A practice of Intrusion Prevention System Rachana George
Overview
• Introduction
• Basic Building Blocks
• IP Based Packet Signature (IPBS)
• Cumulative Sum (CUSUM)
• Class-Based Queuing (CBQ)
• Intrusion Prevention System Overview
• Intrusion Prevention System Implementation
• Experiments and Results
• Conclusion
Introduction: Intrusion Prevention System
• A Distributed Denial of Service (DDoS) attack is the most difficult attack to prevent on the Internet, because it consumes the entire network bandwidth and the system resources of the victim.
• The paper presents the design of an IPS that realizes a source-end defense method.
• The IPS classifies packets into three types:
  • Normal packet: allowed to enter the network
  • Suspicious packet: bandwidth restricted
  • Attack packet: blocked from entering the network
Overview: Intrusion Prevention System
• The system monitors the number of packets generated by each host and categorizes them into three types: normal, suspicious and attack packets.
• For a suspicious packet, the source edge router attaches a signature to the packet, and the bandwidth of the host generating such packets is restricted.
• At the destination, the signature of the suspicious packet is verified and the packet is inspected by the intrusion detector.
• If a DDoS attack is detected, the edge router of the attack source is located and a command is sent to that source edge router to block the packets.
Basic Building Block: IP Based Packet Signature (IPBPS)
Basic Building Block: Cumulative Sum (CUSUM)
• X[n]: number of packets collected in sampling period n
• α: mean of X[n]
• X2[n] = X[n] – α
• When the network is not under attack, X2[n] ≈ 0
• When an attack occurs, X2[n] = X[n] – α > 0
• Let y[n] be the cumulative sum of X2[n]
Basic Building Block: Class-Based Queuing (CBQ)
• The existing FIFO scheduling scheme does not provide differentiated service to different flows.
• Class-Based Queuing (CBQ) divides the bandwidth into several queuing levels.
• CBQ allows different bandwidths to be assigned to different flows.
Components: Intrusion Prevention System
• Edge Router: creates the signature at the source and verifies it at the destination
• Firewall: controls the bandwidth of suspicious packets
• Network IDS at Source: monitors and classifies outbound packets
• Network IDS at Destination: monitors inbound traffic and detects attacks
Implementation: Edge Router
• IPBPS Sign Module: calculates the signature and places it into the packet
• IPBPS Verify Module: verifies the signature of an incoming packet
• IPBPS Control Module: analyzes commands from the NIDS, activates/deactivates the sign and verify modules, and sends block commands to the firewall or to the source edge router
Implementation: Firewall
• Control Module: analyzes block or throttle commands from NIDSOUT at the source or from the edge router
• Traffic Throttle Control Module: executes the commands analyzed by the control module
Implementation: Network Attack Detector at Source End (NIDSOUT)
• Sniffing Module: captures outbound packets and passes them to the traffic-watchdog module for analysis
• Traffic-Watchdog Module: classifies packets as normal, suspicious or attack
• Control Module: acts as the interface between the traffic-watchdog module, the firewall and the edge router
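As an added example (not code from the paper or from the slides), the following shows how the CUSUM statistic from the Basic Building Block slide could drive the Traffic-Watchdog classification of a host's traffic into normal, suspicious and attack; the clamp at zero, the two thresholds and the sample packet counts are assumptions made here.

```python
# Added example (not the paper's or the slides' code): a one-sided CUSUM
# classifier in the style of the Traffic-Watchdog module. The slides define
# X2[n] = X[n] - alpha and y[n] as the cumulative sum of X2[n]; the clamp at
# zero and the two thresholds are assumptions added here.
from typing import List


def estimate_alpha(baseline: List[int]) -> float:
    """alpha: mean packet count per sampling period, taken from attack-free samples."""
    return sum(baseline) / len(baseline)


def cusum(samples: List[int], alpha: float, clamp: bool = True) -> List[float]:
    """Return y[n] for each sampling period.

    y[n] = y[n-1] + (X[n] - alpha). With clamp=True the sum is reset to zero
    whenever it goes negative (standard one-sided CUSUM, so quiet periods do
    not build up credit); clamp=False is the plain cumulative sum of the slides.
    """
    y, out = 0.0, []
    for x in samples:
        y += x - alpha
        if clamp and y < 0:
            y = 0.0
        out.append(y)
    return out


def classify(samples: List[int], alpha: float,
             suspicious_thr: float, attack_thr: float) -> List[str]:
    """Label each period normal / suspicious / attack by comparing y[n] to thresholds."""
    labels = []
    for y in cusum(samples, alpha):
        if y >= attack_thr:
            labels.append("attack")
        elif y >= suspicious_thr:
            labels.append("suspicious")
        else:
            labels.append("normal")
    return labels


if __name__ == "__main__":
    # Constructed sample data: packets per second sent by one host.
    quiet = [98, 103, 99, 101, 100, 97, 102]          # attack-free baseline
    flood = [99, 101, 100, 130, 160, 190, 220, 250]   # host ramps up a flood
    alpha = estimate_alpha(quiet)                     # 100.0
    print(classify(quiet, alpha, 50, 150))   # all "normal"
    print(classify(flood, alpha, 50, 150))   # normal x4, suspicious, attack x3
```

In the IPS design, a "suspicious" label is what would make the edge router sign the packets and the firewall throttle the host, while "attack" would trigger the block command.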
Implementation: Network Attack Detector at Destination End (NIDSIN)
• Sniffing Module: captures inbound packets and passes them to the other modules
• IPBPS Verify Module: verifies the signature carried in the option field of the packet's IP header
• DDoS Detection Module: detects DoS attacks and sends the IP address of the source edge router to the control module
• Control Module: sends the block command to the source-end edge router
Experiments: DDoS Attacks Detected by IPS
Conclusion: Prevention of DDoS Attacks
• A simple and robust IPS
• Helps in early detection and reduces the propagation of Distributed Denial of Service attacks
• The system blocks packets confirmed by the victim, and thus reduces the false-positive rate
Reference
Lih-Chyau Wuu, Yen-Hung Chen, Chih-Chieh Ma and I-Tao Lung, "A practice of Intrusion Prevention System", IEEE Region 10 Conference, 2007, pp. 1-4.