Towards Software-Based Signature Detection for Intrusion Prevention on the Network Card


Presentation Transcript


  1. Towards Software-Based Signature Detection for Intrusion Prevention on the Network Card Speaker: Ming-Yuan Hsu

  2. Outline • Information • Introduction • Aho-Corasick • Architecture • Evaluation • Conclusion WNS.Lab.Meeting

  3. Information
  • Authors
    • H. Bos, Vrije Universiteit, Amsterdam, The Netherlands, herbertb@cs.vu.nl
    • Kaiming Huang, Xiamen University, Xiamen, China, kmhuang@xmu.edu.cn
  • Symposium
    • A. Valdes and D. Zamboni (Eds.): RAID 2005, LNCS 3858, pp. 102–123, 2006. © Springer-Verlag Berlin Heidelberg 2006

  4. Outline • Information • Introduction • Aho-Corasick • Architecture • Evaluation • Conclusion

  5. Introduction (1)
  • Signature detection system (SDS) in software on the network card.
  • Distributed firewall
    • Does not implement payload inspection at all.
  • FPGAs
    • Complex to modify.
  • CardGuard is intended to protect
    • A single end-user's host
    • A small set of hosts connected to a switch

  6. Introduction (2)
  • The authors' goal has been to make the SDS
    • An inexpensive device
    • Competitive with large firewalls
    • Fast enough to handle realistic loads

  7. Distributing the firewall
  • Most current approaches to IDS/IPS
    • High-performance firewall/IDS at the edge.
    • All internal nodes are assumed to be safe.
    • All external nodes are considered suspect.

  8. Drawbacks (compared to a distributed firewall)
  • Doesn't protect internal nodes
    • Attacks originate within the intranet.
  • Represents the intranet's link to the outside world.
    • The traffic is very large.
    • Payload scans are difficult/infeasible.
    • An attacker can send a large number of harmless packets.
  • Protects a heterogeneous collection of machines.
    • Closes all ports except a select few.
    • It's inconvenient to users.
    • Configuration is more complex.

  9. The IXP1200 Network Processor
  • CardGuard is implemented on an IXP1200 network processor unit.
  • Employs the Aho-Corasick algorithm

  10. Outline • Information • Introduction • Aho-Corasick • Architecture • Evaluation • Conclusion

  11. Aho-Corasick
  • A string matching algorithm.
  • Compiles the dictionary into a finite state machine.
  • A simple example
    • The dictionary includes "aba" and "abcd"

  12. Inline
  • In-memory
  • The DFA built by Aho-Corasick is stored as a trie

  13. The input "bababcdab"
  • Aho-Corasick returns
    • aba × 1
    • abcd × 1

  14. Aho-Corasick Example
  • A deterministic finite automaton (DFA) for the Slammer worm identifies 5 different patterns

  15. The signatures of the Slammer worm are
  • h.dllhel32hkernQhounthickChGetTf
  • hws2
  • Qhsockf
  • toQhsend
  • Qhsoc
  • Aho-Corasick finds the signatures at:
    • States 32, 35, 40, 42, 50

  16. Outline • Information • Introduction • Aho-Corasick • Architecture • Evaluation • Conclusion

  17. CardGuard is implemented on an Intel IXP1200 NPU board.
  • Contains 2 Gigabit ports.
    • Packet reception/transmission
  • A newer version is the IXP2800.
    • Its efficiency is better than the IXP1200's.

  18. The ports are used for all data between hosts and the NPU.
  • CardGuard is designed as a plug-and-play IDS.
    • To protect a set of hosts connected to a switch.
    • No reconfiguration of the end-systems is necessary.

  19. Outline • Information • Introduction • Aho-Corasick • Architecture • Evaluation • Conclusion

  20. Evaluation
  • This is a typical result in Aho-Corasick.
  • The number of times the different levels of the trie are visited.
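As an added worked example (not code from the slides or from the CardGuard project), the following Python implements the Aho-Corasick automaton described on slides 11–13 and the level-visit statistic of slide 20: the dictionary {"aba", "abcd"} and the input "bababcdab" are the slides' own, the class and method names are my own choice, and the second dictionary (he/she/his/hers) is a constructed addition that exercises patterns which are suffixes of one another, a case the slides' example does not cover.

```python
from collections import deque


class AhoCorasick:
    """Aho-Corasick automaton. The patterns are compiled into a trie (one node
    per state); failure links turn the trie into a DFA so that the input is
    scanned exactly once, regardless of how many patterns there are."""

    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.goto = [{}]      # goto[state][char] -> next state (trie edges)
        self.fail = [0]       # failure link: longest proper suffix that is a trie prefix
        self.out = [set()]    # indices of patterns recognised when in this state
        self.depth = [0]      # trie level of each state (root is level 0)
        for idx, pat in enumerate(self.patterns):
            state = 0
            for ch in pat:
                if ch not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                    self.depth.append(self.depth[state] + 1)
                    self.goto[state][ch] = len(self.goto) - 1
                state = self.goto[state][ch]
            self.out[state].add(idx)
        # Failure links by breadth-first traversal; level-1 states fall back to root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                # A pattern ending at the fail state also ends here (e.g. "he" inside "she").
                self.out[s] |= self.out[self.fail[s]]

    def search(self, text):
        """Return (matches, level_visits). matches is a list of (end_index, pattern);
        level_visits counts how often each trie level was the current state after
        consuming one input byte, i.e. the per-level statistic of slide 20."""
        state = 0
        matches = []
        level_visits = {}
        for i, ch in enumerate(text):
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            level_visits[self.depth[state]] = level_visits.get(self.depth[state], 0) + 1
            for idx in sorted(self.out[state]):
                matches.append((i, self.patterns[idx]))
        return matches, level_visits

    def count(self, text):
        """Per-pattern hit counts, the form in which slide 13 reports the result."""
        counts = {p: 0 for p in self.patterns}
        for _, p in self.search(text)[0]:
            counts[p] += 1
        return counts


if __name__ == "__main__":
    # Dictionary and input from slides 11 and 13.
    ac = AhoCorasick(["aba", "abcd"])
    print(ac.count("bababcdab"))            # {'aba': 1, 'abcd': 1}
    matches, levels = ac.search("bababcdab")
    print(matches, levels)                  # most bytes land on shallow levels
    # Constructed dictionary with overlapping suffixes (not from the slides).
    print(AhoCorasick(["he", "she", "his", "hers"]).search("ushers")[0])
```

The `level_visits` histogram is what makes the slide-20 observation concrete: with a benign input most bytes leave the automaton at level 0 or 1, so only the first trie levels need to sit in fast memory, while deep levels are reached only when the input actually resembles a signature.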

  21. First experiment
  • Uses tcpreplay (max rate: about 50 Mbps)
  • Second experiment
    • Examines the number of cycles.
    • Packets of various sizes
    • Ten state transitions in the DFA.
    • A single thread could process 52.5 Mbps for maximum-sized non-TCP packets.

  22. Final experiment (a stress test)
  • Packets sent by iperf.
  • Evaluates the throughput under the worst case.
    • The payload needs to be checked from start to finish.
    • It's not a realistic scenario.
    • Every packet sent is checked in its entirety.

  23. Outline • Information • Introduction • Aho-Corasick • Architecture • Evaluation • Conclusion

  24. Conclusion
  • The hardware used in CardGuard is rather old.
    • The principles remain valid for newer hardware.
  • CardGuard represents a first step.
    • Intrusion detection on a NIC in software
