Post on 20-Dec-2015


Topics in Advanced Network Security

Page 1: Stateful Intrusion Detection for High Speed Networks

Christopher Kruegel, Fredrick Valeur, Giovanni Vigna, Richard Kemmerer

Reliable Software Group, University of California, Santa Barbara

Page 2: Overview

• Introduction

• Related Work

• A Slicing Approach for H-S ID

• Evaluation

• Conclusion and future work

Page 3: Introduction

• Problem Statement

– Current IDS are not able to detect attacks on High Speed (Gigabit) networks

• Why?

– Sensor Speed

– Architectural Limitations

Page 4: What is High Speed?

• Scorpio – Stinger IDS

– “STINGER IDS meets the challenges of watching over a modern network by providing one or more high speed sensors”

– Integrated Intel Pro 10/100 Ethernet card (!!!)

• Symantec Manhunt

– Gigabit Detection

• Intruvert IntruShield 2600

– 2.2 GB/sec

Page 5: IDS Introduction

• Host Based

• Network Based

• Log Based

• Target Based

Page 6: Related Work

• Distributed Sensors

– CSD @ USC: 20 snort machines

– Therminator: Anomaly based NIDS

• NetICE Gigabit Sentry

– >300 Mbps

– 500,000 packets/second

• TopLayer Networks – Switch

• High Performance NIDS – R. Sekar et al.

– 500 Mbps (Offline Traffic)

Page 7: Introduction to Slicing Approach

• Sensors

– Misuse detection, e.g. snort

– Distributed, Autonomous

• Slicer

– T_N = T_1 + T_2 + … + T_n

– Maintains attack scenarios

Page 8: System Architecture

Page 9: System Architecture

• Tap

– Extracts link layer frames (F)

• Scatterer

– Partitions F into subsets F_j, 0 < j < m

• Traffic Slicers S_0 … S_(m-1)

– Route frames to sensors: Frame Routing

• Switch

– Forwards packets to channels

– Channel = Stream Reassembler + Multiple IDS

Page 10: System Architecture

• Stream Reassemblers R_0 … R_(n-1)

– Prevent out-of-order (OOO) packets

– If f_j, f_k ∈ F_Ci and f_j is delivered before f_k, then j < k

• Intrusion Detection Sensors I_0 … I_(p-1)

– Access all packets on the channel

– Multiple attack scenarios: A_j = {A_j0, …, A_j(q-1)}

– Each attack scenario has an Event Space [ES]

Page 11: Event Space

• Defines the policy by which slicers select a channel

• E_jk = c_jk0 ∨ c_jk1 ∨ … ∨ c_jkn

• c_jk = x R y

– x: a value taken from frame f_i

– R: arithmetic relation (=, !=, <)

– y: a constant, or the value of a variable

Page 12: Frame Routing

• Slicer filter based on the active ES in a channel

• Static Configuration – prone to overloads

• Dynamic Load Balancing – reassign an ES or a subset of an ES

• Example: Destination Attribute
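As an added example (not the paper's or the authors' code), here is a small Python model of how a slicer evaluates event-space clauses and routes a frame to channels, including the reassignment of an event space between channels that dynamic load balancing relies on; the frame attribute names, sample frames and channel table are constructed.

```python
import operator
# Added example, not the paper's code: a traffic slicer deciding which channel(s)
# a frame belongs to. A clause c_jk = (x, R, y): x names a frame attribute,
# R is =, != or <, and y is a constant or another attribute's name (assumed).
RELATIONS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt}

def clause_matches(frame, clause):
    x, rel, y = clause
    if x not in frame:
        return False                   # attribute absent: the clause cannot hold
    rhs = frame[y] if isinstance(y, str) and y in frame else y
    return RELATIONS[rel](frame[x], rhs)

def event_space_matches(frame, event_space):
    # E_jk = c_jk0 V c_jk1 V ... V c_jkn: one true clause is enough
    return any(clause_matches(frame, c) for c in event_space)

def route_frames(frames, channels):
    # channels: channel id -> event spaces active there. A frame is copied to
    # every matching channel (the redundant packets the evaluation mentions);
    # a frame relevant to no channel is dropped.
    routed = {cid: [] for cid in channels}
    for f in frames:
        for cid, spaces in channels.items():
            if any(event_space_matches(f, es) for es in spaces):
                routed[cid].append(f)
    return routed

def reassign_event_space(channels, es, src, dst):
    # Dynamic load balancing: move one event space off an overloaded channel
    moved = {cid: list(spaces) for cid, spaces in channels.items()}
    moved[src].remove(es)
    moved[dst].append(es)
    return moved

def routed_seqs(frames, channels):
    return {cid: [f["seq"] for f in fs]
            for cid, fs in route_frames(frames, channels).items()}

# Constructed sample frames (decoded; seq is the scatterer's sequence number)
SAMPLE_FRAMES = [
    {"seq": 0, "src": "192.168.1.5", "dst": "10.0.1.20", "dport": 80},
    {"seq": 1, "src": "192.168.1.5", "dst": "10.0.2.7", "dport": 22},
    {"seq": 2, "src": "192.168.1.9", "dst": "10.0.1.20", "dport": 443},
    {"seq": 3, "src": "192.168.1.9", "dst": "10.0.3.3", "dport": 80},
]
# Channel 0: scenarios against one host (destination attribute); channel 1:
# web scenarios, a single event space whose clauses are a disjunction
CHANNELS = {0: [[("dst", "=", "10.0.1.20")]],
            1: [[("dport", "=", 80), ("dport", "=", 443)]]}
```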

Page 13: Evaluation

• Initial Setup

– slicer = 3, reassembler = 4, sensor = 1 per stream

• Scatterer

– Intel Xeon 1.7 GHz, 512 MB RAM, 3Com 996-T, Linux 2.4.2

– Kernel Module, Layer 2 Bridge

– Inserts sequence number into source MAC address

Page 14: Evaluation

• Traffic Slicer

– Intel Pentium 4 1.5 GHz, 256 MB RAM, 3Com 905C-TX (Promiscuous Mode)

– Data portion matched against clauses

– Redundant packets generated

– Inserts channel number in destination MAC address

• Test Setup

– Internal and External

– Internal: 4 Class C address groups

Page 15: Evaluation

• Frame routing

– Cisco Catalyst 3500XL

– Static associations (Channel Number: Port)

• Reassembler

– Timeout Value (500 ms)

– No retransmissions
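The MAC-address tagging the evaluation describes, as an added Python example that is not the project's code: the scatterer's sequence number in the source MAC, the slicer's channel number in the destination MAC, and a reassembler that releases frames in sequence order after a 500 ms hold; tag widths, the hold-until-timeout policy and the constructed frames are assumptions.

```python
import struct

# Added example, not the project's code: the scatterer writes its sequence
# number into the source MAC, the slicer writes the channel number into the
# destination MAC, and the channel's reassembler reads the sequence number
# back to restore order. Tag widths (48 bits each) and the timeout policy
# below are assumptions; times are integer milliseconds.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType

def make_frame(payload, etype=0x0800):
    # Constructed frame with placeholder MACs, as it would leave the tap
    return ETH_HDR.pack(b"\xff" * 6, b"\x00" * 6, etype) + payload

def scatter_tag(frame, seq):
    # Scatterer: overwrite the source MAC with the 48-bit sequence number
    dst, _, etype = ETH_HDR.unpack_from(frame)
    return ETH_HDR.pack(dst, seq.to_bytes(6, "big"), etype) + frame[ETH_HDR.size:]

def slicer_tag(frame, channel):
    # Slicer: overwrite the destination MAC with the channel number so that a
    # switch with static MAC-to-port associations delivers it to that channel
    _, src, etype = ETH_HDR.unpack_from(frame)
    return ETH_HDR.pack(channel.to_bytes(6, "big"), src, etype) + frame[ETH_HDR.size:]

def read_tags(frame):
    dst, src, _ = ETH_HDR.unpack_from(frame)
    return int.from_bytes(dst, "big"), int.from_bytes(src, "big")  # (channel, seq)

class Reassembler:
    # Holds each frame for `timeout_ms` and then releases frames in sequence
    # order. Gaps in the numbering are normal (the slicer drops frames the
    # channel does not need), so nothing is waited for beyond the timeout and
    # nothing is retransmitted; a frame delayed longer than the timeout would
    # be delivered out of order, which is the cost of this policy.
    def __init__(self, timeout_ms=500):
        self.timeout_ms = timeout_ms
        self.pending = []                  # (seq, arrival_ms, frame)

    def push(self, frame, now_ms):
        self.pending.append((read_tags(frame)[1], now_ms, frame))

    def release(self, now_ms):
        ready = sorted((e for e in self.pending if now_ms - e[1] >= self.timeout_ms),
                       key=lambda e: e[0])
        self.pending = [e for e in self.pending if now_ms - e[1] < self.timeout_ms]
        return [f for _, _, f in ready]
```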

Page 16: Evaluation

• Snort Sensor

• Traffic - MIT Lincoln Labs

• Traffic Injection – tcpreplay

Page 17: Snort Performance

• Snort on tcpdump traffic log

• Ruleset = 961 rules

• 11,213 detections in 10 seconds

• Throughput (offline) = 261 Mbps

Page 18: Snort Performance vs Traffic Rate

• Snort is run on Scatterer

• Ruleset = 18 signatures

• Packet loss at a traffic rate of 150 Mbps

• Snort’s Saturation point

Page 19: Snort Performance vs Traffic Rate

Page 20: Snort Performance vs No. of Signatures

• Traffic rate = 100 Mbps

• Ruleset

– Initial value = 18 signatures

– Increase the number of signatures

Page 21: Snort Performance vs No. of Signatures

Page 22: Snort Performance in Proposed Architecture

Page 23: Snort Performance in Proposed Architecture

Page 24: Conclusion and Future Work

• Experimentation in Real World Environment

• Evaluate the trade-offs

• Dynamic Load Balancing

• Hierarchically structured Scatterers/Slicers