Intrusion Detection Systems II - PowerPoint PPT Presentation

Slides: 17
Provided by: fengmi5
Transcript and Presenter's Notes

1
Intrusion Detection Systems (II)
  • CS 6262 Spring 04

2
STAT/USTAT
  • State transition analysis: a rule-based intrusion
    detection approach
  • USTAT: real-time intrusion detection for Unix
  • Misuse detection
  • Modeling intrusion signatures
  • Initial state: the state of the system prior to
    execution of the attack
  • Compromised state: the state of the system
    resulting from the completion of the attack
  • Intermediate states and transitions: attack steps

3
An Example
Figure (STAT state transition diagram, recovered from the slide). The attack sequence:
  user: ln <file> -<any string>
  user: -<any string>
  root
The diagram:
  S1 --[User Create File1]--> S2 --[User Execute File1]--> S3
State assertions:
  S1: 1. File Set 1 ≠ empty  2. Files are suid privileged
  S2: 1. name(File1)  2. typeof(File1) = link  3. owner(link_to(File1)) ≠ user
      4. name(link_to(File1)) exists_in File Set 1
  S3: 1. access(user, euid) = root
4
A Sense of Self - Immunology Approach
  • Prof. Forrest at University of New Mexico
  • Anomaly detection
  • Simple and short sequences of events to
    distinguish self from non-self
  • Currently looking at system calls (strace)
  • Applied to detection of attacks on lpr and sendmail

5
Some Details
  • Anomaly detection for Unix processes
  • Short sequences of system calls as normal
    profile (Forrest et al. UNM)

Example normal sequence of system calls from a trace: open, read, mmap, mmap, open, getrlimit, mmap, close
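As an added illustration of the short-sequence idea above (not code from the slides or from Forrest's group), the following builds a profile of length-k system-call windows from the trace shown on the slide and scores a second, constructed trace against it; the window length k = 3, the mismatch threshold and the suspect trace are assumptions.

```python
# Added example: sliding-window system-call profile in the style of Forrest et al.
# The normal trace is the one on the slide; k, the threshold and the suspect trace
# are constructed assumptions, not values from the presentation.

# Training ("normal") data: the system-call sequence shown on the slide.
NORMAL_TRACE = ["open", "read", "mmap", "mmap", "open", "getrlimit", "mmap", "close"]


def build_profile(trace, k=3):
    """Normal profile: the set of every length-k window of calls seen in training."""
    return {tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)}


def score_trace(trace, profile, k=3):
    """Slide a length-k window over a trace; return (mismatches, windows_checked).

    A window never seen in training counts as a mismatch. A trace shorter than
    k yields no windows at all, so callers must not divide by the window count.
    """
    windows = [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]
    mismatches = sum(1 for w in windows if w not in profile)
    return mismatches, len(windows)


def is_anomalous(trace, profile, k=3, threshold=0.2):
    """Flag a trace when the fraction of unseen windows exceeds the threshold."""
    mismatches, total = score_trace(trace, profile, k)
    if total == 0:
        return False  # too short to judge; do not raise an alarm on no evidence
    return mismatches / total > threshold


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACE)
    # Constructed suspect trace: an execve appears where the normal trace has open.
    suspect = ["open", "read", "mmap", "mmap", "execve", "getrlimit", "mmap", "close"]
    print(score_trace(NORMAL_TRACE, profile))  # (0, 6)
    print(score_trace(suspect, profile))       # (3, 6)
    print(is_anomalous(suspect, profile))      # True
```

A single foreign call spoils every window that covers it, which is why one unexpected system call produces k mismatches rather than one.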
6
Problems with Current IDSs
  • Knowledge and signature-based
  • We have the largest knowledge/signature base
  • Ineffective against new attacks
  • Individual attack-based
  • Intrusion A detected; Intrusion B detected
  • No long-term proactive detection/prediction
  • Statistical accuracy-based
  • x detection rate and y false alarm rate
  • Are the most damaging intrusions detected?
  • Statically configured

7
Next Generation IDSs
  • Adaptive
  • Detect new intrusions
  • Scenario-based
  • Correlate (multiple sources of) audit data and
    attack information
  • Cost-sensitive
  • Model cost factors related to intrusion detection
  • Dynamically configure IDS components for best
    protection/cost performance

8
Adaptive IDSs
Figure (adaptive IDS architecture, recovered from the slide): an ID Modeling Engine (anomaly detection, semiautomatic model generation) connected to several IDS instances.
9
Semi-automatic Generation of ID Models
Figure (model generation pipeline, recovered from the slide):
  raw audit data -> packets/events (ASCII) -> connection/session records -> features
  -> patterns (Data mining) -> models (Learning)
10
High Speed Intrusion Detection System
11
Problem Statement
  • Implement intrusion detection system (IDS) as an
    inherent and reliable network function
  • A high-speed, highly scalable, and high-fidelity
    IDS architecture
  • Integration of network security, QoS, fault
    tolerance and distributed collaboration
    mechanisms on the network interface card
  • Make possible the deployment of a security policy
    that is enforceable and secure
  • Defeat evasion and tampering

12
Solution Approach
  • Distributed network node IDS
  • IDS on end-host to unambiguously monitor traffic,
    share work load, and scale with network
  • IDS implemented on network processor to integrate
    with other network functions and allow the host
    to remain a productivity node
  • Layered and pipelined architecture
  • Optimize performance to handle high-speed traffic
  • Improve Bayesian detection rate

13
Layered Architecture
Figure (layered architecture, recovered from the slide; bottom to top):
  Network -> Packet stream -> Libpcap (tcpdump filters) -> Filtered packet stream
  -> Event Engine -> Event stream -> Detection Engine (Policy script, Event control)
  -> Alerts
14
Implementation on Intel IXP
Figure (implementation on the Intel IXP, recovered from the slide):
  StrongARM core: matching Snort rules (OTNs) -> alert messages
  Microengines (uEng x4): filtering, IP fragmentation reassembly, port-scan;
    matching Snort rule headers (RTNs); TCP stream reassembly; Telnet decode, HTTP decode
  Packet flow: Ethernet packets -> TCP packets / UDP/ICMP packets -> result vectors
15
FPGA Based Pattern Matching
  • Pattern matching is slow in software, but fast in
    hardware
  • FPGA compares a packet to all signatures
    simultaneously
  • Current implementation using Virtex-1000
  • Capacity: 200 Snort rules (2200 chars)
  • Performance exceeds that of a high-end PC

Figure (FPGA match vectors, recovered from the slide): input packets arrive from the IXP;
each rule's content patterns (Rule 1, Pattern 1 "HACKER"; Rule 1, Pattern 2 "WORM";
Rule 2, Pattern 1 "ROOT"; ...) are compared to the packet in parallel; the per-pattern
flags (Match_R1_P1 = 0, Match_R1_P2 = 0) are ANDed into the per-rule flag (Match_R1 = 0;
Match_R2 = 1; ... Rn), and the match vector (R1 0, R2 1, ...) is returned to the IXP
after each packet.
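An added software model of the match-vector scheme in the figure (not the project's FPGA or IXP code): all content patterns of all rules are searched in one pass with an Aho-Corasick automaton, standing in for the FPGA's parallel comparators, and each rule's per-pattern flags are ANDed into its rule flag. The rule-to-pattern assignment (R1 = HACKER and WORM, R2 = ROOT) is constructed from the slide's patterns.

```python
from collections import deque

# Rules and their content patterns, constructed from the patterns on the slide.
# A rule matches a packet only when every one of its patterns is present.
RULES = {"R1": [b"HACKER", b"WORM"], "R2": [b"ROOT"]}

class MultiPatternMatcher:
    """Aho-Corasick automaton: every pattern of every rule is checked in one pass
    over the packet, the software analogue of the FPGA comparing them in parallel."""

    def __init__(self, rules):
        self.rules = rules
        self.goto, self.out, self.fail = [{}], [set()], [0]   # per-state tables
        for rule, patterns in rules.items():
            for idx, pat in enumerate(patterns):
                self._add(pat, (rule, idx))
        self._build_failure_links()

    def _add(self, pat, label):
        s = 0
        for b in pat:
            if b not in self.goto[s]:
                self.goto.append({}); self.out.append(set()); self.fail.append(0)
                self.goto[s][b] = len(self.goto) - 1
            s = self.goto[s][b]
        self.out[s].add(label)          # this state completes pattern `label`

    def _build_failure_links(self):
        queue = deque(self.goto[0].values())   # depth-1 states keep fail = root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]  # inherit shorter-suffix hits

    def match_vector(self, packet):
        """Return ({rule: flag}, hits): a rule flag is the AND of its pattern flags."""
        hits, s = set(), 0
        for b in packet:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits |= self.out[s]         # per-pattern flags, e.g. Match_R1_P1
        rules = {rule: all((rule, i) in hits for i in range(len(pats)))
                 for rule, pats in self.rules.items()}
        return rules, hits              # rules is the per-packet match vector
```

The automaton advances one state per packet byte regardless of how many rules are loaded, so the per-packet cost grows with packet length, not with the rule count.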
16
Implication of Results
  • IDS can be implemented on network processor/card
  • Integrated IDS on NIC is more tamper resistant
    because it does not depend on the host operating
    system
  • Integration of IDS and firewall functions on NIC
    provides better basis for a security policy
    deployment
  • Implementation of active response mechanisms
    (traffic rate limiting, attack blocking)
  • Design of an all-in-one network/security
    processor for mobile devices