ΕΘΝΙΚΟ ΜΕΤΣΟΒΙΟ ΠΟΛΥΤΕΧΝΕΙΟ...anomaly detection and mitigation mechanism on...
Network Management & Optimal Design (NETMODE) Laboratory http://www.netmode.ntua.gr
Director: Prof. Vasilis Maglaris
Recent NETMODE Activities on Internet Research & Experimentation: Testbeds, Federated e-Infrastructures, Network Security & SDN/NFV
May 2017
ΕΘΝΙΚΟ ΜΕΤΣΟΒΙΟ ΠΟΛΥΤΕΧΝΕΙΟ - Ε.Μ.Π. NATIONAL TECHNICAL UNIVERSITY OF ATHENS - NTUA
School of Electrical & Computer Engineering Division of Communications, Electronics & Information Engineering
Lab Facilities Overview
• OpenFlow-enabled Devices
– NEC IP8800
– Juniper MX80-48T
– HP 2920
– 2 x Open vSwitch on Xeon Processor 5160 – 3GHz, 8GB RAM, 8xGbE ports
• 6 x ESXi Hypervisors (v4.1 & 5.0), hosting ~50VMs
• Wireless – Fed4FIRE & OpenFlow Testbeds
• Hosting FEDERICA & PlanetLab Facilities
Wireless Testbed Part of EU Fed4FIRE Distributed Testbed
SDN Testbed OpenFlow Switches & Controllers
Federated e-Infrastructures: NOVI (Networking innovations Over Virtualized Infrastructures) Concept of Data, Control & Management Plane Stitching
Policy Based Resource Management NFV Model of Policy Orchestration
Graphical Overview of Policy Ontology
NFV Approach of Policy Based Architecture
Anomaly Detection & Mitigation (I) Extending Remotely Triggered Black Hole (RTBH)
Adding OF Functionality to Legacy LANs
DDoS Attack Mitigation
Anomaly Detection & Mitigation (II) Classification of Malicious Source IP Prefixes
Based on CAIDA Anonymized Data (DDoS Attack, August 2007) & Recent NTUA LAN Data
Anomaly Detection & Mitigation (III) A Cooperative Schema for Multi-domain SDN Environments
Anomaly Detection & Mitigation (IV) Collaborative Schema for Exchanging Attack Data
[Figure: collaborative schema for exchanging attack data. Nodes 1, 2 and 3 (CN, CSlab, NETMODE) ship network and system events (IDS events) to a LOCAL Monitoring Repository (NETMODE) and to a REMOTE Monitoring Repository at a Trusted Third Party (NTUA NOC), which publishes monitoring events to collaborators; mirrored traffic reaches the IDS over data-plane connections.]
Anomaly Detection & Mitigation (V) Applying Emerging Tools for Network Security
• Network Traffic Monitoring (Packet Capturing, NetFlow, SNMP MIB Counters)
• Advanced Statistical Methods for Anomaly Detection (Bayesian, Theory of Evidence…)
• Machine Learning Techniques for Anomaly Detection & Mitigation (Neural Networks, Deep Learning, Bloom Filters)
– Attack Classification
– Filtering DNS DDoS Attacks
Multi-Tenant Monitoring as VNF (I) A Monitoring Architecture for Research in Internet
Experimentation (MARIE)
Multi-Tenant Monitoring as VNF (II) Monitoring in SDN Multi-tenant Environments
Multi-Tenant Monitoring as VNF (III) Scalable Monitoring-as-a-Service (MaaS)
[Figure: Monitoring-as-a-Service architecture. Lightweight Shippers feed Brokers, which feed a Logstash cluster; events land in a Store/Search backend and are visualized in Kibana, with an Administrator data view and personalized per-tenant data views.]
Multi-Tenant Monitoring as VNF (IV) Application in a Federated Environment:
GÉANT Testbed Service - GTS (GÉANT – NRENs – Campuses)
Scalable Network Monitoring Data Mining via the OmniDisco Collector
MBB Carrier Selection & Offloading by Mobile Nodes Monitoring & Analysis for
Radio Interface seLection for Y2020 Networks (MARILYN)
• OpenFlow Control Functionality
– Open vSwitch (OVS) Client S/W: mounted on Android Mobile Node (SDN-enabled Multi-SIM Mobile Devices)
– OpenFlow Controller and Selection Policy Engine: mounted on Android Mobile Node and/or within a Core Cloud Infrastructure
• Trade-off Criteria: Power Consumption, Quality of Experience, Seamless Reliable Operation, H/W – S/W Cost & Subscription/Usage Fees, Penetration of Multi-SIM Mobile Devices…
Selected Publications
1. V. Maglaris, C. Papagianni, G. Androulidakis, M. Grammatikou, P. Grosso, J. van der Ham, C. de Laat, B. Pietrzak, B. Belter, J. Steger, S. Laki, M. Campanella and S. Sallent, "Toward a Holistic Federated Future Internet Experimentation Environment: The Experience of NOVI Research and Experimentation", IEEE Communications Magazine, Vol. 53, No. 7, pp. 136-147, July 2015 (Overview of the NOVI FIRE FP7 project)
2. A. Douitsis and V. Maglaris, "Towards a Scalable Management Collector", in Proc. of GIIS'16, Porto, Portugal, October 2016 (Network Monitoring Architecture featuring SNMP and ElasticSearch)
3. Y. Kryftis, M. Grammatikou, D. Kalogeras and V. Maglaris, "Policy-Based Management for Federation of Virtualized Infrastructures", Journal of Network & Systems Management, Springer, June 2016 (Policy-based Network Management, Virtualized Infrastructures, Federated SLA)
4. K. Giotis, M. Apostolaki and V. Maglaris, "A Reputation-based Collaborative Schema for the Mitigation of Distributed Attacks in SDN Domains", in Proc. of IEEE/IFIP Network Operations and Management Symposium, Istanbul, Turkey, April 2016 (Cooperative schemes to mitigate DDoS attacks)
5. K. Giotis, G. Androulidakis and V. Maglaris, "A Scalable Anomaly Detection and Mitigation Architecture for Legacy Networks via an OpenFlow Middlebox", Security and Communication Networks, Wiley, October 2015 (Anomaly Detection & Mitigation Architecture for DDoS attacks using an OpenFlow middlebox approach on Legacy Networks)
6. K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments", Computer Networks, Vol. 62, No. 7, pp. 122-136, April 2014 (Scalable Anomaly Detection using Entropy Algorithms and sFlow sampling)
7. C. Argyropoulos, S. Mastorakis, K. Giotis, G. Androulidakis, D. Kalogeras and V. Maglaris, "Control-Plane Slicing Methods in Multi-Tenant Software Defined Networks", in Proc. IFIP/IEEE Integrated Network Management Symposium (IM 2015), Ottawa, Canada, May 2015 (Assessing Virtual Network Slicing in terms of Resource Consumption)
8. C. Siaterlis and V. Maglaris, "Detecting Incoming and Outgoing DDoS Attacks at the Edge Using a Single Set of Network Characteristics", in Proc. IEEE 10th Symposium on Computers and Communications (ISCC), Cartagena, Spain, June 2005 (Theoretical Statistical Analysis of Attack Patterns as experienced within the NTUA campus LAN)
9. C. Siaterlis and B. Maglaris, "Towards Multisensor Data Fusion for DoS detection", in Proc. ACM Symposium on Applied Computing, 2004 (Data-fusion algorithms combining Attack Metrics for DDoS Anomaly Detection)