The Internet Motion Sensor


Published on October 7, 2007

Author: Arley33

Source: authorstream.com

The Internet Motion Sensor: A Distributed Blackhole Monitoring System
Presented by: Arun Krishnamurthy
Authors: Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, David Watson. 12th Annual Network and Distributed System Security Symposium (NDSS'05)

Presentation Outline
- The Threat Problem: why the Internet Motion Sensor (IMS) was created.
- Introduction to IMS: what is it? What is it supposed to do? What are the components?
- Observations: what nasty stuff did IMS find?
- My comments and conclusion: what rocked? What sucked? Suggestions for improvement?

The Threat Problem
A network that is always connected is highly vulnerable to threats.
Threat properties:
- Globally scoped.
- Can have no patches or fixes.
- Evolutionary.
- Can spread through the entire network within minutes.

The Threat Problem (continued)
Promising method to investigate threats: monitor unused or dark address space.
Issues:
- Sensor coverage: visibility of the system into Internet threats.
- Service emulation: what services to emulate, and at what level to emulate them?

The Internet Motion Sensor (What is it?)
Definition: a globally scoped Internet monitoring system whose objective is to measure, characterize, and track threats.
Goals:
- Maintain a level of interactivity that can differentiate traffic on the same service.
- Provide visibility into Internet threats beyond address, geographical, and operational boundaries.
- Enable characterization of emerging threats while minimizing incremental effort.

The Internet Motion Sensor (Architecture – Basic Idea)
Consists of a set of distributed blackhole sensors, each monitoring a dedicated range of unused IP address space.
Blackhole sensors contain a passive and an active component.
- Passive component: records packets sent to the sensor's address space.
- Active component: responds to specific packets to elicit more data from the source; designed to extract the first payload of data across the major protocols.

The Internet Motion Sensor (Architecture – Diagram)
(Diagram slide; no text.)

The Internet Motion Sensor (Architecture – Main Components)
- Distributed blackhole network: used to increase visibility into global threats.
- Lightweight active responder: provides enough interactivity that traffic on the same service can be differentiated independent of application semantics.
- Payload signatures and caching: used to avoid recording duplicate payloads.

The Internet Motion Sensor (Distributed Blackhole Network)
A large distributed sensor network built from address blocks of many sizes that are scattered throughout the network.
Using Moore's telescope analogy, blocks of larger sizes have broader detection coverage.
Different sensors observe different magnitudes and types of traffic.
(Diagram: /16 address sensor versus /8 address sensor.)

The Internet Motion Sensor (Lightweight Responder)
Main responsibility is to elicit payloads for TCP connections.
Two key contributions:
- Ability to elicit payloads to differentiate traffic.
- Ability to get responses across ports without application semantic information.

The Internet Motion Sensor (Lightweight Responder – Other Characteristics)
- Differentiates services: by using payload signatures, IMS can identify the presence of new worms even in extremely noisy conditions.
- Service agnostic: enables insight into less popular services. Example: backdoor ports on existing worms.
- One limitation: IMS provides little or no information on threats that depend on application-level responses.

The Internet Motion Sensor (Payload Signatures and Caching)
Basic idea: compute the MD5 checksum of the payload.
- If the checksum is found in the cache, log only the signature (do NOT store the payload).
- Else, store both the payload and the signature.
With a 96% cache hit rate, this method saves over 100 GB/day per address sensor!!!

The Internet Motion Sensor (Payload Signatures and Caching Example)
Three slides showing a payload arriving at the blackhole sensor and its MD5 signature being computed. Signatures shown, in order: 9e107d9d372bb6826bd81d3542bt569g (signature + payload), e56d4cd98f00b204e9800998ecf8427e (signature + payload), and 9e107d9d372bb6826bd81d3542bt569g again (a repeat of the first, illustrating a cache hit).

The Internet Motion Sensor (Observations)
An IMS prototype developed at the University of Michigan consisted of 28 address sensors at 18 physical locations.
Three kinds of events captured:
- Internet worms
- Scanning
- Distributed denial of service (DDoS) attacks

The Internet Motion Sensor (Internet Worms)
IMS detection of various behaviors from worms:
- Worm virulence: how much traffic resulted from the worm? What routers/paths got congested?
- Worm demographics: number of hosts infected? Operating system and other information about the hosts?
- Worm propagation: how does the worm select its next target?
- Community response: which organizations reacted the fastest? Who is still infected?

The Internet Motion Sensor (The Blaster Worm)
Description: affected Windows 2000/XP systems running DCOM RPC services and used a buffer overflow attack to run code on the target machine.
In a 7-day period, IMS detected 3 phases:
- 1st phase: growth
- 2nd phase: decay
- 3rd phase: persistence

The Internet Motion Sensor (The Blaster Worm – Phases Diagram)
(Diagram slide; no text.)

The Internet Motion Sensor (The Blaster Worm, continued)
Other observation: the Blaster worm sends an exploit on TCP port 135, then follows with some commands on TCP port 4444.
Conclusion from the Blaster worm observations: IMS provides data that can differentiate between different variants of worms. Passive blackhole sensors cannot do that!

The Internet Motion Sensor (Blaster Worm Captured)
(Three packet-capture slides; no text.)

The Internet Motion Sensor (Scanning)
Attackers scan for vulnerable services to exploit them.
Beagle and MyDoom worms: SMTP worms that began spreading in 2004. They listen on port 2745 (Beagle) and port 3127 (MyDoom) for backdoors to load malicious software.
Conclusion from observations: the lightweight responder allowed IMS to detect the backdoor ports. Since both worms have variants, having the responder made it less time consuming than creating handcrafted service modules for each variant.

The Internet Motion Sensor (Beagle and MyDoom Scanning Activity Chart)
(Chart slide; no text.)

The Internet Motion Sensor (Distributed Denial of Service)
These attacks rely on many end hosts to consume network resources.
The SCO Group attack: attacked www.sco.com on December 10, 2003. Attacked 3 web servers, an FTP server, and an SMTP server.
Since the attackers used spoofed IP addresses, IMS was able to observe some backscatter from these attacks.
Conclusion from observation: showed the need for address diversity (having different blocks of many sizes).

The Internet Motion Sensor (Backscatter Diagram from SCO Attack)
(Diagram slide; no text.)

The Internet Motion Sensor (Strengths)
- IMS' variety of address blocks allows it to find various worms that passive sensors cannot detect.
- The payload signature and caching system can save over 100 GB of memory per sensor per day!

The Internet Motion Sensor (Weaknesses)
- Provides little or no information on threats that depend on application-level responses. NetBIOS services require an RPC bind() before being able to do an RPC request(). IMS can detect the RPC bind(), but not the RPC request(), since no application-level response was sent.
- Requires a relatively powerful machine: an x86 machine with at least 1 GB RAM [1].
[1] From the Internet Motion Sensor FAQ site: http://ims.eecs.umich.edu/faq/index.html

The Internet Motion Sensor (Suggestions for Improvement)
- Find a way to get information on threats that depend on application-level responses.
- Get IMS to fully learn the behavior of worms so it can automatically develop patches.

The Internet Motion Sensor (Conclusion)
The IMS uses a variety of blackhole sensors of various sizes to track, characterize, and measure threats.
It can detect various types of threats that passive sensors can't detect!
It would be great to run if you have a relatively powerful computer!
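The payload signature cache described in the slides, written out as an added example (not code from the presentation or from the IMS project): each elicited payload is keyed by its MD5 checksum, a hit logs only the signature, a miss stores signature and payload, and the per-port set of distinct signatures is what lets traffic on the same service (for example worm variants on port 135) be told apart. The sample traffic and the SensorStore/run_sample names are constructed for this illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class SensorStore:
    """Payload signature cache as described for IMS: payloads are keyed by
    their MD5 checksum; a hit logs only the signature, a miss stores both."""
    payloads: dict = field(default_factory=dict)  # md5 hex -> raw payload
    log: list = field(default_factory=list)       # (dst_port, md5 hex) per packet
    hits: int = 0
    misses: int = 0
    bytes_saved: int = 0                          # payload bytes not written on hits

    def record(self, dst_port: int, payload: bytes) -> bool:
        """Process one elicited payload; return True on a cache hit."""
        sig = hashlib.md5(payload).hexdigest()
        self.log.append((dst_port, sig))          # signature is always logged
        if sig in self.payloads:
            self.hits += 1
            self.bytes_saved += len(payload)      # payload itself is NOT stored again
            return True
        self.misses += 1
        self.payloads[sig] = payload              # first sighting: keep the bytes
        return False

    def hit_rate(self) -> float:
        total = self.hits + self.misses
        return self.hits / total if total else 0.0

    def signatures_by_port(self) -> dict:
        """Distinct signatures per destination port: the view that separates
        different payloads (e.g. worm variants) arriving on the same service."""
        seen = {}
        for port, sig in self.log:
            seen.setdefault(port, set()).add(sig)
        return seen


def run_sample() -> SensorStore:
    """Constructed traffic: payload A hits port 135 three times and port 4444
    once; payload B hits port 135 once. Expect 3 hits, 2 misses, hit rate 0.6."""
    a = b"exploit-like payload A (constructed)"
    b = b"payload B (constructed)"
    store = SensorStore()
    for port, payload in [(135, a), (135, a), (135, b), (4444, a), (135, a)]:
        store.record(port, payload)
    return store
```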
