Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hardware based Intrusion Detection

Published byJennifer Henry Modified over 7 years ago

Similar presentations

Presentation on theme: "Hardware based Intrusion Detection"— Presentation transcript:

1 Hardware based Intrusion Detection
HPCA San Francisco, CA

2 What is an Intrusion Detection System?
Defined as the tools, methods, and resources to help identify, assess, and report unauthorized or unapproved network activity. An IDS detects activity in traffic that may or may not be an intrusion. IDSes can detect and deal with insider attacks, as well as, external attacks, and are often very useful in detecting violations of corporate security policy and other internal threats.

3 Host Based Intrusion Detection
Are usually installed on servers and are more focused on analyzing the specific operating systems and applications, resource utilization and other system activity residing on the Host-based IDS host. It will log any activities it discovers to a secure database and check to see whether the events match any malicious event record listed in the knowledge base. Host-based IDS are often critical in detecting internal attacks directed towards an organization’s servers such as DNS, Mail, and Web Servers.

4 Network Based Intrusion Detection
Are dedicated network devices distributed within networks that monitor and inspect network traffic flowing through the device. Instead of analyzing information that originates and resides on a host, Network-based IDS uses packet sniffing techniques to pull data from TCP/IP packets or other protocols that are traveling along the network. Most Network-based IDS log their activities and report or alarm on questionable events. Network-based IDS work best when located on the DMZ, on any subnets containing mission critical servers and just inside the firewall.

5 Comparison Host Based Narrow in scope (watches only specific host activities) More complex setup Better for detecting attacks from the inside More expensive to implement Detection is based on what any single host can record Does not see packet headers Usually only responds after a suspicious log entry has been made OS-specific Detects local attacks before they hit the network Verifies success or failure of attacks Network Based Broad in scope (watches all network activities) Easier setup Better for detecting attacks from the outside Less expensive to implement Detection is based on what can be recorded on the entire network Examines packet headers Near real-time response OS-independent Detects network attacks as payload is analyzed Detects unsuccessful attack attempts

6 Hybrid Intrusion Detection
Are systems that combine both Host-based IDS, which monitors events occurring on the host system and Network-based IDS, which monitors network traffic, functionality on the same security platform. A Hybrid IDS, can monitor system and application events and verify a file system’s integrity like a Host-based IDS, but only serves to analyze network traffic destined for the device itself. A Hybrid IDS is often deployed on an organization’s most critical servers.

7 Honeypots Are decoy servers or systems setup to gather information regarding an attacker of intruder into networks or systems. Appear to run vulnerable services and capture vital information as intruders attempt unauthorized access. Provide you early warning about new attacks and exploitation trends which allow administrators to successfully configure a behavioral based profile and provide correct tuning of network sensors. Can capture all keystrokes and any files that might have been used in the intrusion attempt.

8 Passive Systems Detects a potential security breach
Logs the information Signals an alert on the console Does not take any preventive measures to stop the attack

9 Passive Systems

10 Reactive/Active Systems
Responds to the suspicious activity like a passive IDS by logging, alerting and recording, but offers the additional ability to take action against the offending traffic.

11 Reactive/Active Systems

12 Signature Based IDS Monitor network or server traffic and match bytes or packet sequences against a set of predetermined attack lists or signatures. Should a particular intrusion or attack session match a signature configured on the IDS, the system alerts administrators or takes other pre-configured action. Signatures are easy to develop and understand if you know what network behavior you’re trying to identify. However, because they only detect known attacks, a signature must be created for every attack. New vulnerabilities and exploits will not be detected until administrators develop new signatures. Another drawback to signature-based IDS is that they are very large and it can be hard to keep up with the pace of fast moving network traffic.

13 Anomaly Based IDS Use network traffic baselines to determine a “normal” state for the network and compare current traffic to that baseline. Use a type of statistical calculation to determine whether current traffic deviates from “normal” traffic, which is either learned and/or specified by administrators. If network anomalies occur, the IDS alerts administrators. A new attack for which a signature doesn’t exist can be detected if it falls out of the “normal” traffic patterns. High false alarm rates created by inaccurate profiles of “normal” network operations.

14 Issues False Negatives When an IDS fails to detect an attack
False negatives occur when the pattern of traffic is not identified in the signature database, such as new attack patterns. False negatives are deceptive because you usually have no way of knowing if and when they occurred. You are most likely to identify false negatives when an attack is successful and wasn’t detected by the IDS. False Positives Described as a false alarm. When an IDS mistakenly reports certain “normal” network activity as malicious. Administrators have to fine tune the signatures or heuristics in order to prevent this type of problem.

