Distributed Security Enforcement for Trusted Cluster and Grid ...

Distributed Security 

Enforcement for Trusted 

Cluster and Grid Computing 

Keynote address at the IEEE 

International Conference on Cluster Computing 

(Cluster 2003), Hong Kong, Dec. 2, 2003 

Kai Hwang 

Internet and Grid Computing Lab 

University of Southern California 

Los Angeles, CA. 90089 USA 

2/17/2004 1

Presentation Outline: 

1. Distributed GridSec Architecture 

2. Virtual Private Networks for Distributed 

Security Enforcement 

3. Anomaly Intrusion Detection with 

Datamining over Network Traffic 

4. Security-Assured Resource Allocation 

5. Wireless Access Control in Grid Computing 

2/17/2004, Kai Hwang, USC 2

Evolutional Path of 

Network-based Computing 

Application 

to eliminate Resource Islands 

Grid 

grid://… 

Application 

Web Page 

Computer 

Web 

http://......... 

Internet 

telnet://.... , 

ftp://..... 

Web Page 

Computer 

Courtesy: Dr. Zhiwei Xu, Chinese Academy of Sciences 


Trust, Security, and Privacy 

• Trust vs. Risk – The foundation of security and 

privacy in both human society and Cyberspace 

• Distributed Computing Security – 

More effective with a centralized policy enforced 

with a distributed control 

• Internet Privacy – Must be protected with 

tradeoffs between security constraints and 

privacy demand 


Security vs. Scalability 

Fully 

Secured 

Increasing 

Security 

No 

Protection 

A distributed security system supporting 

fine-grain resource access with 

automatic intrusion prevention, 

Clusters/Intranets 

detection, and responses 

protected by gateway based on dynamic security 

firewalls under a 

policies, adaptive 

static policy 

cryptographic engines, 

Web sites 

or LANs 

with limited 

security 

or privacy 

protection 

with fixed 

cryptography 

and privacy 

protection 

privacy protection, 

and special network 

security interfaces, 

etc. 

Web sites/LANs Clusters/Intranets Grids/Internet 

Increasing Scalability 


Distributed GridSec Architecture 

Host 

Host 

3 


Resource 

Domain 1 

Host 

Host 

3 

3 

Host 

3 

1 


Resource 

Domain 2 

3 

3 

Host 

2 

Host 

Host 


Manager 

3 

2 


Resource 

Domain 3 

3 

3 

Host 


Boundary 

Step 1: 

Intrusion detected 

by a local microfirewall 

Step 2: 

All security 

managers alerted 

with the intrusion 

Step 3: 

Security managers 

broadcast 

response 

command to all 

hosts under their 

jurisdiction. 

(Source: Hwang, et al [1]) 


GridSec Design Objectives: 

• Remove the security barrier hindering distributed grid 

computing - Offering a new trust model 

• GridSec offers distributed intelligence in trust 

management on top of Globus, AppLes, NimRod etc. 

• Dynamic grid resource allocation optimized with respect 

to computing power, security demand, and cost limit 

• Benefiting E-commerce, digital government, public 

safety, and global economy over the Internet using 

GridSec-based VPN tunneling 


USC NetShield Defense System 

Protecting Grid Computing Resources 

ISP 

The The 

Internet 

Network 

Router 

The 

NetShield 

System 

Firewall 

Datamining for 

Anomaly Intrusion 

Detection (IDS) 

Risk 

Assessment 

System (RAS) 

Intrusion 

Response 

System (IRS) 

Victim’s 

Internal 

Network 


GridSec VPN : Combining both IPSec and MPLS 

Features for Federated Security 

Internet Traffic 

VPN Traffic 

The Internet 


Resource 

Sites 

A VPN specially configured on a public Infrastructure based on tunneling at the IPSec 

network layer. Same policies as a private network supported by service provider and 

using IPSec, MPLS, PKI, GridSec, attribute certificates, etc. 


A 

Secure Grid Resource Management 

supported by VPN 

2 

3 

B 

3 

2 

2 

C 

7 

3 

D 

2 

Resource 

Manager 

Trust 

Manager 

F 

2 

SARA 

3 

2 

3 

1 

4 

5 

E 

6 

VPN 

Step 1: Two-way authentication and User 

request submission to resource manager 

(RMgr) in Grid resource site F (GRS F). 

Step 2: RMgr in GRS F broadcast this request 

RMgrs in other GRSs. 

