
Upload: hortense-dean

Post on 08-Jan-2018



Hardened IDS using IXP

Didier Contis, Dr. Wenke Lee, Dr. David Schimmel, Chris Clark, Jun Li, Chengai Lu, Weidong Shi, Ashley Thomas, Yi Zhang

Current Network Intrusion Detection Systems (NIDS) are software based. They have a number of issues and limitations, including:

• An inability to keep up with throughput significantly greater than 100 Mb/s
• An inability to deal with encrypted traffic (VPN)
• An inability to utilize knowledge of network topology and OS
• Not easily scalable as the network becomes more complex and higher speed

Motivation

Create a new generation of network hardware based IDS / Firewall sensor, integrated on the Network Card

Take advantage of the hardware and the network sensors to create a global distributed and adaptable IDS

The Vision

Implementation of a proof of concept:

1. Port open-source software IDS systems such as Bro or Snort on the StrongArm

2. Offload some of the CPU intensive functions of these software IDS to the Micro-Engines (CRC checksums, Defragmentation, Sanity checks)

3. Investigate the use of FPGA based co-processor to work with the IXP1200, to perform some specific tasks (TCP state-tracking and reassembly)

Current Project

[Figure: Conventional software-based IDS. Labelled stages: Network -> NIC -> Host; on the host, tcpdump filters in libpcap turn the packet stream into a filtered packet stream, the Event Engine turns that into an event stream, and the Policy Script Interpreter (driven by a policy script, with event control feeding back to the Event Engine) produces the alerts.]

Conventional Software-based IDS

[Figure: Current implementation of an IXP-based IDS. The same pipeline (packet stream, filtered packet stream, event stream, alerts, policy script, event control, tcpdump filters) is split between the network card, with its StrongARM and micro-engines, and the host. Component roles as labelled: Network: header analysis, filtering. Libpcap: compatibility with existing IDSs. Event Engine: IP defragmentation, TCP reassembly, event generation. Policy Script Interpreter: on the host.]

Current Implementation of an IXP-based IDS

[Figure: Proposed implementation of an IXP-based IDS with FPGAs. LAN -> Network Card -> Host -> Alerts. On the network card (IXP1200), functions performed at the micro-engine level: capture of network traffic (e.g. receipt of Ethernet frames); IP packet preprocessing: CRC check, IP defragmentation, IP options check. Re-programmable co-processors: TCP stream reassembly, ... On the host, IDS analysis: pattern matching, behavioral model.]

Proposed Implementation of an IXP-based IDS with FPGAs

[Figure: Block diagram of the reassembly unit. Inputs: CLK, enable, data_in, payload data, TCP/IP header elements. Blocks: Input State-Machine, Connection State-Machine, Ack/Seq Tracking Unit, Buffer, Memory Gateway. Storage: two SelectRAM banks, one per direction (client -> server and server -> client), of 1, 2, 3, 8 or 16 kB. Outputs: exception_flags, read, server, data_valid, data_out.]

Block diagram of the reassembly unit

A TCP reassembly unit has been implemented in VHDL and mapped to a Xilinx XCV1000. This prototype is currently being ported to the Celoxica FPGA environment.

A dynamically reconfigurable FPGA implementation permits adaptive allocation of detection resources, and therefore more accurate and efficient pattern matching or behavioral analysis.

TCP Reassembly in Hardware
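The poster does not reproduce the VHDL, so the following C model is an added example of the behaviour such a reassembly unit has to implement: ack/seq tracking against the next expected sequence number, a small fixed buffer for out-of-order segments (the role the SelectRAM banks play in the diagram), in-order delivery to the analysis engine, and exception flags for retransmissions, overlapping segments and buffer exhaustion. Surfacing those flags rather than silently resolving them matters to an IDS, because overlapping or inconsistent segments are exactly what lets a sensor's view of a stream diverge from the end host's. Slot counts, buffer sizes, flag names and the sample segments are all constructed for this example, not taken from the project.

```c
/* Added example (not from the poster): a C model of a one-direction TCP
 * reassembly unit in the spirit of the VHDL block described above. Names,
 * sizes and flag values are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS      4    /* out-of-order segment slots, the analog of the SelectRAM buffers */
#define SEG_MAX    64   /* payload bytes one slot can hold */
#define STREAM_MAX 256  /* in-order bytes handed on to the analysis engine */

/* exception_flags raised toward the analysis engine rather than silently resolved */
enum {
    EXC_NONE        = 0,
    EXC_RETRANSMIT  = 1 << 0, /* segment entirely covered by data already delivered */
    EXC_OVERLAP     = 1 << 1, /* segment partially overlaps delivered or buffered data */
    EXC_BUFFER_FULL = 1 << 2  /* no slot (or stream space) left; segment dropped */
};

typedef struct { int used; uint32_t seq; uint16_t len; uint8_t data[SEG_MAX]; } slot_t;

typedef struct {
    uint32_t next_seq;          /* Ack/Seq tracking: the next byte the stream expects */
    slot_t   slots[SLOTS];
    uint8_t  stream[STREAM_MAX];
    size_t   stream_len;
    unsigned exception_flags;
} reasm_t;

/* true if a precedes b in 32-bit sequence space (wrap-around safe) */
static int seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

static void reasm_init(reasm_t *r, uint32_t isn) { memset(r, 0, sizeof *r); r->next_seq = isn; }

/* append in-order bytes to the stream and advance the expected sequence number */
static void deliver(reasm_t *r, const uint8_t *d, uint16_t len) {
    if (r->stream_len + len > STREAM_MAX) { r->exception_flags |= EXC_BUFFER_FULL; return; }
    memcpy(r->stream + r->stream_len, d, len);
    r->stream_len += len;
    r->next_seq   += len;
}

/* release buffered segments that have become in-order; repeat until no progress */
static void drain(reasm_t *r) {
    for (int progress = 1; progress; ) {
        progress = 0;
        for (int i = 0; i < SLOTS; i++) {
            slot_t *s = &r->slots[i];
            if (!s->used || seq_before(r->next_seq, s->seq)) continue;   /* still in the future */
            uint32_t skip = r->next_seq - s->seq;                        /* 0 when exactly in order */
            if (skip >= s->len) r->exception_flags |= EXC_RETRANSMIT;    /* fully covered meanwhile */
            else {
                if (skip) r->exception_flags |= EXC_OVERLAP;             /* head overlaps delivered data */
                deliver(r, s->data + skip, (uint16_t)(s->len - skip));
            }
            s->used = 0;
            progress = 1;
        }
    }
}

/* feed one TCP segment (sequence number + payload) into the unit */
static void reasm_input(reasm_t *r, uint32_t seq, const uint8_t *data, uint16_t len) {
    if (len == 0 || len > SEG_MAX) return;
    uint32_t end = seq + len;
    if (!seq_before(r->next_seq, end)) { r->exception_flags |= EXC_RETRANSMIT; return; } /* old data */
    if (!seq_before(r->next_seq, seq)) {             /* seq <= next_seq: in order or head overlap */
        uint32_t skip = r->next_seq - seq;
        if (skip) r->exception_flags |= EXC_OVERLAP;
        deliver(r, data + skip, (uint16_t)(len - skip));
        drain(r);
        return;
    }
    /* future segment: flag any overlap with what is already buffered, then store it */
    slot_t *free_slot = NULL;
    for (int i = 0; i < SLOTS; i++) {
        slot_t *s = &r->slots[i];
        if (!s->used) { if (!free_slot) free_slot = s; continue; }
        if (seq_before(seq, s->seq + s->len) && seq_before(s->seq, end)) r->exception_flags |= EXC_OVERLAP;
    }
    if (!free_slot) { r->exception_flags |= EXC_BUFFER_FULL; return; }
    free_slot->used = 1; free_slot->seq = seq; free_slot->len = len;
    memcpy(free_slot->data, data, len);
}

int main(void) {
    reasm_t r;
    reasm_init(&r, 1000);                                    /* constructed initial sequence number */
    reasm_input(&r, 1000, (const uint8_t *)"GET ", 4);
    reasm_input(&r, 1006, (const uint8_t *)"HTTP/1.0", 8);   /* arrives early: buffered in a slot */
    reasm_input(&r, 1004, (const uint8_t *)"/ ", 2);         /* fills the hole and drains the slot */
    printf("stream=\"%.*s\" next_seq=%u flags=%u\n",
           (int)r.stream_len, (const char *)r.stream, r.next_seq, r.exception_flags);
    return 0;
}
```

The model hands the analysis engine only the in-order byte stream plus a flag word, which is the same contract the block diagram draws with data_out, data_valid and exception_flags. A hardware unit would add per-connection state selection and a second instance for the opposite direction, but the decision logic per segment is the one shown here.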

In parallel, microcode is being developed to off-load some of the CPU-intensive functions of the IDS:

• IP defragmentation
• Checksums at Layer 4
• Packet decoding
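Two of the per-packet checks the poster moves onto the IXP1200 micro-engines, the IPv4 header sanity and checksum check and the Layer-4 checksum, are modelled in C below as an added example; this is not the project's micro-engine code, which the poster does not include. The packet bytes, addresses and ports in `build_sample_packet()` are constructed for the example. The checks return flags instead of dropping, so the host-side analysis engine can decide how to treat a malformed or miscomputed packet.

```c
/* Added example (not from the poster): C model of two per-packet checks the
 * poster assigns to the micro-engines, the IPv4 header sanity/checksum check
 * and the Layer-4 (UDP) checksum. Packet bytes are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_UDP_NUM 17

/* fold bytes into a one's-complement accumulator (RFC 1071 style) */
static uint32_t csum_add(uint32_t acc, const uint8_t *p, size_t n) {
    for (size_t i = 0; i + 1 < n; i += 2) acc += ((uint32_t)p[i] << 8) | p[i + 1];
    if (n & 1) acc += (uint32_t)p[n - 1] << 8;   /* odd trailing byte is zero-padded */
    return acc;
}
/* carry-fold and complement; a sum over data plus its correct checksum folds to 0 */
static uint16_t csum_fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xFFFF) + (acc >> 16);
    return (uint16_t)~acc;
}

/* header sanity: version, IHL, lengths against the captured length, header checksum */
enum { IP_OK = 0, IP_BAD_VERSION = 1, IP_BAD_IHL = 2, IP_BAD_LENGTH = 4, IP_BAD_CSUM = 8 };
static unsigned ip_header_check(const uint8_t *pkt, size_t caplen) {
    unsigned flags = IP_OK;
    if (caplen < 20) return IP_BAD_LENGTH;
    if ((pkt[0] >> 4) != 4) flags |= IP_BAD_VERSION;
    size_t ihl   = (size_t)(pkt[0] & 0x0F) * 4;     /* 20..60 bytes; options live in 20..ihl */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || ihl > caplen) return flags | IP_BAD_IHL;
    if (total < ihl || total > caplen) flags |= IP_BAD_LENGTH;
    if (csum_fold(csum_add(0, pkt, ihl)) != 0) flags |= IP_BAD_CSUM;
    return flags;
}

/* UDP checksum over the IPv4 pseudo-header, the UDP header and the payload */
static uint16_t udp_checksum(const uint8_t *ip, const uint8_t *udp, size_t udp_len) {
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);                      /* source and destination address */
    pseudo[8] = 0; pseudo[9] = IPPROTO_UDP_NUM;
    pseudo[10] = (uint8_t)(udp_len >> 8); pseudo[11] = (uint8_t)udp_len;
    return csum_fold(csum_add(csum_add(0, pseudo, sizeof pseudo), udp, udp_len));
}
static int udp_checksum_ok(const uint8_t *ip, const uint8_t *udp, size_t udp_len) {
    if (udp[6] == 0 && udp[7] == 0) return 1;        /* sender disabled the checksum (IPv4 only) */
    return udp_checksum(ip, udp, udp_len) == 0;
}
static void udp_fill_checksum(const uint8_t *ip, uint8_t *udp, size_t udp_len) {
    udp[6] = udp[7] = 0;
    uint16_t c = udp_checksum(ip, udp, udp_len);
    if (c == 0) c = 0xFFFF;                          /* 0 means "no checksum", so send all ones */
    udp[6] = (uint8_t)(c >> 8); udp[7] = (uint8_t)c;
}
static void ip_fill_checksum(uint8_t *ip) {
    ip[10] = ip[11] = 0;
    uint16_t c = csum_fold(csum_add(0, ip, (size_t)(ip[0] & 0x0F) * 4));
    ip[10] = (uint8_t)(c >> 8); ip[11] = (uint8_t)c;
}

/* constructed IPv4/UDP datagram: 20-byte header, UDP 1234 -> 53 carrying the byte 'A' */
static size_t build_sample_packet(uint8_t *buf) {
    static const uint8_t tmpl[29] = {
        0x45, 0x00, 0x00, 0x1d,  0x00, 0x00, 0x00, 0x00,  0x40, IPPROTO_UDP_NUM, 0x00, 0x00,
        192, 168, 1, 10,  192, 168, 1, 20,              /* constructed private addresses */
        0x04, 0xd2,  0x00, 0x35,  0x00, 0x09,  0x00, 0x00,  'A' };
    memcpy(buf, tmpl, sizeof tmpl);
    ip_fill_checksum(buf);
    udp_fill_checksum(buf, buf + 20, 9);
    return sizeof tmpl;
}

int main(void) {
    uint8_t pkt[64];
    size_t n = build_sample_packet(pkt);
    printf("ip flags=%u udp ok=%d\n", ip_header_check(pkt, n), udp_checksum_ok(pkt, pkt + 20, 9));
    pkt[28] ^= 0x01;                                 /* corrupt the payload: the checksum must fail */
    printf("after corruption: udp ok=%d\n", udp_checksum_ok(pkt, pkt + 20, 9));
    return 0;
}
```

Because the micro-engines see every frame before the host does, this is where a length field that disagrees with the captured frame or a header that fails its checksum is cheapest to catch; the flags let the host IDS count such packets as events in their own right rather than feeding them to the parsers.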

ACE + Micro-Engine C Compiler = Faster learning Cycle

BUT

The PCI interface between the board and the host, as well as the current driver, appears to be a bottleneck.

The ACE SDK generates too much overhead on the StrongArm.

Current Status & Lessons Learned

Implementation of a fully distributed IDS

Adaptation in the NIDS:
• Integration of detection and response
• Agile, context-dependent reconfiguration of multiple IDS methods such as pattern matching and behavioral models

Unified framework for network policies:
• Common response mechanisms for QoS, fault detection, NIDS load balancing

Future Steps