15 Host based monitoring for malware detection
Really expensive to monitor applications all the time As a result, we sample Applications know, hide Scrubbing attacks Application can detect analysis Hide Want to monitor all the time HPCA San Francisco, CA

16 Malware-Aware Processors: A Framework for Efficient Online Malware Detection
Meltem Ozsoy*, Caleb Donovick*, Iakov Gorelik*, Nael Abu-Ghazaleh** and Dmitry Ponomarev* * Binghamton University, ** University of California, Riverside HPCA San Francisco, CA

17 Malware Growth Anti-virus software OS Level Defenses Execution
Monitoring AV Test Malware Statistics,2014 ( HPCA San Francisco, CA

18 What This Work is All About
Comprehensive execution monitors are too heavy-weight to be always-on Performance loss Low-level indicators were shown to be effective to classify malware Demme et al. (ISCA 2013) proposed offline detection using performance counters Our contribution: online detection in hardware Hardware classifies are not perfect, thus: Two Level Detection Framework: Use hardware-based detector to prioritize the work of heavy-weight software detector HPCA San Francisco, CA

19 Two Level Detection Framework
HPCA San Francisco, CA

20 Malware Detection Static Analysis Limitations of Static Analysis
Study program without execution Signature generation with byte/instruction sequences Using source code, CFG generation Limitations of Static Analysis Requires source code, disassembly Metamorphic malware (Self Modifying Code) Polymorphic (encrypted) malware Non-deterministic inputs can change program flow HPCA San Francisco, CA

21 Malware Detection Dynamic Analysis Limitations of Dynamic Analysis
System calls, function parameters, API calls, created processes/threads, etc. monitored Expensive, uses VM or emulator Limitations of Dynamic Analysis Only effective against analyzed malware Advanced Persistent Threats (APTs) can bypass with zero-day exploits HPCA San Francisco, CA

22 Execution Monitoring Systemcall Forwarding
Application VM VM Modified Application EM Application EM EM Kernel Kernel Kernel Systemcall Forwarding Proxos (OSDI’06) VM Introspection, Isolated Monitoring Livewire(NDSS’03), Virtuoso (IEEE Security & Privacy’11) Reference Monitoring PinOS(ACM VEE’07), Kernel DBT(ASPLOS’12) HPCA San Francisco, CA

23 Malware Detection at Low-level
Sub-semantic Monitoring Low-level indicators of program such as Performance Counters (Demme et al. ISCA’13) are monitored Limitations Detection is after the fact Not real-time Features are limited to available performance counters HPCA San Francisco, CA

24 Our Proposal: MAP Malware Aware Processor (MAP)
Use hardware for sub-semantic detection Train a simple machine learning algorithm Periodic checks during execution Perform online detection using time series analysis in hardware High overhead software analysis activated only for suspicious programs (Two Level Detection) HPCA San Francisco, CA

25 MAP Design Overview Instruction Cache Exception Unit
Physical Register File Issue ROB & Architectural Register File Exception Unit Instruction Fetch MAP Rename/Decode Collect sub-semantic features Have a simple machine learning engine Check executing program in real-time Branch Prediction Functional Units MMU Data Cache HPCA San Francisco, CA

26 Sub-Semantic Feature Space
Architectural ARCH : Frequency of memory read/writes, taken & immediate branches and unaligned memory accesses Memory Address MEM1 : Frequency of memory address distance histogram MEM2 : Memory address distance histogram mix Instruction INS1 : Frequency of instruction categories INS2 : Difference between two most frequent opcodes INS3 : Existence of categories INS4 : Existence of opcodes HPCA San Francisco, CA

27 Machine Learning Algorithms
Logistic Regression Hypothesis function (ax1+bx c) is trained to figure out weights (a, b, c) Sigmoid function translates the hypothesis function to a value (0 – 1) Neural Network (multi layer perceptron) One hypothesis function trained for each layer Translation function is tanh HPCA San Francisco, CA

28 Data Set & Data Collection
Family Train Test Val Extended Total Vundo 14 2 5 21 42 Emerleox 10 4 33 52 Virut 8 3 7 46 64 Sality 12 Ejik 6 101 118 Looper 145 164 AdRotator 1 119 136 PornDialer 11 196 217 Boaxxe 13 211 230 99 34 36 918 1087 32-bit Windows 7 on VirtualBox Windows Security Services disabled Features collected through PIN during execution of malware University Of Mannheim dataset Offensive Computing VirusTotal HPCA San Francisco, CA

