Secure Grid Computing - GridSec Project - University of Southern ...

NPC-2004 Oct. 18, 2004 

Secure Grid Computing 

with Trusted Resources 

and Internet Datamining 

Kai Hwang 

Internet and Grid Computing Laboratory 

University of Southern California 

Keynote Presentation at IFIP International Conference on 

Network and Parallel Computing (NPC2004) 

Wuhan, China, October 18, 2004 

This presentation represents parts of research results 

generated by the GridSec team members at USC and ISI: 

Kai Hwang, Viktor Prasanna, Clifford Neuman, Tatyana Ryutov, 

Ricky Kwok, Shanshan Song, Hua Liu, Rohit Tripathi, Ying Chen, 

Jie Lv, Yu Chen, Min Cai, Eugene Song, Li Zhou, and Zachary Baker 

The GridSec web site 

http://GridSec.usc.edu 

Presentation Outline: 

• Security/Privacy Demands in Grid/P2P Computing 

• Minimal VPN Tunneling to Secure Communication 

• NetShield for Self Defense of Grid Resources 

• Fuzzy Logic for Trust Management in Grids 

(To be presented in Session 1A of NPC2004 after the coffee break) 

• Effective Heuristics and Fast Genetic Algorithms 

for Trusted Job Scheduling in Risky Grid 

Environment 

• Internet Datamining for Joint Anomaly and Intrusion 

Detection with Traffic Episode Classification 

1 

October 18, 2004, Kai Hwang http://GridSec.usc.edu 

2 

Security and Privacy Demands 

in Grid/P2P Computing 

GridSec: A Grid Security Project at USC 

• Trusted resource allocation, sharing, and scheduling 

• Secure communications among Grid sites, clusters, and 

protected download operations among peer machines 

Host 

Host 

Host 

3 

3 

3 

VPN 

Gateway 

Site S 1 

3 

Internet 

• Intrusion resistance, attack repelling, trace back, etc 

• Fortification hardware/software (firewalls, packet filters, VPN 

gateways, traffic monitors, etc. ) 

• Self-defense toolkits/middleware (Distributed IDSs, risk 

assessment, response automation) 

• Anonymity, confidentiality, data integrity, fine- grain access 

control, resolving conflicts in security policies, etc 

2 

Host 

3 

3 

Host 

Host 

3 

2 

3 

Host 

1 

3 

VPN 

Host 

3 

Site S 2 

Gateway 

VPN 

Gateway 

Host Site S 3 

Self-defense Steps at resource site : 

Step 1: Intrusion detected by host-based firewall /IDS 

Step 2: All VPN gateways are alerted with the intrusion 

Step 3: Gateways broadcast response commands to all hosts 


3 


4 

GridSec VPN : Combining both IPSec and MPLS 

Features for Distributed Security Enforcement 

Internet Traffic 

VPN Traffic 

Building Encrypted Tunnels between Grid 

Resource Networks in a Public World 

• The number of encrypted tunnels should grow with 

O(N) instead of O(N x N), where N is the number of Grid 

sites 

The Internet 

Grid 

Resource 

Sites 

• Using shortest path, security policy is enforced 

with minimal VPN tunnels to satisfy special Grid 

requirements, automatically 

• How to integrate security policies from various private 

networks through the public network 

A VPN specially configured on a public Infrastructure based on tunneling at 

the IPSec network layer. Same policies as a private network supported by 

service provider and using IPSec, MPLS, PKI, IPv6, attribute certificates, etc. 


