract Machine

32

First-class networking types

built-in

Containers with state management

support

Platform for building high-level, reusable

functionality onDomain-specific

concurrency modelWell-defined,

contained execution environment

Domain-specific Data Types

Robust/Secure Execution

Concurrent Analysis

High-level Standard

Components

State Management

Timers can drive execution

Real-time Performance

Support for incremental processing

Extensive optimization

potential

Scalability through parallelization

Static type-system, and robust error

handlingCompilation to

native code

A High-Level Intermediary Language for Traffic Inspection


Summary

33


Conclusions

Threats have changed.!Detection requires deep, flexible, semantic analysis.!

Working to push the limits. !Leverage capabilities of modern network hardware.!Exploit parallelism inherent in network traffic analysis.!

Bro is an ideal platform for such work.!Operationally deployed across the country.!Bridges traditional gap between academia and operations. !

34


Robin Sommer!International Computer Science Institute, &!

Lawrence Berkeley National Laboratory

[email protected] http://www.icir.org/robin

Thanks for you attention!

35

mailto:[email protected]

network security today: finding complex attacks at 100gb/s · sabotage. network security today...

Documents