An Architectural Approach to Inter-domain Measurement Data Sharing - - PowerPoint PPT Presentation

an architectural approach to inter domain measurement
SMART_READER_LITE
LIVE PREVIEW

An Architectural Approach to Inter-domain Measurement Data Sharing - - PowerPoint PPT Presentation

Sep 14, 2022 123 likes •310 views

An Architectural Approach to Inter-domain Measurement Data Sharing Brian Trammell Communication Systems Group, ETH Zrich DUST 2012, San Diego, 15 May 2012 Questions and Wishes common platform for darkspace analysis lets use

slide-1
SLIDE 1

An Architectural Approach to Inter-domain Measurement Data Sharing

Brian Trammell

Communication Systems Group, ETH Zürich

DUST 2012, San Diego, 15 May 2012

slide-2
SLIDE 2

Questions and Wishes

§ common platform for darkspace analysis

§ “let’s use the same software to make it easier to share data”

§ common interface for collaborative interface

§ “what sort of interface do we provide to a running window of data?”

§ analyze unsolicited traffic on lit space

§ keep doing “darkspace”-like studies in an v4-scarce world § but, assumptions about privacy don’t hold at all anymore. § even “one-way” traffic isn’t all unsolicited

15 May 2012 - San Diego 2 Interdomain Measurement Data Sharing - DUST 2012

slide-3
SLIDE 3

Privacy issues in measurement data sharing

§ In the general case, most collected data simultaneously quite sensitive and completely uninteresting. § Darkspace collection suffers less from these concerns:

§ no “legitimate” user traffic, so no “users” to threaten; however: § illegitimate user traffic (compromised host IPs, occasional payload) § structure of the darkspace itself

§ Anonymization alone not a solution to the problem

§ any attacker that can induce or otherwise know details about traffic can reverse identifiers with ~24 bits of information per

(Burkhart et al., “The Role of Network Trace Anonymization Under Attack, ACM CCR Jan ‘10)

§ Any solution must include policy framework

§ Semi-open consortia of operators/CSIRTs/researchers/etc.

15 May 2012 - San Diego 3 Interdomain Measurement Data Sharing - DUST 2012

slide-4
SLIDE 4

Scalability issues in measurement data sharing

§ Passive network measurement collects [insert impressive word for “big”] amounts of data. § Separation of collection and analysis presents scalability issues at the sharing interface. § Data volume in darkspace directly proportional to size of

  • bservation surface; bigger surfaces are more useful.

§ Usual methods of addressing this:

§ limit retrospection interval (“last two weeks”) § limit fidelity for older data (sampling, aggregation) § spend a lot of money on disks… § …and don’t underestimate the bandwidth of a delivery truck.

15 May 2012 - San Diego 4 Interdomain Measurement Data Sharing - DUST 2012

slide-5
SLIDE 5

The DEMONS Approach

Centralized

Router Meter Capture Repository Network Analyze Present

DEMONS

Capture Repository Network Present Analyze Mitigate

15 May 2012 - San Diego Interdomain Measurement Data Sharing - DUST 2012 5

slide-6
SLIDE 6

The DEMONS approach: decentralization § Move processing to the edge

§ Support iterative analysis on live traffic using programmable edge devices. § Emphasize stream processing § Assumes temporal non- uniqueness of interesting activity in darkspace. § Data reduction improves scalability. § (and reduces sensitivity of collected data)

Capture Repository Network Present Analyze Mitigate

15 May 2012 - San Diego 6 Interdomain Measurement Data Sharing - DUST 2012

slide-7
SLIDE 7

The DEMONS approach: sharing § Share analysis, not data

§ Analyses built by composition of well-defined processing modules § Inspection of intermediate results before export

§ “yes/no decision” instead of anonymization/protection at the edge.

§ Realism about technical limitations of data protection

§ Designed to operate within a consortium governed by a legal agreement.

Domain X Domain Y

Capture Repository Network Present Analyze Mitigate Capture Repository Network Present Analyze Mitigate Share

15 May 2012 - San Diego 7 Interdomain Measurement Data Sharing - DUST 2012

slide-8
SLIDE 8

Components and Interfaces

§ Measurement layer nodes provide capture and analysis. § Interdomain exchange point (IXP) provides "sharing" interfaces to external domains. § Workflow-based control interface, for passing requests within and among domains § Integration with existing mitigation processes

§ not particularly relevant for research

Application User Interface (AUI) Mitigation Control Point (MCP) Interdomain Exchange Point (IXP) Measurement Layer Capture Repository Network Present Analyze Mitigate Share Workflow Planner and Orchestrator (Control)

15 May 2012 - San Diego 8 Interdomain Measurement Data Sharing - DUST 2012

slide-9
SLIDE 9

Inspirations

§ EU FP7 PRISM (March 2008 – May 2010)

