1
Topics in Advanced Network Security
Stateful Intrusion Detection for High Speed Networks
Christopher Kruegel, Fredrick Valeur, Giovanni Vigna, Richard Kemmerer
Reliable Software Group, University of California, Santa Barbara
2
Overview
–Introduction
–Related Work
–A Slicing Approach for High-Speed Intrusion Detection
–Evaluation
–Conclusion and Future Work
3
Introduction
Problem Statement
–Current IDS are not able to detect attacks on High Speed (Gigabit) networks
Why?
–Sensor Speed
–Architectural Limitations
4
What is High Speed?
Scorpio – Stinger IDS
–“STINGER IDS meets the challenges of watching over a modern network by providing one or more high speed sensors”
–Integrated Intel Pro 10/100 Ethernet card (!!!)
Symantec Manhunt
–Gigabit Detection
IntruVert IntruShield 2600
–2.2 GB/sec
5
IDS Introduction
–Host Based
–Network Based
–Log Based
–Target Based
6
Related Work
Distributed Sensors
–CSD @ USC: 20 snort machines
–Therminator: Anomaly based NIDS
NetICE Gigabit Sentry
–>300 Mbps
–500,000 packets/second
TopLayer Networks – Switch
High Performance NIDS – R. Sekar et al.
–500 Mbps (Offline Traffic)
7
Introduction to Slicing Approach
Sensors
–Misuse detection, e.g. snort
–Distributed, Autonomous
Slicer
–T_N = T_1 + T_2 + … + T_n
–Maintains attack scenarios
8
System Architecture (architecture diagram)
9
System Architecture
Tap
–Extracts link layer frames (F)
Scatterer
–Partitions F into subsets F_j, 0 ≤ j < m
Traffic Slicers S_0 … S_{m-1}
–Route frames to sensors: Frame Routing
Switch
–Forwards packets to channels
–Channel = Stream Reassembler + Multiple IDS
10
System Architecture
Stream Reassemblers R_0 … R_{n-1}
–Prevent out-of-order (OOO) packets
–If f_j, f_k ∈ FC_i and f_j is delivered before f_k, then j < k
Intrusion Detection Sensors I_0 … I_{p-1}
–Access all packets on the channel
–Multiple attack scenarios (A_j = {A_j0 … A_j(q-1)})
–Each attack scenario has an Event Space [ES]
11
Event Space
Defines the policy used by slicers to select a channel
E_jk = c_jk0 ∨ c_jk1 ∨ … ∨ c_jkn
c_jk = x R y
–x: value from f_i
–R: arithmetic relation (=, !=, <)
–y: constant, or value of a variable
12
Frame Routing
Slicer filter based on the active ES in a channel
Static Configuration – prone to overloads
Dynamic Load Balancing – reassign an ES or a subset of an ES
Example: Destination Attribute
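As an added illustration (not code from the paper or the Reliable Software Group), the following Python models the policy of slides 10 to 12: the scatterer stamps a sequence number on each frame, every slicer evaluates event-space clauses c = x R y and copies matching frames to channels, and the per-channel reassembler restores sequence order. Frame attribute names, channel names and the '>' relation are assumptions; in the real system the sequence and channel numbers ride in the source and destination MAC addresses.

```python
import operator
from collections import defaultdict

# Relations R allowed in a clause c = x R y on slide 11 (=, !=, <); '>' is an assumed extension.
RELATIONS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}

def clause_matches(frame, clause):
    """Evaluate one clause (attribute x, relation R, constant y) against a frame."""
    attr, rel, const = clause
    return attr in frame and RELATIONS[rel](frame[attr], const)

def event_space_matches(frame, event_space):
    """An event space E = c0 V c1 V ... holds if any single clause holds."""
    return any(clause_matches(frame, c) for c in event_space)

def scatter(frames, n_slicers):
    """Scatterer: stamp a sequence number on each frame, then deal frames to slicers round-robin."""
    slicers = [[] for _ in range(n_slicers)]
    for seq, frame in enumerate(frames):
        slicers[seq % n_slicers].append(dict(frame, seq=seq))
    return slicers

def slice_to_channels(slicer_frames, channels):
    """Slicer: copy a frame to every channel whose event space it satisfies (duplicates allowed)."""
    routed = defaultdict(list)
    for frame in slicer_frames:
        for cid, event_space in channels.items():
            if event_space_matches(frame, event_space):
                routed[cid].append(frame)
    return routed

def reassemble(channel_frames):
    """Reassembler: restore scatterer order so f_j is delivered before f_k only if j < k."""
    return sorted(channel_frames, key=lambda f: f["seq"])

def run_pipeline(frames, channels, n_slicers=3):
    """Scatter, let each slicer filter independently, merge per channel, then reassemble."""
    merged = defaultdict(list)
    for slicer_frames in scatter(frames, n_slicers):
        for cid, routed in slice_to_channels(slicer_frames, channels).items():
            merged[cid].extend(routed)
    return {cid: reassemble(fs) for cid, fs in merged.items()}

# Constructed sample (not from the paper): channels keyed on destination attributes, slide 12.
CHANNELS = {"web": [("dst_port", "=", 80), ("dst_port", "=", 443)],
            "internal": [("dst_net", "=", "10.0.1"), ("dst_net", "=", "10.0.2")]}
FRAMES = [{"dst_net": "10.0.1", "dst_port": 80}, {"dst_net": "192.0.2", "dst_port": 443},
          {"dst_net": "10.0.2", "dst_port": 22}, {"dst_net": "10.0.1", "dst_port": 25}]
```

With three slicers the "internal" channel receives frames 0, 3 and 2 in that order and the reassembler puts frame 2 back before frame 3; frame 0 reaches both channels, which is the redundant-packet effect of slide 14.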
13
Evaluation
Initial Setup
–slicer = 3, reassembler = 4, sensor = 1 per stream
Scatterer
–Intel Xeon 1.7 GHz, 512 MB RAM, 3Com 996-T, Linux 2.4.2
–Kernel module, Layer 2 bridge
–Inserts sequence number into source MAC address
14
Evaluation
Traffic Slicer
–Intel Pentium 4 1.5 GHz, 256 MB RAM, 3Com 905C-TX (promiscuous mode)
–Data portion matched against clauses
–Redundant packets generated
–Inserts channel number into destination MAC address
Test Setup
–Internal and External
–Internal: 4 Class C address groups
15
Evaluation
Frame Routing
–Cisco Catalyst 3500XL
–Static associations (Channel Number: Port)
Reassembler
–Timeout value (500 ms)
–No retransmissions
16
Evaluation
–Snort sensor
–Traffic: MIT Lincoln Labs
–Traffic injection: tcpreplay
17
Snort Performance
–Snort on tcpdump traffic log
–Ruleset = 961 rules
–11,213 detections in 10 seconds
–Throughput (offline) = 261 Mbps
18
Snort Performance vs Traffic Rate
–Snort is run on the Scatterer
–Ruleset = 18 signatures
–Packet loss at a traffic rate of 150 Mbps: Snort's saturation point
19
Snort Performance vs Traffic Rate (chart)
20
Snort Performance vs No. of Signatures
–Traffic rate = 100 Mbps
Ruleset
–Initial value = 18 signatures
–Increase the number of signatures
21
Snort Performance vs No. of Signatures (chart)
22
Snort Performance in Proposed Architecture (chart)
23
Snort Performance in Proposed Architecture (chart, continued)
24
Conclusion and Future Work
–Experimentation in a real-world environment
–Evaluate the trade-offs
–Dynamic load balancing
–Hierarchically structured Scatterers/Slicers