NIC-based intrusion detection: A feasibility study Srinivasan Parthasarathy Ohio State University Joint work with M. Otey, R. Noronha, G. Li and D. Panda
Roadmap • Motivation and Approaches • Challenges and Objectives • Preliminary Work • Algorithms • Experimental Results • Conclusions
Motivation • Figure: Conventional Security Setup (firewall at the WAN/LAN boundary, host-based security on each host) vs. Adding NIC-based security • Legend: Host (+ host-based security), Firewall, NIC-based Intrusion Detection System
Why NIC-based Intrusion Detection • Pros • Better Coverage and Scalability • More security end points • Better Reliability and Performance • Host is separate from NIC • Adaptable, Flexible and Dynamic • Intrusion patterns/rules can be modified on the fly so that the ID scheme can adapt • Possible Cons • Efficiency and Performance of Network Messaging • Solution: simple yet effective schemes are needed
Coverage and Scalability • One-to-one mapping between NICs and hosts → coverage • Natural distribution of computation → scalability • Less aggregation → can detect more specific intrusions • E.g. a firewall can detect host scans; a NIC is better positioned to track port scans against its own host • Can detect intrusions internal to a LAN • Conventional (perimeter-only) setup cannot • Cooperating NICs can potentially detect more complex exploits
Reliability and Performance • Independence from host adds to reliability • One extra security layer • If the host is compromised, NIC-based security may still be active • If the NIC is compromised or detects an intrusion, the host's own security layer remains in place • Independence from host can improve performance • Host OS is not frequently interrupted and can do other work • If the host is loaded, bandwidth is not impacted as much
Challenges • Building specialized NIC hardware may be too expensive • Our objective: work with commodity NICs • Resources on commodity NICs are limited • Smaller memory, slower processor • Efficiency of basic actions (message transfers) is a crucial concern • Impact of ID schemes on bandwidth of legitimate messages • Is NIC-based intrusion detection feasible?
Objectives of this study • Design some simple algorithms for intrusion detection that are: • Efficient • Utilize limited resources • Evaluation Criteria • Detection Accuracy • Efficiency
Roadmap • Motivation and Approaches • Challenges and Objectives • Preliminary Work • Algorithms • Experimental Results • Conclusions
Basic Algorithms • Port Scan Detector (PSD) • Anomaly Detector • Instantiation of Anomalous Client Detector • Signature Detector • Naïve Bayesian Classifier
Sample Instantiation • Figure: Adding NIC-based security (WAN/LAN) • Legend: NIC-based Anomalous Client Detector, NIC-based Port Scan Detector, Host + host-based security, Firewall, NIC-based Naïve Bayes Classifier
Port Scan Detector • Is memory constrained? • No → one port, one bit (65536 bits = 8 KB) • Yes → length of bit vector = B; many (65536) to one (B) mapping f from ports to bits (biased mapping possible) • Is one bit vector enough? • Difficult to refresh (lose all previous information), may not detect slow scans • Sliding window of N such vectors • P = max # of packets per vector (reuse rate) • How to combine? • OR all bit vectors (low computational cost) • How often to check and how to detect? • F = detection frequency • S = threshold for port scan (# of 1's in the combined vector)
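The sliding-window bit-vector scheme from the slide, written out as an added example (not the paper's NIC code): each vector is a Python int treated as B bits, a new vector is started every P packets, the N vectors in the window are OR-ed together, and an alarm is raised when the combined vector has at least S ones. The modulus used for the many-to-one port mapping f, the parameter defaults, and the packet streams are assumptions constructed for the demonstration.

```python
"""Sliding-window bit-vector port-scan detector (added example, not the paper's code).

B = bits per vector, N = vectors in the window, P = packets per vector (reuse
rate), S = ones needed to raise an alarm, F = how often the check runs (here
expressed as "every check_every packets").
"""
from collections import deque


class PortScanDetector:
    def __init__(self, bits=65536, window=4, packets_per_vector=64, threshold=20):
        self.bits = bits                        # B: 65536 -> one bit per port (8 KB)
        self.window = window                    # N
        self.reuse_rate = packets_per_vector    # P
        self.threshold = threshold              # S
        # Python ints as bit vectors; deque(maxlen=N) drops the oldest on append.
        self.vectors = deque([0] * window, maxlen=window)
        self.fill = 0                           # packets recorded in the newest vector

    def _bit(self, port):
        """Map a destination port to a bit index.  With B < 65536 this is the
        many-to-one mapping f.  A plain modulus is an assumption made here; a
        biased mapping (finer bits for well-known ports) would go in its place."""
        return port % self.bits

    def observe(self, dst_port):
        if self.fill >= self.reuse_rate:
            self.vectors.append(0)   # newest vector is full: start a new one
            self.fill = 0
        self.vectors[-1] |= 1 << self._bit(dst_port)
        self.fill += 1

    def combined(self):
        """OR of all vectors in the window (cheap: N word-wise ORs)."""
        acc = 0
        for v in self.vectors:
            acc |= v
        return acc

    def distinct_bits(self):
        return bin(self.combined()).count("1")

    def is_scan(self):
        return self.distinct_bits() >= self.threshold


def run(ports, check_every, **detector_args):
    """Feed a stream of destination ports, checking every `check_every` packets
    (the detection frequency F).  Returns the list of alarm decisions."""
    det = PortScanDetector(**detector_args)
    alarms = []
    for i, port in enumerate(ports, start=1):
        det.observe(port)
        if i % check_every == 0:
            alarms.append(det.is_scan())
    return alarms


def slow_scan():
    """Constructed stream: one new port every 4 packets, hidden among port-80 traffic."""
    stream = []
    for k in range(60):
        stream += [1001 + k, 80, 80, 80]
    return stream


if __name__ == "__main__":
    # A single vector (N=1) never sees enough distinct ports; a window of 4 does.
    print("N=1:", run(slow_scan(), 60, window=1, packets_per_vector=60, threshold=20))
    print("N=4:", run(slow_scan(), 60, window=4, packets_per_vector=60, threshold=20))
    # With B=1024 bits (128 bytes) ports 80 and 1104 alias onto the same bit.
    det = PortScanDetector(bits=1024)
    det.observe(80); det.observe(1104)
    print("aliased bits:", det.distinct_bits())
```

The slow-scan stream is the case the slide warns about: with one vector refreshed every 60 packets, each vector only ever holds 16 distinct ports and the threshold of 20 is never reached, while a window of four vectors accumulates the scan. The aliasing check shows the cost of the memory-constrained mapping: a small B both hides ports behind shared bits and lets unrelated traffic inflate the count.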
Anomalous Client Detector • Goal: detect anomalous behavior • E.g. Is this particular src→dest packet typical? • Estimate P(srcIP|destIP) [chan02] • Is P(srcIP|destIP) > threshold? • If yes, classify as normal • If no, classify as anomaly • Implementation • Relies on hash tables • Complete srcIP not modeled (only at the subnet level) • Moderate/high memory utilization, low computational cost
Anomalous Client Detector (contd.) • Threshold • Dynamic, functionally dependent on destIP • Must aid in discriminating amongst different levels of anomalous behavior • E.g. a new client accessing a web portal is less surprising than a new client accessing an internal machine • We can use entropy to model this! • Entropy of an internal machine's client distribution will be low • Entropy of an externally visible machine's client distribution will be high • Extensions • Non-stationary model (similar to port-scan detector) • Can compare changes to P(srcIP|destIP) over time
Naïve Bayes Packet Classifier • Simplified Naïve Bayes classifier trained to identify the signature of seven different artificial intrusions • 6 features explicit in the packet header • Protocol type, Protocol flags, SrcPort, DestPort, SrcIP, DestIP (may be implicit) • 1 derived feature • E.g. # connections in last X seconds, average deviation of TTL • Implementation details • Relatively high computational requirements
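The anomalous client detector of the two preceding slides, as an added example (not the paper's implementation): P(srcIP|destIP) is estimated from hash-table counts at /24 granularity, and the per-destination threshold is made a decreasing function of the entropy of that destination's client distribution, so a never-seen client is tolerated at a busy portal but flagged at an internal host. The smoothing, the specific threshold form base · 2^(-H(destIP)), the /24 choice and the training flows are all assumptions made for the demonstration.

```python
"""Anomalous client detector: P(srcIP | destIP) at subnet granularity with an
entropy-driven threshold (added example, not the paper's code)."""
import math
from collections import defaultdict


def subnet(ip):
    """Clients are modelled at /24 granularity (assumption: first three octets)."""
    return ".".join(ip.split(".")[:3])


class AnomalousClientDetector:
    def __init__(self, base_threshold=0.1):
        self.counts = defaultdict(lambda: defaultdict(int))  # dst -> src subnet -> n
        self.totals = defaultdict(int)                      # dst -> total packets
        self.base = base_threshold

    def train(self, flows):
        """flows: iterable of (src_ip, dst_ip) taken from attack-free traffic."""
        for src, dst in flows:
            self.counts[dst][subnet(src)] += 1
            self.totals[dst] += 1

    def prob(self, src, dst):
        """Smoothed P(src subnet | dst).  Add-one smoothing with one extra slot
        for 'unseen', so a never-seen client gets a small non-zero probability
        that shrinks as the destination's history grows (assumption)."""
        n = self.totals[dst]
        k = len(self.counts[dst]) + 1
        return (self.counts[dst][subnet(src)] + 1) / (n + k)

    def entropy(self, dst):
        """H(src subnet | dst) in bits over the training counts."""
        n = self.totals[dst]
        if n == 0:
            return 0.0
        return -sum((c / n) * math.log2(c / n) for c in self.counts[dst].values())

    def threshold(self, dst):
        """Assumed threshold form: base * 2^-H(dst).  A destination with a diverse
        client population (high entropy) tolerates new clients; one with a single
        regular client (entropy 0) keeps the full base threshold."""
        return self.base * 2.0 ** (-self.entropy(dst))

    def classify(self, src, dst):
        return "normal" if self.prob(src, dst) > self.threshold(dst) else "anomaly"


def build_detector():
    """Constructed attack-free training data: a public portal (203.0.113.10)
    served from 16 client subnets, and an internal host (10.0.0.5) reached
    only from the 10.0.1.0/24 admin subnet."""
    flows = []
    for i in range(16):
        flows += [(f"172.16.{i}.7", "203.0.113.10")] * 4
    flows += [(f"10.0.1.{i}", "10.0.0.5") for i in range(64)]
    det = AnomalousClientDetector()
    det.train(flows)
    return det


if __name__ == "__main__":
    det = build_detector()
    for dst in ("203.0.113.10", "10.0.0.5"):
        print(dst, "entropy", det.entropy(dst), "threshold", det.threshold(dst))
    print("new client -> portal:  ", det.classify("10.9.9.9", "203.0.113.10"))
    print("new client -> internal:", det.classify("10.9.9.9", "10.0.0.5"))
```

The two destinations have the same number of training packets; only the shape of their client distributions differs (entropy 4 bits versus 0), which is what moves the threshold by a factor of 16 and lets the same unseen client be normal at the portal and anomalous at the internal host. A destination with no history at all has entropy 0 and a smoothed probability of 1, so it is accepted; whether that is the right policy for a NIC that has just come up is a deployment decision, not something the model decides.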
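A small Naïve Bayes packet classifier over the header fields the slide lists plus one derived rate feature, as an added example (not the paper's classifier): the derived feature is "packets from the same source in the last X seconds", kept in a per-source timestamp queue and bucketed so it stays cheap on a NIC. The three traffic classes, their packets, the bucket boundaries and the add-one smoothing are constructed for the demonstration and do not reproduce the paper's seven artificial intrusions.

```python
"""Naive Bayes packet classifier over header fields plus one derived feature
(added example, not the paper's code; all packets and classes are constructed)."""
import math
from collections import defaultdict, deque


# Constructed packet record: (timestamp_s, proto, tcp_flags, sport, dport, src_ip)
def featurize(packets, window_s=1.0):
    """Explicit header features: proto, flags, sport (bucketed), dport, src subnet.
    Derived feature: packets from the same source within window_s seconds,
    bucketed low/med/high (bucket edges are an assumption)."""
    recent = defaultdict(deque)
    rows = []
    for ts, proto, flags, sport, dport, src in packets:
        q = recent[src]
        while q and ts - q[0] > window_s:
            q.popleft()
        q.append(ts)
        n = len(q)
        rate = "low" if n <= 2 else ("med" if n <= 10 else "high")
        rows.append({
            "proto": proto,
            "flags": flags,
            "sport": "ephemeral" if sport >= 1024 else "well-known",
            "dport": dport,
            "src_net": ".".join(src.split(".")[:3]),
            "rate": rate,
        })
    return rows


class NaiveBayes:
    """Categorical Naive Bayes with add-one (Laplace) smoothing, scored in log space."""
    def __init__(self):
        self.class_counts = defaultdict(int)
        self.feat_counts = defaultdict(lambda: defaultdict(int))  # (label, feat) -> value -> n
        self.values = defaultdict(set)                            # feat -> observed values

    def train(self, examples):
        for feats, label in examples:
            self.class_counts[label] += 1
            for f, v in feats.items():
                self.feat_counts[(label, f)][v] += 1
                self.values[f].add(v)

    def log_posterior(self, feats):
        total = sum(self.class_counts.values())
        scores = {}
        for label, n in self.class_counts.items():
            s = math.log(n / total)
            for f, v in feats.items():
                s += math.log((self.feat_counts[(label, f)][v] + 1) / (n + len(self.values[f])))
            scores[label] = s
        return scores

    def predict(self, feats):
        scores = self.log_posterior(feats)
        return max(scores, key=scores.get)


def constructed_training_set():
    """Three synthetic classes: ordinary web traffic, a SYN flood from one host,
    and a sequential port probe from one host."""
    normal = [(i * 0.5, "tcp", ("A", "PA")[i % 2], 40000 + i, (80, 443)[i % 2],
               ("198.51.100.5", "203.0.113.7", "192.0.2.9")[i % 3]) for i in range(30)]
    flood = [(100 + i * 0.01, "tcp", "S", 50000 + i, 80, "192.0.2.66") for i in range(30)]
    probe_ports = [21, 22, 23, 25, 53, 80, 110, 143, 443, 3306]
    probe = [(200 + i * 0.2, "tcp", "S", 45000, probe_ports[i % 10], "198.51.100.200")
             for i in range(30)]
    return (list(zip(featurize(normal), ["normal"] * 30))
            + list(zip(featurize(flood), ["syn_flood"] * 30))
            + list(zip(featurize(probe), ["port_probe"] * 30)))


def train_model():
    model = NaiveBayes()
    model.train(constructed_training_set())
    return model


def classify_stream(model, packets):
    """Featurize a packet stream in order (so the rate feature has history) and label each packet."""
    return [model.predict(f) for f in featurize(packets)]


if __name__ == "__main__":
    model = train_model()
    burst = [(400 + i * 0.01, "tcp", "S", 52000 + i, 80, "192.0.2.66") for i in range(15)]
    print(classify_stream(model, burst)[-1])
```

The rate feature is what separates the flood from a single legitimate SYN: the packet's header alone looks like any connection attempt, but after a dozen packets inside the one-second window the "high" bucket has only ever been seen in the flood class. The flip side is the cost the slide notes: the classifier touches every feature of every packet and keeps a per-source history, considerably more work than a bit-vector OR.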
Roadmap • Motivation and Approaches • Challenges and Objectives • Preliminary Work • Algorithms • Experimental Results • Conclusions
Experimental Results • Hardware Configuration • 300 MHz Pentium II, 128 MB memory • 66 MHz LANai 4 processor NIC, 1 MB memory • Software • Synthetic datasets (described in paper) • Training/testing data split (standard)
Results: Anomalous Client Detector • DARPA dataset • 1 week attack-free data, 1 week test data • Only external tcpdump, 13 million packets • Detects 11/43 attacks • Some spread over several packets • Clustering alarms reduces false alarm rate • Misses 32/43 attacks • Uses only external TCP dump • Several not detectable from just IP • Synthetic dataset: qualitative performance summary (figure: typical confusion matrix)
Results: Naïve Bayes Classifier (figure: typical confusion matrix)
Roadmap • Motivation and Approaches • Challenges and Objectives • Preliminary Work • Algorithms • Experimental Results • Conclusions
Related Work • Intrusion detection • Large body of recent work in this area • Anomaly detection [Forrest 97, Chan 02] • Signature detection, e.g. SNORT/BRO • Hybrid strategies [Barbara et al 2001/2002] • NIC-based computing support • Fast synchronization support [Panda 01] • Fast support for application messaging [Bershad 98] • NIC-based security • Self-securing devices [Ganger 2001, 2002] • Firewall security: 3Com embedded firewall [2001]
Current and Future Work • Testing using real data (DARPA/NETFLOW) • Port system to other NICs • Faster Myrinet cards • Effect of multiple processors per NIC (Quadrics) • New detectors/algorithms? • Effect of multiple detectors per NIC • Distributed NIC-based ID schemes • Combining NIC- and host-based schemes • Potentially lose some reliability in exchange for better techniques
Conclusions • NIC-based intrusion detection can potentially be a useful addition to the overall network security system • Potential impact • Coverage, Scalability, Reliability, Performance, Flexibility • Technological outlook looks good • Multiprocessor NICs (Quadrics), 1 GHz NICs (soon) • Preliminary results support the argument • However, there is a long way to go!
Questions? srini@cis.ohio-state.edu