Researcher: Hyong Kim
Research Area: Survivable Distributed Systems
Distributed Security Monitoring System for Survivable Networks Based on Network Tomography
The network management system consists of monitoring and configuration functions. The monitoring capability ranges from high-quality telephone networks to the unstructured and unregulated Internet. Monitoring the minute details of each call's time, location, and duration in telephone networks contrasts with the Internet, where even a simple mapping of the network is a challenge due to diverse ownership and heterogeneous infrastructure. In the Internet, many networks are joined at peering points, and the details of these networks are hidden from each other except for generalized routing information exchanged via BGP. The heterogeneous and unregulated infrastructure of the Internet makes monitoring of service provisioning, service-level monitoring and verification, and detection of anomalous or malicious behavior increasingly difficult. In order to provide a survivable network infrastructure in the presence of failures and malicious attacks, two functions are required: intelligent detection of anomalous or malicious behavior, and a mechanism to isolate the problem sources from the rest of the network.
Currently proposed network monitoring systems assume complete knowledge of, and access to, network elements such as switches and routers. However, the Internet consists of many unstructured and heterogeneous sub-networks, and these are neither easily accessible nor visible to network operators who do not own them. Thus, it is difficult to protect the network against malicious attacks originating from invisible network elements; even simple tracing of the problem elements can be challenging. Many sources of malicious attacks may be hidden from a network operator who has no control over them.
In this work, we plan to develop a distributed security monitoring system for the Internet, where not all network elements are visible and accessible. We focus on the monitoring and detection of anomalies in the Internet. Distributed monitoring and inference techniques will be used to detect and identify problems arising from malicious attacks and network failures. In the research area of signal processing, there have been numerous studies of the “inverse problem”, in which a system is identified even though key aspects of it are not directly observable (as is the case for the Internet). The tomographic reconstruction of anatomical images from MRI equipment is a well-known example of an “inverse problem”: the internal organs are reconstructed by processing the differences in how the energy waves generated by multiple arrays of sensors are affected as they pass through these objects. Recently there have been efforts to extract network performance metrics such as delay and throughput by applying tomographic techniques to networks. Multiple edge nodes at the boundary of the unknown network infrastructure actively send probe packets through the network. The statistics and behavior of these probes are then analyzed to identify the network topology and to estimate its performance metrics under a presumed basic network model. Effective use of probe packets can give fairly accurate delay estimates for certain network topologies.
We propose to develop a distributed security monitoring system for detecting network anomalies and malicious attacks using the network tomography concept. Prior work in network tomography focuses on measuring network performance, whereas we focus on detecting network anomalies. Unlike prior work, which assumes no knowledge of the network, we assume that there are islands of networks in the Internet that are visible and accessible. That is, network providers or operators have their own islands of networks in which more detailed information about each network node is available, for example via SNMP. There will be blind spots that interconnect such islands of known networks. Thus, our approach assumes that more information is available, and that this information should help in identifying network anomalies; at the same time, we do not assume complete knowledge of the network elements. The proposed plan consists of the following tasks.
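As an added illustration of the two ideas above (probe-based tomography as an inverse problem, and the use of visible "islands" to reduce the unknowns), the following toy example is not code from the original page or from the researcher's project. It assumes a simple additive model: the delay measured on an end-to-end probe path equals the sum of the delays of the links it traverses, so the path measurements form a linear system d = A·x over the per-link delays x. Links inside islands expose their delay directly (as one would read via SNMP); their contribution is subtracted out, the remaining blind-spot links are estimated by least squares, and any blind link whose inferred delay far exceeds its baseline is flagged. The topology, delays, thresholds and the "attacked" link are all constructed values.

```python
"""Toy network-tomography anomaly detector (added example, not from the original page).

Assumed model: probe path delay = sum of delays of the links on that path, i.e.
d = A * x, where A is the routing matrix (one row per probe path, one column per
link) and x the per-link delays.  Links inside operator-visible "islands" report
their delay directly; the blind-spot links are inferred by least squares.
Topology, delays, thresholds and the attacked link below are all constructed.
"""


def solve_least_squares(A, b):
    """Solve the normal equations (A^T A) x = A^T b by Gauss-Jordan elimination
    with partial pivoting.  Returns None when A^T A is singular, which means the
    blind links are not identifiable from the available probe paths."""
    m, n = len(A), len(A[0])
    ata = [[sum(A[k][i] * A[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    atb = [sum(A[k][i] * b[k] for k in range(m)) for i in range(n)]
    M = [row[:] + [atb[i]] for i, row in enumerate(ata)]  # augmented matrix
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[piv][col]) < 1e-9:
            return None  # rank-deficient: some blind links cannot be separated
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [M[r][c] - f * M[col][c] for c in range(n + 1)]
    return [M[i][n] / M[i][i] for i in range(n)]


def infer_blind_link_delays(paths, probe_delays, island_delays, n_links):
    """paths: one list of link indices per probe path.
    probe_delays: measured end-to-end delay per path (same order as paths).
    island_delays: {link_index: delay} for links inside visible islands.
    Returns {link_index: estimated delay} for the blind links, or None if the
    blind links are not identifiable with these probe paths."""
    blind = [l for l in range(n_links) if l not in island_delays]
    A = [[1.0 if l in p else 0.0 for l in blind] for p in paths]
    # subtract the known island contribution from each path measurement
    b = [d - sum(island_delays.get(l, 0.0) for l in p)
         for p, d in zip(paths, probe_delays)]
    x = solve_least_squares(A, b)
    return None if x is None else dict(zip(blind, x))


def detect_anomalies(estimates, baseline, factor=3.0):
    """Flag blind links whose inferred delay exceeds `factor` times baseline."""
    return sorted(l for l, d in estimates.items() if d > factor * baseline[l])


# constructed topology: three edge monitors probing each other across four links;
# link 1 is the blind-spot link shared by all three paths
PATHS = [[0, 1, 2], [0, 1, 3], [2, 1, 3]]
N_LINKS = 4
BASELINE = {0: 2.0, 1: 5.0, 2: 3.0, 3: 4.0}  # constructed normal delays


def run_example():
    """Simulate one measurement round with link 1 under stress (5 -> 40)."""
    true_delays = {0: 2.0, 1: 40.0, 2: 3.0, 3: 4.0}
    probe_delays = [sum(true_delays[l] for l in p) for p in PATHS]
    islands = {0: true_delays[0], 3: true_delays[3]}  # links 0 and 3 are visible
    est = infer_blind_link_delays(PATHS, probe_delays, islands, N_LINKS)
    return est, detect_anomalies(est, BASELINE)


if __name__ == "__main__":
    estimates, flagged = run_example()
    print("blind-link estimates:", estimates)
    print("anomalous links:", flagged)
    # with no islands at all, four unknown links and three paths are not identifiable
    print("identifiable without islands:",
          infer_blind_link_delays(PATHS, [45.0, 46.0, 47.0], {}, N_LINKS) is not None)
```

With the two island links known, the three probe paths pin down the two blind links exactly and link 1 is flagged; drop the island information and the same three paths leave four unknowns with only rank three, so the solver reports that the blind links cannot be separated. That identifiability check is the practical reason the proposal leans on visible islands rather than treating the whole network as unknown.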