Efficient and Effective Architecture for Intrusion Detection System - PowerPoint PPT Presentation

1
Efficient and Effective Architecture for
Intrusion Detection System
  • Prepared by
  • Ashif Adnan, Omair Alam, Akhtaruzzaman
  • School of Computer Science
  • University of Windsor
  • ON, Canada

2
Outline
  • Introduction
  • Motivation
  • Goal
  • Related works
  • Our observations
  • Conclusion
  • Acknowledgment
  • References

3
Introduction
  • Ubiquitous computing environment
  • Intrusion Detection Systems
  • Misuse based
  • Anomaly based
  • Intrusion determination
  • False positive
  • False negative
  • Intrusion detection rules
  • Proactive intrusion detection

4
Motivation
  • Tremendous growth of network
  • More availability of information
  • Need for information security
  • Growing importance of IDS
  • Lack of efficiency in data collection
  • Inefficiency and inaccuracy in analyzing attacks
  • Complexity in rules checking

5
Goal
  • Effective,
  • Efficient and
  • Secured Intrusion Detection System

6
Related works
  • New Approaches to Data Collection, Management and
    Analysis for IDS
  • Basic concept used was SMASH
  • SMASH: A Secure Monitoring System for
    Information Assurance, Analysis and Survivability
    of Network Hazards.
  • Basic need for implementing SMASH was network
    security.
  • The analysis will help reduce false positive and
    false negative determinations of intrusions

7
Related works (contd): Data Collection,
Management and Analysis
  • Requirements for implementing SMASH sensors
  • Low cost
  • No extreme bandwidth requirements
  • Flexible
  • Scalable
  • Wireless networks fulfill all of these
    requirements
  • Additional advantage that sensors can be moved
    without disruption of the operational network

8
Related works (contd): Data Collection,
Management and Analysis
  • Features of Gumstix used
  • It is a miniature computer which comes preloaded
    with the Linux operating system.
  • A 400 MHz processor
  • netCF stick, which combines a 100 Mbps Ethernet
    interface with a compact flash card adapter
  • A compact flash wireless card
  • It measures only 4" long by ¾" wide and ½" thick.
  • The motherboards measure 80 mm x 20 mm x 6.3 mm.

9
Related works (contd): Data Collection,
Management and Analysis
Figure 1 Gumstix Computers
Figure 2 Gumstix Motherboard
Graphic Reference: http://www.gumstix.com/
10
Related works (contd): Data Collection,
Management and Analysis
  • Collecting Data using Gumstix
  • Setting up the network
  • Sensor (Gumstix) as the sniffer
  • A central management system
  • Network monitoring software such as Tcpdump
  • IDS application such as Snort
  • Java application using socket programming

11
Related works (contd): Data Collection,
Management and Analysis
Figure 3 Gumstix Network Setup
12
Related works (contd): Data Collection,
Management and Analysis
  • Managing Data over Wireless
  • Key issue: communication with the controlling
    workstation
  • If the sensor undergoes a DDoS attack, then its
    ability to send the data back to the controller
    may be compromised.
  • So the best solution is to make the sensor
    communicate with the management station on a
    dedicated, isolated network.
  • But an additional wired network becomes
    unmanageable, so a wireless network is used.

13
Related works (contd): Analysis of the design
  • Analyzing data with Data Fusion and Data Mining
    Techniques
  • Data Fusion is generally defined as the use of
    techniques that combine data from multiple
    sources and gather that information in order to
    achieve inferences, which will be more efficient
    than if they were achieved by means of a single
    source.
  • Data Mining is the principle of sorting through
    large amounts of data and picking out relevant
    information.
  • The combination of data fusion and data mining
    techniques has the greatest potential to solve a
    major drawback of IDS: the unacceptable numbers
    of false positives and false negatives.

14
Related works (contd)
  • High throughput string matching architecture for
    IDS/IPS
  • IDS/IPS requirements
  • Worst Case Performance
  • Non-Interrupting Rule Update
  • High Throughput per Area

15
Related works (contd): String matching
architecture
  • String Matching Engine
  • Each string is broken down into a set of small
    state machines
  • Hierarchical architecture
  • Highest level is the full device
  • Each device holds the entire set of strings
  • Reads character in every cycle
  • Computes the set of matches and reports
  • Devices can be replicated

16
Related works (contd): String matching
architecture
Figure 4 The String Matching Engine of the High
Throughput Architecture [2]
17
Related works (contd): String matching
architecture
  • Support for Non-interrupting Update
  • Automated systems are used
  • Faster than old FPGA (field-programmable gate
    array) based techniques

Figure 5 Non-interrupting update support [2]
18
Related works (contd): Analysis of the design
  • Theoretical optimal partitioning
  • For a set of strings S each with L characters per
    string, the total number of bits the architecture
    requires is
  • T(n,g) = n · floor(S/g) · 2^floor(log2(gL)) · (floor(log2(gL)) · 2^(8/n) + g)
  • Where n is the number of state machines per rule
    module and g is the group size.

  n   Fanout (2^(8/n))   Storage in bits T(n,g)
  2   16                 2 · floor(S/g) · 2^floor(log2(gL)) · (16 · floor(log2(gL)) + g)
  4   4                  4 · floor(S/g) · 2^floor(log2(gL)) · (4 · floor(log2(gL)) + g)
  8   2                  8 · floor(S/g) · 2^floor(log2(gL)) · (2 · floor(log2(gL)) + g)
Table 1 Optimal module size [2]
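As an added example (not code from the presentation or from Tan and Sherwood's paper), a Python model of the string matching engine of slide 15 and the partitioning of slide 18: a group of rule strings is compiled into one Aho-Corasick machine, which is split into n small state machines that each read only 8/n bits of every input byte, and a match is reported only where all n partial match vectors agree. PATTERNS and SAMPLE are constructed inputs; only the standard library is used.

```python
from collections import deque
PATTERNS = [b"GET /", b"../", b"cmd.exe"]   # constructed rule strings (one group)
SAMPLE = b"GET /../cmd.exe HTTP/1.0"        # constructed request bytes to scan
def build_ac(patterns):
    # Aho-Corasick DFA: dense 256-way row per state; out[s] = bitmask of patterns at s.
    nxt, out = [{}], [0]
    for i, p in enumerate(patterns):
        s = 0
        for c in p:
            s = nxt[s].setdefault(c, len(nxt))
            if s == len(nxt): nxt.append({}); out.append(0)
        out[s] |= 1 << i
    fail, q = [0] * len(nxt), deque(nxt[0].values())
    for c in range(256): nxt[0].setdefault(c, 0)   # complete the root row
    while q:                                       # BFS: fail links, dense rows
        s = q.popleft(); out[s] |= out[fail[s]]
        for c in range(256):
            if c in nxt[s]:
                t = nxt[s][c]; fail[t] = nxt[fail[s]][c]; q.append(t)
            else:
                nxt[s][c] = nxt[fail[s]][c]
    return nxt, out

def bit_split(nxt, out, n):
    # One small FSM per 8/n-bit slice of each byte: a split state is the set of
    # AC states consistent with the slices seen so far; its PMV ORs their bits.
    w, machines = 8 // n, []
    for k in range(n):
        shift, mask, root = k * w, (1 << w) - 1, frozenset([0])
        ids, tbl, pmv, q = {root: 0}, [], [], deque([root])
        while q:
            cur, row, m = q.popleft(), [], 0
            for v in range(1 << w):
                nxt_set = frozenset(nxt[s][c] for s in cur
                                    for c in range(256) if ((c >> shift) & mask) == v)
                if nxt_set not in ids: ids[nxt_set] = len(ids); q.append(nxt_set)
                row.append(ids[nxt_set])
            for s in cur: m |= out[s]
            tbl.append(row); pmv.append(m)
        machines.append((shift, mask, tbl, pmv))
    return machines

def scan(machines, data):
    # Lock-step over all n machines; a hit needs the bit set in every PMV (AND), which is exact.
    states, hits = [0] * len(machines), []
    for i, b in enumerate(data):
        agree = -1
        for k, (shift, mask, tbl, pmv) in enumerate(machines):
            states[k] = tbl[states[k]][(b >> shift) & mask]; agree &= pmv[states[k]]
        if agree: hits.append((i, agree))
    return hits
```

scan() returns (end offset, pattern bitmask) pairs; running it with n = 2, 4 and 8 gives the same hits, which is the point of the slide's fanout table: smaller machines, same answer.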
19
Related works (contd): Analysis of the design
  • Throughput analysis

  Description                                   Throughput (Gbps)   Char/Area (1/mm²)   Notes
  Bit Split FSM (Group Size 16)                 10.074               55.219             Bank size 64B
                                                 9.759               72.592             Bank size 128B
                                                 9.326              156.569             Bank size 256B
  Sourdis and Pnevmatikatos, Pre-decoded CAMs    9.708               23.482             4B/cc, Virtex2-6000
                                                 4.913               22.682             4B/cc, Spartan3-5000
  Hutchings et al., Regular Expressions          0.248               32.496             1B/cc, Virtex-1000
                                                 0.400               32.496             1B/cc, Virtex-1000
  ...                                           ...                 ...                 ...
Table 2 Detailed Comparison of the Bit Split FSM
Design and existing FPGA-based Designs [2]
20
Related works
  • Utilizing fuzzy logic and neural network for IDS
    in wireless environment
  • Current IDS
  • No correlation between host-based IDS and
    network-based IDS
  • Database needs to be updated frequently for
    missed attacks
  • Log files need to be analyzed over a long period
    of time
  • A problem with Anomaly Detection is that a user
    over time can train the system to accept
    anomalous behavior as normal, by slowly adding to
    the attack

21
Related works (contd): Fuzzy logic and neural
network
  • Difference

Figure 6 Comparison between Traditional and
Alternative Misuse Detection [3]
22
Related works (contd): Fuzzy logic and neural
network
  • NeGPAIM-W2 Model

Figure 7 General Representation of NeGPAIM-W2 [3]
23
Related works (contd): Fuzzy logic and neural
network
  • The Fuzzy Engine
  • The fuzzy engine is one of the two low-level
    processing units of NeGPAIM-W2 and will process
    the input data.
  • This engine is responsible for implementing the
    Misuse Detection methodology.
  • The fuzzy engine first computes a template, and
    the user action graph is mapped against it to
    determine whether or not a user (intruder) has
    performed, or is performing, an intrusion attack.

24
Related works (contd): Fuzzy logic and neural
network
  • Neural Engine
  • Second low-level processing engine
  • It also processes input data
  • This engine will process the data and search
    through it for patterns of abnormal user
    behaviors that may be occurring.

25
Related works (contd): Fuzzy logic and neural
network
  • Central Analysis Engine
  • To determine the source of an attack.
  • To determine the type of attack being currently
    perpetrated by the attacker.
  • To take into account all information gathered
    from various sources and to determine an overall
    intrusion probability.
  • Finally, the engine uses the overall intrusion
    probability value along with the type and source
    of the intrusion attack to perform a response to
    the intruder's actions.

26
Related works (contd): Analysis of the design
Figure 8 Risk analysis
27
Related works (contd): Analysis of the design
  • Method of Testing
  • Tested with a fully functional prototype called
    Sentinel IDS
  • Test Bed
  • Microsoft Windows OS
  • Tools
  • Airodump, Aireplay, Aircrack, Super-Scan and
    Brutus
  • Misuse test by Fuzzy Engine
  • 98% accurate
  • Anomaly test by Neural Engine
  • 97% accurate

28
Our observations
  • Data Collection, Management and Analysis for IDS
  • Cumbersome and unwieldy to manage two or more
    networks.
  • Need to back up the management station
  • String matching architecture
  • Applicable to general search problems on general
    state machines
  • Possible to improve throughput
  • By reading in more than one byte
  • Possible to extend the number of next states
  • By reading in more than one byte
  • Need to multiply throughput with only a
    reasonable increase in storage size.

29
Our observations (contd)
  • Intrusion detection with fuzzy logic and neural
    network
  • Needs rigorous test
  • Potential bugs and vulnerabilities might weaken
    the WLAN security
  • Cost of the wireless IDS solution may grow with
    the size of the WLAN

30
Our observations (contd): New Architecture
Figure 9 Modified architecture for Intrusion
Detection System (blocks shown: Access Point Logs;
Sticky GUM Architecture for Data Collection;
Database; High Throughput String Matching Rule-based
Architecture; Fuzzy Engine; Neural Engine; Central
Analysis Engine with risk labels 6/9/75, 5/8/70 and
7/10/80)
31
Conclusion
  • Observed steps
  • Investigation of new approach to data collection,
    management and analysis for IDS using Gumstix
  • Investigation of high throughput string matching
    architecture for IDS
  • Utilization of fuzzy logic and neural network for
    IDS using the model NeGPAIM-W2
  • Our proposed idea
  • Efficient and Effective Architecture for
    Intrusion Detection System

32
Acknowledgement
  • We would like to thank our professor for his
    great support and giving us the opportunity to
    learn about network security
  • We would like to thank our audience for listening
    to our presentation

33
References
  • [1] E. Derrick, R. Tibbs, L. Reynolds.
    Investigating new approaches to data collection,
    management and analysis for network intrusion
    detection. In Proc. of the 45th Annual Southeast
    Regional Conference (ACM-SE 45), pages 283-287,
    ACM Press, 2007.
  • [2] L. Tan, T. Sherwood. A high throughput string
    matching architecture for intrusion detection
    and prevention. In Proc. of the 32nd
    International Symposium on Computer Architecture,
    Vol. 33, Issue 2, pages 112-122, IEEE Computer
    Society, 2005.
  • [3] R. Goss, M. Botha, R. Solms. Utilizing fuzzy
    logic and neural networks for effective,
    preventative intrusion detection in a wireless
    environment. In Proc. of the 2007 Annual Research
    Conference of the South African Institute of
    Computer Scientists and Information Technologists
    on IT Research in Developing Countries (SAICSIT
    '07), Vol. 26, pages 29-35, ACM Press, 2007.
  • [4] Gumstix, Inc. Gumstix Way small computing.
    Accessed at http://gumstix.com/index.html.
  • [5] S. A. Crosby and D. S. Wallach. Denial of
    service via algorithmic complexity attacks. In
    Proc. of the USENIX Annual Technical Conference,
    June 2003.
  • [6] http://portal.acm.org/citation.cfm?id=1292491.1292495

34
The End
  • Questions?