Topics in Advanced Network Security 1: Stateful Intrusion Detection for High Speed Networks. Christopher Kruegel, Fredrik Valeur, Giovanni Vigna, Richard Kemmerer.

Presentation transcript:

Topics in Advanced Network Security 1: Stateful Intrusion Detection for High Speed Networks
Christopher Kruegel, Fredrik Valeur, Giovanni Vigna, Richard Kemmerer
Reliable Software Group, University of California, Santa Barbara

Topics in Advanced Network Security 2: Overview
Introduction
Related Work
A Slicing Approach for High-Speed Intrusion Detection
Evaluation
Conclusion and Future Work

Topics in Advanced Network Security 3: Introduction
Problem Statement
–Current IDS are not able to detect attacks on High Speed (Gigabit) networks
Why?
–Sensor Speed
–Architectural Limitations

Topics in Advanced Network Security 4: What is High Speed?
Scorpio – Stinger IDS
–"STINGER IDS meets the challenges of watching over a modern network by providing one or more high speed sensors"
–Integrated Intel Pro 10/100 Ethernet card (!!!)
Symantec ManHunt
–Gigabit Detection
IntruVert IntruShield 2600
–2.2 GB/sec

Topics in Advanced Network Security 5: IDS Introduction
Host Based
Network Based
Log Based
Target Based

Topics in Advanced Network Security 6: Related Work
Distributed Sensors
–USC: 20 snort machines
–Therminator: anomaly based NIDS
NetICE Gigabit Sentry
–>300 Mbps
–500,000 packets/second
TopLayer Networks – Switch
High Performance NIDS – R. Sekar et al.
–500 Mbps (offline traffic)

Topics in Advanced Network Security 7: Introduction to Slicing Approach
Sensors
–Misuse detection, e.g. snort
–Distributed, autonomous
Slicer
–Aggregate throughput is the sum of the sensor throughputs: T_N = T_1 + T_2 + … + T_n
–Maintains attack scenarios

Topics in Advanced Network Security 8: System Architecture (figure)

Topics in Advanced Network Security 9: System Architecture
Tap
–Extracts link layer frames (F)
Scatterer
–Partitions F into subsets F_j (0 < j < m), one per slicer
Traffic Slicers S_0 … S_m-1
–Route frames to sensors: Frame Routing
Switch
–Forwards packets to channels
–Channel = Stream Reassembler + multiple IDS

Topics in Advanced Network Security 10: System Architecture
Stream Reassemblers R_0 … R_n-1
–Prevent out-of-order packets (OOO)
–If (f_j, f_k ∈ FC_i) and (f_j before f_k) then j < k
Intrusion Detection Sensors I_0 … I_p-1
–Access all packets on the channel
–Multiple attack scenarios: A_j = {A_j0 … A_jq-1}
–Each attack scenario has an Event Space [ES]

Topics in Advanced Network Security 11: Event Space
Defines the policy by which slicers select a channel
E_jk = c_jk0 ∨ c_jk1 ∨ … ∨ c_jkn
c_jk = x R y
–x: value taken from frame f_i
–R: arithmetic relation (=, !=, <)
–y: constant, or the value of a variable

Topics in Advanced Network Security 12: Frame Routing
Slicer filter based on the active ES in a channel
Static Configuration – prone to overloads
Dynamic Load Balancing – reassign an ES, or a subset of an ES, to another channel
Example: Destination Attribute
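The scatter / slice / route pipeline of slides 9 to 12, as an added example that is not the paper's or the presenters' code. The scatterer numbers frames and spreads them over the slicers; each slicer evaluates every channel's event space (a disjunction of x R y clauses) against each frame and forwards the frame to every channel whose event space matches, duplicating it where several match. The attribute names, the operator set beyond the three relations listed on slide 11, the channels and the sample frames are constructed assumptions.

```python
"""Toy model of the slicing approach for stateful high-speed intrusion
detection (added example, not the paper's code). Attribute names, extra
relations and sample data are constructed."""
import operator
from dataclasses import dataclass, field

# Arithmetic relations R allowed in a clause c = x R y. Slide 11 lists
# =, != and <; the remaining comparisons are an assumption for completeness.
RELATIONS = {
    "=": operator.eq, "!=": operator.ne, "<": operator.lt,
    "<=": operator.le, ">": operator.gt, ">=": operator.ge,
}

@dataclass(frozen=True)
class Clause:
    attr: str      # x: a value taken from the frame, e.g. "dst_ip"
    rel: str       # R: key into RELATIONS
    value: object  # y: constant (or the value of a scenario variable)

    def matches(self, frame):
        # An attribute absent from the frame can never satisfy the clause.
        if self.attr not in frame:
            return False
        return RELATIONS[self.rel](frame[self.attr], self.value)

@dataclass
class Channel:
    number: int
    # Event space E_jk: a disjunction of clauses; one true clause suffices.
    event_space: list = field(default_factory=list)

    def accepts(self, frame):
        return any(c.matches(frame) for c in self.event_space)

class Scatterer:
    """Attaches a monotonically increasing sequence number and hands frames
    to the slicers round-robin, i.e. a stateless partition of F into F_j."""
    def __init__(self, n_slicers):
        self.n_slicers = n_slicers
        self.seq = 0
        self.partitions = [[] for _ in range(n_slicers)]

    def scatter(self, frames):
        for frame in frames:
            tagged = dict(frame, seq=self.seq)
            self.partitions[self.seq % self.n_slicers].append(tagged)
            self.seq += 1
        return self.partitions

def slice_frames(partition, channels):
    """One slicer: route each frame of its partition to every channel whose
    event space matches. A frame matching several channels is duplicated
    (the "redundant packets" of slide 14). Returns {channel_number: [frames]}."""
    routed = {ch.number: [] for ch in channels}
    for frame in partition:
        for ch in channels:
            if ch.accepts(frame):
                routed[ch.number].append(frame)
    return routed

def run_pipeline(frames, channels, n_slicers=3):
    """Scatter, slice on every slicer, and merge the per-channel outputs."""
    per_channel = {ch.number: [] for ch in channels}
    for partition in Scatterer(n_slicers).scatter(frames):
        for number, out in slice_frames(partition, channels).items():
            per_channel[number].extend(out)
    # Restore global order by sequence number so the result is deterministic.
    for out in per_channel.values():
        out.sort(key=lambda f: f["seq"])
    return per_channel

# Constructed sample: channel 0 is keyed on a destination attribute (slide 12),
# one class C network plus all HTTP traffic; channel 1 takes DNS and anything
# aimed at a single host.
CHANNELS = [
    Channel(0, [Clause("dst_net", "=", "10.0.1.0/24"), Clause("dst_port", "=", 80)]),
    Channel(1, [Clause("dst_port", "=", 53), Clause("dst_ip", "=", "10.0.2.7")]),
]

SAMPLE_FRAMES = [  # constructed link-layer frames, already decoded to attributes
    {"src_ip": "192.0.2.1", "dst_ip": "10.0.1.5", "dst_net": "10.0.1.0/24", "dst_port": 80},
    {"src_ip": "192.0.2.2", "dst_ip": "10.0.2.7", "dst_net": "10.0.2.0/24", "dst_port": 22},
    {"src_ip": "192.0.2.3", "dst_ip": "10.0.2.9", "dst_net": "10.0.2.0/24", "dst_port": 53},
    {"src_ip": "192.0.2.4", "dst_ip": "10.0.3.1", "dst_net": "10.0.3.0/24", "dst_port": 443},
    {"src_ip": "192.0.2.5", "dst_ip": "10.0.2.7", "dst_net": "10.0.2.0/24", "dst_port": 80},
]

if __name__ == "__main__":
    for number, frames in run_pipeline(SAMPLE_FRAMES, CHANNELS).items():
        print("channel", number, "gets sequence numbers", [f["seq"] for f in frames])
```

Frame 4 (port 80 to 10.0.2.7) is delivered to both channels and frame 3 to none, which is exactly the trade-off the dynamic load balancing on slide 12 has to manage: moving a clause from one channel's event space to another changes which sensors see which frames.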

Topics in Advanced Network Security 13: Evaluation
Initial Setup
–slicer = 3, reassembler = 4, sensor = 1 per stream
Scatterer
–Intel Xeon 1.7 GHz, 512 MB RAM, 3Com 996-T, Linux
–Kernel module, layer 2 bridge
–Inserts a sequence number into the source MAC address

Topics in Advanced Network Security 14: Evaluation
Traffic Slicer
–Intel Pentium Ghz, 256 MB RAM, 3Com 905C-TX (promiscuous mode)
–Data portion matched against clauses
–Redundant packets generated
–Inserts the channel number into the destination MAC address
Test Setup
–Internal and External
–Internal: 4 Class C address groups

Topics in Advanced Network Security 15: Evaluation
Frame Routing
–Cisco Catalyst 3500XL
–Static associations (channel number: port)
Reassembler
–Timeout value (500 ms)
–No retransmissions
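The tagging and reassembly steps of slides 13 to 15, as an added example that is not the paper's or the presenters' code: a sequence number is packed into the source MAC address, a channel number into the destination MAC address, and a per-channel reassembler releases frames strictly in sequence order, giving up on a missing frame after the 500 ms timeout because a passive tap cannot ask for a retransmission. The exact MAC layout, the timeout rule (measured from the arrival of the first later frame) and the sample arrivals are constructed assumptions.

```python
"""Sequence/channel tagging in MAC addresses and a timeout-based stream
reassembler (added example, not the paper's code). MAC layout, timeout
policy and sample data are constructed."""
import heapq
import itertools

TIMEOUT_MS = 500  # slide 15: reassembler timeout value

def encode_seq_mac(seq):
    """Pack a 48-bit sequence number into a MAC address string (assumed layout)."""
    assert 0 <= seq < 1 << 48
    return ":".join(f"{b:02x}" for b in seq.to_bytes(6, "big"))

def decode_seq_mac(mac):
    return int.from_bytes(bytes.fromhex(mac.replace(":", "")), "big")

def encode_channel_mac(channel):
    """Channel number in the low five bytes of the destination MAC. The first
    octet carries the locally administered bit (0x02) so the address cannot
    collide with a vendor-assigned one (assumed layout)."""
    assert 0 <= channel < 1 << 40
    return ":".join(f"{b:02x}" for b in bytes([0x02]) + channel.to_bytes(5, "big"))

def decode_channel_mac(mac):
    return int.from_bytes(bytes.fromhex(mac.replace(":", ""))[1:], "big")

class Reassembler:
    """Releases frames in sequence order. If the next expected frame has not
    arrived within TIMEOUT_MS of the moment a later frame was first buffered,
    the gap is declared lost and skipped: there are no retransmissions."""
    def __init__(self, first_seq=0):
        self.expected = first_seq
        self.pending = []            # min-heap of (seq, arrival_ms, tiebreak, frame)
        self._tiebreak = itertools.count()
        self.released = []
        self.skipped = []

    def push(self, frame, now_ms):
        seq = decode_seq_mac(frame["src_mac"])
        if seq < self.expected:
            return                    # duplicate or already given up on: drop
        heapq.heappush(self.pending, (seq, now_ms, next(self._tiebreak), frame))
        self._drain(now_ms)

    def tick(self, now_ms):
        """Called periodically so a gap is released even when no frame arrives."""
        self._drain(now_ms)

    def _drain(self, now_ms):
        while self.pending:
            seq, arrived, _, frame = self.pending[0]
            if seq < self.expected:   # duplicate that was buffered before release
                heapq.heappop(self.pending)
            elif seq == self.expected:
                heapq.heappop(self.pending)
                self.released.append(frame)
                self.expected += 1
            elif now_ms - arrived >= TIMEOUT_MS:
                self.skipped.extend(range(self.expected, seq))  # frames lost
                self.expected = seq
            else:
                break                 # still waiting for the gap to fill

def make_frame(seq, channel, payload=b""):
    """Constructed frame as it would leave a slicer: both MACs rewritten."""
    return {"src_mac": encode_seq_mac(seq),
            "dst_mac": encode_channel_mac(channel),
            "payload": payload}

def simulate(arrivals, final_ms, channel=1):
    """arrivals: list of (arrival_ms, seq). Returns (released seqs, skipped seqs)."""
    r = Reassembler()
    for at, seq in sorted(arrivals):
        r.push(make_frame(seq, channel), at)
    r.tick(final_ms)
    return [decode_seq_mac(f["src_mac"]) for f in r.released], r.skipped

if __name__ == "__main__":
    # Constructed arrival pattern: frame 2 is lost; 3 and 4 wait until the
    # timeout expires, then the reassembler moves on without it.
    print(simulate([(0, 0), (10, 1), (20, 3), (30, 4)], final_ms=600))
```

Because the decision to skip is driven by the arrival time of the first frame after the gap, a late frame that turns up inside the window is still released in order, while a frame that arrives after its sequence number has been skipped is dropped rather than delivered out of order, which is the property slide 10 states for the reassemblers.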

Topics in Advanced Network Security 16: Evaluation
Snort Sensor
Traffic – MIT Lincoln Labs
Traffic Injection – tcpreplay

Topics in Advanced Network Security 17: Snort Performance
Snort on tcpdump traffic log
Ruleset = 961 rules
11,213 detections in 10 seconds
Throughput (offline) = 261 Mbps

Topics in Advanced Network Security 18: Snort Performance vs Traffic Rate
Snort is run on the Scatterer
Ruleset = 18 signatures
Packet loss at a traffic rate of 150 Mbps: Snort's saturation point

Topics in Advanced Network Security 19: Snort Performance vs Traffic Rate (figure)

Topics in Advanced Network Security 20: Snort Performance vs No. of Signatures
Traffic rate = 100 Mbps
Ruleset
–Initial value = 18 signatures
–Increase the number of signatures

Topics in Advanced Network Security 21: Snort Performance vs No. of Signatures (figure)

Topics in Advanced Network Security 22: Snort Performance in Proposed Architecture (figure)

Topics in Advanced Network Security 23: Snort Performance in Proposed Architecture (figure)

Topics in Advanced Network Security 24: Conclusion and Future Work
Experimentation in a real-world environment
Evaluate the trade-offs
Dynamic Load Balancing
Hierarchically structured Scatterers/Slicers