5 

• How to resolve security policy conflicts among hosts, 

firewalls, switches, routers, and servers, etc. in a Grid 

environment 


6 

Keynote Presentation at the IFIP International Conference on Network and Parallel Computing, 

(NPC 2004), Wuhan, China, Oct. 18, 2004 1

NPC-2004 Oct. 18, 2004 

Trust Integration over a VPN Ring 

Aggregate costs in Single Sign-on 

operation over VPN vs. PKI Services 

V 

V 

Site S 2 

Site S 1 

Site S 4 

V 

SeGO 

Server 

VPN 

Gateway 

Hosts 

Site S 3 

Physical backbone 

VPN tunnel ring 

V Trust Vector 

Trust vector 

propagation 

User application 

and SeGO server 

negotiation 

Cooperating gateways working together 

to establish VPN tunnels for trust integration 

V 

Aggregate Service Cost 

10 

8 

6 

4 

GSI based 

VPN based 

2 

0 

10 20 30 40 50 60 70 80 90 100 

Grid Size 


7 


8 

Global GridSec Testing Environment 

International Collaborators in USA, 

France, China, and Australia 

USC NetShield Intrusion Defense System 

for Protecting Local Network 

of Grid Computing Resources 

INRIA, 

Sophia 

Antipolis, 

France 

ICT of CAS 

Beijing, 

China 

Melbourne 

University, 

Australia 

The GridSec 

over Internet 

USC Gateway, 

Los Angeles 

Trojan 

Cluster in 

IGC Lab. 

USC/ISD 

Supercluster 

USC NetShield Defense 

System and Testing 

Facilities 

Security 

Policy 

Manager 

Security 

Database 

ISP 

The 

Internet 

Network 

Router 

The 

NetShield 

System 

Firewall 

Datamining for Anomaly 

Intrusion Detection (IDS) 

Risk 

Assessment 

System (RAS) 

Intrusion 

Response 

System (IRS) 

Victim’s 

Internal 

Network 


9 


10 

Security-Driven Heuristics for Trusted Job 

Scheduling on Risky Grids 

• Min-min heuristics: 

‣ For each job, the resource site that gives the earliest completion time is 

selected first. The job that has the minimum earliest completion time is 

assigned to the selected resource site. 

• Sufferage heuristics: 

‣ The Sufferage heuristic is based on the idea that better mappings are 

generated by assigning a site to a job that would “suffer” most in terms of 

expected completion time 

• Three secure and risky scheduling modes: 

‣ Secure mode – Allocate jobs only to those Grid sites with security level 

exceeding the job requirement (SD < SL) 

‣ Risky mode – Allocate jobs to any available Grid sites without checking 

the risk level or the job demand 

‣ f-risky mode – Allocate jobs to those Grid sites taking at most f % risk 

Risk scale: 

0 f 100% 

( ) 0 P fail = P( fail) 

f 

P( fail )

NPC-2004 Oct. 18, 2004 

The bad things always happen --- Murphy’s Law 

Historical 

database 

We are scared. 

Let us just wait 

… 

☺☺ 

☺ 

☺ ☺ 

☺ 

☺ 

☺ ☺ ☺ 

☺☺ 

☺☺☺☺☺☺☺ 

We don’t care, just do 

it. I am courageous, not 

a kid anymore,…. 

☺ 

☺ 

☺ ☺ ☺ 

☺ 

☺ 

☺ ☺ ☺ 

Decreasing security demands 

(SD) from user jobs 

Decreasing security level (SL), assured 

by Grid sits or increasing risk levels 

I will run a calculated 

risk, but wait a while … 

☺ 

☺ ☺ ☺ 

☺ 

☺ 

☺ ☺ ☺ 


13 

☺ 

I calculate 

too, maybe I 

am lucky … 

(a) Secure Mode (b) Risky mode (c) f-risky mode 

NAS and PSA Workloads : 

• Parameters in Two Real Workloads: 

‣ NAS (Numerical Aerodynamic Simulation) 

Workload: 

• Resource sites: 12 sites (8: 8 nodes/site, 

4: 16 nodes/site) 

• Jobs: arrival time and workload from the trace file 

• N = 16,000 jobs running on M = 12 Grid sites 

‣ Parameter Sweep Application (PSA) Workload: 

• Site processing speed:10 levels, M = 20 sites 

• Job workload: 20 levels, N = 5,000 jobs 

• Job arrival: Poisson distribution 0.008 jobs/sec 


14 

Difference between Traditional GA and 

Space-Time Genetic Algorithms (STGA) 

in Term of Solution Quality 

--- Fast scheduling and easy to implement 

Solution 

Quality 

Generate random 

initial population 

STGA 

starting point 

GA 

STGA 

Good 

solution 

is found 

Evolution 

Iterations 

The starting point is based on prior solution database. 

