Skip to main content

Distributed Security Monitoring System for Survivable Networks

Researcher: Hyong Kim

Research Area: Survivable Distributed Systems


Distributed Security Monitoring System for Survivable Networks Based on Network Tomography

The network management system consists of monitoring and configuration functions.  The monitoring capability ranges from high quality telephone networks to unstructured and unregulated Internet.  Monitoring minute details of each call time, location, and duration in telephone networks contrasts with that of the Internet where a simple mapping of the network is a challenge due to diverse ownership and heterogeneous infrastructure.  Many networks are joined by peering points in the Internet and details of these networks are hidden from each other except for generalized routing information via BGP.  The heterogeneous and unregulated infrastructure of the Internet makes monitoring of service provisioning, service-level monitoring and verification, and detection of anomaly or malicious behavior increasingly difficult and challenging.  In order to provide a survivable network infrastructure in the presence of failures and malicious attacks, two functions are required: an intelligent detection of anomaly or malicious behavior and a mechanism to isolate the problem sources from the rest of network. 

Currently proposed network monitoring systems assume the complete knowledge and access to network elements such as switches and routers.  However, the Internet consists of many unstructured and heterogeneous sub-networks and they are not easily accessible and visible to the network operators who do not own them.  Thus, it is difficult to protect the network against malicious attacks from invisible network elements.  Even a simple tracing of the problem elements could be challenging.  Many sources of malicious attacks could be hidden from the network operator who does not have the control over them.

In this work, we plan to develop a distributed security monitoring system for the Internet where not all network elements are visible and accessible.  We focus on the monitoring and detection of anomaly in the Internet.  Distributed monitoring and inference techniques will be used to detect and identify the problems arising from malicious attacks and network failures.  In the research area of signal processing, there have been numerous studies to solve “inverse problem” where a system is identified in which key aspects of the system are not directly observable (i.e. Internet).  The tomographic reconstruction of anatomical images from MRI equipment is a well known example of “inverse problem”.  The internal organs are reconstructed through processing of the differences in the effects on the passage of the energy waves generated by multiple arrays of sensors impinging on these objects.  Recently there have been efforts in extracting the network performance metrics such as delay and throughput by applying tomographic technique on the networks.  Multiple edge nodes in the unknown network infrastructure actively send the probe packets throughout the network.  Then the statistics and the behavior of such probes are analyzed to identify the network topology and to estimate its performance metrics using the presumed basic network model.  Effective use of probe packets could give fairly accurate delay estimates for certain network topologies.

We propose to develop a distributed security monitoring system for detecting network anomaly and malicious attacks using the network tomography concept.  Prior works in network tomography focus on the measurement of the network performance while we focus on detecting the network anomaly.  Unlike the prior works that assume complete ignorance of the network information, we assume that we have islands of networks in the Internet that are visible and accessible.  We assume that network providers or operators have their islands of networks that are accessible in terms of providing more detailed information of each network nodes via SNMP, for example.  There will be blind spots that interconnect such islands of known networks.  Thus, our approach assumes that more information is available and they should help us in identifying the network anomaly.  At the same time, we do not assume the complete knowledge of the network elements.  The proposed plan consists of the following tasks.

  • Network tomography based DDOS attack model:  The key parameters for tomographic model of DDOS will be identified and mapped for our “inverse problem”.  The number of flows will be used as one of the parameters.  The degree of flow connectivity from the originating node to the receiving nodes will be another parameter of interest.  We plan to investigate several network topology scenarios to construct DDOS behavior based on the network tomography model.  We also plan to estimate network performance metrics and correlate them to malicious attacks and to legitimate user traffic to further identification and tomography model.
  • Two measurement methods for the probe packets will be investigated: unicast probe packets and multicast probe packets.  In the unicast probe model, each monitoring node sends a single probe packet to rest of the monitoring nodes.  The probe packet could be a simple packet with modified TTL and timestamps or more sophisticated SNMP commands and responses.  Obviously unicast model increases overhead as there need to be N2 communications among the monitors.  In fact, the unicast model emulates the MRI topography.  We will also investigate the effect of multicast probe packets.  Although the multicast model will result in lower communication overhead, it is not always possible since not all networks allow multicasting.  In addition to a single probe either in unicast or multicast model, a series of probes can be used to obtain additional information.  For instance, the throughput and delay information is much easily obtained if a pair of probes is sent in a fixed time pattern.  Furthermore, by varying the packet length in the pair, one can also obtain additional information on delay and packet loss probability estimates.
  • We consider two modes of probing: active mode and passive mode.  In the active mode, the probe packets contain the response from the remote nodes such as number of flows and buffer occupancy or modified packet headers for inference purposes. In the passive mode, the model parameters are determined solely based on the inference from the arrival behaviors of probe packets.  We plan to use each mode and a mix of both modes for identification and modeling purpose. 
  • Centralized and distributed analysis: We will first use a centralized analysis of collected data for identification.  We then plan to develop a distributed version using the resulting centralized algorithm.  These two algorithms will be studied for their complexity and effectivenes.