PANDA - Precise Attack Detection for Network Domains by Application Classification
Basic information
- Grant number: 397400564
- Principal investigator:
- Amount: --
- Host institution:
- Host institution country: Germany
- Project category: Research Grants
- Fiscal year: 2018
- Funding country: Germany
- Duration: 2017-12-31 to 2021-12-31
- Project status: Completed
- Source:
- Keywords:
Project summary
The detection of attacks on large administrative network domains, e.g., an enterprise network consisting of multiple subnets, is nowadays usually accomplished centrally by analyzing the data traffic on the uplink to the Internet. This allows attacks from the Internet to be detected, but has substantial disadvantages. Insider attacks cannot be detected, regardless of whether they are initiated deliberately or triggered by compromised (private) devices. Network-wide distributed monitoring would be a useful alternative to the established procedures, but it faces a number of still unsolved problems:

1. Data rates in the subnets are sporadically very high and often highly variable (e.g., load peaks of up to 10 Gbit/s).
2. High data rates, combined with the standard configurations typically used for monitoring, usually imply high false alarm rates.
3. Data traffic is increasingly encrypted and eludes traditional analysis methods.
4. The increased deployment of virtualization technologies, such as virtual machines and virtual networks, creates areas that are inaccessible to monitoring.

In security monitoring, flow aggregation and deep packet inspection (DPI) are usually carried out separately. Flow analysis so far considers only accounting information up to the transport layer. New technologies, such as virtual networks, dilute the transport-layer information obtained from flow aggregation, because the same IP addresses now represent different systems. In addition, new protocols such as HTTP/2 further complicate the analysis, because context is often missing, e.g., whether a flow carries a single connection or multiplexed ones. Likewise, DPI often operates blind, since there is no contextual information about the observed application.

In the proposed research project, flow aggregation and DPI will be used complementarily. Key aspects of the investigations are a significant reduction of the data volume to be analyzed at the network sensor, the examination of alarm relevance, the monitoring of data flows also in virtual environments, analysis of encrypted traffic to infer the supported applications and the protocols applied, and methods for cooperative analysis within the administrative domain. Problems to be solved include, inter alia: an accurate identification of applications (including observed protocol dialects, if distinguishable) that provides context for the DPI and allows the signature bases to be adapted dynamically to that context; an efficient aggregation of security information from the application layer into AppFlows so that analyses can be relocated; the aggregation of information beneath the network layer to enable the integration of virtual systems into the monitoring; and the extraction of parameters from the initiating handshakes during connection establishment of encrypted channels, to detect vulnerabilities arising from outdated cryptographic methods.
Project outcomes
Journal articles (0)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)
Other publications by Professor Dr.-Ing. Falko Dressler
Other grants of Professor Dr.-Ing. Falko Dressler
AvaRange: Particle Tracking in Snow Avalanches
- Grant number: 421446512
- Fiscal year: 2019
- Amount: --
- Project category: Research Grants
Energy Efficient Management and Self-organized Operation in Sensor Networks
- Grant number: 215910263
- Fiscal year: 2012
- Amount: --
- Project category: Research Units
Integration of Radar-based Communication in Heterogeneous Vehicular Networks for Cooperatively Interacting Cars (RADCOM-HETNET)
- Grant number: 390837865
- Fiscal year:
- Amount: --
- Project category: Research Grants
ML-driven Radio Resource Management in Wireless Local Area Networks
- Grant number: 465309697
- Fiscal year:
- Amount: --
- Project category: Research Grants
Network-Informed Control - Control-Informed Network: towards multi techNology dynamICally ChangIng networks (NICCI^2)
- Grant number: 315248657
- Fiscal year:
- Amount: --
- Project category: Priority Programmes
BodyTalks: Connecting in-body nano communication with body area networks (NaBoCom II)
- Grant number: 419981515
- Fiscal year:
- Amount: --
- Project category: Research Grants
ResCTC: Resilience through Cross-Technology Communication
- Grant number: 503691052
- Fiscal year:
- Amount: --
- Project category: Priority Programmes
Similar overseas grants
PreDem -- Democratization of the Coupling Library preCICE
- Grant number: 391150578
- Fiscal year: 2018
- Amount: --
- Project category: Research data and software (Scientific Library Services and Information Systems)
A Community-Driven Ecosystem of Adapters and Application Cases for the Coupling Library preCICE
- Grant number: 528693298
- Fiscal year:
- Amount: --
- Project category: Research Grants