Genetic Algorithms (GA) 

• Genetic Algorithms (GAs) are a popular technique used in 

search of large solution spaces. 

• GA is studied for job scheduling in heterogeneous 

computing and Grid environments. 

‣ It is powerful for generating some good solutions. 

‣ It is not widely used for its long computational time 

(overhead) 

How GA works 

0 

1 

0 

1 

0 

1 

1 

0 

0 

1 

0 

0 

0 

1 

0 

0 

1 

0 

0 

1 

0.3 0.6 0.9 0.6 

Initial Population 

0 

0 

0 

1 

0 

1 

1 

0 

0 

1 

0 

0 

0 

1 

0 

0 

1 

0 

0 

1 

0.9 0.6 0.9 0.6 

After selection 

0 

0 

0 

0 

1 

1 

1 

0 

1 

0 

0 

0 

0 

1 

0 

0 

1 

0 

0 

1 

1.0 0.4 0.9 0.6 

After crossover 

0 

0 

0 

0 

1 

1 

1 

0 

1 

0 

1 

0 

0 

1 

0 

0 

1 

0 

0 

1 

1.0 0.4 0.8 0.6 

After mutation 


15 


16 

Simulation of The Space-Time 

Genetic Algorithm (STGA) 

• STGA parameters: 

‣ Training data: 500 jobs 

‣ Look table size = 150 

‣ Initial population size = 200 

‣ Evolution times = 100 iterations 

• Compared with 1000 used in traditional GA 

‣ Crossover probability = 0.8 

‣ Mutation probability = 0.01 

The Total Execution Time of 16,000 jobs 

on 12 Grid sites with 8 or 16 nodes per site 

--- Makespan in seconds under the NAS Workload with 

uniform distributions on site security level (0.4 – 1.0) 

and on job security demand (0.6 – 0.9) 

Makespan (seconds) 

7x10 6 

6x10 6 

5x10 6 

4x10 6 

3x10 6 

2x10 6 

1x10 6 

0 

1 2 3 4 5 6 7 

Min-min 

Secure 

Min-Min 

f-Risky 

Min-min 

Risky 

Sufferage 


Sufferage 

f-Risky 

Sufferage 

Risky 

STGA 


17 


18 



NPC-2004 Oct. 18, 2004 

Relative Performance of Three Scheduling 

Algorithms on the NAS Workload under 

Three Different Risky Conditions 

Scheduling Algorithms Makespan (sec) Ave. Rsp. Time (sec) Ranking 

The Total Execution Time of 5,000 jobs 

on 20 Grid sites with10 levels of site speed 

--- Makespan in second under the PSA workload with uniform 

distributions on the site security level (0.4 – 1.0) and on the job 

security demand (0.6-0.9) 

Min-Min Secure 6491186 131% 1308360 203% ≈ 4 th 

0.5-Risky 5714605 115 % 926952 144 % ≈ 3 rd 

Risky 5402546 109 % 811873 126 % ≈ 2 nd 

Sufferage Secure 6454823 130 % 1292948 201 % ≈ 4 th 

0.5-Risky 5834757 118 % 999765 155 % ≈ 3 rd 

Risky 5441722 110 % 819667 127 % ≈ 2 nd 

STGA 4939777 100 % 643076 100 % 1 st 

Makespan(seconds) 

2.0x10 6 

1.5x10 6 

1.0x10 6 

5.0x10 5 

0.0 

Min-min 

1 2 3 4 5 6 7 


Min-min 

f-Risky 

Min-min 

Risky 

Sufferage 


Sufferage 

f-Secure 

Sufferage 

Risky 

STGA 


19 


20 

Total Grid Site Resource Utilization (%) 

Basic Concept of Internet Episodes 

--- Plotted for a partially risky situation with f = 0.5 

under the PSA workload distributed to 20 Grid sites 

100 

• Event Type: A, B, C, D, E, F, etc. 

