1 Yan Chen Northwestern Lab for Internet and Security Technology (LIST) Dept. of Computer Science Northwestern University http:// Adaptive Intrusion Detection and Mitigation Systems for WiMAX Networks Motorola Liaisons Gregory W. Cox, Z. Judy Fu, Philip R. Roberts Motorola Labs

Posted on 19-Dec-2015
TRANSCRIPT

1

Yan Chen
Northwestern Lab for Internet and Security Technology (LIST)
Dept. of Computer Science
Northwestern University
http://list.cs.northwestern.edu

Adaptive Intrusion Detection and Mitigation Systems for WiMAX Networks

Motorola Liaisons: Gregory W. Cox, Z. Judy Fu, Philip R. Roberts
Motorola Labs

2

Battling Hackers is a Growth Industry!

• The past decade has seen an explosion in the concern for the security of information
• Denial of service (DoS) attacks
  – Cost $1.2 billion in 2000
• Viruses and worms faster and more powerful
  – Caused over $28 billion in economic losses in 2003, growing to over $75 billion in economic losses by 2007
  -- Wall Street Journal (11/10/2004)

3

The Current Internet: Connectivity and Processing

[Figure: network diagram. Access networks (LAN, WLAN, cell, cable modem, DSLAM, analog/RAS, H.323 data, PSTN and wireline regional voice; premises-based and operator-based) connect through regional and transit networks, with private peering and public peering at NAPs, into the core networks.]

4

Motivation

• Viruses/worms moving into the wireless world …
  – 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices
• IEEE 802.16 WiMAX networks emerging
  – Predicted multi-billion dollar industry
  – No existing research/product tailored towards 802.16 anomaly/intrusion detection and mitigation
• 802.16 IDS development can potentially lead to a critical gain in market share
  – All major WLAN vendors have integrated IDS into their products
• Strategically important to lead in the WiMAX product portfolio with security & troubleshooting capability
  – Simply buying off-the-shelf IDSes leaves one blind to their limitations

5

Existing Intrusion Detection Systems (IDS) Insufficient

• Mostly host-based and not scalable to high-speed networks
  – Slammer worm infected 75,000 machines in < 10 mins
  – Host-based schemes inefficient and user dependent
    » Have to install IDS on all user machines!
• Mostly signature-based
  – Cannot recognize unknown anomalies/intrusions
  – New viruses/worms, polymorphism

6

Current IDS Insufficient (II)

• Statistical detection
  – Hard to adapt to traffic pattern changes
  – Unscalable for flow-level detection
    » IDS vulnerable to DoS attacks
    » WiMAX, up to 134 Mbps: 10 min of traffic may take 4 GB of memory
  – Overall-traffic based: inaccurate, high false positives
    » Existing high-speed IDSes fall in this category
• Cannot differentiate malicious events from unintentional anomalies
  – Anomalies can be caused by network element faults
  – E.g., signal interference in a wireless network

7

Adaptive Intrusion Detection System for Wireless Networks (WAIDM)

• Online traffic recording and analysis for high-speed WiMAX networks
  – Leverage sketches for data streaming computation
  – Record millions of flows (GB of traffic) in a few kilobytes
• Online flow-level intrusion detection & mitigation
  – Leverage statistical learning theory (SLT) to adaptively learn traffic pattern changes
    » Successfully detected flow-level SYN flooding and various port scans with NU, LBL and Fermi network traces
  – Flow-level mitigation of attacks
  – Combine with 802.16-specific signature-based detection
    » Automatic polymorphic worm signature generation

8

WAIDM Systems (II)

• Anomaly diagnosis for false positive reduction
  – Use statistics from the MIB of the base station to understand the wireless network status
    » E.g., busy vs. idle wireless networks, with different levels of interference, etc.
    » Successfully experimented with 802.11 networks
  – Root cause analysis for diagnosing link failures, routing misconfiguration, etc.
  – Useful for managing and troubleshooting the WiMAX networks

9

WAIDM Deployment

• Attached to a switch connecting BSs as a black box
• Enables the early detection and mitigation of global-scale attacks
• Highly ranked as "powerful and flexible" by the DARPA research agenda

[Figure: (a) Original configuration: Internet, switch/BS controller, 802.16 BSs, users. (b) WAIDM deployed: the WAIDM system is attached to the switch/BS controller through a scan port; the rest of the topology is unchanged.]

10

WAIDM Architecture

[Figure: architecture diagram with the following labelled components]

Part I: Sketch-based monitoring & detection (reversible k-ary sketch monitoring; sketch-based statistical anomaly detection, SSAD; local sketch records sent out for aggregation; remote aggregated sketch records)
Part II: Per-flow monitoring & detection (filtering; per-flow monitoring; signature-based detection; traffic profile checking; statistical detection)
Non-critical path: network fault detection
Data flow labels: streaming packet data; normal flows; suspicious flows; keys of suspicious flows; keys of normal flows; intrusion or anomaly alarms to fusion centers
Legend: data path, control path, modules on the critical path, modules on the non-critical path

11

Intrusion Mitigation

Attacks detected                                | Mitigation
------------------------------------------------|-------------------------------------------------------------
Denial of Service (DoS), e.g., TCP SYN flooding | SYN defender, SYN proxy, or SYN cookie for the victim
Port scans and worms                            | Ingress filtering with the attacker IP
  Vertical port scan                            | Quarantine the victim machine
  Horizontal port scan                          | Monitor traffic with the same port # for compromised machines
Spyware                                         | Warn the end users being spied on

[Figure: grid of port number vs. source IP illustrating horizontal scans (one port across many hosts) and vertical scans (many ports on one host), with the block marked]
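The SYN cookie listed in the table as a mitigation for TCP SYN flooding, as an added example that is not part of the original deck or of any WAIDM code. It shows the stateless handshake the cookie enables: the server encodes a coarse time counter, an MSS index and a keyed hash of the connection 4-tuple into the initial sequence number of its SYN-ACK, creates no per-connection state until the client's ACK returns, and accepts that ACK only if the cookie verifies and is at most one time tick old. The bit layout (5 tick bits, 3 MSS bits, 24 hash bits), the MSS table, the secret, the tick period and all addresses are constructed for the demo.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed MSS table: the cookie has only 3 bits for the MSS, so the server
# rounds the client's MSS down to the nearest entry (index 0..7).
MSS_TABLE = (536, 1300, 1440, 1460)
SECRET = b"constructed-demo-secret"  # random and periodically rotated in practice
COUNTER_PERIOD = 64                  # seconds per time tick; 5 bits -> 32-tick cycle

FourTuple = Tuple[str, str, int, int]  # (saddr, daddr, sport, dport)


def current_tick(now: Optional[float] = None) -> int:
    """Coarse time counter; only its low 5 bits are stored in the cookie."""
    return int(now if now is not None else time.time()) // COUNTER_PERIOD


def _mac24(tup: FourTuple, tick5: int, secret: bytes) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple and the tick."""
    msg = "|".join(map(str, tup)).encode() + bytes([tick5])
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(tup: FourTuple, client_mss: int, tick: int,
                secret: bytes = SECRET) -> int:
    """SYN-ACK initial sequence number: [5 bits tick | 3 bits MSS idx | 24 bits MAC]."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    tick5 = tick & 0x1F
    return (tick5 << 27) | (mss_idx << 24) | _mac24(tup, tick5, secret)


def check_cookie(tup: FourTuple, cookie: int, tick: int,
                 secret: bytes = SECRET) -> Optional[int]:
    """Return the negotiated MSS if the cookie is genuine and at most one tick
    old, else None. The MAC part is compared in constant time."""
    tick5 = (cookie >> 27) & 0x1F
    if (tick - tick5) & 0x1F > 1:          # expired (or claims a future tick)
        return None
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac24(tup, tick5, secret).to_bytes(3, "big")
    if not hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


class SynCookieServer:
    """Server side of the handshake: a SYN creates no state, only a valid ACK
    does, so a SYN flood cannot exhaust the connection table."""

    def __init__(self) -> None:
        self.established: Dict[FourTuple, int] = {}   # 4-tuple -> MSS

    def on_syn(self, tup: FourTuple, client_mss: int, tick: int) -> int:
        return make_cookie(tup, client_mss, tick)     # SYN-ACK sequence number

    def on_ack(self, tup: FourTuple, ack: int, tick: int) -> bool:
        mss = check_cookie(tup, (ack - 1) & 0xFFFFFFFF, tick)  # ACK number = cookie + 1
        if mss is None:
            return False
        self.established[tup] = mss
        return True


def run_demo() -> Tuple[int, int]:
    """Constructed scenario: 10,000 spoofed SYNs, then one legitimate handshake.
    Returns (connections after the flood, connections after the real client)."""
    srv = SynCookieServer()
    tick = 100
    for i in range(10_000):                      # spoofed SYNs never complete
        srv.on_syn((f"203.0.113.{i % 256}", "198.51.100.10", 1024 + i, 80), 1460, tick)
    after_flood = len(srv.established)
    client: FourTuple = ("192.0.2.7", "198.51.100.10", 40000, 80)
    cookie = srv.on_syn(client, 1460, tick)
    srv.on_ack(client, (cookie + 1) & 0xFFFFFFFF, tick + 1)  # ACK arrives one tick later
    return after_flood, len(srv.established)


if __name__ == "__main__":
    print(run_demo())  # (0, 1)
```

The cost of the scheme is visible in the code: TCP options other than a coarse MSS are lost because the only place to carry state is the 32-bit sequence number, and a lost SYN-ACK cannot be retransmitted because nothing remembers it. That is why stacks typically enable cookies only once the backlog fills, which is also the condition a detector such as the one on this slide deck would raise.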

12

Evaluation of Sketch-based Detection

• Evaluated with NU traces (536M flows, 3.5 TB traffic)
• Scalable and efficient
  – For the worst-case traffic, all 40-byte packets:
    » 16 Gbps on a single FPGA board
    » 526 Mbps on a Pentium-IV 2.4 GHz PC
  – Less than 10 MB memory used
• Accurate
  – 19 SYN floodings, 1784 horizontal scans and 29 vertical scans detected in one-day NU traces
  – Validation
    » All floodings and vertical scans, and the top 10 and bottom 10 horizontal scans
    » Both well-known and new worms found (new ones confirmed in DShield)
• Patent filed

13

Research Methodology

Combination of theory, synthetic/real trace-driven simulation, and real-world implementation and deployment