IMS Special Section

IMS and Security: Keeping the Internet Safe in a World of SoIP

By Dr. Antonio Nucci            October 2006, Volume 1/Number 5

IMS Magazine

It used to be easy to secure a telephony connection. Traditional phone companies owned their networks and controlled every inch of the connection between their central offices and the simple telephone instrument at the other end. The only interconnections were with a handful of other carriers whose networks were equally secure. Today, the communications that initiate or terminate with a phone company’s customer travel through a chaotic maze of connections, much of which is outside the domain of the telecommunications industry as a whole — companies like eBay and Barclays Bank, for example, but also the hackers and fraudsters that impersonate them, and others, who just want to hijack or ransom them. And instead of simple phone calls, those lines of communications are a bedlam of digital goods and services, movies and music, email and web pages, online games and videoconferences, as well as VoIP and IPTV — the brave new world of Services-over-IP (SoIP).

As carriers evolve to a world of SoIP and IMS architectures, they must learn to manage networks that are larger, faster, more complex — and more vulnerable — than ever. Indeed, IMS is designed to facilitate the provisioning and decommissioning of services. But it provides nothing to help carriers with the management and security of those services. One option is for carriers to buy single point solutions to secure each service, one by one. However, this is hardly an option for carriers that envision offering anywhere from five to 20 concurrent IP services; the cost is prohibitive.

Yet history has proven a need to protect against malicious network attacks. Over the past few years, each new threat epidemic has demonstrated increased speed, virulence and sophistication over its predecessor. The Code Red worm took more than 14 hours to infect its population in 2001. The Slammer worm, released some 18 months later, did the same in less than 10 minutes. Code Red is thought to have infected roughly 360,000 hosts, while by some estimates the Nimda worm compromised more than 2 million.
Unfortunately, the ability to defend against these outbreaks remains entirely inadequate, not having advanced significantly since the Code Red episode in mid-2001. Traditional security point solutions and appliances placed only at the network edge are no longer sufficient for dealing with highly distributed, low-volume and layer 7 attacks. Such systems either provide deep-packet inspection but lack correlation across the entire network, or provide some correlation, but only for layer 4 information. Solutions of both descriptions lack the holistic view of the network (meaning deep-packet inspection plus full correlation) required to detect the emerging breed of malicious attacks.

Today’s carriers require a next-generation security solution that provides real-time anomaly detection on the edge and in the core of the network — a systems approach to security, rather than an expensive and inadequate point solution approach. Carriers must have full visibility into all network elements, from edge-based devices such as IDS/IPS (intrusion detection and prevention systems) and firewalls, to databases, to the gateway and backbone routers themselves. They must combine this visibility with both coarse and fine granularity of information about the traffic they carry. Most importantly, they must have the ability to correlate all this data in one place to accurately detect widely distributed, low-volume attacks. In effect, carriers must also evolve to behavior-based security algorithms that extend beyond the typical signature-based and volume-based detection and, instead, monitor the actual entropy of the network as a whole.

A Shift in Thinking: Entropy-Based Security
Essential to effective network security is the ability to detect an anomaly, classify its type, identify the specific threat and potential damage to the network, and then take the appropriate action.

Different types of attacks are identifiable by different kinds of analysis: some by layer 3, others by full layer 4 and still others by layer 7. For carriers to successfully prevent widespread network impact, they need a system that integrates and analyzes information from multiple sources. This system should also employ the new generation of advanced algorithms that provide unmatched detection capabilities, while reducing detection lag to seconds.

Thanks to the dedicated work of experts in the industry, there exist two families of algorithms that jointly detect and prioritize a substantial variety of network attacks. By employing these algorithms, carriers can build a robust security system around their network perimeters to remain safe from the most sophisticated and distributed of today’s — or even tomorrow’s — attacks.

Information Entropy
The first family of algorithms is based on information entropy. Every system in the universe is governed by its own set of physical laws. Like all complex physical systems, the Internet is uniquely identified by its equilibrium point or fingerprint. Any external disturbance introduced into a working system will break its equilibrium point and will force the system to transition to a new one, thereby creating a signature that uniquely identifies that disturbance. Information entropy succinctly represents the system’s equilibrium at any point in time. By capturing the difference between any two such points, one can characterize any subtle disturbance brought on by any type of network anomaly.

Information entropy algorithms extract in real-time the critical features from Internet traffic (from layer 2 through to layer 7) that reflect the network’s status. These features are then used to detect any deviation of the network’s equilibrium point (for example, a change in its energy, structure, randomness or fuzziness). In order to visualize this abstract concept, consider a very simple example of network anomaly: a worm outbreak. Worm traffic is more uniform or structured than normal Internet traffic in some respects and more random in others. When a network is attacked by a worm, several traffic features (such as source and destination IPs, source and destination ports, and flow size) will massively change their behavior.

For instance:

A large number of flows that originate from only a few infected machines become a significant part of the total traffic.

Destination hosts are selected in a purely random fashion, leading to an abnormally large number of distinct destination IPs being contacted in a short time frame.

Source and destination ports are used in an abnormal fashion, depending on the scanning strategy used by the worm to identify its potential targets.

Flows with a similar size become a dominant part of the total flows observed.

A worm outbreak will alter the Internet fingerprint by severely changing the distributions of the features mentioned here. Some distributions will be skewed along a few values (for example, the source IP address of the infected machines or the destination ports used by the worm); while other distributions will become more uniformly dispersed across a larger set of values (for example, the destination IP addresses of the targeted victims). Information entropy algorithms will monitor both the distributions and their correlation in time, and quickly detect any deviation (either small or large) that is symptomatic of the anomaly.

Low-rate anomalies, slowly propagating worms and other early-stage anomalies are easily detected and accurately reported by these algorithms.
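An added example (mine, not the article's or Narus's code) of the per-feature entropy comparison the section describes: normalized Shannon entropy is computed for source IP, destination IP, destination port and flow size over a baseline window and a worm-like window, and features that skew or disperse beyond a threshold are flagged. The flow records, the 0.25 shift threshold and the normalization by log2 of the window size are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample flow records: (src_ip, dst_ip, dst_port, flow_size).
# Baseline window: many client hosts talk to three servers on a few ports
# with varied flow sizes.
BASELINE_FLOWS = [
    ("10.0.0.%d" % (i + 1), "192.0.2.%d" % (i % 3 + 1), [80, 443, 25][i % 3], 500 + 37 * i)
    for i in range(60)
]
# Worm-like window: two infected hosts spray identically sized probes at
# distinct destinations on a single port (the four changes the text lists).
WORM_FLOWS = [
    ("10.0.0.%d" % (7 + i % 2), "198.51.100.%d" % (i + 1), 445, 144)
    for i in range(60)
]

FEATURES = ("src_ip", "dst_ip", "dst_port", "flow_size")


def normalized_entropy(values):
    """Shannon entropy of the value distribution, scaled to [0, 1] by log2 of
    the number of samples so windows of equal size are directly comparable."""
    counts = Counter(values)
    n = sum(counts.values())
    if n <= 1:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def entropy_profile(flows):
    """Per-feature normalized entropy for one observation window."""
    return dict(zip(FEATURES, (normalized_entropy(col) for col in zip(*flows))))


def detect_shift(baseline, window, threshold=0.25):
    """Flag features whose entropy moved more than `threshold` from the baseline
    profile: a drop means the distribution skewed onto few values, a rise means
    it dispersed across many (assumed threshold, tuned per network in practice)."""
    base, cur = entropy_profile(baseline), entropy_profile(window)
    alerts = {}
    for feature in FEATURES:
        delta = cur[feature] - base[feature]
        if abs(delta) > threshold:
            alerts[feature] = "dispersed" if delta > 0 else "skewed"
    return alerts


if __name__ == "__main__":
    print(entropy_profile(BASELINE_FLOWS))
    print(entropy_profile(WORM_FLOWS))
    print(detect_shift(BASELINE_FLOWS, WORM_FLOWS))
```

For the constructed windows, source IP, destination port and flow size are reported as skewed and destination IP as dispersed, matching the four symptoms listed above; a baseline compared with itself raises nothing.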

Signal Processing Theory
The second family of algorithms utilizes concepts from signal processing theory. These algorithms extract key features of Internet traffic (again from layers 2 through 7) from all vantage points and analyze the data in real-time, profiling both the temporal and spatial correlation across all sources of data. These new algorithms are capable of adapting to different network conditions and “statistically” learning the normal behavior of any network at any point in time — without the need for human interaction. Key features are extracted, stored and processed at very high speeds using efficient data structures and searching algorithms, which guarantee excellent performance.

Conclusion
Today’s complex, ever-changing carrier environment is fertile ground for a host of new, sophisticated threats, vulnerabilities and malicious attacks. Forward-looking carrier architectures such as IMS require a next-generation systems approach to security, one that is designed for use on large, complex, high-speed networks and can adapt to rapidly changing environments and new service offerings. Such a system must provide full visibility into all the elements in the network, and the ability to manage and correlate all the information from those elements at extremely high speeds. Finally, next-generation security systems must employ advanced algorithms, based on advanced mathematical principles such as information entropy and signal processing, that see well beyond traditional volume- or signature-based appliances and point solutions.

Dr. Antonio Nucci is the Chief Technology Officer of Narus, Inc. For more information, please visit www.narus.com.

