Building Robust, Flexible, Scalable Distributed Intrusion Detection Systems (DIDSes)
Hao Che
Department of Computer Science and Engineering, University of Texas at Arlington
CSIIR and IOC 1st Annual Workshop – March 14-15, 2005, Oak Ridge National Lab.
Outline
• Motivations
• Proposed Solution
• Thoughts on attack identification
• Research goal
Motivations
• Intrusion detection systems (IDSes) must be distributed in dealing with distributed attacks
• There are various types of DIDSes being built, including:
  • Host-based versus network-based
    • Host-based DIDS
    • Network-based DIDS
    • Hybrid DIDS
  • Centralized versus distributed
    • DIDS with centralized control
    • DIDS with distributed control
    • Both may be hierarchical or flat
Motivations
• A DIDS should be
  • Robust: able to cope with partial failures of the DIDS through, e.g., dynamic resource sharing and dynamic load balancing
  • Flexible: able to allow, e.g., fast run-time software upgrades and rule table updates, and flow tracking at various granularities
  • Scalable: able to keep up with multigigabit line rates and scale to large networks
• In general, the existing DIDSes cannot meet all the above requirements simultaneously:
  • Most DIDSes do not address the robustness issue
  • Software-based IDSes cannot keep up with gigabit line rates
  • Hardware-based solutions lack flexibility
A Proposed Solution
• Network level: building a Secured DIDS Overlay using multipath for:
  • both link and node resource optimization
  • fast failure recovery
[Figure: point-to-multipoint (multipoint-to-point) multipath for network-based IDS; point-to-point multipath for host-based IDS]
A Proposed Solution
• Node level: a hybrid solution for network-based IDS design:
  • Separation of string matching into header matching and payload string matching
  • Stateful and stateless header matching and load balancing are handled by a fully run-time programmable network processor at multigigabit rate
  • Payload string matching is performed by a set of traditional sensors at lower rates
• A network-based IDS may operate in one of two modes: stealthy mode or inline mode
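The node-level split described above, as an added example in Python (not code from the talk or from the IXP): the fast path does stateless header rules and stateful flow tracking and pins each flow to one payload sensor, while the sensors do the slower substring matching. Rendezvous hashing for sensor selection is an assumption of this example (the slide does not say how flows are assigned to sensors); it is chosen because a sensor that fails then re-homes only its own flows, which is the dynamic load-balancing behaviour the Motivations slide asks for. All rules, signatures, sensor names and packets are constructed.

```python
"""Hybrid network-based IDS front end, toy model (added example, constructed data).

Fast path (the network-processor stage): stateless header rules, a stateful
per-flow table, and flow-affine assignment of each flow to a payload sensor.
Sensors (the slower "traditional sensors"): payload substring signatures.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes = b""

    def flow_key(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)


# Stateless header rules: every listed field must match (constructed rules)
HEADER_RULES = [
    {"name": "telnet-to-monitored-net", "proto": "tcp", "dport": 23},
    {"name": "udp-1434-probe", "proto": "udp", "dport": 1434},
]
# Payload signatures live on the sensors, never on the fast path (constructed)
PAYLOAD_SIGNATURES = {"cmd-shell-banner": b"Microsoft Windows", "path-traversal": b"../../"}


class Sensor:
    """A payload-matching sensor; it only ever sees the flows assigned to it."""
    def __init__(self, name):
        self.name, self.alerts = name, []

    def inspect(self, pkt):
        for sig_name, needle in PAYLOAD_SIGNATURES.items():
            if needle in pkt.payload:
                self.alerts.append((sig_name, pkt.flow_key()))


class FastPath:
    """Header matching, flow state and sensor selection at line rate."""
    def __init__(self, sensors):
        self.sensors = {s.name: s for s in sensors}
        self.flows = {}            # flow_key -> {"packets": n, "sensor": name}
        self.header_alerts = []

    def _choose_sensor(self, key):
        # Rendezvous hashing (assumed choice): the live sensor with the highest
        # hash score wins, so removing a sensor moves only the flows it held.
        return max(self.sensors,
                   key=lambda name: hashlib.sha256(repr((key, name)).encode()).digest())

    def remove_sensor(self, name):
        """Partial failure: drop a sensor and re-home only its flows."""
        del self.sensors[name]
        for key, state in self.flows.items():
            if state["sensor"] == name:
                state["sensor"] = self._choose_sensor(key)

    def process(self, pkt):
        key = pkt.flow_key()
        for rule in HEADER_RULES:                      # stateless header matching
            fields = {k: v for k, v in rule.items() if k != "name"}
            if all(getattr(pkt, f) == v for f, v in fields.items()):
                self.header_alerts.append((rule["name"], key))
        state = self.flows.get(key)                    # stateful flow tracking
        if state is None:
            state = self.flows[key] = {"packets": 0, "sensor": self._choose_sensor(key)}
        state["packets"] += 1
        self.sensors[state["sensor"]].inspect(pkt)    # payload matching off the fast path
        return state["sensor"]


def run_demo():
    """Constructed traffic: a telnet flow whose second packet carries a banner
    signature, and a web flow carrying a traversal signature; then one sensor fails."""
    sensors = [Sensor("s0"), Sensor("s1"), Sensor("s2")]
    fp = FastPath(sensors)
    packets = [
        Packet("10.0.0.5", "10.0.1.9", 40001, 23, "tcp", b"login: "),
        Packet("10.0.0.5", "10.0.1.9", 40001, 23, "tcp", b"Microsoft Windows [Version"),
        Packet("10.0.0.7", "10.0.1.80", 40002, 80, "tcp", b"GET /img/../../etc/passwd HTTP/1.0"),
    ]
    assignments = [fp.process(p) for p in packets]
    payload_alerts = sorted(sig for s in sensors for sig, _ in s.alerts)
    before = {k: v["sensor"] for k, v in fp.flows.items()}
    fp.remove_sensor("s1")                             # simulated sensor failure
    after = {k: v["sensor"] for k, v in fp.flows.items()}
    return {"header_alerts": len(fp.header_alerts), "payload_alerts": payload_alerts,
            "assignments": assignments, "before": before, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

Both packets of the telnet flow go to the same sensor, so a signature split across packets is still seen by one matcher; after `remove_sensor("s1")` the flows that were on the other two sensors stay where they were.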
A Proposed Solution
• Stealthy Mode: for intrusion detection only
[Figure: line card with a tap on the monitored network feeding a network processor (MEM, TCAM coprocessor, CPU, traffic manager, framer, SerDes); output goes to local sensors, remote sensors and the IDS console]
• Inline Mode: for both intrusion detection and prevention
[Figure: the same line card placed inline on the monitored network, again feeding local sensors, remote sensors and the IDS console]
A Proposed Solution
• Intel IXP 2800 Multigigabit Network Processor:
  • Micro-engines (MEs) can be configured to work in pipeline and/or parallel
  • Each ME runs its own micro-code, and the micro-code can be swapped at run-time
  • XScale Core maintains flow state and any other control plane functions
A Proposed Solution
• A Four-Stage Configuration:
  • 1st stage: one ME distributes packets evenly to the MEs in the 2nd stage
  • 2nd stage: a set of MEs performs stateful flow classification and load balancing
  • 3rd stage: a set of MEs reorders the out-of-order packets received from the 2nd stage
  • 4th stage: outgoing packets are scheduled based on their QoS requirements
[Figure: pipeline stages labelled dispatcher, load balancer, sequencer, scheduler]
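The four-stage configuration as an added Python simulation (not the IXP micro-code): a dispatcher spreads packets round-robin over parallel stage-2 workers, the workers keep per-flow state and tag a QoS class, a per-flow reorder buffer restores sequence order, and a priority scheduler drains the result. The input packets, the per-worker service times (one slow worker makes later packets overtake earlier ones) and the QoS rule (the management flow gets the top class) are constructed assumptions.

```python
"""Four-stage packet pipeline on parallel workers (added simulation, constructed data)."""
import heapq
from collections import defaultdict, deque


def dispatch(packets, n_workers):
    """Stage 1: one dispatcher spreads packets evenly over the stage-2 workers."""
    queues = [deque() for _ in range(n_workers)]
    for i, pkt in enumerate(packets):
        queues[i % n_workers].append(pkt)
    return queues


def classify(queues, service_time):
    """Stage 2: each worker keeps per-flow state and tags a QoS class.
    Completions are timestamped, so a slow worker lets later packets overtake."""
    flow_table = defaultdict(int)
    events = []
    for w, queue in enumerate(queues):
        clock = 0
        for pkt in queue:
            clock += service_time[w]
            flow_table[pkt["flow"]] += 1                                # packets seen per flow
            tagged = dict(pkt, qos=0 if pkt["flow"] == "mgmt" else 1)   # assumed QoS rule
            events.append((clock, w, tagged))
    events.sort(key=lambda e: (e[0], e[1]))
    return [e[2] for e in events], dict(flow_table)


class Sequencer:
    """Stage 3: per-flow reorder buffer; releases a packet only when it is next in sequence."""
    def __init__(self):
        self.expected = defaultdict(int)
        self.pending = defaultdict(dict)

    def push(self, pkt):
        flow = pkt["flow"]
        self.pending[flow][pkt["seq"]] = pkt
        released = []
        while self.expected[flow] in self.pending[flow]:
            released.append(self.pending[flow].pop(self.expected[flow]))
            self.expected[flow] += 1
        return released


def schedule(packets):
    """Stage 4: strict priority by QoS class, FIFO within a class."""
    heap = [(p["qos"], i, p) for i, p in enumerate(packets)]
    heapq.heapify(heap)
    return [heapq.heappop(heap)[2] for _ in range(len(heap))]


def run_pipeline(packets, n_workers=2, service_time=(1, 3)):
    """Run all four stages; returns the order after stages 2, 3 and 4 plus the flow table."""
    classified, flow_table = classify(dispatch(packets, n_workers), service_time)
    sequencer, reordered = Sequencer(), []
    for pkt in classified:
        reordered.extend(sequencer.push(pkt))
    return classified, reordered, schedule(reordered), flow_table


# Constructed input: a four-packet data flow and a two-packet management flow
CONSTRUCTED_PACKETS = ([{"flow": "data", "seq": i} for i in range(4)]
                       + [{"flow": "mgmt", "seq": i} for i in range(2)])


def order(packets):
    """Compact (flow, seq) view of a packet list."""
    return [(p["flow"], p["seq"]) for p in packets]


if __name__ == "__main__":
    c, r, s, flows = run_pipeline(CONSTRUCTED_PACKETS)
    print("after classify:", order(c))
    print("after sequencer:", order(r))
    print("after scheduler:", order(s))
    print("flow table:", flows)
```

With service times (1, 3) the second worker is three times slower, so `data/2` leaves stage 2 before `data/1`; the sequencer holds `data/2` until `data/1` arrives, and the scheduler then moves both management packets ahead of the data flow. The scheduler here drains a finished batch; a real one would run continuously against per-class queues.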
A Proposed Solution
• Summary of the proposed solution:
  • It enhances the robustness, flexibility, and scalability of the existing DIDSes
  • In the inline mode, the proposed IDS can also serve as a dynamic firewall for intrusion prevention
  • The run-time programmability of the proposed IDS is an important capability which can be further exploited to build intelligent DIDSes
Thoughts on Attack Identification
• Two key components in a DIDS:
  • Attack identification
  • Alert correlation
• Two candidate techniques:
  • Robust identification
  • Frequency domain analysis
Thoughts on Attack Identification
• A state-of-the-art robust identification technique developed by experts in the control area
• Problem Statement:
  • Given:
    • a model of the plant under normal conditions Go(λ, ∆o)
    • failure dynamics Gi(λ, ∆i)
    • a bound δ on the measurement noise
    • uncertainty sets ∆i
    • N input/output experiment measurements
  • Determine:
    • whether a fault has occurred
    • in that case, isolate it and determine its strength
• Can be used for both anomaly and misuse detection
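A deliberately reduced instance of this problem statement, as an added worked example (not the referenced technique, which handles dynamic models with structured uncertainty; here everything is static): the nominal plant is a gain g drawn from an uncertainty set [g_lo, g_hi] standing in for ∆o, each failure dynamics Gi is a known shape f_i(u) scaled by a strength λ, the noise is bounded by δ, and N input/output samples are tested by interval intersection over a grid of admissible gains. A model that cannot be made consistent with the data within δ is invalidated; a fault is isolated when exactly one failure model survives. The gain set, the two fault shapes, the noise pattern and the measurements are all constructed.

```python
"""Set-membership fault detection and isolation (added, simplified example).

Nominal model:  y_k = g*u_k + e_k,                  g in [g_lo, g_hi], |e_k| <= delta
Failure model i: y_k = g*u_k + lam*f_i(u_k) + e_k,  strength lam >= 0, known shape f_i
"""


def consistent_strength(u, y, g, fault, delta):
    """Interval of strengths lam >= 0 with |y_k - g*u_k - lam*fault(u_k)| <= delta
    for every sample, or None if the model is invalidated by the data."""
    lo, hi = 0.0, float("inf")
    for uk, yk in zip(u, y):
        r = yk - g * uk                   # residual against the nominal model
        f = fault(uk)
        if abs(f) < 1e-12:                # fault shape silent here: residual must be noise
            if abs(r) > delta:
                return None
            continue
        a, b = (r - delta) / f, (r + delta) / f
        if f < 0:
            a, b = b, a
        lo, hi = max(lo, a), min(hi, b)
        if lo > hi:
            return None
    return (lo, hi)


def diagnose(u, y, gain_set, faults, delta, grid=41):
    """Decide normal / fault / ambiguous / unexplained and bound the fault strength."""
    g_lo, g_hi = gain_set
    gains = [g_lo + (g_hi - g_lo) * i / (grid - 1) for i in range(grid)]
    # Some admissible gain explains the data within the noise bound: no fault declared
    if any(consistent_strength(u, y, g, lambda _u: 0.0, delta) for g in gains):
        return ("normal", None, None)
    isolated = []
    for name, f in faults.items():
        ivs = [iv for g in gains if (iv := consistent_strength(u, y, g, f, delta))]
        if ivs:                           # union of strength intervals over admissible gains
            isolated.append((name, min(a for a, _ in ivs), max(b for _, b in ivs)))
    if not isolated:
        return ("unexplained", None, None)
    if len(isolated) > 1:
        return ("ambiguous", [n for n, _, _ in isolated], None)
    name, lo, hi = isolated[0]
    return ("fault", name, (lo, hi))


# Constructed setup: gain set, noise bound, two candidate fault shapes, N = 8 samples
GAIN_SET = (0.9, 1.1)
DELTA = 0.1
FAULTS = {"bias": lambda u: 1.0, "gain-drift": lambda u: u}
U = [float(k) for k in range(1, 9)]
NOISE = [0.05 if k % 2 == 0 else -0.05 for k in range(8)]   # bounded, within DELTA


def measurements(true_gain, fault=None, strength=0.0):
    """Constructed output samples from a chosen true model."""
    return [true_gain * uk + (strength * fault(uk) if fault else 0.0) + nk
            for uk, nk in zip(U, NOISE)]


def run_cases():
    return {
        "normal": diagnose(U, measurements(1.05), GAIN_SET, FAULTS, DELTA),
        # a drift that stays inside the gain set is, by construction, not a fault
        "drift-inside-set": diagnose(U, measurements(1.08), GAIN_SET, FAULTS, DELTA),
        "bias": diagnose(U, measurements(1.05, FAULTS["bias"], 0.5), GAIN_SET, FAULTS, DELTA),
        "drift": diagnose(U, measurements(1.05, FAULTS["gain-drift"], 0.1), GAIN_SET, FAULTS, DELTA),
    }


if __name__ == "__main__":
    for case, result in run_cases().items():
        print(case, result)
```

The drift-inside-set case is the robustness point: a gain change that stays inside the uncertainty set is indistinguishable from normal operation and is not reported, so the size of ∆o directly sets the smallest detectable fault, and the noise bound δ sets how tightly the strength can be bracketed.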
Thoughts on Attack Identification
• An immature thought on alert correlation
• Frequency domain analysis may play an important role because:
  • The power spectrum captures the relative strength of the correlated signals at different frequencies or timescales
  • It is a mature research field and various tools are readily available
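What the power spectrum reports on alert streams, as an added Python example (not from the talk; the DFT is written out in pure Python so it needs no numpy): two constructed per-interval alert-count series, one per sensor, share an 8-interval rhythm but sit half a period apart, and each has one unrelated burst. The power spectrum of each series gives its dominant timescale, the cross spectrum gives the timescale both share and the lag between them, while a same-interval correlation coefficient on the same data comes out strongly negative.

```python
"""Alert-stream correlation in the frequency domain (added example, constructed data)."""
import cmath
import math


def dft(x):
    """Discrete Fourier transform, O(n^2); fine for short alert histories."""
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
            for k in range(n)]


def power_spectrum(x):
    """Power at each non-negative frequency bin 0..n//2."""
    return [abs(v) ** 2 for v in dft(x)[: len(x) // 2 + 1]]


def dominant_timescale(spectrum, n):
    """Period, in intervals, of the strongest bin other than DC."""
    k = max(range(1, len(spectrum)), key=lambda i: spectrum[i])
    return n / k


def shared_timescale_and_lag(x, y):
    """Cross spectrum X * conj(Y): its strongest bin is the shared timescale and
    its phase there is the lag of y behind x, modulo the period."""
    n = len(x)
    cross = [a * b.conjugate() for a, b in zip(dft(x), dft(y))]
    k = max(range(1, n // 2 + 1), key=lambda i: abs(cross[i]))
    period = n / k
    lag = (cmath.phase(cross[k]) % (2 * math.pi)) * n / (2 * math.pi * k)
    return period, round(lag) % round(period)


def pearson(x, y):
    """Same-interval correlation coefficient, for contrast."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / math.sqrt(vx * vy)


def constructed_alert_series(n=64):
    """Alert counts per interval for two sensors (constructed data)."""
    rhythm = [4, 3, 2, 1, 0, 1, 2, 3]                 # period 8
    a = [rhythm[t % 8] for t in range(n)]
    b = [rhythm[(t + 4) % 8] for t in range(n)]       # same rhythm, 4 intervals later
    a[11] += 2                                        # one-off bursts, unrelated to each other
    b[37] += 2
    return a, b


if __name__ == "__main__":
    a, b = constructed_alert_series()
    print("sensor A timescale:", dominant_timescale(power_spectrum(a), len(a)))
    print("sensor B timescale:", dominant_timescale(power_spectrum(b), len(b)))
    print("shared timescale, lag:", shared_timescale_and_lag(a, b))
    print("same-interval correlation:", round(pearson(a, b), 3))
```

The cross-spectrum phase fixes the lag only modulo the period, so 4 intervals here could equally be read as sensor B leading sensor A by 4; longer records and agreement across harmonics are what resolve that in practice.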
Research Goal
• Research goal by the end of this summer: a detailed architecture of the proposed research with one of two possible outcomes:
  • A DIDS architecture with the proposed solution integrated with a new anomaly and misuse detection mechanism
  • A DIDS architecture that integrates the proposed solution with an existing DIDS
• The outcome will serve two purposes:
  • A proposal for funding opportunities
  • The basis for the development of such a DIDS
Thanks!!!