29 Selecting Features for Classification
Offline detection performance Low hardware implementation complexity Used for hardware implementation HPCA San Francisco, CA

30 Key Aspects of MAP Operation
Machine Learning model trained at design time Weights for the model are loaded into MAP hardware While program executes, MAP hardware collects features at instruction commit stage For each 10K committed instructions, a binary decision (malware/regular) is made HPCA San Francisco, CA

31 MAP Online Detection Periodic binary signals created for 10K instructions during execution Exponentially Weighted Moving Average (EWMA) is used for filtering out occasional false positives/negatives Additional optimizations for efficient hardware implementation Fixed Point representation Sliding window of signals HPCA San Francisco, CA

32 Hardware Implementation
Logistic Regression Neural Network HPCA San Francisco, CA

33 MAP FPGA Implementation
HPCA San Francisco, CA

34 Example of EWMA Logistic Regression Neural Network
HPCA San Francisco, CA

35 Results HPCA San Francisco, CA

36 Key Results of MAP Best performing feature is based on instruction opcodes MAP achieves 89% real-time detection with only 6% false positives with a simple LR prediction Physical design overhead Cycle time 1.9%(LR), 5.5%(NN) Area %(LR), 5.7%(NN) Power %(LR), 1.7%(NN) HPCA San Francisco, CA

37 Future Directions MAP can be extended as a configurable malware detection engine Updating weights for new malware Configuring features Integrated FPGAs in new CPU designs (Intel Xeon) can be used for MAP Can this be applied to other environments? Network detection, routers, IoT, … HPCA San Francisco, CA

38 What have we done since then
Adversarial machine learning: Can an adversary hide? Very interesting question and an emerging research area How to use MAP? False positives a problem Can we integrate with a second level detector? HPCA San Francisco, CA

39 Adversarial Machine Learning
Key vulnerabilities of machine learning systems ML models derived from fixed datasets Assuming similar distribution of training and real-world data Strong adversaries in ML systems Aware of usage, reverse engineering ML systems Adaptive evasion, temper with the trained model Practical adversarial attacks What are the practical constrains for adversaries? With constrains, how effective are adversarial attacks?

40 Reverse Engineer detectors
HPCA San Francisco, CA

41 We can guess the detector parameters!
HPCA San Francisco, CA

42 Reverse engineered detector does pretty well
HPCA San Francisco, CA

43 Lets fool the detector--process
Equivalent to adding noise for images Constraints are different for malware HPCA San Francisco, CA

44 Cant just randomly add instructions
HPCA San Francisco, CA

45 Can fool detectors easily!
HPCA San Francisco, CA

46 Overhead not too bad HPCA San Francisco, CA

47 Can we retrain?

48 What explains this? HPCA San Francisco, CA

49 What if we keep training?
HPCA San Francisco, CA

50 Defense? Randomize!

51 Randomize more! HPCA San Francisco, CA

52 Resilient to Evasion HPCA San Francisco, CA

53 Direction 2: What to do when you detect
Two layer detection solution Hardware detects suspicious program Always on, low overhead, low power But false positives can be bad Alerts something else that is more accurate Expensive, but now only invoked when needed Example, software malware detector, sandboxing, … Could be cloud based! Crowdsourced malware detection Uses the always on native execution properties HPCA San Francisco, CA

Download ppt "Hardware based Intrusion Detection"

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.

John Felber.  Sources  What is an Intrusion Detection System  Types of Intrusion Detection Systems  How an IDS Works  Detection Methods  Issues.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.

Intrusion Detection Systems CS391. Overview  Define the types of Intrusion Detection Systems (IDS).  Set up an IDS.  Manage an IDS.  Understand intrusion.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Department Of Computer Engineering

Department Of Computer Engineering
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.

Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.

Intrusion Detection Presentation : 1 OF n by Manish Mehta 01/24/03.
Meltem Ozsoy*, Caleb Donovick*, Iakov Gorelik*,

Meltem Ozsoy*, Caleb Donovick*, Iakov Gorelik*,
IIT Indore © Neminah Hubballi

IIT Indore © Neminah Hubballi
BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.

BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.

Similar presentations

Ads by Google