
Efficient and Effective Architecture for Intrusion Detection System

Prepared by Ashif Adnan, Omair Alam, Akhtaruzzaman
School of Computer Science, University of Windsor, ON, Canada

Outline
- Introduction
- Motivation
- Goal
- Related works
- Our observations
- Conclusion
- Acknowledgement
- References

Introduction
- Ubiquitous computing environment
- Intrusion Detection Systems: misuse based (activity is matched against signatures of known attacks) and anomaly based (activity is compared with a learned profile of normal behaviour and deviations are flagged)
- Intrusion determination: false positive (benign activity reported as an intrusion) and false negative (an intrusion that goes unreported)
- Intrusion detection rules
- Proactive intrusion detection

Motivation
- Tremendous growth of networks
- More availability of information, hence a growing need for information security
- Growing importance of IDS
- Lack of efficiency in data collection
- Inefficiency and inaccuracy in analyzing attacks
- Complexity in rule checking

Goal
An effective, efficient and secured intrusion detection system

Related works: New Approaches to Data Collection, Management and Analysis for IDS [1]
- The basic concept used was SMASH (Secure Monitoring system for information Assurance, analysis and Survivability of network Hazards)
- The basic need for implementing SMASH was network security
- The analysis helps reduce false positive and false negative determinations of intrusions

Related works (cont'd): Data Collection, Management and Analysis
Requirements for implementing SMASH sensors:
- Low cost
- No extreme bandwidth requirements
- Flexible
- Scalable
Wireless networks fulfil all of these requirements, with the additional advantage that sensors can be moved without disrupting the operational network.

Related works (cont'd): Data Collection, Management and Analysis
Features of the Gumstix used:
- A miniature computer that comes preloaded with a Linux operating system
- A 400 MHz processor
- A netCF stick, which combines a 100 Mbps Ethernet interface with a compact flash card adapter
- A compact flash wireless card
- It measures only 4" long by 3/4" wide and 1/2" thick; the motherboards measure 80 mm x 20 mm x 6.3 mm

Related works (cont'd): Data Collection, Management and Analysis
Figure 1: Gumstix computers
Figure 2: Gumstix motherboard
Graphic reference: http://www.gumstix.com/

Related works (cont'd): Data Collection, Management and Analysis
Collecting data using Gumstix. Setting up the network:
- Sensor (Gumstix) as the sniffer
- A central management system
- Network monitoring software such as tcpdump
- IDS application such as Snort
- Java application using socket programming

Related works (cont'd): Data Collection, Management and Analysis
Figure 3: Gumstix network setup

Related works (cont'd): Data Collection, Management and Analysis
Managing data over wireless
- Key issue: communication with the controlling workstation. If the sensor comes under a DDoS attack, its ability to send data back to the controller may be compromised.
- So the best solution is to make the sensor communicate with the management station on a dedicated, isolated network.
- An additional wired network would be unmanageable, so a wireless network is used.
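The data-collection setup above (a sensor running tcpdump/Snort, a socket application pushing its results to the central management station over the isolated network), written out as an added Python example. This is not code from the slides or from [1]; it assumes Snort's "fast" alert output as the sensor's input (the two sample lines are constructed), a length-prefixed JSON frame as the wire format, and MGMT_ADDR as a stand-in for the sensor's address on the management network:

```python
"""Sensor-side forwarding of Snort alerts to the central management station.

Added illustration, not code from the slides or from [1]: the alert source is
a few constructed Snort "fast"-format alert lines, the transport is a
length-prefixed JSON frame over TCP, and MGMT_ADDR stands in for the sensor's
address on the dedicated, isolated management network.
"""
import json
import re
import socket
import struct
import threading

MGMT_ADDR = "127.0.0.1"  # assumption: the management-network interface; loopback here so it runs offline

# Constructed sample lines in Snort's "fast" alert format (not taken from the slides).
SAMPLE_ALERTS = [
    "01/05-12:34:56.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:51322",
    "01/05-12:35:01.000100  [**] [1:1000001:1] LOCAL ICMP sweep [**] [Priority: 3] {ICMP} "
    "192.168.1.77 -> 192.168.1.10",
]

FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def _split_endpoint(endpoint):
    """'10.0.0.5:80' -> ('10.0.0.5', 80); ICMP endpoints carry no port."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)


def parse_fast_alert(line):
    """Parse one fast-format alert line into a dict; None if the line is not an alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    src, sport = _split_endpoint(m["src"])
    dst, dport = _split_endpoint(m["dst"])
    return {"ts": m["ts"], "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
            "msg": m["msg"], "classification": m["cls"], "priority": int(m["prio"]),
            "proto": m["proto"], "src": src, "sport": sport, "dst": dst, "dport": dport}


def encode_frame(record):
    """4-byte big-endian length prefix + UTF-8 JSON, so record boundaries survive TCP's byte stream."""
    payload = json.dumps(record, sort_keys=True).encode("utf-8")
    return struct.pack(">I", len(payload)) + payload


def decode_frames(buf):
    """Return (complete records, leftover bytes); a partial trailing frame waits for the next read."""
    records = []
    while len(buf) >= 4:
        (length,) = struct.unpack(">I", buf[:4])
        if len(buf) < 4 + length:
            break
        records.append(json.loads(buf[4:4 + length].decode("utf-8")))
        buf = buf[4 + length:]
    return records, buf


def forward_alerts(lines, addr, port):
    """Sensor side: parse Snort's output and push each alert to the controller."""
    with socket.create_connection((addr, port)) as conn:
        for line in lines:
            record = parse_fast_alert(line)
            if record:
                conn.sendall(encode_frame(record))


def collect(listener, sink):
    """Controller side: accept one sensor, reassemble frames across reads, append records to sink."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            records, buf = decode_frames(buf + chunk)
            sink.extend(records)


def loopback_demo():
    """Run controller and sensor in one process over loopback; returns what the controller received."""
    listener = socket.socket()
    listener.bind((MGMT_ADDR, 0))       # bind only on the management-side address
    listener.listen(1)
    received = []
    worker = threading.Thread(target=collect, args=(listener, received))
    worker.start()
    forward_alerts(SAMPLE_ALERTS, MGMT_ADDR, listener.getsockname()[1])
    worker.join()
    listener.close()
    return received
```

Two details matter in practice: the parser must tolerate alerts without a Classification field (Snort omits it for rules that have none), and the collector must reassemble frames across reads, since a wireless link will happily deliver half a record per recv(). Binding the listener only on the management-side address keeps the control channel off the monitored segment, which is the point of the dedicated, isolated network described above.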

Related works (cont'd): Analysis of the design
Analyzing data with data fusion and data mining techniques
- Data fusion is generally defined as the use of techniques that combine data from multiple sources and gather that information in order to achieve inferences that are more efficient than those achieved by means of a single source.
- Data mining is the principle of sorting through large amounts of data and picking out relevant information.
- The combination of data fusion and data mining techniques has the greatest potential to solve a major drawback of IDS: the unacceptable numbers of false positives and false negatives.

Related works (cont'd): High throughput string matching architecture for IDS/IPS [2]
IDS/IPS requirements:
- Worst-case performance
- Non-interrupting rule update
- High throughput per area

Related works (cont'd): String matching architecture
String matching engine
- The strings are broken down into a set of small state machines
- Hierarchical architecture: the highest level is the full device
- Each device holds the entire set of strings, reads one character in every cycle, computes the set of matches and reports them
- Devices can be replicated

Related works (cont'd): String matching architecture
Figure 4: The string matching engine of the high throughput architecture [2]
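The engine of Figure 4, as an added Python example that is not code from the slides or from [2]: a byte-wide Aho-Corasick automaton for a set of rule strings is split into n small state machines, each reading 8/n bits of every input byte, and the match set is recovered by AND-ing the partial match vectors of the n machines. The rule strings and the scanned buffer are constructed; n = 2, 4 and 8 are the values of Table 1.

```python
"""Bit-split string matching, the engine of the high-throughput architecture in [2].

Added illustration, not code from the slides or from [2]. Every split state is a
set of byte-wide Aho-Corasick states and carries a partial match vector (PMV), the
union of the match sets of those states; the AND of all n PMVs is exactly the match
set of the byte-wide machine, because a pattern is in every PMV only if the last
|pattern| input bytes agree with it in every bit group. Constructed sample data.
"""
from collections import deque

PATTERNS = [b"GET /", b"/etc/passwd", b"passwd", b"cmd.exe"]   # constructed rule strings
SAMPLE_DATA = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"      # constructed payload


def build_aho_corasick(patterns):
    """Full-DFA Aho-Corasick: dfa[state][byte] -> next state; match[state] -> set of pattern indices."""
    children, match = [{}], [set()]
    for idx, pat in enumerate(patterns):
        s = 0
        for byte in pat:
            if byte not in children[s]:
                children.append({})
                match.append(set())
                children[s][byte] = len(children) - 1
            s = children[s][byte]
        match[s].add(idx)
    dfa = [[0] * 256 for _ in children]
    fail = [0] * len(children)
    queue = deque()
    for byte, child in children[0].items():
        dfa[0][byte] = child
        queue.append(child)
    while queue:                      # breadth first, so fail[s] is finished before s
        s = queue.popleft()
        match[s] |= match[fail[s]]    # a state also matches everything its longest proper suffix matches
        for byte in range(256):
            child = children[s].get(byte)
            if child is None:
                dfa[s][byte] = dfa[fail[s]][byte]
            else:
                fail[child] = dfa[fail[s]][byte]
                dfa[s][byte] = child
                queue.append(child)
    return dfa, [frozenset(m) for m in match]


def bit_split(dfa, match, n_machines):
    """Subset-construct n machines; machine j reads bits [j*w, (j+1)*w) of each byte, w = 8/n.
    Returns a list of (trans, pmv, shift, mask) with trans[state][value] -> next split state."""
    assert 8 % n_machines == 0
    width = 8 // n_machines
    mask = (1 << width) - 1
    machines = []
    for j in range(n_machines):
        shift = j * width
        by_value = [[c for c in range(256) if (c >> shift) & mask == v] for v in range(1 << width)]
        states = [frozenset([0])]                 # split state = set of byte-wide states
        index = {states[0]: 0}
        trans = []
        i = 0
        while i < len(states):                    # states grows while we iterate
            row = []
            for v in range(1 << width):
                nxt = frozenset(dfa[q][c] for q in states[i] for c in by_value[v])
                if nxt not in index:
                    index[nxt] = len(states)
                    states.append(nxt)
                row.append(index[nxt])
            trans.append(row)
            i += 1
        pmv = [frozenset().union(*(match[q] for q in st)) for st in states]
        machines.append((trans, pmv, shift, mask))
    return machines


def scan_split(machines, data):
    """Step all split machines in lockstep; report (end_offset, pattern_index) for every match."""
    cur = [0] * len(machines)
    hits = []
    for pos, byte in enumerate(data):
        full = None
        for k, (trans, pmv, shift, mask) in enumerate(machines):
            cur[k] = trans[cur[k]][(byte >> shift) & mask]
            full = pmv[cur[k]] if full is None else full & pmv[cur[k]]
        hits.extend((pos, idx) for idx in sorted(full))
    return hits


def scan_full(dfa, match, data):
    """Reference scan with the byte-wide machine, to cross-check the split engine."""
    s, hits = 0, []
    for pos, byte in enumerate(data):
        s = dfa[s][byte]
        hits.extend((pos, idx) for idx in sorted(match[s]))
    return hits


def demo(n_machines=4, patterns=PATTERNS, data=SAMPLE_DATA):
    """Return (split-engine hits, byte-wide hits, split state counts) for the sample."""
    dfa, match = build_aho_corasick(patterns)
    machines = bit_split(dfa, match, n_machines)
    return scan_split(machines, data), scan_full(dfa, match, data), [len(m[0]) for m in machines]
```

The hardware win is in the transition tables: a byte-wide state needs 256 next-state entries, a split state only 2^(8/n), which is the fanout column of Table 1. The price is that each split machine has its own set of states and PMV storage, which is what the storage formula on the partitioning slide counts.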

Related works (cont'd): String matching architecture
Support for non-interrupting update
- Automated systems are used
- Faster than older FPGA (field-programmable gate array) based techniques
Figure 5: Non-interrupting update support [2]

Related works (cont'd): Analysis of the design
Theoretical optimal partitioning

For a set of S strings, each with L characters, the total number of bits the architecture requires is

T_{n,g} = n \lfloor S/g \rfloor \cdot 2^{\lfloor \log_2 (gL) \rfloor} \cdot \left( \lfloor \log_2 (gL) \rfloor \cdot 2^{8/n} + g \right)

where n is the number of state machines per rule module and g is the group size (strings per module). Reading the factors left to right: n machines in each of floor(S/g) modules, each machine with up to 2^{floor(log2(gL))} states, and each state storing 2^{8/n} next-state pointers of floor(log2(gL)) bits plus a g-bit partial match vector (one bit per string in the module).

Table 1: Optimal module size [2]

    n   Fanout (2^{8/n})   Storage in bits T_{n,g}
    2   16                 2 floor(S/g) 2^{floor(log2(gL))} (16 floor(log2(gL)) + g)
    4   4                  4 floor(S/g) 2^{floor(log2(gL))} (4 floor(log2(gL)) + g)
    8   2                  8 floor(S/g) 2^{floor(log2(gL))} (2 floor(log2(gL)) + g)

Related works (cont'd): Analysis of the design
Throughput analysis

    Description                                   Throughput (Gbps)   Char/Area (1/mm²)   Notes
    Bit-split FSM (group size 16)                 10.074              55.219              Bank size 64 B
                                                  9.759               72.592              Bank size 128 B
                                                  9.326               156.569             Bank size 256 B
    Sourdis and Pnevmatikatos, pre-decoded CAMs   9.708               23.482              4 B/cc, Virtex2-6000
                                                  4.913               22.682              4 B/cc, Spartan3-5000
    Hutchings et al., regular expressions         0.248               32.496              1 B/cc, Virtex-1000
                                                  0.400               32.496              1 B/cc, Virtex-1000
    ...                                           ...                 ...                 ...

(B/cc: bytes consumed per clock cycle. Only the first rows of the comparison are reproduced on the slide.)

Table 2: Detailed comparison of the bit-split FSM design and existing FPGA-based designs [2]

Related works: Utilizing fuzzy logic and neural networks for IDS in a wireless environment [3]
Current IDS:
- No correlation between host-based IDS and network-based IDS
- The database needs to be updated frequently for missed attacks
- Log files need to be analyzed over a long period of time
- A problem with anomaly detection is that a user can, over time, train the system to accept anomalous behaviour as normal by slowly adding to the attack
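The slow-training problem in the last bullet, as an added Python example that is not from the slides or from [3]. Both detectors use the same z-score rule on an exponentially weighted baseline; the anchored one additionally remembers the baseline learned in a trusted training window and alerts when the adapted mean has drifted away from it. The z-score threshold, the EWMA weight, the drift limit and the count series (daily counts of some audited event, e.g. failed logins) are all constructed for illustration:

```python
"""Slow-drift evasion of an adaptive anomaly detector, and a baseline anchor that catches it.

Added illustration (not from the slides or from [3]). The attacker raises the
audited count by roughly 10% a day; a detector that re-learns "normal" from every
observation follows the ramp and never alerts, while one that keeps the trusted
baseline notices that its own mean has wandered. All numbers are constructed.
"""
import math

TRAINING = [10, 9, 11, 10, 12, 8, 10, 11, 9, 10, 10, 11, 9, 10]   # trusted window: mean 10, std 1
SLOW_RAMP = [11, 12, 13, 15, 16, 18, 19, 21, 24, 26, 29, 31, 34, 38, 42, 46, 51, 56,
             61, 67, 74, 81, 90, 99, 108, 119, 131, 144, 159, 175]  # ~10% growth per day
SUDDEN_JUMP = [40]                                                  # the case both detectors catch


class AdaptiveDetector:
    """z-score against an exponentially weighted mean/variance updated by every observation."""

    def __init__(self, training, alpha=0.3, threshold=3.0, min_std=1.0):
        self.mean = sum(training) / len(training)
        self.var = sum((x - self.mean) ** 2 for x in training) / len(training)
        self.alpha, self.threshold, self.min_std = alpha, threshold, min_std

    def zscore(self, x):
        return (x - self.mean) / max(math.sqrt(self.var), self.min_std)

    def update(self, x):
        d = x - self.mean
        self.mean += self.alpha * d
        self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)

    def observe(self, x):
        """Return an alert label or None, then adapt the baseline (including to this observation)."""
        alert = "spike" if self.zscore(x) > self.threshold else None
        self.update(x)
        return alert


class AnchoredDetector(AdaptiveDetector):
    """Same rule, but keeps the trusted baseline and refuses to be walked away from it."""

    def __init__(self, training, drift_limit=3.0, **kw):
        super().__init__(training, **kw)
        self.ref_mean = self.mean
        self.ref_std = max(math.sqrt(self.var), self.min_std)
        self.drift_limit = drift_limit

    def observe(self, x):
        if self.zscore(x) > self.threshold:
            return "spike"                      # never learn from a flagged observation
        self.update(x)
        if abs(self.mean - self.ref_mean) > self.drift_limit * self.ref_std:
            return "drift"                      # the baseline itself has moved too far
        return None


def first_alert(detector, series):
    """(index, label) of the first alert, or None if the series never trips the detector."""
    for i, x in enumerate(series):
        label = detector.observe(x)
        if label:
            return (i, label)
    return None
```

On the ramp the adaptive detector's z-score peaks below 2.6 and then settles near 1.5, because its baseline grows with the attack; the anchored detector raises "drift" on the fifth day, when the adapted mean first exceeds three reference standard deviations above the trusted mean. A sudden jump trips both.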

Related works (cont'd): Fuzzy logic and neural network
Difference
Figure 6: Comparison between traditional and alternative misuse detection [3]

Related works (cont'd): Fuzzy logic and neural network
NeGPAIM-W2 model
Figure 7: General representation of NeGPAIM-W2 [3]

Related works (cont'd): Fuzzy logic and neural network
The fuzzy engine
- The fuzzy engine is one of the two low-level processing units of NeGPAIM-W2 and processes the input data.
- This engine is responsible for implementing the misuse detection methodology.
- The fuzzy engine first computes a template; the user action graph is then mapped against it to determine whether or not a user (intruder) has been, or is, performing an intrusion attack.

Related works (cont'd): Fuzzy logic and neural network
Neural engine
- The second low-level processing engine; it also processes the input data.
- This engine processes the data and searches through it for patterns of abnormal user behaviour that may be occurring (the anomaly detection side of the model).

Related works (cont'd): Fuzzy logic and neural network
Central analysis engine
- Determines the source of an attack.
- Determines the type of attack currently being perpetrated by the attacker.
- Takes into account all information gathered from the various sources and determines an overall intrusion probability.
- Finally, the engine uses the overall intrusion probability together with the type and source of the intrusion attack to perform a response to the intruder's actions.
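An added Python example for two passages above: the data fusion definition in the analysis of [1] (several sources together support an inference that none supports alone) and the central analysis engine's job of fusing everything it receives into one intrusion probability with a source, a type and a response. It also addresses the missing correlation between host-based and network-based IDS noted earlier. This is not code from the slides or from [3]; the combination rule (each indicator treated as independent evidence, combined with noisy-OR), the per-indicator weights, the five-minute window and every event are assumptions constructed for the example:

```python
"""Fusing network-sensor alerts with host events into one intrusion probability.

Added illustration, not code from the slides or from [3]. A network alert is
joined with host events on the targeted host inside a time window; the evidence
is combined with noisy-OR and the overall probability drives the response.
The weights, the window and all events are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed network alerts (e.g. from Snort on the sensors) with an assumed weight p per rule.
NIDS_ALERTS = [
    {"ts": "2016-01-05T13:10:00", "src": "10.0.0.5", "dst": "192.168.1.20", "type": "port scan", "p": 0.2},
    {"ts": "2016-01-05T12:34:50", "src": "192.168.1.77", "dst": "192.168.1.10", "type": "ssh brute force", "p": 0.5},
]
# Constructed host-based events reported by the monitored hosts themselves.
HIDS_EVENTS = [
    {"ts": "2016-01-05T12:35:30", "host": "192.168.1.10", "type": "failed login burst", "p": 0.4},
    {"ts": "2016-01-05T12:36:05", "host": "192.168.1.10", "type": "new admin account", "p": 0.6},
    {"ts": "2016-01-05T15:00:00", "host": "192.168.1.20", "type": "failed login burst", "p": 0.4},
]


def noisy_or(weights):
    """P(intrusion) when each indicator is an independent piece of evidence with its own weight."""
    p_none = 1.0
    for w in weights:
        p_none *= 1.0 - w
    return 1.0 - p_none


def correlate(nids, hids, window=timedelta(minutes=5)):
    """One incident per network alert, fused with host events on the targeted host inside `window`."""
    incidents = []
    for alert in sorted(nids, key=lambda a: a["ts"]):
        t0 = datetime.fromisoformat(alert["ts"])
        related = [e for e in hids
                   if e["host"] == alert["dst"] and t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window]
        evidence = [alert] + sorted(related, key=lambda e: e["ts"])
        incidents.append({
            "source": alert["src"],
            "target": alert["dst"],
            "type": alert["type"],
            "evidence": [e["type"] for e in evidence],
            "probability": round(noisy_or(e["p"] for e in evidence), 3),
        })
    return incidents


def response(incident, block_at=0.8, notify_at=0.5):
    """Map the overall probability to an action, as the central analysis engine does."""
    if incident["probability"] >= block_at:
        return "block %s and isolate %s" % (incident["source"], incident["target"])
    if incident["probability"] >= notify_at:
        return "notify analyst"
    return "log only"
```

Neither source crosses the blocking threshold on its own: the brute-force alert alone carries 0.5 and the two host events together only 0.76, but fused with the network alert that names the source they reach 0.88. The port scan against the other host has no host event within its window and stays at 0.2.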

Related works (cont'd): Analysis of the design
Figure 8: Risk analysis (fuzzy engine, neural engine and central analysis engine, with example risk levels of 6/9/75%, 5/8/70% and 7/10/80%)

Related works (cont'd): Analysis of the design
Method of testing
- Tested with a fully functional prototype called the Sentinel IDS test bed
- Microsoft Windows OS
- Tools: Airodump, Aireplay, Aircrack, SuperScan and Brutus
- Misuse test by the fuzzy engine: 98% accurate
- Anomaly test by the neural engine: 97% accurate

Our observations
Data collection, management and analysis for IDS [1]:
- Cumbersome and unwieldy to manage two or possibly more networks
- Need to back up the management station
String matching architecture [2]:
- Applicable to general search problems on general state machines
- Possible to improve throughput by reading in more than one byte per cycle
- Possible to extend the number of next states by reading in more than one byte
- Need to multiply throughput with only a reasonable increase in storage size

Our observations (cont'd)
Intrusion detection with fuzzy logic and neural networks [3]:
- Needs rigorous testing
- Potential bugs and vulnerabilities might weaken the WLAN security
- Cost of the wireless IDS solution may grow with the size of the WLAN

Our observations (cont'd): New architecture
Figure 9: Modified architecture for Intrusion Detection System. Components shown: the Sticky GUM architecture for data collection fed by access point logs, the high throughput string matching rule-based architecture with its rule database, and the fuzzy engine, neural engine and central analysis engine (risk levels 6/9/75%, 5/8/70% and 7/10/80%)

Conclusion
Observed steps:
- Investigation of a new approach to data collection, management and analysis for IDS using Gumstix [1]
- Investigation of a high throughput string matching architecture for IDS [2]
- Utilization of fuzzy logic and neural networks for IDS using the NeGPAIM-W2 model [3]
Our proposed idea: an efficient and effective architecture for intrusion detection systems that brings these three together (Figure 9)

Acknowledgement
We would like to thank our professor for his great support and for giving us the opportunity to learn about network security.
We would like to thank our audience for listening to our presentation.

References
[1] E. Derrick, R. Tibbs, L. Reynolds. Investigating new approaches to data collection, management and analysis for network intrusion detection. In Proc. of the 45th Annual Southeast Regional Conference (ACM-SE 45), pp. 283-287, ACM Press, 2007.
[2] L. Tan, T. Sherwood. A high throughput string matching architecture for intrusion detection and prevention. In Proc. of the 32nd International Symposium on Computer Architecture (ISCA), Vol. 33, Issue 2, pp. 112-122, IEEE Computer Society, 2005.
[3] R. Goss, M. Botha, R. Solms. Utilizing fuzzy logic and neural networks for effective, preventative intrusion detection in a wireless environment. In Proc. of the 2007 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on IT Research in Developing Countries (SAICSIT '07), Vol. 26, pp. 29-35, ACM Press, 2007.
[4] Gumstix, Inc. Gumstix – Way small computing. http://gumstix.com/index.html.
[5] S. A. Crosby and D. S. Wallach. Denial of service via algorithmic complexity attacks. In Proc. of the USENIX Annual Technical Conference, June 2003.
[6] http://portal.acm.org/citation.cfm?id=1292491.1292495.

The End

Questions?