Step 3: RMgrs in other GRSs send reply to 

RMgr in GRS F with the current available 

resource information. 

Step 4: RMgr in GRS F generates several 

possible resource allocation solutions based on 

the received information, and sent back to user. 

Step 5: User selects one solution based on its 

computing power requirement and budget 

constraints, and reply to RMgr in GRS F. 

Step 6: Suppose user selects a resource 

allocation combination {A, E, F}, VPN 

connections are built between them, and user 

application is executed at these three GRSs. 

Step 7: RMgr in GRS F monitored the 

execution of user application and update the 

trust vector according to the execution quality. 

Step 8: Trust propagation: TMgr in each GRS 

broadcasts its trust vector periodically. TMgrs 

in other GRSs will update their trust vector 

accordingly. 

2/17/2004, Kai Hwang, USC 10

Developing Virtual Private Networks 

for Securing Grid Computing 

• Create encrypted tunnels between private 

networks used to form the Grid computing 

infrastructure 

• The GridSec project chooses an approach 

combining the advantages of both IPsec-based 

and MPLS-based VPNs 

• Aimed to satisfy the IPv6 standards proposed for 

both wired and wireless networks for the nextgeneration 

Internet 

(Reference: Hwang, et al [1]) 

2/17/2004, Kai Hwang, USC 11

GridSec VPN Design: Built with Encrypted Tunnels, 

IPSec, and PKI over Grid or P2P Resource Sites 

Protocol 

In VPN 

Applications 


Level 


Mechanisms 

Where in 

Network 

IPSec 

VPN 

Site-to-site VPNs, 

off-net VPNs, 

extranets, sessions 

(DSL, dial-in, etc.) 

High 

Strong encryption 

(3DES), data 

authentication (HMAC 

and SHA-1), user 

authentication 

(RADIUS and PKI) 

Best at local 

loop and Edge, 

apply IPSec 

tunneling and 

encryption 

MPLS 

VPN 

Site-to-site VPNs 

Ultra High 

“Tunnel” between 

end-points with 

same VPN ID 

Best within an 

ISP’s core 

network 

GridSec 

VPN 

VPNs built over 

distributed Grid or 

P2P networks with 

multiple resource 

sites 

Ultra High 

IPSec with multi-site 

authentication, VPN 

tunnels at network 

layer and using PKI, 

AC, GSI, etc. 

Intranet or 

extranet within a 

common virtual 

organization 

2/17/2004, Kai Hwang, USC 12

Anomaly-based IDS Architecture 

Audit data 

Data 

preprocessor 

Data mining 

Engine 

Attack-free 

episode rules 

Intrusion 

Detection 

Engine 

Feature 

extraction 

Signature 

Database 

Rules from realtime 

traffic 

Anomaly 

Detection 

Engine 

Normal 

profile 

database 

Alarm 

generator 

Alarm generation 

Security policy 

(Ref.: Qin and Hwang [3]) 

2/17/2004, Kai Hwang, USC 13

Testing of the Base-Support Mining Algorithm 

on Normal TCP Traffic Connections 

from the 1999 DARPA Intrusion Detection Evaluation 

Data Sets collected in the first 10 Days 

400 

Number of episode rules 

generated 

350 

300 

250 

200 

150 

100 

50 

Base-support algorithm, minimum 

base-support=0.1 

Base-support algorithm w ith 

minimum base-support=0.3 

level-w ise algorithm, initial support 

value=0.1 

level-w ise algorithm, initial support 

value=0.3 

0 

1 4 7 10 

Training sets in days 

Using our base-support mining algorithm with a minimum 

confidence value of 0.6 and a window size of 30 sec, 

compared with using Lee’s Level-wise mining algorithm 

2/17/2004, Kai Hwang, USC 14

Pruning of Ineffective Episode Rules 

• Transposition Law: The rule: L 1 

, L 2, 

…, L n 

→ R 1 

,…., R m 

is more effective than using the rule: 

L 1 

, L 2, 

…, L n-1 

→ L n 

, R 1 ,…., R m 

• Elimination Law: The rule L 1 

, L 2 

→ R 1 

(c 1 

, s 1 

) is less 

effective than using : L 2 

→R 1 

(c 2 

, s 2 

), if c1 ≈ c2 

• Transitive Reconstruction Law: The rule: L 1 

→R 1 

, R 2 

becomes ineffective, if we have the following rules 

L 1 

→ R 1 

and R 1 

→R 2 

already in the rule set 

2/17/2004, Kai Hwang, USC 15

Effects of Pruning on the Growth of Frequent Episode 

Rules for Inter-LAN and Intra-LAN Traffic Events 

Number of Rules Generated 

700 

600 

500 

400 

300 

200 

100 

0 

Inter-LA N FE R s 

Pruned inter-LAN FERs 

Intra-LA N FE R s 

Pruned intra-LAN FERs 

0 20 40 60 80 100 120 140 160 

Window Size(Sec) 