Site Utilization (%) 

80 

60 

40 

20 

0 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 

Grid Resource Site 

Min-Min f-risky 

Sufferage f-risky 

STGA 

• Event Sequence: e.g., 

• Window: Event sequence with a particular width 

• Episode: partially ordered set of events, e.g. whenever A occurs, B 

will occur soon 

• Frequency of episode: fraction of windows in which episode occurs 

• Frequent episode: set of episodes having a frequency over a 

particular frequency threshold 

• Frequent episode rules are generated to describe the 

connection events 


21 


22 

Frequent Episode Rules (FER) 

for Characterizing Network Traffic Connections 

E → D, F ( c, s ) 

The episode of 3 connection events (E, D, F) = (http, smpt, telent). 

On the LHS , we have the event E (http). On the RHS, we have two 

consequence events D (smpt) and F(telnet); where s is the 

support probablity and c is the confidence level specified below: 

(service = http, flag = SF) → 

(service = smpt, srcbyte = 5000), 

(service = telnet, flag = SF) (0.8, 0.9) 

Support probability s = 0.9 and Confidence level c = 0.8 that the 

episode will take place in a typical traffic stream 

The JAIDS Architecture 

Audit records 

from traffic data 

Known 

attack 

signatures 

from ISD 

provider 

Single-connection attacks 

detected at packet level 

IDS 

Signature 

Matching 

Engine 

Attack 

Signature 

Database 

Unknown 

or burst 

attacks 

New 

signatures 

from 

anomalies 

detected 

Episode Rule 

Database 

ADS 

Training data from 

audit normal traffic 

records 

Episode 

Mining 

Engine 

ADS 

Signature 

Generator 

Anomalies detected 

over multiple 

connections 


23 


24 



NPC-2004 Oct. 18, 2004 

Internet Datamining 

for Episode Rule Generation 

Attack Spectrum 

in 10 Days of Experimentation 

Audit data 

Feature 

extraction 

Connection 

Records 

Episode rule 

mining Engine 

Training 

phase 

Detection 

phase 

Attack-free 

episode rules 

Rules from 

real-time 

traffic 

Normal 

profile 

database 

Anomaly 

Detection 

Engine 

Alarm 

Generation 

Attack numbers 

20 

15 

10 

5 

0 

Day1 Day2 Day3 Day4 Day5 Day6 Day7 Day8 Day9 Day10 

Days 

DoS 

U2R 

R2L 

Probe 


25 


26 

Automated Signature Generation 

1. Label relevant connections to 

associate with an FER. 

Online traffic episode rules 

from the datamining engine 

Success Rates of Snort (a Network IDS), a 

Pure Anomaly Detection System (ADS), and the 

Joint Anomaly and Intrusion Detection System (JAIDS) 

Yes 

Episode Frequency 

exceeding the rule 

threshold 

No 

Yes (Massive attacks) 

2 Calculate additional information such 

as connection count, average and 

percentage of connections, etc. 

3 Select one of the predefined classifiers 

4 Use the selected classifier to classify the attack 

class and find the relevant connections 

5 Extract common features in all identified 

connections, such as the IP addresses, protocol, 

etc. to form the signature 

Episode rules 

matching the normal 

FER database 

No (Stealthy attacks) 

2 Check error flags or other useful 

temporal statistics 

3 Extract common features such 

as IP addresses, protocol, etc. 

to form the signature 

Adding new 

signatures to the 

Snort database 

Ignore the normal episode rules from legitimate users (No anomaly detected) 


27 


28 

False Alarms out of 201 Attacks in JAIDS 

Triggered by Different Attack Types 

under Various Scanning Window Sizes 

Detection Rates of Snort (a Network IDS), a 

custom-designed Anomaly Detection System (ADS), 

Joint Anomaly/Intrusion Detection System (JAIDS) 

Number of False Alarms 

18 

16 

14 

12 

10 

8 

6 

4 

2 

0 

100 300 500 1000 7200 

Wi ndow Si ze (Second) 

