the dynamics and control of internet attacks
play

The Dynamics and Control of Internet Attacks James G. Garnett Liz - PowerPoint PPT Presentation

Sep 23, 2022 •8 likes •358 views

The Dynamics and Control of Internet Attacks James G. Garnett Liz Bradley University of Colorado Department of Computer Science (JGG now at Secure64) 1 Internet fundamentals, part I Design assumes that users are good citizens and that

  1. The Dynamics and Control of Internet Attacks James G. Garnett Liz Bradley University of Colorado Department of Computer Science (JGG now at Secure64) 1

  2. Internet fundamentals, part I • Design assumes that users are good citizens and that hosts don’t move around • No screening, address verification, … • Source of many current woes 2

  3. “Malware” • popups • spam • worms, viruses • botnets • spoofing • sniffers • direct attacks • denial-of-service (DoS) attacks • … 3

  4. Solutions • popups: good browser design & hygiene • spam: spam filters • worms, viruses: anti-virus software • botnets: anti-virus software • spoofing: authentication • sniffers: cryptography, anti-virus software • direct attacks: firewalls • denial-of-service (DoS) attacks: this talk 4

  5. Internet fundamentals, part II: • Design assumes that data can get lost • So retransmission is built into its protocols • Which means that it’s OK to drop resource requests • The trick is to drop as few of them as possible to keep the resource unclogged. 5

  6. Internet fundamentals, part III: • The “black hats” observe the defenses and adapt • Rapid co-evolution • So any kind of static response won’t work • Have to respond adaptively… 6

  7. • Build an adaptive stochastic model of resource usage • Use a nonlinear model-reference PID controller to screen resource requests 7

  8. What computer systems typically do to handle overload: • Set hard limits (e.g., drop-tail queue mgmt) • Control average demand • Use ad hoc linear proportional closed-loop controllers (at best) 8

  9. The model: Birth/Death Markov chain 1-p-q 1-p-q p p q p 0 1 n-1 n q q • Well known, widely used, and broadly applicable • State ranges from 0 to n • Edges denote possible state transitions • Edges are annotated with transition probabilities 9

  10. Stationary distributions of the BD chain: Key point: can calculate the distribution shape from p and q 10

  11. What if you wanted a different distribution? Key point: can calculate what p and q would give rise to this shape Control strategy: Calculate desired p, q • Estimate actual p, q • 11 Gatekeep on the difference •

  12. Controller architecture: 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 12 Serviced Resource Requests

  13. System under control 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 13 Serviced Resource Requests

  14. Reference distribution: Q(i) 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 14 Serviced Resource Requests

  15. Q(i): The control goal specification 15

  16. Reference distribution: Q(i) 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 16 Serviced Resource Requests

  17. Calculate transition ratios: Q(i+1)/Q(i) 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 17 Serviced Resource Requests

  18. Estimate transition probabilities: Incoming Resource 1.00 – p d /p in Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 18 Serviced Resource Requests

  19. Calculate desired p d and drop resource requests accordingly: 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 19 Serviced Resource Requests

  20. Model-reference feedback control loop: Model 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Controller Filter Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 20 Serviced Resource Requests

  21. What if R( β -1) is incorrect? QoS spec 21

  22. That second feedback loop adjusts it: 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 22 Serviced Resource Requests

  23. Nonlinear transform accelerates convergence: 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 23 Serviced Resource Requests

  24. Denial of Service (DoS) example: Attacker Victim Bystander 1 2 • identical unix machines • 10 Mb/sec networks • NB: single s/w manager in victim handles all incoming traffic 24

  25. Without control: Attacker Victim Bystander 1 2 96.9% packet loss 97.0% packet loss 25

  26. With control: Attacker Victim Bystander 1 2 93.4% loss 0.0% loss 26

  27. Results: • It works. • It converges fairly quickly (1-3 sec in our tests). • It’s lightweight: – Small amount of code (~100 lines of C) – Low computational and memory overhead • |Q| subtracts are primary computational load; runs in µ sec • 128 bytes per controller for state information – Advantages of RED, without RED’s disadvantages (this is the IETF’s standard for congestion control) 27

  28. Half a dozen equations, really… 1.00 – p d /p in Resource Requests Resource Π Manager p in p d Admission Desired Request Input Empirical Distribution Filter Controller Calculator β q Service Filter Ratio Reference Distribution Table β β− 1 R( β ) n Nonlinear Σ PID Controller Transform ε n-1 n 28 Serviced Resource Requests

  29. How you implement this: Resource existing incoming manager requests s/w slots 29

  30. Conclusions: • It works. • It converges fairly quickly (1-3 sec in our tests). • It’s lightweight: – Small amount of code (~100 lines of C) – Low computational and memory overhead • |Q| subtracts are primary computational load; runs in µ sec • 128 bytes per controller for state information – Advantages of RED, without RED’s disadvantages • It’s broadly applicable (any system that can be modeled by a G/G/1 queue) • And it has been already been deployed in practice… 30