The base-support = 0.1, the minimum confidence = 0.6, the reference 

attributes = destination, and axis attributes = service 

2/17/2004, Kai Hwang, USC 16

Anomaly Intrusion Detection Rate 

35 

Total number of attacks detected 

30 

25 

20 

15 

10 

5 

0 

DoS R2L Probe 

Attack category 

Intrusions detected by 

single packet/connection 

anomalies 

Intrusions detected by 

FER anomalies 

Intrusive attacks detected by single packet per 

connection versus checking the frequent episode rules 

2/17/2004, Kai Hwang, USC 17

Effect of Pruning on Reducing the False 

Alarm Rate in Anomaly Intrusion Detection 

number of false alarm raised 

16 

14 

12 

10 

8 

6 

4 

2 

0 

100 300 500 1000 7200 

Scanning period (sec) 

Blue bar: Detection without rule pruning 

Purple bar: Detection with rule purning 

2/17/2004, Kai Hwang, USC 18

Intrusion Response Strategies 

for Defending against DDoS Attacks 

p0 

DDoS 

p1 

p2 

Single-Packet Attack 

Multiple-Packet Attack 

1. Drop Pack 

p3 

p4 

p5 

2. Block Host IP 

New 

Packets 

Running 

Process 

Stop 

Attackers 

1. Buffer Packet, 

2. Limit Resource 

3. Lower Priority 

4. Drop Packet 

5. Denial Request 

from Attacker 

6. Block IP 

1. Lower Processes Priority or 

or Limit Resource Usage 

2. Kill Processes 

3. Clean Up Service Table 

or Memory Usage 

4. Restart Service 

1. Trace 

Back 

2. Push 

back 

(The 

Internet) 

2/17/2004, Kai Hwang, USC 19



2/17/2004, Kai Hwang, USC 20



2/17/2004, Kai Hwang, USC 21



2/17/2004, Kai Hwang, USC 22



2/17/2004, Kai Hwang, USC 23

Optimal or Suboptimal Resource 

Allocation Vectors (x1, x2) with 

different Performance/Cost Ratios 

. 

2/17/2004, Kai Hwang, USC 24

SARA: A Trust Model for 

Securing Grid Resources Allocation 

GRS i 

Local 

Resource 

Monitor 

Resource 

Allocator 

SARA for GRS i 

User 


Manager 

for GRS i 

Trust 

Manager 

Authentication 

Manager 

Interface 

2/17/2004, Kai Hwang, USC 25

Example: Allocating Resources from Two Grid Sites 

Application Demand: (P o 

, T o 

, C o 

) = (4Tflops, 0.6, $2.25M) 

Resource Sit No. 1: R 1 

= (1.6Tflops, 0.8, $500K, 6 hosts) 

Resource Sit No. 2: R 2 

= (1.2Tflops, 0.7, $220K, 5 hosts) 

Objective function (Integer Programming): 

Subjective to the following constraints: 

2/17/2004, Kai Hwang, USC 26

Wireless Access Control of Grid Resources 

Wireless Ad Hoc Network/ 

Wireless Grid 

Sensor 

Sensor 

Sensor Network 

Sensor 

Internet / Wired Grid 

Digital Camera 

Cell phone 

PDA 

Laptop 

Laptop 

Wireless Ad Hoc Network/ 

Wireless Grid 

• Air interfaces, admission control, disconnection handling, wireless 

PKI, security binding, and QoS all demand extensive R/D 

• The GridSec VPN supports both wired and wireless communications 

in distributed cluster, grid , and pervasive applications 

2/17/2004, Kai Hwang, USC 27

The Architecture for Wireless 

Connection Admission Control 

Wireless 

connection 

requests from 

clients with 

traffic profile 

and the QoS 

requirements 

Effective 

bandwidth 

calculation 

Trust 

evaluation 

of client 

sources 

e ij 

t ij 

Connection 

Admission 

Control 

(CAC) 

Requested 

wireless 

connection 

granted or 

denied 

Trust information on clients 

or from traffic monitor 

Bandwidth constraints (C, 

C new and C handoff in Eqs. 1-3) 

