Next: Traffic Modeling Up: Real-Time Intrusion Detection and Previous: Real-Time Intrusion Detection and

   
Introduction

High-performance networks with support for Quality of Service (QoS), such as Asynchronous Transfer Mode (ATM), are increasingly being deployed to support distributed mission-critical computing, at the shipboard level or on a wider scale [1]. For example, ATM technology provides the backbone for various core technology subsystems of the SmartShip program for AEGIS class cruisers [11], such as the integrated condition awareness system, the damage control system, the machinery control system, and the integrated bridge system. The networks used in many of these systems must meet stringent timing and security requirements. In this paper, we report on our project, which aims to provide real-time intrusion detection for these types of networks. By real-time detection, we mean that a solution should detect and suppress network intrusions within very short time periods, say, 100 $\mu$s.

In addition to its high speed, ATM's ability to provide QoS support to users makes it increasingly popular for many such systems. While the QoS of a connection can be characterized by many parameters, for real-time applications bandwidth guarantees and delay bounds are perhaps the most important parts of the QoS specification. Unfortunately, relying on bandwidth or delay guarantees makes such systems very vulnerable to denial-of-service attacks, in addition to traditional intrusions. Indeed, as with other types of networks, potential attacks in an ATM network include the modification of connection and path data in a switch in ways that are beneficial to the attacker. In this way, the attacker would be able to insert, divert, or delete traffic in an unauthorized manner. Although such attacks can be local in nature, they can have a global impact by affecting not only the attacked connections, but other connections as well. For example, localized or intermittent flooding by an intruder can cause the network to violate the QoS requirements of many unrelated connections. This may in turn cause applications to time out, and the effect may range from the invocation of timing recovery actions to total loss of system control. Thus, the damage can be widespread and very serious for a mission-critical system and, hence, must be confined in real time.

Detecting and suppressing flooding by intruders is difficult to achieve effectively at the switch or network level, as the flooding traffic may easily masquerade as "friendly" traffic. Detection approaches therefore often have to rely on end-to-end mechanisms with very long latencies.

During normal operation, connections in networks with support for QoS guarantees need to go through a connection establishment phase. The new connection specifies its QoS requirements along with a characterization of the amount of traffic that it will carry. The admission control component of the system then determines whether enough resources are available to satisfy the requirements of the new connection without violating the guarantees of previously established connections. Once the connection is established, a policing mechanism typically enforces the sender's adherence to the traffic specification defined at establishment time. If an appropriate traffic model is used, and a sufficiently detailed traffic specification is provided at connection setup time, both can be used to accurately profile traffic during the lifetime of the connection. The traffic model should be capable of describing the traffic generated at the source as well as the traffic at an arbitrary point within the network. In an ATM network, traffic belonging to different connections gets repeatedly multiplexed and demultiplexed at the entrance to the network and in the switches. Consequently, the traffic pattern of a connection undergoes several changes as it traverses the network, and the pattern observed inside the network may be substantially different from the pattern at the source. In particular, it differs substantially from the traffic specification provided at connection setup time.

An important contribution of our work is a traffic model that very accurately characterizes traffic flows in a network, and so allows for the definition of accurate traffic descriptors. We will describe in Section 2.2 how we use maximum and minimum traffic functions to define an envelope on the amount of traffic generated by a sender or a set of senders in a distributed application. As we will demonstrate, these functions are powerful enough to describe all types of traffic encountered in time-critical applications, both at the sources and inside the network. At the same time, these mathematical functions are concise and easy to manipulate.
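The two preceding paragraphs describe policing a connection against the traffic specification it declared at setup time, with an envelope given by a maximum traffic function. The following is an added example, not code from the paper; the paper defines its traffic functions in Section 2.2, and the concrete bound used here (cells in any closed interval of length t may not exceed F(t) = min(1 + P t, B + R t), i.e. a peak-rate line capped by a burst-plus-sustained-rate line) is an assumption chosen for illustration, as are the cell traces. The check enumerates intervals that start and end at cell arrivals, which is sufficient because shrinking any interval to the cells it contains never lowers the count while F is non-decreasing.

```python
"""Police an ATM cell stream against a maximum traffic function (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional

TrafficFunction = Callable[[float], float]

# Floating-point guard: a trace at exactly peak rate sits on the bound.
EPS = 1e-9


@dataclass(frozen=True)
class TrafficSpec:
    """Hypothetical connection-setup descriptor (rates in cells/us, burst in cells)."""
    peak_rate: float
    sustained_rate: float
    burst: float

    def max_traffic_function(self) -> TrafficFunction:
        """F(t): assumed upper bound on cells in any closed interval of length t.

        1 + P*t is what a source at peak rate P can place in a closed interval
        (the endpoints both count); B + R*t is the burst-plus-sustained-rate line.
        """
        def F(t: float) -> float:
            if t < 0:
                return 0.0
            return min(1.0 + self.peak_rate * t, self.burst + self.sustained_rate * t)
        return F


@dataclass(frozen=True)
class Violation:
    start: float      # start of the offending interval (us)
    length: float     # interval length t (us)
    observed: int     # cells seen in [start, start + length]
    allowed: float    # F(length)


def check_envelope(arrivals: List[float], F: TrafficFunction) -> List[Violation]:
    """Return every interval [a_i, a_j] whose cell count exceeds F(a_j - a_i)."""
    times = sorted(arrivals)
    violations: List[Violation] = []
    for i in range(len(times)):
        for j in range(i, len(times)):
            observed = j - i + 1          # cells a_i .. a_j inclusive
            length = times[j] - times[i]
            allowed = F(length)
            if observed > allowed + EPS:
                violations.append(Violation(times[i], length, observed, allowed))
    return violations


def detection_time(arrivals: List[float], F: TrafficFunction) -> Optional[float]:
    """Arrival instant at which a policer running this check would first fire.

    That is the earliest end point of a violating interval, since the policer
    learns of a violation only once the cell completing the interval arrives.
    """
    v = check_envelope(arrivals, F)
    if not v:
        return None
    return min(x.start + x.length for x in v)


# Constructed traces (timestamps in us). The spec allows a burst of 4 cells at
# peak rate 1 cell/us, then a sustained rate of one cell every 4 us.
SPEC = TrafficSpec(peak_rate=1.0, sustained_rate=0.25, burst=4.0)
CONFORMING_TRACE = [0, 1, 2, 3, 7, 11, 15, 19]   # burst, then sustained pacing
FLOOD_TRACE = list(range(10))                   # continuous peak-rate flooding

if __name__ == "__main__":
    F = SPEC.max_traffic_function()
    print("conforming:", check_envelope(CONFORMING_TRACE, F))
    print("flood first violation:", check_envelope(FLOOD_TRACE, F)[0])
    print("flood detected at t =", detection_time(FLOOD_TRACE, F), "us")
```

The flooding trace keeps to the peak rate, so a peak-rate-only policer would pass it; it is the burst-plus-sustained-rate line that catches it, on the sixth consecutive cell. Sorting and the nested loop make this a reference check rather than a wire-speed one; a hardware policer would track the same envelope incrementally with one counter per line of F.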

Based on the traffic modeling techniques developed, we design and analyze a security device that uses traffic information to detect intrusions. The device meets the ATM Forum UNI data specification. An evaluation shows that it is able to detect, suppress, and raise an alert on covert network traffic in a timely fashion (within 25 $\mu$s), even under peak traffic conditions. Its implementation is both cost-effective and stable.

The rest of this paper is organized as follows: In Section 2, we introduce our traffic modeling techniques. The design and analysis of the security device are presented in Section 3, while Section 4 concludes the paper with final remarks.


Riccardo Bettati
1999-02-23