Stateful Intrusion Detection for High Speed Networks

1
Stateful Intrusion Detection for High Speed
Networks

• Christopher Kruegel Fredrick Valeur
• Giovanni Vigna Richard Kemmerer
• Reliable Software Group
• University of California, Santa Barbara

2
Overview

• Introduction
• Related Work
• A Slicing Approach for H-S ID
• Evaluation
• Conclusion and future work

3
Introduction

• Problem Statement
• Current IDS are not able to detect attacks on
  High Speed (Gigabit) networks
• Why?
• Sensor Speed
• Architectural Limitations

4
What is High Speed?

• Scorpio Stinger IDS
• STINGER IDS meets the challenges of watching
  over a modern network by providing one or more
  high speed sensors
• Integrated Intel Pro 10/100 Ethernet card (!!!)
• Symantec Manhunt
• Gigabit Detection
• Intruvert IntrShield 2600
• 2.2 GB/sec

5
IDS Introduction

• Host Based
• Network Based
• Log Based
• Target Based

6
Related Work

• Distributed Sensors
• CSD _at_ USC 20 snort machines
• Therminator Anomaly based NIDS
• NetICE Gigabit Sentry
• gt300 Mbps
• 500,000 packets/second
• TopLayer Networks Switch
• High Performance NIDS R. Sekar et al
• 500 Mbps (Offline Traffic)

7
Introduction to Slicing Approach

• Sensors
• Misuse detection e.g. snort
• Distributed, Autonomous
• Slicer
• TN T1 T2 .Tn
• Maintains attack scenarios

8
System Architecture
9
System Architecture

• Tap
• Extract link layer frames (F)
• Scatterer
• Partitions F Fj 0 lt j lt m
• Traffic Slicers S0.Sm-1
• Route Frames to Sensors Frame Routing
• Switch
• Forwards packets to channels
• Channel Stream Reassembler Multiple IDS

10
System Architecture

• Stream Reassemblers R0.Rn-1
• Prevents Out of Order packets (OOO)
• (fj, fk ? FCi) and (fj before fk) then j lt k
• Intrusion Detection Sensors I0.Ip-1
• Access all packets on channel
• Multiple attack scenario ( Aj Aj0..Ajq-1
• Attack scenario has Event Space ES

11
Event Space

• Defines policy for slicers to select channel
• Ejk cjk0 V cjk1 V .cjkn
• cjkxRy
• x value from fi
• R arithmetic relation ( , !, lt)
• y constant, value of variable

12
Frame Routing

• Splicer filter based on active ES in a channel
• Static Configuration Prone to Overloads
• Dynamic Load Balancing Reassign ES or subset of
  ES
• Example Destination Attribute

13
Evaluation

• Initial Setup
• slicer3, reassembler4,sensor1 per stream
• Scatterer
• Intel Xeon 1.7 Ghz, 512 MB RAM, 3Com 996-T, Linux
  2.4.2
• Kernel Module, Layer 2 Bridge
• Inserts Sequence number to source MAC address

14
Evaluation

• Traffic Slicer
• Intel Pentium 4 1.5 Ghz, 256 MB RAM, 3Com 905C-TX
  (Promiscuous Mode)
• Data Portion matched against clauses
• Redundant packets generated
• Insert Channel Number in Destination MAC Address
• Test Setup
• Internal and External
• Internal 4 Class C address groups

15
Evaluation

• Framerouting
• Cisco Catalyst 3500XL
• Static associations (Channel Number Port)
• Reassembler
• Timeout Value (500 ms)
• No retransmissions

16
Evaluation

• Snort Sensor
• Traffic - MIT Lincoln Labs
• Traffic Injection tcpreplay

17
Snort Performance

• Snort on tcpdump traffic log
• Ruleset 961 rules
• 11,213 detections in 10 seconds
• Throughput (offline) 261 Mbps

18
Snort Performance vs Traffic Rate

• Snort is run on Scatterer
• Ruleset 18 signatures
• Packetloss at traffic rate of 150 Mbps
• Snorts Saturation point

19
Snort Performance vs Traffic Rate
20
Snort Perfomance Vs No. of Signatures

• Traffic rate 100 Mbps
• Ruleset
• Initial value 18 signatures
• Increase number of signatures

21
Snort Perfomance Vs No. of Signatures
22
Snort Performance in Proposed Architecture
23
Snort Performance in Proposed Architecture
24
Conclusion and Future Work

• Experimentation in Real World Environment
• Evaluate the trade-offs
• Dynamic Load Balancing
• Hierarchically structured Scatterers/Slicers