R2L 

DoS 

Pr obe 

U2R 

Using larger windows result in more false alarms. Shorter windows in 300 sec 

or less are better in the sense that shorter episodes will be mined to produce 

shorter rules, leading to faster rule matching in the anomaly detection process 

Intrusion Detection 

Rate (%) 

70 

60 

50 

40 

30 

20 

10 

0 

DoS U2R R2L PROBE Tot a l 

At t a c k Type s 

SNORT 

ADS 

JAIDS 

On the average, the JAIDS (white bars) outperforms 

the Snort and ADS by 51% and 40%, respectively 


29 


30 



NPC-2004 Oct. 18, 2004 

ROC Curves for 4 Attack Classes 

on The Simulated JAIDS 

ROC Performance of Three 

Intrusion Detection Systems 

Intrusion Detection Rate (%) 

80 

70 

60 

50 

40 

30 

20 

10 

0 

0 2 4 6 8 10 12 

False Alarm Rate (%) 

DoS 

Pr obe 

R2L 

U2R 

Intrusion Detection Rate 

(%) 

80 

70 

60 

50 

40 

30 

20 

10 

0 

0 2 4 6 8 10 12 

False Alarm Rate (%) 

JAIDS 

Snor t 

ADS 


31 


32 

Final Remarks: 

• The security-driven Min-Min and Sufferage heuristics and the 

new space-time genetic algorithm (STGA) are fast and easy to 

implement in a risky open Grid environment to yield 

satisfactory performance with low overhead. 

• The new Internet episode detection scheme (JAIDS) can cope 

with both known and unknown network attacks. This will 

secure many Grid/P2P operations in using common Internet 

services: telnet, http, ftp, smtp, Email, authentication, etc. 

• The NetShield self-defense IDS/IRD system is still under 

development at USC. For ultra security-sensitive Grid services, 

we recommend the use of dedicated VPN tunnels to secure Grid 

communications and safeguard P2P download operations. 

Hot Research Thrust Areas: 

• Perfection of the trust models for protecting virtual 

organizations with scalable Grid applications without worry 

about infections or becoming victims by participating in 

collective operations – In particular, the fuzzy- and gametheoretical 

approaches are promising. 

• Large-scale benchmark experiments on open Grids are 

desired to work out some semi-optimal solutions to real-life 

scientific and business Grid applications 

• Internet datamining for security control and for the guarantee 

of the Quality-of-Service in real-life Grid applications – 

Interoperability between wired and wireless Grids is also a 

very hot issue. 


33 


34 

Recent Papers or Reports : 

1. K. Hwang, S. Song, and J. Lv, “ GridSec: Grid Security Enforcement with 

Trust Integration over Minimal VPN Tunnels”, USC Technical Report 2004 –13, 

IEEE Computer Magazine, submitted July 2004. 

2. S. Song, K. Hwang, and M. Macwan, “Fuzzy Trust Integration for Security 

Enforcement in Grid Computing”, Proc. of NPC 2004, Wuhan, China, 

October 18, 2004 

3. M. Qin and K. Hwang, “Frequent Episode Rules for Internet Traffic Analysis 

and Anomaly Detection”, IEEE Network Computing and Application Symp. 

(NCA-2004), Cambridge, MA. August 31, 2004 

4. K. Hwang, H. Liu, Y. Chen, and M.Qin,“ Protecting Network-Centric Systems 

with Joint Anomaly/Intrusion Detection over Internet Episodes”, USC 

Technical Report 2004 –17, submitted to IPDPS 2005, Oct.8, 2004 

Questions or Taking the Coffee Break 

5. S. Song, R. Kwok, and K. Hwang, “ Trusted Job Scheduling in Open 

Computational Grids: Security-Driven Heuristics and A Fast Genetic 

Algorithm”, USC Technical Report 2004 –18, submitted to IPDPS 2005, Oct.8, 

2004 


35 


36

Secure Grid Computing - GridSec Project - University of Southern ...

Create successful ePaper yourself

Delete template?

Save as template?