Stateful Intrusion Detection for High Speed Networks - PowerPoint PPT Presentation

Description: Topics in Advanced Network Security. 1. Stateful Intrusion Detection for ... Christopher Kruegel Fredrick Valeur. Giovanni Vigna Richard Kemmerer ... Scorpio ...

Slides: 25
Provided by: siri77
Learn more at: https://www.cse.sc.edu

Transcript and Presenter's Notes

1
Stateful Intrusion Detection for High Speed Networks
  • Christopher Kruegel Fredrick Valeur
  • Giovanni Vigna Richard Kemmerer
  • Reliable Software Group
  • University of California, Santa Barbara

2
Overview
  • Introduction
  • Related Work
  • A Slicing Approach for H-S ID
  • Evaluation
  • Conclusion and future work

3
Introduction
  • Problem Statement
    • Current IDS are not able to detect attacks on High Speed (Gigabit) networks
  • Why?
    • Sensor Speed
    • Architectural Limitations

4
What is High Speed?
  • Scorpio Stinger IDS
    • "STINGER IDS meets the challenges of watching over a modern network by providing one or more high speed sensors"
    • Integrated Intel Pro 10/100 Ethernet card (!!!)
  • Symantec ManHunt
    • Gigabit Detection
  • IntruVert IntruShield 2600
    • 2.2 GB/sec

5
IDS Introduction
  • Host Based
  • Network Based
  • Log Based
  • Target Based

6
Related Work
  • Distributed Sensors
    • CSD @ USC: 20 snort machines
  • Therminator: Anomaly based NIDS
  • NetICE Gigabit Sentry
    • > 300 Mbps
    • 500,000 packets/second
  • TopLayer Networks Switch
  • High Performance NIDS, R. Sekar et al.
    • 500 Mbps (Offline Traffic)

7
Introduction to Slicing Approach
  • Sensors
    • Misuse detection, e.g. snort
    • Distributed, Autonomous
  • Slicer
    • T → T1, T2, ..., Tn
    • Maintains attack scenarios

8
System Architecture
9
System Architecture
  • Tap
    • Extracts link layer frames (F)
  • Scatterer
    • Partitions F into Fj, 0 ≤ j < m
  • Traffic Slicers S0 ... Sm-1
    • Route frames to sensors (Frame Routing)
  • Switch
    • Forwards packets to channels
  • Channel = Stream Reassembler + Multiple IDS

10
System Architecture
  • Stream Reassemblers R0 ... Rn-1
    • Prevent Out of Order packets (OOO)
    • If (fj, fk ∈ FCi) and (fj before fk) then j < k
  • Intrusion Detection Sensors I0 ... Ip-1
    • Access all packets on the channel
    • Multiple attack scenarios: Aj = (Aj0 ... Ajq-1)
    • Each attack scenario has an Event Space (ES)

11
Event Space
  • Defines the policy slicers use to select a channel
  • Ejk = cjk0 ∨ cjk1 ∨ ... ∨ cjkn
  • cjk: x R y
    • x: value taken from frame fi
    • R: arithmetic relation (=, ≠, <)
    • y: constant, or value of a variable

12
Frame Routing
  • Slicer filter based on the active ES in a channel
  • Static Configuration: prone to overloads
  • Dynamic Load Balancing: reassign an ES, or a subset of an ES, to another channel
  • Example: Destination Attribute
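A toy model of the pipeline on slides 9 to 12, with the reassembler timeout from slide 15. This is an added example, not code from the paper or the slides: the event spaces, the frame attributes, the sample frames and the timeout release policy are all constructed here. Each channel's event space is a disjunction of clauses x R y over the relations slide 11 lists; a slicer copies a frame to every channel whose event space matches; the reassembler restores sequence order. Because the scatterer numbers every frame but a channel only sees a subset, a reassembler cannot tell a frame routed elsewhere from a late one, so this model holds each frame for at most the timeout and then releases it with everything of lower sequence number; a frame that still arrives after that is passed on but reported as late, since there are no retransmissions.

```python
"""Toy model of the slicing architecture (slides 9-12) and the reassembler
timeout (slide 15).  Added example; all names, frames and policies are constructed."""
from collections import defaultdict
import operator

# The arithmetic relations slide 11 lists for a clause x R y.
RELATIONS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt}

# Constructed event spaces, one per channel: clauses (x, R, y) joined by OR,
# as in Ejk = cjk0 v cjk1 v ... v cjkn.
EVENT_SPACES = {
    0: [("dst_port", "=", 80)],                                # web-server scenario
    1: [("dst_ip", "=", "10.0.1.7"), ("proto", "=", "icmp")],  # host-probe scenario
    2: [("src_port", "<", 1024)],                              # privileged-source scenario
}

# Constructed frames.  "seq" is the number the scatterer stamps at the tap, in
# arrival order; "arrival_ms" is when each copy reaches its reassembler, and is
# deliberately not in sequence order.
FRAMES = [
    {"seq": 1, "arrival_ms": 100, "proto": "icmp", "src_port": 0, "dst_ip": "10.0.1.7", "dst_port": 0},
    {"seq": 2, "arrival_ms": 80, "proto": "tcp", "src_port": 40002, "dst_ip": "10.0.1.7", "dst_port": 80},
    {"seq": 3, "arrival_ms": 20, "proto": "tcp", "src_port": 40001, "dst_ip": "10.0.0.5", "dst_port": 80},
    {"seq": 4, "arrival_ms": 40, "proto": "udp", "src_port": 53, "dst_ip": "10.0.0.9", "dst_port": 33000},
]


def clause_matches(clause, frame):
    """Evaluate one clause x R y against the attributes extracted from a frame."""
    x, rel, y = clause
    return x in frame and RELATIONS[rel](frame[x], y)


def event_space_matches(event_space, frame):
    """An event space is a disjunction: the frame belongs if any clause holds."""
    return any(clause_matches(c, frame) for c in event_space)


def slicer_route(frame, event_spaces):
    """Frame routing: channels whose active event space matches the frame.
    A frame matching several scenarios is copied to each (slide 14's redundant packets)."""
    return {ch for ch, es in event_spaces.items() if event_space_matches(es, frame)}


def reassemble(channel_frames, timeout_ms=500):
    """Reassembler for one channel.  Returns (frames in delivery order, late seqs).
    Release policy (this example's assumption): a frame held for timeout_ms is
    released together with every buffered frame of lower sequence number."""
    delivered, late = [], []
    buffered = {}            # seq -> (arrival_ms, frame)
    last_seq = -1

    def release(now):
        nonlocal last_seq
        expired = [s for s, (t, _) in buffered.items() if now - t >= timeout_ms]
        if not expired:
            return
        limit = max(expired)
        for seq in sorted(s for s in buffered if s <= limit):
            _, frame = buffered.pop(seq)
            if seq < last_seq:           # arrived after a higher seq was released
                late.append(seq)
            last_seq = max(last_seq, seq)
            delivered.append(frame)

    for frame in sorted(channel_frames, key=lambda f: f["arrival_ms"]):
        buffered[frame["seq"]] = (frame["arrival_ms"], frame)
        release(frame["arrival_ms"])
    release(float("inf"))                # end of capture: flush what is left, in order
    return delivered, late


def run_pipeline(frames, event_spaces, timeout_ms=500):
    """Slicers copy frames to channels; each channel's reassembler orders them.
    Returns {channel: [seq, ...]} in delivery order."""
    channels = defaultdict(list)
    for frame in frames:
        for ch in slicer_route(frame, event_spaces):
            channels[ch].append(frame)
    return {ch: [f["seq"] for f in reassemble(fs, timeout_ms)[0]]
            for ch, fs in sorted(channels.items())}


def copies_generated(frames, event_spaces):
    """Total frame copies the slicers emit; more than len(frames) means redundancy."""
    return sum(len(slicer_route(f, event_spaces)) for f in frames)


# Constructed channel where seq 1 shows up long after higher numbers were released.
LATE_CHANNEL = [{"seq": s, "arrival_ms": t}
                for s, t in [(5, 0), (2, 100), (9, 300), (3, 700), (1, 1300)]]


def late_frame_demo(timeout_ms=500):
    delivered, late = reassemble(LATE_CHANNEL, timeout_ms)
    return [f["seq"] for f in delivered], late


if __name__ == "__main__":
    print(run_pipeline(FRAMES, EVENT_SPACES))      # {0: [2, 3], 1: [1, 2], 2: [1, 4]}
    print(copies_generated(FRAMES, EVENT_SPACES))  # 6 copies for 4 frames
    print(late_frame_demo())                       # ([2, 3, 5, 1, 9], [1])
```

The pipeline run shows both effects the slides name: frame 1 matches two scenarios and is copied to channels 1 and 2 (six copies for four frames), and every channel delivers its frames in sequence order even though they reached the reassembler out of order. The late-frame demo shows the failure mode a fixed timeout leaves open: once the 500 ms hold on seq 5 expires, seq 1 arriving afterwards can no longer be placed before it.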

13
Evaluation
  • Initial Setup
    • Slicers: 3, reassemblers: 4, sensors: 1 per stream
  • Scatterer
    • Intel Xeon 1.7 GHz, 512 MB RAM, 3Com 996-T, Linux 2.4.2
    • Kernel module, Layer 2 bridge
    • Inserts a sequence number into the source MAC address

14
Evaluation
  • Traffic Slicer
    • Intel Pentium 4 1.5 GHz, 256 MB RAM, 3Com 905C-TX (promiscuous mode)
    • Data portion matched against clauses
    • Redundant packets generated
    • Inserts the channel number into the destination MAC address
  • Test Setup
    • Internal and External
    • Internal: 4 Class C address groups

15
Evaluation
  • Frame Routing
    • Cisco Catalyst 3500XL
    • Static associations (Channel Number → Port)
  • Reassembler
    • Timeout value (500 ms)
    • No retransmissions
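The frame tagging that slides 13 to 15 describe, as an added example that is not the project's code: the scatterer writes its sequence number into the source MAC field, the slicer writes the channel number into the destination MAC field, and the switch forwards on that destination through a static channel-to-port association. Treating each 6-byte MAC field as a big-endian integer, the size limits, and the port table are this example's assumptions; the slides do not give the exact encoding.

```python
"""Tag an Ethernet II frame the way slides 13-15 describe.  Added example;
the field encoding and the port table are constructed assumptions."""
import struct

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType (network byte order)
MAC_BITS = 48
UNICAST_LIMIT = 1 << 40             # keeps the first octet zero: I/G and U/L bits clear


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet II frame from constructed parts."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    return ETH_HDR.pack(dst_mac, src_mac, ethertype) + payload


def scatterer_tag(frame: bytes, seq: int) -> bytes:
    """Scatterer (slide 13): replace the source MAC with a 48-bit sequence number."""
    if not 0 <= seq < (1 << MAC_BITS):
        raise ValueError("sequence number does not fit in a 48-bit field")
    dst, _src, etype = ETH_HDR.unpack_from(frame)
    return ETH_HDR.pack(dst, seq.to_bytes(6, "big"), etype) + frame[ETH_HDR.size:]


def slicer_tag(frame: bytes, channel: int) -> bytes:
    """Slicer (slide 14): replace the destination MAC with the channel number.
    Bounding the channel number keeps the address unicast, so the switch can hold
    a static channel -> port entry for it (slide 15)."""
    if not 0 <= channel < UNICAST_LIMIT:
        raise ValueError("channel number must leave the first MAC octet zero")
    _dst, src, etype = ETH_HDR.unpack_from(frame)
    return ETH_HDR.pack(channel.to_bytes(6, "big"), src, etype) + frame[ETH_HDR.size:]


def read_tags(frame: bytes):
    """Reassembler/sensor side: recover (channel, seq, ethertype, payload)."""
    dst, src, etype = ETH_HDR.unpack_from(frame)
    return int.from_bytes(dst, "big"), int.from_bytes(src, "big"), etype, frame[ETH_HDR.size:]


def switch_port(frame: bytes, port_table: dict) -> int:
    """Static forwarding: look the destination-MAC channel up in a channel -> port table."""
    return port_table[read_tags(frame)[0]]


# Constructed inputs.
ORIGINAL = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                       0x0800, b"constructed IP payload")
PORT_TABLE = {0: 1, 1: 2, 2: 3}     # channel number -> switch port (constructed)


def tag_and_recover(seq: int = 1234, channel: int = 2):
    """End to end: tag the constructed frame, then read both tags back."""
    tagged = slicer_tag(scatterer_tag(ORIGINAL, seq), channel)
    channel_out, seq_out, etype, payload = read_tags(tagged)
    return (channel_out, seq_out, etype, payload,
            switch_port(tagged, PORT_TABLE), len(tagged) == len(ORIGINAL))


if __name__ == "__main__":
    print(tag_and_recover())
```

Both tags fit in the existing header, so the frame length is unchanged and nothing after the EtherType is touched, which is what lets an unmodified sensor read the IP payload. The cost is that the original link-layer addresses are gone: any signature or check that keys on source or destination MAC has to run before the scatterer, not behind the slicers.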

16
Evaluation
  • Snort Sensor
  • Traffic: MIT Lincoln Labs
  • Traffic injection: tcpreplay

17
Snort Performance
  • Snort on tcpdump traffic log
  • Ruleset: 961 rules
  • 11,213 detections in 10 seconds
  • Throughput (offline): 261 Mbps

18
Snort Performance vs Traffic Rate
  • Snort is run on the Scatterer
  • Ruleset: 18 signatures
  • Packet loss at a traffic rate of 150 Mbps
    • Snort's saturation point

19
Snort Performance vs Traffic Rate
20
Snort Performance vs No. of Signatures
  • Traffic rate: 100 Mbps
  • Ruleset
    • Initial value: 18 signatures
    • Increase the number of signatures

21
Snort Performance vs No. of Signatures
22
Snort Performance in Proposed Architecture
23
Snort Performance in Proposed Architecture
24
Conclusion and Future Work
  • Experimentation in Real World Environment
  • Evaluate the trade-offs
  • Dynamic Load Balancing
  • Hierarchically structured Scatterers/Slicers