A comprehensive overview of stateful intrusion detection for high-speed networks, including a slicing approach for H-S.ID, evaluation, and future work.
Stateful Intrusion Detection for High Speed Networks
Christopher Kruegel, Fredrick Valeur, Giovanni Vigna, Richard Kemmerer
Reliable Software Group, University of California, Santa Barbara
Topics in Advanced Network Security
Overview
• Introduction
• Related Work
• A Slicing Approach for H-S ID
• Evaluation
• Conclusion and future work
Introduction
• Problem Statement
  • Current IDSs are not able to detect attacks on High Speed (Gigabit) networks
• Why?
  • Sensor Speed
  • Architectural Limitations
What is High Speed?
• Scorpio – Stinger IDS
  • “STINGER IDS meets the challenges of watching over a modern network by providing one or more high speed sensors”
  • Integrated Intel Pro 10/100 Ethernet card (!!!)
• Symantec ManHunt
  • Gigabit Detection
• IntruVert IntruShield 2600
  • 2.2 GB/sec
IDS Introduction
• Host Based
• Network Based
• Log Based
• Target Based
Related Work
• Distributed Sensors
  • CSD @ USC: 20 Snort machines
• Therminator: Anomaly based NIDS
• NetICE Gigabit Sentry
  • >300 Mbps
  • 500,000 packets/second
• TopLayer Networks – Switch
• High Performance NIDS – R. Sekar et al.
  • 500 Mbps (Offline Traffic)
Introduction to Slicing Approach
• Sensors
  • Misuse detection, e.g. Snort
  • Distributed, Autonomous
• Slicer
  • Splits the traffic into slices: TN = T1 + T2 + … + Tn
  • Maintains attack scenarios
System Architecture (diagram)
System Architecture
• Tap
  • Extracts link layer frames (F)
• Scatterer
  • Partitions F into sequences Fj, 0 < j < m
• Traffic Slicers S0 … Sm-1
  • Route frames to sensors: Frame Routing
• Switch
  • Forwards packets to channels
  • Channel = Stream Reassembler + multiple IDS sensors
System Architecture
• Stream Reassemblers R0 … Rn-1
  • Prevent out-of-order (OOO) packets on a channel
  • If fj, fk ∈ F_Ci and fj arrives before fk, then j < k
• Intrusion Detection Sensors I0 … Ip-1
  • Access all packets on their channel
  • Each sensor holds multiple attack scenarios: Aj = {Aj0 … Ajq-1}
  • Each attack scenario has an Event Space (ES)
Event Space
• Defines the policy the slicers use to select a channel for a frame
• Ejk = cjk0 ∨ cjk1 ∨ … ∨ cjkn
• Each clause cjk has the form x R y
  • x: attribute value taken from frame fi
  • R: arithmetic relation (=, !=, <)
  • y: a constant, or the value of a scenario variable
Frame Routing
• Slicer filter based on the event spaces active in a channel
• Static Configuration – prone to overloads
• Dynamic Load Balancing – reassign an ES or a subset of an ES to another channel
• Example: Destination Attribute
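A toy version of the slicer policy from the Event Space and Frame Routing slides, plus the reassembler's per-channel reordering, as an added example (not code from the paper or this presentation). It assumes frames are dicts of attributes, that the scatterer's sequence number is carried in a `seq` field, and that channel ids and the sample event spaces are constructed for illustration.

```python
# Added example (not the paper's code): event spaces are disjunctions of
# "x R y" clauses over frame attributes; a frame is copied to every channel
# whose active scenarios need it, and each channel's reassembler restores
# the order the scatterer stamped on the frames.
from operator import eq, ne, lt, gt

RELATIONS = {"=": eq, "!=": ne, "<": lt, ">": gt}

def clause_matches(frame, clause):
    # clause = (attribute, relation, constant); a missing attribute never matches
    attr, rel, value = clause
    return attr in frame and RELATIONS[rel](frame[attr], value)

def event_space_matches(frame, event_space):
    # an event space is a disjunction of clauses: one matching clause suffices
    return any(clause_matches(frame, c) for c in event_space)

def route_frame(frame, channels):
    """channels: {channel_id: [event_space, ...]}, the event spaces of the
    scenarios active on that channel. Returns every channel that needs a
    copy of the frame (the 'redundant packets' of the evaluation)."""
    return sorted(cid for cid, spaces in channels.items()
                  if any(event_space_matches(frame, es) for es in spaces))

def reassemble(frames):
    # stream reassembler: restore scatterer order within one channel and
    # drop duplicates that reached the channel through more than one slicer
    seen, ordered = set(), []
    for f in sorted(frames, key=lambda f: f["seq"]):
        if f["seq"] not in seen:
            seen.add(f["seq"])
            ordered.append(f)
    return ordered

# constructed configuration: channel 0 watches web ports, channel 1 one host
CHANNELS = {
    0: [[("dst_port", "=", 80), ("dst_port", "=", 443)]],
    1: [[("dst_ip", "=", "10.0.0.5")], [("src_ip", "=", "10.0.0.5")]],
}

# constructed frames, numbered in the order the scatterer saw them
FRAMES = [
    {"seq": 1, "src_ip": "192.0.2.9", "dst_ip": "10.0.0.5", "dst_port": 80},
    {"seq": 2, "src_ip": "192.0.2.9", "dst_ip": "10.0.0.7", "dst_port": 443},
    {"seq": 3, "src_ip": "10.0.0.5", "dst_ip": "192.0.2.9", "dst_port": 22},
]

def slice_traffic(frames=FRAMES, channels=CHANNELS):
    """Return {channel_id: [seq, ...]} as each channel's sensors would see it."""
    per_channel = {cid: [] for cid in channels}
    for f in reversed(frames):  # reversed: frames reach the switch out of order
        for cid in route_frame(f, channels):
            per_channel[cid].append(f)
    return {cid: [f["seq"] for f in reassemble(fs)] for cid, fs in per_channel.items()}
```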
Evaluation
• Initial Setup
  • 3 slicers, 4 reassemblers, 1 sensor per stream
• Scatterer
  • Intel Xeon 1.7 GHz, 512 MB RAM, 3Com 996-T, Linux 2.4.2
  • Kernel module acting as a Layer 2 bridge
  • Inserts a sequence number into the source MAC address
Evaluation
• Traffic Slicer
  • Intel Pentium 4 1.5 GHz, 256 MB RAM, 3Com 905C-TX (promiscuous mode)
  • Data portion matched against clauses
  • Redundant packets generated when a frame matches more than one channel
  • Inserts the channel number into the destination MAC address
• Test Setup
  • Internal and External
  • Internal: 4 Class C address groups
Evaluation
• Frame Routing
  • Cisco Catalyst 3500XL
  • Static associations (Channel Number: Port)
• Reassembler
  • Timeout value (500 ms)
  • No retransmissions
Evaluation
• Snort Sensor
• Traffic: MIT Lincoln Labs
• Traffic Injection: tcpreplay
Snort Performance
• Snort on tcpdump traffic log
• Ruleset = 961 rules
• 11,213 detections in 10 seconds
• Throughput (offline) = 261 Mbps
Snort Performance vs Traffic Rate
• Snort is run on the Scatterer
• Ruleset = 18 signatures
• Packet loss at a traffic rate of 150 Mbps
  • Snort’s saturation point
Snort Performance vs Traffic Rate (chart)
Snort Performance vs No. of Signatures
• Traffic rate = 100 Mbps
• Ruleset
  • Initial value = 18 signatures
  • Increase the number of signatures
Snort Performance vs No. of Signatures (chart)
Snort Performance in Proposed Architecture (charts)
Conclusion and Future Work
• Experimentation in a real-world environment
• Evaluate the trade-offs
• Dynamic Load Balancing
• Hierarchically structured Scatterers/Slicers