§ Architecture for privacy-aware network monitoring applying context-sensitive access control § Explicit application of regulatory framework to access control and conditional data protection § Focus on single domain (no sharing)

§ Secure Queries (Mirkovic, NDA ‘08)

§ Trol (SQL-like) language for network queries § Anonymity-aware access control

§ Dialing Privacy and Utility (Kenneally and Claffy, IEEE S&P July ‘10)

§ Combines technical data protection techniques with a policy framework considering legal, social, privacy and utility aspects of sharing. § Applied to network telescope operations

15 May 2012 - San Diego 9 Interdomain Measurement Data Sharing - DUST 2012

slide-10
SLIDE 10

Measurement Layer: Blockmon

§ Composable measurement using small blocks

§ Increases parallelizability, measurement performance on multicore hardware § Code reuse for measurement development

§ Platform for understanding composable measurement application development § Enable code and analysis interchange in the form of compositions of modules from a standard, trusted base. § Current work in ontology of basic operations:

§ Filters, Metrics, Features, Correlations, and Feedback

§ Current work in core performance tuning:

§ cache-aware allocation, automatic queue balancing

January 11, 2012 10 DEMONS/BlockMon - Flocon 2012 Austin

slide-11
SLIDE 11

Blockmon: Implementation

§ Compositions of blocks exchange messages (packets, flows, etc.) connected at runtime via gates. § Control over thread/CPU assignment and block invocation for tuning. § Blocks, framework and scheduling implemented in C++ § Python-based CLI and JSON-RPC daemon, compositions in XML § Compositions split among instances via IPFIX import/export

January 11, 2012 11 DEMONS/BlockMon - Flocon 2012 Austin

Composition Source Block O BlockA I O BlockB I O Export Block I BlockC I O

slide-12
SLIDE 12

Blockmon: Applicability

§ Researchers and data providers agree on a set of blocks as primitives from which to build analyses. § Additional blocks may be distributed as object code signed by a trusted third party and dynamically loaded at runtime. § A given study is handed to data provider in terms of a composition. § Composition runs over live traffic from telescope, or replayed traces / pre-analyzed data kept by the data provider.

15 May 2012 - San Diego 12 Interdomain Measurement Data Sharing - DUST 2012

slide-13
SLIDE 13

Interdomain Data Exchange

§ Intermediate and final results of analyses sent to remote domains through an interdomain exchange point (IXP)

§ Data crossing domain boundaries always significantly reduced for scalability as well as privacy reasons.

§ Data subject to inspection at a proxy.

§ Forwarding logic is presently application-specific.

§ Data may be further analyzed by another Blockmon instance in the remote domain. § In certain circumstances, data protected by secure multiparty computation protocols such as SEPIA instead.

15 May 2012 - San Diego 13 Interdomain Measurement Data Sharing - DUST 2012

slide-14
SLIDE 14

Secure Multiparty Computation: SEPIA

§ Secure multiparty computation framework based on Shamir secret sharing. § Optimized for network traffic analysis and list/set

  • perations.

§ can be applied to aggregation over realistically large time bins from reasonably sized networks § parallelization of rounds reduces overhead among privacy peers

§ Applicable to aggregate or set operations on data from multiple sources without a trusted third party. § available under LGPL at http://sepia.ee.ethz.ch

15 May 2012 - San Diego 14 Interdomain Measurement Data Sharing - DUST 2012

slide-15
SLIDE 15

Secure Multiparty Computation: SEPIA

15 May 2012 - San Diego 15 Interdomain Measurement Data Sharing - DUST 2012

slide-16
SLIDE 16

SEPIA: Applicability

§ Example: aggregate traffic per port without exposing differences per provider among providers. § Example: union/intersection of unsolicited senders without attribution. § Limited to situations with

§ many data providers § relatively limited data volumes § easily defined aggregation operations

§ So: unclear whether it’s worth the trouble in most network telescope operations.

15 May 2012 - San Diego 16 Interdomain Measurement Data Sharing - DUST 2012

slide-17
SLIDE 17

Guidance for Darkspace Monitoring

§ Data sharing is fraught with peril…

§ and becomes moreso the closer you get to lit networks

§ …so share analysis instead of data.

§ Composable measurement is one way to do this § Sandboxing, code inspection/signing are other approaches § A common vocabulary for description (and tools supporting it) would be a third.

§ Reduce data aggressively close to the edge

§ Throw away what you know isn’t interesting.

§ Consider “live” analysis

§ Assume that unsolicited traffic is temporally non-unique.

15 May 2012 - San Diego 19 Interdomain Measurement Data Sharing - DUST 2012

slide-18
SLIDE 18

Acknowledgments

§ FP7-DEMONS project, especially… § Blockmon development team

§ NEC Laboratories Europe § University of Pisa § University of Rome Tor Vergata § ETH Zürich

15 May 2012 - San Diego 20 Interdomain Measurement Data Sharing - DUST 2012