1 / 24

Stateful Intrusion Detection for High Speed Networks

A comprehensive overview of stateful intrusion detection for high-speed networks, including a slicing approach for H-S.ID, evaluation, and future work.

lamberton
Download Presentation

Stateful Intrusion Detection for High Speed Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Stateful Intrusion Detection for High Speed Networks Christopher Kruegel Fredrick Valeur Giovanni Vigna Richard Kemmerer Reliable Software Group University of California, Santa Barbara Topics in Advanced Network Security

  2. Overview • Introduction • Related Work • A Slicing Approach for H-S ID • Evaluation • Conclusion and future work Topics in Advanced Network Security

  3. Introduction • Problem Statement • Current IDS are not able to detect attacks on High Speed (Gigabit) networks • Why? • Sensor Speed • Architectural Limitations Topics in Advanced Network Security

  4. What is High Speed? • Scorpio – Stinger IDS • “STINGER IDS meets the challenges of watching over a modern network by providing one or more high speed sensors” • Integrated Intel Pro 10/100 Ethernet card (!!!) • Symantec Manhunt • Gigabit Detection • Intruvert IntrShield 2600 • 2.2 GB/sec Topics in Advanced Network Security

  5. IDS Introduction • Host Based • Network Based • Log Based • Target Based Topics in Advanced Network Security

  6. Related Work • Distributed Sensors • CSD @ USC : 20 snort machines • Therminator : Anomaly based NIDS • NetICE Gigabit Sentry • >300 Mbps • 500,000 packets/second • TopLayer Networks – Switch • High Performance NIDS – R. Sekar et al • 500 Mbps (Offline Traffic) Topics in Advanced Network Security

  7. Introduction to Slicing Approach • Sensors • Misuse detection e.g.: snort • Distributed, Autonomous • Slicer • TN = T1 + T2 + ….Tn • Maintains attack scenarios Topics in Advanced Network Security

  8. System Architecture Topics in Advanced Network Security

  9. System Architecture • Tap • Extract link layer frames (F) • Scatterer • Partitions F = Fj: 0 < j < m • Traffic Slicers S0….Sm-1 • Route Frames to Sensors : Frame Routing • Switch • Forwards packets to channels • Channel = Stream Reassembler + Multiple IDS Topics in Advanced Network Security

  10. System Architecture • Stream Reassemblers R0….Rn-1 • Prevents Out of Order packets (OOO) • (fj, fkЄ FCi)and (fj before fk)then j < k • Intrusion Detection Sensors I0….Ip-1 • Access all packets on channel • Multiple attack scenario ( Aj = {Aj0…..Ajq-1} • Attack scenario has Event Space [ES] Topics in Advanced Network Security

  11. Event Space • Defines policy for slicers to select channel • Ejk = cjk0 V cjk1 V ….cjkn • cjk=xRy • x value from fi • R arithmetic relation ( =, !=, <) • y constant, value of variable Topics in Advanced Network Security

  12. Frame Routing • Splicer filter based on active ES in a channel • Static Configuration – Prone to Overloads • Dynamic Load Balancing – Reassign ES or subset of ES • Example : Destination Attribute Topics in Advanced Network Security

  13. Evaluation • Initial Setup • slicer=3, reassembler=4,sensor=1 per stream • Scatterer • Intel Xeon 1.7 Ghz, 512 MB RAM, 3Com 996-T, Linux 2.4.2 • Kernel Module, Layer 2 Bridge • Inserts Sequence number to source MAC address Topics in Advanced Network Security

  14. Evaluation • Traffic Slicer • Intel Pentium 4 1.5 Ghz, 256 MB RAM, 3Com 905C-TX (Promiscuous Mode) • Data Portion matched against clauses • Redundant packets generated • Insert Channel Number in Destination MAC Address • Test Setup • Internal and External • Internal : 4 Class C address groups Topics in Advanced Network Security

  15. Evaluation • Framerouting • Cisco Catalyst 3500XL • Static associations (Channel Number: Port) • Reassembler • Timeout Value (500 ms) • No retransmissions Topics in Advanced Network Security

  16. Evaluation • Snort Sensor • Traffic - MIT Lincoln Labs • Traffic Injection – tcpreplay Topics in Advanced Network Security

  17. Snort Performance • Snort on tcpdump traffic log • Ruleset = 961 rules • 11,213 detections in 10 seconds • Throughput (offline) =261 Mbps Topics in Advanced Network Security

  18. Snort Performance vs Traffic Rate • Snort is run on Scatterer • Ruleset = 18 signatures • Packetloss at traffic rate of 150 Mbps • Snort’s Saturation point Topics in Advanced Network Security

  19. Snort Performance vs Traffic Rate Topics in Advanced Network Security

  20. Snort Perfomance Vs No. of Signatures • Traffic rate = 100 Mbps • Ruleset • Initial value =18 signatures • Increase number of signatures Topics in Advanced Network Security

  21. Snort Perfomance Vs No. of Signatures Topics in Advanced Network Security

  22. Snort Performance in Proposed Architecture Topics in Advanced Network Security

  23. Snort Performance in Proposed Architecture Topics in Advanced Network Security

  24. Conclusion and Future Work • Experimentation in Real World Environment • Evaluate the trade-offs • Dynamic Load Balancing • Hierarchically structured Scatterers/Slicers Topics in Advanced Network Security

More Related