  31. Commercialization… • Patent filing (6/26/2004) • Secure64 Wildfire/CE 2 (12/1/2004) • And then shot down. JGG’s thesis proposal was circulated to other students by a committee member, which constituted “prior disclosure” and kills a patent. (You have one year from the first disclosure to file it.) Moral: be careful with your ideas if you’re thinking of patenting them — keep dated, initialed notebooks, don’t share ideas until you’re ready to patent, etc. www.cs.colorado.edu/~lizb/papers/dos.html 31

  32. On the stove: Nonlinear dynamics Nonlinear dynamics • Modeling & control of internet attacks • Nonlinear time-series analysis of computer systems • MEMS-based flow control in jets • Recurrence plots • Computational topology & topology-based filters Artificial intelligence Artificial intelligence • Nonlinear system identification • Radioisotope dating • Movement patterns • Clear-air turbulence forecasting www.cs.colorado.edu/~lizb 32

  33. Collaborators • graduate students: Jenny Abernethy, Matt Easley, James Garnett, John Giardino, Kenny Gruchalla, Joe Iwanski, Zhichun Ma, Ricardo Mantilla, Todd Mytkowicz, Laura Rassbach, Vanessa Robins, Natalie Ross, Reinhard Stolle • postdocs: Tom Peacock (now at MIT) • undergrads: Ellenor Brown, Nate Farrell, Jesse Negretti, John Nord, Alex Renger, Roscoe Schenk, Stephen Schroeder, Evan Sheehan, Josh Stuart (now at UCSC) • faculty: — Jessica Hodgins, Computer Science, CMU — David Capps, Theater & Dance, Hunter College — Jean Hertzberg & YC Lee, Mechanical Engineering, CU — Amer Diwan, Computer Science, CU 33

Recommend

Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Lecture 17 CS 134 Spring 2019 Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) local network collection of IP networks under control of a

643 views • 25 slides
Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet

Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet

CS 134 Winter 2018 Lecture 16 Network Threats & Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) collection of IP networks under control local network of a single

769 views • 54 slides
Overview Network and Server Goal of Security Control Attacks and Penetration Phases of

Overview Network and Server Goal of Security Control Attacks and Penetration Phases of

Overview Network and Server Goal of Security Control Attacks and Penetration Phases of Control Methods of Taking Control Common Points of Attack Multifront Attacks Chapter 12 Auditing to Recognize Attacks Malicious

535 views • 7 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Should the IETF do anything about DDoS attacks? Mark Handley The Problem The Internet

Should the IETF do anything about DDoS attacks? Mark Handley The Problem The Internet

Should the IETF do anything about DDoS attacks? Mark Handley The Problem The Internet architecture was designed to delivery packets to the destination efficiently. Even if the destination does not want them. Congestion control and

391 views • 28 slides
Internet congestion control: TCP Internet congestion control: TCP 1988: "Congestion

Internet congestion control: TCP Internet congestion control: TCP 1988: "Congestion

Internet congestion control: TCP Internet congestion control: TCP 1988: "Congestion Avoidance and Control" (Jacobson/Karels) Combined congestion/flow control for TCP Goal: stability - in equilibrum, no packet is sent into the

482 views • 24 slides
Internet Resiliency to Attacks and Failures under BGP Policy Routing D. Dolev, S. Jamin, O.

Internet Resiliency to Attacks and Failures under BGP Policy Routing D. Dolev, S. Jamin, O.

Internet Resiliency to Attacks and Failures under BGP Policy Routing D. Dolev, S. Jamin, O. Morkyn, Y. Shavitt Presenter: Shiva Kasiviswanathan Pennsylvania State University University Park Internet Resiliency to Attacks and Failures under BGP

920 views • 61 slides
Internet Congestion Control Research Group Mark Handley UCL Congestion Control The Internet

Internet Congestion Control Research Group Mark Handley UCL Congestion Control The Internet

Internet Congestion Control Research Group Mark Handley UCL Congestion Control The Internet only functions because TCPs congestion control does an effective job of matching traffic demand to available capacity. TCPs Window Time

628 views • 14 slides
Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2

Practical Aspects of Security Prof. Michael Backes Control Hijacking Attacks C t lin Hri cu May 15, 2009 1 Substituting Prof. Backes 2 Control hijacking attacks Attackers goal: Take over target machine (e.g. web server)

921 views • 57 slides
A study of denial of service attacks on the Internet David J. Marchette marchettedj@nswc.navy.mil

A study of denial of service attacks on the Internet David J. Marchette marchettedj@nswc.navy.mil

A study of denial of service attacks on the Internet David J. Marchette marchettedj@nswc.navy.mil Naval Surface Warfare Center Code B10 < > - + A study of denial of service attacks on the Internet p.1/39 Outline Background

761 views • 54 slides
Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on Third-Party Software Jeffrey Knockel, Jedidiah Crandall Computer Science Department University of New Mexico Recent News Iran: forged SSL

569 views • 27 slides
ICMP attacks against TCP Fernando Gont UTN/FRH, OpenBSD Project FIRST Technical Colloquium

