Posted on 20-Dec-2015
Topics in Advanced Network Security
Stateful Intrusion Detection for High Speed Networks
Christopher Kruegel, Fredrik Valeur, Giovanni Vigna, Richard Kemmerer
Reliable Software Group
University of California, Santa Barbara
Overview
• Introduction
• Related Work
• A Slicing Approach for High-Speed ID
• Evaluation
• Conclusion and future work
Introduction
• Problem Statement
  – Current IDS are not able to detect attacks on High Speed (Gigabit) networks
• Why?
  – Sensor Speed
  – Architectural Limitations
What is High Speed?
• Scorpio – Stinger IDS
  – “STINGER IDS meets the challenges of watching over a modern network by providing one or more high speed sensors”
  – Integrated Intel Pro 10/100 Ethernet card (!!!)
• Symantec Manhunt
  – Gigabit Detection
• Intruvert IntruShield 2600
  – 2.2 GB/sec
IDS Introduction
• Host Based
• Network Based
• Log Based
• Target Based
Related Work
• Distributed Sensors
  – CSD @ USC: 20 snort machines
  – Therminator: Anomaly based NIDS
• NetICE Gigabit Sentry
  – >300 Mbps
  – 500,000 packets/second
• TopLayer Networks – Switch
• High Performance NIDS – R. Sekar et al.
  – 500 Mbps (Offline Traffic)
Introduction to Slicing Approach
• Sensors
  – Misuse detection, e.g. snort
  – Distributed, Autonomous
• Slicer
  – TN = T1 + T2 + … + Tn
  – Maintains attack scenarios
System Architecture
(architecture diagram)
• Tap – Extracts link layer frames (F)
• Scatterer – Partitions F into subsets Fj, 0 ≤ j < m
• Traffic Slicers S0 … Sm-1
  – Route frames to sensors: Frame Routing
• Switch
  – Forwards packets to channels
  – Channel = Stream Reassembler + Multiple IDS
System Architecture
• Stream Reassemblers R0 … Rn-1
  – Prevent out-of-order (OOO) packets
  – If fj, fk ∈ FCi (frames on channel Ci) and fj is delivered before fk, then j < k
• Intrusion Detection Sensors I0 … Ip-1
  – Access all packets on their channel
  – Multiple attack scenarios: Aj = {Aj0 … Ajq-1}
  – Each attack scenario has an Event Space (ES)
Event Space
• Defines the policy slicers use to select a channel
• Ejk = cjk0 ∨ cjk1 ∨ … ∨ cjkn
• cjk = x R y
  – x: value taken from frame fi
  – R: arithmetic relation (=, !=, <)
  – y: constant, or value of a variable
Frame Routing
• Slicer filter based on the active ES in a channel
• Static Configuration – Prone to Overloads
• Dynamic Load Balancing – Reassign an ES or a subset of an ES
• Example: Destination Attribute
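The slicer filter and the per-channel reassembler described on these slides, modelled as an added Python example (not code from the slides or the authors' system): event spaces are disjunctions of x R y clauses over frame attributes, a frame matching several channels is duplicated, and the reassembler orders frames by the scatterer's sequence number, skipping a gap once a timeout expires since there are no retransmissions. The frame attributes, addresses and the tick-based timeout are constructed for illustration.

```python
import operator
# Clause c_jk = x R y: x an attribute read from the frame, R a relation, y a constant.
RELATIONS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}
def clause(attr, rel, value):
    return lambda frame: attr in frame and RELATIONS[rel](frame[attr], value)
def event_space(*clauses):          # E_jk = c_jk0 v c_jk1 v ... : any clause suffices
    return lambda frame: any(c(frame) for c in clauses)

def slice_frame(frame, channels):
    """Slicer filter: every channel with an active ES accepting the frame gets a copy."""
    return sorted(ch for ch, spaces in channels.items() if any(es(frame) for es in spaces))

class Reassembler:
    """Per-channel reordering on the scatterer's global sequence number. A frame waits for
    missing predecessors; after `timeout` ticks the gap is skipped (no retransmissions)."""
    def __init__(self, timeout):
        self.timeout, self.next_seq, self.pending = timeout, 0, {}
    def accept(self, frame, now):
        self.pending[frame["seq"]] = (frame, now)
        return self.release(now)
    def release(self, now):
        out = []
        while True:
            while self.next_seq in self.pending:          # in-order frames flow through
                out.append(self.pending.pop(self.next_seq)[0])
                self.next_seq += 1
            if not self.pending:
                return out
            oldest = min(self.pending)                   # gap before `oldest`: wait or skip
            if now - self.pending[oldest][1] < self.timeout:
                return out
            self.next_seq = oldest                       # timeout expired: skip the gap

# Constructed sample: channel 0 watches a web server, channel 1 watches one host's traffic.
CHANNELS = {0: [event_space(clause("dst", "=", "10.0.0.80"), clause("dport", "=", 80))],
            1: [event_space(clause("src", "=", "10.0.0.5"))]}
FRAMES = [{"seq": 0, "src": "10.0.0.5", "dst": "10.0.0.80", "dport": 80},   # both channels
          {"seq": 1, "src": "10.0.0.9", "dst": "10.0.0.80", "dport": 443},  # channel 0
          {"seq": 2, "src": "10.0.0.5", "dst": "10.0.0.7", "dport": 22},    # channel 1
          {"seq": 3, "src": "10.0.0.9", "dst": "10.0.0.7", "dport": 22}]    # no channel

def demo():
    routed = {f["seq"]: slice_frame(f, CHANNELS) for f in FRAMES}
    ch1 = [f for f in FRAMES if 1 in routed[f["seq"]]]            # seq 0 and seq 2
    r = Reassembler(timeout=500)
    delivered = r.accept(ch1[1], now=0)     # seq 2 first: held, seq 0 and 1 missing
    delivered += r.accept(ch1[0], now=10)   # seq 0: released; seq 2 still waits for seq 1
    delivered += r.release(now=600)         # seq 1 went to channel 0: gap times out
    return routed, [f["seq"] for f in delivered]
```

`demo()` returns the routing table for the four frames and the order in which channel 1's reassembler delivered its frames, showing both the held-until-predecessor path and the timeout skip.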
Evaluation
• Initial Setup
  – slicer = 3, reassembler = 4, sensor = 1 per stream
• Scatterer
  – Intel Xeon 1.7 GHz, 512 MB RAM, 3Com 996-T, Linux 2.4.2
  – Kernel Module, Layer 2 Bridge
  – Inserts sequence number into source MAC address
Evaluation
• Traffic Slicer
  – Intel Pentium 4 1.5 GHz, 256 MB RAM, 3Com 905C-TX (Promiscuous Mode)
  – Data portion matched against clauses
  – Redundant packets generated
  – Inserts channel number in destination MAC address
• Test Setup
  – Internal and External
  – Internal: 4 Class C address groups
Evaluation
• Frame Routing
  – Cisco Catalyst 3500XL
  – Static associations (Channel Number: Port)
• Reassembler
  – Timeout Value (500 ms)
  – No retransmissions
Evaluation
• Snort Sensor
• Traffic - MIT Lincoln Labs
• Traffic Injection – tcpreplay
Snort Performance
• Snort on tcpdump traffic log
• Ruleset = 961 rules
• 11,213 detections in 10 seconds
• Throughput (offline) = 261 Mbps
Snort Performance vs Traffic Rate
• Snort is run on the Scatterer
• Ruleset = 18 signatures
• Packet loss begins at a traffic rate of 150 Mbps
• This is Snort’s saturation point
(chart: Snort performance vs traffic rate)
Snort Performance vs No. of Signatures
• Traffic rate = 100 Mbps
• Ruleset
  – Initial value = 18 signatures
  – Increase the number of signatures
(chart: Snort performance vs number of signatures)
Snort Performance in Proposed Architecture
(charts)
Conclusion and Future Work
• Experimentation in Real World Environment
• Evaluate the trade-offs
• Dynamic Load Balancing
• Hierarchically structured Scatterers/Slicers