220 likes | 408 Views
Like Zhang. Kernel Mode Network Intrusion Detection. Outlines. Network Intrusion Detection Overview Network Monitoring Solutions Network Layers in Windows Kernel Recent Research Work to do. What is Network Intrusion Detection. Complete packet inspection Complicated rules set
E N D
Like Zhang Kernel Mode Network Intrusion Detection
Outlines • Network Intrusion Detection Overview • Network Monitoring Solutions • Network Layers in Windows Kernel • Recent Research • Work to do
What is Network Intrusion Detection • Complete packet inspection • Complicated rules set • Able to inspect application layer data • Anomaly detection for unknown attacks
How NIDS works System Kernel NIC NIC BUFFER DPC (Interrupt Handling) Packet Filter Driver System RAM User Mode Related applications Packet Analysis (Pattern matching or statistic analysis)
Evolution of packet engine Early Stage • CMU/Stanford packet filter, 1987 Expression tree based Slow • Berkeley packet filter, 1993 DAG (CFG) based Efficient (fields are checked only once)
Tree v.s. DAG Expression Tree Stack Simulation Directed Acyclic Graph
The Interface • Libpcap • Winpcap Used by: tcpdump Ethereal Snort Available for: Perl, Java, .NET(C#), C/C++, Ruby, etc.
Microsoft Solution • NDIS Driver Network Driver Interface Specification Microsoft and 3com, 1989 Standard windows driver for network adapters • .NET Network Monitoring Easy usage Very limited abilities
Windows Network Kernel Overview Application layer NDIS Driver physic layer
Windows NDIS Driver Overview Protocol Driver Filter Driver1 Filter Driver2 … Intermediate Driver (Virtual adapter)
Kernel based IDS Research • Modifying Linux Kernel source code (for most researches) • Hooking up Windows Kernel (very few)
Zero Copy Y. L, M. C, “Lyranet: A Zero-copy TCP/IP Protocol Stack for Embedded Operating Systems”, 2005 • Network packet go straight to system memory instead copy from kernel space
Kernel Based Decision Tree B. Chung, J.N. Kim, S.W. Sohn, C. H. Park, “Kernel Level Intrusion Detection System for Minimum Packet Loss”, 2004 Perform simple rule checking in kernel Associate multiple packets for further processing in user mode
Kernel Based PCA B. J. Kim, I. Kim, “Kernel Based Intrusion Detection System”, 2005 Use a modified PCA approach to perform real-time packet processing inside system kernel (linux) On-line feature extraction (modified PCA) Classification (Least Squares SVM) Online Detection
Firewall based on NDIS Driver H. Chaokai, “Design and Implementation of a Personal Firewall Based on NDIS Intermediate Drivers”, 2007 Introduce the concept of implementing firewall using Microsoft NDIS driver
Why kernel? • The first consideration when moving algorithm from theory to application • Most “perfect” intrusion detection algorithms only work for off-line experiment • No current software based IDS can handling large traffic volumes • Few related research exists • Important topic for industry
What to do? • How much performance can be gained? • What is the best strategy to implement a NIDS? • How to communicate between kernel and user mode?