ICMP attacks against TCP Fernando Gont UTN/FRH, OpenBSD Project FIRST Technical Colloquium

ICMP attacks against TCP Fernando Gont UTN/FRH, OpenBSD Project FIRST Technical Colloquium Buenos Aires, Argentina, October 5 th -7 th , 2005 Fault Isolation in the Internet Architecture The Internet Architecture relies on the Internet

484 views • 16 slides
Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
Out of Control: Stealthy Attacks on Robotic Vehicles Protected by Control-Based Techniques Pritam

Out of Control: Stealthy Attacks on Robotic Vehicles Protected by Control-Based Techniques Pritam

Out of Control: Stealthy Attacks on Robotic Vehicles Protected by Control-Based Techniques Pritam Dash, Mehdi Karimi, and Karthik Pattabiraman University of British Columbia, Vancouver, Canada 1 Robotic Vehicle (RV) in Industrial Sector

441 views • 23 slides
Attacks on routing: IP hijacks How Internet number resources are managed

Attacks on routing: IP hijacks How Internet number resources are managed

Attacks on routing: IP hijacks How Internet number resources are managed IANA ARIN LACNIC APNIC RIPE NCC AfriNIC ISP #1 ISP NIC.br NIC.MX LIRs/ISPs

919 views • 40 slides
Perspective on Internet Congestion Control by Nathan Jay *, Noga H. Rotman*, Brighten Godfrey,

Perspective on Internet Congestion Control by Nathan Jay *, Noga H. Rotman*, Brighten Godfrey,

A Deep Reinforcement Learning Perspective on Internet Congestion Control by Nathan Jay *, Noga H. Rotman*, Brighten Godfrey, Michael Schapira, and Aviv Tamar *Equal contribution Internet Congestion Control The Internet (maybe?) End Host

480 views • 28 slides
End-to-end principle by Dave Clark Hop-by-hop control vs. End-to-end control In X.25

End-to-end principle by Dave Clark Hop-by-hop control vs. End-to-end control In X.25

Introduction to routing in the Internet Internet architecture IPv4, ICMP, ARP Addressing, routing principles (Chapters 23 in Huitema) Internet-1 S-38.2121 / Fall-06 / RKa, NB Internet Architecture Principles End-to-end principle by Dave

669 views • 23 slides
PEPA models of Internet worm attacks Jane Hillston. LFCS, University of Edinburgh 8th September

PEPA models of Internet worm attacks Jane Hillston. LFCS, University of Edinburgh 8th September

Introduction Internet worm models Continuous Approximation Quantified analysis Conclusions PEPA models of Internet worm attacks Jane Hillston. LFCS, University of Edinburgh 8th September 2005 Joint work with Jeremy Bradley and Stephen

1.34k views • 98 slides
WIDE updates Kenjiro Cho IIJ/WIDE Project August 1, 2012 Understanding Internet Dynamics from a

WIDE updates Kenjiro Cho IIJ/WIDE Project August 1, 2012 Understanding Internet Dynamics from a

WIDE updates Kenjiro Cho IIJ/WIDE Project August 1, 2012 Understanding Internet Dynamics from a Global View the Internet is an evolving open system no central point, no typical network or user complexity everywhere: topology, usage

608 views • 13 slides
Data-Oriented Programming On the Expressiveness of Non-Control Data Attacks Hong Hu , Shweta

Data-Oriented Programming On the Expressiveness of Non-Control Data Attacks Hong Hu , Shweta

Data-Oriented Programming On the Expressiveness of Non-Control Data Attacks Hong Hu , Shweta Shinde, Sendroiu Adrian, Zheng Leong Chua, Prateek Saxena, Zhenkai Liang Department of Computer Science National University of Singapore Control

1.32k views • 103 slides
Attacks on Pay-TV Access Control Systems Markus G. Kuhn Computer Laboratory Generations of

Attacks on Pay-TV Access Control Systems Markus G. Kuhn Computer Laboratory Generations of

Attacks on Pay-TV Access Control Systems Markus G. Kuhn Computer Laboratory Generations of Pay-TV Access Control Systems Analog Systems remove sync information, try to confuse gain-control in receiver, etc. cryptography is not essential part

463 views • 14 slides
12 Networked Control Systems: a Discrete-time Approach Nathan van de Wouw Dynamics and Control

12 Networked Control Systems: a Discrete-time Approach Nathan van de Wouw Dynamics and Control

12 Networked Control Systems: a Discrete-time Approach Nathan van de Wouw Dynamics and Control Group, Department of Mechanical Engineering, Eindhoven University of Technology, the Netherlands Universit Catholique de Louvain, October 5th,

1.42k views • 47 slides
Attacks Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and

Attacks Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Attacks Trent Jaeger Systems and Internet Infrastructure Security

534 views • 18 slides
Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background

Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background

Network Forensics and Next Generation Internet Attacks Moderated by: Moheeb Rajab Background singers: Jay and Fabian 1 Agenda Questions and Critique of Timezones paper Extensions Network Monitoring (recap) Post-Mortem Analysis

666 views • 40 slides

More recommend