NIC-based intrusion detection: A feasibility study

Srinivasan Parthasarathy, Ohio State University
Joint work with M. Otey, R. Noronha, G. Li and D. Panda

Roadmap
  Motivation and Approaches
  Challenges and Objectives
  Preliminary Work
    Algorithms
    Experimental Results

  Conclusions

Motivation: Conventional Security Setup
  (diagram only: LAN / WAN / LAN topology)

Motivation: Adding NIC-based Security
  (diagram only; legend: host (+ host-based security), firewall, NIC-based intrusion detection system)

Why NIC-based Intrusion Detection?

  Pros
    Better coverage and scalability: more security end points
    Better reliability and performance: the host is separate from the NIC
    Adaptable, flexible and dynamic: intrusion patterns/rules can be modified on the fly so that the ID scheme can adapt
  Possible cons
    Efficiency and performance of network messaging

    Solution: simple yet effective schemes are needed

Coverage and Scalability
  One-to-one mapping between NICs and hosts -> coverage
  Natural distribution of computation -> scalability
  Less aggregation: can detect more specific intrusions
    E.g. a firewall can detect host scans; a NIC is better positioned to track port scans
  Can detect intrusions internal to a LAN, which the conventional setup cannot

  Cooperating NICs can potentially detect more complex exploits

Reliability and Performance
  Independence from the host adds to reliability: one extra security layer
    If the host is compromised, NIC security may still be active
    If the NIC is compromised or detects an intrusion, the host will still be secure
  Independence from the host can improve performance
    The host OS is not frequently interrupted and can do other work
    If the host is loaded, bandwidth is not impacted as much

Challenges
  Building specialized NIC hardware may be too expensive
    Our objective: work with commodity NICs
  Resources on commodity NICs are limited: smaller memory, slower processor
  Efficiency of basic actions (message transfers) is a crucial concern
    Impact of ID schemes on the bandwidth of legitimate messages

Is NIC-based intrusion detection feasible?

Objectives of this study
  Design some simple algorithms for intrusion detection that are
    Efficient
    Able to utilize limited resources
  Evaluation criteria
    Detection accuracy
    Efficiency

Roadmap
  Motivation and Approaches
  Challenges and Objectives
  Preliminary Work
    Algorithms
    Experimental Results
  Conclusions

Basic Algorithms
  Port Scan Detector (PSD)
  Anomaly Detector

    Instantiation: Anomalous Client Detector
  Signature Detector
    Instantiation: Naive Bayes Classifier

Sample Instantiation: Adding NIC-based Security
  (diagram only: LAN / WAN topology with a NIC-based Anomalous Client Detector on one host;

   legend: host + host-based security, firewall, NIC-based Port Scan Detector, NIC-based Naive Bayes Classifier)

Port Scan Detector
  Is memory constrained?
    No:

      one port, one bit: 65536 ports = 8KB
    Yes:
      length of bit vector = B
      many (65536) to one (B) mapping f from ports to bits (biased mapping possible)
  Is one bit vector enough?
    Difficult to refresh (a reset loses all previous information); may not detect slow scans
    Sliding window of N such vectors; P = max # of packets per vector (reuse rate)

  How to combine? OR all N bit vectors (low computational cost)
  How often to check, and how to detect?
    F = detection frequency
    S = threshold for a port scan (# of 1s in the combined vector)

Anomalous Client Detector
  Goal: detect anomalous behaviour, e.g. is this particular src -> dest packet typical?
  Estimate P(srcIP|destIP) [Chan 02]

  Is P(srcIP|destIP) > threshold?
    If yes, classify as normal
    If no, classify as anomalous
  Implementation
    Relies on hash tables
    Complete srcIP not modeled (only at the subnet level)
    Moderate/high memory utilization, low computational cost

Anomalous Client Detector (contd.)
  Threshold: dynamic, functionally dependent on destIP

    Must aid in discriminating amongst different levels of anomalous behaviour
      E.g. a new client accessing a web portal is less surprising than a new client accessing an internal machine
    We can use entropy to model this: the entropy of an internal machine's client distribution will be low, that of an external-facing machine will be high
  Extensions
    Non-stationary model (similar to the port scan detector)
    Can compare changes to P(srcIP|destIP) over time

Naive Bayes Packet Classifier

  Simplified Naive Bayes classifier trained to identify the signatures of seven different artificial intrusions
  6 features explicit in the packet header: protocol type, protocol flags, SrcPort, DestPort, SrcIP, DestIP (may be implicit, since each NIC is bound to one host)
  1 derived feature, e.g. # connections in the last X seconds, or average deviation of TTL
  Implementation details: relatively high computational requirements
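The port scan detector slide above gives the parameters (B, N, P, F, S, the many-to-one port mapping f) but no code. The following is an added example written for this page, not code from the paper or its authors: a sliding window of N bit vectors, each held as an integer bitmask, with a plain folding map and a "biased" map that keeps a private bit for every well-known port. The traffic streams at the bottom are constructed for the demonstration, and the specific parameter values are assumptions, not the paper's settings.

```python
"""Sliding-window bit-vector port scan detector (added example, not the paper's code)."""
from typing import Callable, List

Port = int


def fold_port(port: Port, B: int) -> int:
    """Plain many-to-one mapping f: 65536 ports onto B bits, all ports aliased evenly."""
    return port % B


def biased_map(port: Port, B: int) -> int:
    """Biased many-to-one mapping: each well-known port (< 1024) keeps its own bit,
    higher ports are folded onto the remaining B - 1024 bits.
    Assumption (not from the slides): B > 1024."""
    if B <= 1024:
        raise ValueError("biased mapping needs B > 1024")
    if port < 1024:
        return port
    return 1024 + (port - 1024) % (B - 1024)


class PortScanDetector:
    """Parameters follow the slide:
    B = bits per vector, N = vectors in the sliding window,
    P = packets recorded per vector before the window advances (reuse rate),
    F = run the check every F packets, S = number of set bits that signals a scan."""

    def __init__(self, B: int, N: int, P: int, F: int, S: int,
                 port_map: Callable[[Port, int], int] = fold_port) -> None:
        self.B, self.N, self.P, self.F, self.S = B, N, P, F, S
        self.port_map = port_map
        self.vectors: List[int] = [0] * N   # each vector is a Python int bitmask
        self.current = 0                     # index of the vector being filled
        self.in_current = 0                  # packets recorded into that vector
        self.packets = 0                     # total packets seen (drives F)

    def memory_bytes(self) -> int:
        """Bit-vector memory the NIC would need: N vectors of B bits."""
        return self.N * self.B // 8

    def observe(self, dst_port: Port) -> bool:
        """Record one packet; return True if the periodic check raises a scan alarm."""
        if not 0 <= dst_port <= 65535:
            raise ValueError(f"bad port {dst_port}")
        self.vectors[self.current] |= 1 << self.port_map(dst_port, self.B)
        self.in_current += 1
        self.packets += 1
        if self.in_current >= self.P:
            # Advance the window: only the oldest vector's information is lost,
            # unlike refreshing a single vector, which would lose everything.
            # A scan spread over more than N * P packets still slips through.
            self.current = (self.current + 1) % self.N
            self.vectors[self.current] = 0
            self.in_current = 0
        return self.packets % self.F == 0 and self.check()

    def check(self) -> bool:
        """OR all N vectors and compare the popcount with the threshold S."""
        combined = 0
        for v in self.vectors:
            combined |= v
        return bin(combined).count("1") >= self.S


def run_stream(det: PortScanDetector, ports: List[Port]) -> List[int]:
    """Feed destination ports in order; return the 1-based positions at which an alarm fired."""
    return [i for i, p in enumerate(ports, start=1) if det.observe(p)]


# Constructed sample traffic (not from the paper): a host serving four services,
# followed by a sequential scan of ports 1..200 against the same host.
NORMAL_TRAFFIC = [80, 443, 22, 25] * 75   # 300 packets, 4 distinct ports
SCAN_TRAFFIC = list(range(1, 201))        # 200 packets, 200 distinct ports

if __name__ == "__main__":
    det = PortScanDetector(B=1024, N=4, P=64, F=16, S=50)
    print("bit-vector memory:", det.memory_bytes(), "bytes")
    print("alarms on normal traffic:", run_stream(det, NORMAL_TRAFFIC))
    print("alarms during scan (packet #):", run_stream(det, SCAN_TRAFFIC))
```

With B=1024 the four vectors cost 512 bytes; with the unfolded B=65536 they cost 32KB, which is a third of the 1MB on the LANai 4 card used in the experiments, so the folding factor is the main knob for fitting the detector on a commodity NIC. The price of folding is aliasing: with the plain map, ports 80 and 1104 share a bit, which is why the biased map reserves the well-known range.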
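The anomalous client detector slides describe estimating P(srcIP|destIP) at subnet granularity in hash tables and comparing it against an entropy-dependent threshold, but leave the threshold function open. The code below is an added example, not the paper's implementation. It assumes one particular form: a source is anomalous when its smoothed probability falls below 2^-(H(destIP) + margin), i.e. when its surprisal exceeds the destination's client entropy by a fixed number of bits, so a server with one habitual client subnet rejects newcomers while a portal with many clients tolerates them. The /24 prefix, the 4-bit margin, the smoothing rule and the training traffic are all constructed for the demonstration.

```python
"""P(srcSubnet | destIP) anomalous client detector with an entropy-derived threshold
(added example, not the paper's code)."""
import math
from collections import defaultdict
from typing import Dict


def subnet_key(ip: str, prefix_len: int = 24) -> int:
    """Collapse a dotted-quad IPv4 address to its /prefix_len network, as an int.
    The slide models only the subnet, not the complete srcIP, to bound table size."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    addr = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return addr & mask


class AnomalousClientDetector:
    def __init__(self, prefix_len: int = 24, margin_bits: float = 4.0) -> None:
        self.prefix_len = prefix_len
        self.margin_bits = margin_bits  # assumption: surprisal allowed above H(dest)
        # destIP -> (src subnet -> packet count): the hash tables from the slide
        self.counts: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
        self.totals: Dict[str, int] = defaultdict(int)

    def train(self, src_ip: str, dst_ip: str) -> None:
        self.counts[dst_ip][subnet_key(src_ip, self.prefix_len)] += 1
        self.totals[dst_ip] += 1

    def prob(self, src_ip: str, dst_ip: str) -> float:
        """Smoothed P(srcSubnet | destIP): one pseudocount per seen subnet plus
        one for the 'never seen' bucket (assumed smoothing rule)."""
        table = self.counts[dst_ip]
        c = table.get(subnet_key(src_ip, self.prefix_len), 0)
        return (c + 1) / (self.totals[dst_ip] + len(table) + 1)

    def entropy(self, dst_ip: str) -> float:
        """Entropy in bits of the observed client-subnet distribution of destIP.
        Low for an internal box with few clients, high for a public portal."""
        total = self.totals[dst_ip]
        h = 0.0
        for c in self.counts[dst_ip].values():
            p = c / total
            h -= p * math.log2(p)
        return h

    def threshold(self, dst_ip: str) -> float:
        """Per-destination probability threshold 2^-(H + margin) (assumed form)."""
        return 2.0 ** -(self.entropy(dst_ip) + self.margin_bits)

    def is_anomalous(self, src_ip: str, dst_ip: str) -> bool:
        if self.totals[dst_ip] == 0:
            # Assumption: a destination with no history cannot be judged typical.
            return True
        return self.prob(src_ip, dst_ip) < self.threshold(dst_ip)


def build_demo_detector() -> AnomalousClientDetector:
    """Train on constructed traffic (not from the paper):
    10.0.0.5  - internal file server, 200 packets, all from 10.0.1.0/24
    10.0.0.80 - web portal, 400 packets, 10 each from 40 different /24 client subnets."""
    det = AnomalousClientDetector(prefix_len=24, margin_bits=4.0)
    for i in range(200):
        det.train(f"10.0.1.{i % 250 + 1}", "10.0.0.5")
    for i in range(40):
        for j in range(10):
            det.train(f"172.16.{i}.{j + 1}", "10.0.0.80")
    return det


if __name__ == "__main__":
    det = build_demo_detector()
    for src, dst in [("10.0.1.200", "10.0.0.5"), ("172.16.3.9", "10.0.0.5"),
                     ("172.16.3.9", "10.0.0.80"), ("172.16.99.9", "10.0.0.80")]:
        print(f"{src} -> {dst}: H={det.entropy(dst):.2f} bits "
              f"P={det.prob(src, dst):.4f} thr={det.threshold(dst):.4f} "
              f"anomalous={det.is_anomalous(src, dst)}")
```

For the internal server H is 0 bits, so the threshold is 1/16 and an unseen /24 (probability about 1/202 after smoothing) is flagged; for the portal H is log2(40), about 5.3 bits, the threshold drops to about 1/640, and the same unseen /24 (about 1/441) passes. Every table entry is keyed by (destIP, subnet) rather than (destIP, srcIP), which is what keeps the moderate-to-high memory use of this detector bounded on a 1MB NIC.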

Roadmap
  Motivation and Approaches
  Challenges and Objectives
  Preliminary Work
    Algorithms
    Experimental Results
  Conclusions

Experimental Results: Setup
  Hardware configuration
    Host: 300 MHz Pentium II, 128 MB memory
    NIC: 66 MHz LANai 4 processor, 1 MB memory

  Software
    Synthetic datasets (described in the paper)
    Standard training/testing data split

Results: Resource Requirements (figure only)
Results: Effect of Host Load on Bandwidth (figure only)
Results: Port Scan Detector (figure only)
Results: Anomalous Client Detector

  DARPA dataset
    1 week of attack-free data, 1 week of test data
    Only the external tcpdump: 13 million packets
    Detects 11/43 attacks

  Synthetic dataset: qualitative performance summary
    Some attacks are spread over several packets
    Clustering alarms reduces the false alarm rate
    Misses 32/43 attacks
      Uses only the external TCP dump
      Several attacks are not detectable from IP-level information alone

  Typical confusion matrix

             Good      Bad
    Good   899486        0
    Bad       790    99724

Results: Naive Bayes Classifier
  Typical confusion matrix

             Good      Bad
    Good  1051188        0
    Bad     67545   827337

Roadmap
  Motivation and Approaches
  Challenges and Objectives
  Preliminary Work
    Algorithms

    Experimental Results
  Conclusions

Related Work
  Intrusion detection: a great deal of recent work in this area
    Anomaly detection [Forrest 97, Chan 02]
    Signature detection, e.g. Snort / Bro
    Hybrid strategies [Barbara et al. 2001/2002]
  NIC-based computing support
    Fast synchronization support [Panda 01]

    Fast support for application messaging [Bershad 98]
  NIC-based security
    Self-securing devices [Ganger 2001, 2002]
    Firewall security: 3Com embedded firewall [2001]

Current and Future Work
  Testing using real data (DARPA / NetFlow)
  Port the system to other NICs
    Faster Myrinet cards
    Effect of multiple processors per NIC (Quadrics)

  New detectors/algorithms?
  Effect of multiple detectors per NIC
  Distributed NIC-based ID schemes
  Combining NIC- and host-based schemes: potentially lose some reliability in exchange for better techniques

Conclusions
  NIC-based intrusion detection can potentially be a

  useful addition to the overall network security system
    Potential impact on coverage, scalability, reliability, performance and flexibility
  Technological outlook looks good: multiprocessor NICs (Quadrics), 1 GHz NICs (soon)
  Preliminary results support the argument
  However, there is a long way to go!

Questions?

[email protected]
