
A practice of Intrusion Prevention System


Presentation Transcript


  1. A practice of Intrusion Prevention System
  Rachana George

  2. Overview
  • Introduction
  • Basic Building Blocks
    • IP Based Packet Signature (IPBPS)
    • Cumulative Sum (CUSUM)
    • Class-Based Queuing (CBQ)
  • Intrusion Prevention System Overview
  • Intrusion Prevention System Implementation
  • Experiments and Results
  • Conclusion

  3. Introduction: Intrusion Prevention System
  • A Distributed Denial of Service (DDoS) attack is the most difficult attack to prevent on the Internet, as it consumes the entire network bandwidth and the system resources of the victim.
  • The paper presents the design of an IPS that realizes a source-end defense method.
  • The IPS classifies packets into three types:
    • Normal packet: allowed to enter the network
    • Suspicious packet: bandwidth restricted
    • Attack packet: blocked from entering the network

  4. Overview: Intrusion Prevention System
  • The system monitors the number of packets generated by each host and categorizes them into three types: normal, suspicious and attack packets.
  • For a suspicious packet, the source edge router attaches a signature to the packet, and the bandwidth of the host generating such packets is restricted.
  • At the destination, the signature of the suspicious packet is verified and the packet is inspected by the intrusion detector.
  • If a DDoS attack is detected, the edge router of the attack source is located and a command is sent to that source edge router to block those packets.

  5. Basic Building Block: IP Based Packet Signature (IPBPS)

  6. Basic Building Block: Cumulative Sum (CUSUM)
  • X[n]: number of packets collected in sampling period n
  • α: mean of X[n]
  • X2[n] = X[n] – α
  • When the network is not under attack, X2[n] ≈ 0
  • When an attack occurs, X2[n] = X[n] – α > 0
  • Let y[n] be the cumulative sum of X2[n]
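The CUSUM statistic from this slide, worked through on constructed per-period packet counts (an added example, not the paper's or the presenter's code). The sample counts, the training mean α and the alarm threshold are assumed values; the `reset` variant goes beyond the slide and is the non-parametric CUSUM form commonly used for traffic anomaly detection.

```python
from typing import List, Optional

# Constructed sample: packets seen per sampling period on one host. The first ten
# periods are normal background traffic; from period 10 on, the host starts flooding.
SAMPLE_COUNTS = [96, 93, 97, 94, 95, 96, 93, 95, 97, 94, 200, 200, 200, 200]
TRAINING_MEAN = 100.0   # α learned earlier (assumed slightly above the live normal rate)

def estimate_alpha(training_counts: List[int]) -> float:
    """α as the deck defines it: the mean of X[n] over an attack-free training window."""
    return sum(training_counts) / len(training_counts)

def cusum_series(counts: List[int], alpha: float, reset: bool = False) -> List[float]:
    """Return y[n] for every sampling period.

    X2[n] = X[n] - alpha is about 0 for normal traffic and clearly positive during an attack.
    reset=False: y[n] is the plain cumulative sum of X2[n], as on the slide.
    reset=True:  y[n] = max(0, y[n-1] + X2[n]), the non-parametric CUSUM form (an addition
                 here, not from the deck) that discards the negative drift normal traffic
                 accumulates, so the statistic cannot build up a "credit" that delays an alarm.
    """
    y, series = 0.0, []
    for x in counts:
        y += x - alpha          # add X2[n]
        if reset:
            y = max(0.0, y)
        series.append(y)
    return series

def first_alarm(counts: List[int], alpha: float, threshold: float,
                reset: bool = False) -> Optional[int]:
    """Index of the first sampling period whose y[n] exceeds the threshold, or None."""
    for n, y in enumerate(cusum_series(counts, alpha, reset)):
        if y > threshold:
            return n
    return None
```

With the constructed data the plain sum raises the alarm two periods into the flood, the reset form one period into it, because the normal periods had pulled the plain sum down to -50 first.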

  7. Basic Building Block: Class Based Queuing (CBQ)
  • The existing FIFO scheduling scheme does not provide differentiated service to different flows.
  • Class Based Queuing (CBQ) divides the bandwidth into several queuing levels.
  • CBQ allows different bandwidths to be assigned to different flows.

  8. Components: Intrusion Prevention System
  • Edge Router: creates the signature at the source and verifies it at the destination
  • Firewall: controls the bandwidth of suspicious packets
  • Network IDS at the source: monitors and classifies outbound packets
  • Network IDS at the destination: monitors inbound traffic and detects attacks

  9. Implementation: Edge Router
  • IPBPS Sign Module: calculates the signature and places it into the packet
  • IPBPS Verify Module: verifies the signature of the incoming packet
  • IPBPS Control Module: analyzes commands from the NIDS, activates/deactivates the sign/verify modules, and sends block commands to the firewall or the source edge router

  10. Implementation: Firewall
  • Control Module: analyzes block or throttle commands from the NIDSout at the source or from the edge router
  • Throttle/Traffic Control Module: executes the commands analyzed by the control module

  11. Implementation: Network Attack Detector at Source End (NIDSOUT)
  • Sniffing Module: captures outbound packets and passes them to the traffic watchdog module for analysis
  • Traffic-Watchdog Module: classifies packets as normal, suspicious or attack
  • Control Module: acts as the interface between the traffic watchdog module, the firewall and the edge router

  12. Implementation: Network Attack Detector at Destination End (NIDSIN)
  • Sniffing Module: captures inbound packets and passes them to the other modules
  • IPBPS Verify Module: verifies the signature carried in the option field of the packet's IP header
  • DDoS Detection Module: detects DoS attacks and sends the source IP of the edge router to the control module
  • Control Module: sends the block command to the source end edge router
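The sign/verify pair described on slides 9 and 12, as an added Python example (not the paper's or the presenter's code): the source edge router computes a tag over the IPv4 header fields that do not change in transit plus the payload, carries it in an IP option, and the destination verifier recomputes it. The deck does not give the signature algorithm, key handling or option number, so the truncated HMAC-SHA256, the shared key and the use of the RFC 4727 experimental option number are assumptions.

```python
import hmac
import hashlib
import struct

# Constructed demo values: the deck does not specify the signature algorithm, key handling or
# option number, so an 8-byte HMAC-SHA256 tag under a key shared by source edge router and verifier is assumed.
EDGE_KEY = b"demo-edge-router-key"
OPT_TYPE = 0x9E   # copy flag set, class 0, number 30 (RFC 4727 experimental option; chosen for the demo)
TAG_LEN = 8       # bytes of HMAC kept in the option

def ip_checksum(hdr: bytes) -> int:
    """RFC 791 ones-complement header checksum; yields 0 over a header whose checksum field is correct."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_packet(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Plain IPv4 datagram (20-byte header, UDP protocol number, no options) as a host would emit it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, 17, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def _tag(hdr: bytes, payload: bytes) -> bytes:
    # Sign only fields stable in transit (src, dst, protocol, identification) plus the payload;
    # TTL, header checksum and total length are rewritten by routers and are excluded.
    data = hdr[12:20] + hdr[9:10] + hdr[4:6] + payload
    return hmac.new(EDGE_KEY, data, hashlib.sha256).digest()[:TAG_LEN]

def sign_packet(pkt: bytes) -> bytes:
    """IPBPS sign module (source edge router): append the signature as an IP option."""
    assert pkt[0] & 0x0F == 5, "demo expects a header without existing options"
    hdr, payload = pkt[:20], pkt[20:]
    opt = bytes([OPT_TYPE, 2 + TAG_LEN]) + _tag(hdr, payload)
    opt += b"\x00" * (-len(opt) % 4)                  # pad option list to a 32-bit boundary
    hdr = (bytes([0x45 + len(opt) // 4]) + hdr[1:2] + struct.pack("!H", 20 + len(opt) + len(payload))
           + hdr[4:10] + b"\x00\x00" + hdr[12:])      # IHL grows by the option words; checksum cleared
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr + opt)) + hdr[12:] + opt + payload

def verify_packet(pkt: bytes) -> bool:
    """IPBPS verify module (destination edge router / NIDSIN): check the option-field signature."""
    hlen = (pkt[0] & 0x0F) * 4
    hdr, opts, payload = pkt[:20], pkt[20:hlen], pkt[hlen:]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0 or (kind != 1 and (i + 1 >= len(opts) or opts[i + 1] < 2)):
            break                                             # end of list, truncated or malformed option
        length = 1 if kind == 1 else opts[i + 1]              # NOP carries no length byte
        if kind == OPT_TYPE and length == 2 + TAG_LEN:
            return hmac.compare_digest(opts[i + 2:i + length], _tag(hdr, payload))
        i += length
    return False                                              # unsigned: packet was never marked suspicious
```

A TTL decrement along the path leaves the tag valid, while any change to the source address (the field the victim uses to locate the source edge router) invalidates it.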

  13. Experiments: DDoS Attacks Detected by IPS

  14. Conclusion: Prevention of DDoS attacks
  • A simple and robust IPS
  • Helps in early detection and reduces the propagation of Distributed Denial of Service attacks
  • The system blocks packets confirmed as attack traffic by the victim, and thus reduces the false-positive rate

  15. Reference
  Lih-Chyau Wuu, Yen-Hung Chen, Chih-Chieh Ma and I-Tao Lung, "A practice of Intrusion Prevention System", IEEE Region 10 Conference, pp. 1-4, 2007.
