Posted on 20-Dec-2015
![Page 1: Topics in Advanced Network Security 1 Stateful Intrusion Detection for High Speed Networks Christopher Kruegel Fredrick Valeur Giovanni Vigna Richard Kemmerer](https://reader030.vdocuments.net/reader030/viewer/2022032704/56649d415503460f94a1bdf3/html5/thumbnails/1.jpg)
Topics in Advanced Network Security
1
Stateful Intrusion Detection for High Speed Networks
Christopher Kruegel, Fredrick Valeur, Giovanni Vigna, Richard Kemmerer
Reliable Software Group
University of California, Santa Barbara
2
Overview
• Introduction
• Related Work
• A Slicing Approach for H-S ID
• Evaluation
• Conclusion and future work
3
Introduction
• Problem Statement
– Current IDS are not able to detect attacks on High Speed (Gigabit) networks
• Why?
– Sensor Speed
– Architectural Limitations
4
What is High Speed?
• Scorpio – Stinger IDS
– “STINGER IDS meets the challenges of watching over a modern network by providing one or more high speed sensors”
– Integrated Intel Pro 10/100 Ethernet card (!!!)
• Symantec Manhunt
– Gigabit Detection
• Intruvert IntruShield 2600
– 2.2 GB/sec
5
IDS Introduction
• Host Based
• Network Based
• Log Based
• Target Based
6
Related Work
• Distributed Sensors
– CSD @ USC: 20 snort machines
– Therminator: Anomaly based NIDS
• NetICE Gigabit Sentry
– >300 Mbps
– 500,000 packets/second
• TopLayer Networks – Switch
• High Performance NIDS – R. Sekar et al.
– 500 Mbps (Offline Traffic)
7
Introduction to Slicing Approach
• Sensors
– Misuse detection, e.g. snort
– Distributed, Autonomous
• Slicer
– TN = T1 + T2 + …. + Tn
– Maintains attack scenarios
8
System Architecture
9
System Architecture
• Tap – Extract link layer frames (F)
• Scatterer – Partitions F into subsets Fj, 0 < j < m
• Traffic Slicers S0 …. Sm-1
– Route Frames to Sensors: Frame Routing
• Switch
– Forwards packets to channels
– Channel = Stream Reassembler + Multiple IDS
10
System Architecture
• Stream Reassemblers R0 …. Rn-1
– Prevents Out of Order (OOO) packet delivery to the sensors
– (fj, fk ∈ FCi) and (fj before fk) then j < k
• Intrusion Detection Sensors I0 …. Ip-1
– Access all packets on channel
– Multiple attack scenarios (Aj = {Aj0 ….. Ajq-1})
– Attack scenario has Event Space [ES]
11
Event Space
• Defines policy for slicers to select channel
• Ejk = cjk0 ∨ cjk1 ∨ …. ∨ cjkn
• cjk = x R y
– x: value from fi
– R: arithmetic relation (=, !=, <)
– y: constant, or value of a variable
12
Frame Routing
• Slicer filter based on active ES in a channel
• Static Configuration – Prone to Overloads
• Dynamic Load Balancing – Reassign ES or subset of ES
• Example: Destination Attribute
13
Evaluation
• Initial Setup
– slicer = 3, reassembler = 4, sensor = 1 per stream
• Scatterer
– Intel Xeon 1.7 GHz, 512 MB RAM, 3Com 996-T, Linux 2.4.2
– Kernel Module, Layer 2 Bridge
– Inserts Sequence number into source MAC address
14
Evaluation
• Traffic Slicer
– Intel Pentium 4 1.5 GHz, 256 MB RAM, 3Com 905C-TX (Promiscuous Mode)
– Data Portion matched against clauses
– Redundant packets generated
– Insert Channel Number in Destination MAC Address
• Test Setup
– Internal and External
– Internal: 4 Class C address groups
15
Evaluation
• Frame routing
– Cisco Catalyst 3500XL
– Static associations (Channel Number: Port)
• Reassembler
– Timeout Value (500 ms)
– No retransmissions
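A toy model of the pipeline described on slides 9 to 15, added here as an example (it is not the authors' code): the scatterer stamps a sequence number on each frame, a slicer tests each channel's event space (a disjunction of x R y clauses) and tags matching frames with a channel number, duplicating frames that fall into several event spaces, and the channel's reassembler restores scatterer order and gives up on a gap after the timeout. The attribute names, the channel table and the sample frames are constructed for the example.

```python
"""Toy model of the slicing pipeline on slides 9 to 15 (an added example, not
the authors' code): the scatterer stamps a sequence number on each frame, a
slicer tests each channel's event space (E = c0 v c1 v ..., c = x R y) and tags
matching frames; the channel's reassembler restores scatterer order."""
import operator
from dataclasses import dataclass

RELATIONS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt}  # R on slide 11

@dataclass
class Frame:
    fields: dict        # decoded header attributes, the x values of the clauses
    seq: int = -1       # sequence number stamped by the scatterer (source MAC field)
    channel: int = -1   # channel number stamped by the slicer (destination MAC field)

def event_space_matches(es, frame):
    """E_jk = c_jk0 v c_jk1 v ...: the frame is in the event space if any
    clause x R y holds, with x read from the frame and y a constant."""
    return any(x in frame.fields and RELATIONS[r](frame.fields[x], y) for x, r, y in es)

def scatter(frames):
    """Scatterer: number frames in arrival order before splitting them across slicers."""
    return [Frame(f.fields, seq=i) for i, f in enumerate(frames)]

def slice_frame(frame, channels):
    """Slicer: one copy per channel whose active event spaces match the frame;
    a frame in several event spaces is duplicated (the redundant packets on slide 14)."""
    return [Frame(frame.fields, frame.seq, ch) for ch, spaces in channels.items()
            if any(event_space_matches(es, frame) for es in spaces)]

class Reassembler:
    """Per-channel reassembler: release frames in sequence, hold out-of-order ones,
    skip a gap once the oldest held frame waited `timeout` s (500 ms on slide 15)."""
    def __init__(self, timeout=0.5):
        self.timeout, self.buf, self.out = timeout, {}, []
        self.next_seq, self.dropped = -1, 0   # -1: nothing released yet
    def push(self, frame, now):
        if frame.seq < self.next_seq:         # arrived after its gap was given up on
            self.dropped += 1                 # no retransmissions, so it is discarded
        else:
            self.buf[frame.seq] = (now, frame)
        self.flush(now)
    def flush(self, now):
        while self.buf:
            low = min(self.buf)
            waiting = now - self.buf[low][0]
            if self.next_seq not in (-1, low) and waiting < self.timeout:
                return                        # a gap below `low` is still within timeout
            self.out.append(self.buf.pop(low)[1])
            self.next_seq = low + 1
```

Because the sequence number is global, a channel cannot tell a frame filtered to another channel from a lost one; the timeout is what resolves both cases, which is why the reassembler timeout bounds the added latency.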
16
Evaluation
• Snort Sensor
• Traffic - MIT Lincoln Labs
• Traffic Injection – tcpreplay
17
Snort Performance
• Snort on tcpdump traffic log
• Ruleset = 961 rules
• 11,213 detections in 10 seconds
• Throughput (offline) = 261 Mbps
18
Snort Performance vs Traffic Rate
• Snort is run on Scatterer
• Ruleset = 18 signatures
• Packet loss at traffic rate of 150 Mbps
• Snort’s Saturation point
19
Snort Performance vs Traffic Rate
20
Snort Performance vs No. of Signatures
• Traffic rate = 100 Mbps
• Ruleset
– Initial value = 18 signatures
– Increase number of signatures
21
Snort Performance vs No. of Signatures
22
Snort Performance in Proposed Architecture
23
Snort Performance in Proposed Architecture
24
Conclusion and Future Work
• Experimentation in Real World Environment
• Evaluate the trade-offs
• Dynamic Load Balancing
• Hierarchically structured Scatterers/Slicers