High Performance Intrusion Detection using Traffic Classification - PowerPoint PPT Presentation

Slides: 22
Provided by: yuk38
1
High Performance Intrusion Detection using Traffic Classification
  • Tarek Abbes, Alakesh Haloi, Michael Rusinowitch
  • LORIA/INRIA-Lorraine
  • DPNM LAB
  • ? ??
  • rone@postech.edu
  • 2005.10.17

2
Table of Contents
  • Introduction on the paper
  • Problems and Goals
  • Related Works
  • The Solving Algorithm
  • The Result
  • Future Work
  • My thoughts on their work
  • Improve?
  • Other related thoughts

3
Introduction on the paper
  • Introduction
    • IDS and packet classification
    • Contribution of this work
  • Previous work on packet classification
    • Survey of classification algorithms
    • Classification research on IDS
  • Traffic classification advantages
    • High-traffic analysis, switched-environment
      support, fault tolerance, detection efficiency,
      honey-pot deployment, log-file optimization
  • Traffic classification rules
  • Traffic classification algorithms
    • Classification with the port criteria
    • Classification with the address criteria
    • Classification algorithms
  • Validation with experiments
  • Conclusion and future work

4
Problems and Goals (1)
  • Problems
    • IDS
      • Anomaly detection
      • Misuse detection
      • High-speed network traffic puts the IDS under
        heavy load.
      • Overlaps exist among the rules of a
        misuse-detection-based IDS.
    • Packet classification
      • IP routing
      • Service differentiation
      • Firewall filtering
      • Distributing the traffic, load balancing
      • Why not use packet classification in IDS
        systems?
    • IDS traffic classification
      • Several lightweight IDSs
      • Security policies and IDS characteristics are
        not used in traffic classification

5
Problems and Goals (2)
  • Goals
    • IDS with traffic classification
      • Distribute the network traffic according to
        the IDS rules
      • Several lightweight IDSs make detection
        efficient
    • Reduce overlap between rules
    • Optimize the search
      • Provide fast classification of packets,
        better than binary search

6
Related works(1)
  • Survey of traffic classification
    • P. Gupta and N. McKeown, "Algorithms for packet
      classification," IEEE Network, vol. 15, no. 2,
      pp. 24-32, 2001.
    • Basic data structures: linked list (by priority
      of rules), binary tries.
    • Hierarchical trie and set-pruning trie
      algorithms
    • Geometric: geometric search, e.g. Geometric
      Efficient Matching, the grid of tries
    • Heuristic: tuple space, Woo's approach
    • Hardware: implemented directly on fast hardware
      devices, e.g. ternary CAM, bitmap intersection
  • Network applications
    • IP routing, service differentiation, firewall
      filtering, billing, etc.
    • Focused on traffic division and load balancing.

7
Related works(2)
  • Traffic classification research on IDS
    • C. Kruegel, F. Valeur, G. Vigna, and R. Kemmerer,
      "Stateful Intrusion Detection for High-Speed
      Networks," in Proceedings of the IEEE Symposium
      on Research on Security and Privacy, Oakland, CA:
      IEEE Press, May 2002.
      • Splits the traffic by the scenarios active on
        each IDS or by destination address ranges.
    • I. Charitakis, K. Anagnostakis, and E. Markatos,
      "An active traffic splitter architecture for
      intrusion detection," in Proceedings of the 11th
      IEEE/ACM International Symposium on Modeling,
      Analysis and Simulation of Computer and
      Telecommunication Systems (MASCOTS 2003),
      Orlando, October 2003, pp. 238-241.
      • Pre-filtering by packet-header detection rules.
      • Hashes some fields of the IP header to classify
        the traffic.
    • Top Layer: commercial solutions
      • Flow-based detection: all packets of a flow are
        analyzed by the same IDS
      • The classification policy is not derived from
        the IDS rules.

8
What did they do?
  • IDS rule-based classifier
  • The optimized search algorithm

[Figure: architecture. Packets enter a classifier built
from the IDS rules (a port-based stage followed by an
address-based stage, drawn as a graph of I, C, M and F
nodes) and are dispatched to the lightweight IDS1, IDS2
and IDS3, which produce the detection result.]

9
Basic Knowledge
  • Traffic classification rule
  • Rules overlap
    • Because rules use ranges of IP addresses or
      ports, many rules overlap with others.

10
Algorithm(1)
  • Define a new classification algorithm which can
    reduce the overlap between the rules.
  • The first step is to construct the sets of
    candidate rules with the same ranges of source
    and destination ports.
  • The second phase builds a directed graph for each
    group.

11
Classification with the port criteria
  • Examine the source and the destination ports to
    initiate the classification process.
  • At the end of this phase, we obtain several
    groups of rules.

12
Classification with the Address criteria(1)
13
Classification with the Address criteria(2)
Legend. Edge types: complete byte (e.g. 193, 54),
partial byte (e.g. 48/5, 111/1), e (void). Node types:
I initial node, C next edge is a complete byte, M next
edge is a partial byte, F final node (points to an IDS).

[Figure: example detection graph. Node labels visible in
the figure: I (1,0), C (2,0), C (2,1), M (2,2), C (3,0)
to C (3,3); edge labels: 193, 54, 3, 7, 25, 5, 48/5,
111/1 and e; final nodes F point to IDS1 and IDS2.]

14
Pseudo-code for Algorithm(1)
15
Algorithm(2)
  • Propose an efficient method to classify the
    packets by the detection graph
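The two phases described on slides 10, 11, 13 and 15, as an added worked example in Python (not code from the paper or from the presenter). Phase 1 groups the rules by their source/destination port ranges; phase 2 builds, for each group, a directed graph over the destination-address bytes with complete-byte edges (193, 54 in the figure), partial-byte edges (48/5: value 48 over the top 5 bits) and final nodes that point to an IDS; `classify` then walks a packet through the graph of the group its ports select. The `Rule` layout, the node encoding, the "dispatch to every matching IDS" policy and the sample rule set are assumptions constructed here.

```python
"""Two-phase classifier: port groups, then a per-group address-byte graph.
Added example, not the paper's code; Rule layout, node encoding and the
sample rule set are assumptions made here."""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    sport: tuple      # inclusive (low, high) source-port range
    dport: tuple      # inclusive (low, high) destination-port range
    dst_prefix: str   # destination address prefix, e.g. "193.54.48.0/21"
    ids: str          # lightweight IDS that owns this rule


@dataclass
class Node:
    """Graph node; kind follows the slide legend (root plays the I node)."""
    complete: dict = field(default_factory=dict)  # byte -> Node (complete-byte edge)
    partial: list = field(default_factory=list)   # (value, nbits, Node) (partial edge)
    finals: list = field(default_factory=list)    # IDSs reached once the prefix is consumed

    @property
    def kind(self):
        if self.partial:
            return "M"        # next edge is a partial byte
        if self.complete:
            return "C"        # next edge is a complete byte
        return "F"            # final node


def group_by_ports(rules):
    """Phase 1: candidate-rule sets sharing the same port ranges."""
    groups = {}
    for r in rules:
        groups.setdefault((r.sport, r.dport), []).append(r)
    return groups


def build_address_graph(rules):
    """Phase 2: whole prefix bytes become complete-byte edges; a trailing
    run of fewer than 8 bits becomes one partial-byte edge (value/nbits)."""
    root = Node()
    for r in rules:
        net = ipaddress.ip_network(r.dst_prefix, strict=False)
        node, remaining = root, net.prefixlen
        for b in net.network_address.packed:
            if remaining >= 8:
                node = node.complete.setdefault(b, Node())
                remaining -= 8
            elif remaining > 0:
                mask = (0xFF << (8 - remaining)) & 0xFF
                key = (b & mask, remaining)
                for val, nbits, child in node.partial:
                    if (val, nbits) == key:
                        node = child
                        break
                else:
                    child = Node()
                    node.partial.append((*key, child))
                    node = child
                remaining = 0
            else:
                break
        node.finals.append(r.ids)   # prefix consumed: the 'e' edge to a final node
    return root


def build_classifier(rules):
    return {k: build_address_graph(rs) for k, rs in group_by_ports(rules).items()}


def classify(classifier, sport, dport, dst_ip):
    """Sorted IDS names whose rules match the packet; overlaps yield several."""
    octets = ipaddress.ip_address(dst_ip).packed
    hits = set()
    for ((slo, shi), (dlo, dhi)), root in classifier.items():
        if not (slo <= sport <= shi and dlo <= dport <= dhi):
            continue                # port criterion rejects the whole group
        frontier = [root]
        for b in octets:
            nxt = []
            for node in frontier:
                hits.update(node.finals)
                if b in node.complete:
                    nxt.append(node.complete[b])
                for val, nbits, child in node.partial:
                    if (b & ((0xFF << (8 - nbits)) & 0xFF)) == val:
                        nxt.append(child)
            frontier = nxt
        for node in frontier:       # /32 rules consume all four bytes
            hits.update(node.finals)
    return sorted(hits)


# Constructed sample rules: the /21 lies inside the /17, so they overlap (slide 9).
RULES = [
    Rule("web-cluster", (1024, 65535), (80, 80), "193.54.48.0/21", "IDS1"),
    Rule("web-campus", (1024, 65535), (80, 80), "193.54.0.0/17", "IDS2"),
    Rule("smtp-any", (1024, 65535), (25, 25), "0.0.0.0/0", "IDS3"),
]

if __name__ == "__main__":
    clf = build_classifier(RULES)
    for pkt in [(40000, 80, "193.54.50.1"), (40000, 80, "193.54.200.5"),
                (5000, 25, "10.0.0.1"), (40000, 22, "193.54.50.1")]:
        print(pkt, "->", classify(clf, *pkt))
```

A packet for 193.54.50.1:80 follows the complete-byte edges 193 and 54 and then both partial edges (48/5 and 0/1), so it is dispatched to IDS1 and IDS2: the overlap is resolved by the graph walk rather than by scanning every rule, and the port check discards the whole SMTP group in one comparison.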

16
The Result(1)
  • Traffic used to measure performance
    • Produced by the MIT Lincoln Lab for IDS
      evaluation.
    • tcpreplay is used to replay the traffic at
      different rates
  • Several IDSs (Snort 2.0)

17
The Results(2)
  • Rate_network is defined as the network traffic
    speed.
  • Rate_classifier is defined as the amount of
    traffic handled by the classifier.

18
The Results(3)
  • The amount of memory consumed by the classifier
  • Calculating the number of active nodes

19
Future work
  • To manage the IDS activities
  • To detect overloaded IDSs
  • To dynamically balance the traffic across
    equivalent IDSs
  • Dynamic updating of the classification graph

20
My thoughts on their work

[Figure: the presenter's proposed variant of the
architecture. Packets first pass a port-based
classifier, then a classifier built from the IDS rules
whose final nodes F map rule 1 to IDS1, rule 2 to IDS2,
..., rule n to IDS m, in front of the lightweight IDSs
that produce the detection result.]

  • Good approach, but lacks explanation.
  • English writing is important to researchers.

21
QnA