NIC-based intrusion detection: A feasibility study
Srinivasan Parthasarathy, Ohio State University
Joint work with M. Otey, R. Noronha, G. Li and D. Panda

Roadmap
  Motivation and Approaches
  Challenges and Objectives
  Preliminary Work: Algorithms, Experimental Results
  Conclusions

Motivation
  [Figure: conventional security setup. LAN, WAN, LAN; security enforced at the firewalls only]
  [Figure: adding NIC-based security to the same setup. Legend: Host (+ host-based security); Firewall; NIC-based Intrusion Detection System]

Why NIC-based Intrusion Detection?
  Pros
    Better coverage and scalability: more security end points
    Better reliability and performance: the host is separate from the NIC
    Adaptable, flexible and dynamic: intrusion patterns/rules can be modified on the fly so that the ID scheme can adapt
  Possible cons
    Efficiency and performance of network messaging
    Solution: simple yet effective schemes are needed

Coverage and Scalability
  One-to-one mapping between NICs and hosts -> coverage
  Natural distribution of computation -> scalability
  Less aggregation, so more specific intrusions can be detected. E.g. a firewall can detect host scans, but a NIC is better positioned to track port scans.
  Can detect intrusions internal to a LAN; the conventional setup cannot
  Cooperating NICs can potentially detect more complex exploits

Reliability and Performance
  Independence from the host adds to reliability: one extra security layer
    If the host is contaminated, NIC security may still be active
    If the NIC is contaminated or detects an intrusion, the host will still be secure
  Independence from the host can improve performance
    The host OS is not frequently interrupted and can do other work
    If the host is loaded, bandwidth is not impacted as much

Challenges
  Building specialized NIC hardware may be too expensive. Our objective: work with commodity NICs.
  Resources on commodity NICs are limited: smaller memory, slower processor
  Efficiency on basic actions (message transfers) is a crucial concern: what is the impact of ID schemes on the bandwidth of good messages?

Is NIC-based intrusion detection feasible?
  Objectives of this study: design some simple algorithms for intrusion detection that are
    Efficient
    Able to utilize limited resources
  Evaluation criteria
    Detection accuracy
    Efficiency

Roadmap: Preliminary Work (Algorithms)

Basic Algorithms
  Port Scan Detector (PSD)
  Anomaly Detector: instantiation of an Anomalous Client Detector
  Signature Detector: Naïve Bayesian Classifier

Sample Instantiation
  [Figure: the LAN/WAN setup with NIC-based security added. Legend: Host + host-based security; Firewall; NIC-based Anomalous Client Detector; NIC-based Port Scan Detector; NIC-based Naïve Bayes Classifier]

Port Scan Detector
  Is memory constrained?
    No: one port, one bit (8KB for all 65536 ports)
    Yes: bit vector of length B, with a many (65536) to one (B) mapping f from ports to bits (a biased mapping is possible)
  Is one bit vector enough?
    No: it is difficult to refresh (a refresh loses all previous information), and it may not detect slow scans
    Instead, keep a sliding window of N such vectors, with P = max # of packets per vector (reuse rate)
  How to combine? OR all bit vectors (low computational cost)
  How often to check, and how to detect?
    F = detection frequency
    S = threshold for a port scan (# of 1s in the combined vector)

Anomalous Client Detector
  Goal: detect anomalous behavior. E.g. is this particular src-to-dest packet typical?
  Estimate P(srcIP|destIP) [chan02]
  Is P(srcIP|destIP) > threshold? If yes, classify as normal; if no, flag an anomaly
  Implementation
    Relies on hash tables
    Complete srcIP not modeled (only at the subnet level)
    Moderate/high memory utilization, low computational cost

Anomalous Client Detector (contd.)
  Threshold: dynamic, functionally dependent on destIP
    Must aid in discriminating amongst different levels of anomalous behavior. E.g. a new client accessing a web portal is less surprising than a new client accessing an internal machine.
    We can use entropy to model this: the entropy of an internal machine will be low, the entropy of an external machine will be high
  Extensions
    Non-stationary model (similar to the port-scan detector): can compare changes to P(srcIP|destIP) over time

Naïve Bayes Packet Classifier
  Simplified Naïve Bayes classifier trained to identify the signatures of seven different artificial intrusions
  6 features explicit in the packet header: protocol type, protocol flags, SrcPort, DestPort, SrcIP, DestIP (may be implicit)
  1 derived feature, e.g. # connections in the last X seconds, average deviation of TTL
  Implementation details: relatively high computational requirements
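The Port Scan Detector above is described only as a set of parameters (B, N, P, F, S). The following is an added example, not the authors' NIC code, that implements that design in plain Python so the sliding window, the OR combination and the slow-scan weakness can be exercised. The port-to-bit mapping f is assumed to be a simple modulo (the slides note that a biased mapping is also possible), and the traffic fed to it is constructed for the example.

```python
"""Sliding-window port-scan detector built from bit vectors (added example).

Parameter names follow the slides: B = bits per vector, N = vectors in the
sliding window, P = packets recorded per vector before it is reused,
F = detection frequency (check every F packets), S = threshold on the number
of 1 bits in the OR of all vectors. The mapping f is assumed to be port % B.
"""


class PortScanDetector:
    def __init__(self, B=1024, N=4, P=8, S=16, F=8, f=None):
        self.B, self.N, self.P, self.S, self.F = B, N, P, S, F
        self.f = f or (lambda port: port % B)  # many (65536) to one (B) mapping
        self.vectors = [0] * N  # each int holds one B-bit vector
        self.cur = 0            # vector currently being filled
        self.filled = 0         # packets recorded in vectors[cur]
        self.packets = 0        # packets seen in total

    def observe(self, dst_port):
        """Record one packet's destination port; True when a check raises an alarm."""
        if self.filled == self.P:
            # Current vector is full: advance to the oldest vector and clear it.
            # Only 1/N of the history is lost, which is the point of the window.
            self.cur = (self.cur + 1) % self.N
            self.vectors[self.cur] = 0
            self.filled = 0
        self.vectors[self.cur] |= 1 << self.f(dst_port)
        self.filled += 1
        self.packets += 1
        if self.packets % self.F == 0:
            return self.check()
        return False

    def check(self):
        """OR all vectors (cheap) and compare the count of 1 bits against S."""
        combined = 0
        for v in self.vectors:
            combined |= v
        return bin(combined).count("1") >= self.S


def count_alarms(detector, dst_ports):
    """Feed destination ports in order and count the checks that alarmed."""
    return sum(1 for port in dst_ports if detector.observe(port))


if __name__ == "__main__":
    # Constructed traffic, not captured data.
    normal = [80, 443] * 50                 # ordinary web traffic: 2 distinct ports
    scan = list(range(1, 65))               # sequential scan of 64 ports
    # One scan packet hidden in every 32 packets: the N*P = 32 packet window
    # never holds more than one scanned port, so this slow scan is missed.
    slow = [p for port in range(1, 65) for p in [port] + [80, 443] * 15 + [80]]
    print("normal:", count_alarms(PortScanDetector(), normal))  # 0
    print("scan:  ", count_alarms(PortScanDetector(), scan))    # 7
    print("slow:  ", count_alarms(PortScanDetector(), slow))    # 0
```

The window holds at most N*P packets, so a scan paced slower than one probe per N*P packets of background traffic never accumulates S bits; that is the slow-scan limitation the slides name, and it is the reason the non-stationary comparison over time is listed as an extension.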
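The Anomalous Client Detector slides above leave the entropy-dependent threshold unspecified. The following added example (not the authors' implementation) keeps the design points the slides give: hash tables keyed by destination, source addresses modelled at the subnet level (assumed /24), and a decision that depends on the entropy of the destination's client distribution. The scoring rule is an assumption made here: a packet's surprisal -log2 P(src|dst), with add-one smoothing so unseen clients get a small mass, is compared with the entropy H(dst), so a new client of a low-entropy internal machine scores far higher than a new client of a high-entropy portal. The training traffic is constructed for the example.

```python
"""Anomalous client detector on P(srcSubnet | destIP) with an entropy-based threshold (added example)."""
import math


def subnet(ip):
    """Collapse a dotted-quad IPv4 address to its /24 prefix (assumed granularity)."""
    return ".".join(ip.split(".")[:3])


class AnomalousClientDetector:
    def __init__(self):
        self.counts = {}  # dst -> {src subnet -> packets}   (hash tables, as on the slides)
        self.totals = {}  # dst -> packets

    def observe(self, src_ip, dst_ip):
        """Update step: count one src-subnet -> dst packet."""
        clients = self.counts.setdefault(dst_ip, {})
        key = subnet(src_ip)
        clients[key] = clients.get(key, 0) + 1
        self.totals[dst_ip] = self.totals.get(dst_ip, 0) + 1

    def probability(self, src_ip, dst_ip):
        """Add-one smoothed P(srcSubnet | dst); one extra bucket stands for 'unseen'."""
        clients = self.counts.get(dst_ip, {})
        k = len(clients) + 1
        return (clients.get(subnet(src_ip), 0) + 1) / (self.totals.get(dst_ip, 0) + k)

    def entropy(self, dst_ip):
        """Entropy in bits of dst's observed client distribution (low for internal hosts)."""
        total = self.totals.get(dst_ip, 0)
        if total == 0:
            return 0.0
        return -sum((c / total) * math.log2(c / total)
                    for c in self.counts[dst_ip].values())

    def score(self, src_ip, dst_ip):
        """How much more surprising this client is than dst's typical client (assumed rule)."""
        return -math.log2(self.probability(src_ip, dst_ip)) - self.entropy(dst_ip)

    def is_anomalous(self, src_ip, dst_ip, tau=4.0):
        """Equivalent to the slides' test P(src|dst) > threshold with threshold = 2**-(H(dst)+tau)."""
        return self.score(src_ip, dst_ip) > tau


def build_demo_model():
    """Constructed history: an internal host with one admin subnet, a portal with 16 client subnets."""
    det = AnomalousClientDetector()
    internal, portal = "10.0.0.5", "10.0.0.80"
    for i in range(100):
        det.observe(f"10.0.1.{i % 50 + 1}", internal)         # always subnet 10.0.1
        det.observe(f"203.{i % 16}.113.{i % 7 + 1}", portal)  # subnets 203.0.113 .. 203.15.113
    return det, internal, portal


if __name__ == "__main__":
    det, internal, portal = build_demo_model()
    new_client = "192.0.2.9"  # constructed, never seen before
    print("H(internal) =", round(det.entropy(internal), 3), " H(portal) =", round(det.entropy(portal), 3))
    for dst in (internal, portal):
        print(dst, "new client score", round(det.score(new_client, dst), 2),
              "anomalous" if det.is_anomalous(new_client, dst) else "normal")
    print("known admin client score", round(det.score("10.0.1.7", internal), 3))
```

With tau = 4 the unseen client reaching the internal host is flagged while the same client reaching the portal is not, yet both scores stay available for ranking, which is the "different levels of anomalous behavior" the slides ask the threshold to support. Because the probabilities are frequency counts, the model is stationary; comparing successive snapshots of P(src|dst) is the extension the slides list, not something this block does.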

Roadmap: Preliminary Work (Experimental Results)

Experimental Results
  Hardware configuration
    300 MHz Pentium II host, 128 MB memory
    66 MHz LANai 4 processor NIC, 1 MB memory
  Software
    Synthetic datasets (described in paper)
    Training/testing data split (standard)

Results: Resource Requirements
Effect of Host Load on Bandwidth
Results: Port Scan Detector

Results: Anomalous Client Detector
  DARPA dataset
    1 week attack-free data, 1 week test data
    Only the external tcp dump: 13 million packets
    Detects 11/43 attacks
  Synthetic dataset: qualitative performance summary
    Some attacks are spread over several packets
    Clustering alarms reduces the false alarm rate
    Misses 32/43 attacks
    Uses only the external TCP dump
    Several attacks are not detectable from just IP
  Typical confusion matrix
              Good     Bad
    Good    899486       0
    Bad        790   99724

Results: Naïve Bayes Classifier
  Typical confusion matrix
              Good     Bad
    Good    105118       0
    Bad      67545  827337

Roadmap: Conclusions

Related Work
  Intrusion detection: a ton of recent work in this area
    Anomaly detection [Forrest 97, Chan 02]
    Signature detection, e.g. SNORT/BRO
    Hybrid strategies [Barbara et al 2001/2002]
  NIC-based computing support
    Fast synchronization support [Panda 01]
    Fast support for application messaging [Bershad 98]
  NIC-based security
    Self-securing devices [Ganger 2001, 2002]
    Firewall security: 3Com embedded firewall [2001]

Current and Future Work
  Testing using real data (DARPA/NETFLOW)
  Port the system to other NICs: faster Myrinet cards; effect of multiple processors per NIC (Quadrics)
  New detectors/algorithms? Effect of multiple detectors per NIC
  Distributed NIC-based ID schemes
  Combining NIC- and host-based schemes: potentially lose some reliability in exchange for better techniques

Conclusions
  NIC-based intrusion detection can potentially be a useful addition to the overall network security system
  Potential impact on coverage, scalability, reliability, performance and flexibility
  Technological outlook looks good: multiprocessor NICs (Quadrics), 1 GHz NICs (soon)
  Preliminary results support the argument; however, there is a long way to go!

Questions?
