
Providing Dynamic Control to Passive Network Security Monitoring

Conference paper, Research in Attacks, Intrusions, and Defenses (RAID 2015). Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9404).

Abstract

Passive network intrusion detection systems detect a wide range of attacks, yet by themselves lack the capability to actively respond to what they find. Some sites thus provide their IDS with a separate control channel back to the network, typically by enabling it to dynamically insert ACLs into a gateway router for blocking IP addresses. Such setups, however, tend to remain narrowly tailored to the site's specifics, with little opportunity for reuse elsewhere, as different networks deploy a wide array of hardware and software and differ in their network topologies. To overcome the shortcomings of such ad-hoc approaches, we present a novel network control framework that provides passive network monitoring systems with a flexible, unified interface for active response, hiding the complexity of heterogeneous network equipment behind a simple task-oriented API. Targeting operational deployment in large-scale network environments, we implement the design of our framework on top of an existing open-source IDS. We provide exemplary backends, including an interface to OpenFlow hardware, and evaluate our approach in terms of functionality and performance.
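The abstract describes the central design decision: a task-oriented API in front of backends with very different capabilities (an OpenFlow switch can match on a full 5-tuple, a router ACL blocker such as acld can only block whole addresses), and footnote 3 in the Notes below warns that a threaded transport can reorder rules. The following Python model is an added example written for this page; it is not code from the paper's framework, from Bro, or from acld. The `Rule` fields, the `can_handle`/`apply` backend protocol, the OpenFlow match keys, the ACL command strings and the `NetControl`/`OrderedRelay` names are all assumptions chosen for illustration.

```python
"""Added example, not code from the paper or from Bro/Zeek. The Rule fields, the
can_handle/apply backend protocol, OpenFlow match keys and ACL commands are assumptions."""
import heapq
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:                     # a "drop" task: block whatever matches
    rule_id: int
    src: Optional[str] = None   # host or CIDR; None = wildcard
    dst: Optional[str] = None
    dport: Optional[int] = None


class OpenFlowBackend:
    """Switch-like backend: accepts any combination of src/dst/port."""
    def __init__(self):
        self.flows = {}                     # rule_id -> OpenFlow-style match dict

    def can_handle(self, rule):
        return True

    def apply(self, op, arg):               # arg: Rule for "add", rule_id for "remove"
        if op == "add":
            self.flows[arg.rule_id] = {k: v for k, v in (("nw_src", arg.src),
                ("nw_dst", arg.dst), ("tp_dst", arg.dport)) if v is not None}
        else:
            self.flows.pop(arg, None)


class AclBackend:
    """Router-ACL-style blocker: single hosts only, no ports; 'unblock' before 'block' raises KeyError."""
    def __init__(self):
        self.commands = []                  # commands in the order applied
        self.blocked = {}                   # rule_id -> address

    def can_handle(self, rule):
        one_side = (rule.src is None) != (rule.dst is None)
        return (rule.dport is None and one_side
                and ip_network(rule.src or rule.dst).num_addresses == 1)

    def apply(self, op, arg):
        if op == "add":
            self.blocked[arg.rule_id] = arg.src or arg.dst
            self.commands.append(f"block {self.blocked[arg.rule_id]}")
        else:
            self.commands.append(f"unblock {self.blocked.pop(arg)}")


class OrderedRelay:
    """Relays commands over a threaded/TCP-style channel, applying them in sequence order."""
    def __init__(self, backend):
        self.backend, self.next_seq, self.pending = backend, 1, []

    def deliver(self, seq, op, arg):
        heapq.heappush(self.pending, (seq, op, arg))    # early arrivals wait in the heap
        while self.pending and self.pending[0][0] == self.next_seq:
            _, op, arg = heapq.heappop(self.pending)
            self.backend.apply(op, arg)
            self.next_seq += 1


class NetControl:
    """Task-oriented front end: a task becomes a Rule, sent to the first backend that can handle it."""
    def __init__(self, backends):
        self.relays = [OrderedRelay(b) for b in backends]
        self.seq = [0] * len(backends)      # per-backend command sequence counter
        self.active, self.next_id = {}, 1   # active: rule_id -> backend index

    def _send(self, i, op, arg):
        self.seq[i] += 1
        self.relays[i].deliver(self.seq[i], op, arg)

    def _install(self, rule):
        for i, relay in enumerate(self.relays):
            if relay.backend.can_handle(rule):
                self._send(i, "add", rule)
                self.active[rule.rule_id] = i
                return rule.rule_id
        raise ValueError(f"no backend can handle {rule}")

    def drop(self, src=None, dst=None, dport=None):     # block an address or a connection
        rule, self.next_id = Rule(self.next_id, src, dst, dport), self.next_id + 1
        return self._install(rule)

    def remove(self, rule_id):
        self._send(self.active.pop(rule_id), "remove", rule_id)


def demo():
    acl, of = AclBackend(), OpenFlowBackend()
    nc = NetControl([acl, of])              # prefer the router ACL, fall back to OpenFlow
    r1 = nc.drop(src="203.0.113.7")                          # single host -> ACL
    nc.drop("203.0.113.7", "198.51.100.2", 22)               # needs a port -> OpenFlow
    nc.drop(src="203.0.113.0/24")                            # a prefix -> OpenFlow
    nc.remove(r1)                                            # unblock on the ACL
    relay = OrderedRelay(AclBackend())      # threaded channel: seq 2 arrives before seq 1
    relay.deliver(2, "remove", 9)
    relay.deliver(1, "add", Rule(9, src="203.0.113.9"))
    return {"acl": acl.commands, "flows": dict(of.flows), "active": set(nc.active),
            "relay": relay.backend.commands}
```

Two points the model makes explicit. Dispatch is decided by capability, not by rule type: the same `drop` call lands on the ACL blocker for a single host and on the switch for anything the blocker cannot express, which is what lets the caller stay unaware of the equipment behind the API. And the relay's reorder buffer is the alternative to disabling threading: if `unblock` overtook `block` on a threaded channel, the ACL backend would fail on the unknown id and the host would end up blocked with nothing left to remove it. In a real deployment the buffer also needs a timeout or gap handling, since a lost message would otherwise stall every later command for that backend.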


Notes

  1. Indeed, our Bro OpenFlow module remains independent of Ryu and could support other controllers as well if one extended them with a similar receiver component.

  2. Currently, Bro talks to an intermediary Python script, which in turn relays commands to acld through TCP. We plan to integrate Broker into acld directly in the future.

  3. As this could potentially reorder rules, users can optionally disable threading.

  4. While the lack of this feature does not affect the network control framework directly, it could prevent using it in combination with further static monitoring rules.

  5. We excluded the HP A5500 with bi-directional rules due to problematic behavior when inserting rules that way: the average latency was >10 s, with many rules timing out and never getting an acknowledgment from the switch.

  6. The connections reporting a size of 0 were not fully established.

References

  1. ACL blocker notes. http://www-nrg.ee.lbl.gov/leres/acl2.html

  2. Allcock, W., Bester, J., Bresnahan, J., Chervenak, A., Liming, L., Tuecke, S.: GridFTP: Protocol Extensions for the Grid. Grid Forum GFD-R-P.020 (2003)

  3. Ballard, J.R., Rae, I., Akella, A.: Extensible and scalable network monitoring using OpenSAFE. In: INM/WREN (2010)

  4. Braga, R., Mota, E., Passito, A.: Lightweight DDoS flooding attack detection using NOX/OpenFlow. In: LCN (2010)

  5. Bro Network Monitoring System. https://www.bro.org

  6. Broker: Bro's Messaging Library. https://github.com/bro/broker

  7. Campbell, S., Lee, J.: Prototyping a 100g monitoring system. In: PDP (2012)

  8. Presentation slides – Anonymized for submission (2014)

  9. ESnet: Science DMZ Security - Firewalls vs. Router ACLs. https://fasterdata.es.net/science-dmz/science-dmz-security/

  10. GlobalNOC: SciPass: IDS Load Balancer & Science DMZ. http://globalnoc.iu.edu/sdn/scipass.html

  11. Gonzalez, J., Paxson, V., Weaver, N.: Shunting: a hardware/software architecture for flexible, high-performance network intrusion prevention. In: ACM Conference on Computer and Communications Security (CCS), Washington, D.C. (2007)

  12. Maier, G., Sommer, R., Dreger, H., Feldmann, A., Paxson, V., Schneider, F.: Enriching network security analysis with time travel. In: Proceedings of ACM SIGCOMM (2008). http://www.icir.org/robin/papers/sigcomm08-tm.pdf

  13. McKeown, N., Anderson, T., Balakrishnan, H., Parulkar, G., Peterson, L., Rexford, J., Shenker, S., Turner, J.: OpenFlow: enabling innovation in campus networks. CCR 38(2), 69–74 (2008)

  14. Network Control framework and utility code. http://icir.org/johanna/netcontrol

  15. OSCARS: On-Demand Secure Circuits and Advance Reservation System. http://www.es.net/engineering-services/oscars/

  16. Papadogiannakis, A., Polychronakis, M., Markatos, E.P.: Improving the accuracy of network intrusion detection systems under load using selective packet discarding. In: EUROSEC (2010)

  17. Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435–2463 (1999)

  18. Porras, P., Cheung, S., Fong, M., Skinner, K., Yegneswaran, V.: Securing the software-defined network control layer. In: Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), February 2015

  19. Ryu SDN Framework. http://osrg.github.io/ryu/

  20. Science DMZ - A Scalable Network Design Model for Optimizing Science Data Transfers. https://fasterdata.es.net/science-dmz

  21. Security and NAT Gateway for the Munich Scientific Network (MWN). https://www.lrz.de/services/netzdienste/secomat_en/

  22. Shirali-Shahreza, S., Ganjali, Y.: FleXam: flexible sampling extension for monitoring and security applications in OpenFlow. In: HotSDN (2013)

  23. Snortsam - A Firewall Blocking Agent for Snort. https://www.snortsam.net

  24. Van Adrichem, N., Doerr, C., Kuipers, F.: OpenNetMon: network monitoring in OpenFlow software-defined networks. In: NOMS (2014)

  25. Xing, T., Huang, D., Xu, L., Chung, C.J., Khatkar, P.: SnortFlow: a OpenFlow-based intrusion prevention system in cloud environment. In: GREE (2013)

Acknowledgments

We would like to thank Aashish Sharma, Keith Lehigh, and Paul Wefel for their feedback and help.

This work was supported by the National Science Foundation under grant numbers ACI-1348077 and CNS-1228792. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF.

Author information

Corresponding author: Johanna Amann.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Amann, J., Sommer, R. (2015). Providing Dynamic Control to Passive Network Security Monitoring. In: Bos, H., Monrose, F., Blanc, G. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2015. Lecture Notes in Computer Science, vol 9404. Springer, Cham. https://doi.org/10.1007/978-3-319-26362-5_7

  • DOI: https://doi.org/10.1007/978-3-319-26362-5_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26361-8

  • Online ISBN: 978-3-319-26362-5