[talks] H Ringberg preFPO

Melissa Lawson mml at CS.Princeton.EDU
Mon Dec 8 10:19:42 EST 2008

Haakon Ringberg will present his preFPO on Friday December 12 at 10AM in Room 302.
The members of his committee are:  Jennifer Rexford, advisor; Nicholas Duffield (AT&T), 
Mike Freedman, Vivek Pai, and Rob Calderbank.  Everyone is invited to attend his talk. 
His abstract follows below.

Unwanted traffic is a major concern in the Internet today. The algorithms that attempt to
identify this unwanted traffic are called network anomaly detectors, and their task is
challenging in part because many network attacks mimic the behavior of normal traffic. The
victims of these attacks should therefore collaborate by correlating their attack data,
under the assumption that a given malicious host is likely to affect more than one victim.
The major obstacle to such collaboration is that the corporations who manage these
networks are hesitant to openly share information about the hosts (customers) that use
their services.

In this thesis, we propose and evaluate the feasibility of an architecture for
privacy-preserving collaborative anomaly detection. 
First, we study the potential gain from collaboration on traces from operational networks.
We do this by calculating the fraction of detected network anomalies (viz., IP scans, port
scans, and DoS attacks) that could have been mitigated in these traces if some subset of
the victim hosts collaborated to block attackers. Second, we propose and evaluate the
efficiency of a novel cryptographic protocol that allows victims to collaborate to
identify the hosts sending unwanted traffic. The protocol allows each participant to
submit a set of IP addresses that they suspect might be engaging in said activity. The
protocol preserves privacy because it never reveals who suspected whom, and a submitted IP
address is only revealed when more than n participating networks suspect it.
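As an added illustration (not code from the thesis), the following Python replay applies the reveal rule just described to constructed per-network suspect lists and estimates the collaboration gain in the spirit of the first study: an attack event counts as mitigable when its source was already suspected by more than n other networks before the event. The network names, IP addresses, timestamps and the simplified gain metric are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample data: per-network lists of (timestamp, suspected attacker IP).
# Illustrative values only, not traces from the thesis.
REPORTS = {
    "net-A": [(1, "198.51.100.7"), (2, "203.0.113.9"), (9, "192.0.2.44")],
    "net-B": [(3, "198.51.100.7"), (4, "203.0.113.9"), (8, "192.0.2.44")],
    "net-C": [(5, "198.51.100.7"), (6, "192.0.2.44"), (10, "203.0.113.9")],
    "net-D": [(7, "198.51.100.7"), (11, "203.0.113.9")],
}


def revealed_ips(reports, n):
    """Return the IPs suspected by more than n distinct networks.

    Only the set of revealed addresses is returned; which network suspected
    which address is never exposed, mirroring the privacy goal of the protocol.
    Repeated reports from one network count once.
    """
    suspectors = defaultdict(set)
    for net, events in reports.items():
        for _, ip in events:
            suspectors[ip].add(net)
    return {ip for ip, nets in suspectors.items() if len(nets) > n}


def collaboration_gain(reports, n):
    """Fraction of attack events whose source had already crossed the reveal
    threshold (suspected by more than n networks) before the event occurred.

    Simplified replay model chosen for this example, not the thesis's exact
    metric: events are processed in timestamp order and an event is counted as
    mitigable only on the basis of reports strictly earlier than it.
    """
    timeline = sorted((t, net, ip) for net, ev in reports.items() for t, ip in ev)
    seen_by = defaultdict(set)
    mitigated = 0
    for t, net, ip in timeline:
        if len(seen_by[ip]) > n:  # threshold already exceeded before this event
            mitigated += 1
        seen_by[ip].add(net)
    return mitigated / len(timeline)


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, sorted(revealed_ips(REPORTS, n)), round(collaboration_gain(REPORTS, n), 3))
```

Raising n trades mitigation coverage for stronger protection against a single network falsely accusing an address, which the replay makes visible as the gain drops from 5/11 to 2/11 between n=1 and n=2 on this sample.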

Finally, we close the loop by evaluating the feasibility of making a commonly-used single
vantage-point anomaly detector faster and more scalable. Specifically, we propose and
evaluate a system that leverages machine learning to bring the classification intelligence
of the signature- and packet-based intrusion detection system (IDS) Snort to the IP flow realm.
We demonstrate that our system can effectively learn to classify many Snort alarms on IP
flows. In sum, the thesis presents a complete collaborative anomaly detection
architecture, from the high-confidence detection of unwanted traffic at single networks to
a privacy-preserving protocol that allows these networks to collectively increase their
confidence in their detections.