Allocate the bandwidth to satisfy the 

given QoS and security requirements 

2/17/2004, Kai Hwang, USC 28

Secure Connection Admission 

based on Effective Bandwidth Allocation 

25 

Admissible Connections 

20 

15 

10 

5 

PB 

EB1 

EB2 

0 

0.13M 0.19M 0.26M 0.32M 

Allocated Bandwidth 

Maximum number of admissible connections under different traffic 

condition. PB: Peak bandwidth method with zero drop rate, 

EB1: Effective bandwidth method 1 with 0.1% loss probability, 

EB2: Effective bandwidth method-2 with 1% loss probability) 

2/17/2004 29

Maximum Number of Admissible Connections 

70 

Number of Admissible Connections 

60 

50 

40 

30 

20 

10 

100% T rust 

90% T rust 

70% T rust 

0 

PB EB1 EB2 

EB1: Effective bandwidth method with 0.1% loss probability and 

EB2: Effective bandwidth method with 1% loss probability), 

PB: Peak bandwidth allocation method 

2/17/2004, Kai Hwang, USC 30

GridSec Research Team at USC 

and our International Collaborators: 

• Sponsored by a NSF/ITR Research Grant in the USA 

• Principal Investigator: Kai Hwang at USC 

Co-PI: Clifford Neuman at Information Science Institute, USC 

• Post-doctorial Researchers at ISI/USC 

Dr. Tatyana Ryutov and Dr. Dongho Kim 

• Research Assistants at USC EE and CS Departments: 

Min Qin, Shanshan Song, Yongjin Kim, Rakesh Rajbanshi, 

Ching-Hua Chuan, Gurpreet Grewal, Mikin Macwan, 

Narayana Jayaram, Yushun Zhang, Rohil Tripathi, ..... 

• International Collaborators: 

Prof. Michel Cosnard of INRIA, France 

Dr. Zhiwei Xu of Chinese Academy of Sciences 

Dr. Rajkumar Buyya of Melbourne Univ., Australia 

2/17/2004, Kai Hwang, USC 31

Global GridSec Testing Environment 

International Collaborators in USA, 

France, China, and Australia 

INRIA, 

Nice, 

France 

CAS/Vega 

Beijing, 

China 

The GridSec 

over Internet 

USC 

Gateway, 

Los Angeles 

Trojan 

Cluster in 

IGC Lab. 

USC/ISD 

Supercluster 


Policy 

Manager 


Database 

Melbourne 

University, 

Australia 

USC NetShield Defense 

System and Testing 

Facilities 

2/17/2004, Kai Hwang, USC 32



2/17/2004, Kai Hwang, USC 33



2/17/2004, Kai Hwang, USC 34

Conclusions: 

• GridSec for protecting distributed resources 

• Security-assured resource allocation (SARA) 

• Local resources fortified with NetShield library 

• Remote processing through GridSec VPN tunneling 

• Automated intrusion detection and response 

• Generating anomaly detection rules to build IDS 

• Adaptive intrusion response through risk assessment 

• Priority defense against DDoS and flood attacks 

• Continued research tasks and future directions: 

• Testing SARA and NetShield on GridSec testbed 

• Optimize the GridSec VPN architecture 

• Explore wireless Grid computing technology 

• Integrating pervasive, cluster, and Grid computing 

2/17/2004, Kai Hwang, USC 35

Recent Reports and Submitted Papers: 

1. K. Hwang, et al, “ GridSec: A Distributed VPN/IDS Architecture for 

Securing Grid Computing ”, Technical Report, Internet and Grid 

Computing Lab., Univ. of Southern Calif., Dec. 2003 (in preparation) 

2. S. Song, K. Hwang, and R. Rajbanshi, “Security-Assured Resource 

Allocation for Trusted Grid Computing”, submitted to IPDPS- 2004, 

October 16, 2003 

3. M. Qin and K. Hwang, “Effectively Generating Frequent Episode 

Rules for Anomaly-based Intrusion Detection”, submitted to IEEE 

Symposium on Security and Privacy, Nov.3, 2003 

4. Y. Kim and K. Hwang, “Secure Admission Control for Resolving 

Wireless Congestion in Grid Computing “, submitted to IEEE 

Internet Computing Magazine, Nov.27, 2003 

2/17/2004, Kai Hwang, USC 36

Distributed Security Enforcement for Trusted Cluster and Grid ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?