Systems Seminar - CSE

Toward Distributed Intrusion Detection

Paul Barford

Network intrusions have been a fact of life in the Internet for many years and continue to present serious challenges for network researchers and operators alike. In the first part of this talk, we will describe and demonstrate the capabilities of our DOMINO (Distributed Overlay for Monitoring InterNet Outbreaks) system for distributed intrusion data sharing. DOMINO's design is based on data sharing between a trusted set of core systems, each of which maintains an independent hierarchy of sensor nodes. We evaluate the effectiveness of DOMINO using a set of firewall logs collected from 1600 networks worldwide, and demonstrate significant marginal benefits from distributed, coordinated intrusion data sharing. Through a retrospective analysis of the 2002 SQL-Snake and 2003 SQL-Slammer epidemics, we highlight how information exchange through DOMINO would reduce reaction time and false alarm rates during outbreaks.

An important component in DOMINO is the monitoring of unused (routed but without an end host) address space. In the second part of this talk, we describe the design of our Internet Sink (iSink) systems for unused address space monitoring. iSink is a highly scalable system that includes both passive packet capture capability and a set of active responders that enable details of exploits to be captured. We provide results from our prototype system that has been deployed on several large blocks of address space for some time. Our results illustrate the variability in the traffic on unused IP addresses and the feasibility of efficient classification and discrimination of attack types.
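The two ideas above, per-site sensors summarizing what arrives at unused addresses and a core node correlating those summaries across trusted sites, can be sketched in a few dozen lines. The following is an added example written for this page; it is not DOMINO or iSink code, and the log format, site names (`siteA`, `siteB`, `siteC`) and addresses are constructed. It shows why cross-site correlation lowers false alarms: a single site cannot tell a lone noisy host from a source that is probing many networks, while the core node can rank sources and destination ports by how many independent sites report them (1434/udp, the port SQL-Slammer spread on, is used as the constructed outbreak signal).

```python
"""Darknet sensor summaries plus cross-site correlation (added example, not DOMINO/iSink code)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Constructed log lines, not real data. Format: site epoch src dst proto dport.
# Every destination is an unused address, so all of this traffic is unsolicited.
SAMPLE_LOGS = """\
siteA 1000 198.51.100.7 192.0.2.10 udp 1434
siteA 1001 198.51.100.7 192.0.2.11 udp 1434
siteA 1002 203.0.113.9 192.0.2.12 tcp 445
siteB 1000 198.51.100.7 192.0.2.130 udp 1434
siteB 1003 198.51.100.8 192.0.2.131 tcp 80
siteC 1001 198.51.100.7 192.0.2.200 udp 1434
siteC 1002 198.51.100.50 192.0.2.201 icmp 0
"""


@dataclass(frozen=True)
class Probe:
    site: str
    ts: int
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line: str) -> Probe:
    """Parse one constructed log line into a Probe record."""
    site, ts, src, dst, proto, dport = line.split()
    return Probe(site, int(ts), src, dst, proto, int(dport))


def classify_probe(p: Probe) -> str:
    """Coarse traffic class for a packet that hit an unused address (illustrative labels)."""
    return {"icmp": "icmp-sweep", "udp": "udp-probe", "tcp": "tcp-connect"}.get(p.proto, "other")


@dataclass
class SiteSummary:
    """What one sensor hierarchy would forward to its core node: counts, not raw packets."""
    site: str
    sources: Counter = field(default_factory=Counter)   # src address -> packets seen
    services: Counter = field(default_factory=Counter)  # (proto, dport) -> packets seen
    classes: Counter = field(default_factory=Counter)   # traffic class -> packets seen


def summarize_sites(probes: Iterable[Probe]) -> Dict[str, SiteSummary]:
    """Build one SiteSummary per site from the parsed probes."""
    summaries: Dict[str, SiteSummary] = {}
    for p in probes:
        s = summaries.setdefault(p.site, SiteSummary(p.site))
        s.sources[p.src] += 1
        s.services[(p.proto, p.dport)] += 1
        s.classes[classify_probe(p)] += 1
    return summaries


def local_alerts(summary: SiteSummary, min_packets: int = 1) -> List[str]:
    """What a site alerts on by itself: every source at or above a packet threshold."""
    return sorted(src for src, n in summary.sources.items() if n >= min_packets)


def correlate(summaries: Dict[str, SiteSummary]
              ) -> Tuple[Dict[str, Set[str]], Dict[Tuple[str, int], Set[str]]]:
    """Core-node view: which sites reported each source and each (proto, dport)."""
    by_src: Dict[str, Set[str]] = {}
    by_svc: Dict[Tuple[str, int], Set[str]] = {}
    for s in summaries.values():
        for src in s.sources:
            by_src.setdefault(src, set()).add(s.site)
        for svc in s.services:
            by_svc.setdefault(svc, set()).add(s.site)
    return by_src, by_svc


def shared_sources(summaries: Dict[str, SiteSummary], min_sites: int = 2) -> List[str]:
    """Sources seen by at least min_sites independent sites: far less likely to be local noise."""
    by_src, _ = correlate(summaries)
    return sorted(src for src, sites in by_src.items() if len(sites) >= min_sites)


def outbreak_candidates(summaries: Dict[str, SiteSummary], min_sites: int = 2) -> List[Tuple[str, int]]:
    """Destination services hit at multiple sites at once, the signature of a spreading worm."""
    _, by_svc = correlate(summaries)
    return sorted(svc for svc, sites in by_svc.items() if len(sites) >= min_sites)


if __name__ == "__main__":
    summaries = summarize_sites(parse_line(l) for l in SAMPLE_LOGS.splitlines())
    print("siteA alone would alert on:", local_alerts(summaries["siteA"]))
    print("sources confirmed by >=2 sites:", shared_sources(summaries))
    print("services probed at >=2 sites:", outbreak_candidates(summaries))
```

Run as is, siteA by itself flags both of its sources, but only `198.51.100.7` survives correlation, and `("udp", 1434)` stands out as the one service being probed across all three sites. Raising `min_sites` is the knob that trades detection latency for false-alarm rate; sharing counts rather than packets keeps what crosses site boundaries small.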

Paul Barford received his BS in electrical engineering from the University of Illinois at Champaign-Urbana in 1985, and his Ph.D. in Computer Science from Boston University in 2001. He is an assistant professor of computer science at the University of Wisconsin at Madison. He is the founder and director of the Wisconsin Advanced Internet Laboratory, and his research interests are in the design, measurement, and modeling of wide area networked systems and network protocols.
